### Start Interactive Installer

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/configure-your-talos-cluster/system-configuration/editing-machine-configuration.mdx

Launch the interactive TUI installer for Talos machine configuration using `--mode=interactive`.

```bash
talosctl -n IP apply machineconfig --mode=interactive
```

--------------------------------

### QEMU VM Configuration with CDROM

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/cloud-platforms/nocloud.mdx

Example of starting a QEMU VM and attaching the generated cloud-init ISO image via the CDROM drive for nocloud configuration.

```bash
qemu-system-x86_64 \
    ... \
    -cdrom iso/cidata.iso \
    ...
```

--------------------------------

### Example Output of talosctl get extensions

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/configure-your-talos-cluster/hardware-and-drivers/nvidia-gpu.mdx

This is an example of the expected output when verifying installed NVIDIA system extensions.

```text
NODE           NAMESPACE   TYPE              ID                                                                       VERSION   NAME                             VERSION
172.31.41.27   runtime     ExtensionStatus   000.ghcr.io-siderolabs-nvidia-container-toolkit-515.65.01-v1.10.0        1         nvidia-container-toolkit         515.65.01-v1.10.0
172.31.41.27   runtime     ExtensionStatus   000.ghcr.io-siderolabs-nvidia-open-gpu-kernel-modules-515.65.01-v1.2.0   1         nvidia-open-gpu-kernel-modules   515.65.01-v1.2.0
```

--------------------------------

### Machine Configuration Example

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/reference/configuration/v1alpha1/config.mdx

Defines machine-specific configuration, including installation settings like disk, image, and wipe behavior.

```yaml
machine:
    type: controlplane
    # InstallConfig represents the installation options for preparing a node.
    install:
        disk: /dev/sda # The disk used for installations.
        image: ghcr.io/siderolabs/installer:latest # Allows for supplying the image used to perform the installation.
        wipe: false # Indicates if the installation disk should be wiped at installation time.
        grubUseUKICmdline: true # Indicates if legacy GRUB bootloader should use kernel cmdline from the UKI instead of building it on the host.

        # # Look up disk using disk attributes like model, size, serial and others.
        # diskSelector:
        #     size: 4GB # Disk size.
        #     model: WDC* # Disk model `/sys/block//device/model`.
        #     busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0 # Disk bus path.
```

--------------------------------

### Install QEMU on Ubuntu

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/local-platforms/qemu.mdx

Use apt to install QEMU system and KVM on Ubuntu.

```bash
apt install qemu-system-x86 qemu-kvm
```

--------------------------------

### Example Output of talosctl get modules

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/configure-your-talos-cluster/hardware-and-drivers/nvidia-gpu.mdx

This is an example of the expected output when verifying loaded NVIDIA kernel modules.

```text
NODE       NAMESPACE   TYPE                 ID               VERSION   STATE
10.5.0.3   runtime     LoadedKernelModule   nvidia_uvm       1         Live
10.5.0.3   runtime     LoadedKernelModule   nvidia_drm       1         Live
10.5.0.3   runtime     LoadedKernelModule   nvidia_modeset   1         Live
10.5.0.3   runtime     LoadedKernelModule   nvidia           1         Live
```

--------------------------------

### Example Docker Run Command for Omni with Nginx

Source: https://github.com/siderolabs/docs/blob/main/public/omni/self-hosted/expose-omni-with-nginx-https.mdx

A complete example of starting an Omni instance using Docker, configured for Nginx reverse proxy and including Auth0 authentication flags. Ensure to replace placeholders with your actual values.

```bash
docker run \
  --net=host \
  --cap-add=NET_ADMIN \
  --device /dev/net/tun \
  -v $PWD/etcd:/_out/etcd \
  -v $PWD/omni.asc:/omni.asc \
  ghcr.io/siderolabs/omni: \
    --name=$OMNI_NAME \
    --private-key-source=file:///omni.asc \
    --bind-addr=127.0.0.1:8080 \
    --advertised-api-url=https://$OMNI_DOMAIN_NAME/ \
    --siderolink-api-bind-addr=127.0.0.1:8090 \
    --siderolink-api-advertised-url=https://api.$OMNI_DOMAIN_NAME:443 \
    --k8s-proxy-bind-addr=127.0.0.1:8100 \
    --advertised-kubernetes-proxy-url=https://kube.$OMNI_DOMAIN_NAME/ \
    --account-id=$OMNI_ACCOUNT_UUID \
    --auth-auth0-enabled=true \
    --auth-auth0-domain= \
    --auth-auth0-client-id= \
    --initial-users=
```

--------------------------------

### Check kubelet Logs (Example)

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/troubleshooting/troubleshooting.mdx

Example command to retrieve kubelet logs from a node.

```bash
talosctl -n 192.168.1.10 logs kubelet
```

--------------------------------

### Start Virtual Machine

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/advanced-guides/install-kubevirt.mdx

Starts a previously defined VirtualMachine resource. This action creates a VirtualMachineInstance.

```bash
kubectl virt start fedora-vm
```

--------------------------------

### Install virtctl using curl and wget

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/advanced-guides/install-kubevirt.mdx

Installs the virtctl client by fetching the latest version and downloading the binary.

```bash
export VERSION=$(curl https://storage.googleapis.com/kubevirt-prow/release/kubevirt/kubevirt/stable.txt)
wget https://github.com/kubevirt/kubevirt/releases/download/${VERSION}/virtctl-${VERSION}-linux-amd64
```

