svrnty/talos-rpi5
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 23 Wiki Activity

Compare commits

base: svrnty:d84ddc491afccc696595b001970a2dfe1cd899ac
Branches Tags
svrnty:main
svrnty:talos-v1.13.2-bump
svrnty:v1.13.2-k6.12.47-1
svrnty:v1.12.4-k6.12.47-13
svrnty:v1.12.4-k6.12.47-12
svrnty:v1.12.4-k6.12.47-11
svrnty:v1.12.4-k6.12.47-10
svrnty:v1.12.4-k6.12.47-9
svrnty:v1.12.4-k6.12.47-8
svrnty:v1.12.4-k6.12.47-7
svrnty:v1.12.4-k6.12.47-6
svrnty:v1.12.4-k6.12.47-5
svrnty:v1.12.4-k6.12.47-4
svrnty:v1.12.4-k6.12.47-3
svrnty:v1.12.4-k6.12.47-2
svrnty:v1.12.4-k6.12.47-1
svrnty:v1.12.3-k6.12.47-6
svrnty:v1.12.3-k6.12.47-5
svrnty:v1.12.3-k6.12.47-4
svrnty:v1.12.3-k6.12.47-3
svrnty:v1.12.3-k6.12.47-2
svrnty:v1.12.3-7
svrnty:v1.12.3-6
svrnty:v1.12.3-5
svrnty:v1.12.3-4
svrnty:v1.12.3-3
svrnty:v1.12.3-2
svrnty:v1.12.3-1
...
compare: svrnty:19625ba8c058997df07c3df8dbcaf5199fd8f948
Branches Tags
svrnty:main
svrnty:talos-v1.13.2-bump
svrnty:v1.13.2-k6.12.47-1
svrnty:v1.12.4-k6.12.47-13
svrnty:v1.12.4-k6.12.47-12
svrnty:v1.12.4-k6.12.47-11
svrnty:v1.12.4-k6.12.47-10
svrnty:v1.12.4-k6.12.47-9
svrnty:v1.12.4-k6.12.47-8
svrnty:v1.12.4-k6.12.47-7
svrnty:v1.12.4-k6.12.47-6
svrnty:v1.12.4-k6.12.47-5
svrnty:v1.12.4-k6.12.47-4
svrnty:v1.12.4-k6.12.47-3
svrnty:v1.12.4-k6.12.47-2
svrnty:v1.12.4-k6.12.47-1
svrnty:v1.12.3-k6.12.47-6
svrnty:v1.12.3-k6.12.47-5
svrnty:v1.12.3-k6.12.47-4
svrnty:v1.12.3-k6.12.47-3
svrnty:v1.12.3-k6.12.47-2
svrnty:v1.12.3-7
svrnty:v1.12.3-6
svrnty:v1.12.3-5
svrnty:v1.12.3-4
svrnty:v1.12.3-3
svrnty:v1.12.3-2
svrnty:v1.12.3-1

3 Commits
d84ddc491a ... 19625ba8c0

Author SHA1 Message Date
Mathias Beaulieu-Duncan
19625ba8c0 patches: add 0008 imager respect --insecure for Overlay assets 
The imager's `--insecure` flag covered BaseInstaller, ImageCache, and
SystemExtensions but not the Overlay or OverlayInstaller ContainerAssets.
When pulling those from a plain-HTTP local registry (e.g. for offline
or development builds), they always tried HTTPS and failed with
"http: server gave HTTP response to HTTPS client" even with the flag set.

This patch sets `ForceInsecure: cmdFlags.Insecure` on both overlay
asset references, matching how the other Inputs are handled.

Build-tool only — no effect on the running Talos OS. Lets `gmake installer`
work end-to-end against an insecure registry like 192.133.7.111:5001.
 2026-05-25 20:04:38 -04:00
Mathias Beaulieu-Duncan
40bfac268d patches: add 0007 acquire.go wait for STATE on slow-init disks (CM5 eMMC) 
After upgrade kexec into v1.13.2, CM5 eMMC takes ~2m13s between the SDHCI
controller registering and mmc0 actually becoming usable. The Talos config
acquire state machine (`acquire.go::stateDisk`) checks STATE in the first
seconds of boot, sees `VolumePhaseMissing`, and transitions one-way to
`stateEmbedded` -> `stateMaintenanceEnter`. When STATE later becomes
ready, the state machine doesn't re-enter `stateDisk`, so the node stays
in maintenance forever despite the on-disk config.yaml being intact.

