Go to file

Mathias Beaulieu-Duncan 8178ba195e Add known issues, roadmap, and conditional Go toolchain patch - Document SetVariableRT upgrade failure, 16K page size implications, serial console issue, and SBC install disk behavior - Add production roadmap (4K pages, GRUB boot, serial fix, NVMe) - Make overlay Go patch conditional: apply only on Go 1.24.x, skip on 1.25+ where CVEs are already fixed upstream Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>		2026-02-13 18:05:51 -05:00
.gitea/workflows	Replace cosign with buildx attestations for Docker Scout compliance	2026-02-13 17:05:20 -05:00
config	Initial commit: Talos CM5 builder with Gitea CI/CD	2026-02-09 17:58:17 -05:00
patches	Fix 21 Go stdlib CVEs and enable supply chain attestations	2026-02-13 15:36:13 -05:00
scripts	Fix double-v badge bug and add table segment updates in README sync	2026-02-13 17:33:33 -05:00
.gitignore	Initial commit: Talos CM5 builder with Gitea CI/CD	2026-02-09 17:58:17 -05:00
cosign.pub	Add SBOM attestations to installer/release images, remove Scout	2026-02-13 16:48:56 -05:00
LICENSE	Add LICENSE, update README, upgrade provenance to max-mode	2026-02-13 15:57:11 -05:00
Makefile	Add known issues, roadmap, and conditional Go toolchain patch	2026-02-13 18:05:51 -05:00
README.md	Add known issues, roadmap, and conditional Go toolchain patch	2026-02-13 18:05:51 -05:00
TECHNICAL.md	Replace cosign with buildx attestations for Docker Scout compliance	2026-02-13 17:05:20 -05:00

README.md

Talos CM5 Builder

Custom Talos Linux images for Raspberry Pi 5 / CM5 on Compute Blade hardware.

The official Talos Image Factory does not support CM5 — the mainline kernel lacks CM5 device trees and RP1 driver support. This builder uses the RPi downstream kernel (via talos-rpi5/talos-builder patches) to produce working CM5 images with our extensions and overclock config.

Current versions

Component	Version
Talos Linux
RPi Kernel
iscsi-tools
util-linux-tools

Image tags

Release images are published to docker.io/svrnty/talos-rpi5 with the format:

v<talos>-k<kernel>-<revision>

For example: v1.12.3-k6.12.47-2

Segment	Meaning
`v1.12.3`	Upstream Talos Linux version
`k6.12.47`	RPi downstream kernel version
`2`	Build revision (bumped for config/patch changes on the same upstream versions)

Usage

Install from raw disk image

Download metal-arm64.raw.zst from the latest release and flash to eMMC:

zstd -d metal-arm64.raw.zst -o metal-arm64.raw
# Flash to eMMC/SD via your preferred tool (dd, balenaEtcher, etc.)

Upgrade an existing node

Warning: In-place upgrades via talosctl upgrade may fail on RPi5/CM5 hardware with a SetVariableRT EFI firmware error. See Known issues below. For now, the recommended upgrade path is to re-flash the disk image.

# Re-flash method (reliable)
zstd -d metal-arm64.raw.zst -o metal-arm64.raw
# Flash to eMMC/SD via your preferred tool

# In-place method (experimental — may fail, see known issues)
talosctl upgrade --image docker.io/svrnty/talos-rpi5:v1.12.3-k6.12.47-2

What's included

RPi downstream kernel with CM5/RP1 support
16K page size (RPi Foundation default — see known issues for implications)
Overclock: 2.6GHz (arm_freq=2600, over_voltage_delta=50000, arm_boost=1)
Extensions: iscsi-tools, util-linux-tools

Known issues

In-place upgrade fails (SetVariableRT)

talosctl upgrade may fail during the bootloader installation step with:

Firmware does not support SetVariableRT. Can not remount with rw

The RPi5/CM5 EFI firmware does not support runtime EFI variable writes, which the Talos bootloader update requires. Re-flashing the disk image is the reliable upgrade path for now. We are investigating GRUB-based boot as a fix (see Roadmap).

Upstream: talos-builder#21

16K memory pages

The RPi downstream kernel defaults to 16K page size instead of upstream Talos's 4K. This means:

Higher per-page memory overhead — workloads that allocate many small buffers (e.g. Longhorn v2 data engine) consume significantly more RAM
Potential OOM on control-plane nodes — systems running etcd + kube-apiserver + workloads may hit memory pressure, especially on 4GB/8GB boards
Incompatibility with some software that assumes 4K pages

We plan to switch to 4K pages for production readiness (see Roadmap).

Upstream: talos-builder#3, talos-builder#11

No serial console output after boot

Serial output goes silent after the EFI stub decompresses the kernel and exits boot services. This affects headless debugging on CM5 boards where serial is the primary console.

Upstream: talos-builder#4

Install disk config ignored on SBCs

Talos ignores the machine.install.disk config field on SBC platforms. You must flash the disk image directly to your target disk (eMMC, SD, NVMe). Booting from USB or NVMe also requires flashing directly to that disk — the image targets SD (mmcblk0) by default.

Upstream: talos-builder#22

Roadmap

This project targets production-ready Talos clusters on RPi5/CM5 hardware. Key milestones:

Switch to 4K page size — Align with upstream Talos kernel config to reduce memory overhead and improve workload compatibility. Requires testing RPi peripheral drivers with 4K pages.
Reliable in-place upgrades — Investigate GRUB-based boot or alternative bootloader strategies to work around the SetVariableRT firmware limitation, enabling talosctl upgrade on RPi5/CM5.
Serial console fix — Debug U-Boot/kernel handoff to restore serial output after EFI stub exit.
NVMe boot support — Produce images that target NVMe directly, or document a supported NVMe boot flow.

Building

For local builds, CI/CD setup, runner configuration, and project structure, see TECHNICAL.md.

License

This project is licensed under the Mozilla Public License 2.0.

It builds upon the following MPL 2.0 licensed upstream projects:

siderolabs/talos — Talos Linux OS
siderolabs/pkgs — Talos package definitions
talos-rpi5/sbc-raspberrypi5 — Raspberry Pi 5 SBC overlay

Our patches to these projects are in the patches/ directory and are distributed under the same MPL 2.0 terms.