svrnty/talos-rpi5
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 23 Wiki Activity
40bfac268d
talos-rpi5/patches/siderolabs/talos/0004-Fallback-to-classic-bind-mounts-on-kernels-without-o.patch
Mathias Beaulieu-Duncan 6cffb4e311
All checks were successful
Build Talos CM5 Image / build (push) Successful in 2m56s
Details
Check Upstream Updates / check-and-build (push) Successful in 4s
Details
Add opentree fallback patch for RPi downstream kernel (<6.15) 
Talos assumes bare metal kernels support open_tree on anonymous FS
(added in 6.15). The RPi downstream kernel (6.12.x) does not, causing
shadow bind mount failures for /etc files and cascading network init
failures. This patch removes the InContainer() gate so the capability
check runs on all platforms.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-14 14:25:03 -05:00

46 lines
2.3 KiB
Diff
Raw Blame History

From 98366401143dcc31c056a7d96242775f9ba013ca Mon Sep 17 00:00:00 2001
From: Mathias Beaulieu-Duncan <mathias@svrnty.io>
Date: Sat, 14 Feb 2026 14:05:15 -0500
Subject: [PATCH 4/4] Fallback to classic bind mounts on kernels without
open_tree support
The open_tree syscall on anonymous filesystem file descriptors was added
in kernel 6.15.0. Talos previously only checked for this capability when
running in container mode, assuming bare metal always had a sufficiently
new kernel. However, platforms like RPi5/CM5 use the RPi downstream
kernel (6.12.x) which lacks this feature, causing shadow bind mount
failures for /etc files and cascading network initialization failures.
Remove the InContainer() gate so the OpentreeOnAnonymousFS() capability
check runs on all platforms, enabling the classic (OSRoot) fallback when
the kernel does not support the newer mount API.
---
.../pkg/runtime/v1alpha2/v1alpha2_controller.go | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go b/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go
index 29b297654..653a45d57 100644
--- a/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go
+++ b/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go
@@ -113,11 +113,12 @@ func (ctrl *Controller) Run(ctx context.Context, drainer *runtime.Drainer) error
networkBindMountTarget = constants.SystemResolvedPath
- // While running in container, we don't have control over kernel version
- // shipped with the machine. If the kernel does not support open_tree syscall
- // on anonymous filesystem file descriptors, we need to fallback to the classic,
- // less secure mode. This capability was added in kernel 6.15.0.
- if ctrl.v1alpha1Runtime.State().Platform().Mode().InContainer() {
+ // If the kernel does not support open_tree syscall on anonymous filesystem
+ // file descriptors, we need to fallback to the classic, less secure mode.
+ // This capability was added in kernel 6.15.0. This check is needed for
+ // containers (where the host kernel is unknown) and for bare metal platforms
+ // running older kernels such as the RPi downstream kernel (6.12.x).
+ {
opentreeOnAnonymous, err := runtime.KernelCapabilities().OpentreeOnAnonymousFS()
if err != nil {
return err
--
2.50.1 (Apple Git-155)
Reference in New Issue View Git Blame Copy Permalink