This patch makes stateDisk tolerate transient phase=missing for up to
5 minutes (stateMissingDiskTimeout) before falling through to embedded.
A 5-second ticker on the outer Run loop ensures the timeout can fire
even when no further volume-status events arrive (e.g. truly missing
STATE on a fresh install).

Validated 2026-05-25 via canonical 3-CP rolling upgrade on a freshly
flashed v1.12.4 home-test cluster: all 3 blades upgraded sequentially
to v1.13.2-7 (this patch), each came back stage=running with config
loaded automatically and k8s Ready within ~5 min, no manual remediation.
See doc-compute-blade-kubernetes/talos-upgrade-validation/session-2026-05-25/E2E-VALIDATED.md.

Fast-init hardware sees no change — STATE reaches ready within seconds
and the existing path runs.
 2026-05-25 20:04:30 -04:00
Mathias Beaulieu-Duncan
8fada1ebfe patches: restore 0006 grub EFI-at-/boot fallback for BOOT-less SBC Upgrade 
This patch file mirrors a commit that already existed in checkouts/talos
(`a50511de7` — "grub: EFI-at-/boot fallback for BOOT-less SBC layout in
Upgrade path") but was never landed back into patches/siderolabs/talos/.
Extracted with `git format-patch` from the checkout so subsequent
`make patches` runs reproduce the same tree on a fresh clone.

Complements 0005 by handling the Upgrade code-path (in addition to the
fresh-install code-path 0005 already covers) for SBC layouts that don't
have a separate BOOT partition.
 2026-05-25 20:04:17 -04:00
3 changed files with 248 additions and 0 deletions
Show Stats Expand all files Collapse all files

92
patches/siderolabs/talos/0006-grub-EFI-at-boot-fallback-for-BOOT-less-SBC-layout-i.patch Normal file
View File

@ -0,0 +1,92 @@
From a50511de74db08a0b4426be88bb52ce860a008a4 Mon Sep 17 00:00:00 2001
From: builder <build@svrnty.io>
Date: Fri, 22 May 2026 16:10:42 -0400
Subject: [PATCH] grub: EFI-at-/boot fallback for BOOT-less SBC layout in
Upgrade path
---
.../v1alpha1/bootloader/grub/upgrade.go | 43 +++++++++++++++----
1 file changed, 35 insertions(+), 8 deletions(-)
diff --git a/internal/app/machined/pkg/runtime/v1alpha1/bootloader/grub/upgrade.go b/internal/app/machined/pkg/runtime/v1alpha1/bootloader/grub/upgrade.go
index 9e3f86b84..e99bf2939 100644
--- a/internal/app/machined/pkg/runtime/v1alpha1/bootloader/grub/upgrade.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/bootloader/grub/upgrade.go
@@ -6,6 +6,7 @@ package grub
import (
"context"
+ "fmt"
"path/filepath"
"github.com/siderolabs/go-blockdevice/v2/blkid"
@@ -18,12 +19,12 @@ import (
// Upgrade copies new boot assets and updates grub configuration on an existing installation.
func (c *Config) Upgrade(opts options.InstallOptions) (*options.InstallResult, error) {
- mountSpecs := []mount.Spec{
- {
- PartitionLabel: constants.BootPartitionLabel,
- FilesystemType: partition.FilesystemTypeXFS,
- MountTarget: filepath.Join(opts.MountPrefix, constants.BootMountPoint),
- },
+ var mountSpecs []mount.Spec
+
+ bootMountSpec := mount.Spec{
+ PartitionLabel: constants.BootPartitionLabel,
+ FilesystemType: partition.FilesystemTypeXFS,
+ MountTarget: filepath.Join(opts.MountPrefix, constants.BootMountPoint),
}
efiMountSpec := mount.Spec{
@@ -32,6 +33,23 @@ func (c *Config) Upgrade(opts options.InstallOptions) (*options.InstallResult, e
MountTarget: filepath.Join(opts.MountPrefix, constants.EFIMountPoint),
}
+ // check if the BOOT partition is present (absent on SBC layouts like RPi5/CM5)
+ if err := mount.PartitionOp(
+ opts.BootDisk,
+ []mount.Spec{bootMountSpec},
+ func() error {
+ return nil
+ },
+ []blkid.ProbeOption{
+ blkid.WithSkipLocking(true),
+ },
+ nil,
+ nil,
+ opts.BlkidInfo,
+ ); err == nil {
+ mountSpecs = append(mountSpecs, bootMountSpec)
+ }
+
var efiFound bool
// check if the EFI partition is present
@@ -49,12 +67,21 @@ func (c *Config) Upgrade(opts options.InstallOptions) (*options.InstallResult, e
opts.BlkidInfo,
); err == nil {
efiFound = true
- }
- if efiFound {
+ if len(mountSpecs) == 0 {
+ // No BOOT partition (SBC layout): mount EFI at /boot so GRUB
+ // can find kernel/initramfs/grub.cfg in the expected place.
+ efiMountSpec.MountTarget = filepath.Join(opts.MountPrefix, constants.BootMountPoint)
+ c.bootFromEFI = true
+ }
+
mountSpecs = append(mountSpecs, efiMountSpec)
}
+ if len(mountSpecs) == 0 {
+ return nil, fmt.Errorf("neither BOOT nor EFI partition found on disk %s", opts.BootDisk)
+ }
+
err := mount.PartitionOp(
opts.BootDisk,
mountSpecs,
--
2.50.1 (Apple Git-155)