--------------------------------

### Install talosctl with curl

Source: https://github.com/siderolabs/docs/blob/main/public/skill.md

Install the talosctl CLI tool by downloading and executing the installation script from talos.dev.

```bash
curl -sL https://talos.dev/install | sh
```

--------------------------------

### Deploy Example Audit Pod

Source: https://github.com/siderolabs/docs/blob/main/public/kubernetes-guides/security/seccomp-profiles.mdx

Apply the example audit pod YAML from the Kubernetes documentation to test Seccomp profiling.

```bash
kubectl apply -f https://k8s.io/examples/pods/security/seccomp/ga/audit-pod.yaml
```

--------------------------------

### Build and Push Talos Installer Images

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/build-and-extend-talos/custom-images-and-development/developing-talos.mdx

Builds and pushes Talos installer base, imager, and installer images to a local registry. Replace 'targetarch' with your target architecture.

```bash
make installer-base IMAGE_REGISTRY=127.0.0.1:5005 PUSH=true
make imager IMAGE_REGISTRY=127.0.0.1:5005 PUSH=true INSTALLER_ARCH=targetarch
make installer IMAGE_REGISTRY=127.0.0.1:5005 PUSH=true
```

--------------------------------

### Install virtctl using krew

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/advanced-guides/install-kubevirt.mdx

Installs the virtctl client as a kubectl plugin using krew.

```bash
kubectl krew install virt
```

--------------------------------

### Install omnictl with curl

Source: https://github.com/siderolabs/docs/blob/main/public/skill.md

Install the omnictl CLI tool by downloading and executing the installation script from talos.dev.

```bash
curl -sL https://talos.dev/install-omnictl | sh
```

--------------------------------

### Install QEMU on macOS

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/local-platforms/qemu.mdx

Install QEMU using the Homebrew package manager on macOS.

```bash
brew install qemu
```

--------------------------------

### Generate Installer Image with Extensions

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/boot-assets.mdx

Create a custom installer image containing system extensions for bare-metal installations. Kernel arguments are configured separately in the machine configuration.

```sh
docker run --rm -t \
  -v "$PWD/_out:/out" \
  ghcr.io/siderolabs/imager:${release_v1_14} \
  installer \
  --platform=metal \
  --system-extension-image ghcr.io/siderolabs/gvisor:20231214.0-${release_v1_14}@sha256:548b2b121611424f6b1b6cfb72a1669421ffaf2f1560911c324a546c7cee655e \
  --system-extension-image ghcr.io/siderolabs/intel-ucode:20231114@sha256:ea564094402b12a51045173c7523f276180d16af9c38755a894cf355d72c249d
```

--------------------------------

### Verify Tool Installation

Source: https://github.com/siderolabs/docs/blob/main/contributing-guides/contribute-to-the-siderolabs-docs.md

Check if Git, Make, and Docker are installed on your system.

```bash
git --version
make --version
docker --version
```

--------------------------------

### Talos Debug Command Examples

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/reference/cli.mdx

Examples demonstrating how to run a debug container from a local tar archive or an image reference.

```bash
# Run a debug container from a local tar archive (image will be loaded into Talos from the archive)
talosctl debug ./debug-tools.tar --args /bin/sh

# Run a debug container from an image reference (Talos will pull the image if not present)
talosctl debug docker.io/library/alpine:latest --args /bin/sh
```

--------------------------------

### Create Installer Image with Extension

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/build-and-extend-talos/custom-images-and-development/kernel-module.mdx

Generate the final installer image that includes your custom system extension.

```bash
make image-installer \
  REGISTRY=127.0.0.1:5005 \
  IMAGER_ARGS="--base-installer-image=${BASE_INSTALLER_IMAGE} \
    --system-extension-image=${EXTENSION_IMAGE}"
```

--------------------------------

### Download Installation Media

Source: https://github.com/siderolabs/docs/blob/main/public/omni/reference/cli.mdx

Downloads installer media from the server. Accepts an image name and optional flags for architecture and extensions.

```bash
omnictl download iso --arch amd64
```

```bash
omnictl download iso --arch amd64 --extensions intel-ucode --extensions qemu-guest-agent
```

```bash
omnictl download "vultr"
```

```bash
omnictl download "rpi_generic"
```

```bash
omnictl download [flags]
```

--------------------------------

### Install Wiz Kubernetes Connector with Helm

Source: https://github.com/siderolabs/docs/blob/main/public/kubernetes-guides/security/wiz-kubernetes-connector.mdx

Install the 'wiz-kubernetes-connector' Helm chart into the 'wiz' namespace using a values file.

```bash
helm install wiz-kubernetes-connector wiz/wiz-kubernetes-connector \
  --namespace wiz \
  --values wiz-values.yaml
```

--------------------------------

### Push Installer Image to Registry

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/boot-assets.mdx

Push the generated installer image to a container registry. Replace `` with your registry username.

```sh
crane push _out/metal-amd64-installer.tar \
  ghcr.io//installer:${release_v1_14}
```

--------------------------------

### Example output and manual stop for talosctl qemu-launch

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/local-platforms/qemu.mdx

This example shows the output of `ps -elf | grep '[t]alosctl qemu-launch'` and demonstrates how to manually stop multiple QEMU VMs using their PIDs.

```bash
ps -elf | grep '[t]alosctl qemu-launch'
0 S root 157615 2835 0 80 0 - 184934 - 07:53 ? 00:00:00 talosctl qemu-launch
0 S root 157617 2835 0 80 0 - 185062 - 07:53 ? 00:00:00 talosctl qemu-launch
sudo kill -s SIGTERM 157615
sudo kill -s SIGTERM 157617
```

