From 01f8570576828a0271cae9d8c66ce1bf36fbe140 Mon Sep 17 00:00:00 2001 From: Amarachi Iheanacho Date: Thu, 29 Jan 2026 21:43:52 +0100 Subject: [PATCH] docs: move the on-prem doc 
Signed-off-by: Amarachi Iheanacho --- omni.yaml | 24 +- public/docs.json | 28 +- .../advanced-guides/deploy-traefik.mdx | 4 +- .../advanced-guides/device-plugins.mdx | 4 +- .../dynamic-resource-allocation.mdx | 2 +- .../advanced-guides/gcp-workload-identity.mdx | 34 +- .../advanced-guides/inlinemanifests.mdx | 6 +- .../advanced-guides/kubeprism.mdx | 2 +- .../advanced-guides/kuberay.mdx | 2 +- .../advanced-guides/node-labels.mdx | 8 +- .../talos-api-access-from-k8s.mdx | 6 +- .../advanced-guides/upgrading-kubernetes.mdx | 14 +- .../kubernetes-guides/cni/deploy-calico.mdx | 6 +- .../cni/deploying-cilium.mdx | 2 +- .../kubernetes-guides/csi/ceph-with-rook.mdx | 8 +- .../kubernetes-guides/csi/local-storage.mdx | 4 +- public/kubernetes-guides/csi/storage.mdx | 4 +- .../deploy-metrics-server.mdx | 6 +- .../security/pod-security.mdx | 14 +- .../security/seccomp-profiles.mdx | 4 +- ...plate-from-a-cluster-created-in-the-ui.mdx | 4 +- .../expose-an-http-service-from-a-cluster.mdx | 8 +- .../expose-omni-with-nginx-https.mdx | 2 +- .../importing-talos-clusters.mdx | 10 +- ...a-cluster-managed-by-cluster-templates.mdx | 12 +- .../scale-a-cluster-up-or-down.mdx | 4 +- .../cluster-management/support-bundle.mdx | 2 +- .../cluster-management/upgrading-clusters.mdx | 8 +- .../upgrading-omni.mdx | 2 +- .../cluster-management/using-audit-log.mdx | 4 +- .../omni/getting-started/getting-started.mdx | 4 +- .../omni/getting-started/support-matrix.mdx | 4 +- .../getting-started/use-kubectl-with-omni.mdx | 8 +- .../modify-kernel-arguments.mdx | 4 +- .../writing-infrastructure-providers.mdx | 12 +- ...ate-a-kubeconfig-for-a-service-account.mdx | 2 +- .../create-an-omni-service-account.mdx | 4 +- .../how-to-set-initial-machine-labels.mdx | 6 +- .../how-to-register-an-aws-ec2-instance.mdx | 2 +- .../register-a-bare-metal-machine-iso.mdx | 2 +- ...register-a-bare-metal-machine-pxe-ipxe.mdx | 8 +- .../register-a-gcp-instance.mdx | 10 +- .../register-a-hetzner-server.mdx | 4 +- 
.../register-an-azure-instance.mdx | 8 +- ...the-bare-metal-infrastructure-provider.mdx | 14 +- .../authentication-and-authorization.mdx | 2 +- .../configure-keycloak-for-omni.mdx | 0 .../configure-keycloak-for-omni-Root-URL.png | Bin .../configure-keycloak-for-omni-SAML.png | Bin ...ycloak-for-omni-add-predefined-mappers.png | Bin ...figure-keycloak-for-omni-client-scopes.png | Bin ...ure-keycloak-for-omni-client-signature.png | Bin ...figure-keycloak-for-omni-create-client.png | Bin ...keycloak-for-omni-create-new-user-form.png | Bin ...gure-keycloak-for-omni-create-new-user.png | Bin ...nfigure-keycloak-for-omni-create-realm.png | Bin ...igure-keycloak-for-omni-no-credentials.png | Bin ...onfigure-keycloak-for-omni-omni-create.png | Bin .../configure-keycloak-for-omni-openID.png | Bin ...re-keycloak-for-omni-predefined-mapper.png | Bin ...keycloak-for-omni-signature-encryption.png | Bin .../images/configure-keycloak-saml-idp.png | Bin .../rotate-siderolink-join-token.mdx | 6 +- .../configure-saml-and-acls.mdx | 4 +- ...ure-unifi-identity-enterprise-for-omni.mdx | 4 +- ...onfigure-workspace-one-access-for-omni.mdx | 2 +- .../using-saml-with-omni/overview.mdx | 2 +- .../deploy-image-factory-on-prem.mdx | 10 +- .../self-hosted/deploy-omni-on-prem.mdx | 18 +- .../how-to-back-up-on-prem-omni-db.mdx | 0 .../install-airgapped-omni.mdx | 8 +- .../self-hosted/omni-deployment-options.mdx | 2 +- .../self-hosted/overview.mdx | 0 public/omni/troubleshooting/faqs.mdx | 4 +- .../metal-network-configuration.mdx | 2 +- public/talos/v1.12/advanced-guides/SBOM.mdx | 2 +- .../migrating-from-kubeadm.mdx | 4 +- .../cgroups-analysis.mdx | 3 +- .../disaster-recovery.mdx | 16 +- .../etcd-maintenance.mdx | 16 +- .../building-images.mdx | 10 +- .../customizing-the-kernel.mdx | 6 +- .../developing-talos.mdx | 18 +- .../oci-base-spec.mdx | 4 +- .../overlays.mdx | 13 +- .../system-extensions.mdx | 12 +- .../hardware-and-drivers/amd-gpu.mdx | 4 +- .../nvidia-gpu-proprietary.mdx | 2 +- 
.../images-container-runtime/containerd.mdx | 6 +- .../image-cache-registry-mirror.mdx | 8 +- .../images-container-runtime/image-cache.mdx | 14 +- .../pull-through-cache.mdx | 6 +- .../images-container-runtime/static-pods.mdx | 2 +- .../resetting-a-machine.mdx | 2 +- .../lifecycle-management/upgrading-talos.mdx | 12 +- .../logging-and-telemetry/logging.mdx | 8 +- .../disk-encryption.mdx | 18 +- .../disk-management/common.mdx | 6 +- .../disk-management/existing.mdx | 2 +- .../disk-management/layout.mdx | 10 +- .../disk-management/overview.mdx | 4 +- .../disk-management/raw.mdx | 4 +- .../disk-management/resources.mdx | 8 +- .../disk-management/system.mdx | 4 +- .../disk-management/user.mdx | 6 +- .../storage-and-disk-management/swap.mdx | 6 +- .../system-configuration/acquire.mdx | 10 +- .../system-configuration/discovery.mdx | 8 +- .../editing-machine-configuration.mdx | 4 +- .../system-configuration/insecure.mdx | 12 +- .../system-configuration/patching.mdx | 4 +- .../performance-tuning.mdx | 8 +- .../reproducible-machine-configuration.mdx | 2 +- .../system-configuration/time-sync.mdx | 6 +- .../interactive-dashboard.mdx | 8 +- .../workers-on-controlplane.mdx | 2 +- .../getting-started/deploy-first-workload.mdx | 2 +- .../v1.12/getting-started/getting-started.mdx | 27 +- .../talos/v1.12/getting-started/prodnotes.mdx | 42 +- .../v1.12/getting-started/quickstart.mdx | 24 +- .../v1.12/getting-started/support-matrix.mdx | 2 +- .../getting-started/system-requirements.mdx | 2 +- .../getting-started/what's-new-in-talos.mdx | 38 +- .../talos/v1.12/learn-more/architecture.mdx | 2 +- .../talos/v1.12/learn-more/control-plane.mdx | 14 +- .../learn-more/controllers-resources.mdx | 6 +- .../talos/v1.12/learn-more/image-factory.mdx | 6 +- public/talos/v1.12/learn-more/kubespan.mdx | 12 +- .../v1.12/learn-more/networking-resources.mdx | 18 +- public/talos/v1.12/learn-more/philosophy.mdx | 2 +- .../learn-more/talos-network-connectivity.mdx | 2 +- 
public/talos/v1.12/learn-more/talosctl.mdx | 6 +- .../networking/advanced/ethernet-config.mdx | 6 +- .../talos/v1.12/networking/advanced/vip.mdx | 10 +- .../networking/configuration/dynamic.mdx | 6 +- .../networking/configuration/hostname.mdx | 2 +- .../networking/configuration/physical.mdx | 2 +- .../networking/configuration/resolvers.mdx | 2 +- .../v1.12/networking/configuration/static.mdx | 2 +- .../v1.12/networking/configuration/time.mdx | 2 +- .../v1.12/networking/corporate-proxies.mdx | 4 +- public/talos/v1.12/networking/host-dns.mdx | 6 +- .../v1.12/networking/ingress-firewall.mdx | 6 +- public/talos/v1.12/networking/kubespan.mdx | 18 +- .../predictable-interface-names.mdx | 2 +- public/talos/v1.12/networking/siderolink.mdx | 2 +- public/talos/v1.12/overview/what-is-talos.mdx | 2 +- .../air-gapped.mdx | 8 +- .../bare-metal-platforms/bootloader.mdx | 2 +- .../bare-metal-platforms/equinix-metal.mdx | 14 +- .../bare-metal-platforms/matchbox.mdx | 20 +- .../metal-network-configuration.mdx | 12 +- .../bare-metal-platforms/network-config.mdx | 6 +- .../bare-metal-platforms/secureboot.mdx | 32 +- .../boot-assets.mdx | 6 +- .../cloud-platforms/akamai.mdx | 12 +- .../cloud-platforms/aws.mdx | 30 +- .../cloud-platforms/azure.mdx | 24 +- .../cloud-platforms/cloudstack.mdx | 26 +- .../cloud-platforms/digitalocean.mdx | 14 +- .../cloud-platforms/gcp.mdx | 24 +- .../cloud-platforms/hetzner.mdx | 18 +- .../cloud-platforms/kubernetes.mdx | 10 +- .../cloud-platforms/nocloud.mdx | 2 +- .../cloud-platforms/openstack.mdx | 20 +- .../cloud-platforms/oracle.mdx | 18 +- .../cloud-platforms/scaleway.mdx | 10 +- .../cloud-platforms/upcloud.mdx | 20 +- .../cloud-platforms/vultr.mdx | 22 +- .../local-platforms/docker.mdx | 8 +- .../local-platforms/qemu.mdx | 10 +- .../local-platforms/virtualbox.mdx | 18 +- .../single-board-computers/bananapi_m64.mdx | 6 +- .../single-board-computers/jetson_nano.mdx | 6 +- .../libretech_all_h3_cc_h5.mdx | 6 +- .../single-board-computers/nanopi_r4s.mdx 
| 6 +- .../single-board-computers/orangepi_5.mdx | 2 +- .../orangepi_r1_plus_lts.mdx | 4 +- .../single-board-computers/pine64.mdx | 6 +- .../single-board-computers/rock4cplus.mdx | 4 +- .../single-board-computers/rock5b.mdx | 4 +- .../single-board-computers/rock64.mdx | 6 +- .../single-board-computers/rockpi_4.mdx | 6 +- .../single-board-computers/rockpi_4c.mdx | 6 +- .../single-board-computers/rpi_generic.mdx | 14 +- .../single-board-computers/turing_rk1.mdx | 4 +- .../virtualized-platforms/hyper-v.mdx | 12 +- .../virtualized-platforms/kvm.mdx | 8 +- .../virtualized-platforms/proxmox.mdx | 26 +- .../virtualized-platforms/vmware.mdx | 30 +- .../virtualized-platforms/xenorchestra.mdx | 4 +- public/talos/v1.12/security/ca-rotation.mdx | 8 +- .../talos/v1.12/security/cert-management.mdx | 8 +- .../iam-roles-for-service-accounts.mdx | 2 +- .../talos/v1.12/security/verifying-images.mdx | 4 +- public/talos/v1.13/advanced-guides/SBOM.mdx | 2 +- .../migrating-from-kubeadm.mdx | 4 +- .../cgroups-analysis.mdx | 3 +- .../disaster-recovery.mdx | 16 +- .../etcd-maintenance.mdx | 16 +- .../building-images.mdx | 10 +- .../customizing-the-kernel.mdx | 6 +- .../developing-talos.mdx | 18 +- .../oci-base-spec.mdx | 4 +- .../overlays.mdx | 13 +- .../system-extensions.mdx | 12 +- .../hardware-and-drivers/amd-gpu.mdx | 4 +- .../nvidia-gpu-proprietary.mdx | 2 +- .../images-container-runtime/containerd.mdx | 6 +- .../image-cache-registry-mirror.mdx | 10 +- .../images-container-runtime/image-cache.mdx | 29 +- .../pull-through-cache.mdx | 6 +- .../images-container-runtime/static-pods.mdx | 2 +- .../resetting-a-machine.mdx | 2 +- .../lifecycle-management/upgrading-talos.mdx | 12 +- .../logging-and-telemetry/logging.mdx | 8 +- .../disk-encryption.mdx | 18 +- .../disk-management/common.mdx | 6 +- .../disk-management/existing.mdx | 2 +- .../disk-management/layout.mdx | 10 +- .../disk-management/overview.mdx | 4 +- .../disk-management/raw.mdx | 4 +- .../disk-management/resources.mdx | 8 +- 
.../disk-management/system.mdx | 4 +- .../disk-management/user.mdx | 6 +- .../storage-and-disk-management/swap.mdx | 6 +- .../system-configuration/acquire.mdx | 10 +- .../system-configuration/discovery.mdx | 8 +- .../editing-machine-configuration.mdx | 4 +- .../system-configuration/insecure.mdx | 41 +- .../system-configuration/patching.mdx | 4 +- .../performance-tuning.mdx | 8 +- .../reproducible-machine-configuration.mdx | 2 +- .../system-configuration/time-sync.mdx | 6 +- .../interactive-dashboard.mdx | 8 +- .../workers-on-controlplane.mdx | 2 +- .../getting-started/deploy-first-workload.mdx | 2 +- .../v1.13/getting-started/getting-started.mdx | 29 +- .../talos/v1.13/getting-started/prodnotes.mdx | 42 +- .../v1.13/getting-started/quickstart.mdx | 24 +- .../v1.13/getting-started/support-matrix.mdx | 2 +- .../getting-started/system-requirements.mdx | 2 +- .../getting-started/what's-new-in-talos.mdx | 261 +- .../talos/v1.13/learn-more/architecture.mdx | 2 +- .../talos/v1.13/learn-more/control-plane.mdx | 14 +- .../learn-more/controllers-resources.mdx | 6 +- .../talos/v1.13/learn-more/image-factory.mdx | 6 +- public/talos/v1.13/learn-more/kubespan.mdx | 12 +- .../v1.13/learn-more/networking-resources.mdx | 18 +- public/talos/v1.13/learn-more/philosophy.mdx | 2 +- .../learn-more/talos-network-connectivity.mdx | 2 +- public/talos/v1.13/learn-more/talosctl.mdx | 6 +- .../networking/advanced/ethernet-config.mdx | 12 +- .../talos/v1.13/networking/advanced/vip.mdx | 10 +- .../networking/configuration/dynamic.mdx | 6 +- .../networking/configuration/hostname.mdx | 2 +- .../networking/configuration/physical.mdx | 2 +- .../networking/configuration/resolvers.mdx | 2 +- .../v1.13/networking/configuration/static.mdx | 2 +- .../v1.13/networking/configuration/time.mdx | 2 +- .../v1.13/networking/corporate-proxies.mdx | 4 +- public/talos/v1.13/networking/host-dns.mdx | 6 +- .../v1.13/networking/ingress-firewall.mdx | 6 +- public/talos/v1.13/networking/kubespan.mdx | 18 +- 
.../predictable-interface-names.mdx | 2 +- public/talos/v1.13/networking/siderolink.mdx | 2 +- public/talos/v1.13/overview/what-is-talos.mdx | 2 +- .../air-gapped.mdx | 8 +- .../bare-metal-platforms/bootloader.mdx | 2 +- .../bare-metal-platforms/equinix-metal.mdx | 14 +- .../bare-metal-platforms/matchbox.mdx | 20 +- .../metal-network-configuration.mdx | 12 +- .../bare-metal-platforms/network-config.mdx | 6 +- .../bare-metal-platforms/secureboot.mdx | 32 +- .../boot-assets.mdx | 8 +- .../cloud-platforms/akamai.mdx | 12 +- .../cloud-platforms/aws.mdx | 30 +- .../cloud-platforms/azure.mdx | 24 +- .../cloud-platforms/cloudstack.mdx | 26 +- .../cloud-platforms/digitalocean.mdx | 14 +- .../cloud-platforms/gcp.mdx | 24 +- .../cloud-platforms/hetzner.mdx | 18 +- .../cloud-platforms/kubernetes.mdx | 10 +- .../cloud-platforms/nocloud.mdx | 2 +- .../cloud-platforms/openstack.mdx | 20 +- .../cloud-platforms/oracle.mdx | 18 +- .../cloud-platforms/scaleway.mdx | 10 +- .../cloud-platforms/upcloud.mdx | 20 +- .../cloud-platforms/vultr.mdx | 22 +- .../local-platforms/docker.mdx | 8 +- .../local-platforms/qemu.mdx | 10 +- .../local-platforms/virtualbox.mdx | 18 +- .../single-board-computers/bananapi_m64.mdx | 6 +- .../single-board-computers/jetson_nano.mdx | 6 +- .../libretech_all_h3_cc_h5.mdx | 6 +- .../single-board-computers/nanopi_r4s.mdx | 6 +- .../single-board-computers/orangepi_5.mdx | 2 +- .../orangepi_r1_plus_lts.mdx | 4 +- .../single-board-computers/pine64.mdx | 6 +- .../single-board-computers/rock4cplus.mdx | 4 +- .../single-board-computers/rock5b.mdx | 4 +- .../single-board-computers/rock64.mdx | 6 +- .../single-board-computers/rockpi_4.mdx | 6 +- .../single-board-computers/rockpi_4c.mdx | 6 +- .../single-board-computers/rpi_generic.mdx | 16 +- .../single-board-computers/turing_rk1.mdx | 4 +- .../virtualized-platforms/hyper-v.mdx | 12 +- .../virtualized-platforms/kvm.mdx | 8 +- .../virtualized-platforms/proxmox.mdx | 26 +- .../virtualized-platforms/vmware.mdx | 30 +- 
.../virtualized-platforms/xenorchestra.mdx | 4 +- public/talos/v1.13/reference/cli.mdx | 2152 ++++++----- .../v1.13/reference/configuration/cli.mdx | 3291 ----------------- .../configuration/network/ethernetconfig.mdx | 4 +- .../configuration/v1alpha1/config.mdx | 47 +- public/talos/v1.13/security/ca-rotation.mdx | 8 +- .../talos/v1.13/security/cert-management.mdx | 8 +- .../iam-roles-for-service-accounts.mdx | 2 +- .../talos/v1.13/security/verifying-images.mdx | 4 +- 319 files changed, 2837 insertions(+), 5622 deletions(-) rename public/omni/{infrastructure-and-extensions/self-hosted => cluster-management}/expose-omni-with-nginx-https.mdx (97%) rename public/omni/{infrastructure-and-extensions/self-hosted => cluster-management}/upgrading-omni.mdx (94%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/configure-keycloak-for-omni.mdx (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-Root-URL.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-SAML.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-add-predefined-mappers.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-client-scopes.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-client-signature.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-create-client.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-create-new-user-form.png (100%) rename 
public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-create-new-user.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-create-realm.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-no-credentials.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-omni-create.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-openID.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-predefined-mapper.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-for-omni-signature-encryption.png (100%) rename public/omni/{infrastructure-and-extensions/self-hosted => security-and-authentication}/images/configure-keycloak-saml-idp.png (100%) rename public/omni/{infrastructure-and-extensions => }/self-hosted/deploy-image-factory-on-prem.mdx (95%) rename public/omni/{infrastructure-and-extensions => }/self-hosted/deploy-omni-on-prem.mdx (93%) rename public/omni/{infrastructure-and-extensions => }/self-hosted/how-to-back-up-on-prem-omni-db.mdx (100%) rename public/omni/{infrastructure-and-extensions => self-hosted}/install-airgapped-omni.mdx (99%) rename public/omni/{infrastructure-and-extensions => }/self-hosted/omni-deployment-options.mdx (96%) rename public/omni/{infrastructure-and-extensions => }/self-hosted/overview.mdx (100%) delete mode 100644 public/talos/v1.13/reference/configuration/cli.mdx diff --git a/omni.yaml b/omni.yaml index d05f3e23..5bf5f7cd 100644 --- a/omni.yaml +++ b/omni.yaml 
@@ -18,20 +18,19 @@ navigation: - "create-a-cluster.mdx" - "support-matrix.mdx" + - group: "Self Hosted" + folder: "omni/self-hosted" + pages: + - "overview.mdx" + - "omni-deployment-options.mdx" + - "deploy-omni-on-prem.mdx" + - "install-airgapped-omni.mdx" + - "deploy-image-factory-on-prem.mdx" + - "how-to-back-up-on-prem-omni-db.mdx" + - group: "Infrastructure and Extensions" folder: "omni/infrastructure-and-extensions" pages: - - group: "Self Hosted" - pages: - - "self-hosted/overview" - - "self-hosted/omni-deployment-options" - - "self-hosted/deploy-omni-on-prem" - - "self-hosted/deploy-image-factory-on-prem" - - "self-hosted/configure-keycloak-for-omni" - - "self-hosted/how-to-back-up-on-prem-omni-db" - - "self-hosted/expose-omni-with-nginx-https" - - "self-hosted/upgrading-omni" - - "install-airgapped-omni.mdx" - "infrastructure-providers.mdx" - "writing-infrastructure-providers.mdx" - "machine-registration.mdx" @@ -71,11 +70,13 @@ navigation: - "upgrading-clusters.mdx" - "omni-terraform.mdx" - "expose-an-http-service-from-a-cluster.mdx" + - "expose-omni-with-nginx-https.mdx" - "export-a-cluster-template-from-a-cluster-created-in-the-ui.mdx" - "etcd-backups.mdx" - "restore-etcd-of-a-cluster-managed-by-cluster-templates.mdx" - "using-audit-log.mdx" - "importing-talos-clusters.mdx" + - "upgrading-omni.mdx" - "wipe-a-machine.mdx" - "talos-config-overrides.mdx" - "override-ntp-servers.mdx" @@ -97,6 +98,7 @@ navigation: - "using-saml-with-omni/configure-oracle-cloud-for-omni" - "authentication-and-authorization.mdx" - "oidc-login-with-tailscale.mdx" + - "configure-keycloak-for-omni" - "how-to-manage-acls.mdx" - "omni-kms-disk-encryption.mdx" - "break-glass-emergency-access.mdx" diff --git a/public/docs.json b/public/docs.json index de68aa47..cefe730f 100644 --- a/public/docs.json +++ b/public/docs.json 
@@ -2168,23 +2168,20 @@ "omni/getting-started/support-matrix" ] }, + { + "group": "Self Hosted", + "pages": [ + "omni/self-hosted/overview", + "omni/self-hosted/omni-deployment-options", + "omni/self-hosted/deploy-omni-on-prem", + "omni/self-hosted/install-airgapped-omni", + "omni/self-hosted/deploy-image-factory-on-prem", + "omni/self-hosted/how-to-back-up-on-prem-omni-db" + ] + }, { "group": "Infrastructure and Extensions", "pages": [ - { - "group": "Self Hosted", - "pages": [ - "omni/infrastructure-and-extensions/self-hosted/overview", - "omni/infrastructure-and-extensions/self-hosted/omni-deployment-options", - "omni/infrastructure-and-extensions/self-hosted/deploy-omni-on-prem", - "omni/infrastructure-and-extensions/self-hosted/deploy-image-factory-on-prem", - "omni/infrastructure-and-extensions/self-hosted/configure-keycloak-for-omni", - "omni/infrastructure-and-extensions/self-hosted/how-to-back-up-on-prem-omni-db", - "omni/infrastructure-and-extensions/self-hosted/expose-omni-with-nginx-https", - "omni/infrastructure-and-extensions/self-hosted/upgrading-omni" - ] - }, - "omni/infrastructure-and-extensions/install-airgapped-omni", "omni/infrastructure-and-extensions/infrastructure-providers", "omni/infrastructure-and-extensions/writing-infrastructure-providers", "omni/infrastructure-and-extensions/machine-registration", 
@@ -2232,11 +2229,13 @@ "omni/cluster-management/upgrading-clusters", "omni/cluster-management/omni-terraform", "omni/cluster-management/expose-an-http-service-from-a-cluster", + "omni/cluster-management/expose-omni-with-nginx-https", "omni/cluster-management/export-a-cluster-template-from-a-cluster-created-in-the-ui", "omni/cluster-management/etcd-backups", "omni/cluster-management/restore-etcd-of-a-cluster-managed-by-cluster-templates", "omni/cluster-management/using-audit-log", "omni/cluster-management/importing-talos-clusters", + "omni/cluster-management/upgrading-omni", "omni/cluster-management/wipe-a-machine", "omni/cluster-management/talos-config-overrides", "omni/cluster-management/override-ntp-servers", @@ -2262,6 +2261,7 @@ }, "omni/security-and-authentication/authentication-and-authorization", "omni/security-and-authentication/oidc-login-with-tailscale", + "omni/security-and-authentication/configure-keycloak-for-omni", "omni/security-and-authentication/how-to-manage-acls", "omni/security-and-authentication/omni-kms-disk-encryption", "omni/security-and-authentication/break-glass-emergency-access", diff --git a/public/kubernetes-guides/advanced-guides/deploy-traefik.mdx b/public/kubernetes-guides/advanced-guides/deploy-traefik.mdx index 4be72694..1b1de11c 100644 --- a/public/kubernetes-guides/advanced-guides/deploy-traefik.mdx +++ b/public/kubernetes-guides/advanced-guides/deploy-traefik.mdx @@ -88,7 +88,7 @@ EOF ``` -## Step 4: Deploy a Sample Application +## Step 4: Deploy an application Deploy a simple test application called whoami. @@ -158,7 +158,7 @@ EOF ``` -## Step 6: Test the Setup +## Step 6: Test the setup Finally, verify that Traefik is routing traffic correctly. diff --git a/public/kubernetes-guides/advanced-guides/device-plugins.mdx b/public/kubernetes-guides/advanced-guides/device-plugins.mdx index 13db9813..5bc0ddae 100644 --- a/public/kubernetes-guides/advanced-guides/device-plugins.mdx 
+++ b/public/kubernetes-guides/advanced-guides/device-plugins.mdx @@ -7,7 +7,7 @@ description: "In this guide you will learn how to expose host devices to the Kub This guide will show you how to deploy a device plugin to your Talos cluster. In this guide, we will use [Kubernetes Generic Device Plugin](https://github.com/squat/generic-device-plugin), but there are other implementations available. -## Deploying the Device Plugin +## Deploying the device plugin The Kubernetes Generic Device Plugin is a DaemonSet that runs on each node in the cluster, exposing the devices to the pods. The device plugin is configured with a [list of devices to expose](https://github.com/squat/generic-device-plugin#overview), e.g. @@ -104,7 +104,7 @@ Allocated resources: squat.ai/tun 0 0 ``` -## Deploying a Pod with the Device +## Deploy a pod with the device Now that the device plugin is deployed, you can deploy a pod that requests the device. The request for the device is specified as a [resource](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) in the pod spec. diff --git a/public/kubernetes-guides/advanced-guides/dynamic-resource-allocation.mdx b/public/kubernetes-guides/advanced-guides/dynamic-resource-allocation.mdx index a176d441..15740666 100644 --- a/public/kubernetes-guides/advanced-guides/dynamic-resource-allocation.mdx +++ b/public/kubernetes-guides/advanced-guides/dynamic-resource-allocation.mdx @@ -34,7 +34,7 @@ cluster: You should have at least one node in the cluster with NVIDIA hardware and configured via the NVIDIA system extension and patch -## 1. Deploy the NVIDIA DRA plugin via helm +## 1. Deploy the NVIDIA DRA plugin via Helm Use helm to install the DRA plugin. diff --git a/public/kubernetes-guides/advanced-guides/gcp-workload-identity.mdx b/public/kubernetes-guides/advanced-guides/gcp-workload-identity.mdx index 75d4b9cf..6461fae4 100644 --- a/public/kubernetes-guides/advanced-guides/gcp-workload-identity.mdx 
+++ b/public/kubernetes-guides/advanced-guides/gcp-workload-identity.mdx @@ -6,7 +6,7 @@ description: "Guide on how to configure Google Cloud Workload Identity Federatio This guide provides a step-by-step walkthrough for configuring Google Cloud Workload Identity Federation on a Talos Kubernetes cluster. It covers setting up the necessary GCP infrastructure (buckets, pools, providers), patching the Talos API server with RSA keys for OIDC compatibility, and binding Kubernetes Service Accounts to Google Service Accounts for secure authentication. -## Environment Setup +## Environment setup We'll make use of the following environment variables throughout the setup. Edit the variables below with your correct information. @@ -19,7 +19,7 @@ export PROVIDER_NAME="WorkloadIdentityProvider" export REGION="us-east1" ``` -## GCP Infrastructure +## GCP infrastructure ### Create the OIDC Storage Bucket @@ -46,7 +46,7 @@ gcloud iam workload-identity-pools create ${POOL_NAME} \ --display-name="Talos Workload Identity Pool" ``` -### Create the OIDC Provider +### Create the OIDC provider Create an OIDC provider that trusts tokens from the specified issuer, enabling secure external authentication to Google Cloud. @@ -59,9 +59,9 @@ gcloud iam workload-identity-pools providers create-oidc ${PROVIDER_NAME} \ --attribute-mapping="google.subject=assertion.sub,attribute.sub=assertion.sub" ``` -## Talos Configuration +## Talos configuration -### RSA Key +### RSA key Now we will patch the Talos Kubernetes cluster api-server to use this OIDC provider as api-audiences alongside the default API server audience. Talos by default generates ECDSA keys for Kubernetes service account verification which don’t work with Google’s IAM Workload Identity Pool OIDC provider. 
@@ -71,7 +71,7 @@ Instead, we need to generate an RSA key and replace the default service account RSA_KEY_ENCODED=$(openssl genrsa 4096 2> /dev/null | base64 -w 0) ``` -### Retrieve OIDC Provider URL +### Retrieve OIDC provider URL Retrieve the URL of the OIDC provider for configuring external authentication. @@ -102,7 +102,7 @@ cluster: EOF ``` -### Apply OIDC Patch to Control Plane Node +### Apply OIDC patch to control plane node Retrieve a Control Plane node’s IP and apply the OIDC patch to configure the cluster for Workload Identity authentication @@ -112,7 +112,7 @@ CONTROL_PLANE_NODE_ADDRESS=$(kubectl --kubeconfig kubeconfig get nodes --output talosctl patch machineconfig --talosconfig talosconfig --patch @oidc-patch.yaml --nodes ${CONTROL_PLANE_NODE_ADDRESS} ``` -### Retrieve Kubernetes OIDC Configuration +### Retrieve Kubernetes OIDC configuration Download the cluster’s keys.json and discovery.json files, which contain the OIDC public keys and discovery metadata needed for external authentication. @@ -133,7 +133,7 @@ gcloud storage cp discovery.json gs://${BUCKET_NAME}/.well-known/openid-configur curl https://storage.googleapis.com/$BUCKET_NAME/.well-known/openid-configuration ``` -## Identity Binding & Permissions +## Identity binding & permissions ### Create the Google Service Account (GSA) @@ -144,7 +144,7 @@ GSA_NAME="talos-workload-sa" gcloud iam service-accounts create ${GSA_NAME} --project=${PROJECT_ID} ``` -### Get the Workload Identity Pool Name +### Get the Workload Identity Pool name Retrieve the full resource name of the Workload Identity Pool for configuring identity bindings. 
@@ -152,7 +152,7 @@ Retrieve the full resource name of the Workload Identity Pool for configuring id WORKLOAD_IDENTITY_POOL_URL=$(gcloud iam workload-identity-pools list --location="global" --filter="name:${POOL_NAME}" --format json | jq -r '.[].name') ``` -### Grant Permissions to the GSA +### Grant permissions to the GSA Assign the necessary roles to the Google Service Account, including access to project resources and the ability to be impersonated via Workload Identity. @@ -167,7 +167,7 @@ gcloud iam service-accounts add-iam-policy-binding "${GSA_NAME}@${PROJECT_ID}.ia ``` Ensure the member string matches your specific Kubernetes configuration. The format is `system:serviceaccount::`. In this example, we use the default namespace and the workload-identity service account. -### Generate the Workload Identity Config File +### Generate the Workload Identity configuration file Create a local configuration file that maps the Kubernetes service account to the Google Service Account for authentication. @@ -178,9 +178,9 @@ gcloud iam workload-identity-pools create-cred-config \ --credential-source-file="/var/run/secrets/tokens/gcp-ksa/token" \ --output-file=sts-creds.json ``` -## Deployment & Verification +## Deployment & Vverification -### Deploy Credential ConfigMap +### Deploy credential configMap Create a ConfigMap to store the credential configuration file, enabling the Pod's Google SDK to perform the token exchange. @@ -188,7 +188,7 @@ Create a ConfigMap to store the credential configuration file, enabling the Pod' kubectl --kubeconfig kubeconfig create configmap workload-identity-config --from-file=google-application-credentials.json=sts-creds.json -n default ``` -### Create a Kubernetes Service Account +### Create a Kubernetes service account Create the Kubernetes Service Account that will be bound to the Google Service Account to authorize the workload. 
@@ -196,7 +196,7 @@ Create the Kubernetes Service Account that will be bound to the Google Service A kubectl --kubeconfig kubeconfig create serviceaccount workload-identity --namespace default ``` -### Deploy Test Pod +### Deploy test pod Deploy a Pod that projects the Service Account token and credential configuration to verify the identity federation. @@ -244,7 +244,7 @@ spec: EOF ``` -### Verify Access +### Verify access Execute a command inside the running Pod to list the storage bucket contents, confirming that the Workload Identity authentication is functioning correctly. diff --git a/public/kubernetes-guides/advanced-guides/inlinemanifests.mdx b/public/kubernetes-guides/advanced-guides/inlinemanifests.mdx index eda9f8d5..acf5fa3f 100644 --- a/public/kubernetes-guides/advanced-guides/inlinemanifests.mdx +++ b/public/kubernetes-guides/advanced-guides/inlinemanifests.mdx @@ -50,7 +50,7 @@ cluster: - "https://gist.githubusercontent.com/user/gist-id/raw/manifest.yaml" ``` -## Resource Ordering Considerations +## Resource ordering considerations Talos automatically sorts all manifests, including `inlineManifests`, `extraManifests`, and built-in manifests (such as the kubelet bootstrap token and CoreDNS), before applying them in the following order: @@ -104,7 +104,7 @@ You can skip this step if you've already done it: kubectl get pods -n flux-system -w ``` -## Omni Patches +## Omni patches You can also apply `inlineManifests` or `extraManifests` patches to Talos clusters managed by Omni. 
@@ -122,7 +122,7 @@ Here’s a quick overview of the key differences between `inlineManifests` and ` | Benefits | No external dependencies | Centrally managed | | Disadvantages | Difficult to maintain and format embedded YAML | Requires external HTTP server | -## How Talos Handles Manifest Resources +## How Talos handles manifest resources Talos reconciles manifests on every boot, on every failure to apply, and on every change to the manifests in the machine config. When processing your `inlineManifests` and `extraManifests`, Talos follows a conservative, additive-only approach. diff --git a/public/kubernetes-guides/advanced-guides/kubeprism.mdx b/public/kubernetes-guides/advanced-guides/kubeprism.mdx index ec864a9b..0d0a6bf0 100644 --- a/public/kubernetes-guides/advanced-guides/kubeprism.mdx +++ b/public/kubernetes-guides/advanced-guides/kubeprism.mdx @@ -13,7 +13,7 @@ If the external cluster endpoint is unavailable (due to misconfiguration, networ KubePrism solves this problem by enabling an in-cluster highly-available controlplane endpoint on every node in the cluster. -## Video Walkthrough +## Video walkthrough To see a live demo of this writeup, see the video below: diff --git a/public/kubernetes-guides/advanced-guides/kuberay.mdx b/public/kubernetes-guides/advanced-guides/kuberay.mdx index d1408862..a3f20a5f 100644 --- a/public/kubernetes-guides/advanced-guides/kuberay.mdx +++ b/public/kubernetes-guides/advanced-guides/kuberay.mdx 
@@ -8,7 +8,7 @@ import { version } from '/snippets/custom-variables.mdx'; [Ray](https://www.ray.io/) is a project for running machine learning jobs in a cluster of machines. [KubeRay](https://github.com/ray-project/kuberay) is an operator for installing Ray on top of Kubernetes. For up-to-date installation guide check with the [upstream Ray documentation](https://docs.ray.io/en/latest/cluster/kubernetes/getting-started/kuberay-operator-installation.html). -## Install Ray operator with helm +## Install Ray operator with Helm Create a Kubernetes cluster with [`talosctl`](../../omni/getting-started/how-to-install-talosctl) or via [Omni](../../omni/overview/what-is-omni). diff --git a/public/kubernetes-guides/advanced-guides/node-labels.mdx b/public/kubernetes-guides/advanced-guides/node-labels.mdx index c7dd46bb..2cc116f6 100644 --- a/public/kubernetes-guides/advanced-guides/node-labels.mdx +++ b/public/kubernetes-guides/advanced-guides/node-labels.mdx @@ -49,7 +49,7 @@ After applying the machine config and rebooting the node, verify the labels with kubectl describe node ``` -### Role Labels +### Role labels To assign Kubernetes role labels such as: @@ -65,7 +65,7 @@ kubectl label node node-role.kubernetes.io/worker="" Alternatively, you can use the [Talos Cloud Controller Manager](https://github.com/siderolabs/talos-cloud-controller-manager/blob/main/docs/config.md) or your own controller to translate custom domain labels into the conventional `node-role.kubernetes.io/*` form if required. -## Node Taints +## Node taints Kubernetes taints let you prevent workloads from being scheduled on a node unless they have matching tolerations. You can learn more in the official [Taints and Tolerations documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). 
@@ -76,7 +76,7 @@ Attempting to do so results in errors such as: ` is not allowed to mo This behaviour is expected and required for Kubernetes hardening. -### Apply Taints +### Apply taints Talos supports setting initial taints only during first node registration, using the kubelet's `registerWithTaints` configuration. @@ -110,7 +110,7 @@ Apply this patch to your worker node’s configuration file. The taint will be applied once, during the node’s initial registration with the Kubernetes API server. After the node has joined the cluster, updating this field will no longer have any effect. -### Modify Taints After Bootstrap +### Modify taints after bootstrap After a node has joined the cluster, taints must be managed using a cluster-admin identity: diff --git a/public/kubernetes-guides/advanced-guides/talos-api-access-from-k8s.mdx b/public/kubernetes-guides/advanced-guides/talos-api-access-from-k8s.mdx index 8eca25cb..81449a6d 100644 --- a/public/kubernetes-guides/advanced-guides/talos-api-access-from-k8s.mdx +++ b/public/kubernetes-guides/advanced-guides/talos-api-access-from-k8s.mdx @@ -9,7 +9,7 @@ import { release } from '/snippets/custom-variables.mdx'; In this guide, we will enable the Talos feature to access the Talos API from within Kubernetes. -## Enabling the Feature +## Enable the feature Edit the machine configuration to enable the feature, specifying the Kubernetes namespaces from which Talos API can be accessed and the allowed Talos API roles. @@ -32,7 +32,7 @@ spec: - default ``` -## Injecting Talos ServiceAccount into manifests +## Inject Talos ServiceAccount into manifests Create the following manifest file `deployment.yaml`: @@ -127,7 +127,7 @@ spec: As you can notice, your deployment manifest is now injected with the Talos ServiceAccount. -## Testing API Access +## Test API access Apply the new manifest into `default` namespace: 
diff --git a/public/kubernetes-guides/advanced-guides/upgrading-kubernetes.mdx b/public/kubernetes-guides/advanced-guides/upgrading-kubernetes.mdx index 13328065..ba204f9b 100644 --- a/public/kubernetes-guides/advanced-guides/upgrading-kubernetes.mdx +++ b/public/kubernetes-guides/advanced-guides/upgrading-kubernetes.mdx @@ -13,13 +13,13 @@ For a list of Kubernetes versions compatible with each Talos release, see the [S For upgrading the Talos Linux operating system, see [Upgrading Talos](../../talos/v1.10/configure-your-talos-cluster/lifecycle-management/upgrading-talos) -## Video Walkthrough +## Video walkthrough To see a demo of this process, watch this video: -## Automated Kubernetes Upgrade +## Automated Kubernetes upgrade The recommended method to upgrade Kubernetes is to use the `talosctl upgrade-k8s` command. This will automatically update the components needed to upgrade Kubernetes safely. @@ -122,7 +122,7 @@ For example if [kube-proxy](https://docs.siderolabs.com/talos/latest/reference/c Pruning can be disabled by passing the `--manifests-no-prune` flag. -### Synchronize Declared and Deployed Configurations +### Synchronize declared and deployed configurations When Kubernetes is upgraded with `talosctl upgrade-k8s`, the live machine configuration on your nodes is updated with new component image versions (API server, controller manager, scheduler, kube-proxy, etc.). @@ -135,7 +135,7 @@ Version numbers for Talos, etcd, Kubernetes components, and add-ons change frequ See the [Reproducible Machine Configuration](../../talos/v1.10/configure-your-talos-cluster/system-configuration/reproducible-machine-configuration) guide for full instructions on handling machine configurations after version bumps. -## Manual Kubernetes Upgrade +## Manual Kubernetes upgrade Kubernetes can be upgraded manually by following the steps outlined below. They are equivalent to the steps performed by the `talosctl upgrade-k8s` command. 
@@ -149,7 +149,7 @@ If you don't already have one, you can get one by running: talosctl --nodes kubeconfig ``` -### API Server +### API server Patch machine configuration using `talosctl patch` command: @@ -213,7 +213,7 @@ kube-apiserver-talos-default-controlplane-1 1/1 Running 0 16m Repeat this process for every control plane node, verifying that state got propagated successfully between each node update. -### Controller Manager +### Controller manager Patch machine configuration using `talosctl patch` command: @@ -374,7 +374,7 @@ To edit the `DaemonSet`, run: kubectl edit daemonsets -n kube-system kube-proxy ``` -### Bootstrap Manifests +### Bootstrap manifests Bootstrap manifests can be retrieved in a format which works for `kubectl` with the following command: diff --git a/public/kubernetes-guides/cni/deploy-calico.mdx b/public/kubernetes-guides/cni/deploy-calico.mdx index dfd219f8..82b97fba 100644 --- a/public/kubernetes-guides/cni/deploy-calico.mdx +++ b/public/kubernetes-guides/cni/deploy-calico.mdx @@ -25,7 +25,7 @@ talosctl gen config \ --config-patch @patch.yaml ``` -## Installing Tigera Operator +## Installing Tigera operator Recommended way to install Calico is via `Tigera-operator` manifest. The operator will make sure that all Calico components are always up and running. @@ -37,7 +37,7 @@ Use the following command to install the latest Tigera operator. kubectl create -f https://docs.tigera.io/calico/latest/manifests/tigera-operator.yaml ``` -### Configuring Calico Networking +### Configuring Calico networking Calico has a pluggable dataplane architecture that lets you choose the networking technology based on your use case. You can configure the dataplane by setting the `linuxDataplane` key in the installation manifest. @@ -127,7 +127,7 @@ EOF -## Deploy Calico Whisker Network Observability Stack +## Deploy Calico Whisker network observability stack Use the following command to enable Calico observability stack: 
diff --git a/public/kubernetes-guides/cni/deploying-cilium.mdx b/public/kubernetes-guides/cni/deploying-cilium.mdx index 38a7808b..179783c5 100644 --- a/public/kubernetes-guides/cni/deploying-cilium.mdx +++ b/public/kubernetes-guides/cni/deploying-cilium.mdx @@ -14,7 +14,7 @@ Each method can either install Cilium using kube proxy (default) or without: [Ku In this guide we assume that [KubePrism](../advanced-guides/kubeprism) is enabled and configured to use the port 7445. -## Machine config preparation +## Machine configuration preparation When generating the machine config for a node set the CNI to none. For example using a config patch: diff --git a/public/kubernetes-guides/csi/ceph-with-rook.mdx b/public/kubernetes-guides/csi/ceph-with-rook.mdx index 522f46f1..f89a341e 100644 --- a/public/kubernetes-guides/csi/ceph-with-rook.mdx +++ b/public/kubernetes-guides/csi/ceph-with-rook.mdx @@ -100,7 +100,7 @@ ceph-bucket rook-ceph.ceph.rook.io/bucket Delete Immediate ceph-filesystem rook-ceph.cephfs.csi.ceph.com Delete Immediate true 77m ``` -## Talos Linux Considerations +## Talos Linux considerations By default, Rook configues Ceph to have 3 `mon` instances, in which case the data stored in `dataDirHostPath` can be regenerated from the other `mon` instances. So when performing maintenance on a Talos Linux node with a Rook Ceph cluster (e.g. upgrading the Talos Linux version), it is imperative that care be taken to maintain the health of the Ceph cluster. 
@@ -130,9 +130,9 @@ cephcluster.ceph.rook.io/rook-ceph condition met The above steps need to be performed for each Talos Linux node undergoing maintenance, one at a time. -## Cleaning Up +## Cleaning up -### Rook Ceph Cluster Removal +### Rook Ceph cluster removal Removing a Rook Ceph cluster requires a few steps, starting with signalling to Rook that the Ceph cluster is really being destroyed. Then all Persistent Volumes (and Claims) backed by the Ceph cluster must be deleted, followed by the Storage Classes and the Ceph storage types. @@ -217,7 +217,7 @@ customresourcedefinition.apiextensions.k8s.io "objectbucketclaims.objectbucket.i customresourcedefinition.apiextensions.k8s.io "objectbuckets.objectbucket.io" deleted ``` -### Talos Linux Rook Metadata Removal +### Talos Linux Rook metadata removal If the Rook Operator is cleanly removed following the above process, the node metadata and disks should be clean and ready to be re-used. In the case of an unclean cluster removal, there may be still a few instances of metadata stored on the system disk, as well as the partition information on the storage disks. diff --git a/public/kubernetes-guides/csi/local-storage.mdx b/public/kubernetes-guides/csi/local-storage.mdx index 602e189a..a798ae8a 100644 --- a/public/kubernetes-guides/csi/local-storage.mdx +++ b/public/kubernetes-guides/csi/local-storage.mdx @@ -8,7 +8,7 @@ import { version } from '/snippets/custom-variables.mdx'; Using local storage for Kubernetes workloads implies that the pod will be bound to the node where the local storage is available. Local storage is not replicated, so in case of a machine failure contents of the local storage will be lost. -## User Volumes +## User volumes The simplest way to use local storage is to use user volume. 
@@ -66,7 +66,7 @@ spec: type: DirectoryOrCreate ``` -## Local Path Provisioner +## Local path provisioner [Local Path Provisioner](https://github.com/rancher/local-path-provisioner) can be used to dynamically provision local storage. diff --git a/public/kubernetes-guides/csi/storage.mdx b/public/kubernetes-guides/csi/storage.mdx index 97943922..65180ff9 100644 --- a/public/kubernetes-guides/csi/storage.mdx +++ b/public/kubernetes-guides/csi/storage.mdx @@ -11,12 +11,12 @@ There are a _lot_ of options out there, and it can be fairly bewildering. For Talos, we have some recommendations to make the decision easier. -## Public Cloud +## Public cloud If you are running on a major public cloud, use their block storage. It is easy and automatic. -## Storage Clusters +## Storage clusters > **Sidero Labs** recommends having separate disks (separate from the Talos install disk) dedicated for storage. diff --git a/public/kubernetes-guides/monitoring-and-observability/deploy-metrics-server.mdx b/public/kubernetes-guides/monitoring-and-observability/deploy-metrics-server.mdx index 59986d42..60c816fb 100644 --- a/public/kubernetes-guides/monitoring-and-observability/deploy-metrics-server.mdx +++ b/public/kubernetes-guides/monitoring-and-observability/deploy-metrics-server.mdx @@ -10,7 +10,7 @@ It does this by gathering metrics data from the kubelets in a cluster. By default, the certificates in use by the kubelets will not be recognized by metrics-server. This can be solved by either configuring metrics-server to do no validation of the TLS certificates, or by modifying the kubelet configuration to rotate its certificates and use ones that will be recognized by metrics-server. -## Node Configuration +## Node configuration To enable kubelet certificate rotation, all nodes should have the following Machine Config snippet: 
@@ -21,7 +21,7 @@ machine: rotate-server-certificates: true ``` -## Install During Bootstrap +## Install during bootstrap We will want to ensure that new certificates for the kubelets are approved automatically. This can easily be done with the [Kubelet Serving Certificate Approver](https://github.com/alex1989hu/kubelet-serving-cert-approver), which will automatically approve the Certificate Signing Requests generated by the kubelets. @@ -35,7 +35,7 @@ cluster: - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml ``` -## Install After Bootstrap +## Install after bootstrap If you choose not to use `extraManifests` to install Kubelet Serving Certificate Approver and metrics-server during bootstrap, you can install them once the cluster is online using `kubectl`: diff --git a/public/kubernetes-guides/security/pod-security.mdx b/public/kubernetes-guides/security/pod-security.mdx index 7bb5d4ea..9c69c4e5 100644 --- a/public/kubernetes-guides/security/pod-security.mdx +++ b/public/kubernetes-guides/security/pod-security.mdx @@ -18,7 +18,7 @@ These [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod- By default, Talos with the help of PSA, applies the `baseline` profile to all namespaces, except for the `kube-system` namespace, which uses the `privileged` profile. -## Default PSA Configuration +## Default PSA calicoonfiguration Here is the default PSA configuration on Talos: @@ -43,7 +43,7 @@ This cluster-wide configuration: * Enforces the `baseline` security profile by default. * Throws a warning, if the `restricted` profile is violated, but does not enforce this profile. -## Modify the Default PSA Configuraion +## Modify the default PSA configuraion You can modify this PSA policy by updating the generated machine configuration before the cluster is created or on the fly by using the `talosctl` CLI utility. 
@@ -82,7 +82,7 @@ spec: kind: PodSecurityConfiguration ``` -## Workloads That Satisfy the Different Security Profiles +## Workloads that satisfy the different security profiles To deploy a workload that satisfies both the `baseline` and `restricted` profiles, you must ensure that your workloads: @@ -96,7 +96,7 @@ To see how PSA treats workloads that violate security profiles, consider these e * A Deployment that meets `baseline` requirements but `violates` restricted * A DaemonSet that violates both `restricted` and `baseline` profiles -### Deployment that Satisfies the Restricted Profile +### Deployment that satisfies the restricted profile This Deployment complies with the `restricted` profile and does not produce any errors or warnings when applied: @@ -169,7 +169,7 @@ This is because the Deployment follows Talos’ recommended security practices, * **allowPrivilegeEscalation: false**: Blocks processes from gaining additional privileges. * **capabilities: drop: [ALL]**: Removes unnecessary Linux capabilities. -### Deployment that Violates the Restricted but Meets Baseline Profile +### Deployment that violates the restricted but meets baseline profile Run the following command to create a Deployment that complies with the `baseline` profile but violates the `restricted` profile: @@ -192,7 +192,7 @@ NAME READY STATUS RESTARTS AGE nginx-85b98978db-j68l8 1/1 Running 0 2m3s -### DaemonSet that Fails Both the Restricted and Baseline Profiles +### DaemonSet that fails both the restricted and baseline profiles This DaemonSet violates both the `baseline` and `restricted` profiles: @@ -294,7 +294,7 @@ NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELE debug-container 2 2 0 2 0 4s ``` -## Troubleshooting Common PSA Error Messages +## Troubleshooting common PSA error messages Here are some typical error messages you’ll run into when a pod violates a PSA policy, along with what went wrong and how to fix it. 
diff --git a/public/kubernetes-guides/security/seccomp-profiles.mdx b/public/kubernetes-guides/security/seccomp-profiles.mdx index 1cff21e5..e3c914a2 100644 --- a/public/kubernetes-guides/security/seccomp-profiles.mdx +++ b/public/kubernetes-guides/security/seccomp-profiles.mdx @@ -12,7 +12,7 @@ Refer the [Kubernetes Seccomp Guide](https://kubernetes.io/docs/tutorials/securi In this guide we are going to configure a custom Seccomp Profile that logs all syscalls made by the workload. -## Preparing the nodes +## Prepare the nodes Create a machine config path with the contents below and save as `patch.yaml` @@ -70,7 +70,7 @@ An output similar to below can be observed: {"defaultAction":"SCMP_ACT_LOG"} ``` -## Create a Kubernetes workload that uses the custom Seccomp Profile +## Create a Kubernetes workload that uses the custom Seccomp profile Here we'll be using an example workload from the Kubernetes [documentation](https://kubernetes.io/docs/tutorials/security/seccomp/). diff --git a/public/omni/cluster-management/export-a-cluster-template-from-a-cluster-created-in-the-ui.mdx b/public/omni/cluster-management/export-a-cluster-template-from-a-cluster-created-in-the-ui.mdx index aec8b276..7e429bdb 100644 --- a/public/omni/cluster-management/export-a-cluster-template-from-a-cluster-created-in-the-ui.mdx +++ b/public/omni/cluster-management/export-a-cluster-template-from-a-cluster-created-in-the-ui.mdx @@ -4,7 +4,7 @@ title: Export a Cluster Template from a Cluster Created in the UI This guide shows you how to export a cluster template from a cluster created in the UI. This is useful when you want to switch a cluster from being manually managed to being managed by cluster templates (i.e. via the CLI, to be used in CI automation). -### Exporting the Cluster Template +### Exporting the cluster template To export a cluster, run the following command: 
@@ -61,7 +61,7 @@ kind: Machine name: 63564547-c9cb-4a30-a54a-8f95a29d66a5 ``` -### Using the Exported Cluster Template to Manage the Cluster +### Using the exported cluster template to manage the cluster You can now use this template to manage the cluster - edit the template as needed and sync it using the CLI: diff --git a/public/omni/cluster-management/expose-an-http-service-from-a-cluster.mdx b/public/omni/cluster-management/expose-an-http-service-from-a-cluster.mdx index eff781b9..51c56f35 100644 --- a/public/omni/cluster-management/expose-an-http-service-from-a-cluster.mdx +++ b/public/omni/cluster-management/expose-an-http-service-from-a-cluster.mdx @@ -2,7 +2,7 @@ title: Expose an HTTP Service from a Cluster --- -### Enabling Workload Service Proxying Feature +### Enable workload service proxying feature You first need to enable the workload service proxying feature on the cluster you want to expose Services from. @@ -21,7 +21,7 @@ features: You will notice that the “Exposed Services” section will appear on the left menu for the cluster the feature is enabled on. -### Exposing a Kubernetes Service +### Expose a Kubernetes service Let’s install a simple Nginx deployment and service to expose it. @@ -103,7 +103,7 @@ To encode an SVG file `icon.svg` to be used for the annotation, you can use the gzip -c icon.svg | base64 ``` -### Accessing the Exposed Service +### Access the exposed service You will notice that the Service you annotated will appear under the “Exposed Services” section in Omni Web, on the left menu when the cluster is selected. @@ -143,7 +143,7 @@ helm repo add grafana https://grafana.github.io/helm-charts helm install -f values.yaml grafana grafana/grafana ``` -#### Kubernetes Dashboard +#### Kubernetes dashboard The Kubernetes dashboard can be deployed via helm into a cluster and exposed with the workload proxy using the following `values.yaml`. 
diff --git a/public/omni/infrastructure-and-extensions/self-hosted/expose-omni-with-nginx-https.mdx b/public/omni/cluster-management/expose-omni-with-nginx-https.mdx similarity index 97% rename from public/omni/infrastructure-and-extensions/self-hosted/expose-omni-with-nginx-https.mdx rename to public/omni/cluster-management/expose-omni-with-nginx-https.mdx index 9a6318b5..c991f3bc 100644 --- a/public/omni/infrastructure-and-extensions/self-hosted/expose-omni-with-nginx-https.mdx +++ b/public/omni/cluster-management/expose-omni-with-nginx-https.mdx @@ -4,7 +4,7 @@ title: How to expose Omni with Nginx (HTTPS) ### Omni deployment configuration -You need to deploy an omni instance the [how to deploy omni on prem guide](./deploy-omni-on-prem), with the following flags set: +You need to deploy an omni instance the [how to deploy omni on prem guide](../self-hosted/deploy-omni-on-prem), with the following flags set: ```bash --name=$OMNI_NAME diff --git a/public/omni/cluster-management/importing-talos-clusters.mdx b/public/omni/cluster-management/importing-talos-clusters.mdx index 8e808254..72082b14 100644 --- a/public/omni/cluster-management/importing-talos-clusters.mdx +++ b/public/omni/cluster-management/importing-talos-clusters.mdx @@ -30,7 +30,7 @@ You will need to have `os:admin` role for the Talos cluster you want to import. You will need Omni role `Operator` or above in Omni to be able to create the necessary resources. -## Cluster Import +## Cluster import `omnictl cluster import` command has several key flags that, if omitted, are automatically inferred from the connected cluster or the local environment. These flags can be seen below. Note that this list doesn't include all possible flags. 
@@ -133,7 +133,7 @@ This command does the following: Note that the cluster has been imported but marked as `locked`. This is to prevent any changes being done by Omni to the imported cluster. Cluster locking is an Omni feature that prevents any changes from being applied to the Talos cluster. -### Image Schematic +### Image schematic With [Talos Linux Image Factory](https://factory.talos.dev/), it's possible to create a talos installer using extensions, extra kernel command line arguments as well as other settings. Such configuration is referred to as a Schematic. Cluster import command tries to detect if a Talos machine was configured using a boot asset from an Image Factory. If so, it will ensure that the same Schematic is used with the Image Factory Omni is connected to. @@ -149,7 +149,7 @@ If a Talos machine was not configured using an Image Factory asset, the validati This will not affect machines configured by using a boot asset from [Talos releases](https://github.com/siderolabs/talos/releases). -### Config Patches +### Config patches When importing a cluster into Omni, the goal is to preserve the cluster’s existing state and avoid modifying node configurations unless absolutely necessary. Cluster Machine config patches are used to achieve this idea. 
@@ -162,11 +162,11 @@ Certain machine config [fields](https://github.com/siderolabs/omni/blob/main/cli After a cluster is imported to Omni, the final machine config for each node is built by applying the config patch to the default machine config built using the initial talos and kubernetes versions used on cluster import. Redacted version of this machine config can be found under the `Config` tab of the Cluster Machine overview page in the Omni UI, while config patches can be found under `Patches` tab of the same overview page. -### Unlocking the Cluster +### Unlock the cluster Since Omni uses its own Kubernetes apiserver endpoint, when the cluster is unlocked, Omni will update `kube-apiserver`, `kube-scheduler` and `kube-controller-manager` static pod definitions to point to the Omni-managed kubernetes apiserver endpoint. -### Aborting an ongoing Import +### Aborting an ongoing import Import operation can be aborted using `cluster import abort` command. This command will delete all the resources created by Omni while importing the cluster and will also temporarily remove Omni connection from the Talos nodes. Unlike cluster deletion, aborting an import will not reset the machines to their initial state. Cluster will just stop being managed by Omni. diff --git a/public/omni/cluster-management/restore-etcd-of-a-cluster-managed-by-cluster-templates.mdx b/public/omni/cluster-management/restore-etcd-of-a-cluster-managed-by-cluster-templates.mdx index d72c364f..cb5e41d5 100644 --- a/public/omni/cluster-management/restore-etcd-of-a-cluster-managed-by-cluster-templates.mdx +++ b/public/omni/cluster-management/restore-etcd-of-a-cluster-managed-by-cluster-templates.mdx 
@@ -8,7 +8,7 @@ This tutorial has the following requirements: * The cluster which you want to restore **must still exist** (not be deleted from Omni) and have past backups available. * The cluster **must be managed using cluster templates** (not via the UI). -### Finding the Cluster's UUID +### Finding the cluster's UUID To find the cluster's UUID, run the following command, replacing `my-cluster` with the name of your cluster: @@ -25,7 +25,7 @@ default ClusterUUID my-cluster 1 bb874758-ee54-4d3b-bac3-4c83 Note the `UUID` column, which contains the cluster's UUID. -### Finding the Snapshot to Restore +### Finding the snapshot to restore List the available snapshots for the cluster: @@ -44,7 +44,7 @@ external EtcdBackup my-cluster-1701184500 undefined {"nanos":0,"seconds The `SNAPSHOT` column contains the snapshot name which you will need to restore the cluster. Let's assume you want to restore the cluster to the snapshot `FFFFFFFF9A99FBFD.snapshot`. -### Deleting the Existing Control Plane +### Deleting the existing control plane To restore the cluster, we need to first delete the existing control plane of the cluster. This will take the cluster into the non-bootstrapped state. Only then we can create the new control plane with the restored etcd. @@ -54,7 +54,7 @@ Use the following command to delete the control plane, replacing `my-cluster` wi omnictl delete machineset my-cluster-control-planes ``` -### Creating the Restore Template +### Creating the restore template Edit your cluster template manifest `template-manifest.yaml`, edit the list of control plane machines for your needs, and add the `bootstrapSpec` section to the control plane, with cluster UUID and the snapshot name we found above: @@ -81,7 +81,7 @@ machines: - 79f8db4d-3b6b-49a7-8ac4-aa5d2287f706 ``` -### Syncing the Template +### Syncing the template To sync the template, run the following command: 
@@ -92,7 +92,7 @@ omnictl cluster template status -f template-manifest.yaml After the sync, your cluster will be restored to the snapshot you specified. -### Restarting Kubelet on Worker Nodes +### Restarting Kubelet on worker nodes To ensure a healthy cluster operation, the kubelet needs to be restarted on all worker nodes. diff --git a/public/omni/cluster-management/scale-your-cluster/scale-a-cluster-up-or-down.mdx b/public/omni/cluster-management/scale-your-cluster/scale-a-cluster-up-or-down.mdx index 4ab28b39..c08162d6 100644 --- a/public/omni/cluster-management/scale-your-cluster/scale-a-cluster-up-or-down.mdx +++ b/public/omni/cluster-management/scale-your-cluster/scale-a-cluster-up-or-down.mdx @@ -2,7 +2,7 @@ title: Scale a Cluster Up or Down --- -#### Scaling Down or removing nodes from a cluster +#### Scale down a cluster To delete machines in a cluster, click the “Clusters” menu item on the left, then the name of the cluster you wish to delete nodes from. Click the “Nodes” menu item on the left. Now, select “Destroy” from the menu under the elipsis: @@ -10,7 +10,7 @@ To delete machines in a cluster, click the “Clusters” menu item on the left, The cluster will now scale down. -#### Scaling Up or adding nodes to a cluster +#### Scaling up a cluster To add machines to a cluster, click the “Cluster” menu item on the left, then the name of the cluster you wish to add nodes to. From the “Cluster Overview” tab, click the “Cluster Scaling” button in the sidebar on the right. diff --git a/public/omni/cluster-management/support-bundle.mdx b/public/omni/cluster-management/support-bundle.mdx index 03f0f7c8..4006ead1 100644 --- a/public/omni/cluster-management/support-bundle.mdx +++ b/public/omni/cluster-management/support-bundle.mdx 
@@ -8,7 +8,7 @@ Support Bundles are primarily used for troubleshooting. When something goes wron While the bundle does **not** include sensitive data like secrets, it may contain elements such as IP addresses, port information, system identifiers, and non-sensitive service logs that provide essential context for debugging. -## Download the Support Bundle +## Download the support bundle You can download the Support Bundle in two ways, from the Omni UI or through the CLI: diff --git a/public/omni/cluster-management/upgrading-clusters.mdx b/public/omni/cluster-management/upgrading-clusters.mdx index 35e7ebee..3048eee1 100644 --- a/public/omni/cluster-management/upgrading-clusters.mdx +++ b/public/omni/cluster-management/upgrading-clusters.mdx @@ -2,11 +2,9 @@ title: Upgrading Omni Clusters --- -### Introduction - Omni makes keeping your cluster up-to-date easy - which is good, as it is important to stay current with Talos Linux and Kubernetes releases, to ensure you are not exposed to already fixed security issues and bugs. Keeping your clusters up-to-date involves updating both the underlying operating system (Talos Linux) and Kubernetes. -### Upgrading the Operating System +### Upgrading the operating system In order to update the Talos Linux version of all nodes in a cluster, navigate to the overview of the cluster you wish to update. (For example, click the cluster name in the Clusters panel.) If newer Talos Linux versions are available, there will be an indication in the far right, where the current cluster Talos version is listed. Clicking that icon, or the "Update Talos" button in the lower right, will allow you to select the new version of Talos Linux that should be deployed across all nodes of the cluster. 
@@ -20,7 +18,7 @@ Omni will drain and cordon each node, update the OS, and then un-cordon the node NOTE: If any of your workloads are sensitive to being shut down ungracefully, be sure to use the lifecycle.preStop Pod spec. -### Kubernetes Upgrades +### Kubernetes upgrades As with the Talos Linux version, Omni will notify you on the right hand side of the cluster overview if there is a new version of Kubernetes available. You may click either the Upgrade icon next to the Kubernetes version, or the `Update Kubernetes` button on the lower right of the cluster overview. Kubernetes upgrades are done non-disruptively to workloads and are run in several phases: @@ -31,7 +29,7 @@ As with the Talos Linux version, Omni will notify you on the right hand side of > Note: The upgrade operation never deletes any resources from the cluster: obsolete resources should be deleted manually. -#### Applying changed Kubernetes Manifests +#### Applying changed Kubernetes manifests Unlike the Talos Linux command `talosctl upgrade-k8s`, Omni does not automatically apply updates to Kubernetes bootstrap manifests on a Kubernetes upgrade. This is to prevent Omni overwriting changes to the bootstrap manifests that you applied manually. (Talos Linux has a `--dry-run` feature on the upgrade command that shows you changes before the upgrade - Omni shows you the changes _after_ the upgrade, but before they are applied.) Thus after each Kubernetes upgrade, it is recommended to examine the `BootStrap Manifests` of the cluster (as shown in the left hand navigation) and apply the changes, if they are appropriate. diff --git a/public/omni/infrastructure-and-extensions/self-hosted/upgrading-omni.mdx b/public/omni/cluster-management/upgrading-omni.mdx similarity index 94% rename from public/omni/infrastructure-and-extensions/self-hosted/upgrading-omni.mdx rename to public/omni/cluster-management/upgrading-omni.mdx index 72b151f8..d9fddc5a 100644 
--- a/public/omni/infrastructure-and-extensions/self-hosted/upgrading-omni.mdx +++ b/public/omni/cluster-management/upgrading-omni.mdx @@ -45,4 +45,4 @@ A full list of available versions can be found on the **[Omni container packages It is heavily recommended to also update `omnictl` to match the version of your Omni server. -Refer to the **[Install and configure omnictl](../../getting-started/install-and-configure-omnictl)** guide for instructions on how to update the CLI tool. +Refer to the **[Install and configure omnictl](../getting-started/install-and-configure-omnictl)** guide for instructions on how to update the CLI tool. diff --git a/public/omni/cluster-management/using-audit-log.mdx b/public/omni/cluster-management/using-audit-log.mdx index bcc4eedd..3b975647 100644 --- a/public/omni/cluster-management/using-audit-log.mdx +++ b/public/omni/cluster-management/using-audit-log.mdx @@ -27,7 +27,7 @@ Starting the server without the `--audit-log-dir` or with empty value will disab The audit log is stored in the directory specified by `--audit-log-dir ` flag. The log files are named `--.jsonlog`. The retention period is 30 days (including the current day), after which the log files are deleted. -#### Getting the Audit log +#### Getting the audit log There are two ways of getting a concatenated audit log using Omni: @@ -36,7 +36,7 @@ There are two ways of getting a concatenated audit log using Omni: The second way is preferable if you have a huge audit log, as it will not consume a lot of memory on the client if you look for something specific. -#### Format of the Audit log +#### Format of the audit log The audit log is stored in JSON format. Each line in the log file is a JSON object representing an audit event. diff --git a/public/omni/getting-started/getting-started.mdx b/public/omni/getting-started/getting-started.mdx index ad115031..ce52fda6 100644 --- a/public/omni/getting-started/getting-started.mdx +++ b/public/omni/getting-started/getting-started.mdx 
@@ -58,7 +58,7 @@ You must have the following to create a cluster with Omni: Once you’ve set up these prerequisites, you can move on to creating your cluster with Omni. -## Step 1: Download Installation Media +## Step 1: Download installation media Omni is a Bring Your Own Machine platform. You only need to boot a machine from a Talos image configured to connect to your Omni instance. @@ -139,7 +139,7 @@ This runs the SideroLabs Booter utility, which provisions PXE-booted machines us -## Step 3: Create Cluster +## Step 3: Create cluster Now that your machines are visible in Omni, you can create your cluster by following these steps: diff --git a/public/omni/getting-started/support-matrix.mdx b/public/omni/getting-started/support-matrix.mdx index cc04e82c..aa2c1495 100644 --- a/public/omni/getting-started/support-matrix.mdx +++ b/public/omni/getting-started/support-matrix.mdx @@ -5,11 +5,11 @@ The Sidero Labs managed version of Omni SaaS is updated regularly by our Operati If you are running a self-hosted version of Omni licensed under the BSL, please regularly [update](../cluster-management/upgrading-clusters) to the latest release - we suggest at least monthly. Bug fixes will not be backported to older versions of Omni, so support that involves a bug fix will require an update. -## Talos Linux Versions Supported +## Talos Linux versions upported Each version of Omni will support versions of Talos Linux where the first stable release of the minor version of Talos Linux was within 18 months of the Omni release date. For example, because Talos Linux 1.3.0 was released on 2022-12-15, the Omni version released on Jun 30th, 2024 will not support any version of 1.3.x, even though patch releases of 1.3 were made within the prior 18 months. However, all versions of Talos Linux Talos 1.4 and later (which was released on 2023-04-18) are supported. -## Current Minimum Talos Linux Support Within Omni +## Current minimum Talos Linux support within Omni Talos Linux 1.4 
diff --git a/public/omni/getting-started/use-kubectl-with-omni.mdx b/public/omni/getting-started/use-kubectl-with-omni.mdx index aa24c84a..39f66c57 100644 --- a/public/omni/getting-started/use-kubectl-with-omni.mdx +++ b/public/omni/getting-started/use-kubectl-with-omni.mdx @@ -6,17 +6,17 @@ With an Omni managed cluster, you use `kubectl` as with any other Kubernetes clu All Kubernetes `kubectl` commands are routed through the API endpoint created by Omni, and Omni validates access through the configured OIDC provider or other user authorization mechanism. This ensures your Kubernetes cluster is safe - unlike other systems, mere possession of a `kubeconfig` grants no access - the user also has be valid in the configured authentication system of Omni. -#### Download the KubeConfig file +#### Download the KubeConfig file Navigate to the clusters page by clicking on the “Clusters” button in the sidebar. Click on the cluster and then click "Download kubeconfig" from the cluster dashboard on the right. The downloaded file will reflect the name of the cluster. -#### Install the OIDC plug in +#### Install the OIDC plug in Install the `oidc-login` plugin per the official documentation: [https://github.com/int128/kubelogin#getting-started](https://github.com/int128/kubelogin#getting-started) -#### Access the cluster with kubectl +#### Access the cluster with kubectl ``` kubectl --kubeconfig ./talos-default-kubeconfig.yaml get nodes @@ -45,7 +45,7 @@ rm -rf "${KUBECACHEDIR:-$HOME/.kube/cache}/oidc-login" After doing this, the next `kubectl` command you run should trigger the OIDC login flow again, where you can authenticate as the user you need via `Switch User` option. -### OIDC authentication over SSH +### OIDC authentication over SSH If you need to use `kubectl` on a remote host over SSH you have two options. 
diff --git a/public/omni/infrastructure-and-extensions/modify-kernel-arguments.mdx b/public/omni/infrastructure-and-extensions/modify-kernel-arguments.mdx index 5d1f7d33..e33bd38d 100644 --- a/public/omni/infrastructure-and-extensions/modify-kernel-arguments.mdx +++ b/public/omni/infrastructure-and-extensions/modify-kernel-arguments.mdx @@ -12,7 +12,7 @@ You can add extra kernel arguments to Talos when creating the installation media This document describes how to modify _additional_ kernel arguments only. -## Add Additional Kernel Arguments During Installation Media Creation +## Add additional kernel arguments during installation media creation On the overview page, click **Download installation media** on the right. @@ -51,7 +51,7 @@ spec: - talos.environment=http_proxy=http://proxy.example.com:8080 ``` -## Update kernel Arguments on Existing Machines +## Update kernel arguments on existing machines Modifying kernel arguments on existing machines triggers an upgrade and reboots the machine. diff --git a/public/omni/infrastructure-and-extensions/writing-infrastructure-providers.mdx b/public/omni/infrastructure-and-extensions/writing-infrastructure-providers.mdx index d4577caf..1c6a6e07 100644 --- a/public/omni/infrastructure-and-extensions/writing-infrastructure-providers.mdx +++ b/public/omni/infrastructure-and-extensions/writing-infrastructure-providers.mdx @@ -76,7 +76,7 @@ Then the following flow will outline how Omni interacts with it: 8. The controller responsible for automatic `MachineSetNode` creation assigns the machine to a cluster. From this point, the workflow is identical to that of manually added machines. -## Provider Implementation Details +## Provider implementation details A provider is a standalone service that must have access to the Omni API. It should be written in **Go** and stores its state in Omni under the namespace `infra-provider:`, 
@@ -110,7 +110,7 @@ Each step callback receives: - `zap.Logger` — preconfigured with contextual fields for the current machine request. - `provision.Context[T]` — provides access to state and utilities needed during provisioning. -#### Example: Defining Steps +#### Example: Defining steps Suppose you have a provisioner with a client for your platform: @@ -235,7 +235,7 @@ then access it later in `Deprovision`. `T` is available through `pctx.State` in the `provision.Step` callbacks, and as the third argument in the `Deprovision` call. -### Machine Connection to Omni +### Machine connection to Omni There are two main ways a machine can connect back to Omni: @@ -286,7 +286,7 @@ V2 tokens allow embedding machine request IDs directly into the join token, enabling immediate mapping between a machine and its `MachineRequest`. That's enabled by `infra.WithEncodeRequestIDsIntoTokens` option in the `provider.Run`. -### `provision.Context` Reference +### `provision.Context` reference - `GetRequestID() string` — returns the `MachineRequest` ID. - `GetTalosVersion() string` — returns the Talos version used for the installation media. @@ -295,13 +295,13 @@ That's enabled by `infra.WithEncodeRequestIDsIntoTokens` option in the `provider - `CreateConfigPatch(ctx, name, data)` — adds configuration patches for the machine. - `GenerateSchematicID(ctx, logger, opts...)` — invokes the image factory to create a schematic and returns its ID. -### Provider Data +### Provider data Provider data is a JSON-encoded field in the `MachineRequest` that contains provider-specific configuration parameters. When a provider starts, it registers its schema with Omni. Omni uses this schema to render UI forms and validate `MachineRequest` objects. -### Best Practices +### Best practices - Avoid generating unique images per machine. - Use the image factory to build base images and upload them as part of the provisioning flow. 
diff --git a/public/omni/omni-cluster-setup/create-a-kubeconfig-for-a-service-account.mdx b/public/omni/omni-cluster-setup/create-a-kubeconfig-for-a-service-account.mdx index e7d3f3a6..7cd7592f 100644 --- a/public/omni/omni-cluster-setup/create-a-kubeconfig-for-a-service-account.mdx +++ b/public/omni/omni-cluster-setup/create-a-kubeconfig-for-a-service-account.mdx @@ -8,7 +8,7 @@ To follow this guide, you will need `omnictl` installed and configured. If you h Note that Omni also supports [Omni Service Accounts](../omni-cluster-setup/create-an-omni-service-account), which provide authentication to Omni itself. Kubernetes Service Accounts are used to authenticate to a Kubernetes cluster, not Omni. -### Creating the Kubernetes Service Account Kubeconfig +### Creating the Kubernetes service account kubeconfig To create a service account kubeconfig, run the following command: diff --git a/public/omni/omni-cluster-setup/create-an-omni-service-account.mdx b/public/omni/omni-cluster-setup/create-an-omni-service-account.mdx index 952c59ad..3a9e5aa6 100644 --- a/public/omni/omni-cluster-setup/create-an-omni-service-account.mdx +++ b/public/omni/omni-cluster-setup/create-an-omni-service-account.mdx @@ -4,13 +4,11 @@ title: Create an Omni Service Account You will need `omnictl` installed and configured to follow this guide. If you haven't done so already, follow the [`omnictl` guide](../getting-started/install-and-configure-omnictl). - - And Omni service account will create token based authentication for access to Omni. This is separate from access to the clusters managed by Omni. For Kubernetes access, see [Kubernetes Service Accounts](./create-a-kubeconfig-for-a-service-account). -### Creating the Service Account +### Creating the service account To create an Omni service account, use the following command: 
diff --git a/public/omni/omni-cluster-setup/how-to-set-initial-machine-labels.mdx b/public/omni/omni-cluster-setup/how-to-set-initial-machine-labels.mdx index 40f12d7a..5af76ce9 100644 --- a/public/omni/omni-cluster-setup/how-to-set-initial-machine-labels.mdx +++ b/public/omni/omni-cluster-setup/how-to-set-initial-machine-labels.mdx @@ -12,8 +12,6 @@ The simplest way to set machine labels is by using the "Download Installation Me - - This guide demonstrates how to set initial machine labels when generating boot media / URL using the `omnictl` CLI tool or using [Image Factory](https://factory.talos.dev) directly. Both methods allow you to label your machines programmatically. @@ -65,7 +63,7 @@ These initial labels work not only for ISOs but for most installation media and This command will print the PXE boot URL and exit. -## Using Image Factory Directly +## Using Image Factory directly Instead of using your Omni instance to generate labeled boot media or PXE URLs, you can use the image factory directly. @@ -124,7 +122,7 @@ Although Image Factory has a [web UI](https://factory.talos.dev), it is currentl The version of the Image Factory UI built into Omni **does** support specifying initial machine labels. -## Verifying Labels +## Verifying labels After a machine boots from the labeled media/PXE URL and registers with Omni, you can verify the labels using the Omni web interface or the `omnictl` CLI tool. diff --git a/public/omni/omni-cluster-setup/registering-machines/how-to-register-an-aws-ec2-instance.mdx b/public/omni/omni-cluster-setup/registering-machines/how-to-register-an-aws-ec2-instance.mdx index 5fbc5be1..6dca46dc 100644 --- a/public/omni/omni-cluster-setup/registering-machines/how-to-register-an-aws-ec2-instance.mdx +++ b/public/omni/omni-cluster-setup/registering-machines/how-to-register-an-aws-ec2-instance.mdx 
@@ -88,7 +88,7 @@ Output: Note the `SubnetID` (`subnet-04f4d6708a2c2fb0d`). -### Create the Security Group +### Create the security group ```bash aws ec2 create-security-group \ diff --git a/public/omni/omni-cluster-setup/registering-machines/register-a-bare-metal-machine-iso.mdx b/public/omni/omni-cluster-setup/registering-machines/register-a-bare-metal-machine-iso.mdx index 2d943ee4..4afac800 100644 --- a/public/omni/omni-cluster-setup/registering-machines/register-a-bare-metal-machine-iso.mdx +++ b/public/omni/omni-cluster-setup/registering-machines/register-a-bare-metal-machine-iso.mdx @@ -59,7 +59,7 @@ First, plug the USB drive into your local machine. Now, find the device path for -### Boot the Machine +### Boot the machine Now that we have our bootable USB drive, plug it into the machine you are registering. Once the machine is booting you will notice logs from Talos Linux on the console stating that it is reachable over an IP address. diff --git a/public/omni/omni-cluster-setup/registering-machines/register-a-bare-metal-machine-pxe-ipxe.mdx b/public/omni/omni-cluster-setup/registering-machines/register-a-bare-metal-machine-pxe-ipxe.mdx index a6a56835..9abf8655 100644 --- a/public/omni/omni-cluster-setup/registering-machines/register-a-bare-metal-machine-pxe-ipxe.mdx +++ b/public/omni/omni-cluster-setup/registering-machines/register-a-bare-metal-machine-pxe-ipxe.mdx 
@@ -4,17 +4,17 @@ title: Register a Bare Metal Machine (PXE/iPXE) This guide shows you how to register a bare metal machine with Omni by PXE/iPXE booting. -### Copy the Required Kernel Parameters +### Copy the required kernel parameters Upon logging in you will be presented with the Omni dashboard. Click the “Copy Kernel Parameters” button on the right hand side, and save the value for later. -### Download the PXE/iPXE Assets +### Download the PXE/iPXE assets The following example assumes the use of Matchbox server. Download `vmlinuz` and `initramfs.xz` from the [release](https://github.com/siderolabs/talos/releases) of your choice (Talos Linux 1.4 or greater is required), and place them in `/var/lib/matchbox/assets`. -#### Create the Profile +#### Create the profile Place the following in `/var/lib/matchbox/profiles/default.json`: @@ -46,7 +46,7 @@ Update `siderolink.api`, `talos.events.sink`, and `talos.logging.kernel` with th Place the following in `/var/lib/matchbox/groups/default.json`: -#### Create the Group +#### Create the group ```json { diff --git a/public/omni/omni-cluster-setup/registering-machines/register-a-gcp-instance.mdx b/public/omni/omni-cluster-setup/registering-machines/register-a-gcp-instance.mdx index 5dee83c2..a0efc4bc 100644 --- a/public/omni/omni-cluster-setup/registering-machines/register-a-gcp-instance.mdx +++ b/public/omni/omni-cluster-setup/registering-machines/register-a-gcp-instance.mdx 
@@ -6,23 +6,23 @@ title: Register a GCP Instance Upon logging in you will be presented with the Omni dashboard. -### Download the Image +### Download the image First, download the GCP image from the Omni portal by clicking on the “Download Installation Media” button. Now, click on the “Options” dropdown menu and search for the “GCP” option. Notice there are two options: one for `amd64` and another for `arm64`. Select the appropriate option for the machine you are registering. Now that you have selected the GCP option for the appropriate architecture, click the “Download” button. -### Upload the Image +### Upload the image In the Google Cloud console, navigate to `Buckets` under the `Cloud Storage` menu, and create a new bucket with the default. Click on the bucket in the Google Cloud console, click `Upload Files`, and select the image download from the Omni console. -### Convert the Image +### Convert the image In the Google Cloud console select `Images` under the `Compute Engine` menu, and then `Create Image`. Name your image (e.g. Omni-talos-1.7.6), then select the Source as `Cloud Storage File`. Click `Browse` in the Cloud Storage File field and navigate to the bucket you created. Select the image you uploaded. Leave the rest of the options at their default and click `Create` at the bottom. -### Create a GCP Instance +### Create a GCP instance In Google Cloud console select `VM instances` under the `Compute Engine` menu. Now select `Create Instance`. Name your instance, and select a region and zone. Under “Machine Configuration”, ensure your instance has at least 4GB of memory. In the `Boot Disk` section, select `Change` and then select `Custom Images`. Select the image created in the previous steps. Now, click `Create` at the bottom to create your instance. -### Conclusion +### Conclusion Navigate to the “Machines” menu in the sidebar. You should now see a machine listed. 
diff --git a/public/omni/omni-cluster-setup/registering-machines/register-a-hetzner-server.mdx b/public/omni/omni-cluster-setup/registering-machines/register-a-hetzner-server.mdx index 9d070509..5234dfd4 100644 --- a/public/omni/omni-cluster-setup/registering-machines/register-a-hetzner-server.mdx +++ b/public/omni/omni-cluster-setup/registering-machines/register-a-hetzner-server.mdx @@ -6,7 +6,7 @@ title: Register a Hetzner Server Upon logging in you will be presented with the Omni dashboard. -### Download the Hetzner Image +### Download the Hetzner image First, download the Hetzner image from the Omni portal by clicking on the “Download Installation Media” button. Now, click on the “Options” dropdown menu and search for the “Hetzner” option. Notice there are two options: one for `amd64` and another for `arm64`. Select the appropriate option for the machine you are registering. Now, click the “Download” button. @@ -69,7 +69,7 @@ First, download the Hetzner image from the Omni portal by clicking on the “Dow -### Create a Server +### Create a server ```bash hcloud context create talos diff --git a/public/omni/omni-cluster-setup/registering-machines/register-an-azure-instance.mdx b/public/omni/omni-cluster-setup/registering-machines/register-an-azure-instance.mdx index f5c175e6..efec21c3 100644 --- a/public/omni/omni-cluster-setup/registering-machines/register-an-azure-instance.mdx +++ b/public/omni/omni-cluster-setup/registering-machines/register-an-azure-instance.mdx 
@@ -6,13 +6,13 @@ title: Register an Azure Instance Upon logging in you will be presented with the Omni dashboard. -### Download the Image +### Download the image Download the Azure image from the Omni portal by clicking on the “Download Installation Media” button. Click on the “Options” dropdown menu and search for the “Azure” option. Notice there are two options: one for `amd64` and another for `arm64`. Select the appropriate architecture for the machine you are registering, then click the “Download” button. Once downloaded to your local machine, untar with `tar -xvf /path/to/image` -### Upload the Image +### Upload the image @@ -56,7 +56,7 @@ Once downloaded to your local machine, untar with `tar -xvf /path/to/image` -### Convert the Image +### Convert the image @@ -78,7 +78,7 @@ Once downloaded to your local machine, untar with `tar -xvf /path/to/image` -### Create an Azure Instance +### Create an Azure instance diff --git a/public/omni/omni-cluster-setup/setting-up-the-bare-metal-infrastructure-provider.mdx b/public/omni/omni-cluster-setup/setting-up-the-bare-metal-infrastructure-provider.mdx index 02f09434..9d04f1c5 100644 --- a/public/omni/omni-cluster-setup/setting-up-the-bare-metal-infrastructure-provider.mdx +++ b/public/omni/omni-cluster-setup/setting-up-the-bare-metal-infrastructure-provider.mdx 
@@ -147,7 +147,7 @@ The provider will start a DHCP proxy server, responding to DHCP requests from th If you need to run this DHCP proxy on a different interface (so the responses are broadcast to the correct network), you can pass the `--dhcp-proxy-iface-or-ip` flag to the provider, specifying either the name of the network interface or an IP on that machine which belongs to the desired interface. -## 3. Starting the Bare-Metal Machines +## 3. Starting the Bare-Metal machines At this point, we can boot our bare-metal machines. Before we start, make sure that they are configured to boot over the network via PXE on the next boot, so that they can be booted by the provider. @@ -177,11 +177,11 @@ At this point, these machines are booted into a special mode of Talos Linux call * runs the only the required services to be able to further provisioned by the provider -## 4. Configuring and Accepting the Machines in Omni +## 4. Configuring and accepting the machines in Omni At this point, the machines should be booted into the Agent Mode, and have established a `SideroLink` connection to our Omni instance. -### 4.1. Verifying the Machines +### 4.1. Verifying the machines Let's verify our machines: @@ -224,7 +224,7 @@ Our machines have the following IDs: For security reasons, the machines cannot be provisioned in Omni before they are "_Accepted_". We will accept these machines using the Omni API. -### 4.2. Optional: Providing BMC (e.g., IPMI/Redfish) Configuration Manually +### 4.2. Optional: providing BMC (e.g., IPMI/Redfish) configuration manually Normally, when we accept a machine in Omni, the provider will auto-configure the BMC configuration, such as the IPMI IP, username and password automatically by asking the agent service running on the Talos machine. 
@@ -261,7 +261,7 @@ We can create this resource at a later time as well and the provider would start However, if we want to bypass the automatic credential configuration on machine acceptance, we need to ensure that the `InfraMachineBMCConfig` resource is present before we accept the machine. -### 4.3. Accepting the Machines +### 4.3. Accepting the machines As the final step, we need to accept these machines in Omni. @@ -330,7 +330,7 @@ infra-provider InfraMachineStatus cef9a5ee-71b7-48f1-8ce3-daf45e7be0a0 3 infra-provider InfraMachineStatus d3796040-2a28-4e0f-ba1a-1944f3a41dde 3 1 true ``` -## 5. Adding Machines to a Cluster +## 5. Adding machines to a cluster We can now create a cluster using these machines. For this, simply follow the guide for [creating a cluster](../getting-started/create-a-cluster). @@ -348,7 +348,7 @@ Then Omni will proceed with the regular flow of: The cluster will be provisioned as normal, and will get to the `Ready` status. -## 6. Removing Machines from a Cluster +## 6. Removing machines from a cluster When you delete a cluster and/or remove some bare-metal machines from a cluster, the following will happen: diff --git a/public/omni/security-and-authentication/authentication-and-authorization.mdx b/public/omni/security-and-authentication/authentication-and-authorization.mdx index 060cd3a9..b8ad0af1 100644 --- a/public/omni/security-and-authentication/authentication-and-authorization.mdx +++ b/public/omni/security-and-authentication/authentication-and-authorization.mdx 
@@ -32,7 +32,7 @@ Using SAML changes how user identities are managed in Omni: * Attributes from the SAML assertion are added to the user’s `Identity` resource with the prefix `saml.omni.sidero.dev/`. * Access Control Lists (ACLs) can be used to grant fine-grained permissions beyond roles. -## Authentication for Automation +## Authentication for automation In addition to interactive login, `omnictl` can also be used in automation. When using user authentication in non-interactive workflows, Omni issues short-lived credentials that expire after a limited time. User tokens can remain valid for up to eight hours, and Omni-generated user public keys currently expire after four hours. These limits are not configurable. diff --git a/public/omni/infrastructure-and-extensions/self-hosted/configure-keycloak-for-omni.mdx b/public/omni/security-and-authentication/configure-keycloak-for-omni.mdx similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/configure-keycloak-for-omni.mdx rename to public/omni/security-and-authentication/configure-keycloak-for-omni.mdx diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-Root-URL.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-Root-URL.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-Root-URL.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-Root-URL.png diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-SAML.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-SAML.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-SAML.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-SAML.png 
diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-add-predefined-mappers.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-add-predefined-mappers.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-add-predefined-mappers.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-add-predefined-mappers.png diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-client-scopes.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-client-scopes.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-client-scopes.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-client-scopes.png diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-client-signature.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-client-signature.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-client-signature.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-client-signature.png diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-create-client.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-create-client.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-create-client.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-create-client.png 
diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-create-new-user-form.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-create-new-user-form.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-create-new-user-form.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-create-new-user-form.png diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-create-new-user.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-create-new-user.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-create-new-user.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-create-new-user.png diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-create-realm.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-create-realm.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-create-realm.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-create-realm.png diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-no-credentials.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-no-credentials.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-no-credentials.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-no-credentials.png 
diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-omni-create.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-omni-create.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-omni-create.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-omni-create.png diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-openID.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-openID.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-openID.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-openID.png diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-predefined-mapper.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-predefined-mapper.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-predefined-mapper.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-predefined-mapper.png diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-signature-encryption.png b/public/omni/security-and-authentication/images/configure-keycloak-for-omni-signature-encryption.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-for-omni-signature-encryption.png rename to public/omni/security-and-authentication/images/configure-keycloak-for-omni-signature-encryption.png 
diff --git a/public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-saml-idp.png b/public/omni/security-and-authentication/images/configure-keycloak-saml-idp.png similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/images/configure-keycloak-saml-idp.png rename to public/omni/security-and-authentication/images/configure-keycloak-saml-idp.png diff --git a/public/omni/security-and-authentication/rotate-siderolink-join-token.mdx b/public/omni/security-and-authentication/rotate-siderolink-join-token.mdx index 0627371b..137b9f0b 100644 --- a/public/omni/security-and-authentication/rotate-siderolink-join-token.mdx +++ b/public/omni/security-and-authentication/rotate-siderolink-join-token.mdx @@ -8,7 +8,7 @@ Join tokens are the secret used to authenticate Talos machines' gRPC requests wh If the token is compromised it can be revoked and replaced with the new one. -### Conditions that Make Token Rotation Possible +### Conditions that make token rotation possible When a machine connects to Omni for the first time, it uses a join token specific to the Omni account that is shared by all new hosts that are registering with Omni. Omni then creates a unique, ephemeral token for each machine, and when Talos is installed to disk, that token is persisted to disk. If the shared token is revoked, machines that have persisted unique tokens (i.e. those with Talos installed to disk) will stay connected, but machines using only shared tokens will be disconnected. @@ -18,11 +18,11 @@ Talos < 1.6 doesn't support unique tokens. If Omni is started with `--join-tokens-mode=legacy` unique node tokens are not generated for any machines. This makes rotating join tokens not possible. -### To Rotate Join Tokens +### To rotate Join Tokens - #### Create New Join Token + #### Create new Join Token Click the "Join Tokens" section button under "Machine Management" in the sidebar. Next, click the "Create Join Token" button on the right. 
diff --git a/public/omni/security-and-authentication/using-saml-with-omni/configure-saml-and-acls.mdx b/public/omni/security-and-authentication/using-saml-with-omni/configure-saml-and-acls.mdx index 3e1bbcef..1731b039 100644 --- a/public/omni/security-and-authentication/using-saml-with-omni/configure-saml-and-acls.mdx +++ b/public/omni/security-and-authentication/using-saml-with-omni/configure-saml-and-acls.mdx @@ -120,7 +120,7 @@ As the admin user `admin@example.org`, apply this ACL using omnictl: $ omnictl apply -f acl.yaml ``` -## Accessing the Clusters +## Access the clusters Now, in an incognito window, log in as a support engineer, `cluster-support-1@example.org`. Since the user is not assigned to any Omni role yet, they cannot use Omni Web. @@ -171,7 +171,7 @@ The user will be able to get the cluster but not delete it, because the ACL allo If you do the same operations as the admin user, you'll notice that you are able to both get and delete staging and production clusters. -## Assigning Omni roles to Users +## Assign Omni roles to users If you want to allow SAML users to use Omni Web, you need to assign them at least the `Reader` role. As the admin, sign in to Omni Web and assign the role `Reader` to both `cluster-support-1@example.org` and `cluster-admin-1@example.org`. diff --git a/public/omni/security-and-authentication/using-saml-with-omni/configure-unifi-identity-enterprise-for-omni.mdx b/public/omni/security-and-authentication/using-saml-with-omni/configure-unifi-identity-enterprise-for-omni.mdx index 395de42d..24eb1b01 100644 --- a/public/omni/security-and-authentication/using-saml-with-omni/configure-unifi-identity-enterprise-for-omni.mdx +++ b/public/omni/security-and-authentication/using-saml-with-omni/configure-unifi-identity-enterprise-for-omni.mdx 
@@ -2,8 +2,6 @@ title: Configure Unifi Identity Enterprise for Omni --- -### Unifi Identity Enterprise - This section describes how to use Unifi Identity Enterprise (here forward UIIE) SSO with Omni via SAML First, login to the UIIE Manager portal and navigate to the SSO Apps section in the left menu. @@ -61,7 +59,7 @@ A copy of this file needs to be on the host which will run the Omni container as This completes the configurations required in UIIE -### Omni +### Configure Omni for SAML with UIIE To get Omni to use UIIE as a SAML provider, the following flags should be passed to Docker & the Omni container on launch. diff --git a/public/omni/security-and-authentication/using-saml-with-omni/configure-workspace-one-access-for-omni.mdx b/public/omni/security-and-authentication/using-saml-with-omni/configure-workspace-one-access-for-omni.mdx index d40664fd..7b075c23 100644 --- a/public/omni/security-and-authentication/using-saml-with-omni/configure-workspace-one-access-for-omni.mdx +++ b/public/omni/security-and-authentication/using-saml-with-omni/configure-workspace-one-access-for-omni.mdx @@ -87,7 +87,7 @@ This is the URL that will be used by Omni in the command line arguments in the n -### Omni +### Omni Provide the following flags to the Omni container on launch. diff --git a/public/omni/security-and-authentication/using-saml-with-omni/overview.mdx b/public/omni/security-and-authentication/using-saml-with-omni/overview.mdx index aabdefca..0cb161fe 100644 --- a/public/omni/security-and-authentication/using-saml-with-omni/overview.mdx +++ b/public/omni/security-and-authentication/using-saml-with-omni/overview.mdx 
@@ -3,4 +3,4 @@ title: Overview --- Omni can integrate with your enterprise SAML provider for authentication and identity management. See also information about [how SAML impacts Omni authentication.](../../security-and-authentication/authentication-and-authorization) Please contact support@siderolabs.com or your account manager to enable SAML on the SaaS version of Omni (N.B. this is only available for Startup tier and above). -If using Omni for non-production workloads, you can [self-host](../../infrastructure-and-extensions/self-hosted/overview) and configure SAML yourself. +If using Omni for non-production workloads, you can [self-host](../../self-hosted/overview) and configure SAML yourself. diff --git a/public/omni/infrastructure-and-extensions/self-hosted/deploy-image-factory-on-prem.mdx b/public/omni/self-hosted/deploy-image-factory-on-prem.mdx similarity index 95% rename from public/omni/infrastructure-and-extensions/self-hosted/deploy-image-factory-on-prem.mdx rename to public/omni/self-hosted/deploy-image-factory-on-prem.mdx index 465a0a62..71063db7 100644 --- a/public/omni/infrastructure-and-extensions/self-hosted/deploy-image-factory-on-prem.mdx +++ b/public/omni/self-hosted/deploy-image-factory-on-prem.mdx 
@@ -2,11 +2,11 @@ title: Deploy Image Factory On-prem --- -import { release } from '/snippets/custom-variables.mdx'; +import { release, version } from '/snippets/custom-variables.mdx'; The [Image Factory](https://github.com/siderolabs/image-factory) is a way for you to dynamically create Talos Linux images. There is a public, hosted version of the Image Factory at [factory.talos.dev](https://factory.talos.dev) and it can also be run in your environment. -The Image Factory is a critical component of [Omni](../../overview/what-is-omni) to generate installation media and update Talos nodes, but it is not required to use Omni to use the Image Factory. It is a web interface and API for the `imager` command which is used to customize Talos from the command line. +The Image Factory is a critical component of Omni to generate installation media and update Talos nodes, but it is not required to use Omni to use the Image Factory. It is a web interface and API for the `imager` command which is used to customize Talos from the command line. ## Prerequisites @@ -30,7 +30,7 @@ If you don't have a container registry available to push images to you can tempo - We recommend using certificates for your temporary registry you will need to provide your own certificates and mount them into the container at run time. If you do not have certificates, follow the steps in the [Omni air-gapped documentation](../install-airgapped-omni#1-generate-certificates). + We recommend using certificates for your temporary registry you will need to provide your own certificates and mount them into the container at run time. If you do not have certificates, follow the steps in the [Omni air-gapped documentation](../self-hosted/install-airgapped-omni#1-generate-certificates). ```bash docker run -d \ 
@@ -272,7 +272,7 @@ done -If your registry is running with a self-signed CA certificate (i.e. from the [Installing Airgapped Omni](../install-airgapped-omni) guide) you need to mount the CA certificate into the cosign container for it to be trusted. +If your registry is running with a self-signed CA certificate (i.e. from the [Installing Airgapped Omni](../self-hosted/install-airgapped-omni) guide) you need to mount the CA certificate into the cosign container for it to be trusted. ```bash for IMAGE in $(cat images.txt) @@ -431,4 +431,4 @@ You should now be able to browse to https://registry.internal:8080 and view the ## Run Omni -After the image factory is running you can continue to the [Omni Airgapped documentation](../install-airgapped-omni). +After the image factory is running you can continue to the [Omni Airgapped documentation](../self-hosted/install-airgapped-omni). diff --git a/public/omni/infrastructure-and-extensions/self-hosted/deploy-omni-on-prem.mdx b/public/omni/self-hosted/deploy-omni-on-prem.mdx similarity index 93% rename from public/omni/infrastructure-and-extensions/self-hosted/deploy-omni-on-prem.mdx rename to public/omni/self-hosted/deploy-omni-on-prem.mdx index c3c624f6..322ac180 100644 --- a/public/omni/infrastructure-and-extensions/self-hosted/deploy-omni-on-prem.mdx +++ b/public/omni/self-hosted/deploy-omni-on-prem.mdx @@ -22,7 +22,7 @@ Install Docker according to the Ubuntu installation guide [here](https://docs.do curl -L https://get.docker.io | sh ``` -#### Generate Certs +#### Generate certificates On-prem Omni will require valid SSL certificates. This means that self-signed certs _will not_ work. Generating certificates is left as an exercise to the user, but here is a rough example that was tested using [DigitalOcean's DNS integration](https://certbot-dns-digitalocean.readthedocs.io/en/stable/) with certbot to generate certificates. The process should be very similar for other providers like Route53. 
@@ -43,7 +43,7 @@ $ echo ' creds.ini $ certbot certonly --dns- -d ``` -### Configure Authentication +### Configure authentication #### Auth0 @@ -70,17 +70,17 @@ Take note of the following information from the Auth0 application: * Domain * Client ID -#### SAML Identity Providers +#### SAML identity providers Other identity providers also work with Omni. Configuring these should be similar to Auth0. -* [EntraID/Azure AD](../../security-and-authentication/using-saml-with-omni/how-to-configure-entraid-for-omni) -* [Keycloak](../../infrastructure-and-extensions/self-hosted/configure-keycloak-for-omni) -* [Okta](../../security-and-authentication/using-saml-with-omni/configure-okta-for-omni) -* [Workspace ONE Access](../../security-and-authentication/using-saml-with-omni/configure-workspace-one-access-for-omni) -* [Unifi Identity Enterprise](../../security-and-authentication/using-saml-with-omni/configure-unifi-identity-enterprise-for-omni) +* [EntraID/Azure AD](../security-and-authentication/using-saml-with-omni/how-to-configure-entraid-for-omni) +* [Keycloak](../security-and-authentication/configure-keycloak-for-omni) +* [Okta](../security-and-authentication/using-saml-with-omni/configure-okta-for-omni) +* [Workspace ONE Access](../security-and-authentication/using-saml-with-omni/configure-workspace-one-access-for-omni) +* [Unifi Identity Enterprise](../security-and-authentication/using-saml-with-omni/configure-unifi-identity-enterprise-for-omni) -### Create Etcd Encryption Key +### Create etcd encryption key Generate a GPG key: diff --git a/public/omni/infrastructure-and-extensions/self-hosted/how-to-back-up-on-prem-omni-db.mdx b/public/omni/self-hosted/how-to-back-up-on-prem-omni-db.mdx similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/how-to-back-up-on-prem-omni-db.mdx rename to public/omni/self-hosted/how-to-back-up-on-prem-omni-db.mdx 
diff --git a/public/omni/infrastructure-and-extensions/install-airgapped-omni.mdx b/public/omni/self-hosted/install-airgapped-omni.mdx similarity index 99% rename from public/omni/infrastructure-and-extensions/install-airgapped-omni.mdx rename to public/omni/self-hosted/install-airgapped-omni.mdx index df7d50ef..6d40b611 100644 --- a/public/omni/infrastructure-and-extensions/install-airgapped-omni.mdx +++ b/public/omni/self-hosted/install-airgapped-omni.mdx @@ -7,7 +7,7 @@ import { omni_release, version, release } from '/snippets/custom-variables.mdx'; This document will walk through each component to run the "Sidero stack" in an offline environment which includes the following components. * Omni -* [Image Factory](./self-hosted/deploy-image-factory-on-prem) +* [Image Factory](./deploy-image-factory-on-prem) * Container registry * Authentication service @@ -84,7 +84,7 @@ AUTH_ENDPOINT=auth.internal:5556 OMNI_ENDPOINT=omni.internal ``` -## 1. Generate Certificates +## 1. Generate certificates In order to run services securely, even in an air gapped environment, you should run with encrypted data in transit and at rest. There are multiple certificates and keys needed to secure your infrastructure. @@ -238,7 +238,7 @@ chmod 644 server*.pem ## 2. Image factory and container registry -Using the certificates we just created, follow the guide [Deploy Image Factory On-prem](./self-hosted/deploy-image-factory-on-prem). This will +Using the certificates we just created, follow the guide [Deploy Image Factory On-prem](./deploy-image-factory-on-prem). This will create a container registry and host the Image Factory in your environment. It will also sign container images with an offline key for verification. If you do not have a working Image Factory with Talos images and extensions seeded do not continue with the guide. That is a pre-requisite for running Omni in an air gapped environment. 
@@ -249,7 +249,7 @@ If you have existing SAML or OIDC authentication available you can use that with For a PoC environment we will run [dex](https://dexidp.io/docs/) with static users configured. Dex can be used for static configuration or to communicate with upstream providers. For this guide we will configure static users. -### Deploy Dex (optional) +### Deploy dex (optional) Because Omni does not have any user authentication Dex will be configured so we can log in to Omni with a static user. You will need to download the dex container from a machine that has internet access and push it to your internal registry. diff --git a/public/omni/infrastructure-and-extensions/self-hosted/omni-deployment-options.mdx b/public/omni/self-hosted/omni-deployment-options.mdx similarity index 96% rename from public/omni/infrastructure-and-extensions/self-hosted/omni-deployment-options.mdx rename to public/omni/self-hosted/omni-deployment-options.mdx index eee11714..0d27a6a0 100644 --- a/public/omni/infrastructure-and-extensions/self-hosted/omni-deployment-options.mdx +++ b/public/omni/self-hosted/omni-deployment-options.mdx 
@@ -20,7 +20,7 @@ Self-hosting Omni provides more control over data locality and infrastructure bu Omni is not part of the Kubernetes control plane, and temporary unavailability does not affect how your clusters run. They continue operating normally, and Talos machines reconnect when it becomes available again. This behavior is important when deciding whether high availability is necessary. -Kubernetes clusters deployed on Talos use technologies such as [KubePrism](../../../kubernetes-guides/advanced-guides/kubeprism) and a discovery service to make sure the cluster and workloads can run without highly available, external management such as Omni. +Kubernetes clusters deployed on Talos use technologies such as [KubePrism](../../kubernetes-guides/advanced-guides/kubeprism) and a discovery service to make sure the cluster and workloads can run without highly available, external management such as Omni. Omni *is* the authentication mechanism for external access to Talos and Kubernetes. All external user (e.g., `kubectl`) and service (e.g., Infrastructure Providers) communication goes through Omni. If Omni is unavailable for extended periods of time, external communication will not work until Omni is recovered. Omni also offers an emergency “break glass” configuration to access Talos machines and Kubernetes clusters when Omni is not available. diff --git a/public/omni/infrastructure-and-extensions/self-hosted/overview.mdx b/public/omni/self-hosted/overview.mdx similarity index 100% rename from public/omni/infrastructure-and-extensions/self-hosted/overview.mdx rename to public/omni/self-hosted/overview.mdx diff --git a/public/omni/troubleshooting/faqs.mdx b/public/omni/troubleshooting/faqs.mdx index f6deece8..98f965e4 100644 --- a/public/omni/troubleshooting/faqs.mdx +++ b/public/omni/troubleshooting/faqs.mdx 
@@ -29,6 +29,6 @@ To do so you will need to run each component within your environment. Please see documents: -* [Deploy Image Factory on-prem](../infrastructure-and-extensions/self-hosted/deploy-image-factory-on-prem) -* [Deploy Omni on-prem](../infrastructure-and-extensions/self-hosted/deploy-omni-on-prem) +* [Deploy Image Factory on-prem](../self-hosted/deploy-image-factory-on-prem) +* [Deploy Omni on-prem](../self-hosted/deploy-omni-on-prem) diff --git a/public/talos/v1.11/networking/metal-network-configuration.mdx b/public/talos/v1.11/networking/metal-network-configuration.mdx index bf10e77d..c7b54f28 100644 --- a/public/talos/v1.11/networking/metal-network-configuration.mdx +++ b/public/talos/v1.11/networking/metal-network-configuration.mdx @@ -346,7 +346,7 @@ resolvers: If the `dnsServers:` is not set, Talos will use default DNS servers. -### Time Servers +### Time servers The `timeServers:` section is used to configure NTP time servers, only single entry should be used: diff --git a/public/talos/v1.12/advanced-guides/SBOM.mdx b/public/talos/v1.12/advanced-guides/SBOM.mdx index 8972f0f6..1dcdddbd 100644 --- a/public/talos/v1.12/advanced-guides/SBOM.mdx +++ b/public/talos/v1.12/advanced-guides/SBOM.mdx @@ -23,7 +23,7 @@ You can acquire SBOMs for Talos Linux in the following ways: * core Talos Linux SBOM in the `/usr/share/spdx` directory. * extension SBOMs in the `/usr/local/share/spdx` directory. -## SBOMs as Resources +## SBOMs as resources Talos Linux SBOMs are also available as resources in the Talos Linux system. You can access the SBOMs using the `talosctl` command: diff --git a/public/talos/v1.12/advanced-guides/migrating-from-kubeadm.mdx b/public/talos/v1.12/advanced-guides/migrating-from-kubeadm.mdx index ee82612e..54b8a0e5 100644 --- a/public/talos/v1.12/advanced-guides/migrating-from-kubeadm.mdx +++ b/public/talos/v1.12/advanced-guides/migrating-from-kubeadm.mdx 
@@ -148,7 +148,7 @@ you can do the following: If the are not, modify all the labels fields, save the file, delete your current kube-proxy daemonset, and apply the one you modified. -## Limitations on Custom PKI +## Limitations on custom PKI Talos always uses a per-cluster PKI model. During bootstrap, Talos expects a single root CA to issue all other certificates, including those for etcd, the Kubernetes API server, and the front-proxy. @@ -157,4 +157,4 @@ Talos does not support kubeadm PKIs that rely on intermediate CAs (for example, By design, both `--cluster-signing-cert-file` and `--root-ca-file` point to the same CA certificate, and these values cannot be overridden. If your kubeadm cluster uses an intermediate CA hierarchy, you cannot directly reuse that PKI with Talos. -Instead, you must regenerate certificates using the Talos per-cluster CA model. \ No newline at end of file +Instead, you must regenerate certificates using the Talos per-cluster CA model. diff --git a/public/talos/v1.12/build-and-extend-talos/cluster-operations-and-maintenance/cgroups-analysis.mdx b/public/talos/v1.12/build-and-extend-talos/cluster-operations-and-maintenance/cgroups-analysis.mdx index dbab4854..a7aa3cc3 100644 --- a/public/talos/v1.12/build-and-extend-talos/cluster-operations-and-maintenance/cgroups-analysis.mdx +++ b/public/talos/v1.12/build-and-extend-talos/cluster-operations-and-maintenance/cgroups-analysis.mdx @@ -262,7 +262,6 @@ In the swap view, the following columns are displayed: * `SwapHigh`: the high swap limit of the cgroup * `SwapMax`: the maximum swap limit of the cgroup - ### `psi` ```bash 
@@ -314,7 +313,7 @@ In the PSI view, the following columns are displayed: * `CpuPsi10`: avg10 of the `full` PSI value for CPU pressure * `IoPsi10`: avg10 of the `full` PSI value for I/O pressure -## Custom Schemas +## Custom schemas The `talosctl cgroups` command allows you to define custom schemas to display the cgroups information in a specific way. The schema is defined in a YAML file with the following structure: diff --git a/public/talos/v1.12/build-and-extend-talos/cluster-operations-and-maintenance/disaster-recovery.mdx b/public/talos/v1.12/build-and-extend-talos/cluster-operations-and-maintenance/disaster-recovery.mdx index c7e2edda..ae21b140 100644 --- a/public/talos/v1.12/build-and-extend-talos/cluster-operations-and-maintenance/disaster-recovery.mdx +++ b/public/talos/v1.12/build-and-extend-talos/cluster-operations-and-maintenance/disaster-recovery.mdx @@ -15,7 +15,7 @@ in case of catastrophic failure. ## Backup -### Snapshotting `etcd` Database +### Snapshot `etcd` database Create a consistent snapshot of `etcd` database with `talosctl etcd snapshot` command: @@ -31,7 +31,7 @@ This database snapshot can be taken on any healthy control plane node (with IP a as all `etcd` instances contain exactly same data. It is recommended to configure `etcd` snapshots to be created on some schedule to allow point-in-time recovery using the latest snapshot. -### Disaster Database Snapshot +### Disaster database snapshot If the `etcd` cluster is not healthy (for example, if quorum has already been lost), the `talosctl etcd snapshot` command might fail. In that case, copy the database snapshot directly from the control plane node: 
@@ -43,7 +43,7 @@ talosctl -n cp /var/lib/etcd/member/snap/db . This snapshot might not be fully consistent (if the `etcd` process is running), but it allows for disaster recovery when latest regular snapshot is not available. -### Machine Configuration +### Machine configuration Machine configuration might be required to recover the node after hardware failure. Backup Talos node machine configuration with the command: @@ -62,12 +62,12 @@ Before starting a disaster recovery procedure, make sure that `etcd` cluster can If the quorum can be restored, restoring quorum might be a better strategy than performing full disaster recovery procedure. -### Latest Etcd Snapshot +### Latest etcd snapshot Get hold of the latest `etcd` database snapshot. If a snapshot is not fresh enough, create a database snapshot (see above), even if the `etcd` cluster is unhealthy. -### Init Node +### Init node Make sure that there are no control plane nodes with machine type `init`: @@ -83,7 +83,7 @@ Init node type is deprecated, and are incompatible with `etcd` recovery procedur `init` node can be converted to `controlplane` type with `talosctl edit mc --mode=staged` command followed by node reboot with `talosctl reboot` command. -### Preparing Control Plane Nodes +### Prepare control plane nodes If some control plane nodes experienced hardware failure, replace them with new nodes. @@ -102,7 +102,7 @@ At this point, all control plane nodes should boot up, and `etcd` service should The Kubernetes control plane endpoint should be pointed to the new control plane nodes if there were changes to the node addresses. -### Recovering from the Backup +### Recover from the Backup Make sure all `etcd` service instances are in `Preparing` state: 
@@ -141,7 +141,7 @@ Now `etcd` service should become healthy on the bootstrap node, Kubernetes contr should start and control plane endpoint should become available. Remaining control plane nodes join `etcd` cluster once control plane endpoint is up. -## Single Control Plane Node Cluster +## Single control plane node cluster This guide applies to the single control plane clusters as well. In fact, it is much more important to take regular snapshots of the `etcd` database in single control plane node diff --git a/public/talos/v1.12/build-and-extend-talos/cluster-operations-and-maintenance/etcd-maintenance.mdx b/public/talos/v1.12/build-and-extend-talos/cluster-operations-and-maintenance/etcd-maintenance.mdx index af617cce..481ef21e 100644 --- a/public/talos/v1.12/build-and-extend-talos/cluster-operations-and-maintenance/etcd-maintenance.mdx +++ b/public/talos/v1.12/build-and-extend-talos/cluster-operations-and-maintenance/etcd-maintenance.mdx @@ -8,7 +8,7 @@ description: "Operational instructions for etcd database." > Note: Commands from `talosctl etcd` namespace are functional only on the Talos control plane nodes. > Each time you see `` in this page, it is referencing IP address of control plane node. -## Space Quota +## Space quota `etcd` default database space quota is set to 2 GiB by default. If the database size exceeds the quota, `etcd` will stop operations until the issue is resolved. @@ -112,7 +112,7 @@ Should something go wrong with the downgrade, it is possible to use this backup This example shows how to downgrade an `etcd` in Talos cluster. -### Step 1: Check Downgrade Requirements +### Step 1: Check downgrade Requirements Is the cluster healthy and running v3.6.x? 
@@ -132,11 +132,11 @@ Is the cluster healthy and running v3.6.x? -### Step 2: Download Snapshot +### Step 2: Download snapshot [Download the snapshot backup](./disaster-recovery) to provide a downgrade path should any problems occur. -### Step 3: Validate Downgrade +### Step 3: Validate downgrade Validate the downgrade target version before enabling the downgrade: @@ -157,7 +157,7 @@ Validate the downgrade target version before enabling the downgrade: -### Step 4: Enable Downgrade +### Step 4: Enable downgrade @@ -199,7 +199,7 @@ Confirm the storage version of all servers has been migrated to v3.5 by checking > Note: Once downgrade is enabled, the cluster will remain operating with v3.5 protocol even if all the servers are still running the v3.6 binary, unless the downgrade is canceled with `talosctl -n downgrade cancel`. -### Step 5: Patch Machine Config +### Step 5: Patch machine configuration Before patching the node, check if the etcd is leader. We recommend downgrading the leader last. @@ -260,7 +260,7 @@ Verify that each member, and then the entire cluster, becomes healthy with the n -### Step 6: Continue on the Remaining Control Plane Nodes +### Step 6: Continue on the remaining control plane nodes When all members are downgraded, check the health and status of the cluster, and confirm the minor version of all members is v3.5, and storage version is empty: @@ -282,4 +282,4 @@ When all members are downgraded, check the health and status of the cluster, and ``` - \ No newline at end of file + diff --git a/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/building-images.mdx b/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/building-images.mdx index 53a0ee4c..29a93058 100644 --- a/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/building-images.mdx +++ b/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/building-images.mdx 
@@ -10,7 +10,7 @@ There might be several reasons to build Talos images from source: * verifying the [image integrity](../../security/verifying-images) * building an image with custom configuration -## Checkout Talos Source +## Checkout Talos source ```bash git clone https://github.com/siderolabs/talos.git @@ -20,7 +20,7 @@ If building for a specific release, checkout the corresponding tag: {`git checkout ${release_v1_12}`} -## Set up the Build Environment +## Set up the build environment See [Developing Talos](./developing-talos) for details on setting up the buildkit builder. @@ -51,7 +51,7 @@ Talos images compatible with old AMD64 CPUs: make GOAMD64=v1 ``` -## Building Kernel and Initramfs +## Building kernel and initramfs The most basic boot assets can be built with: @@ -61,7 +61,7 @@ make kernel initramfs Build result will be stored as `_out/vmlinuz-` and `_out/initramfs-.xz`. -## Building Container Images +## Building container images Talos container images should be pushed to the registry as the result of the build process. @@ -108,7 +108,7 @@ If ISO image should be built with the custom `imager` image, it can be specified make iso IMAGE_REGISTRY=docker.io USERNAME= ``` -## Building Disk Images +## Building disk images The disk image is built with the help of `imager` container image, by default `ghcr.io/siderolabs/imager` will be used with the matching tag: diff --git a/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/customizing-the-kernel.mdx b/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/customizing-the-kernel.mdx index bec83f54..2c9cda8f 100644 --- a/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/customizing-the-kernel.mdx +++ b/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/customizing-the-kernel.mdx 
@@ -22,7 +22,7 @@ In order to build a custom kernel (or a custom kernel module), the following ste We will go through each step in detail. -## Building a Custom Kernel +## Building a custom kernel First, you might need to prepare the build environment, follow the [Building Custom Images](./building-images) guide. @@ -66,7 +66,7 @@ make kernel REGISTRY=127.0.0.1:5005 PUSH=true PLATFORM=linux/amd64 This will create a container image `127.0.0.1:5005/siderolabs/kernel:$TAG` with the kernel and modules. -## Building Talos Base Artifacts +## Building Talos base artifacts Follow the [Building Custom Images](./building-images) guide to set up the Talos source code checkout. @@ -91,7 +91,7 @@ make imager PKG_KERNEL=127.0.0.1:5005/siderolabs/kernel:$TAG PLATFORM=linux/amd6 > Note: if you built the kernel for both `amd64` and `arm64`, a multi-arch `imager` container can be built as well by specifying `INSTALLER_ARCH=all` and `PLATFORM=linux/amd64,linux/arm64`. -## Building Talos Boot Assets +## Building Talos boot assets Follow the [Boot Assets](../../platform-specific-installations/boot-assets) guide to build Talos boot assets you might need to boot Talos: ISO, `installer` image, etc. Replace the reference to the `imager` in guide with the reference to the `imager` container built above. diff --git a/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/developing-talos.mdx b/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/developing-talos.mdx index 457b0edd..31ee8f05 100644 --- a/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/developing-talos.mdx +++ b/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/developing-talos.mdx 
@@ -91,7 +91,7 @@ sudo --preserve-env=HOME _out/talosctl- cluster create \ > > `talosctl cluster create` derives Talos machine configuration version from the install image tag, so sometimes early in the development cycle (when new minor tag is not released yet), machine config version can be overridden with `--talos-version=${version_v1_12}`. -## Console Logs +## Console logs Watching console logs is easy with `tail`: @@ -121,7 +121,7 @@ You can deploy some Kubernetes workloads to the cluster. You can edit machine config on the fly with `talosctl edit mc --immediate`, config patches can be applied via `--config-patch` flags, also many features have specific flags in `talosctl cluster create`. -## Quick Reboot +## Quick reboot To reboot whole cluster quickly (e.g. to pick up a change made in the code): @@ -133,7 +133,7 @@ Sending `q` to a single socket allows to reboot a single node. > Note: This command performs immediate reboot (as if the machine was powered down and immediately powered back up), for normal Talos reboot use `talosctl reboot`. -## Development Cycle +## Development cycle Fast development cycle: @@ -146,7 +146,7 @@ Fast development cycle: Some aspects of Talos development require to enable bootloader (when working on `installer` itself), in that case quick development cycle is no longer possible, and cluster should be destroyed and recreated each time. -## Running Integration Tests +## Running integration tests If integration tests were changed (or when running them for the first time), first rebuild the integration test binary: @@ -168,7 +168,7 @@ Whole test suite can be run removing `-test.short` flag. Specfic tests can be run with `-test.run=TestIntegration/api.ResetSuite`. -## Build Flavors +## Build flavors `make WITH_RACE=1` enables Go race detector, Talos runs slower and uses more memory, but memory races are detected. 
@@ -178,7 +178,7 @@ Specfic tests can be run with `-test.run=TestIntegration/api.ResetSuite`. Combine with `--with-debug-shell` flag when creating cluster to obtain shell access. This is uncommonly used as in this case the bash shell will run in place of machined. -## Destroying Cluster +## Destroying cluster ```bash sudo --preserve-env=HOME ../talos/_out/talosctl-linux-amd64 cluster destroy --provisioner=qemu @@ -218,7 +218,7 @@ Running tests as root can be done with `-exec` flag to `go test`, but this is ri go test -exec sudo -v ./internal/app/machined/pkg/controllers/network/... ``` -## Go Profiling +## Go profiling Build `initramfs` with debug enabled: `make initramfs WITH_DEBUG=1`. @@ -234,7 +234,7 @@ The IP address `172.20.0.2` is the address of the Talos node, and port `:9982` d - 9982: `machined` - 9983: `trustd` -## Testing Air-gapped Environments +## Testing air-gapped environments There is a hidden `talosctl debug air-gapped` command which launches two components: @@ -300,7 +300,7 @@ The following lines should appear in the output of the `talosctl debug air-gappe There might be more output depending on the registry caches being used or not. -## Running Upgrade Integration Tests +## Running upgrade integration tests Talos has a separate set of provision upgrade tests, which create a cluster on older versions of Talos, perform an upgrade, and verify that the cluster is still functional. diff --git a/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/oci-base-spec.mdx b/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/oci-base-spec.mdx index 457f1abb..c1c5b69c 100644 --- a/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/oci-base-spec.mdx +++ b/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/oci-base-spec.mdx 
@@ -9,7 +9,7 @@ While certain aspects of this specification can be modified through Kubernetes p Talos Linux provides the capability to adjust the OCI base runtime specification for all containers managed by the CRI. However, it is important to note that the Kubernetes/CRI plugin may still override some settings, meaning changes to the base runtime specification are not always guaranteed to take effect. -## Getting Current OCI Base Runtime Specification +## Getting current OCI base runtime specification To get the current OCI base runtime specification, you can use the following command (`yq -P .` is used to pretty-print the output): @@ -29,7 +29,7 @@ process: The output might depend on a specific Talos (`containerd`) version. -## Adjusting OCI Base Runtime Specification +## Adjusting OCI base runtime specification To adjust the OCI base runtime specification, the following machine configuration patch can be used: diff --git a/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/overlays.mdx b/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/overlays.mdx index e826d85d..fa823cb4 100644 --- a/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/overlays.mdx +++ b/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/overlays.mdx 
@@ -8,27 +8,26 @@ Overlays provide a way to customize Talos Linux boot image. Overlays hook into the Talos install steps and can be used to provide additional boot assets (in the case of single board computers), extra kernel arguments or some custom configuration that is not part of the default Talos installation and specific to a particular overlay. -## Overlays v/s Extensions +## Overlays v/s extensions Overlays are similar to extensions, but they are used to customize the installation process, while extensions are used to customize the root filesystem. -## Official Overlays +## Official overlays The list of official overlays can be found in the [Overlays GitHub repository](https://github.com/siderolabs/overlays/). -## Using Overlays +## Using overlays Overlays can be used to generate a modified metal image or installer image with the overlay applied. The process of generating boot assets with overlays is described in the [boot assets guide](../../platform-specific-installations/boot-assets). -### Example: Booting a Raspberry Pi 4 with an Overlay +### Example: Boot a Raspberry Pi 4 with an overlay Follow the board specific guide for [Raspberry Pi](../../platform-specific-installations/single-board-computers/rpi_generic) to download or generate the metal disk image and write to an SD card. Boot the machine with the boot media and apply the machine configuration with the installer image that has the overlay applied. - {`# Talos machine configuration patch machine: 
@@ -40,14 +39,14 @@ machine: > Note: The schematic id shown in the above patch is for a vanilla `rpi_generic` overlay. > Replace it with the schematic id of the overlay you want to apply. -## Authoring Overlays +## Author overlays An Overlay is a container image with the [specific folder structure](https://github.com/siderolabs/overlays#readme). Overlays can be built and managed using any tool that produces container images, e.g. `docker build`. Sidero Labs maintains a [repository of overlays](https://github.com/siderolabs/overlays). -### Developing An Overlay +### Develop an overlay Let's assume that you would like to contribute an overlay for a specific board, e.g. by contributing to the [`sbc-rockchip` repository](https://github.com/siderolabs/sbc-rockchip). Clone the repositry and insepct the existing overlays to understand the structure. diff --git a/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/system-extensions.mdx b/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/system-extensions.mdx index 989b9de5..acab7caf 100644 --- a/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/system-extensions.mdx +++ b/public/talos/v1.12/build-and-extend-talos/custom-images-and-development/system-extensions.mdx @@ -12,7 +12,7 @@ container runtimes, loading additional firmware, etc. System extensions are only activated during the installation or upgrade of Talos Linux. With system extensions installed, the Talos root filesystem is still immutable and read-only. -## Official System Extension Tiers +## Official system extension tiers Talos Linux provides a number of [official system extensions](https://github.com/siderolabs/extensions), which are split into the following tiers based on support level: 
@@ -31,7 +31,7 @@ tiers based on support level: | CVE Scan | 🟢 | ✔️ (scan is done, but CVEs don’t block the release) | ❌ | | Compatibility/Build issues | 🟢 | ✔️ (best effort) | ❌ (extension will be disabled if it fails to build) | -## Installing System Extensions +## Install system extensions > Note: the way to install system extensions in the `.machine.install` section of the machine configuration is now deprecated. @@ -49,7 +49,7 @@ both initial boot assets and disk images/`installer`, or just the `installer`. The process of generating boot assets with extensions included is described in the [boot assets guide](../../platform-specific-installations/boot-assets). -### Example: Booting from an ISO +### Example: Boot from an ISO Let's assume NVIDIA extension is required on a bare metal machine which is going to be booted from an ISO. As NVIDIA extension is not required for the initial boot and install step, it is sufficient to include the extension in the `installer` image only. @@ -63,7 +63,7 @@ As NVIDIA extension is not required for the initial boot and install step, it is When it's time to upgrade Talos, generate a custom `installer` container for a new version of Talos, push it to a registry, and perform upgrade pointing to the custom `installer` image. -### Example: Disk Image +### Example: Disk image Let's assume NVIDIA extension is required on AWS VM. 
@@ -75,14 +75,14 @@ Let's assume NVIDIA extension is required on AWS VM. When it's time to upgrade Talos, either repeat steps 1-4 to replace the VM with a new AMI, or like in the previous example, generate a custom `installer` and use it to upgrade Talos in-place. -## Authoring System Extensions +## Author system extensions A Talos system extension is a container image with the [specific folder structure](https://github.com/siderolabs/extensions?tab=readme-ov-file#building-extensions). System extensions can be built and managed using any tool that produces container images, e.g. `docker build`. Sidero Labs maintains a [repository of system extensions](https://github.com/siderolabs/extensions). -## Resource Definitions +## Resource definitions Use `talosctl get extensions` to get a list of system extensions: diff --git a/public/talos/v1.12/configure-your-talos-cluster/hardware-and-drivers/amd-gpu.mdx b/public/talos/v1.12/configure-your-talos-cluster/hardware-and-drivers/amd-gpu.mdx index 9c153d3d..2e5cf35d 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/hardware-and-drivers/amd-gpu.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/hardware-and-drivers/amd-gpu.mdx @@ -8,7 +8,7 @@ To make those GPUs available to Kubernetes workloads, you can deploy the ROCm GP This guide shows how to enable AMD GPU support on your Talos nodes, apply any tuning your hardware might need, and install ROCm inside your cluster. -## Before You Begin +## Before you begin You’ll need: @@ -70,7 +70,7 @@ What these parameters do: - `amdgpu.gttsize`: Increases the GPU GTT memory size for workloads that allocate large buffers - `ttm.pages_limit`: Raises the TTM memory limit for large model workloads. -## Deploy the ROCm GPU Operator +## Deploy the ROCm GPU operator With GPU support enabled at the OS level, you can deploy the ROCm GPU Operator to surface GPU resources to Kubernetes workloads. 
diff --git a/public/talos/v1.12/configure-your-talos-cluster/hardware-and-drivers/nvidia-gpu-proprietary.mdx b/public/talos/v1.12/configure-your-talos-cluster/hardware-and-drivers/nvidia-gpu-proprietary.mdx index c345cc4b..b77c5aa3 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/hardware-and-drivers/nvidia-gpu-proprietary.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/hardware-and-drivers/nvidia-gpu-proprietary.mdx @@ -21,7 +21,7 @@ Create the [boot assets](../../platform-specific-installations/boot-assets) whic > Make sure the driver version matches for both the `nonfree-kmod-nvidia` and `nvidia-container-toolkit` extensions. > The `nonfree-kmod-nvidia` extension is versioned as `-` and the `nvidia-container-toolkit` extension is versioned as `-`. -## Proprietary vs OSS Nvidia Driver Support +## Proprietary vs OSS Nvidia driver support The NVIDIA Linux GPU Driver contains several kernel modules: `nvidia.ko`, `nvidia-modeset.ko`, `nvidia-uvm.ko`, `nvidia-drm.ko`, and `nvidia-peermem.ko`. Two "flavors" of these kernel modules are provided, and both are available for use within Talos: diff --git a/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/containerd.mdx b/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/containerd.mdx index 5090926e..be965782 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/containerd.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/containerd.mdx @@ -9,7 +9,7 @@ The base containerd configuration expects to merge in any additional configs pre ## Examples -### Exposing Metrics +### Exposing metrics Patch the machine config by adding the following: 
@@ -35,7 +35,7 @@ container_blkio_io_service_bytes_recursive_bytes{container_id="0677d73196f5f4be1 ... ``` -### Pause Image +### Pause image This change is often required for air-gapped environments, as `containerd` CRI plugin has a reference to the `pause` image which is used to create pods, and it can't be controlled with Kubernetes pod definitions. @@ -82,7 +82,7 @@ machine: Also change the cdi spec dirs configuration in your Dynamic Resource Allocation driver, since it needs to place the discovered hardware device specs in these folders. -### Enabling NRI Plugins +### Enabling NRI plugins By default, Talos disables [NRI](https://github.com/containerd/containerd/blob/main/docs/NRI.md) plugins in `containerd`, as they might have security implications. However, if you need to enable them, you can do so by adding the following configuration: diff --git a/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/image-cache-registry-mirror.mdx b/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/image-cache-registry-mirror.mdx index b839dae5..2268c1f6 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/image-cache-registry-mirror.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/image-cache-registry-mirror.mdx @@ -20,7 +20,7 @@ talosctl images k8s-bundle | \ --layout=flat ``` -## Step 2. Generate Required Certificates +## Step 2. Generate required certificates You can generate the certificates using the following command: @@ -41,7 +41,7 @@ This produces: These are required for serving the cache over HTTPS. -## Step 3. Start the Image Cache Registry +## Step 3. Start the image cache registry `cache-serve` starts a lightweight, read-only registry that serves images from the cache directory. 
@@ -53,7 +53,7 @@ talosctl image cache-serve \ --tls-key-file=/tmp/tls.key ``` -## Step 4. Patch Talos to Trust the Registry CA +## Step 4. Patch Talos to trust the registry CA Talos requires HTTPS to pull installer images. @@ -74,7 +74,7 @@ certificates: | # including the BEGIN CERTIFICATE and END CERTIFICATE lines ``` -## Step 5. Configure Registry Mirrors +## Step 5. Configure registry mirrors Talos and Kubernetes components normally pull images from public registries such as `docker.io`, `ghcr.io`, and `registry.k8s.io`. diff --git a/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/image-cache.mdx b/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/image-cache.mdx index 129964c3..a98354cb 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/image-cache.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/image-cache.mdx @@ -10,7 +10,7 @@ This is especially useful in environments with limited or no Internet connectivi The cache is local to each machine and is automatically managed by Talos when enabled. -## Preparing Image Cache +## Preparing image cache First, build a list of image references that need to be cached. The `talosctl images k8s-bundle` might be used as a starting point, but it should be customized to include additional images (e.g. custom CNI, workload images, etc.) @@ -20,7 +20,7 @@ talosctl images k8s-bundle > images.txt cat extra-images.txt >> images.txt ``` -### Air-Gapped Environments +### Air-gapped environments If you are preparing for an air-gapped environment, you will need to cache the talos images as well. Starting with Talos 1.12 you can get a list of images needed from talosctl. 
@@ -31,7 +31,7 @@ talosctl images talos-bundle ${release_v1_12} >> images.txt `} -or deploy an [Image Factory](../../../../omni/infrastructure-and-extensions/self-hosted/deploy-image-factory-on-prem) to host Talos images internally. +or deploy an [Image Factory](../../../../omni/self-hosted/deploy-image-factory-on-prem) to host Talos images internally. Including all talos-bundle images will significantly increase the size of your installation media. The minimum images to install Talos include the `installer` and `installer-base` images. @@ -52,7 +52,7 @@ Example of pushing the OCI image cache directory to a container registry: crane push ./image-cache.oci my.registry/image-cache:my-cache ``` -## Building Boot Assets +## Build boot assets The image cache is provided to Talos via the boot assets. There are two supported boot asset types for the Image Cache: ISO and disk image. @@ -82,7 +82,7 @@ The ISO image can be utilized in the following ways (which allows both booting T > Note: Third-party boot loaders, such as Ventoy, are not supported as Talos will not be able to access the image cache. -### Disk Image +### Disk image In case of disk image, the image cache is included in the disk image itself, and on boot it would be used immediately by the Talos. @@ -142,7 +142,7 @@ If the disk image is used, the `IMAGECACHE` volume doesn't need to be configured See [System Volumes](../storage-and-disk-management/disk-management/system) for more information on volume configuration. -## Updating the Image Cache +## Update the image cache The image cache is initially populated during installation from the boot media (ISO or disk image) and stored on disk. Over time, you may want to update or refresh the cached images without reinstalling the node. 
@@ -159,7 +159,7 @@ This process allows you to refresh cached images without rebuilding or reinstall > **Note:** You can update the image cache using any medium described in the documentation for building boot assets. The media does not need to have Talos installed or be bootable itself, it only needs to provide the cache contents. -### Limitations of Live Image Cache Updates +### Limitations of live image cache updates Only images baked into the ISO or USB are copied. There is no way to push arbitrary new images directly into the cache on a running system. diff --git a/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/pull-through-cache.mdx b/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/pull-through-cache.mdx index 5b14e81d..ec662ca8 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/pull-through-cache.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/pull-through-cache.mdx @@ -16,7 +16,7 @@ The same concept can extended to air-gapped or partially connected environments, There are many implementations of container registries that support pull-through caching, including [Docker Registry](https://hub.docker.com/_/registry), [Harbor](https://goharbor.io/), [Zot](https://zotregistry.dev/), and others. -## Launch the Caching Docker Registry Proxies +## Launch the caching Docker Registry proxies The Docker Registry is the simplest way to set up pull-through caching proxies. It requires to set up a separate registry container per upstream registry. 
@@ -50,7 +50,7 @@ docker run -d -p 5003:5000 \ As a registry container can only handle a single upstream Docker registry, we launch a container per upstream, each on its own host port (5000, 5001, 5002, 5003 and 5004). -## Configuring Talos to Use the Caching Registries +## Configuring Talos to use the caching registries Talos Linux can be configured to redirect image pulls to the caching registries using [RegistryMirrorConfig](../../reference/configuration/cri/registrymirrorconfig) configuration document. The registry mirror configuration is honored by Talos Linux itself and automatically propagated to CRI runtimes (containerd). @@ -142,7 +142,7 @@ ca: |- -----END CERTIFICATE----- ``` -## Using Harbor as a Caching Registry +## Using Harbor as a caching registry [Harbor](https://goharbor.io/) is an open source container registry that can be used as a caching proxy. Harbor supports configuring multiple upstream registries, so it can be used to cache multiple registries at once behind a single endpoint. diff --git a/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/static-pods.mdx b/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/static-pods.mdx index 02070a87..1daa4c96 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/static-pods.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/images-container-runtime/static-pods.mdx @@ -75,7 +75,7 @@ $ talosctl logs kubelet 172.20.0.2: {"ts":1644505520281.427,"caller":"config/file.go:187","msg":"Could not process manifest file","path":"/etc/kubernetes/manifests/talos-default-nginx-gvisor.yaml","err":"invalid pod: [spec.containers: Required value]"} ``` -## Resource Definitions +## Resource definitions Static pod definitions are available as `StaticPod` resources combined with Talos-generated control plane static pods: 
diff --git a/public/talos/v1.12/configure-your-talos-cluster/lifecycle-management/resetting-a-machine.mdx b/public/talos/v1.12/configure-your-talos-cluster/lifecycle-management/resetting-a-machine.mdx index ef7504af..67f36069 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/lifecycle-management/resetting-a-machine.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/lifecycle-management/resetting-a-machine.mdx @@ -35,7 +35,7 @@ If the machine is part of an HA cluster, a normal, graceful reset should work fi However, if this is a single-node cluster used for testing purposes, a graceful reset is not an option since `etcd` cannot be "left" if there is only a single member. In this case, use the reset command with `--graceful=false` to skip checks that would normally block the reset. -## Kernel Parameter +## Kernel parameter Another method to reset a machine is by specifying the `talos.experimental.wipe=system` kernel parameter. If the machine is stuck in a boot loop and you have access to the console, you can use GRUB to specify this kernel argument. diff --git a/public/talos/v1.12/configure-your-talos-cluster/lifecycle-management/upgrading-talos.mdx b/public/talos/v1.12/configure-your-talos-cluster/lifecycle-management/upgrading-talos.mdx index da140b89..8d100834 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/lifecycle-management/upgrading-talos.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/lifecycle-management/upgrading-talos.mdx 
@@ -21,7 +21,7 @@ Likewise, Talos may be manually rolled back via API (or `talosctl rollback`), wh *Note* An upgrade of the Talos Linux OS will not (since v1.0) apply an upgrade to the Kubernetes version by default. Kubernetes upgrades should be managed separately per [upgrading kubernetes](../../../../kubernetes-guides/advanced-guides/upgrading-kubernetes). -## Supported Upgrade Paths +## Supported upgrade paths Because Talos Linux is image based, an upgrade is almost the same as installing Talos, with the difference that the system has already been initialized with a configuration. The supported configuration may change between versions. @@ -34,17 +34,17 @@ For example, if upgrading from Talos 1.0 to Talos 1.2.4, the recommended upgrade * upgrade from v1.0.6 to latest patch of 1.1 - to v1.1.2 * upgrade from v1.1.2 to v1.2.4 -## Before Upgrade to {release_v1_12} +## Before upgrade to {release_v1_12} There are no specific actions to be taken before an upgrade. -## Video Walkthrough +## Video walkthrough To see a live demo of an upgrade of Talos Linux, see the video below: -## After Upgrade to {release_v1_12} +## After upgrade to {release_v1_12} There are no specific actions to be taken after an upgrade. @@ -72,7 +72,7 @@ Because this occurs in a just rebooted system, there will be no conflict with an After the upgrade is applied, the node will reboot again, in order to boot into the new version. Note that because Talos Linux reboots via the `kexec` syscall, the extra reboot adds very little time. -## Machine Configuration Changes +## Machine configuration changes * [VolumeConfig](../../reference/configuration/block/volumeconfig) now supports encryption configuration for system volumes. * [VolumeConfig](../../reference/configuration/block/volumeconfig), [UserVolumeConfig](../../reference/configuration/block/uservolumeconfig) encryption configuration for TPM now supports specifying PCRs to lock the encryption key to. 
@@ -111,7 +111,7 @@ Note that because Talos Linux reboots via the `kexec` syscall, the extra reboot * `.machine.install.grubUseUKICmdline` to unify kernel args behavior for legacy GRUB bootloader with systemd-boot. -## Upgrade Sequence +## Upgrade sequence When a Talos node receives the upgrade command, it cordons itself in Kubernetes, to avoid receiving any new workload. diff --git a/public/talos/v1.12/configure-your-talos-cluster/logging-and-telemetry/logging.mdx b/public/talos/v1.12/configure-your-talos-cluster/logging-and-telemetry/logging.mdx index 929bc59a..318e8a60 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/logging-and-telemetry/logging.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/logging-and-telemetry/logging.mdx @@ -7,7 +7,7 @@ aliases: import { k8s_release } from '/snippets/custom-variables.mdx'; -## Viewing logs +## View logs Kernel messages can be retrieved with `talosctl dmesg` command: @@ -64,12 +64,12 @@ $ talosctl -n 172.20.1.2 logs -k kube-system/kube-proxy-gfkqj:kube-proxy:ad5e8dd If some host workloads (e.g. system extensions) send syslog messages, they can be retrieved with `talosctl logs syslogd` command. -## Forwarding logs for aggregation +## Forward logs for aggregation Talos writes logs to files in `/var/log` directory. A pod running in Kubernetes can mount this directory and forward logs to a log aggregation system. -## Sending logs over network +## Send logs over network ### Service logs @@ -160,7 +160,7 @@ Sample message: > `extraKernelArgs` in the machine configuration are only applied on Talos upgrades, not just by applying the config. > (Upgrading to the same version is fine). -### Receiving logs +### Receive logs If you have configure remote service logs or kernel logs on a Talos system and want to collect the logs centrally for debugging purposes you can temporarily run the netcat `nc` command to receive logs. 
diff --git a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-encryption.mdx b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-encryption.mdx index fd323793..524af86f 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-encryption.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-encryption.mdx @@ -91,7 +91,7 @@ encryption: slot: 0 ``` -### Encryption Keys +### Encryption keys > Note: What the LUKS2 docs call "keys" are, in reality, a passphrase. > When this passphrase is added, LUKS2 runs argon2 to create an actual key from that passphrase. @@ -125,7 +125,7 @@ encryption: Take a note that key order does not play any role on which key slot is used. Every key must always have a slot defined. -### Encryption Key Kinds +### Encryption key kinds Talos supports two kinds of keys: @@ -146,7 +146,7 @@ Every key kind also supports `lockToState` option, which means that the key will It is recommended to use `lockToState` for the `EPHEMERAL` partition and user volumes, so that the data on these partitions is not accessible if the `STATE` partition is wiped or replaced. If you would like non-`STATE` volumes to survive `STATE` partition wipe, do not enable `lockToState` option. -### Key Rotation +### Key rotation In order to completely rotate keys, it is necessary to do `talosctl apply-config` a couple of times, since there is a need to always maintain a single working key while changing the other keys around it. @@ -193,9 +193,9 @@ Run: talosctl apply-config -n --mode=reboot -f config.yaml ``` -## Going from Unencrypted to Encrypted and Vice Versa +## Going from unencrypted to encrypted and vice versa -### Ephemeral Partition +### Ephemeral partition There is no in-place encryption support for the partitions right now, so to avoid losing data only empty partitions can be encrypted. 
@@ -226,7 +226,7 @@ That's it! After you run the last command, the partition will be wiped and the node will reboot. During the next boot the system will encrypt the partition. -### State Partition +### State partition Calling wipe against the STATE partition will make the node lose the config, so the previous flow is not going to work. @@ -244,7 +244,7 @@ talosctl apply-config --insecure -n -f config.yaml After installation is complete the node should encrypt the STATE partition. -### Configuring TPM-Based Disk Encryption +### Configuring TPM-Based disk encryption Talos supports TPM-based disk encryption by binding the LUKS2 key to one or more PCR (Platform Configuration Register) values. This allows you to control how tightly the encrypted volume is tied to the machine’s firmware and boot state. @@ -261,7 +261,7 @@ pcrs: [7] PCR 7 reflects the SecureBoot state and provides backward-compatible behavior with older Talos releases. -#### Binding Only to Signed PCR Policies +#### Binding only to signed PCR policies If the user explicitly sets an empty list, Talos binds only to PCR 11, which is used for signed TPM policies: @@ -273,7 +273,7 @@ tpm: This ignores SecureBoot state, which is useful on hardware where PCR 7 values differ across platforms or firmware versions. -#### Binding to Multiple PCRs +#### Binding to multiple PCRs You can bind the key to multiple PCR values for stronger protection. For example, to bind to both the SecureBoot state (PCR 7) and the firmware state: diff --git a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/common.mdx b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/common.mdx index 9f432c4c..6a762dcf 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/common.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/common.mdx 
@@ -11,7 +11,7 @@ Several configuration documents share common elements for configuring volumes in * [`RawVolumeConfig`](../../../reference/configuration/block/rawvolumeconfig) * [`SwapVolumeConfig`](../../../reference/configuration/block/swapvolumeconfig) -## Disk Selector +## Disk selector The `diskSelector` field is utilized to choose the disk where the volume will be provisioned. It is a [Common Expression Language (CEL)](https://cel.dev/) expression that evaluates against the available disks. @@ -66,7 +66,7 @@ Examples of disk selector expressions: * `disk.serial.startsWith('deadbeef') && !cdrom`: select disks with serial number starting with `deadbeef` and not of CD-ROM type * `'/dev/disk/by-path/pci-0000:00:1f.2-ata-1' in disk.symlinks`: select disks with a specific stable symlink -### Minimum, Maximum and Grow +### Minimum, maximum and grow The `minSize` and `maxSize` fields define the minimum and maximum size of the volume, respectively. Talos Linux will always ensure that the volume is at least `minSize` in size and will not exceed `maxSize`. @@ -81,7 +81,7 @@ The `grow` flag controls what happens when the volume already exists: Setting `minSize` might influence disk selection - if the disk does not have enough free space to satisfy the minimum size requirement, it will not be selected for provisioning. -## Volume Selector +## Volume selector The `volumeSelector` field is a CEL expression that allows you to match existing volumes based on their properties. It is evaluated against the available volumes, and the first volume that matches the expression will be picked up. diff --git a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/existing.mdx b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/existing.mdx index b0d09d8c..a7d5c852 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/existing.mdx 
+++ b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/existing.mdx @@ -13,7 +13,7 @@ Existing volumes are mounted under `/var/mnt/`, and this location g > Note: If you need to allocate a volume to be mounted to a container, please see [User Volumes](./user) guide. -### Declaring Existing Volumes +### Declaring existing volumes To declare an existing volume, append the following [document](../../../reference/configuration/block/existingvolumeconfig) to the machine configuration: diff --git a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/layout.mdx b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/layout.mdx index 4dc9ea6f..17df6c95 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/layout.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/layout.mdx @@ -6,7 +6,7 @@ weight: 10 Talos Linux provides tools to observe available disks and volumes on the machine. -## Listing Disks +## Listing disks To obtain a list of all available block devices (disks) on the machine, you can use the following command: @@ -55,7 +55,7 @@ spec: - /dev/disk/by-path/virtio-pci-0000:00:07.0 ``` -## Discovered Volumes +## Discovered volumes Talos Linux monitors all block devices and partitions on the machine. Details about these devices, including their type, can be found in the `DiscoveredVolume` resource. @@ -100,7 +100,7 @@ Currently, the following filesystem types are supported: The discovered volumes can include both Talos-managed volumes and any other volumes present on the machine, such as Ceph volumes. -## Disk Layout +## Disk layout The default disk layout for Talos installation is as follows: 
@@ -126,7 +126,7 @@ The `EPHEMERAL` partition by default consumes all unallocated space, but it can The `EPHEMERAL` partition is a catch-all location for storing data, while it might be desired to segregate the data into different partitions. Talos supports creating additional user volumes to be used for different purposes: e.g. local storage for various applications, specific volumes per applications, etc. -### Single Disk Layout +### Single disk layout ```text +-------------------------------------------------------------------------------------------------------+ @@ -139,7 +139,7 @@ Talos supports creating additional user volumes to be used for different purpose In this layout, the `EPHEMERAL` partition was limited to 200GB, and two additional partitions were created for `csi-data` and `local-storage`. -### Multiple Disk Layout +### Multiple disk layout ```text +---------------------------------------------------------------------------------------+ diff --git a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/overview.mdx b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/overview.mdx index 6e33dc2b..b082ac0e 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/overview.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/overview.mdx @@ -7,11 +7,11 @@ aliases: This guide provides an overview of the disk management features in Talos Linux. -## Disk and Volume Discovery +## Disk and volume discovery See [Disk Layout](./layout) for details on the disk layout and how to observe discovered disks and volumes. -## Volume Management +## Volume management Talos Linux implements disk management through the concept of volumes. A volume represents a provisioned, located, mounted, or unmounted entity, such as a disk, partition, or a directory/overlay mount. 
diff --git a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/raw.mdx b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/raw.mdx index 957bec62..8bdec4f5 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/raw.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/raw.mdx @@ -18,7 +18,7 @@ Disk encryption can be optionally enabled for raw volumes. > Note: If you need to allocate a volume to be mounted to a container, please see [User Volumes](./user) guide. -### Creating Raw Volumes +### Create raw volumes To create a raw volume, append the following [document](../../../reference/configuration/block/rawvolumeconfig) to the machine configuration: @@ -55,7 +55,7 @@ This volume can be referenced using a stable symlink `/dev/disk/by-partlabel/r-o > Note: Ceph will not create a partition if the partition label contains the substring `ceph`. Avoid using such names for your labels. -### Removing Raw Volumes +### Remove raw volumes Before removing a raw volume, ensure that it is not used anymore. diff --git a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/resources.mdx b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/resources.mdx index 19b5d55d..318fb354 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/resources.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/resources.mdx 
@@ -11,7 +11,7 @@ This information is useful for understanding how Talos Linux manages volumes and The configuration of volumes is defined using the `VolumeConfig` resource, while the current state of volumes is stored in the `VolumeStatus` resource. -### Volume Configuration +### Volume configuration The volume configuration is managed by Talos Linux based on machine configuration. To see configured volumes, use the following command: @@ -74,7 +74,7 @@ spec: targetPath: /system/state ``` -### Volume Status +### Volume status Current volume status can be obtained using the following command: @@ -105,7 +105,7 @@ Each volume goes through different phases during its lifecycle: Volumes are mounted when they are ready to be used, mounts are tracked in two resources: `MountRequest` describes the desired mount, while `MountStatus` describes the current state of the mount. -### Mount Request +### Mount request Mount requests are created automatically by Talos Linux based on the volume configuration, service configuration, etc. @@ -135,7 +135,7 @@ NODE NAMESPACE TYPE ID VERS 172.20.0.5 runtime MountRequest EPHEMERAL 2 EPHEMERAL ["sequencer"] ``` -### Mount Status +### Mount status As the volumes are mounted, the status of the mounts is updated in the `MountStatus` resource: diff --git a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/system.mdx b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/system.mdx index 45614a8b..18ef159c 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/system.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/system.mdx 
@@ -7,7 +7,7 @@ weight: 20 Talos Linux has a set of system volumes that are used for various purposes, such as storing the system state, ephemeral data, and more. This guide provides an overview of the system volumes and how to configure them. -## `EPHEMERAL` Volume +## `EPHEMERAL` volume The `EPHEMERAL` volume is a system volume that is used for storing ephemeral data, such as container data, downloaded images, logs, and `etcd` data (for controlplane nodes). @@ -63,7 +63,7 @@ provisioning: match: disk.transport == 'nvme' && !system_disk ``` -## `IMAGECACHE` Volume +## `IMAGECACHE` volume This system volume is not provisioned by default, and it only gets created if the [Image Cache](../../images-container-runtime/image-cache) feature is enabled. diff --git a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/user.mdx b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/user.mdx index 00e2905b..0397b0bd 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/user.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/disk-management/user.mdx @@ -18,7 +18,7 @@ The volume mount location is `/var/mnt/`, and it gets automatically Disk encryption can be optionally enabled for user volumes. -## Creating User Volumes +## Create user volumes To create a user volume, append the following [document](../../../reference/configuration/block/uservolumeconfig) to the machine configuration: @@ -79,7 +79,7 @@ spec: Please note, the path inside the container can be different from the path on the host. -## Removing User Volumes +## Remove user volumes Before removing a user volume, ensure that it is not mounted in any Kubernetes pod. 
@@ -100,7 +100,7 @@ or from the `DiscoveredVolume` resource any time later. > Note: If the `wipe disk` command fails with `blockdevice is in use by volume`, it means the user volume has not been removed from the machine configuration. -## Types of User Volumes +## Types of user volumes `UserVolumeConfig` includes an optional `volumeType` field that controls how a user volume is created and managed. If omitted, the system defaults to `partition`. diff --git a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/swap.mdx b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/swap.mdx index a29b96ce..8fcd6b57 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/swap.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/storage-and-disk-management/swap.mdx @@ -16,7 +16,7 @@ Swap and zswap can be used together, but they can also be configured independent Swap and zswap are disabled by default in Talos, but can be enabled through the configuration. -## Swap Devices +## Swap devices Swap devices can be configured in the [Talos machine configuration](../../reference/configuration/block/swapvolumeconfig) similar to how [User Volumes](./disk-management/user) are configured. As swap devices contain memory pages, it is recommended to enable disk encryption for swap devices to prevent sensitive data from being written to disk in plaintext. @@ -84,7 +84,7 @@ NODE NAMESPACE TYPE ID VERSION TOTAL SIZE STORED PAG Removing a `ZswapConfig` document will disable zswap on the system. Please note that zswap requires swap to be enabled on the system to function properly. -## Kubernetes and Swap +## Kubernetes and swap Kubernetes by default [does not allow swap to be used by containers](https://kubernetes.io/blog/2025/03/25/swap-linux-improvements/), as it can lead to performance issues and unpredictable behavior. 
@@ -136,7 +136,7 @@ NAME SwapCurrent SwapPeak SwapH If `SwapMax` is set to `0 B`, it means that swap is not enabled for this cgroup (container/pod). Current swap and zswap usage can be seen in the `SwapCurrent` and `ZswapCurrent` columns, respectively. -## Swap Tuning +## Swap tuning Swap can benefit some workloads by evicting inactive memory pages, keeping more RAM available for caches and buffers. diff --git a/public/talos/v1.12/configure-your-talos-cluster/system-configuration/acquire.mdx b/public/talos/v1.12/configure-your-talos-cluster/system-configuration/acquire.mdx index 5558839d..20e5d067 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/system-configuration/acquire.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/system-configuration/acquire.mdx @@ -5,7 +5,7 @@ description: "How Talos Linux acquires its machine configuration." Talos Linux requires a [machine configuration](../../reference/configuration/overview) to operate. This configuration can be provided in several ways, depending on your deployment method and environment. -## Methods of Acquiring Machine Configuration +## Methods of acquiring machine configuration Talos checks for machine configuration in the following order: @@ -39,7 +39,7 @@ MAINTENANCE -->|incomplete config| MAINTENANCE When Talos is installed on a disk, it creates a `STATE` partition. This partition is used to store the machine configuration and other stateful data. During the boot process, Talos checks this partition for a valid configuration file. -### Platform Configuration +### Platform configuration For cloud and virtualized environments, Talos can acquire its configuration from platform-specific metadata services. This includes: 
@@ -51,17 +51,17 @@ For cloud and virtualized environments, Talos can acquire its configuration from For the `metal` platform, Talos can download machine configuration from a specified URL (kernel argument [`talos.config`](../../reference/kernel#talosconfig)). -### Kernel Arguments +### Kernel arguments Talos can also accept machine configuration documents directly via kernel arguments [`talos.config.early` and `talos.config.inline`](../../reference/kernel#talosconfigearly-and-talosconfiginline). This method is particularly useful for initial bootstrapping, e.g. specifying a custom set of [trusted CAs](../../security/certificate-authorities). -### Embedded Configuration +### Embedded configuration Talos supports embedding the machine configuration directly into the bootable image (ISO, USB, `installer`). This is done using the [Imager tool](../../platform-specific-installations/boot-assets#example-adding-embedded-machine-configuration-with-imager) When the system boots, it reads the embedded configuration. -### Maintenance Mode +### Maintenance mode As the last resort, if the machine configuration is still incomplete for a full boot, Talos will drop into [maintenance mode](./insecure). diff --git a/public/talos/v1.12/configure-your-talos-cluster/system-configuration/discovery.mdx b/public/talos/v1.12/configure-your-talos-cluster/system-configuration/discovery.mdx index 1fc484e0..f43217fb 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/system-configuration/discovery.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/system-configuration/discovery.mdx @@ -24,7 +24,7 @@ The advantage of the external registry service is that it is not dependent on et > Note: Kubernetes registry is deprecated as it is not compatible with Kubernetes 1.32 and later versions in the default configuration. -## Video Walkthrough +## Video walkthrough To see a live demo of Cluster Discovery, see the video below: 
@@ -67,7 +67,7 @@ In these cases, discovery can be disabled or replaced with a privately operated An enabled discovery service is required for [KubeSpan](../../networking/kubespan) to function. -### Kubernetes Registry +### Kubernetes registry The `Kubernetes` registry uses Kubernetes `Node` resource data and additional Talos annotations: @@ -84,7 +84,7 @@ Annotations: cluster.talos.dev/node-id: Utoh3O0ZneV0kT2IUBrh7TgdouRcUW2yz > The workaround is to disable the feature gate on the API server, but it's not recommended as it disables also other important security protections. > For this reason, the Kubernetes registry is deprecated and disabled by default. -### Discovery Service Registry +### Discovery service registry The `Service` registry by default uses a public external Discovery Service to exchange encrypted information about cluster members. @@ -113,7 +113,7 @@ The discovery service does not have the encryption key. The discovery service may, with a commercial license, be operated by your organization and can be [downloaded here](https://github.com/siderolabs/discovery-service). In order for nodes to communicate to the discovery service, they must be able to connect to it on TCP port 443. -## Resource Definitions +## Resource definitions Talos provides resources that can be used to introspect the discovery and KubeSpan features. diff --git a/public/talos/v1.12/configure-your-talos-cluster/system-configuration/editing-machine-configuration.mdx b/public/talos/v1.12/configure-your-talos-cluster/system-configuration/editing-machine-configuration.mdx index 82a58fb6..d55aeb4a 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/system-configuration/editing-machine-configuration.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/system-configuration/editing-machine-configuration.mdx 
@@ -1,5 +1,5 @@ --- -title: "Editing Machine Configuration" +title: "Edit Machine Configuration" description: "How to edit and patch Talos machine configuration, with reboot, immediately, or stage update on reboot." aliases: - ../../guides/editing-machine-configuration @@ -152,6 +152,6 @@ Patches can also be sourced from files using `file` (or `@file`) syntax: talosctl -n patch machineconfig -p kubelet-patch.json -p manifest-patch.json ``` -### Recovering from Node Boot Failures +### Recover from node boot failures If a Talos node fails to boot because of wrong configuration (for example, control plane endpoint is incorrect), configuration can be updated to fix the issue. diff --git a/public/talos/v1.12/configure-your-talos-cluster/system-configuration/insecure.mdx b/public/talos/v1.12/configure-your-talos-cluster/system-configuration/insecure.mdx index 83b8af53..301477a4 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/system-configuration/insecure.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/system-configuration/insecure.mdx @@ -16,7 +16,7 @@ However, when a node is in maintenance mode, it still serves the Talos API over In this case, the `--insecure` flag tells `talosctl` to skip verifying the server’s certificate, allowing the connection to proceed. -Only a small subset of Talos API commands support the --insecure flag, specifically those required for initial setup and maintenance operations. +Only a small subset of Talos API commands support the `--insecure` flag, specifically those required for initial setup and maintenance operations. However, once you've applied a machine config, you must stop using the `--insecure` flag for all subsequent operations. The node will now expect secure communication using certificates stored in a talosconfig file. 
@@ -24,7 +24,7 @@ The node will now expect secure communication using certificates stored in a tal **Note**: The `--insecure` flag is used in a different context by the `talosctl image cache-create` command. This command is not used for interacting with the Talos node, but for allowing access to insecure image registries that do not support TLS. -## Validating the Node Identity in `--insecure` Mode +## Validate the node identity in `--insecure` Mode When using `--insecure`, `talosctl` cannot automatically verify the identity of the remote node. However, Talos still provides a way to manually confirm that you are communicating with the intended machine. @@ -55,7 +55,7 @@ talosctl apply-config This allows you to confirm that the configuration is being applied to the intended node, even though full authentication has not yet been established. -## In Omni-Managed Clusters +## In Omni-managed clusters The `--insecure` flag works differently when you're using Omni to manage Talos clusters. @@ -67,9 +67,9 @@ So the SideroLink connection is the only way you can run commands against a node This architecture provides a unique security advantage because if a machine is managed by Omni, you cannot send configurations to it from another machine without authentication, even if they are on the same network. This is because the Talos machine does not listen on any general network interface and only communicates with Omni through the secure SideroLink tunnel. -## Supported Commands With the insecure Flag +## Supported commands with the insecure flag -The following commands can be used with the --insecure flag: +The following commands can be used with the `--insecure` flag: `talosctl apply-config` @@ -118,7 +118,7 @@ Erase data from disk partitions on a Talos node. Refer to the [CLI reference](../../reference/cli) for full CLI details. -## Usage Example +## Usage example Here is an example of how to use the `--insecure` flag in Talos: 
diff --git a/public/talos/v1.12/configure-your-talos-cluster/system-configuration/patching.mdx b/public/talos/v1.12/configure-your-talos-cluster/system-configuration/patching.mdx index 0af5298b..5acac37e 100644 --- a/public/talos/v1.12/configure-your-talos-cluster/system-configuration/patching.mdx +++ b/public/talos/v1.12/configure-your-talos-cluster/system-configuration/patching.mdx @@ -210,7 +210,7 @@ machine: - 192.168.10.0/24 ``` -### Admission control: Pod Security Policy +### Admission control: Pod security policy Base machine configuration: @@ -315,7 +315,7 @@ In addition to patching single-document machine configurations, Talos supports p -## Local Docker Cluster - -The easiest way to try Talos is by using the CLI (`talosctl`) to create a cluster on a machine with `docker` installed. - ### Prerequisites #### `talosctl` @@ -35,7 +33,7 @@ brew install siderolabs/tap/talosctl Download `kubectl` via one of the methods outlined in the [documentation](https://kubernetes.io/docs/tasks/tools/install-kubectl/). -### Create the Cluster +### Create the cluster Now run the following: @@ -67,7 +65,7 @@ talos-default-worker-1 Ready 115s v${k8s_release} 10.5.0 `} -### Destroy the Cluster +### Destroy the cluster When you are all done, remove the cluster: diff --git a/public/talos/v1.12/getting-started/support-matrix.mdx b/public/talos/v1.12/getting-started/support-matrix.mdx index cafcb1bd..797836eb 100644 --- a/public/talos/v1.12/getting-started/support-matrix.mdx +++ b/public/talos/v1.12/getting-started/support-matrix.mdx @@ -25,7 +25,7 @@ description: "Table of supported Talos Linux versions and respective platforms." | [CAPI Control Plane Provider Talos](https://github.com/siderolabs/cluster-api-control-plane-provider-talos) | >= 0.5.12 | >= 0.5.11 | | [Sidero](https://www.sidero.dev/) | >= 0.6.12 | >= 0.6.11 | -## Platform Tiers +## Platform tiers * Tier 1: Automated tests, high-priority fixes. * Tier 2: Tested from time to time, medium-priority bugfixes. 
diff --git a/public/talos/v1.12/getting-started/system-requirements.mdx b/public/talos/v1.12/getting-started/system-requirements.mdx index c8a04dc8..25596fc8 100644 --- a/public/talos/v1.12/getting-started/system-requirements.mdx +++ b/public/talos/v1.12/getting-started/system-requirements.mdx @@ -4,7 +4,7 @@ weight: 40 description: "Hardware requirements for running Talos Linux." --- -## Minimum Requirements +## Minimum requirements diff --git a/public/talos/v1.12/getting-started/what's-new-in-talos.mdx b/public/talos/v1.12/getting-started/what's-new-in-talos.mdx index f50d413d..0f02c861 100644 --- a/public/talos/v1.12/getting-started/what's-new-in-talos.mdx +++ b/public/talos/v1.12/getting-started/what's-new-in-talos.mdx @@ -6,9 +6,9 @@ description: "Discover the latest features and updates in Talos Linux 1.12." For critical changes, refer to the [upgrade notes](../configure-your-talos-cluster/lifecycle-management/upgrading-talos). -## Important Changes +## Important changes -### Network Configuration +### Network configuration Talos v1.12 introduces new [network configuration documents](../networking/configuration/overview). These changes follow the new ["multi-doc" configuration](https://github.com/siderolabs/talos/issues/10925) concept, and allow more granular machine configuration. @@ -37,7 +37,7 @@ This change **does not** affect KubeSpan configuration, which still resides unde The previous configuration ([machine.network](../../v1.11/reference/configuration/v1alpha1/config.mdx#network)) (with the exception of KubeSpan configuration) is now deprecated, but supported for backwards compatibility. -### New User Volume Types +### New user volume types The [UserVolumeConfig](../reference/configuration/block/uservolumeconfig) document has been extended with a new `volumeType` field to specify the type of user volume. 
@@ -62,9 +62,9 @@ When `volumeType` is set to `disk`: * Size-specific settings are not allowed in the provisioning block (`minSize`, `maxSize`, `grow`) -### Disk Encryption +### Disk encryption -#### TPM Encryption +#### TPM encryption Talos versions prior to v1.12 used PCR 7 state and signed policies locked to PCR 11 for TPM-based disk encryption. @@ -75,7 +75,7 @@ This change improves compatibility with systems that may have varying PCR 7 stat Signed PCR policies remain bound to PCR 11. You can view the currently used PCRs with the `talosctl get volumestatus -o yaml` command. -#### Device Mapper Names +#### Device mapper names Talos Linux now consistently provides mapped names for encrypted volumes in the format `/dev/mapper/luks2-`. This change should not affect system or user volumes but allows for easier identification of encrypted volumes, particularly raw encrypted volumes. @@ -86,7 +86,7 @@ The kernel log (`dmesg`) is now also available as the service log named `kernel` Talos now stores system component logs in `/var/log` with automatic log rotation, keeping the two most recent log files. This change enables collecting logs from Talos just like any other Linux system. -### GRUB Kernel Command Line +### GRUB kernel command line Talos Linux introduces a new machine configuration option, `.machine.install.grubUseUKICmdline`, to control whether GRUB should use the kernel command line provided by the boot assets (UKI) or the command line constructed by Talos itself (legacy behavior). 
@@ -95,12 +95,12 @@ For existing installations upgrading to v1.12, this option defaults to `false` t This change unifies the kernel command line across UEFI (`systemd-boot`) and BIOS (GRUB) boot modes. -### CRI Registry Configuration +### CRI registry configuration The CRI registry configuration in v1alpha1 legacy machine configuration under `.machine.registries` is now deprecated but remains supported for backward compatibility. New configuration documents — [RegistryMirrorConfig](../reference/configuration/cri/registrymirrorconfig), [RegistryAuthConfig](../reference/configuration/cri/registryauthconfig), and [RegistryTLSConfig](../reference/configuration/cri/registrytlsconfig)—should be used instead. -### Out of Memory (OOM) Handling +### Out of memory (OOM) handling Talos now includes a [userspace OOM handler](../configure-your-talos-cluster/system-configuration/oom), which automatically evicts workloads based on memory pressure. @@ -109,7 +109,7 @@ The OOM handler can be configured via the [OOMConfig](../reference/configuration ## Kubernetes -### API Server Cipher Suites +### API server cipher suites The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default. This aligns with the best practices documented in the CIS 1.12 benchmark. @@ -120,9 +120,9 @@ You can still expand the list of supported cipher suites via the `cluster.apiSer The etcd container image is now pulled from `registry.k8s.io/etcd` instead of `gcr.io/etcd-development/etcd`. -## Machine Configuration +## Machine configuration -### Ethernet Configuration +### Ethernet configuration The [Ethernet configuration](../reference/configuration/network/ethernetconfig) now includes a `wakeOnLAN` field to enable Wake-on-LAN (WOL) support. This field allows you to enable WOL and specify the desired WOL modes. 
@@ -137,24 +137,24 @@ Talos now ignores the following machine configuration fields: These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values listed above. -### Embedding Machine Configuration +### Embedding machine configuration Talos Linux now supports [embedding machine configuration](../configure-your-talos-cluster/system-configuration/acquire) directly into the boot image. ## Miscellaneous -### Extra Binaries +### Extra binaries Talos Linux now includes the `nft` binary in the rootfs to support CNIs that invoke the `nft` command. -### Talos Force Reboot +### Talos force reboot Talos now supports a "force" reboot mode, which allows you to skip graceful userland termination. This is useful when a userland service (e.g., the kubelet) becomes stuck during graceful shutdown, preventing the regular reboot flow from completing. Additionally, `talosctl` has been updated to support this feature via the `talosctl reboot --mode force` command. -### Kernel Module Signature Verification +### Kernel module signature verification Talos now supports optionally disabling kernel module signature verification by setting the `module.sig_enforce=0` kernel parameter. By default, kernel module signature verification is enabled (`module.sig_enforce=1`). @@ -162,7 +162,7 @@ When using Factory or Imager, supply the `-module.sig_enforce module.sig_enforce This change provides an easier way to load custom kernel modules, though it does reduce system security. -### Kernel Security Posture Profile (KSPP) +### Kernel security posture profile (KSPP) Talos now enables a stricter set of KSPP sysctl settings by default. You can view the list of overridden settings using the `talosctl get kernelparamstatus` command. 
@@ -182,13 +182,13 @@ Additionally, `talosctl image cache-create` has some changes: * comma-separated (`--platform=linux/amd64,linux/arm64`) * multiple instances (`--platform=linux/amd64 --platform=linux/arm64`) -### UEFI Boot +### UEFI boot When using UEFI boot with systemd-boot as the bootloader (on new Talos installations from version 1.10 onwards), Talos will no longer modify the UEFI boot order. Talos 1.11 introduced a fix to create a UEFI boot entry and set it as the first boot entry; however, this behavior caused issues on some systems. To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist and will not modify the boot order. -## Component Updates +## Component updates * Linux: 6.18.0 * Kubernetes: 1.35.0 diff --git a/public/talos/v1.12/learn-more/architecture.mdx b/public/talos/v1.12/learn-more/architecture.mdx index 8b008385..83a232ca 100644 --- a/public/talos/v1.12/learn-more/architecture.mdx +++ b/public/talos/v1.12/learn-more/architecture.mdx @@ -29,7 +29,7 @@ Talos uses these partitions with the following labels: 1. **STATE** - stores machine configuration, node identity data for cluster discovery and KubeSpan info 1. **EPHEMERAL** - stores ephemeral state information, mounted at `/var` -## The File System +## The file system One of the unique design decisions in Talos is the layout of the root file system. There are three "layers" to the Talos root file system. diff --git a/public/talos/v1.12/learn-more/control-plane.mdx b/public/talos/v1.12/learn-more/control-plane.mdx index 5c1fe371..8bcf980b 100644 --- a/public/talos/v1.12/learn-more/control-plane.mdx +++ b/public/talos/v1.12/learn-more/control-plane.mdx 
@@ -27,7 +27,7 @@ Talos nodes which have `.machine.type` of `controlplane` are control plane nodes Control plane nodes are tainted by default to prevent workloads from being scheduled onto them. This is both to protect the control plane from workloads consuming resources and starving the control plane processes, and also to reduce the risk of a vulnerability exposes the control plane's credentials to a workload. -## The Control Plane and Etcd +## The control plane and etcd A critical design concept of Kubernetes (and Talos) is the `etcd` database. @@ -64,7 +64,7 @@ A 5 node cluster can commit about 5% less writes per second than a 3 node cluste (This ensures that the failed node does not "vote" when adding in the new node, minimizing the chances of a quorum violation.) - If replacing a node that has not failed, add the new one, then remove the old. -## Bootstrapping the Control Plane +## Bootstrapping the control plane Every new cluster must be bootstrapped only once, which is achieved by telling a single control plane node to initiate the bootstrap. @@ -78,7 +78,7 @@ configuration option or unavailable container repository), if the bootstrap API call returns successfully, you do NOT need to bootstrap again: just fix the config or let Kubernetes retry. -### High-level Overview +### High-level overview Talos cluster bootstrap flow: @@ -90,7 +90,7 @@ Talos cluster bootstrap flow: 5. The `kubelet` registers the node in the API server. 6. Kubernetes control plane schedules pods on the nodes. -### Cluster Bootstrapping +### Cluster bootstrapping All nodes start the `kubelet` service. The `kubelet` tries to contact the control plane endpoint, but as it is not up yet, it keeps retrying. 
@@ -120,12 +120,12 @@ Each node now runs a full set of components to make the control plane HA. The `kubelet` service on worker nodes is now able to issue the client certificate and register itself with the API server. -### Scaling Up the Control Plane +### Scale up the control plane When new nodes are added to the control plane, the process is the same as the bootstrap process above: the `etcd` service discovers existing members of the control plane via the control plane endpoint, joins the `etcd` cluster, and the control plane components are scheduled on the node. -### Scaling Down the Control Plane +### Scale down the control plane Scaling down the control plane involves removing a node from the cluster. The most critical part is making sure that the node which is being removed leaves the etcd cluster. @@ -136,7 +136,7 @@ The recommended way to do this is to use: When using `talosctl reset` command, the targeted control plane node leaves the `etcd` cluster as part of the reset sequence, and its disks are erased. -### Upgrading Talos on Control Plane Nodes +### Upgrade Talos on control plane nodes When a control plane node is upgraded, Talos leaves `etcd`, wipes the system disk, installs a new version of itself, and reboots. The upgraded node then joins the `etcd` cluster on reboot. diff --git a/public/talos/v1.12/learn-more/controllers-resources.mdx b/public/talos/v1.12/learn-more/controllers-resources.mdx index 39a03f0c..dfb6d59e 100644 --- a/public/talos/v1.12/learn-more/controllers-resources.mdx +++ b/public/talos/v1.12/learn-more/controllers-resources.mdx 
@@ -38,7 +38,7 @@ A controller might also have additional inputs: running reconcile on schedule, w A controller has a single output: a set of resources of fixed type in a fixed namespace. Only one controller can manage resource type in the namespace, so conflicts are avoided. -## Querying Resources +## Querying resources Talos CLI tool `talosctl` provides read-only access to the resource API which includes getting specific resource, listing resources and watching for changes. @@ -120,7 +120,7 @@ Command `talosctl get` supports following output modes: * `json` prints same information as `yaml`, some additional details (e.g. comments) might be lost. This format is useful for automated processing with tools like `jq`. -### Watching Changes +### Watching changes If flag `--watch` is appended to the `talosctl get` command, the command switches to watch mode. If list of resources was requested, `talosctl` prints initial contents of the list and then appends resource information for every change: @@ -198,7 +198,7 @@ spec: ... ``` -## Inspecting Controller Dependencies +## Inspecting controller dependencies Talos can report current dependencies between controllers and resources for debugging purposes: diff --git a/public/talos/v1.12/learn-more/image-factory.mdx b/public/talos/v1.12/learn-more/image-factory.mdx index d95abd0d..edbd8407 100644 --- a/public/talos/v1.12/learn-more/image-factory.mdx +++ b/public/talos/v1.12/learn-more/image-factory.mdx @@ -117,7 +117,7 @@ The UI provides a way to list supported Talos Linux versions, list of system ext The UI operations are equivalent to API operations. -## Find Schematic ID from Talos Installation +## Find schematic ID from Talos installation Image Factory always appends "virtual" system extension with the version matching schematic ID used to generate the model. So, for any running Talos Linux instance the schematic ID can be found by looking at the list of system extensions: 
@@ -146,7 +146,7 @@ should be using the same schematic as the ISO/PXE boot image. Some system extensions are not available for all Talos Linux versions, so an attempt to generate a model with an unsupported system extension will fail. List of supported Talos versions and supported system extensions for each version is available in the [Image Factory UI](#ui) and [API](https://github.com/siderolabs/image-factory#readme). -## Under the Hood +## Under the hood Image Factory is based on the Talos `imager` container which provides both the Talos base boot assets, and the ability to generate custom assets based on a configuration. Image Factory manages a set of `imager` container images to acquire base Talos Linux boot assets (`kernel`, `initramfs`), a set of Talos Linux system extension images, and a set of schematics. @@ -169,7 +169,7 @@ Image Factory signs generated `installer` images, and verifies the signature of Image Factory does not provide a way to list all schematics, as schematics may contain sensitive information (e.g. private kernel boot arguments). As the schematic ID is content-addressable, it is not possible to guess the ID of a schematic without knowing the content of the schematic. -## Running your own Image Factory +## Running your own image factory Image Factory can be deployed on-premises to provide in-house asset generation. diff --git a/public/talos/v1.12/learn-more/kubespan.mdx b/public/talos/v1.12/learn-more/kubespan.mdx index 3cf2d1c3..360b12c5 100644 --- a/public/talos/v1.12/learn-more/kubespan.mdx +++ b/public/talos/v1.12/learn-more/kubespan.mdx @@ -4,7 +4,7 @@ weight: 100 description: "Understand more about KubeSpan for Talos Linux." --- -## WireGuard Peer Discovery +## WireGuard peer discovery The key pieces of information needed for WireGuard generally are: 
@@ -35,7 +35,7 @@ The Kubernetes-based system utilizes annotations on Kubernetes Nodes which descr On top of this, KubeSpan can optionally route Pod subnets. This is usually taken care of by the CNI, but there are many situations where the CNI fails to be able to do this itself, across networks. -## NAT, Multiple Routes, Multiple IPs +## NAT, multiple routes, multiple IPs One of the difficulties in communicating across networks is that there is often not a single address and port which can identify a connection for each node on the system. For instance, a node sitting on the same network might see its peer as `192.168.2.10`, but a node across the internet may see it as `2001:db8:1ef1::10`. @@ -46,7 +46,7 @@ WireGuard only allows us to select one at a time. KubeSpan implements a controller which continuously discovers and rotates these IP:port pairs until a connection is established. It then starts trying again if that connection ever fails. -## Packet Routing +## Packet routing After we have established a WireGuard connection, we have to make sure that the right packets get sent to the WireGuard interface. @@ -96,7 +96,7 @@ So in summary, we: This gives us an isolated, resilient, tolerant, and non-invasive way to route Kubernetes traffic safely, automatically, and transparently through WireGuard across almost any set of network topologies. -## Design Decisions +## Design decisions ### Routing @@ -149,7 +149,7 @@ So we have three components: 3. One IP Rule which sends packets marked with our firewall mark to our Wireguard routing table. -### Routing Table +### Routing table The routing table (number 180 by default) is simple, containing a single route for each family: send everything through the Wireguard interface. 
@@ -180,7 +180,7 @@ These rules say the same thing for each: if the packet is marked that it should go _to_ Wireguard, send it to the Wireguard routing table. -### Firewall Mark +### Firewall mark KubeSpan is using only two bits of the firewall mark with the mask `0x00000060`. diff --git a/public/talos/v1.12/learn-more/networking-resources.mdx b/public/talos/v1.12/learn-more/networking-resources.mdx index 4be3fb37..fed58527 100644 --- a/public/talos/v1.12/learn-more/networking-resources.mdx +++ b/public/talos/v1.12/learn-more/networking-resources.mdx @@ -43,7 +43,7 @@ Status resources have aliases with the `Status` suffix removed, so for example Talos networking controllers reconcile the state so that `*Status` equals the desired `*Spec`. -## Observing State +## Observing state The current network configuration state can be observed by querying `*Status` resources via `talosctl`: @@ -132,7 +132,7 @@ spec: duplex: Unknown ``` -## Inspecting Configuration +## Inspecting configuration The desired networking configuration is combined from multiple sources and presented as `*Spec` resources: @@ -178,7 +178,7 @@ spec: An important field is the `layer` field, which describes a configuration layer this spec is coming from: in this case, it's generated by a network operator (see below) and is set by the DHCPv4 operator. -## Configuration Merging +## Configuration merging Spec resources described in the previous section show the final merged configuration state, while initial specs are put to a different unmerged namespace `network-config`. @@ -276,7 +276,7 @@ is stable but not defined (e.g. if DHCP on multiple interfaces provides two diff `LinkSpecs` are merged across layers, so for example, machine configuration for the interface MTU overrides an MTU set by the DHCP server. -## Network Operators +## Network operators Network operators provide dynamic network configuration which can change over time as the node is running: 
@@ -321,7 +321,7 @@ NODE NAMESPACE TYPE ID VERS 172.20.0.2 network-config AddressSpec dhcp4/eth0/eth0/172.20.0.2/24 1 ``` -## Other Network Resources +## Other network resources There are some additional resources describing the network subsystem state. @@ -372,7 +372,7 @@ spec: etcFilesReady: true ``` -## Network Controllers +## Network controllers For each of the six basic resource types, there are several controllers: @@ -386,7 +386,7 @@ For the network operators: * `OperatorConfigController` produces `OperatorSpec` resources based on machine configuration and deafauls. * `OperatorSpecController` runs network operators watching `OperatorSpec` resources and producing various `*Spec` resources in the `network-config` namespace. -## Configuration Sources +## Configuration sources There are several configuration sources for the network configuration, which are described in this section. @@ -420,13 +420,13 @@ Platform configuration is cached across reboots in `/system/state/platform-netwo Network operators provide configuration for all basic resource types. -### Machine Configuration +### Machine configuration The machine configuration is parsed for link configuration, addresses, routes, hostname, resolvers and time servers. Any changes to `.machine.network` configuration can be applied in immediate mode. -## Network Configuration Debugging +## Network configuration debugging Most of the network controller operations and failures are logged to the kernel console, additional logs with `debug` level are available with `talosctl logs controller-runtime` command. diff --git a/public/talos/v1.12/learn-more/philosophy.mdx b/public/talos/v1.12/learn-more/philosophy.mdx index 41a72c77..dd68f018 100644 --- a/public/talos/v1.12/learn-more/philosophy.mdx +++ b/public/talos/v1.12/learn-more/philosophy.mdx 
@@ -86,7 +86,7 @@ There is no `systemd` on our system. There are no GNU utilities, no shell, no SSH, no packages, nothing you could associate with any other distribution. -## An Operating System designed for Kubernetes +## An operating system designed for Kubernetes Technically, Talos Linux installs to a computer like any other operating system. _Unlike_ other operating systems, Talos is not meant to run alone, on a diff --git a/public/talos/v1.12/learn-more/talos-network-connectivity.mdx b/public/talos/v1.12/learn-more/talos-network-connectivity.mdx index 151df33d..c32bff24 100644 --- a/public/talos/v1.12/learn-more/talos-network-connectivity.mdx +++ b/public/talos/v1.12/learn-more/talos-network-connectivity.mdx @@ -6,7 +6,7 @@ aliases: - ../guides/configuring-network-connectivity --- -## Configuring Network Connectivity +## Configuring network connectivity The simplest way to deploy Talos is by ensuring that all the remote components of the system (`talosctl`, the control plane nodes, and worker nodes) all have layer 2 connectivity. This is not always possible, however, so this page lays out the minimal network access that is required to configure and operate a talos cluster. diff --git a/public/talos/v1.12/learn-more/talosctl.mdx b/public/talos/v1.12/learn-more/talosctl.mdx index 67d904f5..c3a23a07 100644 --- a/public/talos/v1.12/learn-more/talosctl.mdx +++ b/public/talos/v1.12/learn-more/talosctl.mdx 
@@ -7,13 +7,13 @@ description: "The design and use of the Talos Linux control application." The `talosctl` tool acts as a reference implementation for the Talos API, but it also handles a lot of conveniences for the use of Talos and its clusters. -### Video Walkthrough +### Video walkthrough To see some live examples of talosctl usage, view the following video: -## Client Configuration +## Client configuration Talosctl configuration is located in `$HOME/.talos/config`. The location can always be overridden by the `TALOSCONFIG` environment variable or the `--talosconfig` parameter. @@ -24,7 +24,7 @@ The default operation is a non-destructive merge, where if a context of the same You can easily overwrite instead, as well. See the `talosctl config help` for more information. -## Endpoints and Nodes +## Endpoints and nodes ![Endpoints and Nodes](./images/talosctl-endpoints-and-nodes.png) diff --git a/public/talos/v1.12/networking/advanced/ethernet-config.mdx b/public/talos/v1.12/networking/advanced/ethernet-config.mdx index 3895c8fc..55bfc61e 100644 --- a/public/talos/v1.12/networking/advanced/ethernet-config.mdx +++ b/public/talos/v1.12/networking/advanced/ethernet-config.mdx @@ -6,7 +6,7 @@ description: "How to configure Ethernet network link settings." Talos Linux allows you to configure Ethernet network link settings, such as ring configuration or disabling TCP checksum offloading. The settings and their values closely follow `ethtool` command line options, so you can use similar recipes. -## Observing Current Status +## Observing current status You can observe current Ethernet settings in the `EthernetStatus` resource: 
@@ -105,7 +105,7 @@ features: For rings and channels configuration, values can be increased if they do not exceed the maximum supported by the network card (the maximum values are reported in the status with `-max` suffix). -### Enable Wake-on-LAN Support +### Enable Wake-on-LAN support Starting with 1.12, Talos Linux now supports configuring Wake-on-LAN (WOL) directly in the Ethernet configuration. @@ -123,7 +123,7 @@ wakeOnLan: modes: ["magic", "unicast"] ``` -#### Supported Modes +#### Supported modes Supported WOL modes depend on the NIC and driver, but common values include: diff --git a/public/talos/v1.12/networking/advanced/vip.mdx b/public/talos/v1.12/networking/advanced/vip.mdx index 125fed72..7365e699 100644 --- a/public/talos/v1.12/networking/advanced/vip.mdx +++ b/public/talos/v1.12/networking/advanced/vip.mdx @@ -26,13 +26,13 @@ Note that the virtual IP election depends on `etcd` being up, as Talos uses `etc The virtual IP is not restricted by ports - you can access any port that the control plane nodes are listening on, on that IP address. Thus it *is* possible to access the Talos API over the VIP, but it is *not recommended*, as you cannot access the VIP when etcd is down - and then you could not access the Talos API to recover etcd. -## Video Walkthrough +## Video walkthrough To see a live demo of this writeup, see the video below: -## Choose your Shared IP +## Choose your shared IP The Virtual IP should be a reserved, unused IP address in the same subnet as your controlplane nodes. @@ -49,7 +49,7 @@ We then choose our shared IP to be: - `192.168.0.15` -## Configure your Talos Machines +## Configure your Talos machines The shared IP setting is only valid for controlplane nodes. 
@@ -71,7 +71,7 @@ alive until after you have bootstrapped Kubernetes. Don't use the VIP as the `endpoint` in the `talosconfig`, as the VIP is bound to `etcd` and `kube-apiserver` health, and you will not be able to recover from a failure of either of those components using Talos API. -## VIP Failover Behavior +## VIP failover behavior When the control plane node holding the VIP shuts down gracefully, the address is reassigned almost instantly, ensuring uninterrupted access. @@ -83,7 +83,7 @@ The delay ensures that a temporary network hiccup or brief pause in communicatio By waiting out the election timeout before reassigning the VIP, Talos guarantees that only one node will advertise the shared IP, even if it means failover is slower in sudden failure scenarios. -### Impact on Workloads +### Impact on workloads A VIP failover impacts only external access to the cluster, such as when you run `kubectl` against the API server. diff --git a/public/talos/v1.12/networking/configuration/dynamic.mdx b/public/talos/v1.12/networking/configuration/dynamic.mdx index da146709..fa6f169e 100644 --- a/public/talos/v1.12/networking/configuration/dynamic.mdx +++ b/public/talos/v1.12/networking/configuration/dynamic.mdx @@ -11,7 +11,7 @@ DHCP client can be enabled on physical and logical links (bridges, bonds, VLANs) There are two DHCP versions supported in Talos Linux: DHCPv4 and DHCPv6. -## DHCPv4 Configuration +## DHCPv4 configuration To enable DHCPv4 on a physical link, create a [DHCPv4Config](../../reference/configuration/network/dhcpv4config) configuration document with the name of the link: 
@@ -30,7 +30,7 @@ Additional settings can be configured: * `duid`: use a DUID (DHCP Unique Identifier) as the client identifier, requires `duidRaw` field to be set. * `off`: disable the client identifier. -## DHCPv6 Configuration +## DHCPv6 configuration To enable DHCPv6 on a physical link, create a [DHCPv6Config](../../reference/configuration/network/dhcpv6config) configuration document with the name of the link: @@ -42,7 +42,7 @@ name: enp0s3 Additional settings are identical to DHCPv4. -## Observing Status +## Observing status Use `talosctl` to get the list of all configured operators (which includes DHCP clients): diff --git a/public/talos/v1.12/networking/configuration/hostname.mdx b/public/talos/v1.12/networking/configuration/hostname.mdx index a92f9dd1..94b9a2d2 100644 --- a/public/talos/v1.12/networking/configuration/hostname.mdx +++ b/public/talos/v1.12/networking/configuration/hostname.mdx @@ -38,7 +38,7 @@ hostname: my-custom-hostname auto: off ``` -## Observing Status +## Observing status Use `talosctl` to get the current hostname of a node: diff --git a/public/talos/v1.12/networking/configuration/physical.mdx b/public/talos/v1.12/networking/configuration/physical.mdx index 51d2333a..aad4a69e 100644 --- a/public/talos/v1.12/networking/configuration/physical.mdx +++ b/public/talos/v1.12/networking/configuration/physical.mdx @@ -40,7 +40,7 @@ up: true For low-level control over physical link properties, such as offloading features, refer to the [Ethernet configuration](./../advanced/ethernet-config) documentation. -## Observing Status +## Observing status Use `talosctl` to observe the status of all links: diff --git a/public/talos/v1.12/networking/configuration/resolvers.mdx b/public/talos/v1.12/networking/configuration/resolvers.mdx index ca3ae1db..374bf423 100644 --- a/public/talos/v1.12/networking/configuration/resolvers.mdx +++ b/public/talos/v1.12/networking/configuration/resolvers.mdx 
@@ -30,7 +30,7 @@ The `disableDefault` field, when set to `true`, prevents Talos from using the de See [Host DNS](../host-dns) for more information about DNS resolution in Talos. -## Observing Status +## Observing status Use `talosctl` to get the current resolver configuration of a node: diff --git a/public/talos/v1.12/networking/configuration/static.mdx b/public/talos/v1.12/networking/configuration/static.mdx index 64a49b63..07f06544 100644 --- a/public/talos/v1.12/networking/configuration/static.mdx +++ b/public/talos/v1.12/networking/configuration/static.mdx @@ -84,7 +84,7 @@ routes: - gateway: 192.168.1.1 ``` -## Observing Status +## Observing status You can observe the status of addresses and routes using `talosctl`: diff --git a/public/talos/v1.12/networking/configuration/time.mdx b/public/talos/v1.12/networking/configuration/time.mdx index 981c0ab0..255e9af4 100644 --- a/public/talos/v1.12/networking/configuration/time.mdx +++ b/public/talos/v1.12/networking/configuration/time.mdx @@ -20,7 +20,7 @@ ntp: See [Time Sync](../../configure-your-talos-cluster/system-configuration/time-sync) for more details about time synchronization in Talos Linux. -## Observing Status +## Observing status Use `talosctl` to get the current time synchronization configuration of a node: diff --git a/public/talos/v1.12/networking/corporate-proxies.mdx b/public/talos/v1.12/networking/corporate-proxies.mdx index 3879aacf..3bc6cd02 100644 --- a/public/talos/v1.12/networking/corporate-proxies.mdx +++ b/public/talos/v1.12/networking/corporate-proxies.mdx 
@@ -5,11 +5,11 @@ aliases: - ../../guides/configuring-corporate-proxies --- -## Appending the Certificate Authority of MITM Proxies +## Appending the certificate authority of MITM proxies See [Custom Certificate Authorities](../security/certificate-authorities) to append the CA certificate of your corporate proxy to the trusted store. -## Configuring a Machine to Use the Proxy +## Configuring a machine to use the proxy To make use of a proxy: diff --git a/public/talos/v1.12/networking/host-dns.mdx b/public/talos/v1.12/networking/host-dns.mdx index e2534a0b..560beb44 100644 --- a/public/talos/v1.12/networking/host-dns.mdx +++ b/public/talos/v1.12/networking/host-dns.mdx @@ -8,7 +8,7 @@ import { release_v1_12 } from '/snippets/custom-variables.mdx'; Talos Linux starting with 1.7.0 provides a caching DNS resolver for host workloads (including host networking pods). Host DNS resolver is enabled by default for clusters created with Talos 1.7, and it can be enabled manually on upgrade. -## Enabling Host DNS +## Enabling host DNS Use the following machine configuration patch to enable host DNS resolver: @@ -57,7 +57,7 @@ NODE NAMESPACE TYPE ID VERSION HEALTHY ADDRESS 172.20.0.2 network DNSUpstream 8.8.8.8 1 true 8.8.8.8:53 ``` -## Forwarding `kube-dns` to Host DNS +## Forwarding `kube-dns` to host DNS > Note: This feature is enabled by default for new clusters created with Talos 1.8.0 and later. 
@@ -79,7 +79,7 @@ This configuration should be applied to all nodes in the cluster, if applied aft When `forwardKubeDNSToHost` is enabled, Talos Linux allocates IP address `169.254.116.108` for the host DNS server, and `kube-dns` service is configured to use this IP address as the upstream DNS server: This way `kube-dns` service forwards all DNS requests to the host DNS server, and the cache is shared between the host and `kube-dns`. -## Resolving Talos Cluster Member Names +## Resolving Talos cluster member names Host DNS can be configured to resolve Talos cluster member names to IP addresses, so that the host can communicate with the cluster members by name. Sometimes machine hostnames are already resolvable by the upstream DNS, but this might not always be the case. diff --git a/public/talos/v1.12/networking/ingress-firewall.mdx b/public/talos/v1.12/networking/ingress-firewall.mdx index dbabe9c5..bdccc445 100644 --- a/public/talos/v1.12/networking/ingress-firewall.mdx +++ b/public/talos/v1.12/networking/ingress-firewall.mdx @@ -67,7 +67,7 @@ The `ingress` specifies the list of subnets that are allowed to access the host > Note: incorrect configuration of the ingress firewall might result in the host becoming inaccessible over Talos API. > It is recommended that the configuration be [applied](../configure-your-talos-cluster/system-configuration/editing-machine-configuration) in `--mode=try` to ensure it is reverted in case of a mistake. -## Recommended Rules +## Recommended rules The following rules improve the security of the cluster and cover only standard Talos services. If there are additional services running with host networking in the cluster, they should be covered by additional rules. 
@@ -86,7 +86,7 @@ In the examples we assume the following template variables to describe the clust * `$CP1`, `$CP2`, `$CP3` - the IP addresses of the controlplane nodes * `$VXLAN_PORT` - the UDP port used by the CNI for encapsulated traffic -### Controlplane +### Control plane In this example Ingress policy: @@ -204,7 +204,7 @@ ingress: - subnet: $CLUSTER_SUBNET ``` -## Learn More +## Learn more Talos Linux Ingress Firewall uses `nftables` to perform the filtering. diff --git a/public/talos/v1.12/networking/kubespan.mdx b/public/talos/v1.12/networking/kubespan.mdx index 083a1a22..28e5f26e 100644 --- a/public/talos/v1.12/networking/kubespan.mdx +++ b/public/talos/v1.12/networking/kubespan.mdx @@ -12,7 +12,7 @@ Management of keys and discovery of peers can be completely automated, making it KubeSpan consists of client code in Talos Linux, as well as a [discovery service](../configure-your-talos-cluster/system-configuration/discovery) that enables clients to securely find each other. Sidero Labs operates a free Discovery Service, but the discovery service may, with a commercial license, be operated by your organization and can be [downloaded here](https://github.com/siderolabs/discovery-service). -## Video Walkthrough +## Video walkthrough To see a live demo of KubeSpan, see one the videos below: @@ -20,7 +20,7 @@ To see a live demo of KubeSpan, see one the videos below: -## Network Requirements +## Network requirements KubeSpan uses **UDP port 51820** to carry all KubeSpan encrypted traffic. Because UDP traversal of firewalls is often lenient, and the Discovery Service communicates the apparent IP address of all peers to all other peers, KubeSpan will often work automatically, even when each nodes is behind their own firewall. 
@@ -37,7 +37,7 @@ Note that if workers are in different locations, behind different firewalls, the ## Caveats -### Kubernetes API Endpoint Limitations +### Kubernetes API endpoint limitations When the K8s endpoint is an IP address that is **not** part of Kubespan, but is an address that is forwarded on to the Kubespan address of a control plane node, without changing the source address, then worker nodes will fail to join the cluster. In such a case, the control plane node has no way to determine whether the packet arrived on the private Kubespan address, or the public IP address. @@ -47,7 +47,7 @@ This situation is seen, for example, when the Kubernetes API endpoint is the pub The control plane will receive packets on the public IP, but will reply from it's KubeSpan address. The workaround is to create a load balancer to terminate the Kubernetes API endpoint. -### Digital Ocean Limitations +### Digital ocean limitations Digital Ocean assigns an "Anchor IP" address to each droplet. Talos Linux correctly identifies this as a link-local address, and configures KubeSpan correctly, but this address will often be selected by Flannel or other CNIs as a node's private IP. @@ -59,13 +59,13 @@ This can be worked-around by assigning a non-Anchor private IP: Then restarting flannel: `kubectl delete pods -n kube-system -l k8s-app=flannel` -### Host Port Limitations +### Host port limitations As mentioned in Network Requirements, Kubespan uses **UDP port 51820** to carry all KubeSpan encrypted traffic. For clusters that make heavy use of host ports for Kubernetes pods, care should be taken to ensure that this port is not given to these pods. Failure to do so can result in a pod being assigned the 51820 port and conflicting with Kubespan traffic. -### Cilium Compatibility Limitations +### Cilium compatibility limitations KubeSpan and [Cilium](https://cilium.io) can generally be used together. However, some advanced Cilium configurations are **not compatible** with KubeSpan. 
@@ -88,7 +88,7 @@ We recommend the following workarounds: ## Enabling -### Creating a New Cluster +### Creating a new cluster To enable KubeSpan for a new cluster, we can use the `--with-kubespan` flag in `talosctl gen config`. This will enable peer discovery and KubeSpan. @@ -111,7 +111,7 @@ cluster: > The default discovery service is an external service hosted by Sidero Labs at `https://discovery.talos.dev/`. > Contact Sidero Labs if you need to run this service privately. -### Enabling for an Existing Cluster +### Enabling for an existing cluster In order to enable KubeSpan on an existing cluster, enable `kubespan` and `discovery` settings in the machine config for each machine in the cluster (`discovery` is enabled by default): @@ -170,7 +170,7 @@ extraAnnouncedEndpoints: - 192.168.101.3:61033 ``` -## Resource Definitions +## Resource definitions ### KubeSpanIdentities diff --git a/public/talos/v1.12/networking/predictable-interface-names.mdx b/public/talos/v1.12/networking/predictable-interface-names.mdx index 2de69907..75bd6c3d 100644 --- a/public/talos/v1.12/networking/predictable-interface-names.mdx +++ b/public/talos/v1.12/networking/predictable-interface-names.mdx @@ -19,7 +19,7 @@ The predictable network interface names features can be disabled by specifying ` "Cloud" platforms, like AWS, still use old `eth0` naming scheme as Talos automatically adds `net.ifnames=0` to the kernel command line. -## Single Network Interface +## Single network interface When running Talos on a machine with a single network interface, predictable interface names might be confusing, as it might come up as `enxSOMETHING` which is hard to address. There are two ways to solve this: diff --git a/public/talos/v1.12/networking/siderolink.mdx b/public/talos/v1.12/networking/siderolink.mdx index e945c27f..8289ba48 100644 --- a/public/talos/v1.12/networking/siderolink.mdx +++ b/public/talos/v1.12/networking/siderolink.mdx 
@@ -20,7 +20,7 @@ The SideroLink API URL format is: `https://siderolink.api/?jointoken=token&grpc_ This is useful in environments where UDP traffic is restricted but adds significant overhead to SideroLink communication, enable this only if necessary. Note that the SideroLink API server might ignore this hint, and the connection might use gRPC tunneling regardless of the setting. -## Connection Flow +## Connection flow 1. Talos Linux generates an ephemeral Wireguard key. 2. Talos Linux establishes a gRPC connection to the SideroLink API server, sending its Wireguard public key, join token, and other connection settings. diff --git a/public/talos/v1.12/overview/what-is-talos.mdx b/public/talos/v1.12/overview/what-is-talos.mdx index c5774f01..bf3b21b0 100644 --- a/public/talos/v1.12/overview/what-is-talos.mdx +++ b/public/talos/v1.12/overview/what-is-talos.mdx @@ -31,7 +31,7 @@ For these reasons, Talos has a number of features unique to it: Talos can be deployed anywhere you can run a modern Linux kernel. -## API Managed +## API managed Talos is managed by a single, declarative gRPC API. This is the most unique thing about Talos and something Talos users love. diff --git a/public/talos/v1.12/platform-specific-installations/air-gapped.mdx b/public/talos/v1.12/platform-specific-installations/air-gapped.mdx index c9c5485b..da9b4924 100644 --- a/public/talos/v1.12/platform-specific-installations/air-gapped.mdx +++ b/public/talos/v1.12/platform-specific-installations/air-gapped.mdx 
@@ -18,12 +18,12 @@ In this guide, we will assume that the environment is completely air-gapped, wit If there is partial connectivity, most of the requirements can be addresses via [pull-through cache](../configure-your-talos-cluster/images-container-runtime/pull-through-cache) and HTTP proxy configuration. -## Network Configuration +## Network configuration Network configuration in air-gapped environments might require custom settings for DNS and NTP servers. If running in a virtual environment, the hypervisor might provide time synchronization via [PTP interface](../configure-your-talos-cluster/system-configuration/time-sync) which doesn't require network access. -## Container Images +## Container images Talos Linux provides support for redirecting image pull requests to internal registries via [registry mirrors](../configure-your-talos-cluster/images-container-runtime/pull-through-cache) feature. This feature can be used to redirect all image pull requests to an internal registry which is pre-populated with required images. @@ -32,9 +32,9 @@ See the section on [airgapped registry](../configure-your-talos-cluster/images-c ## Image Factory -See the [guide on running Image Factory in air-gapped environments](../../../omni/infrastructure-and-extensions/self-hosted/deploy-image-factory-on-prem) for more details. +See the [guide on running Image Factory in air-gapped environments](../../../omni/self-hosted/deploy-image-factory-on-prem) for more details. -## Discovery Service +## Discovery service Talos Linux by default uses the public Discovery Service at `discovery.talos.dev` to facilitate cluster bootstrapping and node discovery. In air-gapped environments, it is recommended to run a self-hosted instance of the Discovery Service (requires a license from Sidero Labs). 
diff --git a/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/bootloader.mdx b/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/bootloader.mdx index 675143af..2fd196f8 100644 --- a/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/bootloader.mdx +++ b/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/bootloader.mdx @@ -56,7 +56,7 @@ Partition layout for GRUB: With GRUB, kernel arguments are stored in the GRUB configuration file. The `.machine.install.extraKernelArgs` field in the machine configuration can be used to modify these arguments, followed by an upgrade. -### Controlling Kernel Command Line Behavior +### Controlling kernel command line behavior Starting from Talos v1.12, you can control how GRUB determines the kernel command line using the `.machine.install.grubUseUKICmdline` machine configuration option. diff --git a/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/equinix-metal.mdx b/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/equinix-metal.mdx index fddea33a..f70c88d3 100644 --- a/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/equinix-metal.mdx +++ b/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/equinix-metal.mdx @@ -18,7 +18,7 @@ Regardless of the method, the process is: * Configure your Kubernetes endpoint to point to the newly created control plane nodes. * Bootstrap the cluster. -## Define the Kubernetes Endpoint +## Define the Kubernetes endpoint There are a variety of ways to create an HA endpoint for the Kubernetes cluster. Some of the ways are: 
@@ -31,9 +31,9 @@ Whatever way is chosen, it should result in an IP address/DNS name that routes t We do not know the control plane node IP addresses at this stage, but we should define the endpoint DNS entry so that we can use it in creating the cluster configuration. After the nodes are provisioned, we can use their addresses to create the endpoint A records, or bind them to the load balancer, etc. -## Create the Machine Configuration Files +## Create the machine configuration files -### Generating Configurations +### Generating configurations Using the DNS name of the loadbalancer defined above, generate the base configuration files for the Talos machines: @@ -46,7 +46,7 @@ created talosconfig > The `port` used above should be 6443, unless your load balancer maps a different port to port 6443 on the control plane nodes. -### Validate the Configuration Files +### Validate the configuration files ```bash talosctl validate --config controlplane.yaml --mode metal @@ -56,7 +56,7 @@ talosctl validate --config worker.yaml --mode metal > Note: Validation of the install disk could potentially fail as validation > is performed on your local machine and the specified disk may not exist. -### Passing in the configuration as User Data +### Passing in the configuration as user data You can use the metadata service provide by Equinix Metal to pass in the machines configuration. It is required to add a shebang to the top of the configuration file. @@ -89,7 +89,7 @@ If you did not pass in the machine configuration as User Data, you need to provi `talosctl apply-config --insecure --nodes --file ./controlplane.yaml` -### Creating a Cluster via the Equinix Metal CLI +### Creating a cluster via the Equinix Metal CLI This guide assumes the user has a working API token,and the [Equinix Metal CLI](https://github.com/equinix/metal-cli/) installed. 
@@ -126,7 +126,7 @@ endpoint.mydomain.com has address 147.75.109.71 endpoint.mydomain.com has address 145.40.90.177 ``` -## Bootstrap Etcd +## Bootstrap etcd Set the `endpoints` and `nodes` for `talosctl`: diff --git a/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/matchbox.mdx b/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/matchbox.mdx index db7fc90c..16b46858 100644 --- a/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/matchbox.mdx +++ b/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/matchbox.mdx @@ -5,7 +5,7 @@ aliases: - ../../../bare-metal-platforms/matchbox --- -## Creating a Cluster +## Creating a cluster In this guide we will create an HA Kubernetes cluster with 3 worker nodes. We assume an existing load balancer, matchbox deployment, and some familiarity with iPXE. @@ -13,9 +13,9 @@ We assume an existing load balancer, matchbox deployment, and some familiarity w We leave it up to the user to decide if they would like to use static networking, or DHCP. The setup and configuration of DHCP will not be covered. -### Create the Machine Configuration Files +### Create the machine configuration files -#### Generating Base Configurations +#### Generating base configurations Using the DNS name of the load balancer, generate the base configuration files for the Talos machines: @@ -29,7 +29,7 @@ created talosconfig At this point, you can modify the generated configs to your liking. Optionally, you can specify [machine configuration patches](../../configure-your-talos-cluster/system-configuration/patching#configuration-patching-with-talosctl-cli) which will be applied during the config generation. -#### Validate the Configuration Files +#### Validate the configuration files ```bash $ talosctl validate --config controlplane.yaml --mode metal 
@@ -38,21 +38,21 @@ $ talosctl validate --config worker.yaml --mode metal worker.yaml is valid for metal mode ``` -#### Publishing the Machine Configuration Files +#### Publishing the machine configuration files In bare-metal setups it is up to the user to provide the configuration files over HTTP(S). A special kernel parameter (`talos.config`) must be used to inform Talos about _where_ it should retrieve its configuration file. To keep things simple we will place `controlplane.yaml`, and `worker.yaml` into Matchbox's `assets` directory. This directory is automatically served by Matchbox. -### Create the Matchbox Configuration Files +### Create the Matchbox configuration files The profiles we will create will reference `vmlinuz`, and `initramfs.xz`. Download these files from the [release](https://github.com/siderolabs/talos/releases) of your choice, and place them in `/var/lib/matchbox/assets`. #### Profiles -##### Control Plane Nodes +##### Control plane nodes ```json { @@ -77,7 +77,7 @@ Download these files from the [release](https://github.com/siderolabs/talos/rele > Note: Be sure to change `http://matchbox.talos.dev` to the endpoint of your matchbox server. -##### Worker Nodes +##### Worker nodes ```json { @@ -145,12 +145,12 @@ Now, create the following groups, and ensure that the `selector`s are accurate f } ``` -### Boot the Machines +### Boot the machines Now that we have our configuration files in place, boot all the machines. Talos will come up on each machine, grab its configuration file, and bootstrap itself. -### Bootstrap Etcd +### Bootstrap etcd Set the `endpoints` and `nodes`: diff --git a/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx b/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx index 439bb558..a47438fe 100644 --- a/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx 
+++ b/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx @@ -27,7 +27,7 @@ Talos starting with version 1.4.0 offers a new option to configure networking on Talos [dashboard](../../deploy-and-manage-workloads/interactive-dashboard) provides a way to configure `META`-based network configuration for a machine using the console, but it doesn't support all kinds of network configuration. -## Network Configuration Format +## Network configuration format Talos `META`-based network configuration is a YAML file with the following format: @@ -362,7 +362,7 @@ timeServers: If the `timeServers:` is not set, Talos will use default NTP servers. -## Supplying `META` Network Configuration +## Supplying `META` network configuration Once the network configuration YAML document is ready, it can be supplied to Talos in one of the following ways: @@ -376,7 +376,7 @@ In this guide we will assume that the prepared network configuration is stored i > Note: as JSON is a subset of YAML, the network configuration can be also supplied as a JSON document. -### Supplying Network Configuration to a Running Talos Machine +### Supplying network configuration to a running Talos machine Use the `talosctl` to write a network configuration to a running Talos machine: @@ -384,7 +384,7 @@ Use the `talosctl` to write a network configuration to a running Talos machine: talosctl meta write 0xa "$(cat network.yaml)" ``` -### Supplying Network Configuration to a Talos Disk Image +### Supplying network configuration to a Talos disk image Following the [boot assets](../../platform-specific-installations/boot-assets) guide, create a disk image passing the network configuration as a `--meta` flag: 
@@ -394,7 +394,7 @@ docker run --rm -t -v $PWD/_out:/out -v /dev:/dev --privileged ghcr.io/siderolab `} -### Supplying Network Configuration to a Talos ISO/PXE Boot +### Supplying network configuration to a Talos ISO/PXE boot As there is no `META` partition created yet before Talos Linux is installed, `META` values can be set as an environment variable `INSTALLER_META_BASE64` passed to the initial boot of Talos. The supplied value will be used immediately, and also it will be written to the `META` partition once Talos is installed. @@ -417,7 +417,7 @@ echo -n "0xa=$(cat network.yaml)" | gzip -9 | base64 The resulting base64 string should be passed as an environment variable `INSTALLER_META_BASE64` to the initial boot of Talos: `talos.environment=INSTALLER_META_BASE64=`. -### Getting Current `META` Network Configuration +### Getting current `META` network configuration Talos exports `META` keys as resources: diff --git a/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/network-config.mdx b/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/network-config.mdx index 43d79539..b04ea992 100644 --- a/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/network-config.mdx +++ b/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/network-config.mdx @@ -13,7 +13,7 @@ In this case, the recommended way is to embed the machine configuration into the If machine configuration embedding is not possible, Talos provides several ways to configure network on bare-metal platforms before the machine configuration is fetched. -## Kernel Command Line +## Kernel command line Talos supports some kernel command line parameters to configure network before the machine configuration is fetched. 
@@ -39,7 +39,7 @@ vlan=eth0.100:eth0 See [kernel parameters reference](../../reference/kernel) for more details. -## Platform Network Configuration +## Platform network configuration Some platforms (e.g. AWS, Google Cloud, etc.) have their own network configuration mechanisms, which can be used to perform the initial network configuration. There is no such mechanism for bare-metal platforms, so Talos provides a way to use platform network config on the `metal` platform to submit the initial network configuration. @@ -72,7 +72,7 @@ docker run --rm -i --privileged ghcr.io/siderolabs/imager:${release_v1_12} image The platform network configuration gets merged with other sources of network configuration, the details can be found in the [network resources guide](../../learn-more/networking-resources#configuration-merging). -## `nocloud` Network Configuration +## `nocloud` network configuration Some bare-metal providers provide a way to configure network via the `nocloud` data source. Talos Linux can automatically pick up this [configuration](../cloud-platforms/nocloud) when `nocloud` image is used. diff --git a/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/secureboot.mdx b/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/secureboot.mdx index ea80dfdd..5be5877f 100644 --- a/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/secureboot.mdx +++ b/public/talos/v1.12/platform-specific-installations/bare-metal-platforms/secureboot.mdx 
@@ -10,14 +10,14 @@ When combined with TPM-based disk encryption, this provides a complete [Trusted This means the disk will only unlock if SecureBoot remains enabled with the same key set when using the default PCR 7 binding. However, **PCR binding is fully configurable** via the `VolumeConfig` `tpm.pcrs` option - see the [TPM encryption options](../../reference/configuration/block/volumeconfig#VolumeConfig.encryption.keys..tpm) for details. -## **PCR Binding Options** +## PCR binding options - **Default**: PCR 7 (SecureBoot state) + PCR 11 signed policy (UKI measurements and boot phases) - **Configurable**: Any combination of PCRs can be specified - **No PCRs**: Can be disabled by passing an empty list, relying solely on PCR 11 signed policy - **Backward compatibility**: Existing installations continue to use their original PCR binding -**Why Configurable PCRs?** +**Why configurable PCRs?** - **Frequent Updates**: PCR 7 covers the SecureBoot policy, particularly the "dbx" denylist of revoked certificates - **Automatic Updates**: Tools like `fwupd` now automatically update the SecureBoot database, causing PCR 7 to change frequently @@ -29,7 +29,7 @@ When the UKI image is generated, the UKI is measured and expected measurements a > Note: SecureBoot is not supported on x86 platforms in BIOS mode. -## SecureBoot Flow +## SecureBoot flow The SecureBoot process follows a strict verification chain from UEFI firmware to the final operating system: 
@@ -79,7 +79,7 @@ As Talos Linux is fully contained in the UKI image, the full operating system is > Note: There is no support at the moment to upgrade non-UKI (GRUB-based) Talos installation to use UKI/SecureBoot, so a fresh installation is required. -## SecureBoot with Sidero Labs Images +## SecureBoot with Sidero Labs images [Sidero Labs](https://www.siderolabs.com/) provides Talos images signed with the [Sidero Labs SecureBoot key](https://factory.talos.dev/secureboot/signing-cert.pem) via [Image Factory](../../learn-more/image-factory). @@ -93,7 +93,7 @@ The install should performed using SecureBoot installer (put it Talos machine co > Note: SecureBoot images can also be generated with [custom keys](#secureboot-with-custom-keys). -## Booting Talos Linux in SecureBoot Mode +## Booting Talos Linux in SecureBoot mode In this guide we will use the ISO image to boot Talos Linux in SecureBoot mode, followed by submitting machine configuration to the machine in maintenance mode. We will use one the ways to generate and submit machine configuration to the node, please refer to the [Production Notes](../../getting-started/prodnotes) for the full guide. 
@@ -159,17 +159,17 @@ Once the new `installer` image is pushed to the registry, [upgrade](../../config It is important to preserve the UKI signing key and the PCR signing key, otherwise the node will not be able to boot with the new UKI and unlock the encrypted partitions. -## Disk Encryption with TPM +## Disk encryption with TPM When encrypting the disk partition for the first time, Talos Linux generates a random disk encryption key and seals (encrypts) it with the TPM device. The TPM unlock policy is configured to trust the expected policy signed by the PCR signing key. This way TPM unlocking doesn't depend on the exact [PCR measurements](https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/), but rather on the expected policy signed by the PCR signing key and the configured PCR states (by default includes PCR 7 for SecureBoot status and the list of enrolled keys, plus PCR 11 for boot integrity). -### PCR Measurements in Detail +### PCR measurements in detail The Unified Kernel Image (UKI) boot process involves several measurement stages that record cryptographic hashes into TPM Platform Configuration Registers (PCRs): -#### systemd-stub UKI Measurements (PCR 11) +#### systemd-stub UKI measurements (PCR 11) According to the [UAPI Unified Kernel Image specification](https://uapi-group.org/specifications/specs/unified_kernel_image/) and [systemd-stub documentation](https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html), systemd-stub measures the following UKI sections into **PCR 11**: 
@@ -193,7 +193,7 @@ According to the [UAPI Unified Kernel Image specification](https://uapi-group.or The [systemd-boot bootloader](https://www.freedesktop.org/software/systemd/man/latest/systemd-boot.html) can optionally measure loaded boot entries and configuration, though this is typically not used in Talos UKI scenarios since the UKI can be loaded directly. -#### Talos Boot Phase Measurements (PCR 11) +#### Talos Boot phase measurements (PCR 11) In addition to the UKI section measurements, Talos extends **PCR 11** with its own boot phases to track the operating system initialization: @@ -204,7 +204,7 @@ In addition to the UKI section measurements, Talos extends **PCR 11** with its o **Important:** The `start-the-world` phase is measured into PCR 11 *after* the encrypted disk has been unlocked. This ensures that user services and workloads cannot decrypt the disk themselves, as any attempt to access TPM-sealed keys will fail due to the changed PCR 11 value. -#### TPM Unlock Policy +#### TPM unlock policy The TPM sealed disk encryption key can only be unsealed when the system reaches the **`enter-machined`** phase. This is the critical security boundary - the disk can only be decrypted if: @@ -214,7 +214,7 @@ The TPM sealed disk encryption key can only be unsealed when the system reaches This ensures that disk decryption only occurs after the trusted boot chain has been verified, but before any potentially untrusted user workloads start. -#### Configurable PCR Binding (Default: PCR 7) +#### Configurable PCR binding (Default: PCR 7) By default, new Talos installations and upgrades maintain binding to **PCR 7**, which includes: 
@@ -229,7 +229,7 @@ During the boot process, `systemd-stub` component of the UKI performs measuremen Talos Linux during the boot appends to the PCR register the measurements of the boot phases, and once the boot reaches the point of mounting the encrypted disk partition, the expected signed policy from the UKI is matched against measured values to unlock the TPM, and TPM unseals the disk encryption key which is then used to unlock the disk partition. -## TPM PCR Measurement Chain +## TPM PCR measurement chain The Trusted Platform Module (TPM) maintains Platform Configuration Registers (PCRs) that record measurements of boot components: @@ -319,7 +319,7 @@ During the upgrade, as long as the new UKI contains PCR policy signed with the s By default, disk encryption is tied to the state of **PCR 7** (SecureBoot state) in addition to **PCR 11** (boot integrity), so that it unlocks only if both the boot chain is valid and SecureBoot is enabled with the expected key set. However, **the PCR binding is fully configurable** via the `VolumeConfig` `tpm.pcrs` option - see the [TPM encryption options](../../reference/configuration/block/volumeconfig#VolumeConfig.encryption.keys..tpm) for details. -## Other Boot Options +## Other boot options Unified Kernel Image (UKI) is a UEFI-bootable image which can be booted directly from the UEFI firmware skipping the `systemd-boot` bootloader. In network boot mode, the UKI can be used directly as well, as it contains the full set of boot assets required to boot Talos Linux. 
@@ -327,9 +327,9 @@ In network boot mode, the UKI can be used directly as well, as it contains the f When SecureBoot is enabled, the UKI image ignores any kernel command line arguments passed to it, but rather uses the kernel command line arguments embedded into the UKI image itself. If kernel command line arguments need to be changed, the UKI image needs to be rebuilt with the new kernel command line arguments. -## SecureBoot with Custom Keys +## SecureBoot with custom keys -### Generating the Keys +### Generating the keys Talos requires two set of keys to be used for the SecureBoot process: @@ -372,7 +372,7 @@ These files can be used to enroll the keys into the UEFI firmware automatically > **Note** : UEFI decides what Secure Boot trusts. By default, `talosctl gen secureboot ...` generates a self-signed UKI signing certificate and `PK.auth/KEK.auth/db.auth` for enrollment. You can also generate your own version of these files which uses other signing keys and certificate authorities specific to your environment. -### Generating the SecureBoot Assets +### Generating the SecureBoot assets Once the keys are generated, they can be used to sign the Talos boot assets to generate required ISO images, PXE boot assets, disk images, installer containers, etc. In this guide we will generate a SecureBoot ISO image and an installer image. diff --git a/public/talos/v1.12/platform-specific-installations/boot-assets.mdx b/public/talos/v1.12/platform-specific-installations/boot-assets.mdx index 53ef5cfe..757990ca 100644 --- a/public/talos/v1.12/platform-specific-installations/boot-assets.mdx +++ b/public/talos/v1.12/platform-specific-installations/boot-assets.mdx 
@@ -293,7 +293,7 @@ The base profile can be customized with the additional flags to the imager: * `--system-extension-image` allows to install a system extension into the image * `--image-cache` allows to use a [local image cache](../configure-your-talos-cluster/images-container-runtime/image-cache) -### Extension Image Reference +### Extension image reference While Image Factory automatically resolves the extension name into a matching container image for a specific version of Talos, `imager` requires the full explicit container image reference. The `imager` also allows to install custom extensions which are not part of the official Talos Linux system extensions. @@ -312,7 +312,7 @@ crane export ghcr.io/siderolabs/extensions:${release_v1_12} | \\ For each Talos release, the `ghcr.io/siderolabs/extensions:VERSION` image contains a pinned reference to each system extension container image. -### Overlay Image Reference +### Overlay image reference While Image Factory automatically resolves the overlay name into a matching container image for a specific version of Talos, `imager` requires the full explicit container image reference. The `imager` also allows to install custom overlays which are not part of the official Talos overlays. @@ -330,7 +330,7 @@ crane export ghcr.io/siderolabs/overlays:${release_v1_12} | \\ For each Talos release, the `ghcr.io/siderolabs/overlays:VERSION` image contains a pinned reference to each overlay container image. -### Pulling from Private Registries +### Pulling from private registries Talos Linux official images are all public, but when pulling a custom image from a private registry, the `imager` might need authentication to access the images. diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/akamai.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/akamai.mdx index 618145c8..179da63e 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/akamai.mdx 
+++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/akamai.mdx @@ -7,7 +7,7 @@ aliases: import { release_v1_12 } from '/snippets/custom-variables.mdx'; -## Creating a Talos Linux Cluster on Akamai Connected Cloud via the CLI +## Creating a Talos Linux cluster on Akamai connected cloud via the CLI This guide will demonstrate how to create a highly available Kubernetes cluster with one worker using the [Akamai Connected Cloud](https://www.linode.com/) provider. @@ -30,7 +30,7 @@ export REGION=us-ord linode-cli image-upload --region ${REGION} --label talos akamai-amd64.raw.gz ``` -### Create a Load Balancer +### Create a load balancer ```bash export REGION=us-ord @@ -40,7 +40,7 @@ export NODEBALANCER_ID=$(linode-cli nodebalancers list --label talos --format id linode-cli nodebalancers config-create --port 443 --protocol tcp --check connection ${NODEBALANCER_ID} ``` -### Create the Machine Configuration Files +### Create the machine configuration files Using the IP address (or DNS name, if you have created one) of the load balancer, generate the base configuration files for the Talos machines. Also note that the load balancer forwards port 443 to port 6443 on the associated nodes, so we should use 443 as the port in the config definition: @@ -53,7 +53,7 @@ talosctl gen config talos-kubernetes-akamai https://${NODEBALANCER_IP} --with-ex ### Create the Linodes -#### Create the Control Plane Nodes +#### Create the control plane nodes > Although root passwords are not used by Talos, Linode requires that a root password be associated with a linode during creation. @@ -95,7 +95,7 @@ for id in $(seq 3); do done ``` -#### Create the Worker Nodes +#### Create the worker nodes > Although root passwords are not used by Talos, Linode requires that a root password be associated with a linode during creation. 
@@ -125,7 +125,7 @@ config_id=$(linode-cli linodes configs-list ${linode_id} --format id --text --no linode-cli linodes config-update ${linode_id} ${config_id} --kernel "linode/direct-disk" ``` -### Bootstrap Etcd +### Bootstrap etcd Set the `endpoints` and `nodes`: diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/aws.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/aws.mdx index 41e5a6fd..5c9c00bc 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/aws.mdx +++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/aws.mdx @@ -7,7 +7,7 @@ aliases: import { release_v1_12 } from '/snippets/custom-variables.mdx'; -## Creating a Cluster via the AWS CLI +## Creating a cluster via the AWS CLI In this guide we will create an HA Kubernetes cluster with 3 control plane nodes across 3 availability zones. You should have an existing AWS account and have the AWS CLI installed and configured. @@ -23,7 +23,7 @@ If you would like to create infrastructure via `terraform` or `opentofu` please > Note: this guide is not a production set up and steps were tested in `bash` and `zsh` shells. -### Create AWS Resources +### Create AWS resources We will be creating a control plane with 3 Ec2 instances spread across 3 availability zones. It is recommended to not use the default VPC so we will create a new one for this tutorial. @@ -40,7 +40,7 @@ VPC_ID=$(aws ec2 create-vpc \ --output text --query 'Vpc.VpcId') ``` -### Create the Subnets +### Create the subnets Create 3 smaller CIDRs to use for each subnet in different availability zones. Make sure to adjust these CIDRs if you changed the default value from the last command. @@ -98,7 +98,7 @@ aws ec2 create-route \ --gateway-id $IGW_ID ``` -### Official AMI Images +### Official AMI images Official AMI image ID can be found in the `cloud-images.json` file attached to the [Talos release](https://github.com/siderolabs/talos/releases). 
@@ -116,7 +116,7 @@ If using the official AMIs, you can skip to [Creating the Security group](#creat > The use of the official Talos AMIs are recommended, but if you wish to build your own AMIs, follow the procedure below. -#### Create the S3 Bucket +#### Create the S3 bucket ```bash aws s3api create-bucket \ @@ -125,13 +125,13 @@ aws s3api create-bucket \ --acl private ``` -#### Create the `vmimport` Role +#### Create the `vmimport` role In order to create an AMI, ensure that the `vmimport` role exists as described in the [official AWS documentation](https://docs.aws.amazon.com/vm-import/latest/userguide/required-permissions.html). Note that the role should be associated with the S3 bucket we created above. -#### Create the Image Snapshot +#### Create the image snapshot First, download the AWS image from Image Factory: @@ -160,7 +160,7 @@ aws ec2 describe-import-snapshot-tasks \ Once the `SnapshotTaskDetail.Status` indicates `completed`, we can register the image. -#### Register the Image +#### Register the image ```bash AMI=$(aws ec2 register-image \ @@ -176,7 +176,7 @@ AMI=$(aws ec2 register-image \ We now have an AMI we can use to create our cluster. -### Create a Security Group +### Create a security group ```bash SECURITY_GROUP_ID=$(aws ec2 create-security-group \ @@ -225,7 +225,7 @@ aws ec2 authorize-security-group-ingress \ --output text ``` -### Create a Load Balancer +### Create a load balancer The load balancer is used for a stable Kubernetes API endpoint. @@ -265,7 +265,7 @@ LISTENER_ARN=$(aws elbv2 create-listener \ --output text) ``` -### Create the Machine Configuration Files +### Create the machine configuration files We will create a [machine config patch](../../configure-your-talos-cluster/system-configuration/patching#rfc6902-json-patches) to use the AWS time servers. You can create [additional patches](../../reference/configuration/v1alpha1/config) to customize the configuration as needed. 
@@ -292,12 +292,12 @@ talosctl gen config talos-k8s-aws-tutorial https://${LOAD_BALANCER_DNS}:6443 \ > Note that the generated configs are too long for AWS userdata field if the `--with-examples` and `--with-docs` flags are not passed. -### Create the EC2 Instances +### Create the EC2 instances > Note: There is a known issue that prevents Talos from running on T2 instance types. > Please use T3 if you need burstable instance types. -#### Create the Control Plane Nodes +#### Create the control plane nodes ```bash declare -a CP_INSTANCES @@ -319,7 +319,7 @@ for SUBNET in ${SUBNETS[@]}; do done ``` -#### Create the Worker Nodes +#### Create the worker nodes For the worker nodes we will create a new launch template with the `worker.yaml` machine configuration and create an autoscaling group. @@ -367,7 +367,7 @@ aws autoscaling create-auto-scaling-group \ --vpc-zone-identifier $(echo ${SUBNETS[@]} | tr ' ' ',') ``` -### Configure the Load Balancer +### Configure the load balancer Now, using the load balancer target group's ARN, and the **PrivateIpAddress** from the controlplane instances that you created : diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/azure.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/azure.mdx index f8bc6185..d756f986 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/azure.mdx +++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/azure.mdx 
@@ -5,13 +5,13 @@ aliases: - ../../../cloud-platforms/azure --- -## Creating a Cluster via the CLI +## Creating a cluster via the CLI In this guide we will create an HA Kubernetes cluster with 1 worker node. We assume existing [Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/), and some familiarity with Azure. If you need more information on Azure specifics, please see the [official Azure documentation](https://docs.microsoft.com/en-us/azure/). -### Environment Setup +### Environment setup We'll make use of the following environment variables throughout the setup. Edit the variables below with your correct information. @@ -36,7 +36,7 @@ export CONNECTION=$(az storage account show-connection-string \ -o tsv) ``` -### Create the Image +### Create the image First, download the Azure image from [Image Factory](https://factory.talos.dev/). Once downloaded, untar with `tar -xvf /path/to/azure-amd64.tar.gz` @@ -53,7 +53,7 @@ az storage blob upload \ -n talos-azure.vhd ``` -#### Register the Image +#### Register the image Now that the image is present in our blob storage, we'll register it. @@ -65,9 +65,9 @@ az image create \ -g $GROUP ``` -### Network Infrastructure +### Network infrastructure -#### Virtual Networks and Security Groups +#### Virtual networks and security groups Once the image is prepared, we'll want to work through setting up the network. Issue the following to create a network security group and add rules to it. @@ -120,7 +120,7 @@ az network nsg rule create \ --direction inbound ``` -#### Load Balancer +#### Load balancer We will create a public ip, load balancer, and a health check that we will use for our control plane. @@ -160,7 +160,7 @@ az network lb rule create \ --probe-name talos-lb-health ``` -#### Network Interfaces +#### Network interfaces In Azure, we have to pre-create the NICs for our control plane so that they can be associated with our load balancer. 
@@ -190,7 +190,7 @@ done # Use `--sku Basic` to set SKU to Basic. ``` -### Cluster Configuration +### Cluster configuration With our networking bits setup, we'll fetch the IP for our load balancer and create our configuration files. @@ -204,7 +204,7 @@ LB_PUBLIC_IP=$(az network public-ip show \ talosctl gen config talos-k8s-azure-tutorial https://${LB_PUBLIC_IP}:6443 ``` -### Compute Creation +### Compute creation We are now ready to create our azure nodes. Azure allows you to pass Talos machine configuration to the virtual machine at bootstrap time via @@ -212,7 +212,7 @@ Azure allows you to pass Talos machine configuration to the virtual machine at b Talos supports only `custom-data` method, machine configuration is available to the VM only on the first boot. -#### Manual Image Upload +#### Manual image upload ```bash # Create availability set @@ -261,7 +261,7 @@ done # for troubleshooting ``` -### Bootstrap Etcd +### Bootstrap etcd You should now be able to interact with your cluster with `talosctl`. We will need to discover the public IP for our first control plane node first. diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/cloudstack.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/cloudstack.mdx index 69dabb88..4e98c45d 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/cloudstack.mdx +++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/cloudstack.mdx @@ -13,7 +13,7 @@ We will be using the [CloudStack Cloudmonkey](https://github.com/apache/cloudsta Please see the [official Apache CloudStack documentation](https://docs.cloudstack.apache.org/en/latest/) for information related to Apache CloudStack. -### Obtain the Talos Image +### Obtain the Talos image Download the Talos CloudStack image `cloudstack-amd64.raw.gz` from the [Image Factory](https://factory.talos.dev). 
@@ -26,11 +26,11 @@ You might be able to use the "Register Template from URL" to download the image > Note: CloudStack does not seem to like compressed images, so you might have to download the image to a local webserver, uncompress it and let CloudStack fetch the image from there instead. > Alternatively, you can try to remove `.gz` from URL to fetch an uncompressed image from the Image Factory. -### Get Required Variables +### Get required variables Next we will get a number of required variables and export them for later use: -#### Get Image Template ID +#### Get image template ID ```bash $ cmk list templates templatefilter=self | jq -r '.template[] | [.id, .name] | @tsv' | sort -k2 @@ -51,7 +51,7 @@ a8c71a6f-2e09-41ed-8754-2d4dd8783920 fsn1 $ export ZONE_ID=a8c71a6f-2e09-41ed-8754-2d4dd8783920 ``` -#### Get Service Offering ID +#### Get service offering ID Get a list of service offerings (instance types) and select the desired offering @@ -63,7 +63,7 @@ c7f5253e-e1f1-4e33-a45e-eb2ebbc65fd4 4096 2 K8S-WRK-S $ export SERVICEOFFERING_ID=82ac8c87-22ee-4ec3-8003-c80b09efe02c ``` -#### Get Network ID +#### Get network ID Get a list of networks and select the relevant network for your cluster. @@ -75,7 +75,7 @@ f706984f-9dd1-4cb8-9493-3fba1f0de7e3 Isolate demo $ export NETWORK_ID=143ed8f1-3cc5-4ba2-8717-457ad993cf25 ``` -#### Get next free Public IP address and ID +#### Get next free public IP address and ID To create a loadbalancer for the K8S API Endpoint, find the next available public IP address in the zone. @@ -91,7 +91,7 @@ $ export PUBLIC_IPADDRESS=10.0.0.102 $ export PUBLIC_IPADDRESS_ID=1901d946-3797-48aa-a113-8fb730b0770a ``` -#### Acquire and Associate Public IP Address +#### Acquire and associate Public IP Address Acquire and associate the public IP address with the network we selected earlier. 
@@ -106,7 +106,7 @@ $ cmk associateIpAddress ipaddress=${PUBLIC_IPADDRESS} networkid=${NETWORK_ID} } ``` -#### Create LB and FW rule using the Public IP Address +#### Create LB and FW rule using the public IP address Create a Loadbalancer for the K8S API Endpoint. @@ -128,7 +128,7 @@ $ cmk create loadbalancerrule algorithm=roundrobin name="k8s-api" privateport=64 } ``` -### Create the Talos Configuration Files +### Create the Talos configuration files Finally it's time to generate the Talos configuration files, using the Public IP address assigned to the loadbalancer. @@ -161,7 +161,7 @@ $ cmk deploy virtualmachine zoneid=${ZONE_ID} templateid=${IMAGE_ID} serviceoffe } ``` -#### Get Talos VM ID and Internal IP address +#### Get Talos VM ID and internal IP address Get the ID of our newly created VM. (Also available in the full output of the above command.) @@ -175,7 +175,7 @@ $ export VM_ID=d37aeca4-7d1f-45cd-9a4d-97fdbf535aa1 $ export VM_IP=10.1.1.243 ``` -#### Get Load Balancer ID +#### Get load balancer ID Obtain the ID of the `loadbalancerrule` we created earlier. @@ -186,7 +186,7 @@ ede6b711-b6bc-4ade-9e48-4b3f5aa59934 10.0.0.102 k8s-api $ export LB_RULE_ID=ede6b711-b6bc-4ade-9e48-4b3f5aa59934 ``` -#### Assign Talos VM to Load Balancer +#### Assign Talos VM to load balancer With the ID of the VM and the load balancer, we can assign the VM to the `loadbalancerrule`, making the K8S API endpoint available via the Load Balancer @@ -194,7 +194,7 @@ With the ID of the VM and the load balancer, we can assign the VM to the `loadba cmk assigntoloadbalancerrule id=${LB_RULE_ID} virtualmachineids=${VM_ID} ``` -### Bootstrap Etcd +### Bootstrap etcd Once the Talos VM has booted, it time to bootstrap etcd. diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/digitalocean.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/digitalocean.mdx index a75fc3f1..0c3a0474 100644 
--- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/digitalocean.mdx +++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/digitalocean.mdx @@ -7,13 +7,13 @@ aliases: import { release_v1_12 } from '/snippets/custom-variables.mdx'; -## Creating a Talos Linux Cluster on Digital Ocean via the CLI +## Creating a Talos Linux cluster on Digital Ocean via the CLI In this guide we will create an HA Kubernetes cluster with 1 worker node, in the NYC region. We assume an existing [Space](https://www.digitalocean.com/docs/spaces/), and some familiarity with DigitalOcean. If you need more information on DigitalOcean specifics, please see the [official DigitalOcean documentation](https://www.digitalocean.com/docs/). -### Create the Image +### Create the image Download the DigitalOcean image `digital-ocean-amd64.raw.gz` from the Image Factory @@ -41,7 +41,7 @@ doctl compute image create \ Save the image ID. We will need it when creating droplets. -### Create a Load Balancer +### Create a load balancer ```bash doctl compute load-balancer create \ @@ -63,7 +63,7 @@ doctl compute load-balancer get --format IP Note that it may take a few minutes before the load balancer is provisioned, so repeat this command until it returns with the IP address. -### Create the Machine Configuration Files +### Create the machine configuration files Using the IP address (or DNS name, if you have created one) of the loadbalancer, generate the base configuration files for the Talos machines. Also note that the load balancer forwards port 443 to port 6443 on the associated nodes, so we should use 443 as the port in the config definition: @@ -89,7 +89,7 @@ doctl compute ssh-key create --public-key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA Note the ssh key ID that is returned - we will use it in creating the droplets. -#### Create the Control Plane Nodes +#### Create the control plane nodes Run the following commands to create three control plane nodes: 
@@ -125,7 +125,7 @@ doctl compute droplet create \ Note the droplet ID returned for the first control plane node. -#### Create the Worker Nodes +#### Create the worker nodes Run the following to create a worker node: @@ -140,7 +140,7 @@ doctl compute droplet create \ talos-worker-1 ``` -### Bootstrap Etcd +### Bootstrap etcd To configure `talosctl` we will need the first control plane node's IP: diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/gcp.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/gcp.mdx index c29fa070..4d9afadb 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/gcp.mdx +++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/gcp.mdx @@ -7,7 +7,7 @@ aliases: import { release_v1_12, version_v1_12 } from '/snippets/custom-variables.mdx'; -## Creating a Cluster via the CLI +## Creating a cluster via the CLI In this guide, we will create an HA Kubernetes cluster in GCP with 1 worker node. We will assume an existing [Cloud Storage bucket](https://cloud.google.com/storage/docs/creating-buckets), and some familiarity with Google Cloud. @@ -15,9 +15,9 @@ If you need more information on Google Cloud specifics, please see the [official [jq](https://stedolan.github.io/jq/) and [talosctl](../../getting-started/quickstart#talosctl) also needs to be installed -## Manual Setup +## Manual setup -### Environment Setup +### Environment setup We'll make use of the following environment variables throughout the setup. Edit the variables below with your correct information. @@ -29,12 +29,12 @@ export STORAGE_BUCKET="StorageBucketName" export REGION="us-central1" ``` -### Create the Image +### Create the image First, download the Google Cloud image from [Image Factory](https://factory.talos.dev/). These images are called `gcp-$ARCH.tar.gz`. -#### Upload the Image +#### Upload the image Once you have downloaded the image, you can upload it to your storage bucket with: 
@@ -52,9 +52,9 @@ gcloud compute images create talos \ --guest-os-features=VIRTIO_SCSI_MULTIQUEUE ``` -### Network Infrastructure +### Network infrastructure -#### Load Balancers and Firewalls +#### Load balancers and firewalls Once the image is prepared, we'll want to work through setting up the network. Issue the following to create a firewall, load balancer, and their required components. @@ -116,7 +116,7 @@ gcloud compute firewall-rules create talos-controlplane-talosctl \ --allow tcp:50000 ``` -### Cluster Configuration +### Cluster configuration With our networking bits setup, we'll fetch the IP for our load balancer and create our configuration files. @@ -131,7 +131,7 @@ talosctl gen config talos-k8s-gcp-tutorial https://${LB_PUBLIC_IP}:443 Additionally, you can specify [machine configuration patches](../../configure-your-talos-cluster/system-configuration/patching#configuration-patching-with-talosctl-cli) which will be applied during the config generation. -### Compute Creation +### Compute creation We are now ready to create our GCP nodes. @@ -162,7 +162,7 @@ gcloud compute instances create talos-worker-0 \ --tags talos-worker-$i ``` -### Bootstrap Etcd +### Bootstrap etcd You should now be able to interact with your cluster with `talosctl`. We will need to discover the public IP for our first control plane node first. @@ -239,7 +239,7 @@ gcloud compute images delete \ talos ``` -## Using GCP Deployment manager +## Using GCP deployment manager Using GCP deployment manager automatically creates a Google Storage bucket and uploads the Talos image to it. Once the deployment is complete the generated `talosconfig` and `kubeconfig` files are uploaded to the bucket. 
@@ -350,7 +350,7 @@ gcloud projects add-iam-policy-binding \ --role roles/compute.loadBalancerAdmin ``` -### Downloading talos and kube config +### Downloading talos and kubeconfig In addition to the `talosconfig` and `kubeconfig` files, the storage bucket contains the `controlplane.yaml` and `worker.yaml` files used to join additional nodes to the cluster. diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/hetzner.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/hetzner.mdx index 21106a2a..3d5955e9 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/hetzner.mdx +++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/hetzner.mdx @@ -173,7 +173,7 @@ hcloud-upload-image upload --image-path hcloud-$TALOS_IMAGE_ARCH.raw.xz --archit After these actions, you can find the snapshot in the console interface. -## Creating a Cluster via the CLI +## Creating a cluster via the CLI This section assumes you have the [hcloud console utility](https://community.hetzner.com/tutorials/howto-hcloud-cli) on your local machine. @@ -182,7 +182,7 @@ This section assumes you have the [hcloud console utility](https://community.het hcloud context create talos-tutorial ``` -### Create a Load Balancer +### Create a load balancer Create a load balancer by issuing the commands shown below. Save the IP/DNS name, as this info will be used in the next step. @@ -201,9 +201,9 @@ hcloud load-balancer add-target controlplane \ --label-selector 'type=controlplane' ``` -### Create the Machine Configuration Files +### Create the machine configuration files -#### Generating Base Configurations +#### Generating base configurations Using the IP/DNS name of the load balancer created earlier, generate the base configuration files for the Talos machines by issuing: 
@@ -217,7 +217,7 @@ Generating the config without examples and docs is necessary because otherwise y At this point, you can modify the generated configs to your liking. Optionally, you can specify [machine configuration patches](../../configure-your-talos-cluster/system-configuration/patching#configuration-patching-with-talosctl-cli) which will be applied during the config generation. -#### Validate the Configuration Files +#### Validate the configuration files Validate any edited machine configs with: @@ -226,12 +226,12 @@ talosctl validate --config controlplane.yaml --mode cloud talosctl validate --config worker.yaml --mode cloud ``` -### Create the Servers +### Create the servers We can now create our servers. Note that you can find `IMAGE_ID` in the snapshot section of the console: `https://console.hetzner.cloud/projects/$PROJECT_ID/servers/snapshots`. -#### Create the Control Plane Nodes +#### Create the control plane nodes Create the control plane nodes with: @@ -257,7 +257,7 @@ hcloud server create --name talos-control-plane-3 \ --user-data-from-file controlplane.yaml ``` -#### Create the Worker Nodes +#### Create the worker nodes Create the worker nodes with the following command, repeating (and incrementing the name counter) as many times as desired. @@ -269,7 +269,7 @@ hcloud server create --name talos-worker-1 \ --user-data-from-file worker.yaml ``` -### Bootstrap Etcd +### Bootstrap etcd To configure `talosctl` we will need the first control plane node's IP. This can be found by issuing: diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/kubernetes.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/kubernetes.mdx index 71739fef..f1bad6d2 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/kubernetes.mdx +++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/kubernetes.mdx 
@@ -20,7 +20,7 @@ Some operations like upgrades and reboots are not supported. {`ghcr.io/siderolabs/talos:${release_v1_12}`} -## Machine Configuration +## Machine configuration Machine configuration can be generated using [Getting Started](../../getting-started/getting-started) guide. Machine install disk will ge ignored, as the install image. @@ -38,11 +38,11 @@ machine: Talos and Kubernetes API can be exposed using Kubernetes services or load balancers, so they can be accessed from outside the cluster. -## Running Talos Pods +## Running Talos pods There might be many ways to run Talos in Kubernetes (StatefulSet, Deployment, single Pod), so we will only provide some basic guidance here. -### Container Settings +### Container settings {` @@ -65,12 +65,12 @@ securityContext: `} -### Submitting Initial Machine Configuration +### Submitting initial machine configuration Initial machine configuration can be submitted using `talosctl apply-config --insecure` when the pod is running, or it can be submitted via an environment variable `USERDATA` with base64-encoded machine configuration. -### Volume Mounts +### Volume mounts Three ephemeral mounts are required for `/run`, `/system`, and `/tmp` directories: diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/nocloud.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/nocloud.mdx index ea13389c..008c680f 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/nocloud.mdx +++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/nocloud.mdx @@ -19,7 +19,7 @@ There are two ways to configure Talos server with `nocloud` platform: > Note: This requires the nocloud image which can be downloaded from the [Image Factory](https://factory.talos.dev/). -### SMBIOS Serial Number +### SMBIOS serial number This method requires the network connection to be up (e.g. via DHCP). Configuration is delivered from the HTTP server. 
diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/openstack.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/openstack.mdx index 5a29a947..cae05fb1 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/openstack.mdx +++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/openstack.mdx @@ -5,26 +5,26 @@ aliases: - ../../../cloud-platforms/openstack --- -## Creating a Cluster via the CLI +## Creating a cluster via the CLI In this guide, we will create an HA Kubernetes cluster in OpenStack with 1 worker node. We will assume an existing some familiarity with OpenStack. If you need more information on OpenStack specifics, please see the [official OpenStack documentation](https://docs.openstack.org). -### Environment Setup +### Environment setup You should have an existing openrc file. This file will provide environment variables necessary to talk to your OpenStack cloud. See [here](https://docs.openstack.org/newton/user-guide/common/cli-set-environment-variables-using-openstack-rc.html) for instructions on fetching this file. -### Create the Image +### Create the image First, download the OpenStack image from [Image Factory](https://factory.talos.dev/). These images are called `openstack-$ARCH.tar.gz`. Untar this file with `tar -xvf openstack-$ARCH.tar.gz`. The resulting file will be called `disk.raw`. -#### Upload the Image +#### Upload the image Once you have the image, you can upload to OpenStack with: 
@@ -32,9 +32,9 @@ Once you have the image, you can upload to OpenStack with: openstack image create --public --disk-format raw --file disk.raw talos ``` -### Network Infrastructure +### Network infrastructure -#### Load Balancer and Network Ports +#### Load balancer and network ports Once the image is prepared, you will need to work through setting up the network. Issue the following to create a load balancer, the necessary network ports for each control plane node, and associations between the two. @@ -79,14 +79,14 @@ openstack loadbalancer member create --subnet-id shared-subnet --address --protocol-port 6443 talos-control-plane-pool ``` -#### Security Groups +#### Security groups This example uses the default security group in OpenStack. Ports have been opened to ensure that connectivity from both inside and outside the group is possible. You will want to allow, at a minimum, ports 6443 (Kubernetes API server) and 50000 (Talos API) from external sources. It is also recommended to allow communication over all ports from within the subnet. -### Cluster Configuration +### Cluster configuration With our networking bits setup, we'll fetch the IP for our load balancer and create our configuration files. @@ -98,7 +98,7 @@ talosctl gen config talos-k8s-openstack-tutorial https://${LB_PUBLIC_IP}:6443 Additionally, you can specify [machine configuration patches](../../configure-your-talos-cluster/system-configuration/patching#configuration-patching-with-talosctl-cli) which will be applied during the config generation. -### Compute Creation +### Compute creation We are now ready to create our OpenStack nodes. @@ -120,7 +120,7 @@ openstack server create talos-worker-1 --flavor m1.small --network shared --imag > Note: This step can be repeated to add more workers. -### Bootstrap Etcd +### Bootstrap etcd You should now be able to interact with your cluster with `talosctl`. We will use one of the floating IPs we allocated earlier. 
diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/oracle.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/oracle.mdx index 0f22aea7..5907775a 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/oracle.mdx +++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/oracle.mdx @@ -91,7 +91,7 @@ machine: - 169.254.169.254 ``` -## Creating a Cluster via the CLI +## Creating a cluster via the CLI Login to the [console](https://www.oracle.com/cloud/). And open the Cloud Shell. @@ -115,7 +115,7 @@ export sl_id=$(oci network vcn list --compartment-id $compartment_id --query 'da oci network security-list update --security-list-id $sl_id --egress-security-rules '[{"destination": "0.0.0.0/0", "protocol": "all", "isStateless": false}]' --ingress-security-rules '[{"source": "0.0.0.0/0", "protocol": "all", "isStateless": false}]' --force ``` -### Create a Load Balancer +### Create a load balancer Create a load balancer by issuing the commands shown below. Save the IP/DNS name, as this info will be used in the next step. @@ -152,9 +152,9 @@ oci nlb listener create --default-backend-set-name controlplane --name controlpl oci nlb network-load-balancer list --compartment-id $compartment_id --display-name controlplane-lb --query 'data.items[0]."ip-addresses"' ``` -### Create the Machine Configuration Files +### Create the machine configuration files -#### Generating Base Configurations +#### Generating base configurations Using the IP/DNS name of the loadbalancer created earlier, generate the base configuration files for the Talos machines by issuing: 
@@ -168,7 +168,7 @@ created talosconfig At this point, you can modify the generated configs to your liking. Optionally, you can specify [machine configuration patches](../../configure-your-talos-cluster/system-configuration/patching#configuration-patching-with-talosctl-cli) which will be applied during the config generation. -#### Validate the Configuration Files +#### Validate the configuration files Validate any edited machine configs with: @@ -179,9 +179,9 @@ $ talosctl validate --config worker.yaml --mode cloud worker.yaml is valid for cloud mode ``` -### Create the Servers +### Create the servers -#### Create the Control Plane Nodes +#### Create the control plane nodes Create the control plane nodes with: @@ -215,7 +215,7 @@ oci nlb backend create --backend-set-name talos --network-load-balancer-id $netw oci nlb backend create --backend-set-name controlplane --network-load-balancer-id $network_load_balancer_id --port 6443 --target-id $instance_id ``` -#### Create the Worker Nodes +#### Create the worker nodes Create the worker nodes with the following command, repeating (and incrementing the name counter) as many times as desired. @@ -232,7 +232,7 @@ oci compute instance launch --shape $shape --availability-domain $availability_d oci compute instance launch --shape $shape --availability-domain $availability_domain --compartment-id $compartment_id --image-id $image_id --subnet-id $subnet_id --display-name worker-3 --assign-public-ip true --user-data-file worker.yaml ``` -### Bootstrap Etcd +### Bootstrap etcd To configure `talosctl` we will need the first control plane node's IP. This can be found by issuing: diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/scaleway.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/scaleway.mdx index 3da96df5..1ad13226 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/scaleway.mdx 
+++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/scaleway.mdx @@ -15,7 +15,7 @@ The process to run a Talos cluster, on a single node in Scaleway is as follows: - Configure the `scw` CLI to access your account (optional - you can use the console instead) - Have `qemu-img` and `wget` installed for image conversion -## Image Preparation +## Image preparation 1. **Download the image disk** of the Talos version you wish to run: @@ -45,7 +45,7 @@ The process to run a Talos cluster, on a single node in Scaleway is as follows: 4. **Upload to S3-compatible object storage**: Use the Scaleway console Object Storage interface to upload the QCOW2 file directly. -## Snapshot Creation +## Snapshot creation 1. Go to the Scaleway Web console. @@ -57,7 +57,7 @@ The process to run a Talos cluster, on a single node in Scaleway is as follows: 4. Name the snapshot *scaleway-amd64-v{ release_v1_12 }*, and use a Local Storage snapshot type. -## Instance Deployment +## Instance deployment 1. Create instance using the snapshot/image via GUI, CLI, or Infrastructure as Code tools. @@ -73,7 +73,7 @@ talosctl -n $VM_IP get disks --insecure talosctl -n $VM_IP get links --insecure ``` -## Talos Configuration +## Talos configuration As any other Talos instance, generate the Talos machineconfig, with the following patch : ``` @@ -129,7 +129,7 @@ talosctl --talosconfig=./_out/talosconfig --nodes $VM_IP -e $VM_IP version talosctl --talosconfig=./_out/talosconfig --nodes $VM_IP -e $VM_IP dashboard ``` -## Talos Cluster Bootstrap +## Talos cluster bootstrap One last command to bootstrap your Talos Cluster : ``` diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/upcloud.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/upcloud.mdx index e8f4ed24..b9da3a96 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/upcloud.mdx +++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/upcloud.mdx 
@@ -11,7 +11,7 @@ In this guide we will create an HA Kubernetes cluster 3 control plane nodes and We assume some familiarity with UpCloud. If you need more information on UpCloud specifics, please see the [official UpCloud documentation](https://upcloud.com/resources/docs). -## Create the Image +## Create the image The best way to create an image for UpCloud, is to build one using [Hashicorp packer](https://www.packer.io/docs/builders/hetzner-cloud), with the @@ -120,9 +120,9 @@ packer build . After doing this, you can find the custom image in the console interface under storage. -## Creating a Cluster via the CLI +## Creating a cluster via the CLI -### Create an Endpoint +### Create an endpoint To communicate with the Talos cluster you will need a single endpoint that is used to access the cluster. @@ -136,9 +136,9 @@ Endpoint selection has been further documented [here](../../getting-started/gett After you decide on which endpoint to use, note down the domain name or IP, as we will need it in the next step. -### Create the Machine Configuration Files +### Create the machine configuration files -#### Generating Base Configurations +#### Generating base configurations Using the DNS name of the endpoint created earlier, generate the base configuration files for the Talos machines: @@ -157,7 +157,7 @@ Depending on the Kubernetes version you want to run, you might need to select a Optionally, you can specify [machine configuration patches](../../configure-your-talos-cluster/system-configuration/patching#configuration-patching-with-talosctl-cli) which will be applied during the config generation. -#### Validate the Configuration Files +#### Validate the configuration files ```bash $ talosctl validate --config controlplane.yaml --mode cloud 
@@ -166,9 +166,9 @@ $ talosctl validate --config worker.yaml --mode cloud worker.yaml is valid for cloud mode ``` -### Create the Servers +### Create the servers -#### Create the Control Plane Nodes +#### Create the control plane nodes Run the following to create three total control plane nodes: @@ -192,7 +192,7 @@ done Note the IP address of the first control plane node, as we will need it later. -#### Create the Worker Nodes +#### Create the worker nodes Run the following to create a worker node: @@ -209,7 +209,7 @@ upctl server create \ `} -### Bootstrap Etcd +### Bootstrap etcd To configure `talosctl` we will need the first control plane node's IP, as noted earlier. We only add one node IP, as that is the entry into our cluster against which our commands will be run. diff --git a/public/talos/v1.12/platform-specific-installations/cloud-platforms/vultr.mdx b/public/talos/v1.12/platform-specific-installations/cloud-platforms/vultr.mdx index 8c643dfb..a604436b 100644 --- a/public/talos/v1.12/platform-specific-installations/cloud-platforms/vultr.mdx +++ b/public/talos/v1.12/platform-specific-installations/cloud-platforms/vultr.mdx @@ -14,9 +14,9 @@ This guide will demonstrate how to create a highly-available Kubernetes cluster [Vultr](https://www.vultr.com/) have a very well documented REST API, and an open-source [CLI](https://github.com/vultr/vultr-cli) tool to interact with the API which will be used in this guide. Make sure to follow installation and authentication instructions for the `vultr-cli` tool. -### Boot Options +### Boot options -#### Upload an ISO Image +#### Upload an ISO image First step is to make the Talos ISO available to Vultr by uploading the latest release of the ISO to the Vultr ISO server. 
@@ -28,7 +28,7 @@ vultr-cli iso create --url https://factory.talos.dev/image/376567988ad370138ad8b Make a note of the `ID` in the output, it will be needed later when creating the instances.met -#### PXE Booting via Image Factory +#### PXE booting via image factory Talos Linux can be PXE-booted on Vultr using [Image Factory](../../learn-more/image-factory), using the `vultr` platform: e.g. @@ -41,7 +41,7 @@ Talos Linux can be PXE-booted on Vultr using [Image Factory](../../learn-more/im (this URL references the default schematic and `amd64` architecture). Make a note of the `ID` in the output, it will be needed later when creating the instances. -### Create a Load Balancer +### Create a load balancer A load balancer is needed to serve as the Kubernetes endpoint for the cluster. @@ -66,9 +66,9 @@ vultr-cli load-balancer get $LOAD_BALANCER_ID | grep ^IP Make a note of the `IP` address, it will be needed later when generating the configuration. -### Create the Machine Configuration +### Create the machine configuration -#### Generate Base Configuration +#### Generate base configuration Using the IP address (or DNS name if one was created) of the load balancer created above, generate the machine configuration files for the new cluster. 
@@ -78,16 +78,16 @@ talosctl gen config talos-kubernetes-vultr https://$LOAD_BALANCER_ADDRESS Once generated, the machine configuration can be modified as necessary for the new cluster, for instance updating disk installation, or adding SANs for the certificates. -#### Validate the Configuration Files +#### Validate the configuration files ```bash talosctl validate --config controlplane.yaml --mode cloud talosctl validate --config worker.yaml --mode cloud ``` -### Create the Nodes +### Create the nodes -#### Create the Control Plane Nodes +#### Create the control plane nodes First a control plane needs to be created, with the example below creating 3 instances in a loop. The instance type (noted by the `--plan vc2-2c-4gb` argument) in the example is for a minimum-spec control plane node, and should be updated to suit the cluster being created. @@ -118,7 +118,7 @@ talosctl --talosconfig talosconfig apply-config --insecure --nodes $CONTROL_PLAN talosctl --talosconfig talosconfig apply-config --insecure --nodes $CONTROL_PLANE_3_ADDRESS --file controlplane.yaml ``` -#### Create the Worker Nodes +#### Create the worker nodes Now worker nodes can be created and configured in a similar way to the control plane nodes, the difference being mainly in the machine configuration file. Note that like with the control plane nodes, the instance type (here set by `--plan vc2-1-1gb`) should be changed for the actual cluster requirements. @@ -150,7 +150,7 @@ It is important that the `talosctl bootstrap` command be executed only once and talosctl --talosconfig talosconfig bootstrap --endpoints $CONTROL_PLANE_1_ADDRESS --nodes $CONTROL_PLANE_1_ADDRESS ``` -### Configure Endpoints and Nodes +### Configure endpoints and nodes While the cluster goes through the bootstrapping process and beings to self-manage, the `talosconfig` can be updated with the [endpoints and nodes](../../learn-more/talosctl#endpoints-and-nodes). 
diff --git a/public/talos/v1.12/platform-specific-installations/local-platforms/docker.mdx b/public/talos/v1.12/platform-specific-installations/local-platforms/docker.mdx index 9b47a963..e0efbfe1 100644 --- a/public/talos/v1.12/platform-specific-installations/local-platforms/docker.mdx +++ b/public/talos/v1.12/platform-specific-installations/local-platforms/docker.mdx @@ -30,7 +30,7 @@ Due to the fact that Talos will be running in a container, certain APIs are not For example `upgrade`, `reset`, and similar APIs don't apply in container mode. Further, when running on a Mac in docker, due to networking limitations, VIPs are not supported. -## Create the Cluster +## Create the cluster Creating a local cluster is as simple as: @@ -74,7 +74,7 @@ KUBERNETES ENDPOINT https://127.0.0.1:43083 > sudo modprobe br_netfilter > ``` -## Using the Cluster +## Using the cluster Once the cluster is available, you can make use of `talosctl` and `kubectl` to interact with the cluster. For example, to view current running containers, run `talosctl containers` for a list of containers in the `system` namespace, or `talosctl containers -k` for the `k8s.io` namespace. @@ -88,7 +88,7 @@ To cleanup, run: talosctl cluster destroy ``` -## Multiple Clusters +## Multiple clusters Multiple Talos Linux cluster can be created on the same host, each cluster will need to have: @@ -114,7 +114,7 @@ talosctl --context cluster2 version kubectl --context admin@cluster2 get nodes ``` -## Running Talos in Docker Manually +## Running Talos in Docker manually To run Talos in a container manually, run: diff --git a/public/talos/v1.12/platform-specific-installations/local-platforms/qemu.mdx b/public/talos/v1.12/platform-specific-installations/local-platforms/qemu.mdx index 08f3d504..fd55b665 100644 --- a/public/talos/v1.12/platform-specific-installations/local-platforms/qemu.mdx +++ b/public/talos/v1.12/platform-specific-installations/local-platforms/qemu.mdx 
@@ -72,7 +72,7 @@ brew install siderolabs/tap/talosctl For manual installation and other platforms please see the [talosctl installation guide](../../getting-started/talosctl ). -## Create the Cluster +## Create the cluster For the first time, create root state directory as your user so that you can inspect the logs as non-root user: @@ -106,7 +106,7 @@ The `omni-api-endpoint` flag configures nodes to connect to an Omni instance onc Using [SideroLink](../../networking/siderolink), the local QEMU nodes can communicate with Omni as long as the endpoint is reachable. This enables connections to a local Omni instance, a cloud-hosted Omni instance, or a Sidero SaaS Omni instance. -## Using the Cluster +## Using the cluster Once the cluster is available, you can make use of `talosctl` and `kubectl` to interact with the cluster. For example, to view current running containers, run `talosctl -n 10.5.0.2 containers` for a list of containers in the `system` namespace, or `talosctl -n 10.5.0.2 containers -k` for the `k8s.io` namespace. @@ -136,7 +136,7 @@ talos-default-controlplane-3 ControlPlane 10.5.0.4 1.00 1.6 GB 4.3 GB talos-default-worker-1 Worker 10.5.0.5 1.00 1.6 GB 4.3 GB ``` -## Cleaning Up +## Cleaning up To cleanup, run: @@ -146,7 +146,7 @@ sudo --preserve-env=HOME talosctl cluster destroy --provisioner qemu > **Note**: In that case that the host machine is rebooted before destroying the cluster, you may need to manually remove `~/.talos/clusters/talos-default`. -## Manual Clean Up +## Manual clean up The `talosctl cluster destroy` command depends heavily on the clusters state directory. It contains all related information of the cluster. @@ -155,7 +155,7 @@ The PIDs and network associated with the cluster nodes. If you happened to have deleted the state folder by mistake or you would like to cleanup the environment, here are the steps how to do it manually: -### Remove VM Launchers +### Remove VM launchers Find the process of `talosctl qemu-launch`: 
diff --git a/public/talos/v1.12/platform-specific-installations/local-platforms/virtualbox.mdx b/public/talos/v1.12/platform-specific-installations/local-platforms/virtualbox.mdx index c2d12278..6607f09a 100644 --- a/public/talos/v1.12/platform-specific-installations/local-platforms/virtualbox.mdx +++ b/public/talos/v1.12/platform-specific-installations/local-platforms/virtualbox.mdx @@ -9,7 +9,7 @@ import { release_v1_12 } from '/snippets/custom-variables.mdx'; In this guide we will create a Kubernetes cluster using VirtualBox. -## Video Walkthrough +## Video walkthrough To see a live demo of this writeup, visit Youtube here: @@ -17,7 +17,7 @@ To see a live demo of this writeup, visit Youtube here: ## Installation -### How to Get VirtualBox +### How to get VirtualBox Install VirtualBox with your operating system package manager or from the [website](https://www.virtualbox.org/). For example, on Ubuntu for x86: @@ -36,7 +36,7 @@ brew install siderolabs/tap/talosctl For manual installation and other platforms please see the [talosctl installation guide](../../getting-started/talosctl). -### Download ISO Image +### Download ISO image Download the ISO image from [Image Factory](https://www.talos.dev/latest/talos-guides/install/boot-assets/#image-factory). @@ -92,7 +92,7 @@ Finally, in the "Storage" section, select the optical drive and, on the right, s Repeat this process for a second VM to use as a worker node. You can also repeat this for additional nodes desired. -## Start Control Plane Node +## Start control plane node Once the VMs have been created and updated, start the VM that will be the first control plane node. This VM will boot the ISO image specified earlier and enter "maintenance mode". 
@@ -102,7 +102,7 @@ If you wish to export this IP as a bash variable, simply issue a command like `e -## Generate Machine Configurations +## Generate machine configurations With the IP address above, you can now generate the machine configurations to use for installing Talos and Kubernetes. Issue the following command, updating the output directory, cluster name, and control plane IP as you see fit: @@ -113,7 +113,7 @@ talosctl gen config talos-vbox-cluster https://$CONTROL_PLANE_IP:6443 --output-d This will create several files in the `_out` directory: controlplane.yaml, worker.yaml, and talosconfig. -## Create Control Plane Node +## Create control plane node Using the `controlplane.yaml` generated above, you can now apply this config using talosctl. Issue: @@ -133,7 +133,7 @@ Talos will be installed to disk, the VM will reboot, and then Talos will configu > > Simply remove the ISO image from the VM and restart it. -## Create Worker Node +## Create worker node Create at least a single worker node using a process similar to the control plane creation above. Start the worker node VM and wait for it to enter "maintenance mode". @@ -167,7 +167,7 @@ You should see stage change to `Running` and your cluster is now ready. talosctl --talosconfig $TALOSCONFIG bootstrap ``` -## Using the Cluster +## Using the cluster Once the cluster is available, you can make use of `talosctl` and `kubectl` to interact with the cluster. For example, to view current running containers, run `talosctl containers` for a list of containers in the `system` namespace, or `talosctl containers -k` for the `k8s.io` namespace. @@ -197,6 +197,6 @@ You can then use kubectl in this fashion: kubectl get nodes ``` -## Cleaning Up +## Cleaning up To cleanup, simply stop and delete the virtual machines from the VirtualBox UI. 
diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/bananapi_m64.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/bananapi_m64.mdx index b160a0c5..2d63efb2 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/bananapi_m64.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/bananapi_m64.mdx @@ -23,7 +23,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image using Image Factory +## Download the image using Image Factory The default schematic id for "vanilla" Banana Pi M64 is `8e11dcb3c2803fbe893ab201fcadf1ef295568410e7ced95c6c8b122a5070ce4`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -37,7 +37,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. @@ -48,7 +48,7 @@ Now `dd` the image to your SD card: sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M ``` -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/jetson_nano.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/jetson_nano.mdx index 8b00a229..5a18b7c9 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/jetson_nano.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/jetson_nano.mdx 
@@ -85,7 +85,7 @@ This will flash the firmware to the Jetson Nano SPI flash and you'll see a lot o If you've connected the serial console you'll also see the progress there. Once the flashing is done you can disconnect the USB cable and power off the Jetson Nano. -## Download the Image +## Download the image The default schematic id for "vanilla" Jetson Nano is `c7d6f36c6bdfb45fd63178b202a67cff0dd270262269c64886b43f76880ecf1e`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -99,7 +99,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image Now `dd` the image to your SD card/USB storage: @@ -109,7 +109,7 @@ sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M status=progress | Replace `/dev/mmcblk0` with the name of your SD card/USB storage. -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card/USB storage to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/libretech_all_h3_cc_h5.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/libretech_all_h3_cc_h5.mdx index 8e644817..05b53931 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/libretech_all_h3_cc_h5.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/libretech_all_h3_cc_h5.mdx @@ -23,7 +23,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image The default schematic id for "vanilla" Libretech H3 CC H5 is `5689d7795f91ac5bf6ccc85093fad8f8b27f6ea9d96a9ac5a059997bffd8ad5c`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. 
@@ -37,7 +37,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. @@ -48,7 +48,7 @@ Now `dd` the image to your SD card: sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M ``` -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/nanopi_r4s.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/nanopi_r4s.mdx index 29b63c55..e814098f 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/nanopi_r4s.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/nanopi_r4s.mdx @@ -23,7 +23,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image The default schematic id for "vanilla" NanoPi R4S is `5f74a09891d5830f0b36158d3d9ea3b1c9cc019848ace08ff63ba255e38c8da4`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -37,7 +37,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. @@ -48,7 +48,7 @@ Now `dd` the image to your SD card: sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M ``` -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: 
diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/orangepi_5.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/orangepi_5.mdx index 1f9a00e7..791d0697 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/orangepi_5.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/orangepi_5.mdx @@ -34,7 +34,7 @@ xz -d metal-arm64.raw.xz `} -#### Flash the Image +#### Flash the image The image can be flashed using Etcher on Windows, macOS, or Linux or using dd on Linux: diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/orangepi_r1_plus_lts.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/orangepi_r1_plus_lts.mdx index 4dac721a..2570fcfa 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/orangepi_r1_plus_lts.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/orangepi_r1_plus_lts.mdx @@ -21,7 +21,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image using Image Factory +## Download the image using Image Factory The default schematic id for "vanilla" Orange Pi R1 Plus LTS is `da388062cd9318efdc7391982a77ebb2a97ed4fbda68f221354c17839a750509`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -35,7 +35,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/pine64.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/pine64.mdx index 4916cd52..dd6edb83 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/pine64.mdx 
+++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/pine64.mdx @@ -23,7 +23,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image The default schematic id for "vanilla" Pine64 is `185431e0f0bf34c983c6f47f4c6d3703aa2f02cd202ca013216fd71ffc34e175`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -37,7 +37,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. @@ -48,7 +48,7 @@ Now `dd` the image to your SD card: sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M ``` -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/rock4cplus.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/rock4cplus.mdx index 6edf0367..f1ee19ae 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/rock4cplus.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/rock4cplus.mdx @@ -21,7 +21,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image The default schematic id for "vanilla" Rock 4c Plus is `ed7091ab924ef1406dadc4623c90f245868f03d262764ddc2c22c8a19eb37c1c`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. 
@@ -54,7 +54,7 @@ The user has two options to proceed: Insert the SD card into the board, turn it on and proceed to [bootstrapping the node](#bootstrapping-the-node). -## Bootstrapping the Node +## Bootstrapping the node Wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/rock5b.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/rock5b.mdx index 3aafbcb8..5cd93da1 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/rock5b.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/rock5b.mdx @@ -14,7 +14,7 @@ You will need - follow [Installation/talosctl](../../getting-started/talosctl ) to intall `talosctl` - an SD card -## Download the Image +## Download the image Visit the [Image Factory](https://factory.talos.dev/), select `Single Board Computers`, select the version and select `Radxa ROCK 5B` from the options. @@ -30,7 +30,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image This guide assumes the node should boot from SD card. Booting from eMMC or NVMe has not been tested yet. diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/rock64.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/rock64.mdx index e5ff809a..c9ec9eb9 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/rock64.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/rock64.mdx 
@@ -23,7 +23,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image The default schematic id for "vanilla" Pine64 Rock64 is `0e162298269125049a51ec0a03c2ef85405a55e1d2ac36a7ef7292358cf3ce5a`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -37,7 +37,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. @@ -48,7 +48,7 @@ Now `dd` the image to your SD card: sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M ``` -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/rockpi_4.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/rockpi_4.mdx index 3b9fa2f8..c32b2e1f 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/rockpi_4.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/rockpi_4.mdx @@ -24,7 +24,7 @@ chmod +x /usr/local/bin/talosctl -## Download the Image +## Download the image The default schematic id for "vanilla" RockPi 4 is `25d2690bb48685de5939edd6dee83a0e09591311e64ad03c550de00f8a521f51`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -39,7 +39,7 @@ xz -d metal-arm64.raw.xz -## Writing the Image +## Writing the image The path to your SD card/eMMC/USB/nVME can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. 
@@ -68,7 +68,7 @@ Follow the Radxa docs on [Install on M.2 NVME SSD](https://wiki.radxa.com/Rockpi After these above steps, Talos will boot from the nVME/USB and enter maintenance mode. Proceed to [bootstrapping the node](#bootstrapping-the-node). -## Bootstrapping the Node +## Bootstrapping the node Wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/rockpi_4c.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/rockpi_4c.mdx index 7e512b46..a88840d3 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/rockpi_4c.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/rockpi_4c.mdx @@ -21,7 +21,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image The default schematic id for "vanilla" RockPi 4c is `08e72e242b71f42c9db5bed80e8255b2e0d442a372bc09055b79537d9e3ce191`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -35,7 +35,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card/eMMC/USB/nVME can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. @@ -64,7 +64,7 @@ Follow the Radxa docs on [Install on M.2 NVME SSD](https://wiki.radxa.com/Rockpi After these above steps, Talos will boot from the nVME/USB and enter maintenance mode. Proceed to [bootstrapping the node](#bootstrapping-the-node). -## Bootstrapping the Node +## Bootstrapping the node Wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: 
diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/rpi_generic.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/rpi_generic.mdx index c90571a5..9caddcdb 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/rpi_generic.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/rpi_generic.mdx @@ -11,7 +11,7 @@ Talos disk image for the Raspberry Pi generic should in theory work for the boar This has only been officialy tested on the Raspberry Pi 4 and community tested on one variant of the Compute Module 4 using Super 6C boards. If you have tested this on other Raspberry Pi boards, please let us know. -## Video Walkthrough +## Video walkthrough To see a live demo of this writeup, see the video below: @@ -44,7 +44,7 @@ Power off the Raspberry Pi and remove the SD card from it. > Note: Updating the bootloader only needs to be done once. -## Download the Image +## Download the image > Note: if you need to enable Broadcom VideoCore GPU support, generate a new image from the [Image Factory](../../learn-more/image-factory) with the correct [config.txt](#configtxt-information) configuration and `vc4` system extension. > More information can be found under the [Image Factory Example](#example-raspberry-pi-generic-with-broadcom-videocore-gpu-support-with-image-factory) below. @@ -60,7 +60,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image Now `dd` the image to your SD card: @@ -68,7 +68,7 @@ Now `dd` the image to your SD card: sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M ``` -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: 
@@ -300,7 +300,7 @@ Now we can use the customized `installer` image to install Talos on Raspberry Pi When it's time to upgrade a machine, a new `installer` image can be generated using the new version of `imager`, and updating the system extension and overlay images to the matching versions. The custom `installer` image can now be used to upgrade Talos machine. -## config.txt Information +## config.txt information Refer to the default [config.txt](https://github.com/siderolabs/sbc-raspberrypi/blob/main/installers/rpi_generic/src/config.txt) file used by the [sbc-raspberrypi](https://github.com/siderolabs/sbc-raspberrypi) overlay. @@ -363,7 +363,7 @@ The following table can be used to troubleshoot booting issues: | 4 | 6 | Power failure type A | | 4 | 7 | Power failure type B | -### GPU Memory Issues +### GPU memory issues The Contiguous Memory Allocator (CMA) reserves physically contiguous memory for Raspberry Pi GPU/display operations (e.g., KMS/DRM rendering). An error like `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory` indicates an undersized CMA pool for graphics tasks. @@ -381,7 +381,7 @@ The default may be too small for GPU-intensive tasks, and oversizing reduces sys | 512 MB | 4K media, ML with GPU | | 1024 MB | Experimental, may destabilize | -#### Change CMA Size +#### Change CMA size **Kernel Parameters**: diff --git a/public/talos/v1.12/platform-specific-installations/single-board-computers/turing_rk1.mdx b/public/talos/v1.12/platform-specific-installations/single-board-computers/turing_rk1.mdx index 3a55b7e0..bad04d36 100644 --- a/public/talos/v1.12/platform-specific-installations/single-board-computers/turing_rk1.mdx +++ b/public/talos/v1.12/platform-specific-installations/single-board-computers/turing_rk1.mdx 
@@ -24,7 +24,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image Go to `https://factory.talos.dev` select `Single Board Computers`, select the version and select `Turing RK1` from the options. Choose your desired extensions and fill in the kernel command line arguments if needed. @@ -105,7 +105,7 @@ Skip step 1 if you already installed your NVMe drive. Talos will now boot from the NVMe/USB and enter maintenance mode. -## Bootstrapping the Node +## Bootstrapping the node To monitor boot messages, run: (repeat) diff --git a/public/talos/v1.12/platform-specific-installations/virtualized-platforms/hyper-v.mdx b/public/talos/v1.12/platform-specific-installations/virtualized-platforms/hyper-v.mdx index 6d8b2f93..64ce8276 100644 --- a/public/talos/v1.12/platform-specific-installations/virtualized-platforms/hyper-v.mdx +++ b/public/talos/v1.12/platform-specific-installations/virtualized-platforms/hyper-v.mdx @@ -23,7 +23,7 @@ aliases: ``` - Confirm the change when prompted. -## Plan Overview +## Plan overview We will create a basic 3-node cluster with one control-plane node and two worker nodes. The main difference between the control plane and worker nodes is the amount of RAM and an additional storage VHD for the worker nodes. @@ -33,7 +33,7 @@ We use a `VMNamePrefix` argument for the VM name prefix, not the full hostname. This command will find any existing VM with that prefix and increment the highest suffix found. For example, if `talos-cp01` and `talos-cp02` exist, it will create VMs starting from `talos-cp03`, depending on the `NumberOfVMs` argument. -## Setup a Control Plane Node +## Setup a control plane node > Note: Ensure the `LAB` adapter exists in Hyper-V and is set to external. @@ -45,7 +45,7 @@ New-TalosVM -VMNamePrefix talos-cp -CPUCount 2 -StartupMemory 4GB -SwitchName LA This will create the `talos-cp01` VM and power it on. -## Setup Worker Nodes +## Setup worker nodes Create two worker nodes with the following command: 
@@ -55,7 +55,7 @@ New-TalosVM -VMNamePrefix talos-worker -CPUCount 4 -StartupMemory 8GB -SwitchNam This will create `talos-worker01` and `talos-worker02` VMs, each with an additional 50GB VHD for storage (which can be used for Mayastor). -## Push Config to the Nodes +## Push config to the nodes Once the VMs are ready, find their IP addresses from the VM console. Push the config to the control plane node with: @@ -71,7 +71,7 @@ talosctl gen config talos-cluster https://$($CONTROL_PLANE_IP):6443 --output-dir talosctl apply-config --insecure --nodes $CONTROL_PLANE_IP --file .\controlplane.yaml ``` -## Push Config to Worker Nodes +## Push config to worker nodes Similarly, for the worker nodes: @@ -81,7 +81,7 @@ talosctl apply-config --insecure --nodes 10.10.10.x --file .\worker.yaml Apply the config to both worker nodes. -## Bootstrap Cluster +## Bootstrap cluster With the nodes ready, bootstrap the Kubernetes cluster: diff --git a/public/talos/v1.12/platform-specific-installations/virtualized-platforms/kvm.mdx b/public/talos/v1.12/platform-specific-installations/virtualized-platforms/kvm.mdx index 88b3f6da..97ccf6a1 100644 --- a/public/talos/v1.12/platform-specific-installations/virtualized-platforms/kvm.mdx +++ b/public/talos/v1.12/platform-specific-installations/virtualized-platforms/kvm.mdx @@ -30,7 +30,7 @@ cd ~/talos-kvm Download the latest `metal-amd64.iso` from the Talos [GitHub releases page](https://github.com/siderolabs/talos/releases). -## Configure the Network +## Configure the network Before we get started, let’s set up an isolated network for your Talos cluster. @@ -116,7 +116,7 @@ Autostart: yes Bridge: talos-bridge ``` -## Provisioning the Environment +## Provisioning the environment Now that you have a dedicated network let's go ahead and provision VMs. 
@@ -163,7 +163,7 @@ Use the following command to verify that your VMs are in a running state: virsh list ``` -## Configure the Cluster +## Configure the cluster Now that you have your VMs provisioned it's time to configure the cluster. This step is done through `talosctl` command utility. @@ -214,7 +214,7 @@ talosctl apply-config --insecure --nodes $NODE_IP --file configs/worker.yaml At this point your VMs will reboot. -## Bootstrapping the Cluster +## Bootstrapping the cluster After your VMs restart, you can bootstrap the cluster. Bootstrap simply means starting up your Kubernetes cluster for the first time. diff --git a/public/talos/v1.12/platform-specific-installations/virtualized-platforms/proxmox.mdx b/public/talos/v1.12/platform-specific-installations/virtualized-platforms/proxmox.mdx index 88554955..c79d080f 100644 --- a/public/talos/v1.12/platform-specific-installations/virtualized-platforms/proxmox.mdx +++ b/public/talos/v1.12/platform-specific-installations/virtualized-platforms/proxmox.mdx @@ -9,7 +9,7 @@ import { release_v1_12 } from '/snippets/custom-variables.mdx'; In this guide we will create a Kubernetes cluster using Proxmox. -## Video Walkthrough +## Video walkthrough To see a live demo of this writeup, visit Youtube here: @@ -17,7 +17,7 @@ To see a live demo of this writeup, visit Youtube here: ## Installation -### How to Get Proxmox +### How to get Proxmox It is assumed that you have already installed Proxmox onto the server you wish to create Talos VMs on. Visit the [Proxmox](https://www.proxmox.com/en/downloads) downloads page if necessary. @@ -32,7 +32,7 @@ brew install siderolabs/tap/talosctl For manual installation and other platforms please see the [talosctl installation guide](../../getting-started/talosctl ). -### Download ISO Image +### Download ISO image In order to install Talos in Proxmox, you will need the ISO image from [Image Factory](https://www.talos.dev/latest/talos-guides/install/boot-assets/#image-factory). 
@@ -188,7 +188,7 @@ You can also repeat this for additional nodes desired. > Doing so will cause Talos to be unable to see all available memory and have insufficient memory to complete > installation of the cluster. -## Start Control Plane Node +## Start control plane node Once the VMs have been created and updated, start the VM that will be the first control plane node. This VM will boot the ISO image specified earlier and enter "maintenance mode". @@ -226,7 +226,7 @@ linux /boot/vmlinuz init_on_alloc=1 slab_nomerge pti=on panic=0 consoleblank=0 p Then press Ctrl-x or F10 -## Generate Machine Configurations +## Generate machine configurations With the IP address above, you can now generate the machine configurations to use for installing Talos and Kubernetes. Issue the following command, updating the output directory, cluster name, and control plane IP as you see fit: @@ -264,7 +264,7 @@ talosctl gen config talos-proxmox-cluster https://$CONTROL_PLANE_IP:6443 --outpu - If you did include the extension, go to your VM → **Options** and set **QEMU Guest Agent** to **Enabled**. -## Create Control Plane Node +## Create control plane node Using the `controlplane.yaml` generated above, you can now apply this config using talosctl. Issue: @@ -279,7 +279,7 @@ The VM will remain in stage `Booting` until the bootstrap is completed in a late > Note: This process can be repeated multiple times to create an HA control plane. -## Create Worker Node +## Create worker node Create at least a single worker node using a process similar to the control plane creation above. Start the worker node VM and wait for it to enter "maintenance mode". 
@@ -293,7 +293,7 @@ talosctl apply-config --insecure --nodes $WORKER_IP --file _out/worker.yaml > Note: This process can be repeated multiple times to add additional workers. -## Using the Cluster +## Using the cluster Once the cluster is available, you can make use of `talosctl` and `kubectl` to interact with the cluster. For example, to view current running containers, run `talosctl containers` for a list of containers in the `system` namespace, or `talosctl containers -k` for the `k8s.io` namespace. @@ -307,7 +307,7 @@ talosctl config endpoint $CONTROL_PLANE_IP talosctl config node $CONTROL_PLANE_IP ``` -### Bootstrap Etcd +### Bootstrap etcd ```bash talosctl bootstrap @@ -323,7 +323,7 @@ talosctl kubeconfig . ## Troubleshooting -### Cluster Creation Issues +### Cluster creation issues If `talosctl cluster create` fails with disk controller errors: @@ -337,7 +337,7 @@ If `talosctl cluster create` fails with disk controller errors: talosctl cluster create --disks scsi:10GiB ``` -### Network Connectivity Issues +### Network connectivity issues If nodes fail to obtain IP addresses or show "network is unreachable" errors: @@ -361,10 +361,10 @@ If nodes fail to obtain IP addresses or show "network is unreachable" errors: - **Bootstrap hangs**: If bootstrap hangs or disks aren't discovered, verify you're using **VirtIO SCSI** (not "VirtIO SCSI Single") - **Disk not found**: Check disk path using `talosctl get disks --insecure --nodes $CONTROL_PLANE_IP` and update `install.disk` in machine config if needed (e.g., `install.disk: /dev/vda`) -### Secure Boot +### Secure boot For Secure Boot setup, see the [Secure Boot documentation](../bare-metal-platforms/secureboot). -## Cleaning Up +## Cleaning up To cleanup, simply stop and delete the virtual machines from the Proxmox UI. 
diff --git a/public/talos/v1.12/platform-specific-installations/virtualized-platforms/vmware.mdx b/public/talos/v1.12/platform-specific-installations/virtualized-platforms/vmware.mdx index 71157cbb..07185b3d 100644 --- a/public/talos/v1.12/platform-specific-installations/virtualized-platforms/vmware.mdx +++ b/public/talos/v1.12/platform-specific-installations/virtualized-platforms/vmware.mdx @@ -7,12 +7,12 @@ aliases: import { release_v1_12, release_branch_v1_12 } from '/snippets/custom-variables.mdx'; -## Creating a Cluster via the `govc` CLI +## Creating a cluster via the `govc` CLI In this guide we will create an HA Kubernetes cluster with 2 worker nodes. We will use the `govc` cli which can be downloaded [here](https://github.com/vmware/govmomi/tree/master/govc#installation). -## Prereqs/Assumptions +## Prerequisites This guide will use the virtual IP ("VIP") functionality that is built into Talos in order to provide a stable, known IP for the Kubernetes control plane. This simply means the user should pick an IP on their "VM Network" to designate for this purpose and keep it handy for future steps. @@ -24,9 +24,9 @@ To check your version of ESXi refer to the following Broadcom More information regarding virtual machine hardware versions can be found in the following Broadcom [KB article](https://knowledge.broadcom.com/external/article/315655/virtual-machine-hardware-versions.html). -## Create the Machine Configuration Files +## Create the machine configuration files -### Generating Base Configurations +### Generating base configurations Using the VIP chosen in the prereq steps, we will now generate the base configuration files for the Talos machines. This can be done with the `talosctl gen config ...` command. 
@@ -66,7 +66,7 @@ created talosconfig At this point, you can modify the generated configs to your liking if needed. Optionally, you can specify additional patches by adding to the `cp.patch.yaml` file downloaded earlier, or create your own patch files. -### Validate the Configuration Files +### Validate the configuration files ```bash $ talosctl validate --config controlplane.yaml --mode cloud @@ -90,7 +90,7 @@ cluster: - --flannel-backend=host-gw ``` -## Set Environment Variables +## Set environment variables `govc` makes use of the following environment variables @@ -111,13 +111,13 @@ export GOVC_DATASTORE= export GOVC_NETWORK= ``` -## Choose Install Approach +## Choose install approach As part of this guide, we have a more automated install script that handles some of the complexity of importing OVAs and creating VMs. If you wish to use this script, we will detail that next. If you wish to carry out the manual approach, simply skip ahead to the "Manual Approach" section. -### Scripted Install +### Scripted install Download the `vmware.sh` script to your local machine. You can do this by issuing: @@ -142,7 +142,7 @@ To create a content library and import the Talos OVA corresponding to the mentio ./vmware.sh upload_ova ``` -#### Create Cluster +#### Create cluster With the OVA uploaded to the content library, you can create a 5 node (by default) cluster with 3 control plane and 2 worker nodes: @@ -154,7 +154,7 @@ This step will create a VM from the OVA, edit the settings based on the env vari You may now skip past the "Manual Approach" section down to "Bootstrap Cluster". -### Manual Approach +### Manual approach #### Import the OVA into vCenter @@ -180,7 +180,7 @@ Import the OVA to the library with: govc library.import -n talos-${TALOS_VERSION} /path/to/downloaded/talos.ova ``` -#### Create the Bootstrap Node +#### Create the bootstrap node We'll clone the OVA to create the bootstrap node (our first control plane node). 
@@ -199,7 +199,7 @@ govc vm.change \ -vm control-plane-1 ``` -#### Update Hardware Resources for the Bootstrap Node +#### Update hardware resources for the bootstrap node - `-c` is used to configure the number of cpus - `-m` is used to configure the amount of memory (in MB) @@ -221,7 +221,7 @@ govc vm.disk.change -vm control-plane-1 -disk.name disk-1000-0 -size 10G govc vm.power -on control-plane-1 ``` -#### Create the Remaining Control Plane Nodes +#### Create the remaining control plane nodes ```bash govc library.deploy /talos-${TALOS_VERSION} control-plane-2 @@ -261,7 +261,7 @@ govc vm.power -on control-plane-2 govc vm.power -on control-plane-3 ``` -#### Update Settings for the Worker Nodes +#### Update settings for the worker nodes ```bash govc library.deploy /talos-${TALOS_VERSION} worker-1 @@ -301,7 +301,7 @@ govc vm.power -on worker-1 govc vm.power -on worker-2 ``` -#### Bootstrap Cluster +#### Bootstrap cluster In the vSphere UI, open a console to one of the control plane nodes. You should see some output stating that etcd should be bootstrapped. diff --git a/public/talos/v1.12/platform-specific-installations/virtualized-platforms/xenorchestra.mdx b/public/talos/v1.12/platform-specific-installations/virtualized-platforms/xenorchestra.mdx index b285c898..417e939e 100644 --- a/public/talos/v1.12/platform-specific-installations/virtualized-platforms/xenorchestra.mdx +++ b/public/talos/v1.12/platform-specific-installations/virtualized-platforms/xenorchestra.mdx @@ -53,7 +53,7 @@ It is recommended to use the Talos image with the system extension `siderolabs/x This section explains how to create a reusable Talos VM template in Xen Orchestra. -### Recommended Configuration for VMs +### Recommended configuration for VMs Before you begin, familiarize yourself with Talos' [system requirements](../../getting-started/system-requirements) and allocate resources accordingly. 
@@ -296,7 +296,7 @@ talosctl services --nodes ${CONTROL_PLANE_IP} | grep xen-guest-agent If it does not appear, the node is not yet in a `bootstrappable` state. -#### Bootstrap Etcd +#### Bootstrap etcd Initialize the Etcd cluster: diff --git a/public/talos/v1.12/security/ca-rotation.mdx b/public/talos/v1.12/security/ca-rotation.mdx index c530d056..07a70deb 100644 --- a/public/talos/v1.12/security/ca-rotation.mdx +++ b/public/talos/v1.12/security/ca-rotation.mdx @@ -29,7 +29,7 @@ Both rotation flows are described in detail below. ## Talos API -### Automated Talos API CA Rotation +### Automated Talos API CA rotation Talos API CA rotation doesn't interrupt connections within the cluster, and it doesn't require a reboot of the nodes. @@ -108,7 +108,7 @@ If other client access `talosconfig` files needs to be generated, use `talosctl > Note: if using [Talos API access from Kubernetes](../../../kubernetes-guides/advanced-guides/talos-api-access-from-k8s) feature, pods might need to be restarted manually to pick up new `talosconfig`. -### Manual Steps for Talos API CA Rotation +### Manual steps for Talos API CA rotation 1. Generate new Talos CA (e.g. use `talosctl gen secrets` and use Talos CA). 2. Patch machine configuration on all nodes updating `.machine.acceptedCAs` with new CA certificate. @@ -120,7 +120,7 @@ If other client access `talosconfig` files needs to be generated, use `talosctl ## Kubernetes API -### Automated Kubernetes API CA Rotation +### Automated Kubernetes API CA rotation The automated process only rotates Kubernetes API CA, used by the `kube-apiserver`, `kubelet`, etc. Other Kubernetes secrets might need to be rotated manually as required. 
@@ -182,7 +182,7 @@ New `kubeconfig` can be fetched with `talosctl kubeconfig` command from the clus Kubernetes pods might need to be restarted manually to pick up changes to the Kubernetes API CA. -### Manual Steps for Kubernetes API CA Rotation +### Manual steps for Kubernetes API CA rotation Steps are similar [to the Talos API CA rotation](#manual-steps-for-talos-api-ca-rotation), but use: diff --git a/public/talos/v1.12/security/cert-management.mdx b/public/talos/v1.12/security/cert-management.mdx index a08c257b..24646df0 100644 --- a/public/talos/v1.12/security/cert-management.mdx +++ b/public/talos/v1.12/security/cert-management.mdx @@ -16,9 +16,9 @@ Each time you download the `kubeconfig` file from a Talos Linux cluster, the cli The `talosconfig` file should be renewed at least once a year, using the `talosctl config new` command, as shown below, or by one of the other methods. -## Generating New Client Configuration +## Generating new client configuration -### Using Controlplane Node +### Using control plane node If you have a valid (not expired) `talosconfig` with `os:admin` role, a new client configuration file can be generated with `talosctl config new` against @@ -30,7 +30,7 @@ talosctl -n CP1 config new talosconfig-reader --roles os:reader --crt-ttl 24h A specific [role](./rbac) and certificate lifetime can be specified. -### From Secrets Bundle +### From secrets bundle If a secrets bundle (`secrets.yaml` from `talosctl gen secrets`) was saved while [generating machine configuration](../getting-started/#configure-talos): 
@@ -41,7 +41,7 @@ talosctl gen config --with-secrets secrets.yaml --output-types talosconfig -o ta > Note: `` and `` arguments don't matter, as they are not used for `talosconfig`. -### From Control Plane Machine Configuration +### From control plane machine configuration In order to create a new key pair for client configuration, you will need the root Talos API CA. The base64 encoded CA can be found in the control plane node's configuration file. diff --git a/public/talos/v1.12/security/iam-roles-for-service-accounts.mdx b/public/talos/v1.12/security/iam-roles-for-service-accounts.mdx index 7d5532e2..3dfc89fd 100644 --- a/public/talos/v1.12/security/iam-roles-for-service-accounts.mdx +++ b/public/talos/v1.12/security/iam-roles-for-service-accounts.mdx @@ -204,7 +204,7 @@ Patch your Talos `machineconfig` to use the new Service Account issuer and signi talosctl apply-config --nodes --file machineconfig-patch.yaml ``` -## Step 3: Install Required Kubernetes Components +## Step 3: Install required Kubernetes components Two components are required on the cluster: `cert-manager` and `amazon-eks-pod-identity-webhook`. diff --git a/public/talos/v1.12/security/verifying-images.mdx b/public/talos/v1.12/security/verifying-images.mdx index 96a5603f..69dc0d22 100644 --- a/public/talos/v1.12/security/verifying-images.mdx +++ b/public/talos/v1.12/security/verifying-images.mdx @@ -11,7 +11,7 @@ Sidero Labs signs the container images generated for the Talos release with [cos * `ghcr.io/siderolabs/imager` (Talos install image generator) * all [system extension images](https://github.com/siderolabs/extensions/) -## Verifying Container Image Signatures +## Verifying container image signatures The `cosign` tool can be used to verify the signatures of the Talos container images: 
@@ -29,7 +29,7 @@ The following checks were performed on each of these signatures: The image should be signed using [cosign certificate authority flow](https://docs.sigstore.dev/certificate_authority/certificate-issuing-overview/) by a Sidero Labs employee with and email from `siderolabs.com` domain. -## Reproducible Builds +## Reproducible builds Talos builds for `kernel`, `initramfs`, `talosctl`, ISO image, and container images are reproducible. So you can verify that the build is the same as the one as provided on [GitHub releases page](https://github.com/siderolabs/talos/releases). diff --git a/public/talos/v1.13/advanced-guides/SBOM.mdx b/public/talos/v1.13/advanced-guides/SBOM.mdx index d296ba3a..6c9aef72 100644 --- a/public/talos/v1.13/advanced-guides/SBOM.mdx +++ b/public/talos/v1.13/advanced-guides/SBOM.mdx @@ -23,7 +23,7 @@ You can acquire SBOMs for Talos Linux in the following ways: * core Talos Linux SBOM in the `/usr/share/spdx` directory. * extension SBOMs in the `/usr/local/share/spdx` directory. -## SBOMs as Resources +## SBOMs as resources Talos Linux SBOMs are also available as resources in the Talos Linux system. You can access the SBOMs using the `talosctl` command: diff --git a/public/talos/v1.13/advanced-guides/migrating-from-kubeadm.mdx b/public/talos/v1.13/advanced-guides/migrating-from-kubeadm.mdx index ee82612e..54b8a0e5 100644 --- a/public/talos/v1.13/advanced-guides/migrating-from-kubeadm.mdx +++ b/public/talos/v1.13/advanced-guides/migrating-from-kubeadm.mdx @@ -148,7 +148,7 @@ you can do the following: If the are not, modify all the labels fields, save the file, delete your current kube-proxy daemonset, and apply the one you modified. -## Limitations on Custom PKI +## Limitations on custom PKI Talos always uses a per-cluster PKI model. During bootstrap, Talos expects a single root CA to issue all other certificates, including those for etcd, the Kubernetes API server, and the front-proxy. 
@@ -157,4 +157,4 @@ Talos does not support kubeadm PKIs that rely on intermediate CAs (for example, By design, both `--cluster-signing-cert-file` and `--root-ca-file` point to the same CA certificate, and these values cannot be overridden. If your kubeadm cluster uses an intermediate CA hierarchy, you cannot directly reuse that PKI with Talos. -Instead, you must regenerate certificates using the Talos per-cluster CA model. \ No newline at end of file +Instead, you must regenerate certificates using the Talos per-cluster CA model. diff --git a/public/talos/v1.13/build-and-extend-talos/cluster-operations-and-maintenance/cgroups-analysis.mdx b/public/talos/v1.13/build-and-extend-talos/cluster-operations-and-maintenance/cgroups-analysis.mdx index dbab4854..a7aa3cc3 100644 --- a/public/talos/v1.13/build-and-extend-talos/cluster-operations-and-maintenance/cgroups-analysis.mdx +++ b/public/talos/v1.13/build-and-extend-talos/cluster-operations-and-maintenance/cgroups-analysis.mdx @@ -262,7 +262,6 @@ In the swap view, the following columns are displayed: * `SwapHigh`: the high swap limit of the cgroup * `SwapMax`: the maximum swap limit of the cgroup - ### `psi` ```bash @@ -314,7 +313,7 @@ In the PSI view, the following columns are displayed: * `CpuPsi10`: avg10 of the `full` PSI value for CPU pressure * `IoPsi10`: avg10 of the `full` PSI value for I/O pressure -## Custom Schemas +## Custom schemas The `talosctl cgroups` command allows you to define custom schemas to display the cgroups information in a specific way. The schema is defined in a YAML file with the following structure: diff --git a/public/talos/v1.13/build-and-extend-talos/cluster-operations-and-maintenance/disaster-recovery.mdx b/public/talos/v1.13/build-and-extend-talos/cluster-operations-and-maintenance/disaster-recovery.mdx index c7e2edda..ae21b140 100644 --- a/public/talos/v1.13/build-and-extend-talos/cluster-operations-and-maintenance/disaster-recovery.mdx 
+++ b/public/talos/v1.13/build-and-extend-talos/cluster-operations-and-maintenance/disaster-recovery.mdx @@ -15,7 +15,7 @@ in case of catastrophic failure. ## Backup -### Snapshotting `etcd` Database +### Snapshot `etcd` database Create a consistent snapshot of `etcd` database with `talosctl etcd snapshot` command: @@ -31,7 +31,7 @@ This database snapshot can be taken on any healthy control plane node (with IP a as all `etcd` instances contain exactly same data. It is recommended to configure `etcd` snapshots to be created on some schedule to allow point-in-time recovery using the latest snapshot. -### Disaster Database Snapshot +### Disaster database snapshot If the `etcd` cluster is not healthy (for example, if quorum has already been lost), the `talosctl etcd snapshot` command might fail. In that case, copy the database snapshot directly from the control plane node: @@ -43,7 +43,7 @@ talosctl -n cp /var/lib/etcd/member/snap/db . This snapshot might not be fully consistent (if the `etcd` process is running), but it allows for disaster recovery when latest regular snapshot is not available. -### Machine Configuration +### Machine configuration Machine configuration might be required to recover the node after hardware failure. Backup Talos node machine configuration with the command: @@ -62,12 +62,12 @@ Before starting a disaster recovery procedure, make sure that `etcd` cluster can If the quorum can be restored, restoring quorum might be a better strategy than performing full disaster recovery procedure. -### Latest Etcd Snapshot +### Latest etcd snapshot Get hold of the latest `etcd` database snapshot. If a snapshot is not fresh enough, create a database snapshot (see above), even if the `etcd` cluster is unhealthy. -### Init Node +### Init node Make sure that there are no control plane nodes with machine type `init`: 
@@ -83,7 +83,7 @@ Init node type is deprecated, and are incompatible with `etcd` recovery procedur `init` node can be converted to `controlplane` type with `talosctl edit mc --mode=staged` command followed by node reboot with `talosctl reboot` command. -### Preparing Control Plane Nodes +### Prepare control plane nodes If some control plane nodes experienced hardware failure, replace them with new nodes. @@ -102,7 +102,7 @@ At this point, all control plane nodes should boot up, and `etcd` service should The Kubernetes control plane endpoint should be pointed to the new control plane nodes if there were changes to the node addresses. -### Recovering from the Backup +### Recover from the Backup Make sure all `etcd` service instances are in `Preparing` state: @@ -141,7 +141,7 @@ Now `etcd` service should become healthy on the bootstrap node, Kubernetes contr should start and control plane endpoint should become available. Remaining control plane nodes join `etcd` cluster once control plane endpoint is up. -## Single Control Plane Node Cluster +## Single control plane node cluster This guide applies to the single control plane clusters as well. In fact, it is much more important to take regular snapshots of the `etcd` database in single control plane node diff --git a/public/talos/v1.13/build-and-extend-talos/cluster-operations-and-maintenance/etcd-maintenance.mdx b/public/talos/v1.13/build-and-extend-talos/cluster-operations-and-maintenance/etcd-maintenance.mdx index af617cce..481ef21e 100644 --- a/public/talos/v1.13/build-and-extend-talos/cluster-operations-and-maintenance/etcd-maintenance.mdx +++ b/public/talos/v1.13/build-and-extend-talos/cluster-operations-and-maintenance/etcd-maintenance.mdx 
@@ -8,7 +8,7 @@ description: "Operational instructions for etcd database." > Note: Commands from `talosctl etcd` namespace are functional only on the Talos control plane nodes. > Each time you see `` in this page, it is referencing IP address of control plane node. -## Space Quota +## Space quota `etcd` default database space quota is set to 2 GiB by default. If the database size exceeds the quota, `etcd` will stop operations until the issue is resolved. @@ -112,7 +112,7 @@ Should something go wrong with the downgrade, it is possible to use this backup This example shows how to downgrade an `etcd` in Talos cluster. -### Step 1: Check Downgrade Requirements +### Step 1: Check downgrade Requirements Is the cluster healthy and running v3.6.x? @@ -132,11 +132,11 @@ Is the cluster healthy and running v3.6.x? -### Step 2: Download Snapshot +### Step 2: Download snapshot [Download the snapshot backup](./disaster-recovery) to provide a downgrade path should any problems occur. -### Step 3: Validate Downgrade +### Step 3: Validate downgrade Validate the downgrade target version before enabling the downgrade: @@ -157,7 +157,7 @@ Validate the downgrade target version before enabling the downgrade: -### Step 4: Enable Downgrade +### Step 4: Enable downgrade @@ -199,7 +199,7 @@ Confirm the storage version of all servers has been migrated to v3.5 by checking > Note: Once downgrade is enabled, the cluster will remain operating with v3.5 protocol even if all the servers are still running the v3.6 binary, unless the downgrade is canceled with `talosctl -n downgrade cancel`. -### Step 5: Patch Machine Config +### Step 5: Patch machine configuration Before patching the node, check if the etcd is leader. We recommend downgrading the leader last. 
@@ -260,7 +260,7 @@ Verify that each member, and then the entire cluster, becomes healthy with the n -### Step 6: Continue on the Remaining Control Plane Nodes +### Step 6: Continue on the remaining control plane nodes When all members are downgraded, check the health and status of the cluster, and confirm the minor version of all members is v3.5, and storage version is empty: @@ -282,4 +282,4 @@ When all members are downgraded, check the health and status of the cluster, and ``` - \ No newline at end of file + diff --git a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/building-images.mdx b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/building-images.mdx index 13cb5ea8..6327154f 100644 --- a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/building-images.mdx +++ b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/building-images.mdx @@ -10,7 +10,7 @@ There might be several reasons to build Talos images from source: * verifying the [image integrity](../../security/verifying-images) * building an image with custom configuration -## Checkout Talos Source +## Checkout Talos source ```bash git clone https://github.com/siderolabs/talos.git @@ -20,7 +20,7 @@ If building for a specific release, checkout the corresponding tag: {`git checkout ${release_v1_13}`} -## Set up the Build Environment +## Set up the build environment See [Developing Talos](./developing-talos) for details on setting up the buildkit builder. @@ -51,7 +51,7 @@ Talos images compatible with old AMD64 CPUs: make GOAMD64=v1 ``` -## Building Kernel and Initramfs +## Building kernel and initramfs The most basic boot assets can be built with: @@ -61,7 +61,7 @@ make kernel initramfs Build result will be stored as `_out/vmlinuz-` and `_out/initramfs-.xz`. -## Building Container Images +## Building container images Talos container images should be pushed to the registry as the result of the build process. 
@@ -108,7 +108,7 @@ If ISO image should be built with the custom `imager` image, it can be specified make iso IMAGE_REGISTRY=docker.io USERNAME= ``` -## Building Disk Images +## Building disk images The disk image is built with the help of `imager` container image, by default `ghcr.io/siderolabs/imager` will be used with the matching tag: diff --git a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/customizing-the-kernel.mdx b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/customizing-the-kernel.mdx index 9bddfa37..a63ef057 100644 --- a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/customizing-the-kernel.mdx +++ b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/customizing-the-kernel.mdx @@ -22,7 +22,7 @@ In order to build a custom kernel (or a custom kernel module), the following ste We will go through each step in detail. -## Building a Custom Kernel +## Building a custom kernel First, you might need to prepare the build environment, follow the [Building Custom Images](./building-images) guide. @@ -66,7 +66,7 @@ make kernel REGISTRY=127.0.0.1:5005 PUSH=true PLATFORM=linux/amd64 This will create a container image `127.0.0.1:5005/siderolabs/kernel:$TAG` with the kernel and modules. -## Building Talos Base Artifacts +## Building Talos base artifacts Follow the [Building Custom Images](./building-images) guide to set up the Talos source code checkout. 
@@ -91,7 +91,7 @@ make imager PKG_KERNEL=127.0.0.1:5005/siderolabs/kernel:$TAG PLATFORM=linux/amd6 > Note: if you built the kernel for both `amd64` and `arm64`, a multi-arch `imager` container can be built as well by specifying `INSTALLER_ARCH=all` and `PLATFORM=linux/amd64,linux/arm64`. -## Building Talos Boot Assets +## Building Talos boot assets Follow the [Boot Assets](../../platform-specific-installations/boot-assets) guide to build Talos boot assets you might need to boot Talos: ISO, `installer` image, etc. Replace the reference to the `imager` in guide with the reference to the `imager` container built above. diff --git a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/developing-talos.mdx b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/developing-talos.mdx index 2067d79b..0405bede 100644 --- a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/developing-talos.mdx +++ b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/developing-talos.mdx @@ -91,7 +91,7 @@ sudo --preserve-env=HOME _out/talosctl- cluster create \ > > `talosctl cluster create` derives Talos machine configuration version from the install image tag, so sometimes early in the development cycle (when new minor tag is not released yet), machine config version can be overridden with `--talos-version=${version_v1_13}`. -## Console Logs +## Console logs Watching console logs is easy with `tail`: @@ -121,7 +121,7 @@ You can deploy some Kubernetes workloads to the cluster. You can edit machine config on the fly with `talosctl edit mc --immediate`, config patches can be applied via `--config-patch` flags, also many features have specific flags in `talosctl cluster create`. -## Quick Reboot +## Quick reboot To reboot whole cluster quickly (e.g. to pick up a change made in the code): 
@@ -133,7 +133,7 @@ Sending `q` to a single socket allows to reboot a single node. > Note: This command performs immediate reboot (as if the machine was powered down and immediately powered back up), for normal Talos reboot use `talosctl reboot`. -## Development Cycle +## Development cycle Fast development cycle: @@ -146,7 +146,7 @@ Fast development cycle: Some aspects of Talos development require to enable bootloader (when working on `installer` itself), in that case quick development cycle is no longer possible, and cluster should be destroyed and recreated each time. -## Running Integration Tests +## Running integration tests If integration tests were changed (or when running them for the first time), first rebuild the integration test binary: @@ -168,7 +168,7 @@ Whole test suite can be run removing `-test.short` flag. Specfic tests can be run with `-test.run=TestIntegration/api.ResetSuite`. -## Build Flavors +## Build flavors `make WITH_RACE=1` enables Go race detector, Talos runs slower and uses more memory, but memory races are detected. @@ -178,7 +178,7 @@ Specfic tests can be run with `-test.run=TestIntegration/api.ResetSuite`. Combine with `--with-debug-shell` flag when creating cluster to obtain shell access. This is uncommonly used as in this case the bash shell will run in place of machined. -## Destroying Cluster +## Destroying cluster ```bash sudo --preserve-env=HOME ../talos/_out/talosctl-linux-amd64 cluster destroy --provisioner=qemu @@ -218,7 +218,7 @@ Running tests as root can be done with `-exec` flag to `go test`, but this is ri go test -exec sudo -v ./internal/app/machined/pkg/controllers/network/... ``` -## Go Profiling +## Go profiling Build `initramfs` with debug enabled: `make initramfs WITH_DEBUG=1`. 
@@ -234,7 +234,7 @@ The IP address `172.20.0.2` is the address of the Talos node, and port `:9982` d - 9982: `machined` - 9983: `trustd` -## Testing Air-gapped Environments +## Testing air-gapped environments There is a hidden `talosctl debug air-gapped` command which launches two components: @@ -300,7 +300,7 @@ The following lines should appear in the output of the `talosctl debug air-gappe There might be more output depending on the registry caches being used or not. -## Running Upgrade Integration Tests +## Running upgrade integration tests Talos has a separate set of provision upgrade tests, which create a cluster on older versions of Talos, perform an upgrade, and verify that the cluster is still functional. diff --git a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/oci-base-spec.mdx b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/oci-base-spec.mdx index 457f1abb..c1c5b69c 100644 --- a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/oci-base-spec.mdx +++ b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/oci-base-spec.mdx @@ -9,7 +9,7 @@ While certain aspects of this specification can be modified through Kubernetes p Talos Linux provides the capability to adjust the OCI base runtime specification for all containers managed by the CRI. However, it is important to note that the Kubernetes/CRI plugin may still override some settings, meaning changes to the base runtime specification are not always guaranteed to take effect. -## Getting Current OCI Base Runtime Specification +## Getting current OCI base runtime specification To get the current OCI base runtime specification, you can use the following command (`yq -P .` is used to pretty-print the output): 
@@ -29,7 +29,7 @@ process: The output might depend on a specific Talos (`containerd`) version. -## Adjusting OCI Base Runtime Specification +## Adjusting OCI base runtime specification To adjust the OCI base runtime specification, the following machine configuration patch can be used: diff --git a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/overlays.mdx b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/overlays.mdx index 9bf14b62..a4a6d2b0 100644 --- a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/overlays.mdx +++ b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/overlays.mdx 
@@ -8,27 +8,26 @@ Overlays provide a way to customize Talos Linux boot image. Overlays hook into the Talos install steps and can be used to provide additional boot assets (in the case of single board computers), extra kernel arguments or some custom configuration that is not part of the default Talos installation and specific to a particular overlay. -## Overlays v/s Extensions +## Overlays v/s extensions Overlays are similar to extensions, but they are used to customize the installation process, while extensions are used to customize the root filesystem. -## Official Overlays +## Official overlays The list of official overlays can be found in the [Overlays GitHub repository](https://github.com/siderolabs/overlays/). -## Using Overlays +## Using overlays Overlays can be used to generate a modified metal image or installer image with the overlay applied. The process of generating boot assets with overlays is described in the [boot assets guide](../../platform-specific-installations/boot-assets). -### Example: Booting a Raspberry Pi 4 with an Overlay +### Example: Boot a Raspberry Pi 4 with an overlay Follow the board specific guide for [Raspberry Pi](../../platform-specific-installations/single-board-computers/rpi_generic) to download or generate the metal disk image and write to an SD card. Boot the machine with the boot media and apply the machine configuration with the installer image that has the overlay applied. - {`# Talos machine configuration patch machine: 
@@ -40,14 +39,14 @@ machine: > Note: The schematic id shown in the above patch is for a vanilla `rpi_generic` overlay. > Replace it with the schematic id of the overlay you want to apply. -## Authoring Overlays +## Author overlays An Overlay is a container image with the [specific folder structure](https://github.com/siderolabs/overlays#readme). Overlays can be built and managed using any tool that produces container images, e.g. `docker build`. Sidero Labs maintains a [repository of overlays](https://github.com/siderolabs/overlays). -### Developing An Overlay +### Develop an overlay Let's assume that you would like to contribute an overlay for a specific board, e.g. by contributing to the [`sbc-rockchip` repository](https://github.com/siderolabs/sbc-rockchip). Clone the repositry and insepct the existing overlays to understand the structure. diff --git a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/system-extensions.mdx b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/system-extensions.mdx index 989b9de5..acab7caf 100644 --- a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/system-extensions.mdx +++ b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/system-extensions.mdx @@ -12,7 +12,7 @@ container runtimes, loading additional firmware, etc. System extensions are only activated during the installation or upgrade of Talos Linux. With system extensions installed, the Talos root filesystem is still immutable and read-only. -## Official System Extension Tiers +## Official system extension tiers Talos Linux provides a number of [official system extensions](https://github.com/siderolabs/extensions), which are split into the following tiers based on support level: 
@@ -31,7 +31,7 @@ tiers based on support level: | CVE Scan | 🟢 | ✔️ (scan is done, but CVEs don’t block the release) | ❌ | | Compatibility/Build issues | 🟢 | ✔️ (best effort) | ❌ (extension will be disabled if it fails to build) | -## Installing System Extensions +## Install system extensions > Note: the way to install system extensions in the `.machine.install` section of the machine configuration is now deprecated. @@ -49,7 +49,7 @@ both initial boot assets and disk images/`installer`, or just the `installer`. The process of generating boot assets with extensions included is described in the [boot assets guide](../../platform-specific-installations/boot-assets). -### Example: Booting from an ISO +### Example: Boot from an ISO Let's assume NVIDIA extension is required on a bare metal machine which is going to be booted from an ISO. As NVIDIA extension is not required for the initial boot and install step, it is sufficient to include the extension in the `installer` image only. @@ -63,7 +63,7 @@ As NVIDIA extension is not required for the initial boot and install step, it is When it's time to upgrade Talos, generate a custom `installer` container for a new version of Talos, push it to a registry, and perform upgrade pointing to the custom `installer` image. -### Example: Disk Image +### Example: Disk image Let's assume NVIDIA extension is required on AWS VM. 
@@ -75,14 +75,14 @@ Let's assume NVIDIA extension is required on AWS VM. When it's time to upgrade Talos, either repeat steps 1-4 to replace the VM with a new AMI, or like in the previous example, generate a custom `installer` and use it to upgrade Talos in-place. -## Authoring System Extensions +## Author system extensions A Talos system extension is a container image with the [specific folder structure](https://github.com/siderolabs/extensions?tab=readme-ov-file#building-extensions). System extensions can be built and managed using any tool that produces container images, e.g. `docker build`. Sidero Labs maintains a [repository of system extensions](https://github.com/siderolabs/extensions). -## Resource Definitions +## Resource definitions Use `talosctl get extensions` to get a list of system extensions: diff --git a/public/talos/v1.13/configure-your-talos-cluster/hardware-and-drivers/amd-gpu.mdx b/public/talos/v1.13/configure-your-talos-cluster/hardware-and-drivers/amd-gpu.mdx index 9c153d3d..2e5cf35d 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/hardware-and-drivers/amd-gpu.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/hardware-and-drivers/amd-gpu.mdx @@ -8,7 +8,7 @@ To make those GPUs available to Kubernetes workloads, you can deploy the ROCm GP This guide shows how to enable AMD GPU support on your Talos nodes, apply any tuning your hardware might need, and install ROCm inside your cluster. -## Before You Begin +## Before you begin You’ll need: @@ -70,7 +70,7 @@ What these parameters do: - `amdgpu.gttsize`: Increases the GPU GTT memory size for workloads that allocate large buffers - `ttm.pages_limit`: Raises the TTM memory limit for large model workloads. -## Deploy the ROCm GPU Operator +## Deploy the ROCm GPU operator With GPU support enabled at the OS level, you can deploy the ROCm GPU Operator to surface GPU resources to Kubernetes workloads. 
diff --git a/public/talos/v1.13/configure-your-talos-cluster/hardware-and-drivers/nvidia-gpu-proprietary.mdx b/public/talos/v1.13/configure-your-talos-cluster/hardware-and-drivers/nvidia-gpu-proprietary.mdx index c345cc4b..b77c5aa3 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/hardware-and-drivers/nvidia-gpu-proprietary.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/hardware-and-drivers/nvidia-gpu-proprietary.mdx @@ -21,7 +21,7 @@ Create the [boot assets](../../platform-specific-installations/boot-assets) whic > Make sure the driver version matches for both the `nonfree-kmod-nvidia` and `nvidia-container-toolkit` extensions. > The `nonfree-kmod-nvidia` extension is versioned as `-` and the `nvidia-container-toolkit` extension is versioned as `-`. -## Proprietary vs OSS Nvidia Driver Support +## Proprietary vs OSS Nvidia driver support The NVIDIA Linux GPU Driver contains several kernel modules: `nvidia.ko`, `nvidia-modeset.ko`, `nvidia-uvm.ko`, `nvidia-drm.ko`, and `nvidia-peermem.ko`. Two "flavors" of these kernel modules are provided, and both are available for use within Talos: diff --git a/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/containerd.mdx b/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/containerd.mdx index 5090926e..be965782 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/containerd.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/containerd.mdx @@ -9,7 +9,7 @@ The base containerd configuration expects to merge in any additional configs pre ## Examples -### Exposing Metrics +### Exposing metrics Patch the machine config by adding the following: 
@@ -35,7 +35,7 @@ container_blkio_io_service_bytes_recursive_bytes{container_id="0677d73196f5f4be1 ... ``` -### Pause Image +### Pause image This change is often required for air-gapped environments, as `containerd` CRI plugin has a reference to the `pause` image which is used to create pods, and it can't be controlled with Kubernetes pod definitions. @@ -82,7 +82,7 @@ machine: Also change the cdi spec dirs configuration in your Dynamic Resource Allocation driver, since it needs to place the discovered hardware device specs in these folders. -### Enabling NRI Plugins +### Enabling NRI plugins By default, Talos disables [NRI](https://github.com/containerd/containerd/blob/main/docs/NRI.md) plugins in `containerd`, as they might have security implications. However, if you need to enable them, you can do so by adding the following configuration: diff --git a/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/image-cache-registry-mirror.mdx b/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/image-cache-registry-mirror.mdx index 45172c46..2268c1f6 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/image-cache-registry-mirror.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/image-cache-registry-mirror.mdx @@ -13,14 +13,14 @@ To serve the image cache over HTTPS: First, build a list of images and create the cache. This example builds a minimal Talos image cache. To learn how to create an image cache, see the [Image cache documentation](./image-cache) ```bash -talosctl images default | \ +talosctl images k8s-bundle | \ talosctl images cache-create \ --images=- \ --image-cache-path=/tmp/cache \ --layout=flat ``` -## Step 2. Generate Required Certificates +## Step 2. Generate required certificates You can generate the certificates using the following command: 
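Review bot: replacing `talosctl images default` with `talosctl images k8s-bundle` leaves the surrounding sentence "This example builds a minimal Talos image cache" misleading, because the image-cache.mdx hunk in this same patch states that Talos images come from `talosctl images talos-bundle` and that the minimum for an install is `installer` and `installer-base`. Either reword to "a minimal cache of Kubernetes images" or add the talos-bundle step here as well, so a reader serving this cache over HTTPS in an air-gapped network does not end up without installer images.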
@@ -41,7 +41,7 @@ This produces: These are required for serving the cache over HTTPS. -## Step 3. Start the Image Cache Registry +## Step 3. Start the image cache registry `cache-serve` starts a lightweight, read-only registry that serves images from the cache directory. @@ -53,7 +53,7 @@ talosctl image cache-serve \ --tls-key-file=/tmp/tls.key ``` -## Step 4. Patch Talos to Trust the Registry CA +## Step 4. Patch Talos to trust the registry CA Talos requires HTTPS to pull installer images. @@ -74,7 +74,7 @@ certificates: | # including the BEGIN CERTIFICATE and END CERTIFICATE lines ``` -## Step 5. Configure Registry Mirrors +## Step 5. Configure registry mirrors Talos and Kubernetes components normally pull images from public registries such as `docker.io`, `ghcr.io`, and `registry.k8s.io`. diff --git a/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/image-cache.mdx b/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/image-cache.mdx index 5116118a..b19cbfd8 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/image-cache.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/image-cache.mdx 
@@ -10,16 +10,31 @@ This is especially useful in environments with limited or no Internet connectivi The cache is local to each machine and is automatically managed by Talos when enabled. -## Preparing Image Cache +## Preparing image cache First, build a list of image references that need to be cached. -The `talosctl images default` might be used as a starting point, but it should be customized to include additional images (e.g. custom CNI, workload images, etc.) +The `talosctl images k8s-bundle` might be used as a starting point, but it should be customized to include additional images (e.g. custom CNI, workload images, etc.) ```bash -talosctl images default > images.txt +talosctl images k8s-bundle > images.txt cat extra-images.txt >> images.txt ``` +### Air-gapped environments +If you are preparing for an air-gapped environment, you will need to cache the talos images as well. + +Starting with Talos 1.12 you can get a list of images needed from talosctl. + + +{` +talosctl images talos-bundle ${release_v1_13} >> images.txt +`} + + +or deploy an [Image Factory](../../../../omni/self-hosted/deploy-image-factory-on-prem) to host Talos images internally. + +Including all talos-bundle images will significantly increase the size of your installation media. The minimum images to install Talos include the `installer` and `installer-base` images. + Next, prepare an OCI image which contains all cached images: ```bash @@ -37,7 +52,7 @@ Example of pushing the OCI image cache directory to a container registry: crane push ./image-cache.oci my.registry/image-cache:my-cache ``` -## Building Boot Assets +## Build boot assets The image cache is provided to Talos via the boot assets. There are two supported boot asset types for the Image Cache: ISO and disk image. 
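Review bot: the new `### Air-gapped environments` section has several formatting and wording problems. There is no blank line between the heading and "If you are preparing for an air-gapped environment", unlike every other heading in the file; "talos images" should be "Talos images"; and the snippet is a bare `{`...`}` template literal with no enclosing component and no language tag, while the rest of the file uses ```bash fences. If the template form is needed to interpolate `release_v1_13`, make sure the file imports it (`import { release_v1_13 } from '/snippets/custom-variables.mdx';`, in the style logging.mdx uses for `k8s_release`), since no import appears in this hunk. The sentence "The `talosctl images k8s-bundle` might be used as a starting point" reads oddly after the rename; "`talosctl images k8s-bundle` can be used as a starting point" is cleaner. Finally, the heading conversion is inconsistent within this hunk: `## Preparing image cache` keeps the gerund while `## Build boot assets` becomes an imperative.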
@@ -67,7 +82,7 @@ The ISO image can be utilized in the following ways (which allows both booting T > Note: Third-party boot loaders, such as Ventoy, are not supported as Talos will not be able to access the image cache. -### Disk Image +### Disk image In case of disk image, the image cache is included in the disk image itself, and on boot it would be used immediately by the Talos. @@ -126,7 +141,7 @@ If the disk image is used, the `IMAGECACHE` volume doesn't need to be configured See [System Volumes](../storage-and-disk-management/disk-management/system) for more information on volume configuration. -## Updating the Image Cache +## Update the image cache The image cache is initially populated during installation from the boot media (ISO or disk image) and stored on disk. Over time, you may want to update or refresh the cached images without reinstalling the node. @@ -143,7 +158,7 @@ This process allows you to refresh cached images without rebuilding or reinstall > **Note:** You can update the image cache using any medium described in the documentation for building boot assets. The media does not need to have Talos installed or be bootable itself, it only needs to provide the cache contents. -### Limitations of Live Image Cache Updates +### Limitations of live image cache updates Only images baked into the ISO or USB are copied. There is no way to push arbitrary new images directly into the cache on a running system. diff --git a/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/pull-through-cache.mdx b/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/pull-through-cache.mdx index 5b14e81d..ec662ca8 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/pull-through-cache.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/pull-through-cache.mdx 
@@ -16,7 +16,7 @@ The same concept can extended to air-gapped or partially connected environments, There are many implementations of container registries that support pull-through caching, including [Docker Registry](https://hub.docker.com/_/registry), [Harbor](https://goharbor.io/), [Zot](https://zotregistry.dev/), and others. -## Launch the Caching Docker Registry Proxies +## Launch the caching Docker Registry proxies The Docker Registry is the simplest way to set up pull-through caching proxies. It requires to set up a separate registry container per upstream registry. @@ -50,7 +50,7 @@ docker run -d -p 5003:5000 \ As a registry container can only handle a single upstream Docker registry, we launch a container per upstream, each on its own host port (5000, 5001, 5002, 5003 and 5004). -## Configuring Talos to Use the Caching Registries +## Configuring Talos to use the caching registries Talos Linux can be configured to redirect image pulls to the caching registries using [RegistryMirrorConfig](../../reference/configuration/cri/registrymirrorconfig) configuration document. The registry mirror configuration is honored by Talos Linux itself and automatically propagated to CRI runtimes (containerd). @@ -142,7 +142,7 @@ ca: |- -----END CERTIFICATE----- ``` -## Using Harbor as a Caching Registry +## Using Harbor as a caching registry [Harbor](https://goharbor.io/) is an open source container registry that can be used as a caching proxy. Harbor supports configuring multiple upstream registries, so it can be used to cache multiple registries at once behind a single endpoint. diff --git a/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/static-pods.mdx b/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/static-pods.mdx index 02070a87..1daa4c96 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/static-pods.mdx 
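Review bot: the three headings changed in this file mix verb forms: `## Launch the caching Docker Registry proxies` is imperative, while `## Configuring Talos to use the caching registries` and `## Using Harbor as a caching registry` keep the gerund. Since all three are being edited here, pick one form ("Configure Talos to use the caching registries", "Use Harbor as a caching registry") so the page reads consistently.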
+++ b/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/static-pods.mdx @@ -75,7 +75,7 @@ $ talosctl logs kubelet 172.20.0.2: {"ts":1644505520281.427,"caller":"config/file.go:187","msg":"Could not process manifest file","path":"/etc/kubernetes/manifests/talos-default-nginx-gvisor.yaml","err":"invalid pod: [spec.containers: Required value]"} ``` -## Resource Definitions +## Resource definitions Static pod definitions are available as `StaticPod` resources combined with Talos-generated control plane static pods: diff --git a/public/talos/v1.13/configure-your-talos-cluster/lifecycle-management/resetting-a-machine.mdx b/public/talos/v1.13/configure-your-talos-cluster/lifecycle-management/resetting-a-machine.mdx index ef7504af..67f36069 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/lifecycle-management/resetting-a-machine.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/lifecycle-management/resetting-a-machine.mdx @@ -35,7 +35,7 @@ If the machine is part of an HA cluster, a normal, graceful reset should work fi However, if this is a single-node cluster used for testing purposes, a graceful reset is not an option since `etcd` cannot be "left" if there is only a single member. In this case, use the reset command with `--graceful=false` to skip checks that would normally block the reset. -## Kernel Parameter +## Kernel parameter Another method to reset a machine is by specifying the `talos.experimental.wipe=system` kernel parameter. If the machine is stuck in a boot loop and you have access to the console, you can use GRUB to specify this kernel argument. diff --git a/public/talos/v1.13/configure-your-talos-cluster/lifecycle-management/upgrading-talos.mdx b/public/talos/v1.13/configure-your-talos-cluster/lifecycle-management/upgrading-talos.mdx index 426c16d5..53b791f3 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/lifecycle-management/upgrading-talos.mdx 
+++ b/public/talos/v1.13/configure-your-talos-cluster/lifecycle-management/upgrading-talos.mdx @@ -21,7 +21,7 @@ Likewise, Talos may be manually rolled back via API (or `talosctl rollback`), wh *Note* An upgrade of the Talos Linux OS will not (since v1.0) apply an upgrade to the Kubernetes version by default. Kubernetes upgrades should be managed separately per [upgrading kubernetes](../../../../kubernetes-guides/advanced-guides/upgrading-kubernetes). -## Supported Upgrade Paths +## Supported upgrade paths Because Talos Linux is image based, an upgrade is almost the same as installing Talos, with the difference that the system has already been initialized with a configuration. The supported configuration may change between versions. @@ -34,17 +34,17 @@ For example, if upgrading from Talos 1.0 to Talos 1.2.4, the recommended upgrade * upgrade from v1.0.6 to latest patch of 1.1 - to v1.1.2 * upgrade from v1.1.2 to v1.2.4 -## Before Upgrade to {release_v1_13} +## Before upgrade to {release_v1_13} There are no specific actions to be taken before an upgrade. -## Video Walkthrough +## Video walkthrough To see a live demo of an upgrade of Talos Linux, see the video below: -## After Upgrade to {release_v1_13} +## After upgrade to {release_v1_13} There are no specific actions to be taken after an upgrade. 
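Review bot: `## Before upgrade to {release_v1_13}` and `## After upgrade to {release_v1_13}` are ungrammatical after the case change; since both lines are being touched anyway, use "Before upgrading to" and "After upgrading to".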
@@ -72,7 +72,7 @@ Because this occurs in a just rebooted system, there will be no conflict with an After the upgrade is applied, the node will reboot again, in order to boot into the new version. Note that because Talos Linux reboots via the `kexec` syscall, the extra reboot adds very little time. -## Machine Configuration Changes +## Machine configuration changes * [VolumeConfig](../../reference/configuration/block/volumeconfig) now supports encryption configuration for system volumes. * [VolumeConfig](../../reference/configuration/block/volumeconfig), [UserVolumeConfig](../../reference/configuration/block/uservolumeconfig) encryption configuration for TPM now supports specifying PCRs to lock the encryption key to. @@ -111,7 +111,7 @@ Note that because Talos Linux reboots via the `kexec` syscall, the extra reboot * `.machine.install.grubUseUKICmdline` to unify kernel args behavior for legacy GRUB bootloader with systemd-boot. -## Upgrade Sequence +## Upgrade sequence When a Talos node receives the upgrade command, it cordons itself in Kubernetes, to avoid receiving any new workload. diff --git a/public/talos/v1.13/configure-your-talos-cluster/logging-and-telemetry/logging.mdx b/public/talos/v1.13/configure-your-talos-cluster/logging-and-telemetry/logging.mdx index 929bc59a..318e8a60 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/logging-and-telemetry/logging.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/logging-and-telemetry/logging.mdx @@ -7,7 +7,7 @@ aliases: import { k8s_release } from '/snippets/custom-variables.mdx'; -## Viewing logs +## View logs Kernel messages can be retrieved with `talosctl dmesg` command: 
@@ -64,12 +64,12 @@ $ talosctl -n 172.20.1.2 logs -k kube-system/kube-proxy-gfkqj:kube-proxy:ad5e8dd If some host workloads (e.g. system extensions) send syslog messages, they can be retrieved with `talosctl logs syslogd` command. -## Forwarding logs for aggregation +## Forward logs for aggregation Talos writes logs to files in `/var/log` directory. A pod running in Kubernetes can mount this directory and forward logs to a log aggregation system. -## Sending logs over network +## Send logs over network ### Service logs @@ -160,7 +160,7 @@ Sample message: > `extraKernelArgs` in the machine configuration are only applied on Talos upgrades, not just by applying the config. > (Upgrading to the same version is fine). -### Receiving logs +### Receive logs If you have configure remote service logs or kernel logs on a Talos system and want to collect the logs centrally for debugging purposes you can temporarily run the netcat `nc` command to receive logs. diff --git a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-encryption.mdx b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-encryption.mdx index fd323793..524af86f 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-encryption.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-encryption.mdx @@ -91,7 +91,7 @@ encryption: slot: 0 ``` -### Encryption Keys +### Encryption keys > Note: What the LUKS2 docs call "keys" are, in reality, a passphrase. > When this passphrase is added, LUKS2 runs argon2 to create an actual key from that passphrase. @@ -125,7 +125,7 @@ encryption: Take a note that key order does not play any role on which key slot is used. Every key must always have a slot defined. -### Encryption Key Kinds +### Encryption key kinds Talos supports two kinds of keys: 
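Review bot: the context line after `### Receive logs` still says "If you have configure remote service logs or kernel logs"; fix to "configured" while this hunk is open. The headings in this file are otherwise converted to imperatives consistently, but `## Send logs over network` drops the article; "Send logs over the network" reads better.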
@@ -146,7 +146,7 @@ Every key kind also supports `lockToState` option, which means that the key will It is recommended to use `lockToState` for the `EPHEMERAL` partition and user volumes, so that the data on these partitions is not accessible if the `STATE` partition is wiped or replaced. If you would like non-`STATE` volumes to survive `STATE` partition wipe, do not enable `lockToState` option. -### Key Rotation +### Key rotation In order to completely rotate keys, it is necessary to do `talosctl apply-config` a couple of times, since there is a need to always maintain a single working key while changing the other keys around it. @@ -193,9 +193,9 @@ Run: talosctl apply-config -n --mode=reboot -f config.yaml ``` -## Going from Unencrypted to Encrypted and Vice Versa +## Going from unencrypted to encrypted and vice versa -### Ephemeral Partition +### Ephemeral partition There is no in-place encryption support for the partitions right now, so to avoid losing data only empty partitions can be encrypted. @@ -226,7 +226,7 @@ That's it! After you run the last command, the partition will be wiped and the node will reboot. During the next boot the system will encrypt the partition. -### State Partition +### State partition Calling wipe against the STATE partition will make the node lose the config, so the previous flow is not going to work. @@ -244,7 +244,7 @@ talosctl apply-config --insecure -n -f config.yaml After installation is complete the node should encrypt the STATE partition. -### Configuring TPM-Based Disk Encryption +### Configuring TPM-Based disk encryption Talos supports TPM-based disk encryption by binding the LUKS2 key to one or more PCR (Platform Configuration Register) values. This allows you to control how tightly the encrypted volume is tied to the machine’s firmware and boot state. 
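Review bot: `### Configuring TPM-Based disk encryption` is only half converted; sentence case would be "TPM-based" (lowercase b), matching the `#### Binding only to signed PCR policies` and `#### Binding to multiple PCRs` subheadings in the next hunk. This file also keeps gerunds ("Going from unencrypted to encrypted", "Configuring TPM-Based") where sibling files in the same patch switch to imperatives ("Create raw volumes", "Build boot assets"); one form should be chosen for the whole tree.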
@@ -261,7 +261,7 @@ pcrs: [7] PCR 7 reflects the SecureBoot state and provides backward-compatible behavior with older Talos releases. -#### Binding Only to Signed PCR Policies +#### Binding only to signed PCR policies If the user explicitly sets an empty list, Talos binds only to PCR 11, which is used for signed TPM policies: @@ -273,7 +273,7 @@ tpm: This ignores SecureBoot state, which is useful on hardware where PCR 7 values differ across platforms or firmware versions. -#### Binding to Multiple PCRs +#### Binding to multiple PCRs You can bind the key to multiple PCR values for stronger protection. For example, to bind to both the SecureBoot state (PCR 7) and the firmware state: diff --git a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/common.mdx b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/common.mdx index 9f432c4c..6a762dcf 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/common.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/common.mdx @@ -11,7 +11,7 @@ Several configuration documents share common elements for configuring volumes in * [`RawVolumeConfig`](../../../reference/configuration/block/rawvolumeconfig) * [`SwapVolumeConfig`](../../../reference/configuration/block/swapvolumeconfig) -## Disk Selector +## Disk selector The `diskSelector` field is utilized to choose the disk where the volume will be provisioned. It is a [Common Expression Language (CEL)](https://cel.dev/) expression that evaluates against the available disks. 
@@ -66,7 +66,7 @@ Examples of disk selector expressions: * `disk.serial.startsWith('deadbeef') && !cdrom`: select disks with serial number starting with `deadbeef` and not of CD-ROM type * `'/dev/disk/by-path/pci-0000:00:1f.2-ata-1' in disk.symlinks`: select disks with a specific stable symlink -### Minimum, Maximum and Grow +### Minimum, maximum and grow The `minSize` and `maxSize` fields define the minimum and maximum size of the volume, respectively. Talos Linux will always ensure that the volume is at least `minSize` in size and will not exceed `maxSize`. @@ -81,7 +81,7 @@ The `grow` flag controls what happens when the volume already exists: Setting `minSize` might influence disk selection - if the disk does not have enough free space to satisfy the minimum size requirement, it will not be selected for provisioning. -## Volume Selector +## Volume selector The `volumeSelector` field is a CEL expression that allows you to match existing volumes based on their properties. It is evaluated against the available volumes, and the first volume that matches the expression will be picked up. diff --git a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/existing.mdx b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/existing.mdx index b0d09d8c..a7d5c852 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/existing.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/existing.mdx @@ -13,7 +13,7 @@ Existing volumes are mounted under `/var/mnt/`, and this location g > Note: If you need to allocate a volume to be mounted to a container, please see [User Volumes](./user) guide. -### Declaring Existing Volumes +### Declaring existing volumes To declare an existing volume, append the following [document](../../../reference/configuration/block/existingvolumeconfig) to the machine configuration: 
diff --git a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/layout.mdx b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/layout.mdx index 4dc9ea6f..17df6c95 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/layout.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/layout.mdx @@ -6,7 +6,7 @@ weight: 10 Talos Linux provides tools to observe available disks and volumes on the machine. -## Listing Disks +## Listing disks To obtain a list of all available block devices (disks) on the machine, you can use the following command: @@ -55,7 +55,7 @@ spec: - /dev/disk/by-path/virtio-pci-0000:00:07.0 ``` -## Discovered Volumes +## Discovered volumes Talos Linux monitors all block devices and partitions on the machine. Details about these devices, including their type, can be found in the `DiscoveredVolume` resource. @@ -100,7 +100,7 @@ Currently, the following filesystem types are supported: The discovered volumes can include both Talos-managed volumes and any other volumes present on the machine, such as Ceph volumes. -## Disk Layout +## Disk layout The default disk layout for Talos installation is as follows: @@ -126,7 +126,7 @@ The `EPHEMERAL` partition by default consumes all unallocated space, but it can The `EPHEMERAL` partition is a catch-all location for storing data, while it might be desired to segregate the data into different partitions. Talos supports creating additional user volumes to be used for different purposes: e.g. local storage for various applications, specific volumes per applications, etc. -### Single Disk Layout +### Single disk layout ```text +-------------------------------------------------------------------------------------------------------+ 
@@ -139,7 +139,7 @@ Talos supports creating additional user volumes to be used for different purpose In this layout, the `EPHEMERAL` partition was limited to 200GB, and two additional partitions were created for `csi-data` and `local-storage`. -### Multiple Disk Layout +### Multiple disk layout ```text +---------------------------------------------------------------------------------------+ diff --git a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/overview.mdx b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/overview.mdx index 6e33dc2b..b082ac0e 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/overview.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/overview.mdx @@ -7,11 +7,11 @@ aliases: This guide provides an overview of the disk management features in Talos Linux. -## Disk and Volume Discovery +## Disk and volume discovery See [Disk Layout](./layout) for details on the disk layout and how to observe discovered disks and volumes. -## Volume Management +## Volume management Talos Linux implements disk management through the concept of volumes. A volume represents a provisioned, located, mounted, or unmounted entity, such as a disk, partition, or a directory/overlay mount. diff --git a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/raw.mdx b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/raw.mdx index 957bec62..8bdec4f5 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/raw.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/raw.mdx 
@@ -18,7 +18,7 @@ Disk encryption can be optionally enabled for raw volumes. > Note: If you need to allocate a volume to be mounted to a container, please see [User Volumes](./user) guide. -### Creating Raw Volumes +### Create raw volumes To create a raw volume, append the following [document](../../../reference/configuration/block/rawvolumeconfig) to the machine configuration: @@ -55,7 +55,7 @@ This volume can be referenced using a stable symlink `/dev/disk/by-partlabel/r-o > Note: Ceph will not create a partition if the partition label contains the substring `ceph`. Avoid using such names for your labels. -### Removing Raw Volumes +### Remove raw volumes Before removing a raw volume, ensure that it is not used anymore. diff --git a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/resources.mdx b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/resources.mdx index 19b5d55d..318fb354 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/resources.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/resources.mdx @@ -11,7 +11,7 @@ This information is useful for understanding how Talos Linux manages volumes and The configuration of volumes is defined using the `VolumeConfig` resource, while the current state of volumes is stored in the `VolumeStatus` resource. -### Volume Configuration +### Volume configuration The volume configuration is managed by Talos Linux based on machine configuration. To see configured volumes, use the following command: @@ -74,7 +74,7 @@ spec: targetPath: /system/state ``` -### Volume Status +### Volume status Current volume status can be obtained using the following command: 
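Review bot: raw.mdx switches to imperatives (`### Create raw volumes`, `### Remove raw volumes`) while the neighbouring disk-management pages edited in this same patch keep gerunds (`### Declaring existing volumes` in existing.mdx, `## Listing disks` in layout.mdx). These pages sit side by side in the navigation, so the mismatch is visible to readers; align them to one form.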
@@ -105,7 +105,7 @@ Each volume goes through different phases during its lifecycle: Volumes are mounted when they are ready to be used, mounts are tracked in two resources: `MountRequest` describes the desired mount, while `MountStatus` describes the current state of the mount. -### Mount Request +### Mount request Mount requests are created automatically by Talos Linux based on the volume configuration, service configuration, etc. @@ -135,7 +135,7 @@ NODE NAMESPACE TYPE ID VERS 172.20.0.5 runtime MountRequest EPHEMERAL 2 EPHEMERAL ["sequencer"] ``` -### Mount Status +### Mount status As the volumes are mounted, the status of the mounts is updated in the `MountStatus` resource: diff --git a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/system.mdx b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/system.mdx index 45614a8b..18ef159c 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/system.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/system.mdx @@ -7,7 +7,7 @@ weight: 20 Talos Linux has a set of system volumes that are used for various purposes, such as storing the system state, ephemeral data, and more. This guide provides an overview of the system volumes and how to configure them. -## `EPHEMERAL` Volume +## `EPHEMERAL` volume The `EPHEMERAL` volume is a system volume that is used for storing ephemeral data, such as container data, downloaded images, logs, and `etcd` data (for controlplane nodes). @@ -63,7 +63,7 @@ provisioning: match: disk.transport == 'nvme' && !system_disk ``` -## `IMAGECACHE` Volume +## `IMAGECACHE` volume This system volume is not provisioned by default, and it only gets created if the [Image Cache](../../images-container-runtime/image-cache) feature is enabled. 
diff --git a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/user.mdx b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/user.mdx index 00e2905b..0397b0bd 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/user.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/disk-management/user.mdx @@ -18,7 +18,7 @@ The volume mount location is `/var/mnt/`, and it gets automatically Disk encryption can be optionally enabled for user volumes. -## Creating User Volumes +## Create user volumes To create a user volume, append the following [document](../../../reference/configuration/block/uservolumeconfig) to the machine configuration: @@ -79,7 +79,7 @@ spec: Please note, the path inside the container can be different from the path on the host. -## Removing User Volumes +## Remove user volumes Before removing a user volume, ensure that it is not mounted in any Kubernetes pod. @@ -100,7 +100,7 @@ or from the `DiscoveredVolume` resource any time later. > Note: If the `wipe disk` command fails with `blockdevice is in use by volume`, it means the user volume has not been removed from the machine configuration. -## Types of User Volumes +## Types of user volumes `UserVolumeConfig` includes an optional `volumeType` field that controls how a user volume is created and managed. If omitted, the system defaults to `partition`. diff --git a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/swap.mdx b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/swap.mdx index a29b96ce..8fcd6b57 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/swap.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/storage-and-disk-management/swap.mdx 
@@ -16,7 +16,7 @@ Swap and zswap can be used together, but they can also be configured independent Swap and zswap are disabled by default in Talos, but can be enabled through the configuration. -## Swap Devices +## Swap devices Swap devices can be configured in the [Talos machine configuration](../../reference/configuration/block/swapvolumeconfig) similar to how [User Volumes](./disk-management/user) are configured. As swap devices contain memory pages, it is recommended to enable disk encryption for swap devices to prevent sensitive data from being written to disk in plaintext. @@ -84,7 +84,7 @@ NODE NAMESPACE TYPE ID VERSION TOTAL SIZE STORED PAG Removing a `ZswapConfig` document will disable zswap on the system. Please note that zswap requires swap to be enabled on the system to function properly. -## Kubernetes and Swap +## Kubernetes and swap Kubernetes by default [does not allow swap to be used by containers](https://kubernetes.io/blog/2025/03/25/swap-linux-improvements/), as it can lead to performance issues and unpredictable behavior. @@ -136,7 +136,7 @@ NAME SwapCurrent SwapPeak SwapH If `SwapMax` is set to `0 B`, it means that swap is not enabled for this cgroup (container/pod). Current swap and zswap usage can be seen in the `SwapCurrent` and `ZswapCurrent` columns, respectively. -## Swap Tuning +## Swap tuning Swap can benefit some workloads by evicting inactive memory pages, keeping more RAM available for caches and buffers. diff --git a/public/talos/v1.13/configure-your-talos-cluster/system-configuration/acquire.mdx b/public/talos/v1.13/configure-your-talos-cluster/system-configuration/acquire.mdx index 5558839d..20e5d067 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/system-configuration/acquire.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/system-configuration/acquire.mdx 
@@ -5,7 +5,7 @@ description: "How Talos Linux acquires its machine configuration." Talos Linux requires a [machine configuration](../../reference/configuration/overview) to operate. This configuration can be provided in several ways, depending on your deployment method and environment. -## Methods of Acquiring Machine Configuration +## Methods of acquiring machine configuration Talos checks for machine configuration in the following order: @@ -39,7 +39,7 @@ MAINTENANCE -->|incomplete config| MAINTENANCE When Talos is installed on a disk, it creates a `STATE` partition. This partition is used to store the machine configuration and other stateful data. During the boot process, Talos checks this partition for a valid configuration file. -### Platform Configuration +### Platform configuration For cloud and virtualized environments, Talos can acquire its configuration from platform-specific metadata services. This includes: 
@@ -51,17 +51,17 @@ For cloud and virtualized environments, Talos can acquire its configuration from For the `metal` platform, Talos can download machine configuration from a specified URL (kernel argument [`talos.config`](../../reference/kernel#talosconfig)). -### Kernel Arguments +### Kernel arguments Talos can also accept machine configuration documents directly via kernel arguments [`talos.config.early` and `talos.config.inline`](../../reference/kernel#talosconfigearly-and-talosconfiginline). This method is particularly useful for initial bootstrapping, e.g. specifying a custom set of [trusted CAs](../../security/certificate-authorities). -### Embedded Configuration +### Embedded configuration Talos supports embedding the machine configuration directly into the bootable image (ISO, USB, `installer`). This is done using the [Imager tool](../../platform-specific-installations/boot-assets#example-adding-embedded-machine-configuration-with-imager) When the system boots, it reads the embedded configuration. -### Maintenance Mode +### Maintenance mode As the last resort, if the machine configuration is still incomplete for a full boot, Talos will drop into [maintenance mode](./insecure). diff --git a/public/talos/v1.13/configure-your-talos-cluster/system-configuration/discovery.mdx b/public/talos/v1.13/configure-your-talos-cluster/system-configuration/discovery.mdx index 8e251c8c..ddb3eb94 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/system-configuration/discovery.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/system-configuration/discovery.mdx @@ -24,7 +24,7 @@ The advantage of the external registry service is that it is not dependent on et > Note: Kubernetes registry is deprecated as it is not compatible with Kubernetes 1.32 and later versions in the default configuration. -## Video Walkthrough +## Video walkthrough To see a live demo of Cluster Discovery, see the video below: 
@@ -67,7 +67,7 @@ In these cases, discovery can be disabled or replaced with a privately operated An enabled discovery service is required for [KubeSpan](../../networking/kubespan) to function. -### Kubernetes Registry +### Kubernetes registry The `Kubernetes` registry uses Kubernetes `Node` resource data and additional Talos annotations: @@ -84,7 +84,7 @@ Annotations: cluster.talos.dev/node-id: Utoh3O0ZneV0kT2IUBrh7TgdouRcUW2yz > The workaround is to disable the feature gate on the API server, but it's not recommended as it disables also other important security protections. > For this reason, the Kubernetes registry is deprecated and disabled by default. -### Discovery Service Registry +### Discovery service registry The `Service` registry by default uses a public external Discovery Service to exchange encrypted information about cluster members. @@ -113,7 +113,7 @@ The discovery service does not have the encryption key. The discovery service may, with a commercial license, be operated by your organization and can be [downloaded here](https://github.com/siderolabs/discovery-service). In order for nodes to communicate to the discovery service, they must be able to connect to it on TCP port 443. -## Resource Definitions +## Resource definitions Talos provides resources that can be used to introspect the discovery and KubeSpan features. diff --git a/public/talos/v1.13/configure-your-talos-cluster/system-configuration/editing-machine-configuration.mdx b/public/talos/v1.13/configure-your-talos-cluster/system-configuration/editing-machine-configuration.mdx index 7efe936c..ed1d7771 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/system-configuration/editing-machine-configuration.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/system-configuration/editing-machine-configuration.mdx 
@@ -1,5 +1,5 @@ --- -title: "Editing Machine Configuration" +title: "Edit Machine Configuration" description: "How to edit and patch Talos machine configuration, with reboot, immediately, or stage update on reboot." aliases: - ../../guides/editing-machine-configuration @@ -152,6 +152,6 @@ Patches can also be sourced from files using `file` (or `@file`) syntax: talosctl -n patch machineconfig -p kubelet-patch.json -p manifest-patch.json ``` -### Recovering from Node Boot Failures +### Recover from node boot failures If a Talos node fails to boot because of wrong configuration (for example, control plane endpoint is incorrect), configuration can be updated to fix the issue. diff --git a/public/talos/v1.13/configure-your-talos-cluster/system-configuration/insecure.mdx b/public/talos/v1.13/configure-your-talos-cluster/system-configuration/insecure.mdx index 51955338..301477a4 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/system-configuration/insecure.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/system-configuration/insecure.mdx @@ -16,7 +16,7 @@ However, when a node is in maintenance mode, it still serves the Talos API over In this case, the `--insecure` flag tells `talosctl` to skip verifying the server’s certificate, allowing the connection to proceed. -Only a small subset of Talos API commands support the --insecure flag, specifically those required for initial setup and maintenance operations. +Only a small subset of Talos API commands support the `--insecure` flag, specifically those required for initial setup and maintenance operations. However, once you've applied a machine config, you must stop using the `--insecure` flag for all subsequent operations. The node will now expect secure communication using certificates stored in a talosconfig file. 
@@ -24,7 +24,38 @@ The node will now expect secure communication using certificates stored in a tal **Note**: The `--insecure` flag is used in a different context by the `talosctl image cache-create` command. This command is not used for interacting with the Talos node, but for allowing access to insecure image registries that do not support TLS. -## In Omni-Managed Clusters +## Validate the node identity in `--insecure` Mode + +When using `--insecure`, `talosctl` cannot automatically verify the identity of the remote node. +However, Talos still provides a way to manually confirm that you are communicating with the intended machine. + +### Certificate fingerprint + +When a Talos node boots into maintenance mode, it generates a temporary, self-signed TLS certificate. +The certificate fingerprint is printed directly to the machine’s console logs during boot. + +You can view this fingerprint via: + +* Physical console access +* VM console +* Serial console +* IPMI or other out-of-band management interfaces + +### Using the fingerprint with `talosctl` + +Once you have obtained the fingerprint from the console, you can explicitly pass it to talosctl: + +```bash +talosctl apply-config +--insecure +--cert-fingerprint +--nodes +--file machine.yaml +``` + +This allows you to confirm that the configuration is being applied to the intended node, even though full authentication has not yet been established. + +## In Omni-managed clusters The `--insecure` flag works differently when you're using Omni to manage Talos clusters. 
@@ -36,9 +67,9 @@ So the SideroLink connection is the only way you can run commands against a node This architecture provides a unique security advantage because if a machine is managed by Omni, you cannot send configurations to it from another machine without authentication, even if they are on the same network. This is because the Talos machine does not listen on any general network interface and only communicates with Omni through the secure SideroLink tunnel. -## Supported Commands With the insecure Flag +## Supported commands with the insecure flag -The following commands can be used with the --insecure flag: +The following commands can be used with the `--insecure` flag: `talosctl apply-config` @@ -87,7 +118,7 @@ Erase data from disk partitions on a Talos node. Refer to the [CLI reference](../../reference/cli) for full CLI details. -## Usage Example +## Usage example Here is an example of how to use the `--insecure` flag in Talos: diff --git a/public/talos/v1.13/configure-your-talos-cluster/system-configuration/patching.mdx b/public/talos/v1.13/configure-your-talos-cluster/system-configuration/patching.mdx index 0af5298b..5acac37e 100644 --- a/public/talos/v1.13/configure-your-talos-cluster/system-configuration/patching.mdx +++ b/public/talos/v1.13/configure-your-talos-cluster/system-configuration/patching.mdx @@ -210,7 +210,7 @@ machine: - 192.168.10.0/24 ``` -### Admission control: Pod Security Policy +### Admission control: Pod security policy Base machine configuration: @@ -315,7 +315,7 @@ In addition to patching single-document machine configurations, Talos supports p -## Local Docker Cluster - -The easiest way to try Talos is by using the CLI (`talosctl`) to create a cluster on a machine with `docker` installed. - ### Prerequisites #### `talosctl` 
@@ -35,7 +33,7 @@ brew install siderolabs/tap/talosctl Download `kubectl` via one of the methods outlined in the [documentation](https://kubernetes.io/docs/tasks/tools/install-kubectl/). -### Create the Cluster +### Create the cluster Now run the following: @@ -67,7 +65,7 @@ talos-default-worker-1 Ready 115s v${k8s_release} 10.5.0 `} -### Destroy the Cluster +### Destroy the cluster When you are all done, remove the cluster: diff --git a/public/talos/v1.13/getting-started/support-matrix.mdx b/public/talos/v1.13/getting-started/support-matrix.mdx index cafcb1bd..797836eb 100644 --- a/public/talos/v1.13/getting-started/support-matrix.mdx +++ b/public/talos/v1.13/getting-started/support-matrix.mdx @@ -25,7 +25,7 @@ description: "Table of supported Talos Linux versions and respective platforms." | [CAPI Control Plane Provider Talos](https://github.com/siderolabs/cluster-api-control-plane-provider-talos) | >= 0.5.12 | >= 0.5.11 | | [Sidero](https://www.sidero.dev/) | >= 0.6.12 | >= 0.6.11 | -## Platform Tiers +## Platform tiers * Tier 1: Automated tests, high-priority fixes. * Tier 2: Tested from time to time, medium-priority bugfixes. diff --git a/public/talos/v1.13/getting-started/system-requirements.mdx b/public/talos/v1.13/getting-started/system-requirements.mdx index c8a04dc8..25596fc8 100644 --- a/public/talos/v1.13/getting-started/system-requirements.mdx +++ b/public/talos/v1.13/getting-started/system-requirements.mdx @@ -4,7 +4,7 @@ weight: 40 description: "Hardware requirements for running Talos Linux." --- -## Minimum Requirements +## Minimum requirements
diff --git a/public/talos/v1.13/getting-started/what's-new-in-talos.mdx b/public/talos/v1.13/getting-started/what's-new-in-talos.mdx index 03abb8ea..0f02c861 100644 --- a/public/talos/v1.13/getting-started/what's-new-in-talos.mdx +++ b/public/talos/v1.13/getting-started/what's-new-in-talos.mdx 
@@ -1,11 +1,264 @@ --- -title: What's New in Talos 1.13.0 +title: What's New in Talos 1.12.0 weight: 50 -description: "Discover the latest features and updates in Talos Linux 1.13." +description: "Discover the latest features and updates in Talos Linux 1.12." --- For critical changes, refer to the [upgrade notes](../configure-your-talos-cluster/lifecycle-management/upgrading-talos). -## Important Changes +## Important changes -TBD \ No newline at end of file +### Network configuration + +Talos v1.12 introduces new [network configuration documents](../networking/configuration/overview). +These changes follow the new ["multi-doc" configuration](https://github.com/siderolabs/talos/issues/10925) concept, and allow more granular machine configuration. + +Asides from providing more granular/flexible configuration, the new "multi-doc" configuration documents can be applied at any time, including maintenance mode, and can also be embedded into the boot image, +or supplied via the `talos.config.early` kernel command line argument. 
+ +The new documents replace the previous network configuration under [.machine.network](../../v1.11/reference/configuration/v1alpha1/config#network), including: +- `hostname`: replaced by [HostnameConfig](../reference/configuration/network/hostnameconfig) +- `interfaces` replaced by: + - [LinkConfig](../reference/configuration/network/linkconfig) + - [LinkAliasConfig](../reference/configuration/network/linkaliasconfig) + - [EthernetConfig](../reference/configuration/network/ethernetconfig) + - [BondConfig](../reference/configuration/network/bondconfig) + - [BridgeConfig](../reference/configuration/network/bridgeconfig) + - [DHCPv4Config](../reference/configuration/network/dhcpv4config) + - [DHCPv6Config](../reference/configuration/network/dhcpv6config) + - [VLANConfig](../reference/configuration/network/vlanconfig) + - [WireGuardConfig](../reference/configuration/network/wireguardconfig) + - [DummyLinkConfig](../reference/configuration/network/dummylinkconfig) + - [Layer2VIPConfig](../reference/configuration/network/layer2vipconfig) +- `nameservers`, `searchDomains`, `disableSearchDomain`: replaced by [ResolverConfig](../reference/configuration/network/resolverconfig) +- `extraHostEntries`: replaced by [StaticHostConfig](../reference/configuration/network/statichostconfig) + +This change **does not** affect KubeSpan configuration, which still resides under [`.machine.network`](../reference/configuration/v1alpha1/config#network) + +The previous configuration ([machine.network](../../v1.11/reference/configuration/v1alpha1/config.mdx#network)) (with the exception of KubeSpan configuration) is now deprecated, but supported for backwards compatibility. + +### New user volume types + +The [UserVolumeConfig](../reference/configuration/block/uservolumeconfig) document has been extended with a new `volumeType` field to specify the type of user volume. 
+ +#### `directory` + +When `volumeType` is set to `directory`, provisioning and filesystem operations are skipped, and a directory is created under `/var/mnt/`. +The `directory` type enables lightweight storage volumes backed by a host directory, eliminating the need for a full block device partition. + +When `volumeType` is set to `directory`: + + * A directory is created at `/var/mnt/` + * `provisioning`, `filesystem`, and `encryption` are not allowed + +> Note: This mode does not provide filesystem-level isolation and inherits the `EPHEMERAL` partition capacity limits. +> It should not be used for workloads requiring predictable storage quotas. + +#### `disk` + +When `volumeType` is set to `disk`, Talos provisions a user volume on the disk that matches the `diskSelector` criteria. + +When `volumeType` is set to `disk`: + + * Size-specific settings are not allowed in the provisioning block (`minSize`, `maxSize`, `grow`) + +### Disk encryption + +#### TPM encryption + +Talos versions prior to v1.12 used PCR 7 state and signed policies locked to PCR 11 for TPM-based disk encryption. + +Talos now supports configuring which PCR states are used for TPM-based disk encryption via the `options.pcrs` field in the `tpm` section of the disk encryption configuration. +If no options are specified, Talos defaults to using PCR 7 for backward compatibility with existing installations. +This change improves compatibility with systems that may have varying PCR 7 states due to UEFI Secure Boot configurations, and allows users to disable locking to PCR 7 state entirely if desired. + +Signed PCR policies remain bound to PCR 11. +You can view the currently used PCRs with the `talosctl get volumestatus -o yaml` command. + +#### Device mapper names + +Talos Linux now consistently provides mapped names for encrypted volumes in the format `/dev/mapper/luks2-`. 
+This change should not affect system or user volumes but allows for easier identification of encrypted volumes, particularly raw encrypted volumes. + +### Logging + +The kernel log (`dmesg`) is now also available as the service log named `kernel` (accessible via `talosctl logs kernel`). + +Talos now stores system component logs in `/var/log` with automatic log rotation, keeping the two most recent log files. This change enables collecting logs from Talos just like any other Linux system. + +### GRUB kernel command line + +Talos Linux introduces a new machine configuration option, `.machine.install.grubUseUKICmdline`, to control whether GRUB should use the kernel command line provided by the boot assets (UKI) or the command line constructed by Talos itself (legacy behavior). + +This option defaults to `true` for new installations, meaning GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation. +For existing installations upgrading to v1.12, this option defaults to `false` to preserve the legacy behavior. + +This change unifies the kernel command line across UEFI (`systemd-boot`) and BIOS (GRUB) boot modes. + +### CRI registry configuration + +The CRI registry configuration in v1alpha1 legacy machine configuration under `.machine.registries` is now deprecated but remains supported for backward compatibility. +New configuration documents — [RegistryMirrorConfig](../reference/configuration/cri/registrymirrorconfig), [RegistryAuthConfig](../reference/configuration/cri/registryauthconfig), and [RegistryTLSConfig](../reference/configuration/cri/registrytlsconfig)—should be used instead. + +### Out of memory (OOM) handling + +Talos now includes a [userspace OOM handler](../configure-your-talos-cluster/system-configuration/oom), +which automatically evicts workloads based on memory pressure. + +The OOM handler can be configured via the [OOMConfig](../reference/configuration/runtime/oomconfig) document. 
+ +## Kubernetes + +### API server cipher suites + +The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default. +This aligns with the best practices documented in the CIS 1.12 benchmark. + +You can still expand the list of supported cipher suites via the `cluster.apiServer.extraArgs."tls-cipher-suites"` machine configuration field if needed. + +### etcd + +The etcd container image is now pulled from `registry.k8s.io/etcd` instead of `gcr.io/etcd-development/etcd`. + +## Machine configuration + +### Ethernet configuration + +The [Ethernet configuration](../reference/configuration/network/ethernetconfig) now includes a `wakeOnLAN` field to enable Wake-on-LAN (WOL) support. +This field allows you to enable WOL and specify the desired WOL modes. + +### Deprecations + +Talos now ignores the following machine configuration fields: + +- `machine.features.rbac` (locked to `true`) +- `machine.features.apidCheckExtKeyUsage` (locked to `true`) +- `cluster.apiServer.disablePodSecurityPolicy` (locked to `true`) + +These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values listed above. + +### Embedding machine configuration + +Talos Linux now supports [embedding machine configuration](../configure-your-talos-cluster/system-configuration/acquire) directly into the boot image. + +## Miscellaneous + +### Extra binaries + +Talos Linux now includes the `nft` binary in the rootfs to support CNIs that invoke the `nft` command. + +### Talos force reboot + +Talos now supports a "force" reboot mode, which allows you to skip graceful userland termination. +This is useful when a userland service (e.g., the kubelet) becomes stuck during graceful shutdown, preventing the regular reboot flow from completing. + +Additionally, `talosctl` has been updated to support this feature via the `talosctl reboot --mode force` command. 
+ +### Kernel module signature verification + +Talos now supports optionally disabling kernel module signature verification by setting the `module.sig_enforce=0` kernel parameter. +By default, kernel module signature verification is enabled (`module.sig_enforce=1`). +When using Factory or Imager, supply the `-module.sig_enforce module.sig_enforce=0` kernel parameters to disable module signature enforcement. + +This change provides an easier way to load custom kernel modules, though it does reduce system security. + +### Kernel security posture profile (KSPP) + +Talos now enables a stricter set of KSPP sysctl settings by default. +You can view the list of overridden settings using the `talosctl get kernelparamstatus` command. + +### `talosctl image cache-serve` + +`talosctl` includes a new `image cache-serve` subcommand. +It allows you to serve the created OCI image registry over HTTP/HTTPS. +It is a read-only registry, meaning images cannot be pushed to it; however, the backing storage can be updated by re-running the `cache-create` command. + +Additionally, `talosctl image cache-create` has some changes: + +* New flag `--layout`: accepts `oci` (_default_) or `flat`: + * `oci` preserves the current behavior + * `flat` does not repack the artifact layer but moves it to a destination directory, allowing it to be served by `talosctl image cache-serve` +* Modified flag `--platform`: now accepts multiple OS/architecture combinations: + * comma-separated (`--platform=linux/amd64,linux/arm64`) + * multiple instances (`--platform=linux/amd64 --platform=linux/arm64`) + +### UEFI boot + +When using UEFI boot with systemd-boot as the bootloader (on new Talos installations from version 1.10 onwards), Talos will no longer modify the UEFI boot order. +Talos 1.11 introduced a fix to create a UEFI boot entry and set it as the first boot entry; however, this behavior caused issues on some systems. 
+To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist and will not modify the boot order. + +## Component updates + + * Linux: 6.18.0 + * Kubernetes: 1.35.0 + * CNI Plugins: 1.8.0 + * cryptsetup: 2.8.1 + * LVM2: 2_03_37 + * systemd-udevd: 257.8 + * runc: 1.3.4 + * CoreDNS: 1.13.1 + * etcd: 3.6.6 + * Flannel: 0.27.4 + * Flannel CNI plugin: v1.8.0-flannel2 + * containerd: 2.1.5 + +Talos is built with Go 1.25.5. + +## Contributors + +* Andrey Smirnov +* Mateusz Urbanek +* Noel Georgi +* Dmitrii Sharshakov +* Amarachi Iheanacho +* Orzelius +* Laura Brehm +* Oguz Kilcan +* Justin Garrison +* Artem Chernyshev +* Utku Ozdemir +* Bryan Lee +* Edward Sammut Alessi +* George Gaál +* Jorik Jonker +* Michael Smith +* Nicole Hubbard +* 459below +* Adrian L Lange +* Alp Celik +* Andrew Longwill +* Birger Johan Nordølum +* Chris Sanders +* Dmitry +* Febrian +* Florian Grignon +* Fred Heinecke +* Giau. Tran Minh +* Grzegorz Rozniecki +* Guillaume LEGRAIN +* Hector Monsalve +* Joakim Nohlgård +* Lennard Klein +* Markus Freitag +* Max Makarov +* Mike Beaumont +* Misha Aksenov +* MrMrRubic +* Olivier Doucet +* Pranav +* Sammy ETUR +* Serge Logvinov +* Serge van Ginderachter +* Skye Soss +* Skyler Mäntysaari +* SuitDeer +* Tom +* aurh1l +* frozenprocess +* frozensprocess +* kassad +* leppeK +* samoreno +* theschles +* winnie diff --git a/public/talos/v1.13/learn-more/architecture.mdx b/public/talos/v1.13/learn-more/architecture.mdx index 8b008385..83a232ca 100644 --- a/public/talos/v1.13/learn-more/architecture.mdx +++ b/public/talos/v1.13/learn-more/architecture.mdx 
@@ -29,7 +29,7 @@ Talos uses these partitions with the following labels: 1. **STATE** - stores machine configuration, node identity data for cluster discovery and KubeSpan info 1. **EPHEMERAL** - stores ephemeral state information, mounted at `/var` -## The File System +## The file system One of the unique design decisions in Talos is the layout of the root file system. There are three "layers" to the Talos root file system. diff --git a/public/talos/v1.13/learn-more/control-plane.mdx b/public/talos/v1.13/learn-more/control-plane.mdx index 5c1fe371..8bcf980b 100644 --- a/public/talos/v1.13/learn-more/control-plane.mdx +++ b/public/talos/v1.13/learn-more/control-plane.mdx @@ -27,7 +27,7 @@ Talos nodes which have `.machine.type` of `controlplane` are control plane nodes Control plane nodes are tainted by default to prevent workloads from being scheduled onto them. This is both to protect the control plane from workloads consuming resources and starving the control plane processes, and also to reduce the risk of a vulnerability exposes the control plane's credentials to a workload. -## The Control Plane and Etcd +## The control plane and etcd A critical design concept of Kubernetes (and Talos) is the `etcd` database. @@ -64,7 +64,7 @@ A 5 node cluster can commit about 5% less writes per second than a 3 node cluste (This ensures that the failed node does not "vote" when adding in the new node, minimizing the chances of a quorum violation.) - If replacing a node that has not failed, add the new one, then remove the old. -## Bootstrapping the Control Plane +## Bootstrapping the control plane Every new cluster must be bootstrapped only once, which is achieved by telling a single control plane node to initiate the bootstrap. 
@@ -78,7 +78,7 @@ configuration option or unavailable container repository), if the bootstrap API call returns successfully, you do NOT need to bootstrap again: just fix the config or let Kubernetes retry. -### High-level Overview +### High-level overview Talos cluster bootstrap flow: @@ -90,7 +90,7 @@ Talos cluster bootstrap flow: 5. The `kubelet` registers the node in the API server. 6. Kubernetes control plane schedules pods on the nodes. -### Cluster Bootstrapping +### Cluster bootstrapping All nodes start the `kubelet` service. The `kubelet` tries to contact the control plane endpoint, but as it is not up yet, it keeps retrying. @@ -120,12 +120,12 @@ Each node now runs a full set of components to make the control plane HA. The `kubelet` service on worker nodes is now able to issue the client certificate and register itself with the API server. -### Scaling Up the Control Plane +### Scale up the control plane When new nodes are added to the control plane, the process is the same as the bootstrap process above: the `etcd` service discovers existing members of the control plane via the control plane endpoint, joins the `etcd` cluster, and the control plane components are scheduled on the node. -### Scaling Down the Control Plane +### Scale down the control plane Scaling down the control plane involves removing a node from the cluster. The most critical part is making sure that the node which is being removed leaves the etcd cluster. @@ -136,7 +136,7 @@ The recommended way to do this is to use: When using `talosctl reset` command, the targeted control plane node leaves the `etcd` cluster as part of the reset sequence, and its disks are erased. -### Upgrading Talos on Control Plane Nodes +### Upgrade Talos on control plane nodes When a control plane node is upgraded, Talos leaves `etcd`, wipes the system disk, installs a new version of itself, and reboots. The upgraded node then joins the `etcd` cluster on reboot. 
diff --git a/public/talos/v1.13/learn-more/controllers-resources.mdx b/public/talos/v1.13/learn-more/controllers-resources.mdx index 39a03f0c..dfb6d59e 100644 --- a/public/talos/v1.13/learn-more/controllers-resources.mdx +++ b/public/talos/v1.13/learn-more/controllers-resources.mdx @@ -38,7 +38,7 @@ A controller might also have additional inputs: running reconcile on schedule, w A controller has a single output: a set of resources of fixed type in a fixed namespace. Only one controller can manage resource type in the namespace, so conflicts are avoided. -## Querying Resources +## Querying resources Talos CLI tool `talosctl` provides read-only access to the resource API which includes getting specific resource, listing resources and watching for changes. @@ -120,7 +120,7 @@ Command `talosctl get` supports following output modes: * `json` prints same information as `yaml`, some additional details (e.g. comments) might be lost. This format is useful for automated processing with tools like `jq`. -### Watching Changes +### Watching changes If flag `--watch` is appended to the `talosctl get` command, the command switches to watch mode. If list of resources was requested, `talosctl` prints initial contents of the list and then appends resource information for every change: @@ -198,7 +198,7 @@ spec: ... ``` -## Inspecting Controller Dependencies +## Inspecting controller dependencies Talos can report current dependencies between controllers and resources for debugging purposes: diff --git a/public/talos/v1.13/learn-more/image-factory.mdx b/public/talos/v1.13/learn-more/image-factory.mdx index ce61d8a7..9a55ce52 100644 --- a/public/talos/v1.13/learn-more/image-factory.mdx +++ b/public/talos/v1.13/learn-more/image-factory.mdx 
@@ -117,7 +117,7 @@ The UI provides a way to list supported Talos Linux versions, list of system ext The UI operations are equivalent to API operations. -## Find Schematic ID from Talos Installation +## Find schematic ID from Talos installation Image Factory always appends "virtual" system extension with the version matching schematic ID used to generate the model. So, for any running Talos Linux instance the schematic ID can be found by looking at the list of system extensions: @@ -146,7 +146,7 @@ should be using the same schematic as the ISO/PXE boot image. Some system extensions are not available for all Talos Linux versions, so an attempt to generate a model with an unsupported system extension will fail. List of supported Talos versions and supported system extensions for each version is available in the [Image Factory UI](#ui) and [API](https://github.com/siderolabs/image-factory#readme). -## Under the Hood +## Under the hood Image Factory is based on the Talos `imager` container which provides both the Talos base boot assets, and the ability to generate custom assets based on a configuration. Image Factory manages a set of `imager` container images to acquire base Talos Linux boot assets (`kernel`, `initramfs`), a set of Talos Linux system extension images, and a set of schematics. @@ -169,7 +169,7 @@ Image Factory signs generated `installer` images, and verifies the signature of Image Factory does not provide a way to list all schematics, as schematics may contain sensitive information (e.g. private kernel boot arguments). As the schematic ID is content-addressable, it is not possible to guess the ID of a schematic without knowing the content of the schematic. -## Running your own Image Factory +## Running your own image factory Image Factory can be deployed on-premises to provide in-house asset generation. diff --git a/public/talos/v1.13/learn-more/kubespan.mdx b/public/talos/v1.13/learn-more/kubespan.mdx index 3cf2d1c3..360b12c5 100644 
--- a/public/talos/v1.13/learn-more/kubespan.mdx +++ b/public/talos/v1.13/learn-more/kubespan.mdx @@ -4,7 +4,7 @@ weight: 100 description: "Understand more about KubeSpan for Talos Linux." --- -## WireGuard Peer Discovery +## WireGuard peer discovery The key pieces of information needed for WireGuard generally are: @@ -35,7 +35,7 @@ The Kubernetes-based system utilizes annotations on Kubernetes Nodes which descr On top of this, KubeSpan can optionally route Pod subnets. This is usually taken care of by the CNI, but there are many situations where the CNI fails to be able to do this itself, across networks. -## NAT, Multiple Routes, Multiple IPs +## NAT, multiple routes, multiple IPs One of the difficulties in communicating across networks is that there is often not a single address and port which can identify a connection for each node on the system. For instance, a node sitting on the same network might see its peer as `192.168.2.10`, but a node across the internet may see it as `2001:db8:1ef1::10`. @@ -46,7 +46,7 @@ WireGuard only allows us to select one at a time. KubeSpan implements a controller which continuously discovers and rotates these IP:port pairs until a connection is established. It then starts trying again if that connection ever fails. -## Packet Routing +## Packet routing After we have established a WireGuard connection, we have to make sure that the right packets get sent to the WireGuard interface. @@ -96,7 +96,7 @@ So in summary, we: This gives us an isolated, resilient, tolerant, and non-invasive way to route Kubernetes traffic safely, automatically, and transparently through WireGuard across almost any set of network topologies. -## Design Decisions +## Design decisions ### Routing 
@@ -149,7 +149,7 @@ So we have three components: 3. One IP Rule which sends packets marked with our firewall mark to our Wireguard routing table. -### Routing Table +### Routing table The routing table (number 180 by default) is simple, containing a single route for each family: send everything through the Wireguard interface. @@ -180,7 +180,7 @@ These rules say the same thing for each: if the packet is marked that it should go _to_ Wireguard, send it to the Wireguard routing table. -### Firewall Mark +### Firewall mark KubeSpan is using only two bits of the firewall mark with the mask `0x00000060`. diff --git a/public/talos/v1.13/learn-more/networking-resources.mdx b/public/talos/v1.13/learn-more/networking-resources.mdx index 4be3fb37..fed58527 100644 --- a/public/talos/v1.13/learn-more/networking-resources.mdx +++ b/public/talos/v1.13/learn-more/networking-resources.mdx @@ -43,7 +43,7 @@ Status resources have aliases with the `Status` suffix removed, so for example Talos networking controllers reconcile the state so that `*Status` equals the desired `*Spec`. -## Observing State +## Observing state The current network configuration state can be observed by querying `*Status` resources via `talosctl`: @@ -132,7 +132,7 @@ spec: duplex: Unknown ``` -## Inspecting Configuration +## Inspecting configuration The desired networking configuration is combined from multiple sources and presented as `*Spec` resources: @@ -178,7 +178,7 @@ spec: An important field is the `layer` field, which describes a configuration layer this spec is coming from: in this case, it's generated by a network operator (see below) and is set by the DHCPv4 operator. -## Configuration Merging +## Configuration merging Spec resources described in the previous section show the final merged configuration state, while initial specs are put to a different unmerged namespace `network-config`. 
@@ -276,7 +276,7 @@ is stable but not defined (e.g. if DHCP on multiple interfaces provides two diff `LinkSpecs` are merged across layers, so for example, machine configuration for the interface MTU overrides an MTU set by the DHCP server. -## Network Operators +## Network operators Network operators provide dynamic network configuration which can change over time as the node is running: @@ -321,7 +321,7 @@ NODE NAMESPACE TYPE ID VERS 172.20.0.2 network-config AddressSpec dhcp4/eth0/eth0/172.20.0.2/24 1 ``` -## Other Network Resources +## Other network resources There are some additional resources describing the network subsystem state. @@ -372,7 +372,7 @@ spec: etcFilesReady: true ``` -## Network Controllers +## Network controllers For each of the six basic resource types, there are several controllers: @@ -386,7 +386,7 @@ For the network operators: * `OperatorConfigController` produces `OperatorSpec` resources based on machine configuration and deafauls. * `OperatorSpecController` runs network operators watching `OperatorSpec` resources and producing various `*Spec` resources in the `network-config` namespace. -## Configuration Sources +## Configuration sources There are several configuration sources for the network configuration, which are described in this section. @@ -420,13 +420,13 @@ Platform configuration is cached across reboots in `/system/state/platform-netwo Network operators provide configuration for all basic resource types. -### Machine Configuration +### Machine configuration The machine configuration is parsed for link configuration, addresses, routes, hostname, resolvers and time servers. Any changes to `.machine.network` configuration can be applied in immediate mode. -## Network Configuration Debugging +## Network configuration debugging Most of the network controller operations and failures are logged to the kernel console, additional logs with `debug` level are available with `talosctl logs controller-runtime` command. 
diff --git a/public/talos/v1.13/learn-more/philosophy.mdx b/public/talos/v1.13/learn-more/philosophy.mdx index 41a72c77..dd68f018 100644 --- a/public/talos/v1.13/learn-more/philosophy.mdx +++ b/public/talos/v1.13/learn-more/philosophy.mdx @@ -86,7 +86,7 @@ There is no `systemd` on our system. There are no GNU utilities, no shell, no SSH, no packages, nothing you could associate with any other distribution. -## An Operating System designed for Kubernetes +## An operating system designed for Kubernetes Technically, Talos Linux installs to a computer like any other operating system. _Unlike_ other operating systems, Talos is not meant to run alone, on a diff --git a/public/talos/v1.13/learn-more/talos-network-connectivity.mdx b/public/talos/v1.13/learn-more/talos-network-connectivity.mdx index 151df33d..c32bff24 100644 --- a/public/talos/v1.13/learn-more/talos-network-connectivity.mdx +++ b/public/talos/v1.13/learn-more/talos-network-connectivity.mdx @@ -6,7 +6,7 @@ aliases: - ../guides/configuring-network-connectivity --- -## Configuring Network Connectivity +## Configuring network connectivity The simplest way to deploy Talos is by ensuring that all the remote components of the system (`talosctl`, the control plane nodes, and worker nodes) all have layer 2 connectivity. This is not always possible, however, so this page lays out the minimal network access that is required to configure and operate a talos cluster. diff --git a/public/talos/v1.13/learn-more/talosctl.mdx b/public/talos/v1.13/learn-more/talosctl.mdx index 67d904f5..c3a23a07 100644 --- a/public/talos/v1.13/learn-more/talosctl.mdx +++ b/public/talos/v1.13/learn-more/talosctl.mdx 
@@ -7,13 +7,13 @@ description: "The design and use of the Talos Linux control application." The `talosctl` tool acts as a reference implementation for the Talos API, but it also handles a lot of conveniences for the use of Talos and its clusters. -### Video Walkthrough +### Video walkthrough To see some live examples of talosctl usage, view the following video: -## Client Configuration +## Client configuration Talosctl configuration is located in `$HOME/.talos/config`. The location can always be overridden by the `TALOSCONFIG` environment variable or the `--talosconfig` parameter. @@ -24,7 +24,7 @@ The default operation is a non-destructive merge, where if a context of the same You can easily overwrite instead, as well. See the `talosctl config help` for more information. -## Endpoints and Nodes +## Endpoints and nodes ![Endpoints and Nodes](./images/talosctl-endpoints-and-nodes.png) diff --git a/public/talos/v1.13/networking/advanced/ethernet-config.mdx b/public/talos/v1.13/networking/advanced/ethernet-config.mdx index ff559513..55bfc61e 100644 --- a/public/talos/v1.13/networking/advanced/ethernet-config.mdx +++ b/public/talos/v1.13/networking/advanced/ethernet-config.mdx @@ -6,7 +6,7 @@ description: "How to configure Ethernet network link settings." Talos Linux allows you to configure Ethernet network link settings, such as ring configuration or disabling TCP checksum offloading. The settings and their values closely follow `ethtool` command line options, so you can use similar recipes. -## Observing Current Status +## Observing current status You can observe current Ethernet settings in the `EthernetStatus` resource: 
@@ -105,11 +105,11 @@ features: For rings and channels configuration, values can be increased if they do not exceed the maximum supported by the network card (the maximum values are reported in the status with `-max` suffix). -### Enable Wake-on-LAN Support +### Enable Wake-on-LAN support Starting with 1.12, Talos Linux now supports configuring Wake-on-LAN (WOL) directly in the Ethernet configuration. -Use the `wakeOnLAN` field under the `EthernetConfig` resource to enable WOL and specify the desired WOL modes. +Use the `wakeOnLan` field under the `EthernetConfig` resource to enable WOL and specify the desired WOL modes. This allows a node’s network interface to wake the system from a low-power state when receiving a magic packet or other WOL-triggering event. Example: @@ -118,12 +118,12 @@ Example: apiVersion: v1alpha1 kind: EthernetConfig name: enp0s3 -wakeOnLAN: +wakeOnLan: enabled: true modes: ["magic", "unicast"] ``` -#### Supported Modes +#### Supported modes Supported WOL modes depend on the NIC and driver, but common values include: @@ -143,4 +143,4 @@ You can check WOL support and status with: talosctl get ethernetstatus -o yaml ``` -This command will show the current wakeOnLAN settings along with other Ethernet features. +This command will show the current wakeOnLan settings along with other Ethernet features. diff --git a/public/talos/v1.13/networking/advanced/vip.mdx b/public/talos/v1.13/networking/advanced/vip.mdx index 125fed72..7365e699 100644 --- a/public/talos/v1.13/networking/advanced/vip.mdx +++ b/public/talos/v1.13/networking/advanced/vip.mdx 
@@ -26,13 +26,13 @@ Note that the virtual IP election depends on `etcd` being up, as Talos uses `etc The virtual IP is not restricted by ports - you can access any port that the control plane nodes are listening on, on that IP address. Thus it *is* possible to access the Talos API over the VIP, but it is *not recommended*, as you cannot access the VIP when etcd is down - and then you could not access the Talos API to recover etcd. -## Video Walkthrough +## Video walkthrough To see a live demo of this writeup, see the video below: -## Choose your Shared IP +## Choose your shared IP The Virtual IP should be a reserved, unused IP address in the same subnet as your controlplane nodes. @@ -49,7 +49,7 @@ We then choose our shared IP to be: - `192.168.0.15` -## Configure your Talos Machines +## Configure your Talos machines The shared IP setting is only valid for controlplane nodes. @@ -71,7 +71,7 @@ alive until after you have bootstrapped Kubernetes. Don't use the VIP as the `endpoint` in the `talosconfig`, as the VIP is bound to `etcd` and `kube-apiserver` health, and you will not be able to recover from a failure of either of those components using Talos API. -## VIP Failover Behavior +## VIP failover behavior When the control plane node holding the VIP shuts down gracefully, the address is reassigned almost instantly, ensuring uninterrupted access. @@ -83,7 +83,7 @@ The delay ensures that a temporary network hiccup or brief pause in communicatio By waiting out the election timeout before reassigning the VIP, Talos guarantees that only one node will advertise the shared IP, even if it means failover is slower in sudden failure scenarios. -### Impact on Workloads +### Impact on workloads A VIP failover impacts only external access to the cluster, such as when you run `kubectl` against the API server. diff --git a/public/talos/v1.13/networking/configuration/dynamic.mdx b/public/talos/v1.13/networking/configuration/dynamic.mdx index da146709..fa6f169e 100644 
--- a/public/talos/v1.13/networking/configuration/dynamic.mdx +++ b/public/talos/v1.13/networking/configuration/dynamic.mdx @@ -11,7 +11,7 @@ DHCP client can be enabled on physical and logical links (bridges, bonds, VLANs) There are two DHCP versions supported in Talos Linux: DHCPv4 and DHCPv6. -## DHCPv4 Configuration +## DHCPv4 configuration To enable DHCPv4 on a physical link, create a [DHCPv4Config](../../reference/configuration/network/dhcpv4config) configuration document with the name of the link: @@ -30,7 +30,7 @@ Additional settings can be configured: * `duid`: use a DUID (DHCP Unique Identifier) as the client identifier, requires `duidRaw` field to be set. * `off`: disable the client identifier. -## DHCPv6 Configuration +## DHCPv6 configuration To enable DHCPv6 on a physical link, create a [DHCPv6Config](../../reference/configuration/network/dhcpv6config) configuration document with the name of the link: @@ -42,7 +42,7 @@ name: enp0s3 Additional settings are identical to DHCPv4. -## Observing Status +## Observing status Use `talosctl` to get the list of all configured operators (which includes DHCP clients): diff --git a/public/talos/v1.13/networking/configuration/hostname.mdx b/public/talos/v1.13/networking/configuration/hostname.mdx index a92f9dd1..94b9a2d2 100644 --- a/public/talos/v1.13/networking/configuration/hostname.mdx +++ b/public/talos/v1.13/networking/configuration/hostname.mdx @@ -38,7 +38,7 @@ hostname: my-custom-hostname auto: off ``` -## Observing Status +## Observing status Use `talosctl` to get the current hostname of a node: diff --git a/public/talos/v1.13/networking/configuration/physical.mdx b/public/talos/v1.13/networking/configuration/physical.mdx index 51d2333a..aad4a69e 100644 --- a/public/talos/v1.13/networking/configuration/physical.mdx +++ b/public/talos/v1.13/networking/configuration/physical.mdx 
@@ -40,7 +40,7 @@ up: true For low-level control over physical link properties, such as offloading features, refer to the [Ethernet configuration](./../advanced/ethernet-config) documentation. -## Observing Status +## Observing status Use `talosctl` to observe the status of all links: diff --git a/public/talos/v1.13/networking/configuration/resolvers.mdx b/public/talos/v1.13/networking/configuration/resolvers.mdx index ca3ae1db..374bf423 100644 --- a/public/talos/v1.13/networking/configuration/resolvers.mdx +++ b/public/talos/v1.13/networking/configuration/resolvers.mdx @@ -30,7 +30,7 @@ The `disableDefault` field, when set to `true`, prevents Talos from using the de See [Host DNS](../host-dns) for more information about DNS resolution in Talos. -## Observing Status +## Observing status Use `talosctl` to get the current resolver configuration of a node: diff --git a/public/talos/v1.13/networking/configuration/static.mdx b/public/talos/v1.13/networking/configuration/static.mdx index 64a49b63..07f06544 100644 --- a/public/talos/v1.13/networking/configuration/static.mdx +++ b/public/talos/v1.13/networking/configuration/static.mdx @@ -84,7 +84,7 @@ routes: - gateway: 192.168.1.1 ``` -## Observing Status +## Observing status You can observe the status of addresses and routes using `talosctl`: diff --git a/public/talos/v1.13/networking/configuration/time.mdx b/public/talos/v1.13/networking/configuration/time.mdx index 981c0ab0..255e9af4 100644 --- a/public/talos/v1.13/networking/configuration/time.mdx +++ b/public/talos/v1.13/networking/configuration/time.mdx @@ -20,7 +20,7 @@ ntp: See [Time Sync](../../configure-your-talos-cluster/system-configuration/time-sync) for more details about time synchronization in Talos Linux. -## Observing Status +## Observing status Use `talosctl` to get the current time synchronization configuration of a node: 
diff --git a/public/talos/v1.13/networking/corporate-proxies.mdx b/public/talos/v1.13/networking/corporate-proxies.mdx index 3879aacf..3bc6cd02 100644 --- a/public/talos/v1.13/networking/corporate-proxies.mdx +++ b/public/talos/v1.13/networking/corporate-proxies.mdx @@ -5,11 +5,11 @@ aliases: - ../../guides/configuring-corporate-proxies --- -## Appending the Certificate Authority of MITM Proxies +## Appending the certificate authority of MITM proxies See [Custom Certificate Authorities](../security/certificate-authorities) to append the CA certificate of your corporate proxy to the trusted store. -## Configuring a Machine to Use the Proxy +## Configuring a machine to use the proxy To make use of a proxy: diff --git a/public/talos/v1.13/networking/host-dns.mdx b/public/talos/v1.13/networking/host-dns.mdx index bf153479..2e26505e 100644 --- a/public/talos/v1.13/networking/host-dns.mdx +++ b/public/talos/v1.13/networking/host-dns.mdx @@ -8,7 +8,7 @@ import { release_v1_13 } from '/snippets/custom-variables.mdx'; Talos Linux starting with 1.7.0 provides a caching DNS resolver for host workloads (including host networking pods). Host DNS resolver is enabled by default for clusters created with Talos 1.7, and it can be enabled manually on upgrade. -## Enabling Host DNS +## Enabling host DNS Use the following machine configuration patch to enable host DNS resolver: @@ -57,7 +57,7 @@ NODE NAMESPACE TYPE ID VERSION HEALTHY ADDRESS 172.20.0.2 network DNSUpstream 8.8.8.8 1 true 8.8.8.8:53 ``` -## Forwarding `kube-dns` to Host DNS +## Forwarding `kube-dns` to host DNS > Note: This feature is enabled by default for new clusters created with Talos 1.8.0 and later. 
@@ -79,7 +79,7 @@ This configuration should be applied to all nodes in the cluster, if applied aft When `forwardKubeDNSToHost` is enabled, Talos Linux allocates IP address `169.254.116.108` for the host DNS server, and `kube-dns` service is configured to use this IP address as the upstream DNS server: This way `kube-dns` service forwards all DNS requests to the host DNS server, and the cache is shared between the host and `kube-dns`. -## Resolving Talos Cluster Member Names +## Resolving Talos cluster member names Host DNS can be configured to resolve Talos cluster member names to IP addresses, so that the host can communicate with the cluster members by name. Sometimes machine hostnames are already resolvable by the upstream DNS, but this might not always be the case. diff --git a/public/talos/v1.13/networking/ingress-firewall.mdx b/public/talos/v1.13/networking/ingress-firewall.mdx index dbabe9c5..bdccc445 100644 --- a/public/talos/v1.13/networking/ingress-firewall.mdx +++ b/public/talos/v1.13/networking/ingress-firewall.mdx @@ -67,7 +67,7 @@ The `ingress` specifies the list of subnets that are allowed to access the host > Note: incorrect configuration of the ingress firewall might result in the host becoming inaccessible over Talos API. > It is recommended that the configuration be [applied](../configure-your-talos-cluster/system-configuration/editing-machine-configuration) in `--mode=try` to ensure it is reverted in case of a mistake. -## Recommended Rules +## Recommended rules The following rules improve the security of the cluster and cover only standard Talos services. If there are additional services running with host networking in the cluster, they should be covered by additional rules. 
@@ -86,7 +86,7 @@ In the examples we assume the following template variables to describe the clust * `$CP1`, `$CP2`, `$CP3` - the IP addresses of the controlplane nodes * `$VXLAN_PORT` - the UDP port used by the CNI for encapsulated traffic -### Controlplane +### Control plane In this example Ingress policy: @@ -204,7 +204,7 @@ ingress: - subnet: $CLUSTER_SUBNET ``` -## Learn More +## Learn more Talos Linux Ingress Firewall uses `nftables` to perform the filtering. diff --git a/public/talos/v1.13/networking/kubespan.mdx b/public/talos/v1.13/networking/kubespan.mdx index 083a1a22..28e5f26e 100644 --- a/public/talos/v1.13/networking/kubespan.mdx +++ b/public/talos/v1.13/networking/kubespan.mdx @@ -12,7 +12,7 @@ Management of keys and discovery of peers can be completely automated, making it KubeSpan consists of client code in Talos Linux, as well as a [discovery service](../configure-your-talos-cluster/system-configuration/discovery) that enables clients to securely find each other. Sidero Labs operates a free Discovery Service, but the discovery service may, with a commercial license, be operated by your organization and can be [downloaded here](https://github.com/siderolabs/discovery-service). -## Video Walkthrough +## Video walkthrough To see a live demo of KubeSpan, see one the videos below: @@ -20,7 +20,7 @@ To see a live demo of KubeSpan, see one the videos below: -## Network Requirements +## Network requirements KubeSpan uses **UDP port 51820** to carry all KubeSpan encrypted traffic. Because UDP traversal of firewalls is often lenient, and the Discovery Service communicates the apparent IP address of all peers to all other peers, KubeSpan will often work automatically, even when each nodes is behind their own firewall. 
@@ -37,7 +37,7 @@ Note that if workers are in different locations, behind different firewalls, the ## Caveats -### Kubernetes API Endpoint Limitations +### Kubernetes API endpoint limitations When the K8s endpoint is an IP address that is **not** part of Kubespan, but is an address that is forwarded on to the Kubespan address of a control plane node, without changing the source address, then worker nodes will fail to join the cluster. In such a case, the control plane node has no way to determine whether the packet arrived on the private Kubespan address, or the public IP address. @@ -47,7 +47,7 @@ This situation is seen, for example, when the Kubernetes API endpoint is the pub The control plane will receive packets on the public IP, but will reply from it's KubeSpan address. The workaround is to create a load balancer to terminate the Kubernetes API endpoint. -### Digital Ocean Limitations +### Digital ocean limitations Digital Ocean assigns an "Anchor IP" address to each droplet. Talos Linux correctly identifies this as a link-local address, and configures KubeSpan correctly, but this address will often be selected by Flannel or other CNIs as a node's private IP. @@ -59,13 +59,13 @@ This can be worked-around by assigning a non-Anchor private IP: Then restarting flannel: `kubectl delete pods -n kube-system -l k8s-app=flannel` -### Host Port Limitations +### Host port limitations As mentioned in Network Requirements, Kubespan uses **UDP port 51820** to carry all KubeSpan encrypted traffic. For clusters that make heavy use of host ports for Kubernetes pods, care should be taken to ensure that this port is not given to these pods. Failure to do so can result in a pod being assigned the 51820 port and conflicting with Kubespan traffic. -### Cilium Compatibility Limitations +### Cilium compatibility limitations KubeSpan and [Cilium](https://cilium.io) can generally be used together. However, some advanced Cilium configurations are **not compatible** with KubeSpan. 
@@ -88,7 +88,7 @@ We recommend the following workarounds: ## Enabling -### Creating a New Cluster +### Creating a new cluster To enable KubeSpan for a new cluster, we can use the `--with-kubespan` flag in `talosctl gen config`. This will enable peer discovery and KubeSpan. @@ -111,7 +111,7 @@ cluster: > The default discovery service is an external service hosted by Sidero Labs at `https://discovery.talos.dev/`. > Contact Sidero Labs if you need to run this service privately. -### Enabling for an Existing Cluster +### Enabling for an existing cluster In order to enable KubeSpan on an existing cluster, enable `kubespan` and `discovery` settings in the machine config for each machine in the cluster (`discovery` is enabled by default): @@ -170,7 +170,7 @@ extraAnnouncedEndpoints: - 192.168.101.3:61033 ``` -## Resource Definitions +## Resource definitions ### KubeSpanIdentities diff --git a/public/talos/v1.13/networking/predictable-interface-names.mdx b/public/talos/v1.13/networking/predictable-interface-names.mdx index 2de69907..75bd6c3d 100644 --- a/public/talos/v1.13/networking/predictable-interface-names.mdx +++ b/public/talos/v1.13/networking/predictable-interface-names.mdx @@ -19,7 +19,7 @@ The predictable network interface names features can be disabled by specifying ` "Cloud" platforms, like AWS, still use old `eth0` naming scheme as Talos automatically adds `net.ifnames=0` to the kernel command line. -## Single Network Interface +## Single network interface When running Talos on a machine with a single network interface, predictable interface names might be confusing, as it might come up as `enxSOMETHING` which is hard to address. There are two ways to solve this: diff --git a/public/talos/v1.13/networking/siderolink.mdx b/public/talos/v1.13/networking/siderolink.mdx index e945c27f..8289ba48 100644 --- a/public/talos/v1.13/networking/siderolink.mdx +++ b/public/talos/v1.13/networking/siderolink.mdx 
@@ -20,7 +20,7 @@ The SideroLink API URL format is: `https://siderolink.api/?jointoken=token&grpc_ This is useful in environments where UDP traffic is restricted but adds significant overhead to SideroLink communication, enable this only if necessary. Note that the SideroLink API server might ignore this hint, and the connection might use gRPC tunneling regardless of the setting. -## Connection Flow +## Connection flow 1. Talos Linux generates an ephemeral Wireguard key. 2. Talos Linux establishes a gRPC connection to the SideroLink API server, sending its Wireguard public key, join token, and other connection settings. diff --git a/public/talos/v1.13/overview/what-is-talos.mdx b/public/talos/v1.13/overview/what-is-talos.mdx index c5774f01..bf3b21b0 100644 --- a/public/talos/v1.13/overview/what-is-talos.mdx +++ b/public/talos/v1.13/overview/what-is-talos.mdx @@ -31,7 +31,7 @@ For these reasons, Talos has a number of features unique to it: Talos can be deployed anywhere you can run a modern Linux kernel. -## API Managed +## API managed Talos is managed by a single, declarative gRPC API. This is the most unique thing about Talos and something Talos users love. diff --git a/public/talos/v1.13/platform-specific-installations/air-gapped.mdx b/public/talos/v1.13/platform-specific-installations/air-gapped.mdx index 82755237..3af65e38 100644 --- a/public/talos/v1.13/platform-specific-installations/air-gapped.mdx +++ b/public/talos/v1.13/platform-specific-installations/air-gapped.mdx 
@@ -18,12 +18,12 @@ In this guide, we will assume that the environment is completely air-gapped, wit If there is partial connectivity, most of the requirements can be addresses via [pull-through cache](../configure-your-talos-cluster/images-container-runtime/pull-through-cache) and HTTP proxy configuration. -## Network Configuration +## Network configuration Network configuration in air-gapped environments might require custom settings for DNS and NTP servers. If running in a virtual environment, the hypervisor might provide time synchronization via [PTP interface](../configure-your-talos-cluster/system-configuration/time-sync) which doesn't require network access. -## Container Images +## Container images Talos Linux provides support for redirecting image pull requests to internal registries via [registry mirrors](../configure-your-talos-cluster/images-container-runtime/pull-through-cache) feature. This feature can be used to redirect all image pull requests to an internal registry which is pre-populated with required images. @@ -32,9 +32,9 @@ See the section on [airgapped registry](../configure-your-talos-cluster/images-c ## Image Factory -See the [guide on running Image Factory in air-gapped environments](../../../omni/infrastructure-and-extensions/self-hosted/deploy-image-factory-on-prem) for more details. +See the [guide on running Image Factory in air-gapped environments](../../../omni/self-hosted/deploy-image-factory-on-prem) for more details. -## Discovery Service +## Discovery service Talos Linux by default uses the public Discovery Service at `discovery.talos.dev` to facilitate cluster bootstrapping and node discovery. In air-gapped environments, it is recommended to run a self-hosted instance of the Discovery Service (requires a license from Sidero Labs). 
diff --git a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/bootloader.mdx b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/bootloader.mdx index 675143af..2fd196f8 100644 --- a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/bootloader.mdx +++ b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/bootloader.mdx @@ -56,7 +56,7 @@ Partition layout for GRUB: With GRUB, kernel arguments are stored in the GRUB configuration file. The `.machine.install.extraKernelArgs` field in the machine configuration can be used to modify these arguments, followed by an upgrade. -### Controlling Kernel Command Line Behavior +### Controlling kernel command line behavior Starting from Talos v1.12, you can control how GRUB determines the kernel command line using the `.machine.install.grubUseUKICmdline` machine configuration option. diff --git a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/equinix-metal.mdx b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/equinix-metal.mdx index d611680b..92d82ee4 100644 --- a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/equinix-metal.mdx +++ b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/equinix-metal.mdx @@ -18,7 +18,7 @@ Regardless of the method, the process is: * Configure your Kubernetes endpoint to point to the newly created control plane nodes. * Bootstrap the cluster. -## Define the Kubernetes Endpoint +## Define the Kubernetes endpoint There are a variety of ways to create an HA endpoint for the Kubernetes cluster. Some of the ways are: 
@@ -31,9 +31,9 @@ Whatever way is chosen, it should result in an IP address/DNS name that routes t We do not know the control plane node IP addresses at this stage, but we should define the endpoint DNS entry so that we can use it in creating the cluster configuration. After the nodes are provisioned, we can use their addresses to create the endpoint A records, or bind them to the load balancer, etc. -## Create the Machine Configuration Files +## Create the machine configuration files -### Generating Configurations +### Generating configurations Using the DNS name of the loadbalancer defined above, generate the base configuration files for the Talos machines: @@ -46,7 +46,7 @@ created talosconfig > The `port` used above should be 6443, unless your load balancer maps a different port to port 6443 on the control plane nodes. -### Validate the Configuration Files +### Validate the configuration files ```bash talosctl validate --config controlplane.yaml --mode metal @@ -56,7 +56,7 @@ talosctl validate --config worker.yaml --mode metal > Note: Validation of the install disk could potentially fail as validation > is performed on your local machine and the specified disk may not exist. -### Passing in the configuration as User Data +### Passing in the configuration as user data You can use the metadata service provide by Equinix Metal to pass in the machines configuration. It is required to add a shebang to the top of the configuration file. @@ -89,7 +89,7 @@ If you did not pass in the machine configuration as User Data, you need to provi `talosctl apply-config --insecure --nodes --file ./controlplane.yaml` -### Creating a Cluster via the Equinix Metal CLI +### Creating a cluster via the Equinix Metal CLI This guide assumes the user has a working API token,and the [Equinix Metal CLI](https://github.com/equinix/metal-cli/) installed. 
@@ -126,7 +126,7 @@ endpoint.mydomain.com has address 147.75.109.71 endpoint.mydomain.com has address 145.40.90.177 ``` -## Bootstrap Etcd +## Bootstrap etcd Set the `endpoints` and `nodes` for `talosctl`: diff --git a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/matchbox.mdx b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/matchbox.mdx index db7fc90c..16b46858 100644 --- a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/matchbox.mdx +++ b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/matchbox.mdx @@ -5,7 +5,7 @@ aliases: - ../../../bare-metal-platforms/matchbox --- -## Creating a Cluster +## Creating a cluster In this guide we will create an HA Kubernetes cluster with 3 worker nodes. We assume an existing load balancer, matchbox deployment, and some familiarity with iPXE. @@ -13,9 +13,9 @@ We assume an existing load balancer, matchbox deployment, and some familiarity w We leave it up to the user to decide if they would like to use static networking, or DHCP. The setup and configuration of DHCP will not be covered. -### Create the Machine Configuration Files +### Create the machine configuration files -#### Generating Base Configurations +#### Generating base configurations Using the DNS name of the load balancer, generate the base configuration files for the Talos machines: @@ -29,7 +29,7 @@ created talosconfig At this point, you can modify the generated configs to your liking. Optionally, you can specify [machine configuration patches](../../configure-your-talos-cluster/system-configuration/patching#configuration-patching-with-talosctl-cli) which will be applied during the config generation. -#### Validate the Configuration Files +#### Validate the configuration files ```bash $ talosctl validate --config controlplane.yaml --mode metal 
@@ -38,21 +38,21 @@ $ talosctl validate --config worker.yaml --mode metal worker.yaml is valid for metal mode ``` -#### Publishing the Machine Configuration Files +#### Publishing the machine configuration files In bare-metal setups it is up to the user to provide the configuration files over HTTP(S). A special kernel parameter (`talos.config`) must be used to inform Talos about _where_ it should retrieve its configuration file. To keep things simple we will place `controlplane.yaml`, and `worker.yaml` into Matchbox's `assets` directory. This directory is automatically served by Matchbox. -### Create the Matchbox Configuration Files +### Create the Matchbox configuration files The profiles we will create will reference `vmlinuz`, and `initramfs.xz`. Download these files from the [release](https://github.com/siderolabs/talos/releases) of your choice, and place them in `/var/lib/matchbox/assets`. #### Profiles -##### Control Plane Nodes +##### Control plane nodes ```json { @@ -77,7 +77,7 @@ Download these files from the [release](https://github.com/siderolabs/talos/rele > Note: Be sure to change `http://matchbox.talos.dev` to the endpoint of your matchbox server. -##### Worker Nodes +##### Worker nodes ```json { @@ -145,12 +145,12 @@ Now, create the following groups, and ensure that the `selector`s are accurate f } ``` -### Boot the Machines +### Boot the machines Now that we have our configuration files in place, boot all the machines. Talos will come up on each machine, grab its configuration file, and bootstrap itself. -### Bootstrap Etcd +### Bootstrap etcd Set the `endpoints` and `nodes`: diff --git a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx index ebf1b13f..bf1b0886 100644 --- a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx 
+++ b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx @@ -27,7 +27,7 @@ Talos starting with version 1.4.0 offers a new option to configure networking on Talos [dashboard](../../deploy-and-manage-workloads/interactive-dashboard) provides a way to configure `META`-based network configuration for a machine using the console, but it doesn't support all kinds of network configuration. -## Network Configuration Format +## Network configuration format Talos `META`-based network configuration is a YAML file with the following format: @@ -362,7 +362,7 @@ timeServers: If the `timeServers:` is not set, Talos will use default NTP servers. -## Supplying `META` Network Configuration +## Supplying `META` network configuration Once the network configuration YAML document is ready, it can be supplied to Talos in one of the following ways: @@ -376,7 +376,7 @@ In this guide we will assume that the prepared network configuration is stored i > Note: as JSON is a subset of YAML, the network configuration can be also supplied as a JSON document. -### Supplying Network Configuration to a Running Talos Machine +### Supplying network configuration to a running Talos machine Use the `talosctl` to write a network configuration to a running Talos machine: @@ -384,7 +384,7 @@ Use the `talosctl` to write a network configuration to a running Talos machine: talosctl meta write 0xa "$(cat network.yaml)" ``` -### Supplying Network Configuration to a Talos Disk Image +### Supplying network configuration to a Talos disk image Following the [boot assets](../../platform-specific-installations/boot-assets) guide, create a disk image passing the network configuration as a `--meta` flag: 
@@ -394,7 +394,7 @@ docker run --rm -t -v $PWD/_out:/out ghcr.io/siderolabs/imager:${release_v1_13} `} -### Supplying Network Configuration to a Talos ISO/PXE Boot +### Supplying network configuration to a Talos ISO/PXE boot As there is no `META` partition created yet before Talos Linux is installed, `META` values can be set as an environment variable `INSTALLER_META_BASE64` passed to the initial boot of Talos. The supplied value will be used immediately, and also it will be written to the `META` partition once Talos is installed. @@ -417,7 +417,7 @@ echo -n "0xa=$(cat network.yaml)" | gzip -9 | base64 The resulting base64 string should be passed as an environment variable `INSTALLER_META_BASE64` to the initial boot of Talos: `talos.environment=INSTALLER_META_BASE64=`. -### Getting Current `META` Network Configuration +### Getting current `META` network configuration Talos exports `META` keys as resources: diff --git a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/network-config.mdx b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/network-config.mdx index 8b494168..45ed49be 100644 --- a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/network-config.mdx +++ b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/network-config.mdx @@ -13,7 +13,7 @@ In this case, the recommended way is to embed the machine configuration into the If machine configuration embedding is not possible, Talos provides several ways to configure network on bare-metal platforms before the machine configuration is fetched. -## Kernel Command Line +## Kernel command line Talos supports some kernel command line parameters to configure network before the machine configuration is fetched. 
@@ -39,7 +39,7 @@ vlan=eth0.100:eth0 See [kernel parameters reference](../../reference/kernel) for more details. -## Platform Network Configuration +## Platform network configuration Some platforms (e.g. AWS, Google Cloud, etc.) have their own network configuration mechanisms, which can be used to perform the initial network configuration. There is no such mechanism for bare-metal platforms, so Talos provides a way to use platform network config on the `metal` platform to submit the initial network configuration. @@ -72,7 +72,7 @@ docker run --rm -i ghcr.io/siderolabs/imager:${release_v1_13} image --platform m The platform network configuration gets merged with other sources of network configuration, the details can be found in the [network resources guide](../../learn-more/networking-resources#configuration-merging). -## `nocloud` Network Configuration +## `nocloud` network configuration Some bare-metal providers provide a way to configure network via the `nocloud` data source. Talos Linux can automatically pick up this [configuration](../cloud-platforms/nocloud) when `nocloud` image is used. diff --git a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/secureboot.mdx b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/secureboot.mdx index 69d89586..1e60184b 100644 --- a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/secureboot.mdx +++ b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/secureboot.mdx 
@@ -10,14 +10,14 @@ When combined with TPM-based disk encryption, this provides a complete [Trusted This means the disk will only unlock if SecureBoot remains enabled with the same key set when using the default PCR 7 binding. However, **PCR binding is fully configurable** via the `VolumeConfig` `tpm.pcrs` option - see the [TPM encryption options](../../reference/configuration/block/volumeconfig#VolumeConfig.encryption.keys..tpm) for details. -## **PCR Binding Options** +## PCR binding options - **Default**: PCR 7 (SecureBoot state) + PCR 11 signed policy (UKI measurements and boot phases) - **Configurable**: Any combination of PCRs can be specified - **No PCRs**: Can be disabled by passing an empty list, relying solely on PCR 11 signed policy - **Backward compatibility**: Existing installations continue to use their original PCR binding -**Why Configurable PCRs?** +**Why configurable PCRs?** - **Frequent Updates**: PCR 7 covers the SecureBoot policy, particularly the "dbx" denylist of revoked certificates - **Automatic Updates**: Tools like `fwupd` now automatically update the SecureBoot database, causing PCR 7 to change frequently @@ -29,7 +29,7 @@ When the UKI image is generated, the UKI is measured and expected measurements a > Note: SecureBoot is not supported on x86 platforms in BIOS mode. -## SecureBoot Flow +## SecureBoot flow The SecureBoot process follows a strict verification chain from UEFI firmware to the final operating system: 
@@ -79,7 +79,7 @@ As Talos Linux is fully contained in the UKI image, the full operating system is > Note: There is no support at the moment to upgrade non-UKI (GRUB-based) Talos installation to use UKI/SecureBoot, so a fresh installation is required. -## SecureBoot with Sidero Labs Images +## SecureBoot with Sidero Labs images [Sidero Labs](https://www.siderolabs.com/) provides Talos images signed with the [Sidero Labs SecureBoot key](https://factory.talos.dev/secureboot/signing-cert.pem) via [Image Factory](../../learn-more/image-factory). @@ -93,7 +93,7 @@ The install should performed using SecureBoot installer (put it Talos machine co > Note: SecureBoot images can also be generated with [custom keys](#secureboot-with-custom-keys). -## Booting Talos Linux in SecureBoot Mode +## Booting Talos Linux in SecureBoot mode In this guide we will use the ISO image to boot Talos Linux in SecureBoot mode, followed by submitting machine configuration to the machine in maintenance mode. We will use one the ways to generate and submit machine configuration to the node, please refer to the [Production Notes](../../getting-started/prodnotes) for the full guide. 
@@ -159,17 +159,17 @@ Once the new `installer` image is pushed to the registry, [upgrade](../../config It is important to preserve the UKI signing key and the PCR signing key, otherwise the node will not be able to boot with the new UKI and unlock the encrypted partitions. -## Disk Encryption with TPM +## Disk encryption with TPM When encrypting the disk partition for the first time, Talos Linux generates a random disk encryption key and seals (encrypts) it with the TPM device. The TPM unlock policy is configured to trust the expected policy signed by the PCR signing key. This way TPM unlocking doesn't depend on the exact [PCR measurements](https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/), but rather on the expected policy signed by the PCR signing key and the configured PCR states (by default includes PCR 7 for SecureBoot status and the list of enrolled keys, plus PCR 11 for boot integrity). -### PCR Measurements in Detail +### PCR measurements in detail The Unified Kernel Image (UKI) boot process involves several measurement stages that record cryptographic hashes into TPM Platform Configuration Registers (PCRs): -#### systemd-stub UKI Measurements (PCR 11) +#### systemd-stub UKI measurements (PCR 11) According to the [UAPI Unified Kernel Image specification](https://uapi-group.org/specifications/specs/unified_kernel_image/) and [systemd-stub documentation](https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html), systemd-stub measures the following UKI sections into **PCR 11**: 
@@ -193,7 +193,7 @@ According to the [UAPI Unified Kernel Image specification](https://uapi-group.or The [systemd-boot bootloader](https://www.freedesktop.org/software/systemd/man/latest/systemd-boot.html) can optionally measure loaded boot entries and configuration, though this is typically not used in Talos UKI scenarios since the UKI can be loaded directly. -#### Talos Boot Phase Measurements (PCR 11) +#### Talos Boot phase measurements (PCR 11) In addition to the UKI section measurements, Talos extends **PCR 11** with its own boot phases to track the operating system initialization: @@ -204,7 +204,7 @@ In addition to the UKI section measurements, Talos extends **PCR 11** with its o **Important:** The `start-the-world` phase is measured into PCR 11 *after* the encrypted disk has been unlocked. This ensures that user services and workloads cannot decrypt the disk themselves, as any attempt to access TPM-sealed keys will fail due to the changed PCR 11 value. -#### TPM Unlock Policy +#### TPM unlock policy The TPM sealed disk encryption key can only be unsealed when the system reaches the **`enter-machined`** phase. This is the critical security boundary - the disk can only be decrypted if: @@ -214,7 +214,7 @@ The TPM sealed disk encryption key can only be unsealed when the system reaches This ensures that disk decryption only occurs after the trusted boot chain has been verified, but before any potentially untrusted user workloads start. -#### Configurable PCR Binding (Default: PCR 7) +#### Configurable PCR binding (Default: PCR 7) By default, new Talos installations and upgrades maintain binding to **PCR 7**, which includes: 
@@ -229,7 +229,7 @@ During the boot process, `systemd-stub` component of the UKI performs measuremen Talos Linux during the boot appends to the PCR register the measurements of the boot phases, and once the boot reaches the point of mounting the encrypted disk partition, the expected signed policy from the UKI is matched against measured values to unlock the TPM, and TPM unseals the disk encryption key which is then used to unlock the disk partition. -## TPM PCR Measurement Chain +## TPM PCR measurement chain The Trusted Platform Module (TPM) maintains Platform Configuration Registers (PCRs) that record measurements of boot components: @@ -319,7 +319,7 @@ During the upgrade, as long as the new UKI contains PCR policy signed with the s By default, disk encryption is tied to the state of **PCR 7** (SecureBoot state) in addition to **PCR 11** (boot integrity), so that it unlocks only if both the boot chain is valid and SecureBoot is enabled with the expected key set. However, **the PCR binding is fully configurable** via the `VolumeConfig` `tpm.pcrs` option - see the [TPM encryption options](../../reference/configuration/block/volumeconfig#VolumeConfig.encryption.keys..tpm) for details. -## Other Boot Options +## Other boot options Unified Kernel Image (UKI) is a UEFI-bootable image which can be booted directly from the UEFI firmware skipping the `systemd-boot` bootloader. In network boot mode, the UKI can be used directly as well, as it contains the full set of boot assets required to boot Talos Linux. 
@@ -327,9 +327,9 @@ In network boot mode, the UKI can be used directly as well, as it contains the f When SecureBoot is enabled, the UKI image ignores any kernel command line arguments passed to it, but rather uses the kernel command line arguments embedded into the UKI image itself. If kernel command line arguments need to be changed, the UKI image needs to be rebuilt with the new kernel command line arguments. -## SecureBoot with Custom Keys +## SecureBoot with custom keys -### Generating the Keys +### Generating the keys Talos requires two set of keys to be used for the SecureBoot process: @@ -372,7 +372,7 @@ These files can be used to enroll the keys into the UEFI firmware automatically > **Note** : UEFI decides what Secure Boot trusts. By default, `talosctl gen secureboot ...` generates a self-signed UKI signing certificate and `PK.auth/KEK.auth/db.auth` for enrollment. You can also generate your own version of these files which uses other signing keys and certificate authorities specific to your environment. -### Generating the SecureBoot Assets +### Generating the SecureBoot assets Once the keys are generated, they can be used to sign the Talos boot assets to generate required ISO images, PXE boot assets, disk images, installer containers, etc. In this guide we will generate a SecureBoot ISO image and an installer image. diff --git a/public/talos/v1.13/platform-specific-installations/boot-assets.mdx b/public/talos/v1.13/platform-specific-installations/boot-assets.mdx index 36eb8b95..3555e881 100644 --- a/public/talos/v1.13/platform-specific-installations/boot-assets.mdx +++ b/public/talos/v1.13/platform-specific-installations/boot-assets.mdx 
@@ -251,8 +251,6 @@ talosctl upgrade \\ A custom disk image, boot asset can be generated by using the Talos Linux `imager` container: ghcr.io/siderolabs/imager:{release_v1_13}. The `imager` container image can be checked by [verifying its signature](../security/verifying-images). -Imager supports running as rootless container via Podman or Docker without requiring any special privileges. - The generation process can be run with a simple `docker run` command: @@ -292,7 +290,7 @@ The base profile can be customized with the additional flags to the imager: * `--system-extension-image` allows to install a system extension into the image * `--image-cache` allows to use a [local image cache](../configure-your-talos-cluster/images-container-runtime/image-cache) -### Extension Image Reference +### Extension image reference While Image Factory automatically resolves the extension name into a matching container image for a specific version of Talos, `imager` requires the full explicit container image reference. The `imager` also allows to install custom extensions which are not part of the official Talos Linux system extensions. @@ -311,7 +309,7 @@ crane export ghcr.io/siderolabs/extensions:${release_v1_13} | \\ For each Talos release, the `ghcr.io/siderolabs/extensions:VERSION` image contains a pinned reference to each system extension container image. -### Overlay Image Reference +### Overlay image reference While Image Factory automatically resolves the overlay name into a matching container image for a specific version of Talos, `imager` requires the full explicit container image reference. The `imager` also allows to install custom overlays which are not part of the official Talos overlays. 
@@ -329,7 +327,7 @@ crane export ghcr.io/siderolabs/overlays:${release_v1_13} | \\ For each Talos release, the `ghcr.io/siderolabs/overlays:VERSION` image contains a pinned reference to each overlay container image. -### Pulling from Private Registries +### Pulling from private registries Talos Linux official images are all public, but when pulling a custom image from a private registry, the `imager` might need authentication to access the images. diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/akamai.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/akamai.mdx index 5590520e..69f25665 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/akamai.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/akamai.mdx @@ -7,7 +7,7 @@ aliases: import { release_v1_13 } from '/snippets/custom-variables.mdx'; -## Creating a Talos Linux Cluster on Akamai Connected Cloud via the CLI +## Creating a Talos Linux cluster on Akamai connected cloud via the CLI This guide will demonstrate how to create a highly available Kubernetes cluster with one worker using the [Akamai Connected Cloud](https://www.linode.com/) provider. @@ -30,7 +30,7 @@ export REGION=us-ord linode-cli image-upload --region ${REGION} --label talos akamai-amd64.raw.gz ``` -### Create a Load Balancer +### Create a load balancer ```bash export REGION=us-ord 
@@ -40,7 +40,7 @@ export NODEBALANCER_ID=$(linode-cli nodebalancers list --label talos --format id linode-cli nodebalancers config-create --port 443 --protocol tcp --check connection ${NODEBALANCER_ID} ``` -### Create the Machine Configuration Files +### Create the machine configuration files Using the IP address (or DNS name, if you have created one) of the load balancer, generate the base configuration files for the Talos machines. Also note that the load balancer forwards port 443 to port 6443 on the associated nodes, so we should use 443 as the port in the config definition: @@ -53,7 +53,7 @@ talosctl gen config talos-kubernetes-akamai https://${NODEBALANCER_IP} --with-ex ### Create the Linodes -#### Create the Control Plane Nodes +#### Create the control plane nodes > Although root passwords are not used by Talos, Linode requires that a root password be associated with a linode during creation. @@ -95,7 +95,7 @@ for id in $(seq 3); do done ``` -#### Create the Worker Nodes +#### Create the worker nodes > Although root passwords are not used by Talos, Linode requires that a root password be associated with a linode during creation. @@ -125,7 +125,7 @@ config_id=$(linode-cli linodes configs-list ${linode_id} --format id --text --no linode-cli linodes config-update ${linode_id} ${config_id} --kernel "linode/direct-disk" ``` -### Bootstrap Etcd +### Bootstrap etcd Set the `endpoints` and `nodes`: diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/aws.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/aws.mdx index 5f078320..7736bfb0 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/aws.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/aws.mdx 
@@ -7,7 +7,7 @@ aliases: import { release_v1_13 } from '/snippets/custom-variables.mdx'; -## Creating a Cluster via the AWS CLI +## Creating a cluster via the AWS CLI In this guide we will create an HA Kubernetes cluster with 3 control plane nodes across 3 availability zones. You should have an existing AWS account and have the AWS CLI installed and configured. @@ -23,7 +23,7 @@ If you would like to create infrastructure via `terraform` or `opentofu` please > Note: this guide is not a production set up and steps were tested in `bash` and `zsh` shells. -### Create AWS Resources +### Create AWS resources We will be creating a control plane with 3 Ec2 instances spread across 3 availability zones. It is recommended to not use the default VPC so we will create a new one for this tutorial. @@ -40,7 +40,7 @@ VPC_ID=$(aws ec2 create-vpc \ --output text --query 'Vpc.VpcId') ``` -### Create the Subnets +### Create the subnets Create 3 smaller CIDRs to use for each subnet in different availability zones. Make sure to adjust these CIDRs if you changed the default value from the last command. @@ -98,7 +98,7 @@ aws ec2 create-route \ --gateway-id $IGW_ID ``` -### Official AMI Images +### Official AMI images Official AMI image ID can be found in the `cloud-images.json` file attached to the [Talos release](https://github.com/siderolabs/talos/releases). @@ -116,7 +116,7 @@ If using the official AMIs, you can skip to [Creating the Security group](#creat > The use of the official Talos AMIs are recommended, but if you wish to build your own AMIs, follow the procedure below. -#### Create the S3 Bucket +#### Create the S3 bucket ```bash aws s3api create-bucket \ 
@@ -125,13 +125,13 @@ aws s3api create-bucket \ --acl private ``` -#### Create the `vmimport` Role +#### Create the `vmimport` role In order to create an AMI, ensure that the `vmimport` role exists as described in the [official AWS documentation](https://docs.aws.amazon.com/vm-import/latest/userguide/required-permissions.html). Note that the role should be associated with the S3 bucket we created above. -#### Create the Image Snapshot +#### Create the image snapshot First, download the AWS image from Image Factory: @@ -160,7 +160,7 @@ aws ec2 describe-import-snapshot-tasks \ Once the `SnapshotTaskDetail.Status` indicates `completed`, we can register the image. -#### Register the Image +#### Register the image ```bash AMI=$(aws ec2 register-image \ @@ -176,7 +176,7 @@ AMI=$(aws ec2 register-image \ We now have an AMI we can use to create our cluster. -### Create a Security Group +### Create a security group ```bash SECURITY_GROUP_ID=$(aws ec2 create-security-group \ @@ -225,7 +225,7 @@ aws ec2 authorize-security-group-ingress \ --output text ``` -### Create a Load Balancer +### Create a load balancer The load balancer is used for a stable Kubernetes API endpoint. @@ -265,7 +265,7 @@ LISTENER_ARN=$(aws elbv2 create-listener \ --output text) ``` -### Create the Machine Configuration Files +### Create the machine configuration files We will create a [machine config patch](../../configure-your-talos-cluster/system-configuration/patching#rfc6902-json-patches) to use the AWS time servers. You can create [additional patches](../../reference/configuration/v1alpha1/config) to customize the configuration as needed. 
@@ -292,12 +292,12 @@ talosctl gen config talos-k8s-aws-tutorial https://${LOAD_BALANCER_DNS}:6443 \ > Note that the generated configs are too long for AWS userdata field if the `--with-examples` and `--with-docs` flags are not passed. -### Create the EC2 Instances +### Create the EC2 instances > Note: There is a known issue that prevents Talos from running on T2 instance types. > Please use T3 if you need burstable instance types. -#### Create the Control Plane Nodes +#### Create the control plane nodes ```bash declare -a CP_INSTANCES @@ -319,7 +319,7 @@ for SUBNET in ${SUBNETS[@]}; do done ``` -#### Create the Worker Nodes +#### Create the worker nodes For the worker nodes we will create a new launch template with the `worker.yaml` machine configuration and create an autoscaling group. @@ -367,7 +367,7 @@ aws autoscaling create-auto-scaling-group \ --vpc-zone-identifier $(echo ${SUBNETS[@]} | tr ' ' ',') ``` -### Configure the Load Balancer +### Configure the load balancer Now, using the load balancer target group's ARN, and the **PrivateIpAddress** from the controlplane instances that you created : diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/azure.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/azure.mdx index f8bc6185..d756f986 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/azure.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/azure.mdx 
@@ -5,13 +5,13 @@ aliases: - ../../../cloud-platforms/azure --- -## Creating a Cluster via the CLI +## Creating a cluster via the CLI In this guide we will create an HA Kubernetes cluster with 1 worker node. We assume existing [Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/), and some familiarity with Azure. If you need more information on Azure specifics, please see the [official Azure documentation](https://docs.microsoft.com/en-us/azure/). -### Environment Setup +### Environment setup We'll make use of the following environment variables throughout the setup. Edit the variables below with your correct information. @@ -36,7 +36,7 @@ export CONNECTION=$(az storage account show-connection-string \ -o tsv) ``` -### Create the Image +### Create the image First, download the Azure image from [Image Factory](https://factory.talos.dev/). Once downloaded, untar with `tar -xvf /path/to/azure-amd64.tar.gz` @@ -53,7 +53,7 @@ az storage blob upload \ -n talos-azure.vhd ``` -#### Register the Image +#### Register the image Now that the image is present in our blob storage, we'll register it. @@ -65,9 +65,9 @@ az image create \ -g $GROUP ``` -### Network Infrastructure +### Network infrastructure -#### Virtual Networks and Security Groups +#### Virtual networks and security groups Once the image is prepared, we'll want to work through setting up the network. Issue the following to create a network security group and add rules to it. @@ -120,7 +120,7 @@ az network nsg rule create \ --direction inbound ``` -#### Load Balancer +#### Load balancer We will create a public ip, load balancer, and a health check that we will use for our control plane. @@ -160,7 +160,7 @@ az network lb rule create \ --probe-name talos-lb-health ``` -#### Network Interfaces +#### Network interfaces In Azure, we have to pre-create the NICs for our control plane so that they can be associated with our load balancer. 
@@ -190,7 +190,7 @@ done # Use `--sku Basic` to set SKU to Basic. ``` -### Cluster Configuration +### Cluster configuration With our networking bits setup, we'll fetch the IP for our load balancer and create our configuration files. @@ -204,7 +204,7 @@ LB_PUBLIC_IP=$(az network public-ip show \ talosctl gen config talos-k8s-azure-tutorial https://${LB_PUBLIC_IP}:6443 ``` -### Compute Creation +### Compute creation We are now ready to create our azure nodes. Azure allows you to pass Talos machine configuration to the virtual machine at bootstrap time via @@ -212,7 +212,7 @@ Azure allows you to pass Talos machine configuration to the virtual machine at b Talos supports only `custom-data` method, machine configuration is available to the VM only on the first boot. -#### Manual Image Upload +#### Manual image upload ```bash # Create availability set @@ -261,7 +261,7 @@ done # for troubleshooting ``` -### Bootstrap Etcd +### Bootstrap etcd You should now be able to interact with your cluster with `talosctl`. We will need to discover the public IP for our first control plane node first. diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/cloudstack.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/cloudstack.mdx index 69dabb88..4e98c45d 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/cloudstack.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/cloudstack.mdx @@ -13,7 +13,7 @@ We will be using the [CloudStack Cloudmonkey](https://github.com/apache/cloudsta Please see the [official Apache CloudStack documentation](https://docs.cloudstack.apache.org/en/latest/) for information related to Apache CloudStack. -### Obtain the Talos Image +### Obtain the Talos image Download the Talos CloudStack image `cloudstack-amd64.raw.gz` from the [Image Factory](https://factory.talos.dev). 
@@ -26,11 +26,11 @@ You might be able to use the "Register Template from URL" to download the image > Note: CloudStack does not seem to like compressed images, so you might have to download the image to a local webserver, uncompress it and let CloudStack fetch the image from there instead. > Alternatively, you can try to remove `.gz` from URL to fetch an uncompressed image from the Image Factory. -### Get Required Variables +### Get required variables Next we will get a number of required variables and export them for later use: -#### Get Image Template ID +#### Get image template ID ```bash $ cmk list templates templatefilter=self | jq -r '.template[] | [.id, .name] | @tsv' | sort -k2 @@ -51,7 +51,7 @@ a8c71a6f-2e09-41ed-8754-2d4dd8783920 fsn1 $ export ZONE_ID=a8c71a6f-2e09-41ed-8754-2d4dd8783920 ``` -#### Get Service Offering ID +#### Get service offering ID Get a list of service offerings (instance types) and select the desired offering @@ -63,7 +63,7 @@ c7f5253e-e1f1-4e33-a45e-eb2ebbc65fd4 4096 2 K8S-WRK-S $ export SERVICEOFFERING_ID=82ac8c87-22ee-4ec3-8003-c80b09efe02c ``` -#### Get Network ID +#### Get network ID Get a list of networks and select the relevant network for your cluster. @@ -75,7 +75,7 @@ f706984f-9dd1-4cb8-9493-3fba1f0de7e3 Isolate demo $ export NETWORK_ID=143ed8f1-3cc5-4ba2-8717-457ad993cf25 ``` -#### Get next free Public IP address and ID +#### Get next free public IP address and ID To create a loadbalancer for the K8S API Endpoint, find the next available public IP address in the zone. @@ -91,7 +91,7 @@ $ export PUBLIC_IPADDRESS=10.0.0.102 $ export PUBLIC_IPADDRESS_ID=1901d946-3797-48aa-a113-8fb730b0770a ``` -#### Acquire and Associate Public IP Address +#### Acquire and associate Public IP Address Acquire and associate the public IP address with the network we selected earlier. 
@@ -106,7 +106,7 @@ $ cmk associateIpAddress ipaddress=${PUBLIC_IPADDRESS} networkid=${NETWORK_ID} } ``` -#### Create LB and FW rule using the Public IP Address +#### Create LB and FW rule using the public IP address Create a Loadbalancer for the K8S API Endpoint. @@ -128,7 +128,7 @@ $ cmk create loadbalancerrule algorithm=roundrobin name="k8s-api" privateport=64 } ``` -### Create the Talos Configuration Files +### Create the Talos configuration files Finally it's time to generate the Talos configuration files, using the Public IP address assigned to the loadbalancer. @@ -161,7 +161,7 @@ $ cmk deploy virtualmachine zoneid=${ZONE_ID} templateid=${IMAGE_ID} serviceoffe } ``` -#### Get Talos VM ID and Internal IP address +#### Get Talos VM ID and internal IP address Get the ID of our newly created VM. (Also available in the full output of the above command.) @@ -175,7 +175,7 @@ $ export VM_ID=d37aeca4-7d1f-45cd-9a4d-97fdbf535aa1 $ export VM_IP=10.1.1.243 ``` -#### Get Load Balancer ID +#### Get load balancer ID Obtain the ID of the `loadbalancerrule` we created earlier. @@ -186,7 +186,7 @@ ede6b711-b6bc-4ade-9e48-4b3f5aa59934 10.0.0.102 k8s-api $ export LB_RULE_ID=ede6b711-b6bc-4ade-9e48-4b3f5aa59934 ``` -#### Assign Talos VM to Load Balancer +#### Assign Talos VM to load balancer With the ID of the VM and the load balancer, we can assign the VM to the `loadbalancerrule`, making the K8S API endpoint available via the Load Balancer @@ -194,7 +194,7 @@ With the ID of the VM and the load balancer, we can assign the VM to the `loadba cmk assigntoloadbalancerrule id=${LB_RULE_ID} virtualmachineids=${VM_ID} ``` -### Bootstrap Etcd +### Bootstrap etcd Once the Talos VM has booted, it time to bootstrap etcd. diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/digitalocean.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/digitalocean.mdx index 43414d6e..4b92056f 100644 
--- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/digitalocean.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/digitalocean.mdx @@ -7,13 +7,13 @@ aliases: import { release_v1_13 } from '/snippets/custom-variables.mdx'; -## Creating a Talos Linux Cluster on Digital Ocean via the CLI +## Creating a Talos Linux cluster on Digital Ocean via the CLI In this guide we will create an HA Kubernetes cluster with 1 worker node, in the NYC region. We assume an existing [Space](https://www.digitalocean.com/docs/spaces/), and some familiarity with DigitalOcean. If you need more information on DigitalOcean specifics, please see the [official DigitalOcean documentation](https://www.digitalocean.com/docs/). -### Create the Image +### Create the image Download the DigitalOcean image `digital-ocean-amd64.raw.gz` from the Image Factory @@ -41,7 +41,7 @@ doctl compute image create \ Save the image ID. We will need it when creating droplets. -### Create a Load Balancer +### Create a load balancer ```bash doctl compute load-balancer create \ @@ -63,7 +63,7 @@ doctl compute load-balancer get --format IP Note that it may take a few minutes before the load balancer is provisioned, so repeat this command until it returns with the IP address. -### Create the Machine Configuration Files +### Create the machine configuration files Using the IP address (or DNS name, if you have created one) of the loadbalancer, generate the base configuration files for the Talos machines. Also note that the load balancer forwards port 443 to port 6443 on the associated nodes, so we should use 443 as the port in the config definition: @@ -89,7 +89,7 @@ doctl compute ssh-key create --public-key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA Note the ssh key ID that is returned - we will use it in creating the droplets. -#### Create the Control Plane Nodes +#### Create the control plane nodes Run the following commands to create three control plane nodes: 
@@ -125,7 +125,7 @@ doctl compute droplet create \ Note the droplet ID returned for the first control plane node. -#### Create the Worker Nodes +#### Create the worker nodes Run the following to create a worker node: @@ -140,7 +140,7 @@ doctl compute droplet create \ talos-worker-1 ``` -### Bootstrap Etcd +### Bootstrap etcd To configure `talosctl` we will need the first control plane node's IP: diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/gcp.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/gcp.mdx index 25a76e8a..f8f56fa9 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/gcp.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/gcp.mdx @@ -7,7 +7,7 @@ aliases: import { release_v1_13, version_v1_13 } from '/snippets/custom-variables.mdx'; -## Creating a Cluster via the CLI +## Creating a cluster via the CLI In this guide, we will create an HA Kubernetes cluster in GCP with 1 worker node. We will assume an existing [Cloud Storage bucket](https://cloud.google.com/storage/docs/creating-buckets), and some familiarity with Google Cloud. @@ -15,9 +15,9 @@ If you need more information on Google Cloud specifics, please see the [official [jq](https://stedolan.github.io/jq/) and [talosctl](../../getting-started/quickstart#talosctl) also needs to be installed -## Manual Setup +## Manual setup -### Environment Setup +### Environment setup We'll make use of the following environment variables throughout the setup. Edit the variables below with your correct information. @@ -29,12 +29,12 @@ export STORAGE_BUCKET="StorageBucketName" export REGION="us-central1" ``` -### Create the Image +### Create the image First, download the Google Cloud image from [Image Factory](https://factory.talos.dev/). These images are called `gcp-$ARCH.tar.gz`. -#### Upload the Image +#### Upload the image Once you have downloaded the image, you can upload it to your storage bucket with: 
@@ -52,9 +52,9 @@ gcloud compute images create talos \ --guest-os-features=VIRTIO_SCSI_MULTIQUEUE ``` -### Network Infrastructure +### Network infrastructure -#### Load Balancers and Firewalls +#### Load balancers and firewalls Once the image is prepared, we'll want to work through setting up the network. Issue the following to create a firewall, load balancer, and their required components. @@ -116,7 +116,7 @@ gcloud compute firewall-rules create talos-controlplane-talosctl \ --allow tcp:50000 ``` -### Cluster Configuration +### Cluster configuration With our networking bits setup, we'll fetch the IP for our load balancer and create our configuration files. @@ -131,7 +131,7 @@ talosctl gen config talos-k8s-gcp-tutorial https://${LB_PUBLIC_IP}:443 Additionally, you can specify [machine configuration patches](../../configure-your-talos-cluster/system-configuration/patching#configuration-patching-with-talosctl-cli) which will be applied during the config generation. -### Compute Creation +### Compute creation We are now ready to create our GCP nodes. @@ -162,7 +162,7 @@ gcloud compute instances create talos-worker-0 \ --tags talos-worker-$i ``` -### Bootstrap Etcd +### Bootstrap etcd You should now be able to interact with your cluster with `talosctl`. We will need to discover the public IP for our first control plane node first. @@ -239,7 +239,7 @@ gcloud compute images delete \ talos ``` -## Using GCP Deployment manager +## Using GCP deployment manager Using GCP deployment manager automatically creates a Google Storage bucket and uploads the Talos image to it. Once the deployment is complete the generated `talosconfig` and `kubeconfig` files are uploaded to the bucket. 
@@ -350,7 +350,7 @@ gcloud projects add-iam-policy-binding \ --role roles/compute.loadBalancerAdmin ``` -### Downloading talos and kube config +### Downloading talos and kubeconfig In addition to the `talosconfig` and `kubeconfig` files, the storage bucket contains the `controlplane.yaml` and `worker.yaml` files used to join additional nodes to the cluster. diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/hetzner.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/hetzner.mdx index 4615636b..1cf44810 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/hetzner.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/hetzner.mdx @@ -173,7 +173,7 @@ hcloud-upload-image upload --image-path hcloud-$TALOS_IMAGE_ARCH.raw.xz --archit After these actions, you can find the snapshot in the console interface. -## Creating a Cluster via the CLI +## Creating a cluster via the CLI This section assumes you have the [hcloud console utility](https://community.hetzner.com/tutorials/howto-hcloud-cli) on your local machine. @@ -182,7 +182,7 @@ This section assumes you have the [hcloud console utility](https://community.het hcloud context create talos-tutorial ``` -### Create a Load Balancer +### Create a load balancer Create a load balancer by issuing the commands shown below. Save the IP/DNS name, as this info will be used in the next step. @@ -201,9 +201,9 @@ hcloud load-balancer add-target controlplane \ --label-selector 'type=controlplane' ``` -### Create the Machine Configuration Files +### Create the machine configuration files -#### Generating Base Configurations +#### Generating base configurations Using the IP/DNS name of the load balancer created earlier, generate the base configuration files for the Talos machines by issuing: 
@@ -217,7 +217,7 @@ Generating the config without examples and docs is necessary because otherwise y At this point, you can modify the generated configs to your liking. Optionally, you can specify [machine configuration patches](../../configure-your-talos-cluster/system-configuration/patching#configuration-patching-with-talosctl-cli) which will be applied during the config generation. -#### Validate the Configuration Files +#### Validate the configuration files Validate any edited machine configs with: @@ -226,12 +226,12 @@ talosctl validate --config controlplane.yaml --mode cloud talosctl validate --config worker.yaml --mode cloud ``` -### Create the Servers +### Create the servers We can now create our servers. Note that you can find `IMAGE_ID` in the snapshot section of the console: `https://console.hetzner.cloud/projects/$PROJECT_ID/servers/snapshots`. -#### Create the Control Plane Nodes +#### Create the control plane nodes Create the control plane nodes with: @@ -257,7 +257,7 @@ hcloud server create --name talos-control-plane-3 \ --user-data-from-file controlplane.yaml ``` -#### Create the Worker Nodes +#### Create the worker nodes Create the worker nodes with the following command, repeating (and incrementing the name counter) as many times as desired. @@ -269,7 +269,7 @@ hcloud server create --name talos-worker-1 \ --user-data-from-file worker.yaml ``` -### Bootstrap Etcd +### Bootstrap etcd To configure `talosctl` we will need the first control plane node's IP. This can be found by issuing: diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/kubernetes.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/kubernetes.mdx index 869b6b28..7ead7253 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/kubernetes.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/kubernetes.mdx 
@@ -20,7 +20,7 @@ Some operations like upgrades and reboots are not supported. {`ghcr.io/siderolabs/talos:${release_v1_13}`} -## Machine Configuration +## Machine configuration Machine configuration can be generated using [Getting Started](../../getting-started/getting-started) guide. Machine install disk will ge ignored, as the install image. @@ -38,11 +38,11 @@ machine: Talos and Kubernetes API can be exposed using Kubernetes services or load balancers, so they can be accessed from outside the cluster. -## Running Talos Pods +## Running Talos pods There might be many ways to run Talos in Kubernetes (StatefulSet, Deployment, single Pod), so we will only provide some basic guidance here. -### Container Settings +### Container settings {` @@ -65,12 +65,12 @@ securityContext: `} -### Submitting Initial Machine Configuration +### Submitting initial machine configuration Initial machine configuration can be submitted using `talosctl apply-config --insecure` when the pod is running, or it can be submitted via an environment variable `USERDATA` with base64-encoded machine configuration. -### Volume Mounts +### Volume mounts Three ephemeral mounts are required for `/run`, `/system`, and `/tmp` directories: diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/nocloud.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/nocloud.mdx index ea13389c..008c680f 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/nocloud.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/nocloud.mdx @@ -19,7 +19,7 @@ There are two ways to configure Talos server with `nocloud` platform: > Note: This requires the nocloud image which can be downloaded from the [Image Factory](https://factory.talos.dev/). -### SMBIOS Serial Number +### SMBIOS serial number This method requires the network connection to be up (e.g. via DHCP). Configuration is delivered from the HTTP server. 
diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/openstack.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/openstack.mdx index 5a29a947..cae05fb1 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/openstack.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/openstack.mdx @@ -5,26 +5,26 @@ aliases: - ../../../cloud-platforms/openstack --- -## Creating a Cluster via the CLI +## Creating a cluster via the CLI In this guide, we will create an HA Kubernetes cluster in OpenStack with 1 worker node. We will assume an existing some familiarity with OpenStack. If you need more information on OpenStack specifics, please see the [official OpenStack documentation](https://docs.openstack.org). -### Environment Setup +### Environment setup You should have an existing openrc file. This file will provide environment variables necessary to talk to your OpenStack cloud. See [here](https://docs.openstack.org/newton/user-guide/common/cli-set-environment-variables-using-openstack-rc.html) for instructions on fetching this file. -### Create the Image +### Create the image First, download the OpenStack image from [Image Factory](https://factory.talos.dev/). These images are called `openstack-$ARCH.tar.gz`. Untar this file with `tar -xvf openstack-$ARCH.tar.gz`. The resulting file will be called `disk.raw`. -#### Upload the Image +#### Upload the image Once you have the image, you can upload to OpenStack with: 
@@ -32,9 +32,9 @@ Once you have the image, you can upload to OpenStack with: openstack image create --public --disk-format raw --file disk.raw talos ``` -### Network Infrastructure +### Network infrastructure -#### Load Balancer and Network Ports +#### Load balancer and network ports Once the image is prepared, you will need to work through setting up the network. Issue the following to create a load balancer, the necessary network ports for each control plane node, and associations between the two. @@ -79,14 +79,14 @@ openstack loadbalancer member create --subnet-id shared-subnet --address --protocol-port 6443 talos-control-plane-pool ``` -#### Security Groups +#### Security groups This example uses the default security group in OpenStack. Ports have been opened to ensure that connectivity from both inside and outside the group is possible. You will want to allow, at a minimum, ports 6443 (Kubernetes API server) and 50000 (Talos API) from external sources. It is also recommended to allow communication over all ports from within the subnet. -### Cluster Configuration +### Cluster configuration With our networking bits setup, we'll fetch the IP for our load balancer and create our configuration files. @@ -98,7 +98,7 @@ talosctl gen config talos-k8s-openstack-tutorial https://${LB_PUBLIC_IP}:6443 Additionally, you can specify [machine configuration patches](../../configure-your-talos-cluster/system-configuration/patching#configuration-patching-with-talosctl-cli) which will be applied during the config generation. -### Compute Creation +### Compute creation We are now ready to create our OpenStack nodes. @@ -120,7 +120,7 @@ openstack server create talos-worker-1 --flavor m1.small --network shared --imag > Note: This step can be repeated to add more workers. -### Bootstrap Etcd +### Bootstrap etcd You should now be able to interact with your cluster with `talosctl`. We will use one of the floating IPs we allocated earlier. 
diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/oracle.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/oracle.mdx index f938d10e..0a9bc452 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/oracle.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/oracle.mdx @@ -91,7 +91,7 @@ machine: - 169.254.169.254 ``` -## Creating a Cluster via the CLI +## Creating a cluster via the CLI Login to the [console](https://www.oracle.com/cloud/). And open the Cloud Shell. @@ -115,7 +115,7 @@ export sl_id=$(oci network vcn list --compartment-id $compartment_id --query 'da oci network security-list update --security-list-id $sl_id --egress-security-rules '[{"destination": "0.0.0.0/0", "protocol": "all", "isStateless": false}]' --ingress-security-rules '[{"source": "0.0.0.0/0", "protocol": "all", "isStateless": false}]' --force ``` -### Create a Load Balancer +### Create a load balancer Create a load balancer by issuing the commands shown below. Save the IP/DNS name, as this info will be used in the next step. @@ -152,9 +152,9 @@ oci nlb listener create --default-backend-set-name controlplane --name controlpl oci nlb network-load-balancer list --compartment-id $compartment_id --display-name controlplane-lb --query 'data.items[0]."ip-addresses"' ``` -### Create the Machine Configuration Files +### Create the machine configuration files -#### Generating Base Configurations +#### Generating base configurations Using the IP/DNS name of the loadbalancer created earlier, generate the base configuration files for the Talos machines by issuing: 
@@ -168,7 +168,7 @@ created talosconfig At this point, you can modify the generated configs to your liking. Optionally, you can specify [machine configuration patches](../../configure-your-talos-cluster/system-configuration/patching#configuration-patching-with-talosctl-cli) which will be applied during the config generation. -#### Validate the Configuration Files +#### Validate the configuration files Validate any edited machine configs with: @@ -179,9 +179,9 @@ $ talosctl validate --config worker.yaml --mode cloud worker.yaml is valid for cloud mode ``` -### Create the Servers +### Create the servers -#### Create the Control Plane Nodes +#### Create the control plane nodes Create the control plane nodes with: @@ -215,7 +215,7 @@ oci nlb backend create --backend-set-name talos --network-load-balancer-id $netw oci nlb backend create --backend-set-name controlplane --network-load-balancer-id $network_load_balancer_id --port 6443 --target-id $instance_id ``` -#### Create the Worker Nodes +#### Create the worker nodes Create the worker nodes with the following command, repeating (and incrementing the name counter) as many times as desired. @@ -232,7 +232,7 @@ oci compute instance launch --shape $shape --availability-domain $availability_d oci compute instance launch --shape $shape --availability-domain $availability_domain --compartment-id $compartment_id --image-id $image_id --subnet-id $subnet_id --display-name worker-3 --assign-public-ip true --user-data-file worker.yaml ``` -### Bootstrap Etcd +### Bootstrap etcd To configure `talosctl` we will need the first control plane node's IP. This can be found by issuing: diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/scaleway.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/scaleway.mdx index 20d09324..a8b7c646 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/scaleway.mdx 
+++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/scaleway.mdx @@ -15,7 +15,7 @@ The process to run a Talos cluster, on a single node in Scaleway is as follows: - Configure the `scw` CLI to access your account (optional - you can use the console instead) - Have `qemu-img` and `wget` installed for image conversion -## Image Preparation +## Image preparation 1. **Download the image disk** of the Talos version you wish to run: @@ -45,7 +45,7 @@ The process to run a Talos cluster, on a single node in Scaleway is as follows: 4. **Upload to S3-compatible object storage**: Use the Scaleway console Object Storage interface to upload the QCOW2 file directly. -## Snapshot Creation +## Snapshot creation 1. Go to the Scaleway Web console. @@ -57,7 +57,7 @@ The process to run a Talos cluster, on a single node in Scaleway is as follows: 4. Name the snapshot *scaleway-amd64-v{ release_v1_13 }*, and use a Local Storage snapshot type. -## Instance Deployment +## Instance deployment 1. Create instance using the snapshot/image via GUI, CLI, or Infrastructure as Code tools. @@ -73,7 +73,7 @@ talosctl -n $VM_IP get disks --insecure talosctl -n $VM_IP get links --insecure ``` -## Talos Configuration +## Talos configuration As any other Talos instance, generate the Talos machineconfig, with the following patch : ``` @@ -129,7 +129,7 @@ talosctl --talosconfig=./_out/talosconfig --nodes $VM_IP -e $VM_IP version talosctl --talosconfig=./_out/talosconfig --nodes $VM_IP -e $VM_IP dashboard ``` -## Talos Cluster Bootstrap +## Talos cluster bootstrap One last command to bootstrap your Talos Cluster : ``` diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/upcloud.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/upcloud.mdx index 1250bd43..7d8df01c 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/upcloud.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/upcloud.mdx 
@@ -11,7 +11,7 @@ In this guide we will create an HA Kubernetes cluster 3 control plane nodes and We assume some familiarity with UpCloud. If you need more information on UpCloud specifics, please see the [official UpCloud documentation](https://upcloud.com/resources/docs). -## Create the Image +## Create the image The best way to create an image for UpCloud, is to build one using [Hashicorp packer](https://www.packer.io/docs/builders/hetzner-cloud), with the @@ -120,9 +120,9 @@ packer build . After doing this, you can find the custom image in the console interface under storage. -## Creating a Cluster via the CLI +## Creating a cluster via the CLI -### Create an Endpoint +### Create an endpoint To communicate with the Talos cluster you will need a single endpoint that is used to access the cluster. @@ -136,9 +136,9 @@ Endpoint selection has been further documented [here](../../getting-started/gett After you decide on which endpoint to use, note down the domain name or IP, as we will need it in the next step. -### Create the Machine Configuration Files +### Create the machine configuration files -#### Generating Base Configurations +#### Generating base configurations Using the DNS name of the endpoint created earlier, generate the base configuration files for the Talos machines: @@ -157,7 +157,7 @@ Depending on the Kubernetes version you want to run, you might need to select a Optionally, you can specify [machine configuration patches](../../configure-your-talos-cluster/system-configuration/patching#configuration-patching-with-talosctl-cli) which will be applied during the config generation. -#### Validate the Configuration Files +#### Validate the configuration files ```bash $ talosctl validate --config controlplane.yaml --mode cloud 
@@ -166,9 +166,9 @@ $ talosctl validate --config worker.yaml --mode cloud worker.yaml is valid for cloud mode ``` -### Create the Servers +### Create the servers -#### Create the Control Plane Nodes +#### Create the control plane nodes Run the following to create three total control plane nodes: @@ -192,7 +192,7 @@ done Note the IP address of the first control plane node, as we will need it later. -#### Create the Worker Nodes +#### Create the worker nodes Run the following to create a worker node: @@ -209,7 +209,7 @@ upctl server create \ `} -### Bootstrap Etcd +### Bootstrap etcd To configure `talosctl` we will need the first control plane node's IP, as noted earlier. We only add one node IP, as that is the entry into our cluster against which our commands will be run. diff --git a/public/talos/v1.13/platform-specific-installations/cloud-platforms/vultr.mdx b/public/talos/v1.13/platform-specific-installations/cloud-platforms/vultr.mdx index 25a161b0..08766377 100644 --- a/public/talos/v1.13/platform-specific-installations/cloud-platforms/vultr.mdx +++ b/public/talos/v1.13/platform-specific-installations/cloud-platforms/vultr.mdx @@ -14,9 +14,9 @@ This guide will demonstrate how to create a highly-available Kubernetes cluster [Vultr](https://www.vultr.com/) have a very well documented REST API, and an open-source [CLI](https://github.com/vultr/vultr-cli) tool to interact with the API which will be used in this guide. Make sure to follow installation and authentication instructions for the `vultr-cli` tool. -### Boot Options +### Boot options -#### Upload an ISO Image +#### Upload an ISO image First step is to make the Talos ISO available to Vultr by uploading the latest release of the ISO to the Vultr ISO server. 
@@ -28,7 +28,7 @@ vultr-cli iso create --url https://factory.talos.dev/image/376567988ad370138ad8b Make a note of the `ID` in the output, it will be needed later when creating the instances.met -#### PXE Booting via Image Factory +#### PXE booting via image factory Talos Linux can be PXE-booted on Vultr using [Image Factory](../../learn-more/image-factory), using the `vultr` platform: e.g. @@ -41,7 +41,7 @@ Talos Linux can be PXE-booted on Vultr using [Image Factory](../../learn-more/im (this URL references the default schematic and `amd64` architecture). Make a note of the `ID` in the output, it will be needed later when creating the instances. -### Create a Load Balancer +### Create a load balancer A load balancer is needed to serve as the Kubernetes endpoint for the cluster. @@ -66,9 +66,9 @@ vultr-cli load-balancer get $LOAD_BALANCER_ID | grep ^IP Make a note of the `IP` address, it will be needed later when generating the configuration. -### Create the Machine Configuration +### Create the machine configuration -#### Generate Base Configuration +#### Generate base configuration Using the IP address (or DNS name if one was created) of the load balancer created above, generate the machine configuration files for the new cluster. 
@@ -78,16 +78,16 @@ talosctl gen config talos-kubernetes-vultr https://$LOAD_BALANCER_ADDRESS Once generated, the machine configuration can be modified as necessary for the new cluster, for instance updating disk installation, or adding SANs for the certificates. -#### Validate the Configuration Files +#### Validate the configuration files ```bash talosctl validate --config controlplane.yaml --mode cloud talosctl validate --config worker.yaml --mode cloud ``` -### Create the Nodes +### Create the nodes -#### Create the Control Plane Nodes +#### Create the control plane nodes First a control plane needs to be created, with the example below creating 3 instances in a loop. The instance type (noted by the `--plan vc2-2c-4gb` argument) in the example is for a minimum-spec control plane node, and should be updated to suit the cluster being created. @@ -118,7 +118,7 @@ talosctl --talosconfig talosconfig apply-config --insecure --nodes $CONTROL_PLAN talosctl --talosconfig talosconfig apply-config --insecure --nodes $CONTROL_PLANE_3_ADDRESS --file controlplane.yaml ``` -#### Create the Worker Nodes +#### Create the worker nodes Now worker nodes can be created and configured in a similar way to the control plane nodes, the difference being mainly in the machine configuration file. Note that like with the control plane nodes, the instance type (here set by `--plan vc2-1-1gb`) should be changed for the actual cluster requirements. @@ -150,7 +150,7 @@ It is important that the `talosctl bootstrap` command be executed only once and talosctl --talosconfig talosconfig bootstrap --endpoints $CONTROL_PLANE_1_ADDRESS --nodes $CONTROL_PLANE_1_ADDRESS ``` -### Configure Endpoints and Nodes +### Configure endpoints and nodes While the cluster goes through the bootstrapping process and beings to self-manage, the `talosconfig` can be updated with the [endpoints and nodes](../../learn-more/talosctl#endpoints-and-nodes). 
diff --git a/public/talos/v1.13/platform-specific-installations/local-platforms/docker.mdx b/public/talos/v1.13/platform-specific-installations/local-platforms/docker.mdx index 25953eb9..da18d735 100644 --- a/public/talos/v1.13/platform-specific-installations/local-platforms/docker.mdx +++ b/public/talos/v1.13/platform-specific-installations/local-platforms/docker.mdx @@ -30,7 +30,7 @@ Due to the fact that Talos will be running in a container, certain APIs are not For example `upgrade`, `reset`, and similar APIs don't apply in container mode. Further, when running on a Mac in docker, due to networking limitations, VIPs are not supported. -## Create the Cluster +## Create the cluster Creating a local cluster is as simple as: @@ -74,7 +74,7 @@ KUBERNETES ENDPOINT https://127.0.0.1:43083 > sudo modprobe br_netfilter > ``` -## Using the Cluster +## Using the cluster Once the cluster is available, you can make use of `talosctl` and `kubectl` to interact with the cluster. For example, to view current running containers, run `talosctl containers` for a list of containers in the `system` namespace, or `talosctl containers -k` for the `k8s.io` namespace. @@ -88,7 +88,7 @@ To cleanup, run: talosctl cluster destroy ``` -## Multiple Clusters +## Multiple clusters Multiple Talos Linux cluster can be created on the same host, each cluster will need to have: @@ -114,7 +114,7 @@ talosctl --context cluster2 version kubectl --context admin@cluster2 get nodes ``` -## Running Talos in Docker Manually +## Running Talos in Docker manually To run Talos in a container manually, run: diff --git a/public/talos/v1.13/platform-specific-installations/local-platforms/qemu.mdx b/public/talos/v1.13/platform-specific-installations/local-platforms/qemu.mdx index eab7f8b7..59f47eab 100644 --- a/public/talos/v1.13/platform-specific-installations/local-platforms/qemu.mdx +++ b/public/talos/v1.13/platform-specific-installations/local-platforms/qemu.mdx 
@@ -72,7 +72,7 @@ brew install siderolabs/tap/talosctl For manual installation and other platforms please see the [talosctl installation guide](../../getting-started/talosctl ). -## Create the Cluster +## Create the cluster For the first time, create root state directory as your user so that you can inspect the logs as non-root user: @@ -106,7 +106,7 @@ The `omni-api-endpoint` flag configures nodes to connect to an Omni instance onc Using [SideroLink](../../networking/siderolink), the local QEMU nodes can communicate with Omni as long as the endpoint is reachable. This enables connections to a local Omni instance, a cloud-hosted Omni instance, or a Sidero SaaS Omni instance. -## Using the Cluster +## Using the cluster Once the cluster is available, you can make use of `talosctl` and `kubectl` to interact with the cluster. For example, to view current running containers, run `talosctl -n 10.5.0.2 containers` for a list of containers in the `system` namespace, or `talosctl -n 10.5.0.2 containers -k` for the `k8s.io` namespace. @@ -136,7 +136,7 @@ talos-default-controlplane-3 ControlPlane 10.5.0.4 1.00 1.6 GB 4.3 GB talos-default-worker-1 Worker 10.5.0.5 1.00 1.6 GB 4.3 GB ``` -## Cleaning Up +## Cleaning up To cleanup, run: @@ -146,7 +146,7 @@ sudo --preserve-env=HOME talosctl cluster destroy --provisioner qemu > **Note**: In that case that the host machine is rebooted before destroying the cluster, you may need to manually remove `~/.talos/clusters/talos-default`. -## Manual Clean Up +## Manual clean up The `talosctl cluster destroy` command depends heavily on the clusters state directory. It contains all related information of the cluster. @@ -155,7 +155,7 @@ The PIDs and network associated with the cluster nodes. If you happened to have deleted the state folder by mistake or you would like to cleanup the environment, here are the steps how to do it manually: -### Remove VM Launchers +### Remove VM launchers Find the process of `talosctl qemu-launch`: 
diff --git a/public/talos/v1.13/platform-specific-installations/local-platforms/virtualbox.mdx b/public/talos/v1.13/platform-specific-installations/local-platforms/virtualbox.mdx index 8021c2b5..e05ae297 100644 --- a/public/talos/v1.13/platform-specific-installations/local-platforms/virtualbox.mdx +++ b/public/talos/v1.13/platform-specific-installations/local-platforms/virtualbox.mdx @@ -9,7 +9,7 @@ import { release_v1_13 } from '/snippets/custom-variables.mdx'; In this guide we will create a Kubernetes cluster using VirtualBox. -## Video Walkthrough +## Video walkthrough To see a live demo of this writeup, visit Youtube here: @@ -17,7 +17,7 @@ To see a live demo of this writeup, visit Youtube here: ## Installation -### How to Get VirtualBox +### How to get VirtualBox Install VirtualBox with your operating system package manager or from the [website](https://www.virtualbox.org/). For example, on Ubuntu for x86: @@ -36,7 +36,7 @@ brew install siderolabs/tap/talosctl For manual installation and other platforms please see the [talosctl installation guide](../../getting-started/talosctl). -### Download ISO Image +### Download ISO image Download the ISO image from [Image Factory](https://www.talos.dev/latest/talos-guides/install/boot-assets/#image-factory). @@ -92,7 +92,7 @@ Finally, in the "Storage" section, select the optical drive and, on the right, s Repeat this process for a second VM to use as a worker node. You can also repeat this for additional nodes desired. -## Start Control Plane Node +## Start control plane node Once the VMs have been created and updated, start the VM that will be the first control plane node. This VM will boot the ISO image specified earlier and enter "maintenance mode". 
@@ -102,7 +102,7 @@ If you wish to export this IP as a bash variable, simply issue a command like `e -## Generate Machine Configurations +## Generate machine configurations With the IP address above, you can now generate the machine configurations to use for installing Talos and Kubernetes. Issue the following command, updating the output directory, cluster name, and control plane IP as you see fit: @@ -113,7 +113,7 @@ talosctl gen config talos-vbox-cluster https://$CONTROL_PLANE_IP:6443 --output-d This will create several files in the `_out` directory: controlplane.yaml, worker.yaml, and talosconfig. -## Create Control Plane Node +## Create control plane node Using the `controlplane.yaml` generated above, you can now apply this config using talosctl. Issue: @@ -133,7 +133,7 @@ Talos will be installed to disk, the VM will reboot, and then Talos will configu > > Simply remove the ISO image from the VM and restart it. -## Create Worker Node +## Create worker node Create at least a single worker node using a process similar to the control plane creation above. Start the worker node VM and wait for it to enter "maintenance mode". @@ -167,7 +167,7 @@ You should see stage change to `Running` and your cluster is now ready. talosctl --talosconfig $TALOSCONFIG bootstrap ``` -## Using the Cluster +## Using the cluster Once the cluster is available, you can make use of `talosctl` and `kubectl` to interact with the cluster. For example, to view current running containers, run `talosctl containers` for a list of containers in the `system` namespace, or `talosctl containers -k` for the `k8s.io` namespace. @@ -197,6 +197,6 @@ You can then use kubectl in this fashion: kubectl get nodes ``` -## Cleaning Up +## Cleaning up To cleanup, simply stop and delete the virtual machines from the VirtualBox UI. 
diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/bananapi_m64.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/bananapi_m64.mdx index e3c5fbe0..2e9f0850 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/bananapi_m64.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/bananapi_m64.mdx @@ -23,7 +23,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image using Image Factory +## Download the image using Image Factory The default schematic id for "vanilla" Banana Pi M64 is `8e11dcb3c2803fbe893ab201fcadf1ef295568410e7ced95c6c8b122a5070ce4`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -37,7 +37,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. @@ -48,7 +48,7 @@ Now `dd` the image to your SD card: sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M ``` -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/jetson_nano.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/jetson_nano.mdx index ec2f4b30..e735c856 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/jetson_nano.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/jetson_nano.mdx 
@@ -85,7 +85,7 @@ This will flash the firmware to the Jetson Nano SPI flash and you'll see a lot o If you've connected the serial console you'll also see the progress there. Once the flashing is done you can disconnect the USB cable and power off the Jetson Nano. -## Download the Image +## Download the image The default schematic id for "vanilla" Jetson Nano is `c7d6f36c6bdfb45fd63178b202a67cff0dd270262269c64886b43f76880ecf1e`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -99,7 +99,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image Now `dd` the image to your SD card/USB storage: @@ -109,7 +109,7 @@ sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M status=progress | Replace `/dev/mmcblk0` with the name of your SD card/USB storage. -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card/USB storage to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/libretech_all_h3_cc_h5.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/libretech_all_h3_cc_h5.mdx index fd9ef44f..6b609b94 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/libretech_all_h3_cc_h5.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/libretech_all_h3_cc_h5.mdx @@ -23,7 +23,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image The default schematic id for "vanilla" Libretech H3 CC H5 is `5689d7795f91ac5bf6ccc85093fad8f8b27f6ea9d96a9ac5a059997bffd8ad5c`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. 
@@ -37,7 +37,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. @@ -48,7 +48,7 @@ Now `dd` the image to your SD card: sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M ``` -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/nanopi_r4s.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/nanopi_r4s.mdx index 931faec1..e53069a3 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/nanopi_r4s.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/nanopi_r4s.mdx @@ -23,7 +23,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image The default schematic id for "vanilla" NanoPi R4S is `5f74a09891d5830f0b36158d3d9ea3b1c9cc019848ace08ff63ba255e38c8da4`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -37,7 +37,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. @@ -48,7 +48,7 @@ Now `dd` the image to your SD card: sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M ``` -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: 
diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/orangepi_5.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/orangepi_5.mdx index 394b8ad8..1eb267bd 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/orangepi_5.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/orangepi_5.mdx @@ -34,7 +34,7 @@ xz -d metal-arm64.raw.xz `} -#### Flash the Image +#### Flash the image The image can be flashed using Etcher on Windows, macOS, or Linux or using dd on Linux: diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/orangepi_r1_plus_lts.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/orangepi_r1_plus_lts.mdx index aae372fc..e2b73bf6 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/orangepi_r1_plus_lts.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/orangepi_r1_plus_lts.mdx @@ -21,7 +21,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image using Image Factory +## Download the image using Image Factory The default schematic id for "vanilla" Orange Pi R1 Plus LTS is `da388062cd9318efdc7391982a77ebb2a97ed4fbda68f221354c17839a750509`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -35,7 +35,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/pine64.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/pine64.mdx index 8cc57463..27c11302 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/pine64.mdx 
+++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/pine64.mdx @@ -23,7 +23,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image The default schematic id for "vanilla" Pine64 is `185431e0f0bf34c983c6f47f4c6d3703aa2f02cd202ca013216fd71ffc34e175`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -37,7 +37,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. @@ -48,7 +48,7 @@ Now `dd` the image to your SD card: sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M ``` -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/rock4cplus.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/rock4cplus.mdx index 8b6111b7..df405dfc 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/rock4cplus.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/rock4cplus.mdx @@ -21,7 +21,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image The default schematic id for "vanilla" Rock 4c Plus is `ed7091ab924ef1406dadc4623c90f245868f03d262764ddc2c22c8a19eb37c1c`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. 
@@ -54,7 +54,7 @@ The user has two options to proceed: Insert the SD card into the board, turn it on and proceed to [bootstrapping the node](#bootstrapping-the-node). -## Bootstrapping the Node +## Bootstrapping the node Wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/rock5b.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/rock5b.mdx index 73012bfc..a4e179e6 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/rock5b.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/rock5b.mdx @@ -14,7 +14,7 @@ You will need - follow [Installation/talosctl](../../getting-started/talosctl ) to intall `talosctl` - an SD card -## Download the Image +## Download the image Visit the [Image Factory](https://factory.talos.dev/), select `Single Board Computers`, select the version and select `Radxa ROCK 5B` from the options. @@ -30,7 +30,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image This guide assumes the node should boot from SD card. Booting from eMMC or NVMe has not been tested yet. diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/rock64.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/rock64.mdx index 7dec4ca8..de344c72 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/rock64.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/rock64.mdx 
@@ -23,7 +23,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image The default schematic id for "vanilla" Pine64 Rock64 is `0e162298269125049a51ec0a03c2ef85405a55e1d2ac36a7ef7292358cf3ce5a`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -37,7 +37,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. @@ -48,7 +48,7 @@ Now `dd` the image to your SD card: sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M ``` -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/rockpi_4.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/rockpi_4.mdx index ee481ff2..a39adc4c 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/rockpi_4.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/rockpi_4.mdx @@ -24,7 +24,7 @@ chmod +x /usr/local/bin/talosctl -## Download the Image +## Download the image The default schematic id for "vanilla" RockPi 4 is `25d2690bb48685de5939edd6dee83a0e09591311e64ad03c550de00f8a521f51`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -39,7 +39,7 @@ xz -d metal-arm64.raw.xz -## Writing the Image +## Writing the image The path to your SD card/eMMC/USB/nVME can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. 
@@ -68,7 +68,7 @@ Follow the Radxa docs on [Install on M.2 NVME SSD](https://wiki.radxa.com/Rockpi After these above steps, Talos will boot from the nVME/USB and enter maintenance mode. Proceed to [bootstrapping the node](#bootstrapping-the-node). -## Bootstrapping the Node +## Bootstrapping the node Wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/rockpi_4c.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/rockpi_4c.mdx index 7c177776..69c6dd56 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/rockpi_4c.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/rockpi_4c.mdx @@ -21,7 +21,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image The default schematic id for "vanilla" RockPi 4c is `08e72e242b71f42c9db5bed80e8255b2e0d442a372bc09055b79537d9e3ce191`. Refer to the [Image Factory](../../learn-more/image-factory) documentation for more information. @@ -35,7 +35,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image The path to your SD card/eMMC/USB/nVME can be found using `fdisk` on Linux or `diskutil` on macOS. In this example, we will assume `/dev/mmcblk0`. @@ -64,7 +64,7 @@ Follow the Radxa docs on [Install on M.2 NVME SSD](https://wiki.radxa.com/Rockpi After these above steps, Talos will boot from the nVME/USB and enter maintenance mode. Proceed to [bootstrapping the node](#bootstrapping-the-node). -## Bootstrapping the Node +## Bootstrapping the node Wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: 
diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/rpi_generic.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/rpi_generic.mdx index b10dc7d3..203e02d7 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/rpi_generic.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/rpi_generic.mdx @@ -11,7 +11,7 @@ Talos disk image for the Raspberry Pi generic should in theory work for the boar This has only been officialy tested on the Raspberry Pi 4 and community tested on one variant of the Compute Module 4 using Super 6C boards. If you have tested this on other Raspberry Pi boards, please let us know. -## Video Walkthrough +## Video walkthrough To see a live demo of this writeup, see the video below: @@ -44,7 +44,7 @@ Power off the Raspberry Pi and remove the SD card from it. > Note: Updating the bootloader only needs to be done once. -## Download the Image +## Download the image > Note: if you need to enable Broadcom VideoCore GPU support, generate a new image from the [Image Factory](../../learn-more/image-factory) with the correct [config.txt](#configtxt-information) configuration and `vc4` system extension. > More information can be found under the [Image Factory Example](#example-raspberry-pi-generic-with-broadcom-videocore-gpu-support-with-image-factory) below. @@ -60,7 +60,7 @@ xz -d metal-arm64.raw.xz `} -## Writing the Image +## Writing the image Now `dd` the image to your SD card: @@ -68,7 +68,7 @@ Now `dd` the image to your SD card: sudo dd if=metal-arm64.raw of=/dev/mmcblk0 conv=fsync bs=4M ``` -## Bootstrapping the Node +## Bootstrapping the node Insert the SD card to your board, turn it on and wait for the console to show you the instructions for bootstrapping the node. Following the instructions in the console output to connect to the interactive installer: 
@@ -199,7 +199,7 @@ Now we can generate the metal image with the following command: {` -$ docker run --rm -t -v $PWD/_out:/out ghcr.io/siderolabs/imager:${release_v1_13} rpi_generic \ + docker run --rm -t -v $PWD/_out:/out ghcr.io/siderolabs/imager:${release_v1_13} rpi_generic \ --arch arm64 \ --overlay-image ghcr.io/siderolabs/sbc-raspberrypi:v0.1.0@sha256:849ace01b9af514d817b05a9c5963a35202e09a4807d12f8a3ea83657c76c863 \ --overlay-name=rpi_generic \ @@ -300,7 +300,7 @@ Now we can use the customized `installer` image to install Talos on Raspberry Pi When it's time to upgrade a machine, a new `installer` image can be generated using the new version of `imager`, and updating the system extension and overlay images to the matching versions. The custom `installer` image can now be used to upgrade Talos machine. -## config.txt Information +## config.txt information Refer to the default [config.txt](https://github.com/siderolabs/sbc-raspberrypi/blob/main/installers/rpi_generic/src/config.txt) file used by the [sbc-raspberrypi](https://github.com/siderolabs/sbc-raspberrypi) overlay. @@ -363,7 +363,7 @@ The following table can be used to troubleshoot booting issues: | 4 | 6 | Power failure type A | | 4 | 7 | Power failure type B | -### GPU Memory Issues +### GPU memory issues The Contiguous Memory Allocator (CMA) reserves physically contiguous memory for Raspberry Pi GPU/display operations (e.g., KMS/DRM rendering). An error like `DRM_IOCTL_MODE_CREATE_DUMB failed: Cannot allocate memory` indicates an undersized CMA pool for graphics tasks. @@ -381,7 +381,7 @@ The default may be too small for GPU-intensive tasks, and oversizing reduces sys | 512 MB | 4K media, ML with GPU | | 1024 MB | Experimental, may destabilize | -#### Change CMA Size +#### Change CMA size **Kernel Parameters**: 
diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/turing_rk1.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/turing_rk1.mdx index b44864a8..52d32423 100644 --- a/public/talos/v1.13/platform-specific-installations/single-board-computers/turing_rk1.mdx +++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/turing_rk1.mdx @@ -24,7 +24,7 @@ chmod +x /usr/local/bin/talosctl `} -## Download the Image +## Download the image Go to `https://factory.talos.dev` select `Single Board Computers`, select the version and select `Turing RK1` from the options. Choose your desired extensions and fill in the kernel command line arguments if needed. @@ -105,7 +105,7 @@ Skip step 1 if you already installed your NVMe drive. Talos will now boot from the NVMe/USB and enter maintenance mode. -## Bootstrapping the Node +## Bootstrapping the node To monitor boot messages, run: (repeat) diff --git a/public/talos/v1.13/platform-specific-installations/virtualized-platforms/hyper-v.mdx b/public/talos/v1.13/platform-specific-installations/virtualized-platforms/hyper-v.mdx index 6d8b2f93..64ce8276 100644 --- a/public/talos/v1.13/platform-specific-installations/virtualized-platforms/hyper-v.mdx +++ b/public/talos/v1.13/platform-specific-installations/virtualized-platforms/hyper-v.mdx @@ -23,7 +23,7 @@ aliases: ``` - Confirm the change when prompted. -## Plan Overview +## Plan overview We will create a basic 3-node cluster with one control-plane node and two worker nodes. The main difference between the control plane and worker nodes is the amount of RAM and an additional storage VHD for the worker nodes. 
@@ -33,7 +33,7 @@ We use a `VMNamePrefix` argument for the VM name prefix, not the full hostname. This command will find any existing VM with that prefix and increment the highest suffix found. For example, if `talos-cp01` and `talos-cp02` exist, it will create VMs starting from `talos-cp03`, depending on the `NumberOfVMs` argument. -## Setup a Control Plane Node +## Setup a control plane node > Note: Ensure the `LAB` adapter exists in Hyper-V and is set to external. @@ -45,7 +45,7 @@ New-TalosVM -VMNamePrefix talos-cp -CPUCount 2 -StartupMemory 4GB -SwitchName LA This will create the `talos-cp01` VM and power it on. -## Setup Worker Nodes +## Setup worker nodes Create two worker nodes with the following command: @@ -55,7 +55,7 @@ New-TalosVM -VMNamePrefix talos-worker -CPUCount 4 -StartupMemory 8GB -SwitchNam This will create `talos-worker01` and `talos-worker02` VMs, each with an additional 50GB VHD for storage (which can be used for Mayastor). -## Push Config to the Nodes +## Push config to the nodes Once the VMs are ready, find their IP addresses from the VM console. Push the config to the control plane node with: @@ -71,7 +71,7 @@ talosctl gen config talos-cluster https://$($CONTROL_PLANE_IP):6443 --output-dir talosctl apply-config --insecure --nodes $CONTROL_PLANE_IP --file .\controlplane.yaml ``` -## Push Config to Worker Nodes +## Push config to worker nodes Similarly, for the worker nodes: @@ -81,7 +81,7 @@ talosctl apply-config --insecure --nodes 10.10.10.x --file .\worker.yaml Apply the config to both worker nodes. -## Bootstrap Cluster +## Bootstrap cluster With the nodes ready, bootstrap the Kubernetes cluster: diff --git a/public/talos/v1.13/platform-specific-installations/virtualized-platforms/kvm.mdx b/public/talos/v1.13/platform-specific-installations/virtualized-platforms/kvm.mdx index 88b3f6da..97ccf6a1 100644 --- a/public/talos/v1.13/platform-specific-installations/virtualized-platforms/kvm.mdx 
+++ b/public/talos/v1.13/platform-specific-installations/virtualized-platforms/kvm.mdx @@ -30,7 +30,7 @@ cd ~/talos-kvm Download the latest `metal-amd64.iso` from the Talos [GitHub releases page](https://github.com/siderolabs/talos/releases). -## Configure the Network +## Configure the network Before we get started, let’s set up an isolated network for your Talos cluster. @@ -116,7 +116,7 @@ Autostart: yes Bridge: talos-bridge ``` -## Provisioning the Environment +## Provisioning the environment Now that you have a dedicated network let's go ahead and provision VMs. @@ -163,7 +163,7 @@ Use the following command to verify that your VMs are in a running state: virsh list ``` -## Configure the Cluster +## Configure the cluster Now that you have your VMs provisioned it's time to configure the cluster. This step is done through `talosctl` command utility. @@ -214,7 +214,7 @@ talosctl apply-config --insecure --nodes $NODE_IP --file configs/worker.yaml At this point your VMs will reboot. -## Bootstrapping the Cluster +## Bootstrapping the cluster After your VMs restart, you can bootstrap the cluster. Bootstrap simply means starting up your Kubernetes cluster for the first time. diff --git a/public/talos/v1.13/platform-specific-installations/virtualized-platforms/proxmox.mdx b/public/talos/v1.13/platform-specific-installations/virtualized-platforms/proxmox.mdx index eb077785..f75038f4 100644 --- a/public/talos/v1.13/platform-specific-installations/virtualized-platforms/proxmox.mdx +++ b/public/talos/v1.13/platform-specific-installations/virtualized-platforms/proxmox.mdx @@ -9,7 +9,7 @@ import { release_v1_13 } from '/snippets/custom-variables.mdx'; In this guide we will create a Kubernetes cluster using Proxmox. -## Video Walkthrough +## Video walkthrough To see a live demo of this writeup, visit Youtube here: 
@@ -17,7 +17,7 @@ To see a live demo of this writeup, visit Youtube here: ## Installation -### How to Get Proxmox +### How to get Proxmox It is assumed that you have already installed Proxmox onto the server you wish to create Talos VMs on. Visit the [Proxmox](https://www.proxmox.com/en/downloads) downloads page if necessary. @@ -32,7 +32,7 @@ brew install siderolabs/tap/talosctl For manual installation and other platforms please see the [talosctl installation guide](../../getting-started/talosctl ). -### Download ISO Image +### Download ISO image In order to install Talos in Proxmox, you will need the ISO image from [Image Factory](https://www.talos.dev/latest/talos-guides/install/boot-assets/#image-factory). @@ -188,7 +188,7 @@ You can also repeat this for additional nodes desired. > Doing so will cause Talos to be unable to see all available memory and have insufficient memory to complete > installation of the cluster. -## Start Control Plane Node +## Start control plane node Once the VMs have been created and updated, start the VM that will be the first control plane node. This VM will boot the ISO image specified earlier and enter "maintenance mode". @@ -226,7 +226,7 @@ linux /boot/vmlinuz init_on_alloc=1 slab_nomerge pti=on panic=0 consoleblank=0 p Then press Ctrl-x or F10 -## Generate Machine Configurations +## Generate machine configurations With the IP address above, you can now generate the machine configurations to use for installing Talos and Kubernetes. Issue the following command, updating the output directory, cluster name, and control plane IP as you see fit: @@ -264,7 +264,7 @@ talosctl gen config talos-proxmox-cluster https://$CONTROL_PLANE_IP:6443 --outpu - If you did include the extension, go to your VM → **Options** and set **QEMU Guest Agent** to **Enabled**. -## Create Control Plane Node +## Create control plane node Using the `controlplane.yaml` generated above, you can now apply this config using talosctl. Issue: 
@@ -279,7 +279,7 @@ The VM will remain in stage `Booting` until the bootstrap is completed in a late > Note: This process can be repeated multiple times to create an HA control plane. -## Create Worker Node +## Create worker node Create at least a single worker node using a process similar to the control plane creation above. Start the worker node VM and wait for it to enter "maintenance mode". @@ -293,7 +293,7 @@ talosctl apply-config --insecure --nodes $WORKER_IP --file _out/worker.yaml > Note: This process can be repeated multiple times to add additional workers. -## Using the Cluster +## Using the cluster Once the cluster is available, you can make use of `talosctl` and `kubectl` to interact with the cluster. For example, to view current running containers, run `talosctl containers` for a list of containers in the `system` namespace, or `talosctl containers -k` for the `k8s.io` namespace. @@ -307,7 +307,7 @@ talosctl config endpoint $CONTROL_PLANE_IP talosctl config node $CONTROL_PLANE_IP ``` -### Bootstrap Etcd +### Bootstrap etcd ```bash talosctl bootstrap @@ -323,7 +323,7 @@ talosctl kubeconfig . ## Troubleshooting -### Cluster Creation Issues +### Cluster creation issues If `talosctl cluster create` fails with disk controller errors: @@ -337,7 +337,7 @@ If `talosctl cluster create` fails with disk controller errors: talosctl cluster create --disks scsi:10GiB ``` -### Network Connectivity Issues +### Network connectivity issues If nodes fail to obtain IP addresses or show "network is unreachable" errors: 
@@ -361,10 +361,10 @@ If nodes fail to obtain IP addresses or show "network is unreachable" errors: - **Bootstrap hangs**: If bootstrap hangs or disks aren't discovered, verify you're using **VirtIO SCSI** (not "VirtIO SCSI Single") - **Disk not found**: Check disk path using `talosctl get disks --insecure --nodes $CONTROL_PLANE_IP` and update `install.disk` in machine config if needed (e.g., `install.disk: /dev/vda`) -### Secure Boot +### Secure boot For Secure Boot setup, see the [Secure Boot documentation](../bare-metal-platforms/secureboot). -## Cleaning Up +## Cleaning up To cleanup, simply stop and delete the virtual machines from the Proxmox UI. diff --git a/public/talos/v1.13/platform-specific-installations/virtualized-platforms/vmware.mdx b/public/talos/v1.13/platform-specific-installations/virtualized-platforms/vmware.mdx index ecc39977..fe713366 100644 --- a/public/talos/v1.13/platform-specific-installations/virtualized-platforms/vmware.mdx +++ b/public/talos/v1.13/platform-specific-installations/virtualized-platforms/vmware.mdx @@ -7,12 +7,12 @@ aliases: import { release_v1_13, release_branch_v1_13 } from '/snippets/custom-variables.mdx'; -## Creating a Cluster via the `govc` CLI +## Creating a cluster via the `govc` CLI In this guide we will create an HA Kubernetes cluster with 2 worker nodes. We will use the `govc` cli which can be downloaded [here](https://github.com/vmware/govmomi/tree/master/govc#installation). -## Prereqs/Assumptions +## Prerequisites This guide will use the virtual IP ("VIP") functionality that is built into Talos in order to provide a stable, known IP for the Kubernetes control plane. This simply means the user should pick an IP on their "VM Network" to designate for this purpose and keep it handy for future steps. 
@@ -24,9 +24,9 @@ To check your version of ESXi refer to the following Broadcom More information regarding virtual machine hardware versions can be found in the following Broadcom [KB article](https://knowledge.broadcom.com/external/article/315655/virtual-machine-hardware-versions.html). -## Create the Machine Configuration Files +## Create the machine configuration files -### Generating Base Configurations +### Generating base configurations Using the VIP chosen in the prereq steps, we will now generate the base configuration files for the Talos machines. This can be done with the `talosctl gen config ...` command. @@ -66,7 +66,7 @@ created talosconfig At this point, you can modify the generated configs to your liking if needed. Optionally, you can specify additional patches by adding to the `cp.patch.yaml` file downloaded earlier, or create your own patch files. -### Validate the Configuration Files +### Validate the configuration files ```bash $ talosctl validate --config controlplane.yaml --mode cloud @@ -90,7 +90,7 @@ cluster: - --flannel-backend=host-gw ``` -## Set Environment Variables +## Set environment variables `govc` makes use of the following environment variables @@ -111,13 +111,13 @@ export GOVC_DATASTORE= export GOVC_NETWORK= ``` -## Choose Install Approach +## Choose install approach As part of this guide, we have a more automated install script that handles some of the complexity of importing OVAs and creating VMs. If you wish to use this script, we will detail that next. If you wish to carry out the manual approach, simply skip ahead to the "Manual Approach" section. -### Scripted Install +### Scripted install Download the `vmware.sh` script to your local machine. You can do this by issuing: 
@@ -142,7 +142,7 @@ To create a content library and import the Talos OVA corresponding to the mentio ./vmware.sh upload_ova ``` -#### Create Cluster +#### Create cluster With the OVA uploaded to the content library, you can create a 5 node (by default) cluster with 3 control plane and 2 worker nodes: @@ -154,7 +154,7 @@ This step will create a VM from the OVA, edit the settings based on the env vari You may now skip past the "Manual Approach" section down to "Bootstrap Cluster". -### Manual Approach +### Manual approach #### Import the OVA into vCenter @@ -180,7 +180,7 @@ Import the OVA to the library with: govc library.import -n talos-${TALOS_VERSION} /path/to/downloaded/talos.ova ``` -#### Create the Bootstrap Node +#### Create the bootstrap node We'll clone the OVA to create the bootstrap node (our first control plane node). @@ -199,7 +199,7 @@ govc vm.change \ -vm control-plane-1 ``` -#### Update Hardware Resources for the Bootstrap Node +#### Update hardware resources for the bootstrap node - `-c` is used to configure the number of cpus - `-m` is used to configure the amount of memory (in MB) @@ -221,7 +221,7 @@ govc vm.disk.change -vm control-plane-1 -disk.name disk-1000-0 -size 10G govc vm.power -on control-plane-1 ``` -#### Create the Remaining Control Plane Nodes +#### Create the remaining control plane nodes ```bash govc library.deploy /talos-${TALOS_VERSION} control-plane-2 @@ -261,7 +261,7 @@ govc vm.power -on control-plane-2 govc vm.power -on control-plane-3 ``` -#### Update Settings for the Worker Nodes +#### Update settings for the worker nodes ```bash govc library.deploy /talos-${TALOS_VERSION} worker-1 @@ -301,7 +301,7 @@ govc vm.power -on worker-1 govc vm.power -on worker-2 ``` -#### Bootstrap Cluster +#### Bootstrap cluster In the vSphere UI, open a console to one of the control plane nodes. You should see some output stating that etcd should be bootstrapped. 
diff --git a/public/talos/v1.13/platform-specific-installations/virtualized-platforms/xenorchestra.mdx b/public/talos/v1.13/platform-specific-installations/virtualized-platforms/xenorchestra.mdx index 68da1869..b25309a7 100644 --- a/public/talos/v1.13/platform-specific-installations/virtualized-platforms/xenorchestra.mdx +++ b/public/talos/v1.13/platform-specific-installations/virtualized-platforms/xenorchestra.mdx @@ -53,7 +53,7 @@ It is recommended to use the Talos image with the system extension `siderolabs/x This section explains how to create a reusable Talos VM template in Xen Orchestra. -### Recommended Configuration for VMs +### Recommended configuration for VMs Before you begin, familiarize yourself with Talos' [system requirements](../../getting-started/system-requirements) and allocate resources accordingly. @@ -296,7 +296,7 @@ talosctl services --nodes ${CONTROL_PLANE_IP} | grep xen-guest-agent If it does not appear, the node is not yet in a `bootstrappable` state. -#### Bootstrap Etcd +#### Bootstrap etcd Initialize the Etcd cluster: diff --git a/public/talos/v1.13/reference/cli.mdx b/public/talos/v1.13/reference/cli.mdx index 95cfa695..48d03d47 100644 --- a/public/talos/v1.13/reference/cli.mdx +++ b/public/talos/v1.13/reference/cli.mdx @@ -1,8 +1,12 @@ --- description: Talosctl CLI tool reference. -title: CLI +title: talosctl --- +{/* +This file is automatically generated from source documentation. +Do not edit manually. For more information, see https://github.com/siderolabs/docs +*/} ## talosctl apply-config 
@@ -16,24 +20,20 @@ talosctl apply-config [flags] ### Options ``` - --cert-fingerprint strings list of server certificate fingeprints to accept (defaults to no check) - -p, --config-patch stringArray the list of config patches to apply to the local config file before sending it to the node - --dry-run check how the config change will be applied in dry-run mode - -f, --file string the filename of the updated configuration - -h, --help help for apply-config - -i, --insecure apply the config using the insecure (encrypted with no auth) maintenance service - -m, --mode auto, interactive, no-reboot, reboot, staged, try apply config mode (default auto) - --timeout duration the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s) -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --cert-fingerprint strings list of server certificate fingeprints to accept (defaults to no check) + -c, --cluster string Cluster to connect to if a proxy endpoint is used. 
+ -p, --config-patch stringArray the list of config patches to apply to the local config file before sending it to the node + --context string Context to be used in command + --dry-run check how the config change will be applied in dry-run mode + -e, --endpoints strings override default endpoints in Talos configuration + -f, --file string the filename of the updated configuration + -h, --help help for apply-config + -i, --insecure apply the config using the insecure (encrypted with no auth) maintenance service + -m, --mode auto, no-reboot, reboot, staged, try apply config mode (default auto) + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --timeout duration the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s) ``` ### SEE ALSO 
@@ -62,19 +62,15 @@ talosctl bootstrap [flags] ### Options ``` - -h, --help help for bootstrap - --recover-from string recover etcd cluster from the snapshot - --recover-skip-hash-check skip integrity check when recovering etcd (use when recovering from data directory copy) -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for bootstrap + -n, --nodes strings target the specified nodes + --recover-from string recover etcd cluster from the snapshot + --recover-skip-hash-check skip integrity check when recovering etcd (use when recovering from data directory copy) + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -110,98 +106,308 @@ talosctl cgroups [flags] ### Options ``` - -h, --help help for cgroups - --preset string preset name (one of: [cpu cpuset io memory process swap]) - --schema-file string path to the columns schema file + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for cgroups + -n, --nodes strings target the specified nodes + --preset string preset name (one of: [cpu cpuset io memory process psi swap]) + --schema-file string path to the columns schema file + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --skip-cri-resolve do not resolve cgroup names via a request to CRI + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. +``` + +### SEE ALSO + +* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos + +## talosctl cluster create dev + +Creates a local QEMU-based cluster for Talos development. 
+ +``` +talosctl cluster create dev [flags] +``` + +### Options + +``` + --airgapped limit VM network access to the provisioning network only + --arch string cluster architecture (default "amd64") + --bad-rtc launch VM with bad RTC state + --cidr string CIDR of the cluster network (IPv4, ULA network for IPv6 is derived in automated way) (default "10.5.0.0/24") + --cni-bin-path strings search path for CNI binaries (default [/.talos/cni/bin]) + --cni-bundle-url string URL to download CNI bundle from (default "https://github.com/siderolabs/talos/releases/download/v1.12.1/talosctl-cni-bundle-${ARCH}.tar.gz") + --cni-cache-dir string CNI cache directory path (default "/.talos/cni/cache") + --cni-conf-dir string CNI config directory path (default "/.talos/cni/conf.d") + --config-injection-method string a method to inject machine config: default is HTTP server, 'metal-iso' to mount an ISO + --config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file + --config-patch-control-plane stringArray patch generated machineconfigs (applied to 'controlplane' type) + --config-patch-worker stringArray patch generated machineconfigs (applied to 'worker' type) + --control-plane-port int control plane port (load balancer and local API port) (default 6443) + --controlplanes int the number of controlplanes to create (default 1) + --cpus string the share of CPUs as fraction for each control plane/VM (default "2.0") + --cpus-workers string the share of CPUs as fraction for each worker/VM (default "2.0") + --custom-cni-url string install custom CNI from the URL (Talos cluster) + --disable-dhcp-hostname skip announcing hostname via DHCP + --disk int default limit on disk size in MB (each VM) (default 6144) + --disk-block-size uint disk block size (default 512) + --disk-encryption-key-types stringArray encryption key types to use for disk encryption (uuid, kms) (default [uuid]) + --disk-image-path string disk image to use + 
--disk-preallocate whether disk space should be preallocated (default true) + --dns-domain string the dns domain to use for cluster (default "cluster.local") + --encrypt-ephemeral enable ephemeral partition encryption + --encrypt-state enable state partition encryption + --encrypt-user-volumes enable ephemeral partition encryption + --endpoint string use endpoint instead of provider defaults + --extra-boot-kernel-args string add extra kernel args to the initial boot from vmlinuz and initramfs + --extra-disks int number of extra disks to create for each worker VM + --extra-disks-drivers strings driver for each extra disk (virtio, ide, ahci, scsi, nvme, megaraid) + --extra-disks-size int default limit on disk size in MB (each VM) (default 5120) + --extra-uefi-search-paths strings additional search paths for UEFI firmware (only applies when UEFI is enabled) + -h, --help help for dev + --image-cache-path string path to image cache + --image-cache-port uint16 port on which to serve image cache (default 5000) + --image-cache-tls-cert-file string path to image cache TLS cert + --image-cache-tls-key-file string path to image cache TLS key + --init-node-as-endpoint use init node as endpoint instead of any load balancer endpoint + --initrd-path string initramfs image to use (default "_out/initramfs-${ARCH}.xz") + --install-image string the installer image to use (default "ghcr.io/siderolabs/installer:v1.12.1") + --ipv4 enable IPv4 network in the cluster (default true) + --ipv6 enable IPv6 network in the cluster + --ipxe-boot-script string iPXE boot script (URL) to use + --iso-path string the ISO path to use for the initial boot + --kubeprism-port int KubePrism port (set to 0 to disable) (default 7445) + --kubernetes-version string desired kubernetes version to run (default "1.35.0") + --memory string(mb,gb) the limit on memory usage for each control plane/VM (default 2.0GiB) + --memory-workers string(mb,gb) the limit on memory usage for each worker/VM (default 2.0GiB) + 
--mtu int MTU of the cluster network (default 1500) + --nameservers strings list of nameservers to use + --no-masquerade-cidrs strings list of CIDRs to exclude from NAT + --omni-api-endpoint string the Omni API endpoint (must include a scheme, a hostname and a join token, e.g. 'https://siderolink.omni.example?jointoken=foobar') + --registry-insecure-skip-verify strings list of registry hostnames to skip TLS verification for + --registry-mirror strings list of registry mirrors to use in format: = + --skip-injecting-config skip injecting config from embedded metadata server, write config files to current directory + --skip-injecting-extra-cmdline skip injecting extra kernel cmdline parameters via EFI vars through bootloader + --skip-k8s-node-readiness-check skip k8s node readiness checks + --skip-kubeconfig skip merging kubeconfig from the created cluster + --talos-version string the desired Talos version to generate config for (default "v1.12.1") + --talosconfig string The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
+ --uki-path string the UKI image path to use for the initial boot + --usb-path string the USB stick image path to use for the initial boot + --use-vip use a virtual IP for the controlplane endpoint instead of the loadbalancer + --user-volumes strings list of user volumes to create for each VM in format: ::: + --vmlinuz-path string the compressed kernel image to use (default "_out/vmlinuz-${ARCH}") + --wait wait for the cluster to be ready before returning (default true) + --wait-timeout duration timeout to wait for the cluster to be ready (default 20m0s) + --wireguard-cidr string CIDR of the wireguard network + --with-apply-config enable apply config when the VM is starting in maintenance mode + --with-bootloader enable bootloader to load kernel and initramfs from disk image after install (default true) + --with-cluster-discovery enable cluster discovery (default true) + --with-debug enable debug in Talos config to send service logs to the console + --with-firewall string inject firewall rules into the cluster, value is default policy - accept/block + --with-init-node create the cluster with an init node + --with-iommu enable IOMMU support, this also add a new PCI root port and an interface attached to it + --with-json-logs enable JSON logs receiver and configure Talos to send logs there + --with-kubespan enable KubeSpan system + --with-network-bandwidth int specify bandwidth restriction (in kbps) on the bridge interface + --with-network-chaos enable to use network chaos parameters + --with-network-jitter duration specify jitter on the bridge interface + --with-network-latency duration specify latency on the bridge interface + --with-network-packet-corrupt float specify percent of corrupt packets on the bridge interface. e.g. 50% = 0.50 (default: 0.0) + --with-network-packet-loss float specify percent of packet loss on the bridge interface. e.g. 
50% = 0.50 (default: 0.0) + --with-network-packet-reorder float specify percent of reordered packets on the bridge interface. e.g. 50% = 0.50 (default: 0.0) + --with-siderolink true enables the use of siderolink agent as configuration apply mechanism. true or `wireguard` enables the agent, `tunnel` enables the agent with grpc tunneling (default none) + --with-tpm1_2 enable TPM 1.2 emulation support using swtpm + --with-tpm2 enable TPM 2.0 emulation support using swtpm + --with-uefi enable UEFI on x86_64 architecture (default true) + --with-uuid-hostnames use machine UUIDs as default hostnames + --workers int the number of workers to create (default 1) ``` ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --name string the name of the cluster (default "talos-default") + --state string directory path to store cluster state (default "/.talos/clusters") ``` ### SEE ALSO -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos +* [talosctl cluster create](#talosctl-cluster-create) - Create a local Talos cluster. 
-## talosctl cluster create +## talosctl cluster create docker -Creates a local docker-based or QEMU-based kubernetes cluster +Create a local Docker based kubernetes cluster ``` -talosctl cluster create [flags] +talosctl cluster create docker [flags] ``` ### Options ``` + --config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file + --config-patch-controlplanes stringArray patch generated machineconfigs (applied to 'controlplane' type) + --config-patch-workers stringArray patch generated machineconfigs (applied to 'worker' type) + --cpus-controlplanes string the share of CPUs as fraction for each control plane/VM (default "2.0") + --cpus-workers string the share of CPUs as fraction for each worker/VM (default "2.0") + -p, --exposed-ports string comma-separated list of ports/protocols to expose on init node. Ex -p :/ + -h, --help help for docker + --host-ip string Host IP to forward exposed ports to (default "0.0.0.0") + --image string the talos image to run (default "ghcr.io/siderolabs/talos:v1.12.1") + --kubernetes-version string desired kubernetes version to run (default "1.35.0") + --memory-controlplanes string(mb,gb) the limit on memory usage for each control plane/VM (default 2.0GiB) + --memory-workers string(mb,gb) the limit on memory usage for each worker/VM (default 2.0GiB) + --mount mount attach a mount to the container (docker --mount syntax) + --subnet string Docker network subnet CIDR (default "10.5.0.0/24") + --talosconfig-destination string The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
+ --workers int the number of workers to create (default 1) +``` + +### Options inherited from parent commands + +``` + --name string the name of the cluster (default "talos-default") + --state string directory path to store cluster state (default "/.talos/clusters") +``` + +### SEE ALSO + +* [talosctl cluster create](#talosctl-cluster-create) - Create a local Talos cluster. + +## talosctl cluster create qemu + +Create a local QEMU based Talos cluster. + +### Synopsis + +Create a local QEMU based Talos cluster. + +Available presets: + - iso: Configure Talos to boot from an ISO from the Image Factory. + - iso-secureboot: Configure Talos for Secureboot via ISO. Only available on Linux hosts. + - pxe: Configure Talos to boot via PXE from the Image Factory. + - disk-image: Configure Talos to boot from a disk image from the Image Factory. + - maintenance: Skip applying machine configuration and leave the machines in maintenance mode. The machine configuration files are written to the working directory. + +Note: exactly one of 'iso', 'iso-secureboot', 'pxe' or 'disk-image' presets must be specified. 
+ + +``` +talosctl cluster create qemu [flags] +``` + +### Options + +``` + --cidr string CIDR of the cluster network (default "10.5.0.0/24") + --config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file + --config-patch-controlplanes stringArray patch generated machineconfigs (applied to 'controlplane' type) + --config-patch-workers stringArray patch generated machineconfigs (applied to 'worker' type) + --controlplanes int the number of controlplanes to create (default 1) + --cpus-controlplanes string the share of CPUs as fraction for each control plane/VM (default "2.0") + --cpus-workers string the share of CPUs as fraction for each worker/VM (default "2.0") + --disks disks list of disks to create in format ":" (disks after the first one are added only to worker machines) (default virtio:10GiB,virtio:6GiB) + -h, --help help for qemu + --image-factory-url string image factory url (default "https://factory.talos.dev/") + --kubernetes-version string desired kubernetes version to run (default "1.35.0") + --memory-controlplanes string(mb,gb) the limit on memory usage for each control plane/VM (default 2.0GiB) + --memory-workers string(mb,gb) the limit on memory usage for each worker/VM (default 2.0GiB) + --omni-api-endpoint string the Omni API endpoint (must include a scheme, a hostname and a join token, e.g. 'https://siderolink.omni.example?jointoken=foobar') + --presets strings list of presets to apply (default [iso]) + --schematic-id string image factory schematic id (defaults to an empty schematic) + --talos-version string the desired talos version (default "v1.12.1") + --talosconfig-destination string The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
+ --workers int the number of workers to create (default 1) +``` + +### Options inherited from parent commands + +``` + --name string the name of the cluster (default "talos-default") + --state string directory path to store cluster state (default "/.talos/clusters") +``` + +### SEE ALSO + +* [talosctl cluster create](#talosctl-cluster-create) - Create a local Talos cluster. + +## talosctl cluster create dev + +Creates a local QEMU-based cluster for Talos development. + +``` +talosctl cluster create dev [flags] +``` + +### Options + +``` + --airgapped limit VM network access to the provisioning network only --arch string cluster architecture (default "amd64") - --bad-rtc launch VM with bad RTC state (QEMU only) + --bad-rtc launch VM with bad RTC state --cidr string CIDR of the cluster network (IPv4, ULA network for IPv6 is derived in automated way) (default "10.5.0.0/24") - --cni-bin-path strings search path for CNI binaries (VM only) (default [/home/user/.talos/cni/bin]) - --cni-bundle-url string URL to download CNI bundle from (VM only) (default "https://github.com/siderolabs/talos/releases/download/v1.10.0-alpha.3/talosctl-cni-bundle-${ARCH}.tar.gz") - --cni-cache-dir string CNI cache directory path (VM only) (default "/home/user/.talos/cni/cache") - --cni-conf-dir string CNI config directory path (VM only) (default "/home/user/.talos/cni/conf.d") - --config-injection-method string a method to inject machine config: default is HTTP server, 'metal-iso' to mount an ISO (QEMU only) + --cni-bin-path strings search path for CNI binaries (default [/.talos/cni/bin]) + --cni-bundle-url string URL to download CNI bundle from (default "https://github.com/siderolabs/talos/releases/download/v1.12.1/talosctl-cni-bundle-${ARCH}.tar.gz") + --cni-cache-dir string CNI cache directory path (default "/.talos/cni/cache") + --cni-conf-dir string CNI config directory path (default "/.talos/cni/conf.d") + --config-injection-method string a method to inject machine config: default is 
HTTP server, 'metal-iso' to mount an ISO --config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file - --config-patch-control-plane stringArray patch generated machineconfigs (applied to 'init' and 'controlplane' types) + --config-patch-control-plane stringArray patch generated machineconfigs (applied to 'controlplane' type) --config-patch-worker stringArray patch generated machineconfigs (applied to 'worker' type) - --control-plane-port int control plane port (load balancer and local API port, QEMU only) (default 6443) + --control-plane-port int control plane port (load balancer and local API port) (default 6443) --controlplanes int the number of controlplanes to create (default 1) - --cpus string the share of CPUs as fraction (each control plane/VM) (default "2.0") - --cpus-workers string the share of CPUs as fraction (each worker/VM) (default "2.0") + --cpus string the share of CPUs as fraction for each control plane/VM (default "2.0") + --cpus-workers string the share of CPUs as fraction for each worker/VM (default "2.0") --custom-cni-url string install custom CNI from the URL (Talos cluster) - --disable-dhcp-hostname skip announcing hostname via DHCP (QEMU only) + --disable-dhcp-hostname skip announcing hostname via DHCP --disk int default limit on disk size in MB (each VM) (default 6144) - --disk-block-size uint disk block size (VM only) (default 512) + --disk-block-size uint disk block size (default 512) --disk-encryption-key-types stringArray encryption key types to use for disk encryption (uuid, kms) (default [uuid]) --disk-image-path string disk image to use --disk-preallocate whether disk space should be preallocated (default true) --dns-domain string the dns domain to use for cluster (default "cluster.local") - --docker-disable-ipv6 skip enabling IPv6 in containers (Docker only) - --docker-host-ip string Host IP to forward exposed ports to (Docker provisioner only) (default "0.0.0.0") 
--encrypt-ephemeral enable ephemeral partition encryption --encrypt-state enable state partition encryption --encrypt-user-volumes enable ephemeral partition encryption --endpoint string use endpoint instead of provider defaults - -p, --exposed-ports string Comma-separated list of ports/protocols to expose on init node. Ex -p :/ (Docker provisioner only) - --extra-boot-kernel-args string add extra kernel args to the initial boot from vmlinuz and initramfs (QEMU only) + --extra-boot-kernel-args string add extra kernel args to the initial boot from vmlinuz and initramfs --extra-disks int number of extra disks to create for each worker VM --extra-disks-drivers strings driver for each extra disk (virtio, ide, ahci, scsi, nvme, megaraid) --extra-disks-size int default limit on disk size in MB (each VM) (default 5120) --extra-uefi-search-paths strings additional search paths for UEFI firmware (only applies when UEFI is enabled) - -h, --help help for create - --image string the image to use (default "ghcr.io/siderolabs/talos:latest") + -h, --help help for dev + --image-cache-path string path to image cache + --image-cache-port uint16 port on which to serve image cache (default 5000) + --image-cache-tls-cert-file string path to image cache TLS cert + --image-cache-tls-key-file string path to image cache TLS key --init-node-as-endpoint use init node as endpoint instead of any load balancer endpoint --initrd-path string initramfs image to use (default "_out/initramfs-${ARCH}.xz") - -i, --input-dir string location of pre-generated config files - --install-image string the installer image to use (default "ghcr.io/siderolabs/installer:latest") + --install-image string the installer image to use (default "ghcr.io/siderolabs/installer:v1.12.1") --ipv4 enable IPv4 network in the cluster (default true) - --ipv6 enable IPv6 network in the cluster (QEMU provisioner only) + --ipv6 enable IPv6 network in the cluster --ipxe-boot-script string iPXE boot script (URL) to use - --iso-path 
string the ISO path to use for the initial boot (VM only) + --iso-path string the ISO path to use for the initial boot --kubeprism-port int KubePrism port (set to 0 to disable) (default 7445) - --kubernetes-version string desired kubernetes version to run (default "1.33.0") - --memory int the limit on memory usage in MB (each control plane/VM) (default 2048) - --memory-workers int the limit on memory usage in MB (each worker/VM) (default 2048) - --mount mount attach a mount to the container (Docker only) + --kubernetes-version string desired kubernetes version to run (default "1.35.0") + --memory string(mb,gb) the limit on memory usage for each control plane/VM (default 2.0GiB) + --memory-workers string(mb,gb) the limit on memory usage for each worker/VM (default 2.0GiB) --mtu int MTU of the cluster network (default 1500) - --nameservers strings list of nameservers to use (default [8.8.8.8,1.1.1.1,2001:4860:4860::8888,2606:4700:4700::1111]) - --no-masquerade-cidrs strings list of CIDRs to exclude from NAT (QEMU provisioner only) + --nameservers strings list of nameservers to use + --no-masquerade-cidrs strings list of CIDRs to exclude from NAT + --omni-api-endpoint string the Omni API endpoint (must include a scheme, a hostname and a join token, e.g. 
'https://siderolink.omni.example?jointoken=foobar') --registry-insecure-skip-verify strings list of registry hostnames to skip TLS verification for --registry-mirror strings list of registry mirrors to use in format: = --skip-injecting-config skip injecting config from embedded metadata server, write config files to current directory + --skip-injecting-extra-cmdline skip injecting extra kernel cmdline parameters via EFI vars through bootloader --skip-k8s-node-readiness-check skip k8s node readiness checks --skip-kubeconfig skip merging kubeconfig from the created cluster - --talos-version string the desired Talos version to generate config for (if not set, defaults to image version) - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - --uki-path string the UKI image path to use for the initial boot (VM only) - --usb-path string the USB stick image path to use for the initial boot (VM only) + --talos-version string the desired Talos version to generate config for (default "v1.12.1") + --talosconfig string The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --uki-path string the UKI image path to use for the initial boot + --usb-path string the USB stick image path to use for the initial boot --use-vip use a virtual IP for the controlplane endpoint instead of the loadbalancer --user-volumes strings list of user volumes to create for each VM in format: ::: --vmlinuz-path string the compressed kernel image to use (default "_out/vmlinuz-${ARCH}") 
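Review bot: the rewritten `--talosconfig` text in this hunk ("The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order.") keeps the lookup-order wording of the read-side flag; a write destination cannot fall back through two paths "in order", and `/var/run/secrets/talos.dev/config` is the in-cluster mount path, not somewhere a generated client config should be written. Suggest "Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config'." and the same for `--talosconfig-destination` on the new `docker` and `qemu` subcommands. The `--omni-api-endpoint` example `https://siderolink.omni.example?jointoken=foobar` puts the join token in a URL query string on the command line; a sentence that the token then lands in shell history and is visible in `ps` output, so the command line has to be treated as a secret, belongs next to the flag. Two drive-bys in the surrounding context: `--encrypt-user-volumes` is described as "enable ephemeral partition encryption", a copy of the flag above it, and the angle-bracket placeholders in `--registry-mirror ... in format: =` and `--user-volumes ... in format: :::` have been swallowed by the MDX renderer, the same problem this patch fixes for the `talosctl copy` synopsis with `{"<"}...{">"}`.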
@@ -212,44 +418,137 @@ talosctl cluster create [flags] --with-bootloader enable bootloader to load kernel and initramfs from disk image after install (default true) --with-cluster-discovery enable cluster discovery (default true) --with-debug enable debug in Talos config to send service logs to the console - --with-firewall string inject firewall rules into the cluster, value is default policy - accept/block (QEMU only) + --with-firewall string inject firewall rules into the cluster, value is default policy - accept/block --with-init-node create the cluster with an init node - --with-iommu enable IOMMU support, this also add a new PCI root port and an interface attached to it (qemu only) + --with-iommu enable IOMMU support, this also add a new PCI root port and an interface attached to it --with-json-logs enable JSON logs receiver and configure Talos to send logs there --with-kubespan enable KubeSpan system - --with-network-bandwidth int specify bandwidth restriction (in kbps) on the bridge interface when creating a qemu cluster - --with-network-chaos enable to use network chaos parameters when creating a qemu cluster - --with-network-jitter duration specify jitter on the bridge interface when creating a qemu cluster - --with-network-latency duration specify latency on the bridge interface when creating a qemu cluster - --with-network-packet-corrupt float specify percent of corrupt packets on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0) - --with-network-packet-loss float specify percent of packet loss on the bridge interface when creating a qemu cluster. e.g. 50% = 0.50 (default: 0.0) - --with-network-packet-reorder float specify percent of reordered packets on the bridge interface when creating a qemu cluster. e.g. 
50% = 0.50 (default: 0.0) + --with-network-bandwidth int specify bandwidth restriction (in kbps) on the bridge interface + --with-network-chaos enable to use network chaos parameters + --with-network-jitter duration specify jitter on the bridge interface + --with-network-latency duration specify latency on the bridge interface + --with-network-packet-corrupt float specify percent of corrupt packets on the bridge interface. e.g. 50% = 0.50 (default: 0.0) + --with-network-packet-loss float specify percent of packet loss on the bridge interface. e.g. 50% = 0.50 (default: 0.0) + --with-network-packet-reorder float specify percent of reordered packets on the bridge interface. e.g. 50% = 0.50 (default: 0.0) --with-siderolink true enables the use of siderolink agent as configuration apply mechanism. true or `wireguard` enables the agent, `tunnel` enables the agent with grpc tunneling (default none) - --with-tpm2 enable TPM2 emulation support using swtpm + --with-tpm1_2 enable TPM 1.2 emulation support using swtpm + --with-tpm2 enable TPM 2.0 emulation support using swtpm --with-uefi enable UEFI on x86_64 architecture (default true) - --with-uuid-hostnames use machine UUIDs as default hostnames (QEMU only) + --with-uuid-hostnames use machine UUIDs as default hostnames --workers int the number of workers to create (default 1) ``` ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --name string the name of the cluster (default "talos-default") - -n, --nodes strings target the specified nodes - --provisioner string Talos cluster provisioner to use (default "docker") - --state string directory path to store cluster state (default "/home/user/.talos/clusters") + --name string the name of the cluster (default "talos-default") + --state string directory path to store cluster state (default "/.talos/clusters") ``` ### SEE ALSO -* [talosctl cluster](#talosctl-cluster) - A collection of commands for managing local docker-based or QEMU-based clusters +* [talosctl cluster create](#talosctl-cluster-create) - Create a local Talos cluster. + +## talosctl cluster create docker + +Create a local Docker based kubernetes cluster + +``` +talosctl cluster create docker [flags] +``` + +### Options + +``` + --config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file + --config-patch-controlplanes stringArray patch generated machineconfigs (applied to 'controlplane' type) + --config-patch-workers stringArray patch generated machineconfigs (applied to 'worker' type) + --cpus-controlplanes string the share of CPUs as fraction for each control plane/VM (default "2.0") + --cpus-workers string the share of CPUs as fraction for each worker/VM (default "2.0") + -p, --exposed-ports string comma-separated list of ports/protocols to expose on init node. 
Ex -p :/ + -h, --help help for docker + --host-ip string Host IP to forward exposed ports to (default "0.0.0.0") + --image string the talos image to run (default "ghcr.io/siderolabs/talos:v1.12.1") + --kubernetes-version string desired kubernetes version to run (default "1.35.0") + --memory-controlplanes string(mb,gb) the limit on memory usage for each control plane/VM (default 2.0GiB) + --memory-workers string(mb,gb) the limit on memory usage for each worker/VM (default 2.0GiB) + --mount mount attach a mount to the container (docker --mount syntax) + --subnet string Docker network subnet CIDR (default "10.5.0.0/24") + --talosconfig-destination string The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --workers int the number of workers to create (default 1) +``` + +### Options inherited from parent commands + +``` + --name string the name of the cluster (default "talos-default") + --state string directory path to store cluster state (default "/.talos/clusters") +``` + +### SEE ALSO + +* [talosctl cluster create](#talosctl-cluster-create) - Create a local Talos cluster. + +## talosctl cluster create qemu + +Create a local QEMU based Talos cluster. + +### Synopsis + +Create a local QEMU based Talos cluster. + +Available presets: + - iso: Configure Talos to boot from an ISO from the Image Factory. + - iso-secureboot: Configure Talos for Secureboot via ISO. Only available on Linux hosts. + - pxe: Configure Talos to boot via PXE from the Image Factory. + - disk-image: Configure Talos to boot from a disk image from the Image Factory. + - maintenance: Skip applying machine configuration and leave the machines in maintenance mode. The machine configuration files are written to the working directory. + +Note: exactly one of 'iso', 'iso-secureboot', 'pxe' or 'disk-image' presets must be specified. 
+ + +``` +talosctl cluster create qemu [flags] +``` + +### Options + +``` + --cidr string CIDR of the cluster network (default "10.5.0.0/24") + --config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file + --config-patch-controlplanes stringArray patch generated machineconfigs (applied to 'controlplane' type) + --config-patch-workers stringArray patch generated machineconfigs (applied to 'worker' type) + --controlplanes int the number of controlplanes to create (default 1) + --cpus-controlplanes string the share of CPUs as fraction for each control plane/VM (default "2.0") + --cpus-workers string the share of CPUs as fraction for each worker/VM (default "2.0") + --disks disks list of disks to create in format ":" (disks after the first one are added only to worker machines) (default virtio:10GiB,virtio:6GiB) + -h, --help help for qemu + --image-factory-url string image factory url (default "https://factory.talos.dev/") + --kubernetes-version string desired kubernetes version to run (default "1.35.0") + --memory-controlplanes string(mb,gb) the limit on memory usage for each control plane/VM (default 2.0GiB) + --memory-workers string(mb,gb) the limit on memory usage for each worker/VM (default 2.0GiB) + --omni-api-endpoint string the Omni API endpoint (must include a scheme, a hostname and a join token, e.g. 'https://siderolink.omni.example?jointoken=foobar') + --presets strings list of presets to apply (default [iso]) + --schematic-id string image factory schematic id (defaults to an empty schematic) + --talos-version string the desired talos version (default "v1.12.1") + --talosconfig-destination string The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
+ --workers int the number of workers to create (default 1) +``` + +### Options inherited from parent commands + +``` + --name string the name of the cluster (default "talos-default") + --state string directory path to store cluster state (default "/.talos/clusters") +``` + +### SEE ALSO + +* [talosctl cluster create](#talosctl-cluster-create) - Create a local Talos cluster. ## talosctl cluster destroy -Destroys a local docker-based or firecracker-based kubernetes cluster +Destroys a local Talos kubernetes cluster ``` talosctl cluster destroy [flags] @@ -267,14 +566,8 @@ talosctl cluster destroy [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --name string the name of the cluster (default "talos-default") - -n, --nodes strings target the specified nodes - --provisioner string Talos cluster provisioner to use (default "docker") - --state string directory path to store cluster state (default "/home/user/.talos/clusters") - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --name string the name of the cluster (default "talos-default") + --state string directory path to store cluster state (default "/.talos/clusters") ``` ### SEE ALSO 
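Review bot: `--state string directory path to store cluster state (default "/.talos/clusters")` in the inherited-options blocks of `create`, `create docker`, `create qemu` and `destroy` replaces the earlier `/home/user/.talos/clusters`; a default rooted at `/` is what the generator prints when `$HOME` is empty, so these pages were generated without HOME set and now show a path no user will actually get. Regenerate with HOME set, or have the generator emit `$HOME/.talos/clusters` literally. Two further points in the `create` hunk: the new `docker` subcommand's `--host-ip string Host IP to forward exposed ports to (default "0.0.0.0")` means everything passed to `-p/--exposed-ports` is reachable on every host interface rather than only locally, which deserves a warning beside the flag and a `--host-ip 127.0.0.1` example for local development; and the placeholders in `-p ... Ex -p :/` (docker) and `--disks ... in format ":"` (qemu) have been eaten by MDX just like the `copy` synopsis that the patch escapes further down.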
@@ -292,20 +585,15 @@ talosctl cluster show [flags] ### Options ``` - -h, --help help for show + -h, --help help for show + --provisioner string Talos cluster provisioner to use (default "docker") ``` ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --name string the name of the cluster (default "talos-default") - -n, --nodes strings target the specified nodes - --provisioner string Talos cluster provisioner to use (default "docker") - --state string directory path to store cluster state (default "/home/user/.talos/clusters") - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --name string the name of the cluster (default "talos-default") + --state string directory path to store cluster state (default "/.talos/clusters") ``` ### SEE ALSO 
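Review bot: `--provisioner string Talos cluster provisioner to use (default "docker")` now lives on `show` itself, while `create` has been split into `docker` and `qemu` subcommands that no longer carry the flag (it is removed from their inherited options above); a reader who ran `talosctl cluster create qemu` and then runs `talosctl cluster show` silently gets the docker provisioner, so the `show` description should say that `--provisioner qemu` has to be passed explicitly for QEMU clusters.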
@@ -319,27 +607,16 @@ A collection of commands for managing local docker-based or QEMU-based clusters ### Options ``` - -h, --help help for cluster - --name string the name of the cluster (default "talos-default") - --provisioner string Talos cluster provisioner to use (default "docker") - --state string directory path to store cluster state (default "/home/user/.talos/clusters") -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -h, --help help for cluster + --name string the name of the cluster (default "talos-default") + --state string directory path to store cluster state (default "/.talos/clusters") ``` ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos -* [talosctl cluster create](#talosctl-cluster-create) - Creates a local docker-based or QEMU-based kubernetes cluster -* [talosctl cluster destroy](#talosctl-cluster-destroy) - Destroys a local docker-based or firecracker-based kubernetes cluster +* [talosctl cluster create](#talosctl-cluster-create) - Create a local Talos cluster. +* [talosctl cluster destroy](#talosctl-cluster-destroy) - Destroys a local Talos kubernetes cluster * [talosctl cluster show](#talosctl-cluster-show) - Shows info about a local provisioned kubernetes cluster ## talosctl completion 
@@ -377,11 +654,11 @@ talosctl completion SHELL [flags] ## Load the talosctl completion code for bash into the current shell source <(talosctl completion bash) ## Write bash completion code to a file and source if from .bash_profile - talosctl completion bash > ~/.talos/completion.bash.inc - printf " + talosctl completion bash > "${TALOS_HOME:-$HOME/.talos}/completion.bash.inc" + printf ' # talosctl shell completion - source '$HOME/.talos/completion.bash.inc' - " >> $HOME/.bash_profile + source "${TALOS_HOME:-$HOME/.talos}/completion.bash.inc" + ' >> $HOME/.bash_profile source $HOME/.bash_profile # Load the talosctl completion code for fish[1] into the current shell talosctl completion fish | source @@ -399,16 +676,6 @@ talosctl completion SHELL [flags] -h, --help help for completion ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos 
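Review bot: switching the `printf` body to single quotes is correct, since `${TALOS_HOME:-$HOME/.talos}` is then written into `.bash_profile` unexpanded and resolved at login, matching the first line where the same expression is expanded at write time; the remaining nit is that `$HOME/.bash_profile` in the redirection and in the following `source` is left unquoted while every other path in the new lines is quoted. The comment above the snippet still reads "source if from .bash_profile" ("it").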
@@ -433,11 +700,12 @@ talosctl config add [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
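Review bot: `--siderov1-keys-dir` is added to every `config` subcommand with "Only valid for Contexts that use SideroV1 auth", but nothing on this page says what SideroV1 auth is or which contexts use it; link the relevant guide from the description or from the `talosctl config` section. Because the directory holds the PGP keys used to authenticate the client (default `$HOME/.talos/keys`), the description should carry the same handling caveat as the talosconfig itself: the keys are credentials and the directory needs owner-only permissions. The new `-c` shorthand on the persistent `--cluster` flag also warrants a grep that no subcommand under `config`, `conformance`, `containers` or `copy` binds `-c` locally, since pflag panics on a duplicate shorthand when the flag sets are merged.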
@@ -461,11 +729,12 @@ talosctl config context [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -489,11 +758,12 @@ talosctl config contexts [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -517,11 +787,12 @@ talosctl config endpoint ... [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -546,11 +817,12 @@ talosctl config info [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -578,11 +850,12 @@ talosctl config merge [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -608,11 +881,12 @@ talosctl config new [] [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -636,11 +910,12 @@ talosctl config node ... [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -666,11 +941,12 @@ talosctl config remove [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -684,17 +960,13 @@ Manage the client configuration file (talosconfig) ### Options ``` - -h, --help help for config -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for config + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -728,11 +1000,12 @@ talosctl conformance kubernetes [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -746,17 +1019,13 @@ Run conformance tests ### Options ``` - -h, --help help for conformance -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for conformance + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -775,18 +1044,14 @@ talosctl containers [flags] ### Options ``` - -h, --help help for containers - -k, --kubernetes use the k8s.io containerd namespace -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for containers + -k, --kubernetes use the k8s.io containerd namespace + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -799,12 +1064,12 @@ Copy data out from the node ### Synopsis -Creates an .tar.gz archive at the node starting at `` and +Creates an .tar.gz archive at the node starting at {"<"}src-path{">"} and streams it back to the client. -If '-' is given for ``, archive is written to stdout. -Otherwise archive is extracted to `` which should be an empty directory or -talosctl creates a directory if `` doesn't exist. Command doesn't preserve +If '-' is given for {"<"}local-path{">"}, archive is written to stdout. +Otherwise archive is extracted to {"<"}local-path{">"} which should be an empty directory or +talosctl creates a directory if {"<"}local-path{">"} doesn't exist. Command doesn't preserve ownership and access mode for the files in extract mode, while streamed .tar archive captures ownership and permission bits. 
@@ -815,17 +1080,13 @@ talosctl copy -| [flags] ### Options ``` - -h, --help help for copy -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for copy + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
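Review bot: the usage line carried as context in this hunk, `talosctl copy -| [flags]`, still has the `<src-path>` and `<local-path>` placeholders stripped, while the synopsis in the preceding hunk now restores them as `{"<"}src-path{">"}` and `{"<"}local-path{">"}`. The usage line is the one readers copy, so it needs the same repair; if it sits inside a fenced block like the other usage lines on this page, MDX leaves angle brackets literal there and the plain `<src-path> -|<local-path>` form can be written without the JSX escaping.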
@@ -842,14 +1103,14 @@ Provide a text-based UI to navigate node overview, logs and real-time metrics. Keyboard shortcuts: - - h, <Left> - switch one node to the left - - l, <Right> - switch one node to the right - - j, <Down> - scroll logs/process list down - - k, <Up> - scroll logs/process list up - - <C-d> - scroll logs/process list half page down - - <C-u> - scroll logs/process list half page up - - <C-f> - scroll logs/process list one page down - - <C-b> - scroll logs/process list one page up + - h, {"<"}Left{">"} - switch one node to the left + - l, {"<"}Right{">"} - switch one node to the right + - j, {"<"}Down{">"} - scroll logs/process list down + - k, {"<"}Up{">"} - scroll logs/process list up + - {"<"}C-d{">"} - scroll logs/process list half page down + - {"<"}C-u{">"} - scroll logs/process list half page up + - {"<"}C-f{">"} - scroll logs/process list one page down + - {"<"}C-b{">"} - scroll logs/process list one page up ``` 
@@ -859,20 +1120,16 @@ talosctl dashboard [flags] ### Options ``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration -h, --help help for dashboard + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -d, --update-interval duration interval between updates (default 3s) ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos 
@@ -888,19 +1145,15 @@ talosctl dmesg [flags] ### Options ``` - -f, --follow specify if the kernel log should be streamed - -h, --help help for dmesg - --tail specify if only new messages should be sent (makes sense only when combined with --follow) -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -f, --follow specify if the kernel log should be streamed + -h, --help help for dmesg + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --tail specify if only new messages should be sent (makes sense only when combined with --follow) + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -909,41 +1162,37 @@ talosctl dmesg [flags] ## talosctl edit -Edit a resource from the default editor. +Edit Talos node machine configuration with the default editor. ### Synopsis -The edit command allows you to directly edit any API resource -you can retrieve via the command line tools. +The edit command allows you to directly edit the machine configuration +of a Talos node using your preferred text editor. It will open the editor defined by your TALOS_EDITOR, or EDITOR environment variables, or fall back to 'vi' for Linux or 'notepad' for Windows. ``` -talosctl edit [] [flags] +talosctl edit machineconfig [flags] ``` ### Options ``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command --dry-run do not apply the change after editing and print the change summary instead + -e, --endpoints strings override default endpoints in Talos configuration -h, --help help for edit -m, --mode auto, no-reboot, reboot, staged, try apply config mode (default auto) --namespace string resource namespace (default is to use default namespace per resource) + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. --timeout duration the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s) ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos @@ -965,11 +1214,12 @@ talosctl etcd alarm disarm [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
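Review bot: in the `talosctl edit` hunk the description and usage narrow the command to `talosctl edit machineconfig [flags]`, yet the options block still lists `--namespace string resource namespace (default is to use default namespace per resource)`, wording that only makes sense for editing arbitrary resources. If the CLI still accepts the flag, its help text should be reworded in machineconfig terms; if it does not, the flag should be dropped from the page rather than left as a stale entry in a reference readers will copy flags from. Since this page is generated from the CLI help, the fix belongs in the generator input, and the page should be regenerated afterwards.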
@@ -993,11 +1243,12 @@ talosctl etcd alarm list [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -1017,11 +1268,12 @@ Manage etcd alarms ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -1052,16 +1304,132 @@ talosctl etcd defrag [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. +``` + +### SEE ALSO + +* [talosctl etcd](#talosctl-etcd) - Manage etcd + +## talosctl etcd downgrade cancel + +Cancel etcd storage system downgrade. + +``` +talosctl etcd downgrade cancel [flags] +``` + +### Options + +``` + -h, --help help for cancel +``` + +### Options inherited from parent commands + +``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. 
+ --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. +``` + +### SEE ALSO + +* [talosctl etcd downgrade](#talosctl-etcd-downgrade) - Manage etcd storage system downgrades + +## talosctl etcd downgrade enable + +Enable etcd storage system downgrade to the specified version. + +``` +talosctl etcd downgrade enable [flags] +``` + +### Options + +``` + -h, --help help for enable +``` + +### Options inherited from parent commands + +``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. +``` + +### SEE ALSO + +* [talosctl etcd downgrade](#talosctl-etcd-downgrade) - Manage etcd storage system downgrades + +## talosctl etcd downgrade validate + +Validate if the etcd storage system can be downgraded to the specified version. + +``` +talosctl etcd downgrade validate [flags] +``` + +### Options + +``` + -h, --help help for validate +``` + +### Options inherited from parent commands + +``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. 
Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. +``` + +### SEE ALSO + +* [talosctl etcd downgrade](#talosctl-etcd-downgrade) - Manage etcd storage system downgrades + +## talosctl etcd downgrade + +Manage etcd storage system downgrades + +### Options + +``` + -h, --help help for downgrade +``` + +### Options inherited from parent commands + +``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO * [talosctl etcd](#talosctl-etcd) - Manage etcd +* [talosctl etcd downgrade cancel](#talosctl-etcd-downgrade-cancel) - Cancel etcd storage system downgrade. +* [talosctl etcd downgrade enable](#talosctl-etcd-downgrade-enable) - Enable etcd storage system downgrade to the specified version. +* [talosctl etcd downgrade validate](#talosctl-etcd-downgrade-validate) - Validate if the etcd storage system can be downgraded to the specified version. ## talosctl etcd forfeit-leadership 
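Review bot: the new `talosctl etcd downgrade enable` and `talosctl etcd downgrade validate` sections say they act on "the specified version", but their usage lines read `talosctl etcd downgrade enable [flags]` and `talosctl etcd downgrade validate [flags]` with no version argument, so the version-argument placeholder looks to have been lost the same way the `<src-path>`/`<local-path>` placeholders were dropped from the `copy` usage earlier in this patch. Restore it in both usage blocks so a reader knows the version is positional rather than a flag; `downgrade cancel` takes no argument per its description ("Cancel etcd storage system downgrade."), so only the two version-taking commands need the fix.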
@@ -1080,11 +1448,12 @@ talosctl etcd forfeit-leadership [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -1108,11 +1477,12 @@ talosctl etcd leave [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -1136,11 +1506,12 @@ talosctl etcd members [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -1170,11 +1541,12 @@ talosctl etcd remove-member [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -1198,11 +1570,12 @@ talosctl etcd snapshot [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -1230,11 +1603,12 @@ talosctl etcd status [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -1243,22 +1617,18 @@ talosctl etcd status [flags] ## talosctl etcd -Manage etcd - -### Options - -``` - -h, --help help for etcd -``` - -### Options inherited from parent commands +Manage etcd + +### Options ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for etcd + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
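Review bot: in this hunk `Manage etcd`, the following blank line and `### Options` are removed and added back with no visible difference, which usually means a trailing-whitespace or line-ending change; confirm that is all it is and that the heading still renders identically, since the `#talosctl-etcd` anchor used by the SEE ALSO lists depends on that heading text.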
@@ -1266,6 +1636,7 @@ Manage etcd * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos * [talosctl etcd alarm](#talosctl-etcd-alarm) - Manage etcd alarms * [talosctl etcd defrag](#talosctl-etcd-defrag) - Defragment etcd database on the node +* [talosctl etcd downgrade](#talosctl-etcd-downgrade) - Manage etcd storage system downgrades * [talosctl etcd forfeit-leadership](#talosctl-etcd-forfeit-leadership) - Tell node to forfeit etcd cluster leadership * [talosctl etcd leave](#talosctl-etcd-leave) - Tell nodes to leave etcd cluster * [talosctl etcd members](#talosctl-etcd-members) - Get the list of etcd cluster members 
@@ -1284,21 +1655,17 @@ talosctl events [flags] ### Options ``` - --actor-id string filter events by the specified actor ID (default is no filter) - --duration duration show events for the past duration interval (one second resolution, default is to show no history) - -h, --help help for events - --since string show events after the specified event ID (default is to show no history) - --tail int32 show specified number of past events (use -1 to show full history, default is to show no history) -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --actor-id string filter events by the specified actor ID (default is no filter) + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + --duration duration show events for the past duration interval (one second resolution, default is to show no history) + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for events + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --since string show events after the specified event ID (default is to show no history) + --tail int32 show specified number of past events (use -1 to show full history, default is to show no history) + --talosconfig string The path to the Talos configuration file. 
Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO @@ -1325,12 +1692,7 @@ talosctl gen ca [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force will overwrite existing files - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -f, --force will overwrite existing files ``` ### SEE ALSO @@ -1362,8 +1724,8 @@ talosctl gen config [flags] --dns-domain string the dns domain to use for cluster (default "cluster.local") -h, --help help for config --install-disk string the disk to install to (default "/dev/sda") - --install-image string the image used to perform an installation (default "ghcr.io/siderolabs/installer:latest") - --kubernetes-version string desired kubernetes version to run (default "1.33.0") + --install-image string the image used to perform an installation (default "ghcr.io/siderolabs/installer:v1.12.1") + --kubernetes-version string desired kubernetes version to run (default "1.35.0") -o, --output string destination to output generated files. when multiple output types are specified, it must be a directory. for a single output type, it must either be a file path, or "-" for stdout -t, --output-types strings types of outputs to be generated. valid types are: ["controlplane" "worker" "talosconfig"] (default [controlplane,worker,talosconfig]) -p, --persist the desired persist value for configs (default true) 
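Review bot: the `--install-image` default moves from `ghcr.io/siderolabs/installer:latest` to `ghcr.io/siderolabs/installer:v1.12.1` and `--kubernetes-version` from `1.33.0` to `1.35.0`. Pinning a release tag instead of `latest` is the right default for the image used to perform an installation, because a mutable `latest` makes the bits written to `--install-disk` depend on when the command was run rather than on what was reviewed; it also ties this reference page to one talosctl release, so either state near the top of the page which talosctl version generated it or make regeneration part of the release checklist, otherwise the documented defaults will drift from the binary readers actually run.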
@@ -1380,12 +1742,7 @@ talosctl gen config [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force will overwrite existing files - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -f, --force will overwrite existing files ``` ### SEE ALSO @@ -1413,12 +1770,7 @@ talosctl gen crt [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force will overwrite existing files - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -f, --force will overwrite existing files ``` ### SEE ALSO @@ -1445,12 +1797,7 @@ talosctl gen csr [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force will overwrite existing files - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -f, --force will overwrite existing files ``` ### SEE ALSO 
@@ -1475,12 +1822,7 @@ talosctl gen key [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force will overwrite existing files - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -f, --force will overwrite existing files ``` ### SEE ALSO @@ -1506,12 +1848,7 @@ talosctl gen keypair [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force will overwrite existing files - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -f, --force will overwrite existing files ``` ### SEE ALSO 
@@ -1533,19 +1870,14 @@ talosctl gen secrets [flags] -p, --from-kubernetes-pki string use a Kubernetes PKI directory (e.g. /etc/kubernetes/pki) as input -h, --help help for secrets -t, --kubernetes-bootstrap-token string use the provided bootstrap token as input - -o, --output-file string path of the output file (default "secrets.yaml") + -o, --output-file string path of the output file, or "-" for stdout (default "secrets.yaml") --talos-version string the desired Talos version to generate secrets bundle for (backwards compatibility, e.g. v0.8) ``` ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force will overwrite existing files - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -f, --force will overwrite existing files ``` ### SEE ALSO @@ -1573,13 +1905,8 @@ talosctl gen secureboot database [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force will overwrite existing files - -n, --nodes strings target the specified nodes - -o, --output string path to the directory storing the generated files (default "_out") - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -f, --force will overwrite existing files + -o, --output string path to the directory storing the generated files (default "_out") ``` ### SEE ALSO 
@@ -1603,13 +1930,8 @@ talosctl gen secureboot pcr [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force will overwrite existing files - -n, --nodes strings target the specified nodes - -o, --output string path to the directory storing the generated files (default "_out") - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -f, --force will overwrite existing files + -o, --output string path to the directory storing the generated files (default "_out") ``` ### SEE ALSO @@ -1634,13 +1956,8 @@ talosctl gen secureboot uki [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force will overwrite existing files - -n, --nodes strings target the specified nodes - -o, --output string path to the directory storing the generated files (default "_out") - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -f, --force will overwrite existing files + -o, --output string path to the directory storing the generated files (default "_out") ``` ### SEE ALSO 
@@ -1661,12 +1978,7 @@ Generates secrets for the SecureBoot process ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force will overwrite existing files - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -f, --force will overwrite existing files ``` ### SEE ALSO @@ -1687,16 +1999,6 @@ Generate CAs, certificates, and private keys -h, --help help for gen ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos 
@@ -1725,21 +2027,17 @@ talosctl get [] [flags] ### Options ``` - -h, --help help for get - -i, --insecure get resources using the insecure (encrypted with no auth) maintenance service - --namespace string resource namespace (default is to use default namespace per resource) - -o, --output string output mode (json, table, yaml, jsonpath) (default "table") - -w, --watch watch resource changes -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for get + -i, --insecure get resources using the insecure (encrypted with no auth) maintenance service + --namespace string resource namespace (default is to use default namespace per resource) + -n, --nodes strings target the specified nodes + -o, --output string output mode (json, table, yaml, jsonpath) (default "table") + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -w, --watch watch resource changes ``` ### SEE ALSO 
@@ -1757,29 +2055,64 @@ talosctl health [flags] ### Options ``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command --control-plane-nodes strings specify IPs of control plane nodes + -e, --endpoints strings override default endpoints in Talos configuration -h, --help help for health --init-node string specify IPs of init node --k8s-endpoint string use endpoint instead of kubeconfig default + -n, --nodes strings target the specified nodes --run-e2e run Kubernetes e2e test --server run server-side check (default true) + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. --wait-timeout duration timeout to wait for the cluster to be ready (default 20m0s) --worker-nodes strings specify IPs of worker nodes ``` +### SEE ALSO + +* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos + +## talosctl image cache-cert-gen + +Generate TLS certificates and CA patch required for securing image cache to Talos communication + +### Synopsis + +Generate TLS certificates and CA patch required for securing image cache to Talos communication + +``` +talosctl image cache-cert-gen [flags] +``` + +### Options + +``` + --advertised-address ipSlice The addresses to advertise. (default []) + --advertised-name strings The DNS names to advertise. 
+ -h, --help help for cache-cert-gen + --tls-ca-file string TLS certificate authority file (default "ca.crt") + --tls-cert-file string TLS certificate file to use for serving (default "tls.crt") + --tls-key-file string TLS key file to use for serving (default "tls.key") +``` + ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos +* [talosctl image](#talosctl-image) - Manage CRI container images ## talosctl image cache-create 
@@ -1796,7 +2129,7 @@ talosctl image cache-create [flags] ### Examples ``` -talosctl images cache-create --images=ghcr.io/siderolabs/kubelet:v1.33.0 --image-cache-path=/tmp/talos-image-cache +talosctl images cache-create --images=ghcr.io/siderolabs/kubelet:v1.35.0 --image-cache-path=/tmp/talos-image-cache Alternatively, stdin can be piped to the command: talosctl images default | talosctl images cache-create --image-cache-path=/tmp/talos-image-cache --images=- 
@@ -1812,47 +2145,90 @@ talosctl images default | talosctl images cache-create --image-cache-path=/tmp/t --image-layer-cache-path string directory to save the image layer cache --images strings images to cache --insecure allow insecure registries - --platform string platform to use for the cache (default "linux/amd64") + --layout string Specifies the cache layout format: "oci" for an OCI image layout directory, or "flat" for a registry-like flat file structure (default "oci") + --platform strings platform to use for the cache (default [linux/amd64]) +``` + +### Options inherited from parent commands + +``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
+``` + +### SEE ALSO + +* [talosctl image](#talosctl-image) - Manage CRI container images + +## talosctl image cache-serve + +Serve an OCI image cache directory over HTTP(S) as a container registry + +### Synopsis + +Serve an OCI image cache directory over HTTP(S) as a container registry + +``` +talosctl image cache-serve [flags] +``` + +### Options + +``` + --address string address to serve the registry on (default "127.0.0.1:3172") + -h, --help help for cache-serve + --image-cache-path string directory to save the image cache in flat format + --mirror strings list of registry mirrors to add to the Talos config patch (default [docker.io,ghcr.io,registry.k8s.io]) + --tls-cert-file string TLS certificate file to use for serving + --tls-key-file string TLS key file to use for serving ``` ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. 
+ --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO * [talosctl image](#talosctl-image) - Manage CRI container images -## talosctl image default +## talosctl image k8s-bundle -List the default images used by Talos +List the default Kubernetes images used by Talos ``` -talosctl image default [flags] +talosctl image k8s-bundle [flags] ``` ### Options ``` - -h, --help help for default + -h, --help help for k8s-bundle + --provisioner string include provisioner specific images (default "installer") ``` ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. 
Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO @@ -1876,12 +2252,13 @@ talosctl image list [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -1905,46 +2282,76 @@ talosctl image pull [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
``` ### SEE ALSO * [talosctl image](#talosctl-image) - Manage CRI container images -## talosctl image +## talosctl image talos-bundle -Manage CRI container images +List the default system images and extensions used for Talos + +``` +talosctl image talos-bundle [talos-version] [flags] +``` ### Options ``` - -h, --help help for image - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") + -h, --help help for talos-bundle ``` ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
+``` + +### SEE ALSO + +* [talosctl image](#talosctl-image) - Manage CRI container images + +## talosctl image + +Manage CRI container images + +### Options + +``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for image + --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos +* [talosctl image cache-cert-gen](#talosctl-image-cache-cert-gen) - Generate TLS certificates and CA patch required for securing image cache to Talos communication * [talosctl image cache-create](#talosctl-image-cache-create) - Create a cache of images in OCI format into a directory -* [talosctl image default](#talosctl-image-default) - List the default images used by Talos +* [talosctl image cache-serve](#talosctl-image-cache-serve) - Serve an OCI image cache directory over HTTP(S) as a container registry +* [talosctl image k8s-bundle](#talosctl-image-k8s-bundle) - List the default Kubernetes images used by Talos * [talosctl image list](#talosctl-image-list) - List CRI images * [talosctl image pull](#talosctl-image-pull) - Pull an image into CRI +* [talosctl image talos-bundle](#talosctl-image-talos-bundle) - List the default system images and extensions used for Talos ## talosctl inject 
serviceaccount @@ -1972,16 +2379,6 @@ cat deployment.yaml | talosctl inject serviceaccount --roles="os:admin" -f - > d -r, --roles strings roles to add to the generated ServiceAccount manifests (default [os:reader]) ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - ### SEE ALSO * [talosctl inject](#talosctl-inject) - Inject Talos API resources into Kubernetes manifests @@ -1996,16 +2393,6 @@ Inject Talos API resources into Kubernetes manifests -h, --help help for inject ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos 
@@ -2039,11 +2426,12 @@ talosctl inspect dependencies [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2057,17 +2445,13 @@ Inspect internals of Talos ### Options ``` - -h, --help help for inspect -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for inspect + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2094,20 +2478,16 @@ talosctl kubeconfig [local-path] [flags] ### Options ``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration -f, --force Force overwrite of kubeconfig if already present, force overwrite on kubeconfig merge --force-context-name string Force context name for kubeconfig merge -h, --help help for kubeconfig -m, --merge Merge with existing kubeconfig (default true) -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2125,25 +2505,21 @@ talosctl list [path] [flags] ### Options ``` - -d, --depth int32 maximum recursion depth (default 1) - -h, --help help for list - -H, --humanize humanize size and time in the output - -l, --long display additional file details - -r, --recurse recurse into subdirectories - -t, --type strings filter by specified types: - f regular file - d directory - l, L symbolic link -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -d, --depth int32 maximum recursion depth (default 1) + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for list + -H, --humanize humanize size and time in the output + -l, --long display additional file details + -n, --nodes strings target the specified nodes + -r, --recurse recurse into subdirectories + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -t, --type strings filter by specified types: + f regular file + d directory + l, L symbolic link ``` ### SEE ALSO 
@@ -2161,20 +2537,16 @@ talosctl logs [flags] ### Options ``` - -f, --follow specify if the logs should be streamed - -h, --help help for logs - -k, --kubernetes use the k8s.io containerd namespace - --tail int32 lines of log file to display (default is to show from the beginning) (default -1) -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -f, --follow specify if the logs should be streamed + -h, --help help for logs + -k, --kubernetes use the k8s.io containerd namespace + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --tail int32 lines of log file to display (default is to show from the beginning) (default -1) + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2202,16 +2574,6 @@ talosctl machineconfig gen [flags] -h, --help help for gen ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - ### SEE ALSO * [talosctl machineconfig](#talosctl-machineconfig) - Machine config related commands @@ -2232,16 +2594,6 @@ talosctl machineconfig patch [flags] -p, --patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - ### SEE ALSO * [talosctl machineconfig](#talosctl-machineconfig) - Machine config related commands 
@@ -2256,16 +2608,6 @@ Machine config related commands -h, --help help for machineconfig ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos 
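Review bot: in the three `talosctl machineconfig` hunks (`gen`, `patch`, and the parent command) the `### Options inherited from parent commands` block is deleted outright, whereas every other hunk in this patch moves those flags (`-c, --cluster`, `--context`, `-e, --endpoints`, `-n, --nodes`, `--talosconfig`, plus the new `--siderov1-keys-dir`) into `### Options`. If the tool really dropped the node-connection flags from these local, offline subcommands, the page should say so in a sentence, because a reader comparing against the old reference will read the silent absence as an omission; if the block was removed by hand, regenerate these sections with the same tool as the rest of the reference so the layout stays consistent.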
@@ -2283,18 +2625,14 @@ talosctl memory [flags] ### Options ``` - -h, --help help for memory - -v, --verbose display extended memory statistics -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for memory + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -v, --verbose display extended memory statistics ``` ### SEE ALSO 
@@ -2318,12 +2656,13 @@ talosctl meta delete key [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2347,12 +2686,13 @@ talosctl meta write key value [flags] ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
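Review bot: the `talosctl meta delete` and `talosctl meta write` hunks keep a separate `### Options inherited from parent commands` heading and only add `-c, --cluster` and `--siderov1-keys-dir` to it, while every other command in this patch removes that heading and merges the inherited flags into `### Options`. Pick one layout and regenerate the `meta` subcommands to match; as it stands a reader has to work out for themselves that `-i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service`, listed as inherited here, is the same persistent flag that appears under `### Options` in the `talosctl meta` hunk.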
@@ -2366,18 +2706,14 @@ Write and delete keys in the META partition ### Options ``` - -h, --help help for meta - -i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for meta + -i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2397,17 +2733,13 @@ talosctl mounts [flags] ### Options ``` - -h, --help help for mounts -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for mounts + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2434,30 +2766,26 @@ talosctl netstat [flags] ### Options ``` - -a, --all display all sockets states (default: connected) - -x, --extend show detailed socket information - -h, --help help for netstat - -4, --ipv4 display only ipv4 sockets - -6, --ipv6 display only ipv6 sockets - -l, --listening display listening server sockets - -k, --pods show sockets used by Kubernetes pods - -p, --programs show process using socket - -w, --raw display only RAW sockets - -t, --tcp display only TCP sockets - -o, --timers display timers - -u, --udp display only UDP sockets - -U, --udplite display only UDPLite sockets - -v, --verbose display sockets of all supported transport protocols -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -a, --all display all sockets states (default: connected) + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -x, --extend show detailed socket information + -h, --help help for netstat + -4, --ipv4 display only ipv4 sockets + -6, --ipv6 display only ipv6 sockets + -l, --listening display listening server sockets + -n, --nodes strings target the specified nodes + -k, --pods show sockets used by Kubernetes pods + -p, --programs show process using socket + -w, --raw display only RAW sockets + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. 
Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -t, --tcp display only TCP sockets + -o, --timers display timers + -u, --udp display only UDP sockets + -U, --udplite display only UDPLite sockets + -v, --verbose display sockets of all supported transport protocols ``` ### SEE ALSO 
@@ -2466,34 +2794,30 @@ talosctl netstat [flags] ## talosctl patch -Update field(s) of a resource using a JSON patch. +Patch machine configuration of a Talos node with a local patch. ``` -talosctl patch [] [flags] +talosctl patch machineconfig [flags] ``` ### Options ``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command --dry-run print the change summary and patch preview without applying the changes + -e, --endpoints strings override default endpoints in Talos configuration -h, --help help for patch -m, --mode auto, no-reboot, reboot, staged, try apply config mode (default auto) --namespace string resource namespace (default is to use default namespace per resource) + -n, --nodes strings target the specified nodes -p, --patch stringArray the patch to be applied to the resource file, use @file to read a patch from file. --patch-file string a file containing a patch to be applied to the resource. + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. --timeout duration the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s) ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos 
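Review bot: the `talosctl patch` hunk narrows the command from a generic resource patcher (`-Update field(s) of a resource using a JSON patch.`) to machine configuration only (`+talosctl patch machineconfig [flags]`), but leaves `--namespace string resource namespace (default is to use default namespace per resource)` and the `-p, --patch` help text about "the resource file" untouched. Either those flags still exist and their help text is stale for a command that now accepts only `machineconfig`, or they were removed and the options block should drop them too; check `talosctl patch --help` on the version being documented and make the options block agree with the new synopsis before merging.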
@@ -2537,22 +2861,18 @@ talosctl pcap [flags] ### Options ``` - --bpf-filter string bpf filter to apply, tcpdump -dd format - --duration duration duration of the capture - -h, --help help for pcap - -i, --interface string interface name to capture packets on (default "eth0") - -o, --output string if not set, decode packets to stdout; if set write raw pcap data to a file, use '-' for stdout - --promiscuous put interface into promiscuous mode -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --bpf-filter string bpf filter to apply, tcpdump -dd format + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + --duration duration duration of the capture + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for pcap + -i, --interface string interface name to capture packets on (default "eth0") + -n, --nodes strings target the specified nodes + -o, --output string if not set, decode packets to stdout; if set write raw pcap data to a file, use '-' for stdout + --promiscuous put interface into promiscuous mode + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2570,19 +2890,15 @@ talosctl processes [flags] ### Options ``` - -h, --help help for processes - -s, --sort string Column to sort output by. [rss|cpu] (default "rss") - -w, --watch Stream running processes -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for processes + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + -s, --sort string Column to sort output by. [rss|cpu] (default "rss") + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -w, --watch Stream running processes ``` ### SEE ALSO 
@@ -2600,17 +2916,13 @@ talosctl read [flags] ### Options ``` - -h, --help help for read -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for read + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2628,21 +2940,17 @@ talosctl reboot [flags] ### Options ``` - --debug debug operation from kernel logs. --wait is set to true when this flag is set - -h, --help help for reboot - -m, --mode string select the reboot mode: "default", "powercycle" (skips kexec) (default "default") - --timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s) - --wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true) -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + --debug debug operation from kernel logs. --wait is set to true when this flag is set + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for reboot + -m, --mode string select the reboot mode: "default", "powercycle" (skips kexec), "force" (skips graceful teardown) (default "default") + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
+ --timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s) + --wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true) ``` ### SEE ALSO 
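Review bot: the `talosctl reboot` hunk documents a third value for `-m, --mode string`, `"force" (skips graceful teardown)`, which the previous reference did not have, yet the commit subject (`docs: move the on-prem doc`) gives no hint that the talosctl reference was regenerated with behaviour changes. Mention the regeneration in the commit message, and be as explicit here as the `talosctl shutdown` hunk is for its analogous flag (`--force if true, force a node to shutdown without a cordon/drain`): say what `force` skips so an operator can judge the risk before using it on a control plane node.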
@@ -2660,28 +2968,24 @@ talosctl reset [flags] ### Options ``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command --debug debug operation from kernel logs. --wait is set to true when this flag is set + -e, --endpoints strings override default endpoints in Talos configuration --graceful if true, attempt to cordon/drain node and leave etcd (if applicable) (default true) -h, --help help for reset --insecure reset using the insecure (encrypted with no auth) maintenance service + -n, --nodes strings target the specified nodes --reboot if true, reboot the node after resetting instead of shutting down + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. --system-labels-to-wipe strings if set, just wipe selected system disk partitions by label but keep other partitions intact + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. --timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s) --user-disks-to-wipe strings if set, wipes defined devices in the list --wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true) --wipe-mode all, system-disk, user-disks disk reset mode (default all) ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. 
Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos @@ -2697,18 +3001,14 @@ talosctl restart [flags] ### Options ``` - -h, --help help for restart - -k, --kubernetes use the k8s.io containerd namespace -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for restart + -k, --kubernetes use the k8s.io containerd namespace + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2726,17 +3026,13 @@ talosctl rollback [flags] ### Options ``` - -h, --help help for rollback -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for rollback + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2763,29 +3059,25 @@ talosctl rotate-ca [flags] ### Options ``` + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command --control-plane-nodes strings specify IPs of control plane nodes --dry-run dry-run mode (no changes to the cluster) (default true) + -e, --endpoints strings override default endpoints in Talos configuration -h, --help help for rotate-ca --init-node string specify IPs of init node --k8s-endpoint string use endpoint instead of kubeconfig default --kubernetes rotate Kubernetes API CA (default true) + -n, --nodes strings target the specified nodes -o, --output talosconfig path to the output new talosconfig (default "talosconfig") + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. --talos rotate Talos API CA (default true) + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. --with-docs patch all machine configs adding the documentation for each field (default true) --with-examples patch all machine configs with the commented examples (default true) --worker-nodes strings specify IPs of worker nodes ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos @@ -2807,17 +3099,13 @@ talosctl service [ [start|stop|restart|status]] [flags] ### Options ``` - -h, --help help for service -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for service + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2835,21 +3123,17 @@ talosctl shutdown [flags] ### Options ``` - --debug debug operation from kernel logs. --wait is set to true when this flag is set - --force if true, force a node to shutdown without a cordon/drain - -h, --help help for shutdown - --timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s) - --wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true) -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + --debug debug operation from kernel logs. --wait is set to true when this flag is set + -e, --endpoints strings override default endpoints in Talos configuration + --force if true, force a node to shutdown without a cordon/drain + -h, --help help for shutdown + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s) + --wait wait for the operation to complete, tracking its progress. 
always set to true when --debug is set (default true) ``` ### SEE ALSO @@ -2867,18 +3151,14 @@ talosctl stats [flags] ### Options ``` - -h, --help help for stats - -k, --kubernetes use the k8s.io containerd namespace -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for stats + -k, --kubernetes use the k8s.io containerd namespace + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -2918,20 +3198,16 @@ talosctl support [flags] ### Options ``` - -h, --help help for support - -w, --num-workers int number of workers per node (default 1) - -O, --output string output file to write support archive to - -v, --verbose verbose output -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for support + -n, --nodes strings target the specified nodes + -w, --num-workers int number of workers per node (default 1) + -O, --output string output file to write support archive to + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -v, --verbose verbose output ``` ### SEE ALSO 
@@ -2949,18 +3225,14 @@ talosctl time [--check server] [flags] ### Options ``` - -c, --check string checks server time against specified ntp server - -h, --help help for time -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --check string checks server time against specified ntp server + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for time + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
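Review bot: in the `talosctl time` hunk the `-c` short flag moves from `--check` to `--cluster`, which silently breaks existing invocations such as `talosctl time -c pool.ntp.org`: `-c` is still accepted but now consumes the value as a cluster name, so the NTP comparison is simply not performed instead of the command failing loudly. This deserves a line in the release/migration notes that accompany the regenerated reference, and it is worth asking whether `--check` should keep a distinct short flag rather than losing one.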
@@ -2978,25 +3250,21 @@ talosctl upgrade [flags] ### Options ``` - --debug debug operation from kernel logs. --wait is set to true when this flag is set - -f, --force force the upgrade (skip checks on etcd health and members, might lead to data loss) - -h, --help help for upgrade - -i, --image string the container image to use for performing the install (default "ghcr.io/siderolabs/installer:v1.10.0-alpha.3") - --insecure upgrade using the insecure (encrypted with no auth) maintenance service - -m, --reboot-mode string select the reboot mode during upgrade. Mode "powercycle" bypasses kexec. Valid values are: ["default" "powercycle"]. (default "default") - -s, --stage stage the upgrade to perform it after a reboot - --timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s) - --wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true) -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + --debug debug operation from kernel logs. 
--wait is set to true when this flag is set + -e, --endpoints strings override default endpoints in Talos configuration + -f, --force force the upgrade (skip checks on etcd health and members, might lead to data loss) + -h, --help help for upgrade + -i, --image string the container image to use for performing the install (default "ghcr.io/siderolabs/installer:v1.12.1") + --insecure upgrade using the insecure (encrypted with no auth) maintenance service + -n, --nodes strings target the specified nodes + -m, --reboot-mode string select the reboot mode during upgrade. Mode "powercycle" bypasses kexec. Valid values are: ["default" "powercycle"]. (default "default") + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + -s, --stage stage the upgrade to perform it after a reboot + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s) + --wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true) ``` ### SEE ALSO 
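Review bot: the `talosctl upgrade` hunk bumps the `-i, --image` default from `ghcr.io/siderolabs/installer:v1.10.0-alpha.3` to `ghcr.io/siderolabs/installer:v1.12.1`; confirm this is the release this reference page is meant to document, since readers copy that default as the upgrade target. The unchanged `--insecure` line ("encrypted with no auth") is the clearest statement on the page of what the maintenance service does and does not provide; keep that exact wording in sync on every command that exposes an `--insecure` flag.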
@@ -3019,31 +3287,27 @@ talosctl upgrade-k8s [flags] ``` --apiserver-image string kube-apiserver image to use (default "registry.k8s.io/kube-apiserver") + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command --controller-manager-image string kube-controller-manager image to use (default "registry.k8s.io/kube-controller-manager") --dry-run skip the actual upgrade and show the upgrade plan instead --endpoint string the cluster control plane endpoint + -e, --endpoints strings override default endpoints in Talos configuration --from string the Kubernetes control plane version to upgrade from -h, --help help for upgrade-k8s --kubelet-image string kubelet image to use (default "ghcr.io/siderolabs/kubelet") + -n, --nodes strings target the specified nodes --pre-pull-images pre-pull images before upgrade (default true) --proxy-image string kube-proxy image to use (default "registry.k8s.io/kube-proxy") --scheduler-image string kube-scheduler image to use (default "registry.k8s.io/kube-scheduler") - --to string the Kubernetes control plane version to upgrade to (default "1.33.0") + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
+ --to string the Kubernetes control plane version to upgrade to (default "1.35.0") --upgrade-kubelet upgrade kubelet service (default true) --with-docs patch all machine configs adding the documentation for each field (default true) --with-examples patch all machine configs with the commented examples (default true) ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos 
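Review bot: in the `talosctl upgrade-k8s` hunk the new `-e, --endpoints strings` (Talos API endpoints) now sits directly under the existing `--endpoint string` (cluster control plane endpoint), and the two help strings do not make the distinction obvious. Suggest the `--endpoint` description read "the Kubernetes control plane endpoint" so the generated reference disambiguates them. Also confirm the `--to` default of `1.35.0` matches the Kubernetes version shipped with the Talos release this page documents.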
@@ -3059,21 +3323,17 @@ talosctl usage [path1] [path2] ... [pathN] [flags] ### Options ``` - -a, --all write counts for all files, not just directories - -d, --depth int32 maximum recursion depth - -h, --help help for usage - -H, --humanize humanize size and time in the output - -t, --threshold int threshold exclude entries smaller than SIZE if positive, or entries greater than SIZE if negative -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -a, --all write counts for all files, not just directories + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -d, --depth int32 maximum recursion depth + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for usage + -H, --humanize humanize size and time in the output + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -t, --threshold int threshold exclude entries smaller than SIZE if positive, or entries greater than SIZE if negative ``` ### SEE ALSO 
@@ -3097,16 +3357,6 @@ talosctl validate [flags] --strict treat validation warnings as errors ``` -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - ### SEE ALSO * [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos 
@@ -3122,20 +3372,16 @@ talosctl version [flags] ### Options ``` - --client Print client version only - -h, --help help for version - -i, --insecure use Talos maintenance mode API - --short Print the short version -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + --client Print client version only + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for version + -i, --insecure use Talos maintenance mode API + -n, --nodes strings target the specified nodes + --short Print the short version + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
@@ -3161,17 +3407,19 @@ talosctl wipe disk ... [flags] ``` --drop-partition drop partition after wipe (if applicable) -h, --help help for disk + -i, --insecure use Talos maintenance mode API --method string wipe method to use [FAST ZEROES] (default "FAST") ``` ### Options inherited from parent commands ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO 
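Review bot: the `talosctl wipe disk` hunk adds `-i, --insecure use Talos maintenance mode API`, putting a destructive disk wipe behind the path that the `upgrade` hunk on this page describes as "encrypted with no auth". The help text here should carry that same wording so the reference makes clear that no client credentials are checked on this path, and the wipe page should state when the maintenance API is reachable so readers do not read `--insecure` as a general substitute for a talosconfig.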
@@ -3185,17 +3433,13 @@ Wipe block device or volumes ### Options ``` - -h, --help help for wipe -``` - -### Options inherited from parent commands - -``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -c, --cluster string Cluster to connect to if a proxy endpoint is used. + --context string Context to be used in command + -e, --endpoints strings override default endpoints in Talos configuration + -h, --help help for wipe + -n, --nodes strings target the specified nodes + --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. + --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. ``` ### SEE ALSO @@ -3210,12 +3454,7 @@ A CLI for out-of-band management of Kubernetes nodes created by Talos ### Options ``` - --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for talosctl - -n, --nodes strings target the specified nodes - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. + -h, --help help for talosctl ``` ### SEE ALSO 
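Review bot: the root `talosctl` hunk drops `--cluster`, `--context`, `-e`, `-n` and `--talosconfig` from the top-level Options block, leaving only `-h`, while each subcommand now lists them itself. Confirm the flags are still accepted before the subcommand name (`talosctl -n <ip> version`), since that form is common in scripts; if they are no longer persistent, the change should be called out as breaking.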
@@ -3231,7 +3470,7 @@ A CLI for out-of-band management of Kubernetes nodes created by Talos * [talosctl copy](#talosctl-copy) - Copy data out from the node * [talosctl dashboard](#talosctl-dashboard) - Cluster dashboard with node overview, logs and real-time metrics * [talosctl dmesg](#talosctl-dmesg) - Retrieve kernel logs -* [talosctl edit](#talosctl-edit) - Edit a resource from the default editor. +* [talosctl edit](#talosctl-edit) - Edit Talos node machine configuration with the default editor. * [talosctl etcd](#talosctl-etcd) - Manage etcd * [talosctl events](#talosctl-events) - Stream runtime events * [talosctl gen](#talosctl-gen) - Generate CAs, certificates, and private keys @@ -3248,7 +3487,7 @@ A CLI for out-of-band management of Kubernetes nodes created by Talos * [talosctl meta](#talosctl-meta) - Write and delete keys in the META partition * [talosctl mounts](#talosctl-mounts) - List mounts * [talosctl netstat](#talosctl-netstat) - Show network connections and sockets -* [talosctl patch](#talosctl-patch) - Update field(s) of a resource using a JSON patch. +* [talosctl patch](#talosctl-patch) - Patch machine configuration of a Talos node with a local patch. * [talosctl pcap](#talosctl-pcap) - Capture the network packets from the node. * [talosctl processes](#talosctl-processes) - List running processes * [talosctl read](#talosctl-read) - Read a file on the machine @@ -3268,4 +3507,3 @@ A CLI for out-of-band management of Kubernetes nodes created by Talos * [talosctl validate](#talosctl-validate) - Validate config * [talosctl version](#talosctl-version) - Prints the version * [talosctl wipe](#talosctl-wipe) - Wipe block device or volumes - diff --git a/public/talos/v1.13/reference/configuration/cli.mdx b/public/talos/v1.13/reference/configuration/cli.mdx deleted file mode 100644 index b310b9af..00000000 --- a/public/talos/v1.13/reference/configuration/cli.mdx +++ /dev/null 
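Review bot: the file header at the end of this region deletes `public/talos/v1.13/reference/configuration/cli.mdx` outright (`deleted file mode 100644`, `+++ /dev/null`) rather than renaming it, while the earlier hunks update a different copy of the same talosctl reference. Confirm the v1.13 page is regenerated elsewhere and not simply dropped, and note that the deleted copy's defaults (`installer:v1.12.0-beta.1`, Kubernetes `1.35.0-alpha.3`) are pre-release values that look stale for a v1.13 reference, so the replacement should be generated from the matching release. The banner in the deleted content says the file is auto-generated and must not be edited by hand, so any correction belongs in the generator input, not in this diff.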
@@ -1,3291 +0,0 @@ ---- -description: Talosctl CLI tool reference. -title: talosctl ---- - -{/* -This file is automatically generated from source documentation. -Do not edit manually. For more information, see https://github.com/siderolabs/docs -*/} - - -## talosctl apply-config - -Apply a new configuration to a node - -``` -talosctl apply-config [flags] -``` - -### Options - -``` - --cert-fingerprint strings list of server certificate fingeprints to accept (defaults to no check) - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - -p, --config-patch stringArray the list of config patches to apply to the local config file before sending it to the node - --context string Context to be used in command - --dry-run check how the config change will be applied in dry-run mode - -e, --endpoints strings override default endpoints in Talos configuration - -f, --file string the filename of the updated configuration - -h, --help help for apply-config - -i, --insecure apply the config using the insecure (encrypted with no auth) maintenance service - -m, --mode auto, no-reboot, reboot, staged, try apply config mode (default auto) - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - --timeout duration the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s) -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl bootstrap - -Bootstrap the etcd cluster on the specified node. 
- -### Synopsis - -When Talos cluster is created etcd service on control plane nodes enter the join loop waiting -to join etcd peers from other control plane nodes. One node should be picked as the bootstrap node. -When bootstrap command is issued, the node aborts join process and bootstraps etcd cluster as a single node cluster. -Other control plane nodes will join etcd cluster once Kubernetes is bootstrapped on the bootstrap node. - -This command should not be used when "init" type node are used. - -Talos etcd cluster can be recovered from a known snapshot with '--recover-from=' flag. - -``` -talosctl bootstrap [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for bootstrap - -n, --nodes strings target the specified nodes - --recover-from string recover etcd cluster from the snapshot - --recover-skip-hash-check skip integrity check when recovering etcd (use when recovering from data directory copy) - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl cgroups - -Retrieve cgroups usage information - -### Synopsis - -The cgroups command fetches control group v2 (cgroupv2) usage details from the machine. -Several presets are available to focus on specific cgroup subsystems: - -* cpu -* cpuset -* io -* memory -* process -* swap - -You can specify the preset using the --preset flag. 
- -Alternatively, a custom schema can be provided using the --schema-file flag. -To see schema examples, refer to https://github.com/siderolabs/talos/tree/main/cmd/talosctl/cmd/talos/cgroupsprinter/schemas. - - -``` -talosctl cgroups [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for cgroups - -n, --nodes strings target the specified nodes - --preset string preset name (one of: [cpu cpuset io memory process psi swap]) - --schema-file string path to the columns schema file - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --skip-cri-resolve do not resolve cgroup names via a request to CRI - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl cluster create dev - -Creates a local qemu based cluster for Talos development - -``` -talosctl cluster create dev [flags] -``` - -### Options - -``` - --airgapped limit VM network access to the provisioning network only - --arch string cluster architecture (default "amd64") - --bad-rtc launch VM with bad RTC state - --cidr string CIDR of the cluster network (IPv4, ULA network for IPv6 is derived in automated way) (default "10.5.0.0/24") - --cni-bin-path strings search path for CNI binaries (default [/.talos/cni/bin]) - --cni-bundle-url string URL to download CNI bundle from (default "https://github.com/siderolabs/talos/releases/download/v1.12.0-beta.1/talosctl-cni-bundle-${ARCH}.tar.gz") - --cni-cache-dir string CNI cache directory path (default "/.talos/cni/cache") - --cni-conf-dir string CNI config directory path (default "/.talos/cni/conf.d") - --config-injection-method string a method to inject machine config: default is HTTP server, 'metal-iso' to mount an ISO - --config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file - --config-patch-control-plane stringArray patch generated machineconfigs (applied to 'controlplane' type) - --config-patch-worker stringArray patch generated machineconfigs (applied to 'worker' type) - --control-plane-port int control plane port (load balancer and local API port) (default 6443) - --controlplanes int the number of controlplanes to create (default 1) - --cpus string the share of CPUs as fraction for each control plane/VM (default "2.0") - --cpus-workers string the share of CPUs as fraction for each worker/VM (default "2.0") - --custom-cni-url string install custom CNI from the URL (Talos cluster) - --disable-dhcp-hostname skip announcing hostname via DHCP - --disk int default limit on disk size in MB (each VM) (default 6144) - 
--disk-block-size uint disk block size (default 512) - --disk-encryption-key-types stringArray encryption key types to use for disk encryption (uuid, kms) (default [uuid]) - --disk-image-path string disk image to use - --disk-preallocate whether disk space should be preallocated (default true) - --dns-domain string the dns domain to use for cluster (default "cluster.local") - --encrypt-ephemeral enable ephemeral partition encryption - --encrypt-state enable state partition encryption - --encrypt-user-volumes enable ephemeral partition encryption - --endpoint string use endpoint instead of provider defaults - --extra-boot-kernel-args string add extra kernel args to the initial boot from vmlinuz and initramfs - --extra-disks int number of extra disks to create for each worker VM - --extra-disks-drivers strings driver for each extra disk (virtio, ide, ahci, scsi, nvme, megaraid) - --extra-disks-size int default limit on disk size in MB (each VM) (default 5120) - --extra-uefi-search-paths strings additional search paths for UEFI firmware (only applies when UEFI is enabled) - -h, --help help for dev - --image-cache-path string path to image cache - --image-cache-port uint16 port on which to serve image cache (default 5000) - --image-cache-tls-cert-file string path to image cache TLS cert - --image-cache-tls-key-file string path to image cache TLS key - --init-node-as-endpoint use init node as endpoint instead of any load balancer endpoint - --initrd-path string initramfs image to use (default "_out/initramfs-${ARCH}.xz") - --install-image string the installer image to use (default "ghcr.io/siderolabs/installer:v1.12.0-beta.1") - --ipv4 enable IPv4 network in the cluster (default true) - --ipv6 enable IPv6 network in the cluster - --ipxe-boot-script string iPXE boot script (URL) to use - --iso-path string the ISO path to use for the initial boot - --kubeprism-port int KubePrism port (set to 0 to disable) (default 7445) - --kubernetes-version string desired kubernetes 
version to run (default "1.35.0-alpha.3") - --memory string(mb,gb) the limit on memory usage for each control plane/VM (default 2.0GiB) - --memory-workers string(mb,gb) the limit on memory usage for each worker/VM (default 2.0GiB) - --mtu int MTU of the cluster network (default 1500) - --nameservers strings list of nameservers to use, by default use embedded DNS forwarder - --no-masquerade-cidrs strings list of CIDRs to exclude from NAT - --omni-api-endpoint string the Omni API endpoint (must include a scheme, a port and a join token) - --registry-insecure-skip-verify strings list of registry hostnames to skip TLS verification for - --registry-mirror strings list of registry mirrors to use in format: {"<"}registry host{">"}={"<"}mirror URL{">"} - --skip-injecting-config skip injecting config from embedded metadata server, write config files to current directory - --skip-injecting-extra-cmdline skip injecting extra kernel cmdline parameters via EFI vars through bootloader - --skip-k8s-node-readiness-check skip k8s node readiness checks - --skip-kubeconfig skip merging kubeconfig from the created cluster - --talos-version string the desired Talos version to generate config for (default "v1.12.0-beta.1") - --talosconfig string The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
- --uki-path string the UKI image path to use for the initial boot - --usb-path string the USB stick image path to use for the initial boot - --use-vip use a virtual IP for the controlplane endpoint instead of the loadbalancer - --user-volumes strings list of user volumes to create for each VM in format: {"<"}name1{">"}:{"<"}size1{">"}:{"<"}name2{">"}:{"<"}size2{">"} - --vmlinuz-path string the compressed kernel image to use (default "_out/vmlinuz-${ARCH}") - --wait wait for the cluster to be ready before returning (default true) - --wait-timeout duration timeout to wait for the cluster to be ready (default 20m0s) - --wireguard-cidr string CIDR of the wireguard network - --with-apply-config enable apply config when the VM is starting in maintenance mode - --with-bootloader enable bootloader to load kernel and initramfs from disk image after install (default true) - --with-cluster-discovery enable cluster discovery (default true) - --with-debug enable debug in Talos config to send service logs to the console - --with-firewall string inject firewall rules into the cluster, value is default policy - accept/block - --with-init-node create the cluster with an init node - --with-iommu enable IOMMU support, this also add a new PCI root port and an interface attached to it - --with-json-logs enable JSON logs receiver and configure Talos to send logs there - --with-kubespan enable KubeSpan system - --with-network-bandwidth int specify bandwidth restriction (in kbps) on the bridge interface - --with-network-chaos enable to use network chaos parameters - --with-network-jitter duration specify jitter on the bridge interface - --with-network-latency duration specify latency on the bridge interface - --with-network-packet-corrupt float specify percent of corrupt packets on the bridge interface. e.g. 50% = 0.50 (default: 0.0) - --with-network-packet-loss float specify percent of packet loss on the bridge interface. e.g. 
50% = 0.50 (default: 0.0) - --with-network-packet-reorder float specify percent of reordered packets on the bridge interface. e.g. 50% = 0.50 (default: 0.0) - --with-siderolink true enables the use of siderolink agent as configuration apply mechanism. true or `wireguard` enables the agent, `tunnel` enables the agent with grpc tunneling (default none) - --with-tpm1_2 enable TPM 1.2 emulation support using swtpm - --with-tpm2 enable TPM 2.0 emulation support using swtpm - --with-uefi enable UEFI on x86_64 architecture (default true) - --with-uuid-hostnames use machine UUIDs as default hostnames - --workers int the number of workers to create (default 1) -``` - -### Options inherited from parent commands - -``` - --name string the name of the cluster (default "talos-default") - --state string directory path to store cluster state (default "/.talos/clusters") -``` - -### SEE ALSO - -* [talosctl cluster create](#talosctl-cluster-create) - Creates a local qemu based cluster for Talos development - -## talosctl cluster create docker - -Create a local Docker based kubernetes cluster - -``` -talosctl cluster create docker [flags] -``` - -### Options - -``` - --config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file - --config-patch-controlplanes stringArray patch generated machineconfigs (applied to 'controlplane' type) - --config-patch-workers stringArray patch generated machineconfigs (applied to 'worker' type) - --cpus-controlplanes string the share of CPUs as fraction for each control plane/VM (default "2.0") - --cpus-workers string the share of CPUs as fraction for each worker/VM (default "2.0") - -p, --exposed-ports string comma-separated list of ports/protocols to expose on init node. 
Ex -p {"<"}hostPort{">"}:{"<"}containerPort{">"}/{"<"}protocol (tcp or udp){">"} - -h, --help help for docker - --host-ip string Host IP to forward exposed ports to (default "0.0.0.0") - --image string the talos image to run (default "ghcr.io/siderolabs/talos:v1.12.0-beta.1") - --kubernetes-version string desired kubernetes version to run (default "1.35.0-alpha.3") - --memory-controlplanes string(mb,gb) the limit on memory usage for each control plane/VM (default 2.0GiB) - --memory-workers string(mb,gb) the limit on memory usage for each worker/VM (default 2.0GiB) - --mount mount attach a mount to the container (docker --mount syntax) - --subnet string Docker network subnet CIDR (default "10.5.0.0/24") - --talosconfig-destination string The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - --workers int the number of workers to create (default 1) -``` - -### Options inherited from parent commands - -``` - --name string the name of the cluster (default "talos-default") - --state string directory path to store cluster state (default "/.talos/clusters") -``` - -### SEE ALSO - -* [talosctl cluster create](#talosctl-cluster-create) - Creates a local qemu based cluster for Talos development - -## talosctl cluster create qemu - -Create a local QEMU based Talos cluster -Available presets: - - iso: Configure Talos to boot from an ISO from the Image Factory. - - iso-secureboot: Configure Talos for Secureboot via ISO. Only available on Linux hosts. - - pxe: Configure Talos to boot via PXE from the Image Factory. - - disk-image: Configure Talos to boot from a disk image from the Image Factory. - - maintenance: Skip applying machine configuration and leave the machines in maintenance mode. The machine configuration files are written to the working directory. 
- -Note: exactly one of 'iso', 'iso-secureboot', 'pxe' or 'disk-image' presets must be specified. - - -``` -talosctl cluster create qemu [flags] -``` - -### Options - -``` - --cidr string CIDR of the cluster network (default "10.5.0.0/24") - --config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file - --config-patch-controlplanes stringArray patch generated machineconfigs (applied to 'controlplane' type) - --config-patch-workers stringArray patch generated machineconfigs (applied to 'worker' type) - --controlplanes int the number of controlplanes to create (default 1) - --cpus-controlplanes string the share of CPUs as fraction for each control plane/VM (default "2.0") - --cpus-workers string the share of CPUs as fraction for each worker/VM (default "2.0") - --disks disks list of disks to create in format "{"<"}driver1{">"}:{"<"}size1{">"}" (disks after the first one are added only to worker machines) (default virtio:10GiB,virtio:6GiB) - -h, --help help for qemu - --image-factory-url string image factory url (default "https://factory.talos.dev/") - --kubernetes-version string desired kubernetes version to run (default "1.35.0-alpha.3") - --memory-controlplanes string(mb,gb) the limit on memory usage for each control plane/VM (default 2.0GiB) - --memory-workers string(mb,gb) the limit on memory usage for each worker/VM (default 2.0GiB) - --omni-api-endpoint string the Omni API endpoint (must include a scheme, a port and a join token) - --presets strings list of presets to apply (default [iso]) - --schematic-id string image factory schematic id (defaults to an empty schematic) - --talos-version string the desired talos version (default "v1.12.0-beta.1") - --talosconfig-destination string The location to save the generated Talos configuration file to. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
- --workers int the number of workers to create (default 1) -``` - -### Options inherited from parent commands - -``` - --name string the name of the cluster (default "talos-default") - --state string directory path to store cluster state (default "/.talos/clusters") -``` - -### SEE ALSO - -* [talosctl cluster create](#talosctl-cluster-create) - Creates a local qemu based cluster for Talos development - -## talosctl cluster destroy - -Destroys a local Talos kubernetes cluster - -``` -talosctl cluster destroy [flags] -``` - -### Options - -``` - -f, --force force deletion of cluster directory if there were errors - -h, --help help for destroy - --save-cluster-logs-archive-path string save cluster logs archive to the specified file on destroy - --save-support-archive-path string save support archive to the specified file on destroy -``` - -### Options inherited from parent commands - -``` - --name string the name of the cluster (default "talos-default") - --state string directory path to store cluster state (default "/.talos/clusters") -``` - -### SEE ALSO - -* [talosctl cluster](#talosctl-cluster) - A collection of commands for managing local docker-based or QEMU-based clusters - -## talosctl cluster show - -Shows info about a local provisioned kubernetes cluster - -``` -talosctl cluster show [flags] -``` - -### Options - -``` - -h, --help help for show - --provisioner string Talos cluster provisioner to use (default "docker") -``` - -### Options inherited from parent commands - -``` - --name string the name of the cluster (default "talos-default") - --state string directory path to store cluster state (default "/.talos/clusters") -``` - -### SEE ALSO - -* [talosctl cluster](#talosctl-cluster) - A collection of commands for managing local docker-based or QEMU-based clusters - -## talosctl cluster - -A collection of commands for managing local docker-based or QEMU-based clusters - -### Options - -``` - -h, --help help for cluster - --name string the name of the 
cluster (default "talos-default") - --state string directory path to store cluster state (default "/.talos/clusters") -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos -* [talosctl cluster destroy](#talosctl-cluster-destroy) - Destroys a local Talos kubernetes cluster -* [talosctl cluster show](#talosctl-cluster-show) - Shows info about a local provisioned kubernetes cluster - -## talosctl completion - -Output shell completion code for the specified shell (bash, fish or zsh) - -### Synopsis - -Output shell completion code for the specified shell (bash, fish or zsh). -The shell code must be evaluated to provide interactive -completion of talosctl commands. This can be done by sourcing it from -the .bash_profile. - -Note for zsh users: [1] zsh completions are only supported in versions of zsh >= 5.2 - -``` -talosctl completion SHELL [flags] -``` - -### Examples - -``` -# Installing bash completion on macOS using homebrew -## If running Bash 3.2 included with macOS - brew install bash-completion -## or, if running Bash 4.1+ - brew install bash-completion@2 -## If talosctl is installed via homebrew, this should start working immediately. -## If you've installed via other means, you may need add the completion to your completion directory - talosctl completion bash > $(brew --prefix)/etc/bash_completion.d/talosctl - -# Installing bash completion on Linux -## If bash-completion is not installed on Linux, please install the 'bash-completion' package -## via your distribution's package manager. 
-## Load the talosctl completion code for bash into the current shell - source <(talosctl completion bash) -## Write bash completion code to a file and source if from .bash_profile - talosctl completion bash > "${TALOS_HOME:-$HOME/.talos}/completion.bash.inc" - printf ' - # talosctl shell completion - source "${TALOS_HOME:-$HOME/.talos}/completion.bash.inc" - ' >> $HOME/.bash_profile - source $HOME/.bash_profile -# Load the talosctl completion code for fish[1] into the current shell - talosctl completion fish | source -# Set the talosctl completion code for fish[1] to autoload on startup - talosctl completion fish > ~/.config/fish/completions/talosctl.fish -# Load the talosctl completion code for zsh[1] into the current shell - source <(talosctl completion zsh) -# Set the talosctl completion code for zsh[1] to autoload on startup - talosctl completion zsh > "${fpath[1]}/_talosctl" -``` - -### Options - -``` - -h, --help help for completion -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl config add - -Add a new context - -``` -talosctl config add {"<"}context{">"} [flags] -``` - -### Options - -``` - --ca string the path to the CA certificate - --crt string the path to the certificate - -h, --help help for add - --key string the path to the key -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. 
Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl config](#talosctl-config) - Manage the client configuration file (talosconfig) - -## talosctl config context - -Set the current context - -``` -talosctl config context {"<"}context{">"} [flags] -``` - -### Options - -``` - -h, --help help for context -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl config](#talosctl-config) - Manage the client configuration file (talosconfig) - -## talosctl config contexts - -List defined contexts - -``` -talosctl config contexts [flags] -``` - -### Options - -``` - -h, --help help for contexts -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. 
Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl config](#talosctl-config) - Manage the client configuration file (talosconfig) - -## talosctl config endpoint - -Set the endpoint(s) for the current context - -``` -talosctl config endpoint {"<"}endpoint{">"}... [flags] -``` - -### Options - -``` - -h, --help help for endpoint -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl config](#talosctl-config) - Manage the client configuration file (talosconfig) - -## talosctl config info - -Show information about the current context - -``` -talosctl config info [flags] -``` - -### Options - -``` - -h, --help help for info - -o, --output string output format (json|yaml|text). Default text. (default "text") -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. 
Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl config](#talosctl-config) - Manage the client configuration file (talosconfig) - -## talosctl config merge - -Merge additional contexts from another client configuration file - -### Synopsis - -Contexts with the same name are renamed while merging configs. - -``` -talosctl config merge {"<"}from{">"} [flags] -``` - -### Options - -``` - -h, --help help for merge -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl config](#talosctl-config) - Manage the client configuration file (talosconfig) - -## talosctl config new - -Generate a new client configuration file - -``` -talosctl config new [{"<"}path{">"}] [flags] -``` - -### Options - -``` - --crt-ttl duration certificate TTL (default 8760h0m0s) - -h, --help help for new - --roles strings roles (default [os:admin]) -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl config](#talosctl-config) - Manage the client configuration file (talosconfig) - -## talosctl config node - -Set the node(s) for the current context - -``` -talosctl config node {"<"}endpoint{">"}... [flags] -``` - -### Options - -``` - -h, --help help for node -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - -### SEE ALSO - -* [talosctl config](#talosctl-config) - Manage the client configuration file (talosconfig) - -## talosctl config remove - -Remove contexts - -``` -talosctl config remove {"<"}context{">"} [flags] -``` - -### Options - -``` - --dry-run dry run - -h, --help help for remove - -y, --noconfirm do not ask for confirmation -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl config](#talosctl-config) - Manage the client configuration file (talosconfig) - -## talosctl config - -Manage the client configuration file (talosconfig) - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for config - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos -* [talosctl config add](#talosctl-config-add) - Add a new context -* [talosctl config context](#talosctl-config-context) - Set the current context -* [talosctl config contexts](#talosctl-config-contexts) - List defined contexts -* [talosctl config endpoint](#talosctl-config-endpoint) - Set the endpoint(s) for the current context -* [talosctl config info](#talosctl-config-info) - Show information about the current context -* [talosctl config merge](#talosctl-config-merge) - Merge additional contexts from another client configuration file -* [talosctl config new](#talosctl-config-new) - Generate a new client configuration file -* [talosctl config node](#talosctl-config-node) - Set the node(s) for the current context -* [talosctl config remove](#talosctl-config-remove) - Remove contexts - -## talosctl conformance kubernetes - -Run Kubernetes conformance tests - -``` -talosctl conformance kubernetes [flags] -``` - -### Options - -``` - -h, --help help for kubernetes - --mode string conformance test mode: [fast, certified] (default "fast") -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - -### SEE ALSO - -* [talosctl conformance](#talosctl-conformance) - Run conformance tests - -## talosctl conformance - -Run conformance tests - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for conformance - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos -* [talosctl conformance kubernetes](#talosctl-conformance-kubernetes) - Run Kubernetes conformance tests - -## talosctl containers - -List containers - -``` -talosctl containers [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for containers - -k, --kubernetes use the k8s.io containerd namespace - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl copy - -Copy data out from the node - -### Synopsis - -Creates an .tar.gz archive at the node starting at {"<"}src-path{">"} and -streams it back to the client. - -If '-' is given for {"<"}local-path{">"}, archive is written to stdout. -Otherwise archive is extracted to {"<"}local-path{">"} which should be an empty directory or -talosctl creates a directory if {"<"}local-path{">"} doesn't exist. Command doesn't preserve -ownership and access mode for the files in extract mode, while streamed .tar archive -captures ownership and permission bits. - -``` -talosctl copy {"<"}src-path{">"} -|{"<"}local-path{">"} [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for copy - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl dashboard - -Cluster dashboard with node overview, logs and real-time metrics - -### Synopsis - -Provide a text-based UI to navigate node overview, logs and real-time metrics. 
- -Keyboard shortcuts: - - - h, {"<"}Left{">"} - switch one node to the left - - l, {"<"}Right{">"} - switch one node to the right - - j, {"<"}Down{">"} - scroll logs/process list down - - k, {"<"}Up{">"} - scroll logs/process list up - - {"<"}C-d{">"} - scroll logs/process list half page down - - {"<"}C-u{">"} - scroll logs/process list half page up - - {"<"}C-f{">"} - scroll logs/process list one page down - - {"<"}C-b{">"} - scroll logs/process list one page up - - -``` -talosctl dashboard [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for dashboard - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - -d, --update-interval duration interval between updates (default 3s) -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl dmesg - -Retrieve kernel logs - -``` -talosctl dmesg [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --follow specify if the kernel log should be streamed - -h, --help help for dmesg - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. 
Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --tail specify if only new messages should be sent (makes sense only when combined with --follow) - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl edit - -Edit Talos node machine configuration with the default editor. - -### Synopsis - -The edit command allows you to directly edit the machine configuration -of a Talos node using your preferred text editor. - -It will open the editor defined by your TALOS_EDITOR, -or EDITOR environment variables, or fall back to 'vi' for Linux -or 'notepad' for Windows. - -``` -talosctl edit machineconfig [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - --dry-run do not apply the change after editing and print the change summary instead - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for edit - -m, --mode auto, no-reboot, reboot, staged, try apply config mode (default auto) - --namespace string resource namespace (default is to use default namespace per resource) - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
- --timeout duration the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s) -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl etcd alarm disarm - -Disarm the etcd alarms for the node. - -``` -talosctl etcd alarm disarm [flags] -``` - -### Options - -``` - -h, --help help for disarm -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl etcd alarm](#talosctl-etcd-alarm) - Manage etcd alarms - -## talosctl etcd alarm list - -List the etcd alarms for the node. - -``` -talosctl etcd alarm list [flags] -``` - -### Options - -``` - -h, --help help for list -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. 
Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl etcd alarm](#talosctl-etcd-alarm) - Manage etcd alarms - -## talosctl etcd alarm - -Manage etcd alarms - -### Options - -``` - -h, --help help for alarm -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl etcd](#talosctl-etcd) - Manage etcd -* [talosctl etcd alarm disarm](#talosctl-etcd-alarm-disarm) - Disarm the etcd alarms for the node. -* [talosctl etcd alarm list](#talosctl-etcd-alarm-list) - List the etcd alarms for the node. - -## talosctl etcd defrag - -Defragment etcd database on the node - -### Synopsis - -Defragmentation is a maintenance operation that releases unused space from the etcd database file. -Defragmentation is a resource heavy operation and should be performed only when necessary on a single node at a time. - -``` -talosctl etcd defrag [flags] -``` - -### Options - -``` - -h, --help help for defrag -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl etcd](#talosctl-etcd) - Manage etcd - -## talosctl etcd downgrade cancel - -Cancel etcd storage system downgrade. - -``` -talosctl etcd downgrade cancel [flags] -``` - -### Options - -``` - -h, --help help for cancel -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl etcd downgrade](#talosctl-etcd-downgrade) - Manage etcd storage system downgrades - -## talosctl etcd downgrade enable - -Enable etcd storage system downgrade to the specified version. 
- -``` -talosctl etcd downgrade enable {"<"}version{">"} [flags] -``` - -### Options - -``` - -h, --help help for enable -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl etcd downgrade](#talosctl-etcd-downgrade) - Manage etcd storage system downgrades - -## talosctl etcd downgrade validate - -Validate if the etcd storage system can be downgraded to the specified version. - -``` -talosctl etcd downgrade validate {"<"}version{">"} [flags] -``` - -### Options - -``` - -h, --help help for validate -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - -### SEE ALSO - -* [talosctl etcd downgrade](#talosctl-etcd-downgrade) - Manage etcd storage system downgrades - -## talosctl etcd downgrade - -Manage etcd storage system downgrades - -### Options - -``` - -h, --help help for downgrade -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl etcd](#talosctl-etcd) - Manage etcd -* [talosctl etcd downgrade cancel](#talosctl-etcd-downgrade-cancel) - Cancel etcd storage system downgrade. -* [talosctl etcd downgrade enable](#talosctl-etcd-downgrade-enable) - Enable etcd storage system downgrade to the specified version. -* [talosctl etcd downgrade validate](#talosctl-etcd-downgrade-validate) - Validate if the etcd storage system can be downgraded to the specified version. - -## talosctl etcd forfeit-leadership - -Tell node to forfeit etcd cluster leadership - -``` -talosctl etcd forfeit-leadership [flags] -``` - -### Options - -``` - -h, --help help for forfeit-leadership -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl etcd](#talosctl-etcd) - Manage etcd - -## talosctl etcd leave - -Tell nodes to leave etcd cluster - -``` -talosctl etcd leave [flags] -``` - -### Options - -``` - -h, --help help for leave -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl etcd](#talosctl-etcd) - Manage etcd - -## talosctl etcd members - -Get the list of etcd cluster members - -``` -talosctl etcd members [flags] -``` - -### Options - -``` - -h, --help help for members -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl etcd](#talosctl-etcd) - Manage etcd - -## talosctl etcd remove-member - -Remove the node from etcd cluster - -### Synopsis - -Use this command only if you want to remove a member which is in broken state. -If there is no access to the node, or the node can't access etcd to call etcd leave. -Always prefer etcd leave over this command. - -``` -talosctl etcd remove-member {"<"}member ID{">"} [flags] -``` - -### Options - -``` - -h, --help help for remove-member -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl etcd](#talosctl-etcd) - Manage etcd - -## talosctl etcd snapshot - -Stream snapshot of the etcd node to the path. 
- -``` -talosctl etcd snapshot {"<"}path{">"} [flags] -``` - -### Options - -``` - -h, --help help for snapshot -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl etcd](#talosctl-etcd) - Manage etcd - -## talosctl etcd status - -Get the status of etcd cluster member - -### Synopsis - -Returns the status of etcd member on the node, use multiple nodes to get status of all members. - -``` -talosctl etcd status [flags] -``` - -### Options - -``` - -h, --help help for status -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - -### SEE ALSO - -* [talosctl etcd](#talosctl-etcd) - Manage etcd - -## talosctl etcd - -Manage etcd - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for etcd - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos -* [talosctl etcd alarm](#talosctl-etcd-alarm) - Manage etcd alarms -* [talosctl etcd defrag](#talosctl-etcd-defrag) - Defragment etcd database on the node -* [talosctl etcd downgrade](#talosctl-etcd-downgrade) - Manage etcd storage system downgrades -* [talosctl etcd forfeit-leadership](#talosctl-etcd-forfeit-leadership) - Tell node to forfeit etcd cluster leadership -* [talosctl etcd leave](#talosctl-etcd-leave) - Tell nodes to leave etcd cluster -* [talosctl etcd members](#talosctl-etcd-members) - Get the list of etcd cluster members -* [talosctl etcd remove-member](#talosctl-etcd-remove-member) - Remove the node from etcd cluster -* [talosctl etcd snapshot](#talosctl-etcd-snapshot) - Stream snapshot of the etcd node to the path. 
-* [talosctl etcd status](#talosctl-etcd-status) - Get the status of etcd cluster member - -## talosctl events - -Stream runtime events - -``` -talosctl events [flags] -``` - -### Options - -``` - --actor-id string filter events by the specified actor ID (default is no filter) - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - --duration duration show events for the past duration interval (one second resolution, default is to show no history) - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for events - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --since string show events after the specified event ID (default is to show no history) - --tail int32 show specified number of past events (use -1 to show full history, default is to show no history) - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl gen ca - -Generates a self-signed X.509 certificate authority - -``` -talosctl gen ca [flags] -``` - -### Options - -``` - -h, --help help for ca - --hours int the hours from now on which the certificate validity period ends (default 87600) - --organization string X.509 distinguished name for the Organization - --rsa generate in RSA format -``` - -### Options inherited from parent commands - -``` - -f, --force will overwrite existing files -``` - -### SEE ALSO - -* [talosctl gen](#talosctl-gen) - Generate CAs, certificates, and private keys - -## talosctl gen config - -Generates a set of configuration files for Talos cluster - -### Synopsis - -The cluster endpoint is the URL for the Kubernetes API. If you decide to use -a control plane node, common in a single node control plane setup, use port 6443 as -this is the port that the API server binds to on every control plane node. For an HA -setup, usually involving a load balancer, use the IP and port of the load balancer. 
- -``` -talosctl gen config {"<"}cluster name{">"} {"<"}cluster endpoint{">"} [flags] -``` - -### Options - -``` - --additional-sans strings additional Subject-Alt-Names for the APIServer certificate - --config-patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file - --config-patch-control-plane stringArray patch generated machineconfigs (applied to 'init' and 'controlplane' types) - --config-patch-worker stringArray patch generated machineconfigs (applied to 'worker' type) - --dns-domain string the dns domain to use for cluster (default "cluster.local") - -h, --help help for config - --install-disk string the disk to install to (default "/dev/sda") - --install-image string the image used to perform an installation (default "ghcr.io/siderolabs/installer:v1.12.0-beta.1") - --kubernetes-version string desired kubernetes version to run (default "1.35.0-alpha.3") - -o, --output string destination to output generated files. when multiple output types are specified, it must be a directory. for a single output type, it must either be a file path, or "-" for stdout - -t, --output-types strings types of outputs to be generated. valid types are: ["controlplane" "worker" "talosconfig"] (default [controlplane,worker,talosconfig]) - -p, --persist the desired persist value for configs (default true) - --registry-mirror strings list of registry mirrors to use in format: {"<"}registry host{">"}={"<"}mirror URL{">"} - --talos-version string the desired Talos version to generate config for (backwards compatibility, e.g. 
v0.8) - --version string the desired machine config version to generate (default "v1alpha1") - --with-cluster-discovery enable cluster discovery feature (default true) - --with-docs renders all machine configs adding the documentation for each field (default true) - --with-examples renders all machine configs with the commented examples (default true) - --with-kubespan enable KubeSpan feature - --with-secrets string use a secrets file generated using 'gen secrets' -``` - -### Options inherited from parent commands - -``` - -f, --force will overwrite existing files -``` - -### SEE ALSO - -* [talosctl gen](#talosctl-gen) - Generate CAs, certificates, and private keys - -## talosctl gen crt - -Generates an X.509 Ed25519 certificate - -``` -talosctl gen crt [flags] -``` - -### Options - -``` - --ca string path to the PEM encoded CERTIFICATE - --csr string path to the PEM encoded CERTIFICATE REQUEST - -h, --help help for crt - --hours int the hours from now on which the certificate validity period ends (default 24) - --name string the basename of the generated file -``` - -### Options inherited from parent commands - -``` - -f, --force will overwrite existing files -``` - -### SEE ALSO - -* [talosctl gen](#talosctl-gen) - Generate CAs, certificates, and private keys - -## talosctl gen csr - -Generates a CSR using an Ed25519 private key - -``` -talosctl gen csr [flags] -``` - -### Options - -``` - -h, --help help for csr - --ip string generate the certificate for this IP address - --key string path to the PEM encoded EC or RSA PRIVATE KEY - --roles strings roles (default [os:admin]) -``` - -### Options inherited from parent commands - -``` - -f, --force will overwrite existing files -``` - -### SEE ALSO - -* [talosctl gen](#talosctl-gen) - Generate CAs, certificates, and private keys - -## talosctl gen key - -Generates an Ed25519 private key - -``` -talosctl gen key [flags] -``` - -### Options - -``` - -h, --help help for key - --name string the basename of the generated 
file -``` - -### Options inherited from parent commands - -``` - -f, --force will overwrite existing files -``` - -### SEE ALSO - -* [talosctl gen](#talosctl-gen) - Generate CAs, certificates, and private keys - -## talosctl gen keypair - -Generates an X.509 Ed25519 key pair - -``` -talosctl gen keypair [flags] -``` - -### Options - -``` - -h, --help help for keypair - --ip string generate the certificate for this IP address - --organization string X.509 distinguished name for the Organization -``` - -### Options inherited from parent commands - -``` - -f, --force will overwrite existing files -``` - -### SEE ALSO - -* [talosctl gen](#talosctl-gen) - Generate CAs, certificates, and private keys - -## talosctl gen secrets - -Generates a secrets bundle file which can later be used to generate a config - -``` -talosctl gen secrets [flags] -``` - -### Options - -``` - --from-controlplane-config string use the provided controlplane Talos machine configuration as input - -p, --from-kubernetes-pki string use a Kubernetes PKI directory (e.g. /etc/kubernetes/pki) as input - -h, --help help for secrets - -t, --kubernetes-bootstrap-token string use the provided bootstrap token as input - -o, --output-file string path of the output file, or "-" for stdout (default "secrets.yaml") - --talos-version string the desired Talos version to generate secrets bundle for (backwards compatibility, e.g. 
v0.8) -``` - -### Options inherited from parent commands - -``` - -f, --force will overwrite existing files -``` - -### SEE ALSO - -* [talosctl gen](#talosctl-gen) - Generate CAs, certificates, and private keys - -## talosctl gen secureboot database - -Generates a UEFI database to enroll the signing certificate - -``` -talosctl gen secureboot database [flags] -``` - -### Options - -``` - --enrolled-certificate string path to the certificate to enroll (default "_out/uki-signing-cert.pem") - -h, --help help for database - --include-well-known-uefi-certs include well-known UEFI (Microsoft) certificates in the database - --signing-certificate string path to the certificate used to sign the database (default "_out/uki-signing-cert.pem") - --signing-key string path to the key used to sign the database (default "_out/uki-signing-key.pem") -``` - -### Options inherited from parent commands - -``` - -f, --force will overwrite existing files - -o, --output string path to the directory storing the generated files (default "_out") -``` - -### SEE ALSO - -* [talosctl gen secureboot](#talosctl-gen-secureboot) - Generates secrets for the SecureBoot process - -## talosctl gen secureboot pcr - -Generates a key which is used to sign TPM PCR values - -``` -talosctl gen secureboot pcr [flags] -``` - -### Options - -``` - -h, --help help for pcr -``` - -### Options inherited from parent commands - -``` - -f, --force will overwrite existing files - -o, --output string path to the directory storing the generated files (default "_out") -``` - -### SEE ALSO - -* [talosctl gen secureboot](#talosctl-gen-secureboot) - Generates secrets for the SecureBoot process - -## talosctl gen secureboot uki - -Generates a certificate which is used to sign boot assets (UKI) - -``` -talosctl gen secureboot uki [flags] -``` - -### Options - -``` - --common-name string common name for the certificate (default "Test UKI Signing Key") - -h, --help help for uki -``` - -### Options inherited from parent commands 
- -``` - -f, --force will overwrite existing files - -o, --output string path to the directory storing the generated files (default "_out") -``` - -### SEE ALSO - -* [talosctl gen secureboot](#talosctl-gen-secureboot) - Generates secrets for the SecureBoot process - -## talosctl gen secureboot - -Generates secrets for the SecureBoot process - -### Options - -``` - -h, --help help for secureboot - -o, --output string path to the directory storing the generated files (default "_out") -``` - -### Options inherited from parent commands - -``` - -f, --force will overwrite existing files -``` - -### SEE ALSO - -* [talosctl gen](#talosctl-gen) - Generate CAs, certificates, and private keys -* [talosctl gen secureboot database](#talosctl-gen-secureboot-database) - Generates a UEFI database to enroll the signing certificate -* [talosctl gen secureboot pcr](#talosctl-gen-secureboot-pcr) - Generates a key which is used to sign TPM PCR values -* [talosctl gen secureboot uki](#talosctl-gen-secureboot-uki) - Generates a certificate which is used to sign boot assets (UKI) - -## talosctl gen - -Generate CAs, certificates, and private keys - -### Options - -``` - -f, --force will overwrite existing files - -h, --help help for gen -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos -* [talosctl gen ca](#talosctl-gen-ca) - Generates a self-signed X.509 certificate authority -* [talosctl gen config](#talosctl-gen-config) - Generates a set of configuration files for Talos cluster -* [talosctl gen crt](#talosctl-gen-crt) - Generates an X.509 Ed25519 certificate -* [talosctl gen csr](#talosctl-gen-csr) - Generates a CSR using an Ed25519 private key -* [talosctl gen key](#talosctl-gen-key) - Generates an Ed25519 private key -* [talosctl gen keypair](#talosctl-gen-keypair) - Generates an X.509 Ed25519 key pair -* [talosctl gen secrets](#talosctl-gen-secrets) - Generates a secrets bundle file which can later be used to 
generate a config -* [talosctl gen secureboot](#talosctl-gen-secureboot) - Generates secrets for the SecureBoot process - -## talosctl get - -Get a specific resource or list of resources (use 'talosctl get rd' to see all available resource types). - -### Synopsis - -Similar to 'kubectl get', 'talosctl get' returns a set of resources from the OS. -To get a list of all available resource definitions, issue 'talosctl get rd' - -``` -talosctl get {"<"}type{">"} [{"<"}id{">"}] [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for get - -i, --insecure get resources using the insecure (encrypted with no auth) maintenance service - --namespace string resource namespace (default is to use default namespace per resource) - -n, --nodes strings target the specified nodes - -o, --output string output mode (json, table, yaml, jsonpath) (default "table") - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - -w, --watch watch resource changes -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl health - -Check cluster health - -``` -talosctl health [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - --control-plane-nodes strings specify IPs of control plane nodes - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for health - --init-node string specify IPs of init node - --k8s-endpoint string use endpoint instead of kubeconfig default - -n, --nodes strings target the specified nodes - --run-e2e run Kubernetes e2e test - --server run server-side check (default true) - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - --wait-timeout duration timeout to wait for the cluster to be ready (default 20m0s) - --worker-nodes strings specify IPs of worker nodes -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl image cache-cert-gen - -Generate TLS certificates and CA patch required for securing image cache to Talos communication - -### Synopsis - -Generate TLS certificates and CA patch required for securing image cache to Talos communication - -``` -talosctl image cache-cert-gen [flags] -``` - -### Options - -``` - --advertised-address ipSlice The addresses to advertise. (default []) - --advertised-name strings The DNS names to advertise. - -h, --help help for cache-cert-gen - --tls-ca-file string TLS certificate authority file (default "ca.crt") - --tls-cert-file string TLS certificate file to use for serving (default "tls.crt") - --tls-key-file string TLS key file to use for serving (default "tls.key") -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl image](#talosctl-image) - Manage CRI container images - -## talosctl image cache-create - -Create a cache of images in OCI format into a directory - -### Synopsis - -Create a cache of images in OCI format into a directory - -``` -talosctl image cache-create [flags] -``` - -### Examples - -``` -talosctl images cache-create --images=ghcr.io/siderolabs/kubelet:v1.35.0-alpha.3 --image-cache-path=/tmp/talos-image-cache - -Alternatively, stdin can be piped to the command: -talosctl images default | talosctl images cache-create --image-cache-path=/tmp/talos-image-cache --images=- - -``` - -### Options - -``` - --force force overwrite of existing image cache - -h, --help help for cache-create - --image-cache-path string directory to save the image cache in OCI format - --image-layer-cache-path string directory to save the image layer cache - --images strings images to cache - --insecure allow insecure registries - --layout string Specifies the cache layout format: "oci" for an OCI image layout directory, or "flat" for a registry-like flat file structure (default "oci") - --platform strings platform to use for the cache (default [linux/amd64]) -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if 
a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl image](#talosctl-image) - Manage CRI container images - -## talosctl image cache-serve - -Serve an OCI image cache directory over HTTP(S) as a container registry - -### Synopsis - -Serve an OCI image cache directory over HTTP(S) as a container registry - -``` -talosctl image cache-serve [flags] -``` - -### Options - -``` - --address string address to serve the registry on (default "127.0.0.1:3172") - -h, --help help for cache-serve - --image-cache-path string directory to save the image cache in flat format - --mirror strings list of registry mirrors to add to the Talos config patch (default [docker.io,ghcr.io,registry.k8s.io]) - --tls-cert-file string TLS certificate file to use for serving - --tls-key-file string TLS key file to use for serving -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl image](#talosctl-image) - Manage CRI container images - -## talosctl image default - -List the default images used by Talos - -``` -talosctl image default [flags] -``` - -### Options - -``` - -h, --help help for default - --provisioner string include provisioner specific images (default "installer") -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - -### SEE ALSO - -* [talosctl image](#talosctl-image) - Manage CRI container images - -## talosctl image list - -List CRI images - -``` -talosctl image list [flags] -``` - -### Options - -``` - -h, --help help for list -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl image](#talosctl-image) - Manage CRI container images - -## talosctl image pull - -Pull an image into CRI - -``` -talosctl image pull {"<"}image{">"} [flags] -``` - -### Options - -``` - -h, --help help for pull -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. 
- --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl image](#talosctl-image) - Manage CRI container images - -## talosctl image source-bundle - -List the source images used for building Talos - -``` -talosctl image source-bundle {"<"}talos-version{">"} [flags] -``` - -### Options - -``` - -h, --help help for source-bundle -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl image](#talosctl-image) - Manage CRI container images - -## talosctl image - -Manage CRI container images - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for image - --namespace system namespace to use: system (etcd and kubelet images) or `cri` for all Kubernetes workloads (default "cri") - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. 
Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos -* [talosctl image cache-cert-gen](#talosctl-image-cache-cert-gen) - Generate TLS certificates and CA patch required for securing image cache to Talos communication -* [talosctl image cache-create](#talosctl-image-cache-create) - Create a cache of images in OCI format into a directory -* [talosctl image cache-serve](#talosctl-image-cache-serve) - Serve an OCI image cache directory over HTTP(S) as a container registry -* [talosctl image default](#talosctl-image-default) - List the default images used by Talos -* [talosctl image list](#talosctl-image-list) - List CRI images -* [talosctl image pull](#talosctl-image-pull) - Pull an image into CRI -* [talosctl image source-bundle](#talosctl-image-source-bundle) - List the source images used for building Talos - -## talosctl inject serviceaccount - -Inject Talos API ServiceAccount into Kubernetes manifests - -``` -talosctl inject serviceaccount [--roles='{"<"}ROLE_1{">"},{"<"}ROLE_2{">"}'] -f {"<"}manifest.yaml{">"} [flags] -``` - -### Examples - -``` -talosctl inject serviceaccount --roles="os:admin" -f deployment.yaml > deployment-injected.yaml - -Alternatively, stdin can be piped to the command: -cat deployment.yaml | talosctl inject serviceaccount --roles="os:admin" -f - > deployment-injected.yaml - -``` - -### Options - -``` - -f, --file string file with Kubernetes manifests to be injected with ServiceAccount - -h, --help help for serviceaccount - -r, --roles strings roles to add to the generated ServiceAccount manifests (default [os:reader]) -``` - -### SEE ALSO - -* [talosctl 
inject](#talosctl-inject) - Inject Talos API resources into Kubernetes manifests - -## talosctl inject - -Inject Talos API resources into Kubernetes manifests - -### Options - -``` - -h, --help help for inject -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos -* [talosctl inject serviceaccount](#talosctl-inject-serviceaccount) - Inject Talos API ServiceAccount into Kubernetes manifests - -## talosctl inspect dependencies - -Inspect controller-resource dependencies as graphviz graph. - -### Synopsis - -Inspect controller-resource dependencies as graphviz graph. - -Pipe the output of the command through the "dot" program (part of graphviz package) -to render the graph: - - talosctl inspect dependencies | dot -Tpng > graph.png - - -``` -talosctl inspect dependencies [flags] -``` - -### Options - -``` - -h, --help help for dependencies - --with-resources display live resource information with dependencies -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl inspect](#talosctl-inspect) - Inspect internals of Talos - -## talosctl inspect - -Inspect internals of Talos - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for inspect - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos -* [talosctl inspect dependencies](#talosctl-inspect-dependencies) - Inspect controller-resource dependencies as graphviz graph. - -## talosctl kubeconfig - -Download the admin kubeconfig from the node - -### Synopsis - -Download the admin kubeconfig from the node. -If merge flag is true, config will be merged with ~/.kube/config or [local-path] if specified. -Otherwise, kubeconfig will be written to PWD or [local-path] if specified. - -If merge flag is false and [local-path] is "-", config will be written to stdout. - -``` -talosctl kubeconfig [local-path] [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force Force overwrite of kubeconfig if already present, force overwrite on kubeconfig merge - --force-context-name string Force context name for kubeconfig merge - -h, --help help for kubeconfig - -m, --merge Merge with existing kubeconfig (default true) - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. 
Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl list - -Retrieve a directory listing - -``` -talosctl list [path] [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -d, --depth int32 maximum recursion depth (default 1) - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for list - -H, --humanize humanize size and time in the output - -l, --long display additional file details - -n, --nodes strings target the specified nodes - -r, --recurse recurse into subdirectories - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - -t, --type strings filter by specified types: - f regular file - d directory - l, L symbolic link -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl logs - -Retrieve logs for a service - -``` -talosctl logs {"<"}service name{">"} [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -f, --follow specify if the logs should be streamed - -h, --help help for logs - -k, --kubernetes use the k8s.io containerd namespace - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --tail int32 lines of log file to display (default is to show from the beginning) (default -1) - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl machineconfig gen - -Generates a set of configuration files for Talos cluster - -### Synopsis - -The cluster endpoint is the URL for the Kubernetes API. If you decide to use -a control plane node, common in a single node control plane setup, use port 6443 as -this is the port that the API server binds to on every control plane node. For an HA -setup, usually involving a load balancer, use the IP and port of the load balancer. - -``` -talosctl machineconfig gen {"<"}cluster name{">"} {"<"}cluster endpoint{">"} [flags] -``` - -### Options - -``` - -h, --help help for gen -``` - -### SEE ALSO - -* [talosctl machineconfig](#talosctl-machineconfig) - Machine config related commands - -## talosctl machineconfig patch - -Patch a machine config - -``` -talosctl machineconfig patch {"<"}machineconfig-file{">"} [flags] -``` - -### Options - -``` - -h, --help help for patch - -o, --output string output destination. 
if not specified, output will be printed to stdout - -p, --patch stringArray patch generated machineconfigs (applied to all node types), use @file to read a patch from file -``` - -### SEE ALSO - -* [talosctl machineconfig](#talosctl-machineconfig) - Machine config related commands - -## talosctl machineconfig - -Machine config related commands - -### Options - -``` - -h, --help help for machineconfig -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos -* [talosctl machineconfig gen](#talosctl-machineconfig-gen) - Generates a set of configuration files for Talos cluster -* [talosctl machineconfig patch](#talosctl-machineconfig-patch) - Patch a machine config - -## talosctl memory - -Show memory usage - -``` -talosctl memory [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for memory - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - -v, --verbose display extended memory statistics -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl meta delete - -Delete a key from the META partition. - -``` -talosctl meta delete key [flags] -``` - -### Options - -``` - -h, --help help for delete -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl meta](#talosctl-meta) - Write and delete keys in the META partition - -## talosctl meta write - -Write a key-value pair to the META partition. - -``` -talosctl meta write key value [flags] -``` - -### Options - -``` - -h, --help help for write -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - -### SEE ALSO - -* [talosctl meta](#talosctl-meta) - Write and delete keys in the META partition - -## talosctl meta - -Write and delete keys in the META partition - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for meta - -i, --insecure write|delete meta using the insecure (encrypted with no auth) maintenance service - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos -* [talosctl meta delete](#talosctl-meta-delete) - Delete a key from the META partition. -* [talosctl meta write](#talosctl-meta-write) - Write a key-value pair to the META partition. - -## talosctl mounts - -List mounts - -``` -talosctl mounts [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for mounts - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. 
Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl netstat - -Show network connections and sockets - -### Synopsis - -Show network connections and sockets. - -You can pass an optional argument to view a specific pod's connections. -To do this, format the argument as "namespace/pod". -Note that only pods with a pod network namespace are allowed. -If you don't pass an argument, the command will show host connections. - -``` -talosctl netstat [flags] -``` - -### Options - -``` - -a, --all display all sockets states (default: connected) - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -x, --extend show detailed socket information - -h, --help help for netstat - -4, --ipv4 display only ipv4 sockets - -6, --ipv6 display only ipv6 sockets - -l, --listening display listening server sockets - -n, --nodes strings target the specified nodes - -k, --pods show sockets used by Kubernetes pods - -p, --programs show process using socket - -w, --raw display only RAW sockets - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
- -t, --tcp display only TCP sockets - -o, --timers display timers - -u, --udp display only UDP sockets - -U, --udplite display only UDPLite sockets - -v, --verbose display sockets of all supported transport protocols -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl patch - -Patch machine configuration of a Talos node with a local patch. - -``` -talosctl patch machineconfig [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - --dry-run print the change summary and patch preview without applying the changes - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for patch - -m, --mode auto, no-reboot, reboot, staged, try apply config mode (default auto) - --namespace string resource namespace (default is to use default namespace per resource) - -n, --nodes strings target the specified nodes - -p, --patch stringArray the patch to be applied to the resource file, use @file to read a patch from file. - --patch-file string a file containing a patch to be applied to the resource. - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - --timeout duration the config will be rolled back after specified timeout (if try mode is selected) (default 1m0s) -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl pcap - -Capture the network packets from the node. 
- -### Synopsis - -The command launches packet capture on the node and streams back the packets as raw pcap file. - -Default behavior is to decode the packets with internal decoder to stdout: - - talosctl pcap -i eth0 - -Raw pcap file can be saved with `--output` flag: - - talosctl pcap -i eth0 --output eth0.pcap - -Output can be piped to tcpdump: - - talosctl pcap -i eth0 -o - | tcpdump -vvv -r - - -BPF filter can be applied, but it has to compiled to BPF instructions first using tcpdump. -Correct link type should be specified for the tcpdump: EN10MB for Ethernet links and RAW -for e.g. Wireguard tunnels: - - talosctl pcap -i eth0 --bpf-filter "$(tcpdump -dd -y EN10MB 'tcp and dst port 80')" - - talosctl pcap -i kubespan --bpf-filter "$(tcpdump -dd -y RAW 'port 50000')" - -As packet capture is transmitted over the network, it is recommended to filter out the Talos API traffic, -e.g. by excluding packets with the port 50000. - - -``` -talosctl pcap [flags] -``` - -### Options - -``` - --bpf-filter string bpf filter to apply, tcpdump -dd format - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - --duration duration duration of the capture - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for pcap - -i, --interface string interface name to capture packets on (default "eth0") - -n, --nodes strings target the specified nodes - -o, --output string if not set, decode packets to stdout; if set write raw pcap data to a file, use '-' for stdout - --promiscuous put interface into promiscuous mode - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. 
Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl processes - -List running processes - -``` -talosctl processes [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for processes - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - -s, --sort string Column to sort output by. [rss|cpu] (default "rss") - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - -w, --watch Stream running processes -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl read - -Read a file on the machine - -``` -talosctl read {"<"}path{">"} [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for read - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. 
Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl reboot - -Reboot a node - -``` -talosctl reboot [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - --debug debug operation from kernel logs. --wait is set to true when this flag is set - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for reboot - -m, --mode string select the reboot mode: "default", "powercycle" (skips kexec), "force" (skips graceful teardown) (default "default") - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - --timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s) - --wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true) -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl reset - -Reset a node - -``` -talosctl reset [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - --debug debug operation from kernel logs. 
--wait is set to true when this flag is set - -e, --endpoints strings override default endpoints in Talos configuration - --graceful if true, attempt to cordon/drain node and leave etcd (if applicable) (default true) - -h, --help help for reset - --insecure reset using the insecure (encrypted with no auth) maintenance service - -n, --nodes strings target the specified nodes - --reboot if true, reboot the node after resetting instead of shutting down - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --system-labels-to-wipe strings if set, just wipe selected system disk partitions by label but keep other partitions intact - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - --timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s) - --user-disks-to-wipe strings if set, wipes defined devices in the list - --wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true) - --wipe-mode all, system-disk, user-disks disk reset mode (default all) -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl restart - -Restart a process - -``` -talosctl restart {"<"}id{">"} [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. 
- --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for restart - -k, --kubernetes use the k8s.io containerd namespace - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl rollback - -Rollback a node to the previous installation - -``` -talosctl rollback [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for rollback - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl rotate-ca - -Rotate cluster CAs (Talos and Kubernetes APIs). - -### Synopsis - -The command can rotate both Talos and Kubernetes root CAs (for the API). -By default both CAs are rotated, but you can choose to rotate just one or another. 
-The command starts by generating new CAs, and gracefully applying it to the cluster. - -For Kubernetes, the command only rotates the API server issuing CA, and other Kubernetes -PKI can be rotated by applying machine config changes to the controlplane nodes. - -``` -talosctl rotate-ca [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - --control-plane-nodes strings specify IPs of control plane nodes - --dry-run dry-run mode (no changes to the cluster) (default true) - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for rotate-ca - --init-node string specify IPs of init node - --k8s-endpoint string use endpoint instead of kubeconfig default - --kubernetes rotate Kubernetes API CA (default true) - -n, --nodes strings target the specified nodes - -o, --output talosconfig path to the output new talosconfig (default "talosconfig") - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talos rotate Talos API CA (default true) - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - --with-docs patch all machine configs adding the documentation for each field (default true) - --with-examples patch all machine configs with the commented examples (default true) - --worker-nodes strings specify IPs of worker nodes -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl service - -Retrieve the state of a service (or all services), control service state - -### Synopsis - -Service control command. 
If run without arguments, lists all the services and their state. -If service ID is specified, default action 'status' is executed which shows status of a single list service. -With actions 'start', 'stop', 'restart', service state is updated respectively. - -``` -talosctl service [{"<"}id{">"} [start|stop|restart|status]] [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for service - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl shutdown - -Shutdown a node - -``` -talosctl shutdown [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - --debug debug operation from kernel logs. --wait is set to true when this flag is set - -e, --endpoints strings override default endpoints in Talos configuration - --force if true, force a node to shutdown without a cordon/drain - -h, --help help for shutdown - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. 
Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - --timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s) - --wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true) -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl stats - -Get container stats - -``` -talosctl stats [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for stats - -k, --kubernetes use the k8s.io containerd namespace - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl support - -Dump debug information about the cluster - -### Synopsis - -Generated bundle contains the following debug information: - -- For each node: - - - Kernel logs. - - All Talos internal services logs. - - All kube-system pods logs. - - Talos COSI resources without secrets. - - COSI runtime state graph. - - Processes snapshot. - - IO pressure snapshot. - - Mounts list. - - PCI devices info. - - Talos version. - -- For the cluster: - - - Kubernetes nodes and kube-system pods manifests. 
- - -``` -talosctl support [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for support - -n, --nodes strings target the specified nodes - -w, --num-workers int number of workers per node (default 1) - -O, --output string output file to write support archive to - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - -v, --verbose verbose output -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl time - -Gets current server time - -``` -talosctl time [--check server] [flags] -``` - -### Options - -``` - --check string checks server time against specified ntp server - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for time - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl upgrade - -Upgrade Talos on the target node - -``` -talosctl upgrade [flags] -``` - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - --debug debug operation from kernel logs. --wait is set to true when this flag is set - -e, --endpoints strings override default endpoints in Talos configuration - -f, --force force the upgrade (skip checks on etcd health and members, might lead to data loss) - -h, --help help for upgrade - -i, --image string the container image to use for performing the install (default "ghcr.io/siderolabs/installer:v1.12.0-beta.1") - --insecure upgrade using the insecure (encrypted with no auth) maintenance service - -n, --nodes strings target the specified nodes - -m, --reboot-mode string select the reboot mode during upgrade. Mode "powercycle" bypasses kexec. Valid values are: ["default" "powercycle"]. (default "default") - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - -s, --stage stage the upgrade to perform it after a reboot - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. - --timeout duration time to wait for the operation is complete if --debug or --wait is set (default 30m0s) - --wait wait for the operation to complete, tracking its progress. always set to true when --debug is set (default true) -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl upgrade-k8s - -Upgrade Kubernetes control plane in the Talos cluster. 
- -### Synopsis - -Command runs upgrade of Kubernetes control plane components between specified versions. - -``` -talosctl upgrade-k8s [flags] -``` - -### Options - -``` - --apiserver-image string kube-apiserver image to use (default "registry.k8s.io/kube-apiserver") - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - --controller-manager-image string kube-controller-manager image to use (default "registry.k8s.io/kube-controller-manager") - --dry-run skip the actual upgrade and show the upgrade plan instead - --endpoint string the cluster control plane endpoint - -e, --endpoints strings override default endpoints in Talos configuration - --from string the Kubernetes control plane version to upgrade from - -h, --help help for upgrade-k8s - --kubelet-image string kubelet image to use (default "ghcr.io/siderolabs/kubelet") - -n, --nodes strings target the specified nodes - --pre-pull-images pre-pull images before upgrade (default true) - --proxy-image string kube-proxy image to use (default "registry.k8s.io/kube-proxy") - --scheduler-image string kube-scheduler image to use (default "registry.k8s.io/kube-scheduler") - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
- --to string the Kubernetes control plane version to upgrade to (default "1.35.0-alpha.3") - --upgrade-kubelet upgrade kubelet service (default true) - --with-docs patch all machine configs adding the documentation for each field (default true) - --with-examples patch all machine configs with the commented examples (default true) -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl usage - -Retrieve a disk usage - -``` -talosctl usage [path1] [path2] ... [pathN] [flags] -``` - -### Options - -``` - -a, --all write counts for all files, not just directories - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -d, --depth int32 maximum recursion depth - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for usage - -H, --humanize humanize size and time in the output - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
- -t, --threshold int threshold exclude entries smaller than SIZE if positive, or entries greater than SIZE if negative -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl validate - -Validate config - -``` -talosctl validate [flags] -``` - -### Options - -``` - -c, --config string the path of the config file - -h, --help help for validate - -m, --mode string the mode to validate the config for (valid values are metal, cloud, and container) - --strict treat validation warnings as errors -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl version - -Prints the version - -``` -talosctl version [flags] -``` - -### Options - -``` - --client Print client version only - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for version - -i, --insecure use Talos maintenance mode API - -n, --nodes strings target the specified nodes - --short Print the short version - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos - -## talosctl wipe disk - -Wipe a block device (disk or partition) which is not used as a volume - -### Synopsis - -Wipe a block device (disk or partition) which is not used as a volume. - -Use device names as arguments, for example: vda or sda5. 
- -``` -talosctl wipe disk {"<"}device names{">"}... [flags] -``` - -### Options - -``` - --drop-partition drop partition after wipe (if applicable) - -h, --help help for disk - -i, --insecure use Talos maintenance mode API - --method string wipe method to use [FAST ZEROES] (default "FAST") -``` - -### Options inherited from parent commands - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. -``` - -### SEE ALSO - -* [talosctl wipe](#talosctl-wipe) - Wipe block device or volumes - -## talosctl wipe - -Wipe block device or volumes - -### Options - -``` - -c, --cluster string Cluster to connect to if a proxy endpoint is used. - --context string Context to be used in command - -e, --endpoints strings override default endpoints in Talos configuration - -h, --help help for wipe - -n, --nodes strings target the specified nodes - --siderov1-keys-dir string The path to the SideroV1 auth PGP keys directory. Defaults to 'SIDEROV1_KEYS_DIR' env variable if set, otherwise '$HOME/.talos/keys'. Only valid for Contexts that use SideroV1 auth. - --talosconfig string The path to the Talos configuration file. Defaults to 'TALOSCONFIG' env variable if set, otherwise '$HOME/.talos/config' and '/var/run/secrets/talos.dev/config' in order. 
-``` - -### SEE ALSO - -* [talosctl](#talosctl) - A CLI for out-of-band management of Kubernetes nodes created by Talos -* [talosctl wipe disk](#talosctl-wipe-disk) - Wipe a block device (disk or partition) which is not used as a volume - -## talosctl - -A CLI for out-of-band management of Kubernetes nodes created by Talos - -### Options - -``` - -h, --help help for talosctl -``` - -### SEE ALSO - -* [talosctl apply-config](#talosctl-apply-config) - Apply a new configuration to a node -* [talosctl bootstrap](#talosctl-bootstrap) - Bootstrap the etcd cluster on the specified node. -* [talosctl cgroups](#talosctl-cgroups) - Retrieve cgroups usage information -* [talosctl cluster](#talosctl-cluster) - A collection of commands for managing local docker-based or QEMU-based clusters -* [talosctl completion](#talosctl-completion) - Output shell completion code for the specified shell (bash, fish or zsh) -* [talosctl config](#talosctl-config) - Manage the client configuration file (talosconfig) -* [talosctl conformance](#talosctl-conformance) - Run conformance tests -* [talosctl containers](#talosctl-containers) - List containers -* [talosctl copy](#talosctl-copy) - Copy data out from the node -* [talosctl dashboard](#talosctl-dashboard) - Cluster dashboard with node overview, logs and real-time metrics -* [talosctl dmesg](#talosctl-dmesg) - Retrieve kernel logs -* [talosctl edit](#talosctl-edit) - Edit Talos node machine configuration with the default editor. -* [talosctl etcd](#talosctl-etcd) - Manage etcd -* [talosctl events](#talosctl-events) - Stream runtime events -* [talosctl gen](#talosctl-gen) - Generate CAs, certificates, and private keys -* [talosctl get](#talosctl-get) - Get a specific resource or list of resources (use 'talosctl get rd' to see all available resource types). 
-* [talosctl health](#talosctl-health) - Check cluster health -* [talosctl image](#talosctl-image) - Manage CRI container images -* [talosctl inject](#talosctl-inject) - Inject Talos API resources into Kubernetes manifests -* [talosctl inspect](#talosctl-inspect) - Inspect internals of Talos -* [talosctl kubeconfig](#talosctl-kubeconfig) - Download the admin kubeconfig from the node -* [talosctl list](#talosctl-list) - Retrieve a directory listing -* [talosctl logs](#talosctl-logs) - Retrieve logs for a service -* [talosctl machineconfig](#talosctl-machineconfig) - Machine config related commands -* [talosctl memory](#talosctl-memory) - Show memory usage -* [talosctl meta](#talosctl-meta) - Write and delete keys in the META partition -* [talosctl mounts](#talosctl-mounts) - List mounts -* [talosctl netstat](#talosctl-netstat) - Show network connections and sockets -* [talosctl patch](#talosctl-patch) - Patch machine configuration of a Talos node with a local patch. -* [talosctl pcap](#talosctl-pcap) - Capture the network packets from the node. -* [talosctl processes](#talosctl-processes) - List running processes -* [talosctl read](#talosctl-read) - Read a file on the machine -* [talosctl reboot](#talosctl-reboot) - Reboot a node -* [talosctl reset](#talosctl-reset) - Reset a node -* [talosctl restart](#talosctl-restart) - Restart a process -* [talosctl rollback](#talosctl-rollback) - Rollback a node to the previous installation -* [talosctl rotate-ca](#talosctl-rotate-ca) - Rotate cluster CAs (Talos and Kubernetes APIs). 
-* [talosctl service](#talosctl-service) - Retrieve the state of a service (or all services), control service state -* [talosctl shutdown](#talosctl-shutdown) - Shutdown a node -* [talosctl stats](#talosctl-stats) - Get container stats -* [talosctl support](#talosctl-support) - Dump debug information about the cluster -* [talosctl time](#talosctl-time) - Gets current server time -* [talosctl upgrade](#talosctl-upgrade) - Upgrade Talos on the target node -* [talosctl upgrade-k8s](#talosctl-upgrade-k8s) - Upgrade Kubernetes control plane in the Talos cluster. -* [talosctl usage](#talosctl-usage) - Retrieve a disk usage -* [talosctl validate](#talosctl-validate) - Validate config -* [talosctl version](#talosctl-version) - Prints the version -* [talosctl wipe](#talosctl-wipe) - Wipe block device or volumes diff --git a/public/talos/v1.13/reference/configuration/network/ethernetconfig.mdx b/public/talos/v1.13/reference/configuration/network/ethernetconfig.mdx index 572e6cf4..bdf4d896 100644 --- a/public/talos/v1.13/reference/configuration/network/ethernetconfig.mdx +++ b/public/talos/v1.13/reference/configuration/network/ethernetconfig.mdx @@ -57,7 +57,7 @@ channels: - + @@ -75,7 +75,7 @@ channels: - + diff --git a/public/talos/v1.13/reference/configuration/v1alpha1/config.mdx b/public/talos/v1.13/reference/configuration/v1alpha1/config.mdx index da6896a3..abea0199 100644 --- a/public/talos/v1.13/reference/configuration/v1alpha1/config.mdx +++ b/public/talos/v1.13/reference/configuration/v1alpha1/config.mdx @@ -82,7 +82,7 @@ machine: # # Look up disk using disk attributes like model, size, serial and others. # diskSelector: # size: 4GB # Disk size. - # model: WDC* # Disk model `/sys/block/{"<"}dev{">"}/device/model`. + # model: WDC* # Disk model `/sys/block//device/model`. # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path. ``` 
@@ -356,7 +356,7 @@ KubeletConfig represents the kubelet config values. ```yaml machine: kubelet: - image: ghcr.io/siderolabs/kubelet:v1.35.0-alpha.3 # The `image` field is an optional reference to an alternative kubelet image. + image: ghcr.io/siderolabs/kubelet:v1.35.0 # The `image` field is an optional reference to an alternative kubelet image. # The `extraArgs` field is used to provide additional flags to the kubelet. extraArgs: feature-gates: ServerSideApply=true @@ -694,21 +694,6 @@ NetworkConfig represents the machine's networking config values. -```yaml -machine: - network: - nameservers: - - 9.8.7.6 - - 8.7.6.5 - searchDomains: - - example.org - - example.com - - # # Configures KubeSpan feature. - # kubespan: - # enabled: true # Enable the KubeSpan feature. -``` -
`features` map[string]boolConfiguration for Ethernet features.

Set of features available and whether they can be enabled or disabled is driver specific.
Use `talosctl get ethernetstatus {"<"}link{">"} -o yaml` to get the list of available features and
their current status.
Configuration for Ethernet features.

Set of features available and whether they can be enabled or disabled is driver specific.
Use `talosctl get ethernetstatus -o yaml` to get the list of available features and
their current status.
`wakeOnLan` []WOLModeWake-on-LAN modes to enable.

If this field is omitted, Wake-on-LAN configuration is not changed.
An empty list disables Wake-on-LAN.

This is similar to `ethtool -s {"<"}link{">"} wol {"<"}options{">"}` command.
Wake-on-LAN modes to enable.

If this field is omitted, Wake-on-LAN configuration is not changed.
An empty list disables Wake-on-LAN.

This is similar to `ethtool -s wol ` command.
`phy`
`unicast`
`multicast`
`broadcast`
`arp`
`magic`
`magicsecure`
`filter`
@@ -847,7 +832,7 @@ machine: # # Look up disk using disk attributes like model, size, serial and others. # diskSelector: # size: 4GB # Disk size. - # model: WDC* # Disk model `/sys/block/{"<"}dev{">"}/device/model`. + # model: WDC* # Disk model `/sys/block//device/model`. # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path. ``` @@ -914,7 +899,7 @@ machine: install: diskSelector: size: '>= 1TB' # Disk size. - model: WDC* # Disk model `/sys/block/{"<"}dev{">"}/device/model`. + model: WDC* # Disk model `/sys/block//device/model`. # # Disk bus path. # busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 @@ -941,37 +926,37 @@ machine: - + - + - + - + - + - + @@ -2024,7 +2009,7 @@ APIServerConfig represents the kube apiserver configuration options. ```yaml cluster: apiServer: - image: registry.k8s.io/kube-apiserver:v1.35.0-alpha.3 # The container image used in the API server manifest. + image: registry.k8s.io/kube-apiserver:v1.35.0 # The container image used in the API server manifest. # Extra arguments to supply to the API server. extraArgs: feature-gates: ServerSideApply=true @@ -2377,7 +2362,7 @@ ControllerManagerConfig represents the kube controller manager configuration opt ```yaml cluster: controllerManager: - image: registry.k8s.io/kube-controller-manager:v1.35.0-alpha.3 # The container image used in the controller manager manifest. + image: registry.k8s.io/kube-controller-manager:v1.35.0 # The container image used in the controller manager manifest. # Extra arguments to supply to the controller manager. extraArgs: feature-gates: ServerSideApply=true 
@@ -2518,7 +2503,7 @@ ProxyConfig represents the kube proxy configuration options. ```yaml cluster: proxy: - image: registry.k8s.io/kube-proxy:v1.35.0-alpha.3 # The container image used in the kube-proxy manifest. + image: registry.k8s.io/kube-proxy:v1.35.0 # The container image used in the kube-proxy manifest. mode: ipvs # proxy mode of kube-proxy. # Extra arguments to supply to kube-proxy. extraArgs: @@ -2579,7 +2564,7 @@ SchedulerConfig represents the kube scheduler configuration options. ```yaml cluster: scheduler: - image: registry.k8s.io/kube-scheduler:v1.35.0-alpha.3 # The container image used in the scheduler manifest. + image: registry.k8s.io/kube-scheduler:v1.35.0 # The container image used in the scheduler manifest. # Extra arguments to supply to the scheduler. extraArgs: feature-gates: AllBeta=true @@ -2877,7 +2862,7 @@ EtcdConfig represents the etcd configuration options. ```yaml cluster: etcd: - image: registry.k8s.io/etcd:v3.6.6 # The container image used to create the etcd service. + image: registry.k8s.io/etcd:v3.6.7 # The container image used to create the etcd service. # The `ca` is the root certificate authority of the PKI. ca: crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t @@ -2948,7 +2933,7 @@ CoreDNS represents the CoreDNS config values. ```yaml cluster: coreDNS: - image: registry.k8s.io/coredns/coredns:v1.13.1 # The `image` field is an override to the default coredns image. + image: registry.k8s.io/coredns/coredns:v1.13.2 # The `image` field is an override to the default coredns image. ``` diff --git a/public/talos/v1.13/security/ca-rotation.mdx b/public/talos/v1.13/security/ca-rotation.mdx index b09d339a..d6c1b779 100644 --- a/public/talos/v1.13/security/ca-rotation.mdx +++ b/public/talos/v1.13/security/ca-rotation.mdx 
@@ -29,7 +29,7 @@ Both rotation flows are described in detail below. ## Talos API -### Automated Talos API CA Rotation +### Automated Talos API CA rotation Talos API CA rotation doesn't interrupt connections within the cluster, and it doesn't require a reboot of the nodes. @@ -108,7 +108,7 @@ If other client access `talosconfig` files needs to be generated, use `talosctl > Note: if using [Talos API access from Kubernetes](../../../kubernetes-guides/advanced-guides/talos-api-access-from-k8s) feature, pods might need to be restarted manually to pick up new `talosconfig`. -### Manual Steps for Talos API CA Rotation +### Manual steps for Talos API CA rotation 1. Generate new Talos CA (e.g. use `talosctl gen secrets` and use Talos CA). 2. Patch machine configuration on all nodes updating `.machine.acceptedCAs` with new CA certificate. @@ -120,7 +120,7 @@ If other client access `talosconfig` files needs to be generated, use `talosctl ## Kubernetes API -### Automated Kubernetes API CA Rotation +### Automated Kubernetes API CA rotation The automated process only rotates Kubernetes API CA, used by the `kube-apiserver`, `kubelet`, etc. Other Kubernetes secrets might need to be rotated manually as required. @@ -182,7 +182,7 @@ New `kubeconfig` can be fetched with `talosctl kubeconfig` command from the clus Kubernetes pods might need to be restarted manually to pick up changes to the Kubernetes API CA. -### Manual Steps for Kubernetes API CA Rotation +### Manual steps for Kubernetes API CA rotation Steps are similar [to the Talos API CA rotation](#manual-steps-for-talos-api-ca-rotation), but use: diff --git a/public/talos/v1.13/security/cert-management.mdx b/public/talos/v1.13/security/cert-management.mdx index a08c257b..24646df0 100644 --- a/public/talos/v1.13/security/cert-management.mdx +++ b/public/talos/v1.13/security/cert-management.mdx 
@@ -16,9 +16,9 @@ Each time you download the `kubeconfig` file from a Talos Linux cluster, the cli The `talosconfig` file should be renewed at least once a year, using the `talosctl config new` command, as shown below, or by one of the other methods. -## Generating New Client Configuration +## Generating new client configuration -### Using Controlplane Node +### Using control plane node If you have a valid (not expired) `talosconfig` with `os:admin` role, a new client configuration file can be generated with `talosctl config new` against @@ -30,7 +30,7 @@ talosctl -n CP1 config new talosconfig-reader --roles os:reader --crt-ttl 24h A specific [role](./rbac) and certificate lifetime can be specified. -### From Secrets Bundle +### From secrets bundle If a secrets bundle (`secrets.yaml` from `talosctl gen secrets`) was saved while [generating machine configuration](../getting-started/#configure-talos): @@ -41,7 +41,7 @@ talosctl gen config --with-secrets secrets.yaml --output-types talosconfig -o ta > Note: `` and `` arguments don't matter, as they are not used for `talosconfig`. -### From Control Plane Machine Configuration +### From control plane machine configuration In order to create a new key pair for client configuration, you will need the root Talos API CA. The base64 encoded CA can be found in the control plane node's configuration file. diff --git a/public/talos/v1.13/security/iam-roles-for-service-accounts.mdx b/public/talos/v1.13/security/iam-roles-for-service-accounts.mdx index 7d5532e2..3dfc89fd 100644 --- a/public/talos/v1.13/security/iam-roles-for-service-accounts.mdx +++ b/public/talos/v1.13/security/iam-roles-for-service-accounts.mdx 
@@ -204,7 +204,7 @@ Patch your Talos `machineconfig` to use the new Service Account issuer and signi talosctl apply-config --nodes --file machineconfig-patch.yaml ``` -## Step 3: Install Required Kubernetes Components +## Step 3: Install required Kubernetes components Two components are required on the cluster: `cert-manager` and `amazon-eks-pod-identity-webhook`. diff --git a/public/talos/v1.13/security/verifying-images.mdx b/public/talos/v1.13/security/verifying-images.mdx index 96a5603f..69dc0d22 100644 --- a/public/talos/v1.13/security/verifying-images.mdx +++ b/public/talos/v1.13/security/verifying-images.mdx @@ -11,7 +11,7 @@ Sidero Labs signs the container images generated for the Talos release with [cos * `ghcr.io/siderolabs/imager` (Talos install image generator) * all [system extension images](https://github.com/siderolabs/extensions/) -## Verifying Container Image Signatures +## Verifying container image signatures The `cosign` tool can be used to verify the signatures of the Talos container images: @@ -29,7 +29,7 @@ The following checks were performed on each of these signatures: The image should be signed using [cosign certificate authority flow](https://docs.sigstore.dev/certificate_authority/certificate-issuing-overview/) by a Sidero Labs employee with and email from `siderolabs.com` domain. -## Reproducible Builds +## Reproducible builds Talos builds for `kernel`, `initramfs`, `talosctl`, ISO image, and container images are reproducible. So you can verify that the build is the same as the one as provided on [GitHub releases page](https://github.com/siderolabs/talos/releases).
`name` stringDisk name `/sys/block/{"<"}dev{">"}/device/name`.Disk name `/sys/block//device/name`.
`model` stringDisk model `/sys/block/{"<"}dev{">"}/device/model`.Disk model `/sys/block//device/model`.
`serial` stringDisk serial number `/sys/block/{"<"}dev{">"}/serial`.Disk serial number `/sys/block//serial`.
`modalias` stringDisk modalias `/sys/block/{"<"}dev{">"}/device/modalias`.Disk modalias `/sys/block//device/modalias`.
`uuid` stringDisk UUID `/sys/block/{"<"}dev{">"}/uuid`.Disk UUID `/sys/block//uuid`.
`wwid` stringDisk WWID `/sys/block/{"<"}dev{">"}/wwid`.Disk WWID `/sys/block//wwid`.
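Review bot: the talosctl CLI reference removed in the long run of `-` lines (ending with the `## talosctl` SEE ALSO index) defines the anchors that its own index links to, for example `* [talosctl wipe disk](#talosctl-wipe-disk)` and `* [talosctl rotate-ca](#talosctl-rotate-ca)`; confirm the page is re-created at its new location or that a redirect is added, otherwise those links and any external links into the reference will dangle. The removed text also pins pre-release defaults (`ghcr.io/siderolabs/installer:v1.12.0-beta.1` under `talosctl upgrade`, `--to` default `1.35.0-alpha.3` under `talosctl upgrade-k8s`), so if the page is regenerated elsewhere it should be regenerated against the same release the config.mdx hunks now use (`v1.35.0`).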
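Review bot: the argument placeholder is lost in both ethernetconfig.mdx hunks (`@@ -57,7 +57,7 @@` and `@@ -75,7 +75,7 @@`): `talosctl get ethernetstatus {"<"}link{">"} -o yaml` becomes `talosctl get ethernetstatus -o yaml`, and `ethtool -s {"<"}link{">"} wol {"<"}options{">"}` becomes `ethtool -s wol `, so the reader no longer sees that a link name and the WoL options belong there, and the second command is left with a trailing space inside the code span. If the `{"<"}...{">"}` escape is being dropped because it is no longer needed, keep the argument in the code span (for example `ethtool -s <link> wol <options>`, or `LINK`/`OPTIONS` if angle brackets cannot be rendered) rather than deleting it.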
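Review bot: the same placeholder drop breaks the sysfs paths in config.mdx: `/sys/block/{"<"}dev{">"}/device/model` becomes `/sys/block//device/model` (double slash, no device) in the `@@ -82`, `@@ -832` and `@@ -899` hunks, and the `name`, `model`, `serial`, `modalias`, `uuid` and `wwid` rows of the diskSelector table (`@@ -941,37 +926,37 @@`) change from `/sys/block/{"<"}dev{">"}/...` to `/sys/block//...` in the same way. Restore the device placeholder, for example `/sys/block/<dev>/device/model`, so each path still names the element the field is matched against.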
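Review bot: the `@@ -694,21 +694,6 @@` hunk deletes the whole `machine.network` example (`nameservers`, `searchDomains` and the commented `# kubespan:` block) from NetworkConfig without a replacement, which looks unrelated to the placeholder and heading changes in the rest of the patch; if the removal is intended, say so in the commit message, otherwise restore the block so NetworkConfig keeps a worked example like the other config sections in this file.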
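Review bot: the image bumps in config.mdx (`kubelet`, `kube-apiserver`, `kube-controller-manager`, `kube-proxy` and `kube-scheduler` from `v1.35.0-alpha.3` to `v1.35.0`, `etcd` from `v3.6.6` to `v3.6.7`, `coredns` from `v1.13.1` to `v1.13.2`) are a content change bundled into a commit titled `docs: move the on-prem doc`; mention them in the commit message or split them into their own commit so the regenerated reference can be reviewed on its own and the version change is easy to find later.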
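Review bot: the heading changes in ca-rotation.mdx, cert-management.mdx, iam-roles-for-service-accounts.mdx and verifying-images.mdx are case-only (e.g. `### Manual Steps for Talos API CA Rotation` to `### Manual steps for Talos API CA rotation`), and the one in-page link that targets them, `#manual-steps-for-talos-api-ca-rotation` in the `@@ -182,7 +182,7 @@` hunk, is already lowercase, so the anchors should keep working; it is still worth checking that external links into these pages do not depend on a case-sensitive slug. The unchanged context next to these hunks shows the same missing-placeholder problem the rest of the patch introduces elsewhere: cert-management.mdx reads ``> Note: `` and `` arguments don't matter`` and iam-roles-for-service-accounts.mdx reads `talosctl apply-config --nodes --file machineconfig-patch.yaml` with no node argument; since these files are already being edited, restoring those placeholders here would keep the fix in one change.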