114
patches/siderolabs/talos/0007-Wait-for-STATE-volume-on-slow-init-disks-in-config-a.patch Normal file
View File

@ -0,0 +1,114 @@
From 27501076fcb1e183e68313ef0e14092d7f403063 Mon Sep 17 00:00:00 2001
From: Mathias Beaulieu-Duncan <mathias@svrnty.io>
Date: Mon, 25 May 2026 17:10:13 -0400
Subject: [PATCH] Wait for STATE volume on slow-init disks in config acquire
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On slow-init storage (notably RPi CM5 eMMC, which takes ~2 minutes 13
seconds from kernel boot to mmc0/CQE-enabled), the config acquire state
machine's stateDisk step sees STATE in phase=missing during the early
boot window and immediately transitions to stateEmbedded. With no
embedded config either, the node falls through to maintenance mode and
stays there even after the STATE volume later reaches phase=ready —
the state machine is one-way and never re-enters stateDisk.
Result: in-place upgrades to v1.13.2 on CM5 hardware leave the node in
maintenance with its on-disk config.yaml intact but unread, until a
human runs `talosctl apply-config --insecure` to re-feed the same file
that's already on the STATE filesystem.
This patch makes stateDisk tolerate transient phase=missing for up to
5 minutes (stateMissingDiskTimeout) before falling through. The outer
Run loop gets a 5-second ticker so the timeout can fire even when no
further volume-status events arrive (e.g. truly missing STATE on a
fresh install). Fast-init hardware sees no change — STATE reaches ready
within seconds and the existing path runs.
Tested on RPi CM5 (eMMC, 6.12.47 RPi-downstream kernel) — boot path
that previously dropped to maintenance now waits ~2m15s, sees STATE
reach ready, and continues to stateDone with the persisted config.
---
.../pkg/controllers/config/acquire.go | 37 ++++++++++++++++++-
1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/internal/app/machined/pkg/controllers/config/acquire.go b/internal/app/machined/pkg/controllers/config/acquire.go
index a70fddb..7a3758f 100644
--- a/internal/app/machined/pkg/controllers/config/acquire.go
+++ b/internal/app/machined/pkg/controllers/config/acquire.go
@@ -18,6 +18,7 @@ import (
"path/filepath"
"slices"
"strings"
+ "time"
"github.com/cosi-project/runtime/pkg/controller"
"github.com/cosi-project/runtime/pkg/safe"
@@ -86,8 +87,16 @@ type AcquireController struct {
diskConfig config.Provider
storedEmbeddedConfig []byte
skipMaskingEmbeddedConfig bool
+ firstSeenStateMissing time.Time
}
+// stateMissingDiskTimeout is how long stateDisk will wait for the STATE volume
+// to leave the "missing" phase before falling through to embedded/maintenance.
+// On slow-init storage (e.g. RPi CM5 eMMC) the volume can take ~2-3 minutes to
+// appear after kernel boot; transitioning to embedded too eagerly leaves the
+// node permanently in maintenance even though the on-disk config is intact.
+const stateMissingDiskTimeout = 5 * time.Minute
+
// Name implements controller.Controller interface.
func (ctrl *AcquireController) Name() string {
return "config.AcquireController"
@@ -177,11 +186,17 @@ func (ctrl *AcquireController) Run(ctx context.Context, r controller.Runtime, lo
// initialize with empty sources
ctrl.configSourcesUsed = []string{}
+ // periodic wake-up so stateDisk can re-check slow-init volumes and trip
+ // its timeout even when no resource events fire.
+ tick := time.NewTicker(5 * time.Second)
+ defer tick.Stop()
+
for {
select {
case <-ctx.Done():
return nil
case <-r.EventCh():
+ case <-tick.C:
}
// check the spec first
@@ -262,7 +277,27 @@ func (ctrl *AcquireController) stateDisk(ctx context.Context, r controller.Runti
// wait for the status to be available
return nil, nil, nil
case stateVolumeStatus.TypedSpec().Phase == block.VolumePhaseMissing:
- // STATE is missing, proceed to stateEmbedded
+ // STATE is reported missing. On slow-init storage (e.g. RPi CM5 eMMC)
+ // the volume can take a couple of minutes to appear after kernel boot,
+ // so wait up to stateMissingDiskTimeout for it to reach ready before
+ // falling through to embedded/maintenance.
+ if ctrl.firstSeenStateMissing.IsZero() {
+ ctrl.firstSeenStateMissing = time.Now()
+ }
+
+ if time.Since(ctrl.firstSeenStateMissing) < stateMissingDiskTimeout {
+ logger.Info("STATE volume not yet available, waiting",
+ zap.Duration("elapsed", time.Since(ctrl.firstSeenStateMissing)),
+ zap.Duration("timeout", stateMissingDiskTimeout),
+ )
+
+ return nil, nil, nil
+ }
+
+ logger.Warn("STATE volume still missing after timeout, proceeding to embedded",
+ zap.Duration("waited", time.Since(ctrl.firstSeenStateMissing)),
+ )
+
return ctrl.stateEmbedded, nil, nil
case stateVolumeStatus.TypedSpec().Phase == block.VolumePhaseReady:
// STATE is ready, proceed to to the action
--
2.50.1 (Apple Git-155)