--------------------------------

### Start tsidp Service

Source: https://github.com/siderolabs/docs/blob/main/public/omni/security-and-authentication/oidc-login-with-tailscale.mdx

Start only the tsidp service to begin the OIDC client setup process. This allows you to register Omni as a client.

```bash
docker compose up tsidp
```

--------------------------------

### Example kernel arguments status output

Source: https://github.com/siderolabs/docs/blob/main/public/omni/infrastructure-and-extensions/modify-kernel-arguments.mdx

This is an example of the output from `omnictl get kernelargsstatus`, showing the current status, arguments, and any unmet conditions.

```yaml
event: updated
metadata:
    namespace: default
    type: KernelArgsStatuses.omni.sidero.dev
    id: $MACHINE_ID
    version: 5
    owner: KernelArgsStatusController
    phase: running
    created: 2025-10-29T12:58:17Z
    updated: 2025-10-29T13:28:32Z
spec:
    args:
        - talos.environment=foo=bar
    currentargs:
        - console=tty0
        - console=ttyS0
    unmetconditions: []
    currentcmdline: talos.platform=metal console=tty0 console=ttyS0 init_on_alloc=1 slab_nomerge pti=on consoleblank=0 nvme_core.io_timeout=4294967295 printk.devkmsg=on selinux=1 siderolink.api=grpc://omni.example.org:8090?jointoken=w7uVuW3zbVKIYQ....VfCfSCD talos.events.sink=[fdae:41e4:649b:9303::1]:8090 talos.logging.kernel=tcp://[fdae:41e4:649b:9303::1]:8092
```

--------------------------------

### Example output and manual stop for qemu-system

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/local-platforms/qemu.mdx

This example displays the output of `ps -elf | grep qemu-system` and shows how to manually stop QEMU VMs using their PIDs. Note that the PID might be the same for multiple instances if they are part of the same process group.

```bash
ps -elf | grep qemu-system
2 S root 1061663 1061168 26 80 0 - 1786238 - 14:05 ? 01:53:56 qemu-system-x86_64 -m 2048 -drive format=raw,if=virtio,file=/home/username/.talos/clusters/talos-default/bootstrap-master.disk -smp cpus=2 -cpu max -nographic -netdev tap,id=net0,ifname=tap0,script=no,downscript=no -device virtio-net-pci,netdev=net0,mac=1e:86:c6:b4:7c:c4 -device virtio-rng-pci -no-reboot -boot order=cn,reboot-timeout=5000 -smbios type=1,uuid=7ec0a73c-826e-4eeb-afd1-39ff9f9160ca -machine q35,accel=kvm
2 S root 1061663 1061170 67 80 0 - 621014 - 21:23 ? 00:00:07 qemu-system-x86_64 -m 2048 -drive format=raw,if=virtio,file=/homeusername/.talos/clusters/talos-default/pxe-1.disk -smp cpus=2 -cpu max -nographic -netdev tap,id=net0,ifname=tap0,script=no,downscript=no -device virtio-net-pci,netdev=net0,mac=36:f3:2f:c3:9f:06 -device virtio-rng-pci -no-reboot -boot order=cn,reboot-timeout=5000 -smbios type=1,uuid=ce12a0d0-29c8-490f-b935-f6073ab916a6 -machine q35,accel=kvm
sudo kill -s SIGTERM 1061663
sudo kill -s SIGTERM 1061663
```

--------------------------------

### Get Resource Using Alias

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/learn-more/controllers-resources.mdx

Use resource type aliases, like `ns` for `namespaces`, to simplify commands when retrieving resources. This example shows how to get a namespace using its alias.

```bash
$ talosctl get ns config
```

--------------------------------

### Check for Embedded Configuration (Output)

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/boot-assets.mdx

Example output from 'talosctl get extensions' showing the 'embedded-config' extension.

```shell
NODE         NAMESPACE   TYPE              ID   VERSION   NAME              VERSION
172.20.0.5   runtime     ExtensionStatus   0    1         embedded-config   5484261e2ab5d34501ce9ad7875c6c0919875cd44863ee2a8a4d06bf0bd0eef7
```

--------------------------------

### Install kube-router with All Features

Source: https://github.com/siderolabs/docs/blob/main/public/kubernetes-guides/cni/kube-router.mdx

Apply the upstream manifest to install kube-router with pod networking, network policies, and service proxy.

```bash
kubectl apply -f https://raw.githubusercontent.com/cloudnativelabs/kube-router/master/daemonset/kubeadm-kuberouter-all-features.yaml
```

--------------------------------

### Get Talos VM Disk Name

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/virtualized-platforms/kvm.mdx

Fetches the name of the VM's disk where Talos will be installed.

```bash
talosctl get disks --nodes $CP_IP --insecure
```

--------------------------------

### Define and Start KVM Network

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/virtualized-platforms/kvm.mdx

Define the KVM network using the XML configuration file, start the network, and enable it for autostart on boot.

```bash
virsh net-define my-talos-net.xml
virsh net-start my-talos-net
virsh net-autostart my-talos-net
```

--------------------------------

### Example Equinix Metal Device Creation

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/bare-metal-platforms/equinix-metal.mdx

