Understanding Talos - Kashall's Home Cluster

Booting into an air-gapped environment is not easy, and will not be covered by this guide.

About Talos

Talos Linux is Linux designed for Kubernetes – secure, immutable, and minimal.

Developed by Siderolabs

Why should you use Talos?

Talos is a container optimized linux distro; it is designed to be as minimal as possible while still maintaining practicality.
Talos allows customization through the means of a machine config file that is generated along with the secrets needed to authenticate with your cluster.
Talos will always end up configured exactly the same every time (it is immutable).
Talos can be managed declaritively just like kubernetes. Making it easier to automate and maintain at scale.

Why shouldn’t I used Ubuntu or Debian?

Debian-based Operating Systems are designed to be a general-purpose operating system.
Higher attack surface. Ubuntu server is a full linux distribution with a shell, multiple packages and services enabled by default. It is harder to guarantee that the system running kubernetes hasn’t been tampered with.
For larger clusters, managing nodes will require more complex configurations, automation, and oversight.

Getting Started with Talos

Prerequisites

Almost all of the configuration will be over the Command-Line Interface or CLI for short.

I highly recommend installing homebrew/brew.sh if you don’t have it installed. Updating talosctl manually is difficult and tiring.

If you have homebrew installed, you can install talosctl via:

brew install siderolabs/tap/talosctl

Windows users can also use the brew command above if brew is installed, otherwise you can download the latest talosctl binary from here and put it in your $PATH each time it updates.

Building Your Factory Image

Talos provides this awesome factory that helps configure and package various boot assets required for each node: https://factory.talos.dev/

The factory will guide you through creating the ideal image for your node by configuring:

The Hardware Type
Talos Version
Architecture
Secure Boot
Extensions

Deciding What Extensions You Need

Firmware Extensions

Extension Name	Description
amdgpu-firmware	Provides AMD GPU firmware binaries required for the `amdgpu` driver.
amd-ucode	Provides AMD CPU microcode binaries.
chelsio-firmware	Provides firmware for Chelsio NICs.
i915-ucode	Provides Intel GPU microcode binaries.
intel-ice-firmware	Provides Intel Ice network firmware binaries.
intel-ucode	Provides Intel CPU microcode binaries.
qlogic-firmware	Provides firmware for QLogic devices.
realtek-firmware	Provides Realtek firmware binaries.

Kernel Modules

Extension Name	Description
binfmt-misc	Provides the kernel module for `binfmt-misc`, enabling execution of different binary formats.
bnx2-bnx2x	Provides network drivers for Broadcom network devices (bnx2 and bnx2x).
btrfs	Provides the BTRFS filesystem kernel module.
chelsio-drivers	Provides network drivers for Chelsio NICs.
drbd	Provides Distributed Replicated Block Device (DRBD) kernel module.
gasket-driver	Provides Google gasket driver kernel modules for PCIe and M.2 Google Coral accelerators.
nvidia-open-gpu-kernel-modules	Provides Nvidia open-source GPU driver kernel modules.
thunderbolt	Provides Thunderbolt/USB4 driver kernel modules.
usb-modem-drivers	Provides USB modem driver kernel modules.
v4l-uvc-drivers	Provides Video4Linux drivers for USB Video Class devices.
zfs	Provides ZFS filesystem kernel modules. (Pool must exist before booting)
nonfree-kmod-nvidia	Provides proprietary Nvidia kernel modules.

Container and Virtualization Extensions

Extension Name	Description
ecr-credential-provider	Provides credentials for Kubelet to authenticate against AWS Elastic Container Registry.
gvisor	Provides gVisor as a sandboxed container runtime.
gvisor-debug	Enables gVisor debug logging.
kata-containers	Provides Kata Containers runtime for lightweight virtualized containers.
nvidia-container-toolkit	Provides Nvidia runtime and its dependencies using NVIDIA’s runtime handler.
qemu-guest-agent	Provides the QEMU Guest Agent service.
spin	Provides runtime support for WebAssembly (WASM) containers using Spin.
stargz-snapshotter	Provides Stargz Snapshotter using containerd’s runtime handler.
vmtoolsd-guest-agent	Provides the VMToolsd Guest Agent for interacting with virtual machine hosts.
wasmedge	Provides support for the WasmEdge WebAssembly runtime.
xen-guest-agent	Provides the Xen Guest Agent for communication with Xen hypervisor hosts.

Networking and System Tools

Extension Name	Description
iscsi-tools	Provides tools for iSCSI (Internet Small Computer System Interface).
mdadm	Provides the `mdadm` tool for managing RAID arrays.
nut-client	Provides the Network UPS Tools (NUT) client for monitoring UPS devices. (Requires Config)
tailscale	Tailscale connects your team’s devices and development environments for easy access to remote resources. (Requires Config)
util-linux-tools	Provides a minimal util-linux package.

Flashing Your Image

Assuming you have somehow managed to coerce your machine into booting from the ISO, Talos will be running in mainteance mode. It is running in RAM and will not install itself to any disk without a configuration.

Finding Your Disks

While your machine is in mainteance mode, you can use the CLI to fetch details about the machine. You will need to use the --insecure flag as the machine does not have any configuration associated with it.

talosctl disks -n <your_node_ip> -e <your_node_ip> --insecure

Here is the output if the machine has Talos installed:

NODE        DEV            MODEL                      SERIAL             TYPE   UUID                                   WWID                                                                   MODALIAS   NAME   SIZE     BUS_PATH                                                   SUBSYSTEM          READ_ONLY   SYSTEM_DISK
10.69.0.2   /dev/nvme0n1   CT1000P3SSD8               2318E6D1E1A3       NVME   -                                      nvme.c0a9-323331384536443145314133-435431303030503353534438-00000001   -          -      1.0 TB   /pci0000:00/0000:00:1c.4/0000:58:00.0/nvme/nvme0/nvme0n1   /sys/class/block
10.69.0.2   /dev/nvme1n1   KINGSTON OM8PGP41024Q-A0   50026B7382F40A20   NVME   00000000-0000-0000-0026-b7382f40a205   eui.00000000000000000026b7382f40a205                                   -          -      1.0 TB   /pci0000:00/0000:00:06.0/0000:01:00.0/nvme/nvme1/nvme1n1   /sys/class/block               *
10.69.0.2   /dev/nvme2n1   CT1000P3SSD8               2318E6D1804E       NVME   -

Scouring Your Talos Filesystem

talosctl provides the read, list & copy commands for looking and pulling information from the filesystem.

This is particularly helpful for searching for the disk id’s for your drives when setting up a storage engine like longhorn or rook-ceph.

Accessing The Node (through other means)

In the case you need to interact with the node, you can create a privileged pod and enter an interactive session with it using the kubectl tool.

kubectl run toolbox --image=debian:latest --privileged=true -it

-i will keep the output open regardless if nothing is attached.
-t will allocate a output for the container.

Guides

​About Talos

​Why should you use Talos?

​Why shouldn’t I used Ubuntu or Debian?

​Getting Started with Talos

​Prerequisites

​Building Your Factory Image

​Deciding What Extensions You Need

​Flashing Your Image

​Finding Your Disks

​Scouring Your Talos Filesystem

​Accessing The Node (through other means)

About Talos

Why should you use Talos?

Why shouldn’t I used Ubuntu or Debian?

Getting Started with Talos

Prerequisites

Building Your Factory Image

Deciding What Extensions You Need

Flashing Your Image

Finding Your Disks

Scouring Your Talos Filesystem

Accessing The Node (through other means)