The imager's `--insecure` flag covered BaseInstaller, ImageCache, and
SystemExtensions but not the Overlay or OverlayInstaller ContainerAssets.
When pulling those from a plain-HTTP local registry (e.g. for offline
or development builds), they always tried HTTPS and failed with
"http: server gave HTTP response to HTTPS client" even with the flag set.
This patch sets `ForceInsecure: cmdFlags.Insecure` on both overlay
asset references, matching how the other Inputs are handled.
Build-tool only — no effect on the running Talos OS. Lets `gmake installer`
work end-to-end against an insecure registry like 192.133.7.111:5001.
After upgrade kexec into v1.13.2, CM5 eMMC takes ~2m13s between the SDHCI
controller registering and mmc0 actually becoming usable. The Talos config
acquire state machine (`acquire.go::stateDisk`) checks STATE in the first
seconds of boot, sees `VolumePhaseMissing`, and transitions one-way to
`stateEmbedded` -> `stateMaintenanceEnter`. When STATE later becomes
ready, the state machine doesn't re-enter `stateDisk`, so the node stays
in maintenance forever despite the on-disk config.yaml being intact.
This patch makes stateDisk tolerate transient phase=missing for up to
5 minutes (stateMissingDiskTimeout) before falling through to embedded.
A 5-second ticker on the outer Run loop ensures the timeout can fire
even when no further volume-status events arrive (e.g. truly missing
STATE on a fresh install).
Validated 2026-05-25 via canonical 3-CP rolling upgrade on a freshly
flashed v1.12.4 home-test cluster: all 3 blades upgraded sequentially
to v1.13.2-7 (this patch), each came back stage=running with config
loaded automatically and k8s Ready within ~5 min, no manual remediation.
See doc-compute-blade-kubernetes/talos-upgrade-validation/session-2026-05-25/E2E-VALIDATED.md.
Fast-init hardware sees no change — STATE reaches ready within seconds
and the existing path runs.
This patch file mirrors a commit that already existed in checkouts/talos
(`a50511de7` — "grub: EFI-at-/boot fallback for BOOT-less SBC layout in
Upgrade path") but was never landed back into patches/siderolabs/talos/.
Extracted with `git format-patch` from the checkout so subsequent
`make patches` runs reproduce the same tree on a fresh clone.
Complements 0005 by handling the Upgrade code-path (in addition to the
fresh-install code-path 0005 already covers) for SBC layouts that don't
have a separate BOOT partition.
Two complementary fixes after end-to-end local installer build:
1. New talos/0001 patch — Replace hack/modules-arm64.txt with the
intersection of upstream's initramfs list and our RPi 6.12.47
build's actual modules (155 entries, down from upstream's 241).
Initramfs target was failing with exit 123 in xargs install -D
because upstream lists modules our kernel doesn't build (SATA,
HID device drivers, some upstream-only crypto helpers).
2. Makefile: add --network=host to the metal docker run.
The installer step already had it, but the metal step did not.
For local-registry builds (REGISTRY=127.0.0.1:5001), the imager
container needs --network=host to reach the host's registry to
pull the overlay image when generating the raw disk image.
Harmless on CI (no behavioural change against docker.io).
Validated locally end-to-end:
- kernel image: 234MB (RPi 6.12.47 with RP1 driver support)
- overlay image: 9.7MB (U-Boot + firmware + DTBs)
- imager image: 346MB
- installer-base: 105MB
- installer: ~100MB
- metal-arm64.raw.zst: 94MB (final flashable disk image)
The v1.13.2 rebase of pkgs 0001 only restored some RP1-related kernel
options (PINCTRL_RP1, COMMON_CLK_RP1, PINCTRL_BCM2712) because those
hunks happened to apply cleanly against upstream v1.13.0's 6.18.24-era
config-arm64. Several others were silently dropped, causing:
ld.lld: error: undefined symbol: rp1_get_platform
at the vmlinux link step (~19 min into local kernel build).