An example of the `metal device create` command with specific parameters. This demonstrates how to provide project ID, metro, plan, hostname, and userdata file for device provisioning.

```sh
metal device create -p -f da11 -O custom_ipxe -P c3.small.x86 -H steve.test.11 --userdata-file ./controlplane.yaml --ipxe-script-url "https://pxe.factory.talos.dev/pxe/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba/${release_v1_14}/equinixMetal-amd64"
```

--------------------------------

### Get Talos Discovered Volumes

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/learn-more/talos-for-linux-admins.mdx

Lists volumes discovered by Talos, typically used during the installation or bootstrap process.

```bash
talosctl get discoveredvolume
```

--------------------------------

### Create VM Step

Source: https://github.com/siderolabs/docs/blob/main/public/omni/infrastructure-and-extensions/writing-infrastructure-providers.mdx

Defines a provisioning step to create a virtual machine (VM) in the provider using the previously uploaded image and configuration details.

```golang
provision.NewStep("createVM", func(ctx context.Context, logger *zap.Logger, pctx provision.Context[*resources.Machine]) error {
    return p.fakeClient.CreateVM(&VMConfig{
        Name:       pctx.GetRequestID(),
        ISO:        pctx.State.TypedSpec().Value.ImageID,
        DiskSize:   pctx.State.TypedSpec().Value.DiskSize,
        Cores:      pctx.State.TypedSpec().Value.Cores,
        Memory:     pctx.State.TypedSpec().Value.Memory,
        KernelArgs: pctx.ConnectionParams.KernelArgs, // includes Omni join configs
    })
})
```

--------------------------------

### Prepare Cloud-Init Configuration Files

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/cloud-platforms/nocloud.mdx

Steps to prepare the `user-data`, `meta-data`, and `network-config` files required for a cloud-init ISO. These files provide the machine configuration and network settings to Talos.

```bash
mkdir -p iso
mv _out/controlplane.yaml iso/user-data
echo "local-hostname: controlplane-1" > iso/meta-data
cat > iso/network-config << EOF
version: 1
config:
   - type: physical
     name: eth0
     mac_address: "52:54:00:12:34:00"
     subnets:
        - type: static
          address: 192.168.1.10
          netmask: 255.255.255.0
          gateway: 192.168.1.254
EOF
```

--------------------------------

### Get Omni Kernel Arguments

Source: https://github.com/siderolabs/docs/blob/main/public/omni/self-hosted/run-omni-airgapped.mdx

Retrieves the necessary Omni kernel arguments using the `omnictl` command. This is required for customizing the installation media.

```bash
omnictl jointoken kernel-args
```

--------------------------------

### Set up Cross-Build Environment

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/build-and-extend-talos/custom-images-and-development/developing-talos.mdx

Run this Docker command to set up the QEMU user-mode emulation environment for cross-compilation. This is necessary for building Talos for different architectures.

```bash
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
```

--------------------------------

### Enable Break Glass Configuration Flag

Source: https://github.com/siderolabs/docs/blob/main/public/omni/security-and-authentication/break-glass-emergency-access.mdx

For on-premises Omni installations, enable break glass mode by passing the --enable-break-glass-configs flag when starting Omni.

```bash
omnictl --enable-break-glass-configs
```

--------------------------------

### talosctl image cache-create Examples

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/reference/cli.mdx

Examples demonstrating how to create an image cache using 'talosctl image cache-create', including direct image specification and piping from stdin.

```bash
talosctl images cache-create --images=ghcr.io/siderolabs/kubelet:v1.36.0 --image-cache-path=/tmp/talos-image-cache

# Alternatively, stdin can be piped to the command:
talosctl images default | talosctl images cache-create --image-cache-path=/tmp/talos-image-cache --images=-
```

--------------------------------

### Get Current META Network Configuration

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx

Example of retrieving the current META network configuration for key 0x0a using talosctl, showing the output format.

```yaml
# talosctl get meta 0x0a -o yaml
...
spec:
    value: '{"addresses": ...}'
```

--------------------------------

### Kubelet Configuration Example

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/reference/configuration/v1alpha1/config.mdx

Configure the Kubelet image, extra arguments, and other settings. The `image` field is optional. `extraArgs` is used for additional flags.

```yaml
machine:
    kubelet:
        image: ghcr.io/siderolabs/kubelet:v1.36.0 # The `image` field is an optional reference to an alternative kubelet image.
        # The `extraArgs` field is used to provide additional flags to the kubelet.
        extraArgs:
            feature-gates: ServerSideApply=true

        # # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
        # clusterDNS:
        #     - 10.96.0.10
        #     - 169.254.2.53

        # # The `extraMounts` field is used to add additional mounts to the kubelet container.
        # extraMounts:
        #     - destination: /var/lib/example # Destination is the absolute path where the mount will be placed in the container.
        #       type: bind # Type specifies the mount kind.
        #       source: /var/lib/example # Source specifies the source path of the mount.
        #       # Options are fstab style mount options.
        #       options:
        #         - bind
        #         - rshared
        #         - rw

        # # The `extraConfig` field is used to provide kubelet configuration overrides.
        # extraConfig:
        #     serverTLSBootstrap: true

        # # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
        # credentialProviderConfig:
        #     apiVersion: kubelet.config.k8s.io/v1
        #     kind: CredentialProviderConfig
        #     providers:
        #         - apiVersion: credentialprovider.kubelet.k8s.io/v1
        #           defaultCacheDuration: 12h
        #           matchImages:
        #             - '*.dkr.ecr.*.amazonaws.com'
        #             - '*.dkr.ecr.*.amazonaws.com.cn'
        #             - '*.dkr.ecr-fips.*.amazonaws.com'
        #             - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
        #             - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
        #           name: ecr-credential-provider

        # # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
        # nodeIP:
        #     # The `validSubnets` field configures the networks to pick kubelet node IP from.
        #     validSubnets:
        #         - 10.0.0.0/8
        #         - '!10.0.0.3/32'
        #         - fdc7::/16
```