42
patches/siderolabs/talos/0008-imager-respect-insecure-for-Overlay-and-OverlayInsta.patch Normal file
View File

@ -0,0 +1,42 @@
From e2bacf8336c63a4d11a54f3978fc15e8bf4362ce Mon Sep 17 00:00:00 2001
From: Mathias Beaulieu-Duncan <mathias@svrnty.io>
Date: Mon, 25 May 2026 17:20:32 -0400
Subject: [PATCH] imager: respect --insecure for Overlay and OverlayInstaller
assets
The --insecure flag on talosctl imager (and the imager docker image) only
applied to BaseInstaller, ImageCache, and SystemExtensions assets.
Overlay.Image and Input.OverlayInstaller never received ForceInsecure,
so pulling overlay images from an insecure (HTTP) registry failed with
'http: server gave HTTP response to HTTPS client' even when --insecure
was passed.
Set ForceInsecure on both overlay-related ContainerAsset references
when the flag is present, matching how the other inputs are handled.
---
cmd/installer/cmd/imager/root.go | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/cmd/installer/cmd/imager/root.go b/cmd/installer/cmd/imager/root.go
index d65b56089..ea16a45b3 100644
--- a/cmd/installer/cmd/imager/root.go
+++ b/cmd/installer/cmd/imager/root.go
@@ -120,12 +120,14 @@ var rootCmd = &cobra.Command{
prof.Overlay = &profile.OverlayOptions{
Name: cmdFlags.OverlayName,
Image: profile.ContainerAsset{
- ImageRef: cmdFlags.OverlayImage,
+ ImageRef: cmdFlags.OverlayImage,
+ ForceInsecure: cmdFlags.Insecure,
},
ExtraOptions: extraOverlayOptions,
}
prof.Input.OverlayInstaller.ImageRef = cmdFlags.OverlayImage
+ prof.Input.OverlayInstaller.ForceInsecure = cmdFlags.Insecure
}
prof.Input.SystemExtensions = xslices.Map(
--
2.50.1 (Apple Git-155)