Re-added:
- CONFIG_MFD_RP1=y (defines rp1_get_platform)
- CONFIG_COMMON_CLK_RP1_SDIO=y
- CONFIG_FB_BCM2708=y (RPi framebuffer)
- CONFIG_PWM_PIO_RP1=y (RPi PWM via PIO)
- CONFIG_PWM_BRCMSTB=y (was "not set")
Local build now succeeds: svrnty/talos-rpi5-kernel:v1.13.0-local
loaded into local Docker (234MB).
- Makefile: TALOS_VERSION v1.12.4 -> v1.13.2, PKG_VERSION v1.12.0 -> v1.13.0
- siderolabs/talos 0001 (modules-arm64.txt): removed; hack/modules-arm64.txt
is a CI assertion file with no build-time references. Will be regenerated
from a real RPi 6.12.47 kernel build as a follow-up.
- siderolabs/talos 0005 (BOOT partition GRUB): rebased onto v1.13.2's
Install/Upgrade refactor. installEFI struct field is gone upstream; ported
the BOOT-partition probe + EFI-at-/boot fallback to work with the new
efiFound local var and added a bootFromEFI struct field for runGrubInstall.
- siderolabs/pkgs 0001: rebased onto v1.13.0. Kernel config header bumped
to 6.12.47. config-arm64 not fully regenerated for RPi 6.12.47 yet -- some
upstream v1.13 6.18.x symbols (LIBIE_ADMINQ, IDPF, etc) remain in the file
but the kernel's Kconfig silently drops unknown options during build.
On fresh SBC images, the EFI partition has sd-boot UKI files but no
GRUB config. During upgrade, Probe() found sd-boot and used it, which
failed because RPi5/CM5 firmware lacks EFI SetVariableRT support.
Add arm64 guard to Probe(): when no GRUB config is found, skip sd-boot
probing and return a fresh GRUB config. This transitions from sd-boot
to GRUB on the first upgrade from a fresh flash.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Patch 0005 fixes talosctl upgrade on SBC layouts (RPi5/CM5) where
the disk has no separate BOOT (XFS) partition — only EFI (VFAT).
Falls back to mounting EFI at /boot for probe, install, and revert.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Talos assumes bare metal kernels support open_tree on anonymous FS
(added in 6.15). The RPi downstream kernel (6.12.x) does not, causing
shadow bind mount failures for /etc files and cascading network init
failures. This patch removes the InContainer() gate so the capability
check runs on all platforms.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ip6_gre.ko exists in Talos upstream module list (v1.12.4) but not
in the RPi downstream kernel build. Only add it to the removal side
of the patch, not our custom module list.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Talos v1.12.4 added kernel/net/ipv6/ip6_gre.ko to modules-arm64.txt.
Update our patch to match. Also silence gmake checkouts-clean stdout
in auto-update.sh to prevent it leaking into GITHUB_OUTPUT.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Force GRUB instead of sd-boot on arm64 and pass --no-nvram to
grub-install, working around the SetVariableRT firmware limitation
that prevents in-place upgrades on RPi5/CM5 hardware.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove the 16K page override from the kernel patch, preserving
upstream Talos's default 4K pages. RPi5 hardware works correctly
with 4K pages — the RPi Foundation's 16K default is a TLB
performance optimization (~5%), not a hardware requirement.
Benefits:
- Correct memory accounting (4x less overhead per page)
- Full software compatibility (jemalloc, Longhorn, F2FS, etc.)
- No OOM surprises on control-plane nodes
- Aligned with upstream Talos kernel config
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Patch was stale — regenerated from the working checkout to match
the v1.12.3 hack/modules-arm64.txt index.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The talos patch was incorrectly replaced with pkgs-repo changes
(Pkgfile, kernel config). Restored the correct patch that modifies
hack/modules-arm64.txt in the talos checkout.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Regenerated patches to match current upstream checkouts:
- pkgs: updated kernel version, checksums, and config-arm64
- talos: reworked to patch Pkgfile, kernel config, and pkg.yaml
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