--------------------------------

### Example output and manual stop for talosctl loadbalancer-launch

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/local-platforms/qemu.mdx

This example shows the output of `ps -elf | grep '[t]alosctl loadbalancer-launch'` and demonstrates how to manually stop the load balancer using its PID.

```bash
ps -elf | grep '[t]alosctl loadbalancer-launch'
4 S root 157609 2835 0 80 0 - 184998 - 07:53 ? 00:00:07 talosctl loadbalancer-launch --loadbalancer-addr 10.5.0.1 --loadbalancer-upstreams 10.5.0.2
sudo kill -s SIGTERM 157609
```

--------------------------------

### List System Extensions

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/build-and-extend-talos/custom-images-and-development/system-extensions.mdx

Use `talosctl get extensions` to retrieve a list of all system extensions installed on the nodes. This command provides a summary view of each extension.

```bash
$ talosctl get extensions
NODE         NAMESPACE   TYPE              ID                                              VERSION   NAME          VERSION
172.20.0.2   runtime     ExtensionStatus   000.ghcr.io-talos-systems-gvisor-54b831d        1         gvisor        20220117.0-v1.0.0
172.20.0.2   runtime     ExtensionStatus   001.ghcr.io-talos-systems-intel-ucode-54b831d   1         intel-ucode   microcode-20210608-v1.0.0
```

--------------------------------

### Install ServiceMonitor CRD for Prometheus

Source: https://github.com/siderolabs/docs/blob/main/public/kubernetes-guides/advanced-guides/kueue.mdx

Apply the Prometheus ServiceMonitor CRD to allow Prometheus to scrape job metrics. This is the final step for metrics collection setup.

```bash
kubectl apply --server-side -f https://github.com/kubernetes-sigs/kueue/releases/download/v0.14.2/prometheus.yaml
```

--------------------------------

### Multus CNI Error Example

Source: https://github.com/siderolabs/docs/blob/main/public/kubernetes-guides/cni/multus.mdx

This log snippet illustrates a common error encountered when the Multus DaemonSet volume mount is incorrectly configured, preventing pod network setup.

```text
Normal Scheduled 3s default-scheduler Successfully assigned virtualmachines/samplepod to virt2
Warning FailedCreatePodSandBox 3s kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "3a6a58386dfbf2471a6f86bd41e4e9a32aac54ccccd1943742cb67d1e9c58b5b": plugin type="multus-shim" name="multus-cni-network" failed (add): CmdAdd (shim): CNI request failed with status 400: 'ContainerID:"3a6a58386dfbf2471a6f86bd41e4e9a32aac54ccccd1943742cb67d1e9c58b5b" Netns:"/var/run/netns/cni-1d80f6e3-fdab-4505-eb83-7deb17431293" IfName:"eth0" Args:"IgnoreUnknown=1;K8S_POD_NAMESPACE=virtualmachines;K8S_POD_NAME=samplepod;K8S_POD_INFRA_CONTAINER_ID=3a6a58386dfbf2471a6f86bd41e4e9a32aac54ccccd1943742cb67d1e9c58b5b;K8S_POD_UID=8304765e-fd7e-4968-9144-c42c53be04f4" Path:"" ERRORED: error configuring pod [virtualmachines/samplepod] networking: [virtualmachines/samplepod/8304765e-fd7e-4968-9144-c42c53be04f4:cbr0]: error adding container to network "cbr0": DelegateAdd: cannot set "" interface name to "eth0": validateIfName: no net namespace /var/run/netns/cni-1d80f6e3-fdab-4505-eb83-7deb17431293 found: failed to Statfs "/var/run/netns/cni-1d80f6e3-fdab-4505-eb83-7deb17431293": no such file or directory ': StdinData: {"capabilities":{"portMappings":true},"clusterNetwork":"/host/etc/cni/net.d/10-flannel.conflist","cniVersion":"0.3.1","logLevel":"verbose","logToStderr":true,"name":"multus-cni-network","type":"multus-shim"}
```

--------------------------------

### Bring Up Vagrant VMs with Libvirt Provider

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/virtualized-platforms/vagrant-libvirt.mdx

Initiates the creation and startup of your Vagrant environment using the libvirt provider. Ensure libvirt is installed and configured on your host machine.

```bash
vagrant up --provider=libvirt
```

--------------------------------

### Build Installer Base and Imager

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/build-and-extend-talos/custom-images-and-development/kernel-module.mdx

Build the `installer-base` and `imager` components, specifying the custom kernel image and registry. These are necessary for creating custom installation media.

```bash
make installer-base imager PLATFORM=linux/amd64 \
  INSTALLER_ARCH=amd64 \
  REGISTRY=127.0.0.1:5005 \
  PKG_KERNEL=${KERNEL_IMAGE} \
  PUSH=true
```

--------------------------------

### List SBOMs with talosctl

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/advanced-guides/SBOM.mdx

Use `talosctl get sboms` to list all available SBOM items on a Talos Linux system. This command shows details for core components and installed extensions.

```sh
talosctl get sboms
NODE         NAMESPACE   TYPE       ID             VERSION   VERSION   LICENSE
172.20.0.2   runtime     SBOMItem   Talos          1         v1.14.0
172.20.0.2   runtime     SBOMItem   apparmor       1         v3.1.7    GPL-2.0-or-later
172.20.0.2   runtime     SBOMItem   cel.dev/expr   1         v0.24.0
...
```

--------------------------------

### Get Kubernetes Access (Merge Kubeconfig)

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/getting-started/prodnotes.mdx

Merge the kubeconfig into your default kubeconfig file to start using kubectl with your Talos Linux cluster. This command must be run against a single control plane node.

```bash
talosctl kubeconfig --nodes
```

--------------------------------

### Talos ISO Boot with Embedded META

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx

Example of creating a Talos ISO with embedded network configuration, showing the generated kernel command line with INSTALLER_META_BASE64.

```sh
$ docker run --rm -t -v $PWD/_out:/out ghcr.io/siderolabs/imager:${release_v1_14} iso --meta "0xa=$(cat network.yaml)"
...
kernel command line: ... talos.environment=INSTALLER_META_BASE64=MHhhPWZvbw==
```

--------------------------------

### Watch Services

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/learn-more/controllers-resources.mdx

Use the `--watch` flag with `talosctl get` to monitor changes to resources in real-time. This example watches for changes to services (`svc`) and displays event types like creation (`+`), deletion (`-`), and updates.

```bash
$ talosctl get svc -w
```

--------------------------------

### Serve Cached Images Locally

Source: https://github.com/siderolabs/docs/blob/main/public/omni/self-hosted/run-image-factory-on-prem.mdx

Starts a local HTTPS server to serve cached container images from the admin machine. This is necessary for pushing images to an internal registry in an air-gapped setup. Ensure no port conflicts with the registry endpoint.

```bash
export IP=$(hostname -I | awk '{print $1}')

talosctl image cache-cert-gen \
  --advertised-address $IP

talosctl image cache-serve \
  --address $IP:5000 \
  --image-cache-path ./image-cache \
  --tls-cert-file tls.crt \
  --tls-key-file tls.key &
```

--------------------------------

### Full Omni Configuration Example with Auth0

Source: https://github.com/siderolabs/docs/blob/main/public/omni/self-hosted/omni-configuration-example.mdx

A complete Omni configuration file demonstrating all sections, including account identification, Auth0 authentication, service endpoints, storage, and feature flags. Replace placeholder values with your deployment specifics.

```yaml
# Account identification.
# Generate this UUID once and never change it after initial setup.
account:
  id: a1b2c3d4-e5f6-7890-abcd-ef1234567890

# Authentication configuration.
auth:
  auth0:
    enabled: true
    clientID: your-auth0-client-id
    domain: your-tenant.auth0.com
  initialUsers:
    - admin@example.com
    - operator@example.com
  initialServiceAccount:
    enabled: true

# Service endpoints and TLS configuration.
services:
  api:
    endpoint: 0.0.0.0:443
    advertisedURL: https://omni.example.com
    certFile: /etc/omni/tls/tls.crt
    keyFile: /etc/omni/tls/tls.key
  kubernetesProxy:
    endpoint: 0.0.0.0:8095
    advertisedURL: https://omni-k8s.example.com
    certFile: /etc/omni/tls/tls.crt
    keyFile: /etc/omni/tls/tls.key
  machineAPI:
    advertisedURL: grpc://omni-siderolink.example.com:8090
  siderolink:
    joinTokensMode: strict
    wireGuard:
      advertisedEndpoint: 203.0.113.10:50180
  workloadProxy:
    enabled: true
    subdomain: proxy
    useOmniSubdomain: true

# Storage backends.
storage:
  default:
    kind: etcd
    etcd:
      embedded: true
      embeddedDBPath: /var/lib/omni/etcd/
      privateKeySource: "vault://secret/omni-private-key"
  sqlite:
    path: /var/lib/omni/sqlite.db

# Etcd backup configuration with S3 storage.
etcdBackup:
  s3Enabled: true

# Feature flags.
features:
  enableBreakGlassConfigs: true
```

--------------------------------

### Preview Documentation Locally

Source: https://github.com/siderolabs/docs/blob/main/contributing-guides/contribute-to-the-siderolabs-docs.md

Build and preview the documentation site locally to review your changes before committing.

```bash
make preview
```

--------------------------------

### Example Cluster Template Structure

Source: https://github.com/siderolabs/docs/blob/main/public/omni/reference/cluster-templates.mdx

This YAML defines a complete cluster template, including Cluster, ControlPlane, Workers, and Machine documents. It showcases various configurations like labels, Kubernetes and Talos versions, disk encryption, system extensions, kernel arguments, and machine-specific installations.

```yaml
kind: Cluster
name: example
labels:
  my-label: my-value
kubernetes:
  version: v1.26.0
talos:
  version: v1.3.2
features:
  diskEncryption: true
patches:
  - name: kubespan-enabled
    inline:
      machine:
        network:
          kubespan:
            enabled: true
systemExtensions:
  - siderolabs/hello-world-service
kernelArgs:
  - talos.dashboard.disabled=1
---
kind: ControlPlane
machines:
  - 27c16241-96bf-4f17-9579-ea3a6c4a3ca8
  - 4bd92fba-998d-4ef3-ab43-638b806dd3fe
  - 8fdb574a-a252-4d7d-94f0-5cdea73e140a
---
kind: Workers
machines:
  - b885f565-b64f-4c7a-a1ac-d2c8c2781373
  - a54f21dc-6e48-4fc1-96aa-3d7be5e2612b
---
kind: Workers
name: xlarge
machines:
  - 1f721dee-6dbb-4e71-9832-226d73da3841
systemExtensions:
  - siderolabs/hello-world-service
---
kind: Machine
name: 27c16241-96bf-4f17-9579-ea3a6c4a3ca8
---
kind: Machine
name: 4bd92fba-998d-4ef3-ab43-638b806dd3fe
install:
  disk: /dev/vda
---
kind: Machine
name: 8fdb574a-a252-4d7d-94f0-5cdea73e140a
install:
  disk: /dev/vda
---
kind: Machine
name: b885f565-b64f-4c7a-a1ac-d2c8c2781373
install:
  disk: /dev/vda
systemExtensions:
  - siderolabs/hello-world-service
---
kind: Machine
name: a54f21dc-6e48-4fc1-96aa-3d7be5e2612b
locked: true
install:
  disk: /dev/vda
---
kind: Machine
name: 1f721dee-6dbb-4e71-9832-226d73da3841
install:
  disk: /dev/vda
kernelArgs:
  - net.ifnames=0
  - talos.dashboard.disabled=1
```

--------------------------------

### Example SAML Configuration Flags for Omni

Source: https://github.com/siderolabs/docs/blob/main/public/omni/security-and-authentication/using-saml-with-omni/configure-workspace-one-access-for-omni.mdx

Use these flags when starting the Omni container to enable SAML authentication. The `--auth-saml-url` should be replaced with the IdP metadata URL obtained from Workspace ONE Access. The `--auth-saml-label-rules` flag maps the 'groups' attribute from the SAML assertion to a specific label format for role assignment.
```bash
--auth-saml-enabled=true
--auth-saml-url=https://{workspace-one-host}/SAAS/API/1.0/GET/metadata/idp.xml
--auth-saml-label-rules='{"groups": "groups"}'
```

--------------------------------

### Create Working Directory

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/virtualized-platforms/kvm.mdx

Create a dedicated directory for your Talos KVM project files and navigate into it.

```bash
mkdir -p ~/talos-kvm/configs
cd ~/talos-kvm
```

--------------------------------

### Clone Extensions Repository

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/build-and-extend-talos/custom-images-and-development/kernel-module.mdx

Start by cloning the extensions repository to begin creating a system extension.

```bash
git clone https://github.com/siderolabs/extensions.git
cd extensions
mkdir my-module
```

--------------------------------

### Set VM UEFI Mode to Setup

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/virtualized-platforms/xenorchestra.mdx

Force the VM's UEFI mode to setup using either varstore-sb-state or xe vm-set-uefi-mode. Replace with the actual VM UUID.

```bash
varstore-sb-state setup
```

```bash
xe vm-set-uefi-mode mode=setup uuid=
```

--------------------------------

### Verify Omnictl Installation on Windows

Source: https://github.com/siderolabs/docs/blob/main/public/omni/getting-started/install-and-configure-omnictl.mdx

After manually installing `omnictl` on Windows, verify the installation by running the `omnictl --version` command. This confirms that the tool is correctly installed and accessible from the command line.

```powershell
omnictl --version
```

--------------------------------

### Etcd Configuration Example

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/reference/configuration/v1alpha1/config.mdx

Configure the etcd image, CA certificates, and extra arguments for etcd.
Use this to customize etcd deployment within the cluster.

```yaml
cluster:
  etcd:
    image: registry.k8s.io/etcd:v3.6.9 # The container image used to create the etcd service.
    # The `ca` is the root certificate authority of the PKI.
    ca:
      crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
      key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
    # Extra arguments to supply to etcd.
    extraArgs:
      election-timeout: "5000"

    # # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
    # advertisedSubnets:
    #   - 10.0.0.0/8
```

--------------------------------

### Create Docker Buildx Builder

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/build-and-extend-talos/custom-images-and-development/developing-talos.mdx

Sets up a buildx builder with network access to the host for pushing to a local container registry. Ensure buildx is installed.

```bash
docker buildx create --driver docker-container --driver-opt network=host --name local1 --buildkitd-flags '--allow-insecure-entitlement security.insecure' --use
```

--------------------------------

### Generate Talos Configuration for Installer

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/build-and-extend-talos/custom-images-and-development/kernel-module.mdx

Generate a Talos configuration that specifies your custom installer image for a fresh installation.

```bash
talosctl gen config --install-image $REGISTRY/$USER/installer:$TAG \
  test https://192.168.100.100:6443 # cluster name and endpoint
```

--------------------------------

### Install Talos CLI Tools

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/cloud-platforms/aws.mdx

Installs necessary command-line tools for Talos installation on macOS or Linux using Homebrew.
```bash
brew install siderolabs/tap/talosctl kubectl jq curl xz
```

--------------------------------

### Sample Provider Log Output

Source: https://github.com/siderolabs/docs/blob/main/public/omni/omni-cluster-setup/setting-up-the-bare-metal-infrastructure-provider.mdx

Example of the log output from the bare metal infrastructure provider, showing initialization messages and component startup.

```json
{"level":"info","ts":1734439242.1502001,"caller":"provider/provider.go:80","msg":"starting provider","options":{"Name":"Bare Metal","Description":"Bare metal infrastructure provider","OmniAPIEndpoint":"..."}
{"level":"info","ts":1734439242.1973493,"caller":"ipxe/handler.go:310","msg":"patch iPXE binaries","component":"ipxe_handler"}
{"level":"info","ts":1734439242.2833045,"caller":"ipxe/handler.go:316","msg":"successfully patched iPXE binaries","component":"ipxe_handler"}
{"level":"info","ts":1734439242.2870164,"caller":"provider/provider.go:221","msg":"start component","component":"COSI runtime"}
{"level":"info","ts":1734439242.28702,"caller":"provider/provider.go:221","msg":"start component","component":"TFTP server"}
{"level":"info","ts":1734439242.287044,"caller":"provider/provider.go:221","msg":"start component","component":"DHCP proxy"}
{"level":"info","ts":1734439242.2870617,"caller":"provider/provider.go:221","msg":"start component","component":"machine status poller"}
{"level":"info","ts":1734439242.2870378,"caller":"provider/provider.go:221","msg":"start component","component":"server"}
```

--------------------------------

### Deploy Example Workload

Source: https://github.com/siderolabs/docs/blob/main/public/kubernetes-guides/advanced-guides/hpa.mdx

Applies a sample workload to the Kubernetes cluster. This is a prerequisite for testing HPA.
```bash
kubectl apply -f https://raw.githubusercontent.com/siderolabs/example-workload/refs/heads/main/deploy/example-svc-nodeport.yaml
```

--------------------------------

### Install MetalLB with Helm

Source: https://github.com/siderolabs/docs/blob/main/public/omni/self-hosted/run-omni-on-k8s.mdx

Installs MetalLB using Helm. This command adds the MetalLB Helm repository and installs the chart.

```bash
helm repo add metallb https://metallb.github.io/metallb --force-update
helm install \
  metallb metallb/metallb \
  --version v0.15.3 \
  --namespace metallb-system \
  --create-namespace
```

--------------------------------

### Install sbctl CLI

Source: https://github.com/siderolabs/docs/blob/main/public/kubernetes-guides/csi/simplyblock-storage.mdx

Installs the Simplyblock control plane CLI using pip. Ensure you have Python and pip installed.

```bash
pip install sbctl --upgrade
```

--------------------------------

### Rebuild and Run Integration Tests

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/build-and-extend-talos/custom-images-and-development/developing-talos.mdx

First, rebuild the integration test binary by removing the old one and running 'make'. Then, execute the tests against a QEMU provisioned cluster, specifying the Talosctl path.

```bash
rm -f _out/integration-test-linux-amd64; make _out/integration-test-linux-amd64
```

```bash
_out/integration-test-linux-amd64 \
  -talos.provisioner=qemu \
  -test.v \
  -test.short \
  -talos.talosctlpath=$PWD/_out/talosctl-linux-amd64
```

--------------------------------

### Installer SecureBoot Image Reference

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/bare-metal-platforms/secureboot.mdx

Reference for the installer image used for SecureBoot installations. Ensure the release version is correctly specified.
```yaml
factory.talos.dev/installer-secureboot/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba:${release_v1_14}
```

--------------------------------

### Install Kubernetes Dashboard Helm Chart

Source: https://github.com/siderolabs/docs/blob/main/public/omni/cluster-management/expose-a-workload-via-service-proxy.mdx

Installs the Kubernetes dashboard using Helm. Ensure you have a values.yaml file configured for your installation.

```bash
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard
helm install dashboard -f values.yaml kubernetes-dashboard/kubernetes-dashboard
```

--------------------------------

### Talos Secure Boot Installer Image Configuration

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/virtualized-platforms/xenorchestra.mdx

Use this value in your Talos machine configuration when installing with the Secure Boot installer image.

```text
factory.talos.dev/nocloud-installer-secureboot/53b20d86399013eadfd44ee49804c1fef069bfdee3b43f3f5a2f57c03338ac:v1.14
```

--------------------------------

### CPU cgroup Usage Example

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/build-and-extend-talos/cluster-operations-and-maintenance/cgroups-analysis.mdx

This example displays CPU usage statistics for various cgroups. It shows columns like CpuWeight, CpuUser, User/%, CpuSystem, System/%, and Throttled, providing insights into resource allocation and consumption.

```text
├──dashboard 8 11 [ max 100000] 22.231337s 68.63% 5.328927s 43.76% 0s
├──runtime 20 7 [ max 100000] 7.282253s 22.48% 5.924559s 48.65% 0s
├──trustd 10 10 [ max 100000] 1.254353s 3.87% 220.698ms 1.81% 0s
└──udevd 10 10 [ max 100000] 78.726ms 0.24% 233.244ms 1.92% 0s
```

--------------------------------

### Start Service

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/reference/api.mdx

Starts a specific service on a machine.
```APIDOC
## POST /machine/servicestart

### Description
Starts a specified service on the machine.

### Method
POST

### Endpoint
/machine/servicestart

### Parameters
#### Request Body
- **id** (string) - Required - The ID of the service to start.
```

--------------------------------

### Push Custom Installer Image

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/single-board-computers/rpi_generic.mdx

Push the generated custom installer image to a container registry. This image will be used to install Talos on the Raspberry Pi.

```sh
crane push _out/metal-arm64-installer.tar ghcr.io//installer:${release_v1_14}
```

--------------------------------

### Push Installer Image to Registry

Source: https://github.com/siderolabs/docs/blob/main/public/talos/v1.14/platform-specific-installations/bare-metal-platforms/secureboot.mdx

After generating the installer image, push it to a container registry accessible by Talos during installation. Replace with your registry username or organization.

```sh
crane push _out/installer-amd64-secureboot.tar ghcr.io//installer-amd64-secureboot:${release_v1_14}
```