Booting into an air-gapped environment is not easy, and will not be covered by this guide.
About Talos
Talos Linux is Linux designed for Kubernetes – secure, immutable, and minimal. Developed by Siderolabs
Why should you use Talos?
- Talos is a container optimized linux distro; it is designed to be as minimal as possible while still maintaining practicality.
- Talos allows customization through the means of a machine config file that is generated along with the secrets needed to authenticate with your cluster.
- Talos will always end up configured exactly the same every time (it is immutable).
- Talos can be managed declaritively just like kubernetes. Making it easier to automate and maintain at scale.
Why shouldn’t I used Ubuntu or Debian?
- Debian-based Operating Systems are designed to be a general-purpose operating system.
- Higher attack surface. Ubuntu server is a full linux distribution with a shell, multiple packages and services enabled by default. It is harder to guarantee that the system running kubernetes hasn’t been tampered with.
- For larger clusters, managing nodes will require more complex configurations, automation, and oversight.
Getting Started with Talos
Prerequisites
Almost all of the configuration will be over the Command-Line Interface orCLI for short.
I highly recommend installing homebrew/brew.sh if you don’t have it installed. Updating talosctl manually is difficult and tiring.
If you have homebrew installed, you can install talosctl via:
talosctl binary from here and put it in your $PATH each time it updates.
Building Your Factory Image
Talos provides this awesome factory that helps configure and package various boot assets required for each node: https://factory.talos.dev/ The factory will guide you through creating the ideal image for your node by configuring:- The Hardware Type
- Talos Version
- Architecture
- Secure Boot
- Extensions
Deciding What Extensions You Need
Firmware Extensions
Firmware Extensions
| Extension Name | Description |
|---|---|
| amdgpu-firmware | Provides AMD GPU firmware binaries required for the amdgpu driver. |
| amd-ucode | Provides AMD CPU microcode binaries. |
| chelsio-firmware | Provides firmware for Chelsio NICs. |
| i915-ucode | Provides Intel GPU microcode binaries. |
| intel-ice-firmware | Provides Intel Ice network firmware binaries. |
| intel-ucode | Provides Intel CPU microcode binaries. |
| qlogic-firmware | Provides firmware for QLogic devices. |
| realtek-firmware | Provides Realtek firmware binaries. |
Kernel Modules
Kernel Modules
| Extension Name | Description |
|---|---|
| binfmt-misc | Provides the kernel module for binfmt-misc, enabling execution of different binary formats. |
| bnx2-bnx2x | Provides network drivers for Broadcom network devices (bnx2 and bnx2x). |
| btrfs | Provides the BTRFS filesystem kernel module. |
| chelsio-drivers | Provides network drivers for Chelsio NICs. |
| drbd | Provides Distributed Replicated Block Device (DRBD) kernel module. |
| gasket-driver | Provides Google gasket driver kernel modules for PCIe and M.2 Google Coral accelerators. |
| nvidia-open-gpu-kernel-modules | Provides Nvidia open-source GPU driver kernel modules. |
| thunderbolt | Provides Thunderbolt/USB4 driver kernel modules. |
| usb-modem-drivers | Provides USB modem driver kernel modules. |
| v4l-uvc-drivers | Provides Video4Linux drivers for USB Video Class devices. |
| zfs | Provides ZFS filesystem kernel modules. (Pool must exist before booting) |
| nonfree-kmod-nvidia | Provides proprietary Nvidia kernel modules. |
Container and Virtualization Extensions
Container and Virtualization Extensions
| Extension Name | Description |
|---|---|
| ecr-credential-provider | Provides credentials for Kubelet to authenticate against AWS Elastic Container Registry. |
| gvisor | Provides gVisor as a sandboxed container runtime. |
| gvisor-debug | Enables gVisor debug logging. |
| kata-containers | Provides Kata Containers runtime for lightweight virtualized containers. |
| nvidia-container-toolkit | Provides Nvidia runtime and its dependencies using NVIDIA’s runtime handler. |
| qemu-guest-agent | Provides the QEMU Guest Agent service. |
| spin | Provides runtime support for WebAssembly (WASM) containers using Spin. |
| stargz-snapshotter | Provides Stargz Snapshotter using containerd’s runtime handler. |
| vmtoolsd-guest-agent | Provides the VMToolsd Guest Agent for interacting with virtual machine hosts. |
| wasmedge | Provides support for the WasmEdge WebAssembly runtime. |
| xen-guest-agent | Provides the Xen Guest Agent for communication with Xen hypervisor hosts. |
Networking and System Tools
Networking and System Tools
| Extension Name | Description |
|---|---|
| iscsi-tools | Provides tools for iSCSI (Internet Small Computer System Interface). |
| mdadm | Provides the mdadm tool for managing RAID arrays. |
| nut-client | Provides the Network UPS Tools (NUT) client for monitoring UPS devices. (Requires Config) |
| tailscale | Tailscale connects your team’s devices and development environments for easy access to remote resources. (Requires Config) |
| util-linux-tools | Provides a minimal util-linux package. |
Flashing Your Image
Assuming you have somehow managed to coerce your machine into booting from the ISO, Talos will be running in mainteance mode. It is running in RAM and will not install itself to any disk without a configuration.Finding Your Disks
While your machine is in mainteance mode, you can use theCLI to fetch details about the machine. You will need to use the --insecure flag as the machine does not have any configuration associated with it.
Scouring Your Talos Filesystem
talosctl provides the read, list & copy commands for looking and pulling information from the filesystem.
This is particularly helpful for searching for the disk id’s for your drives when setting up a storage engine like longhorn or rook-ceph.
Accessing The Node (through other means)
In the case you need to interact with the node, you can create a privileged pod and enter an interactive session with it using thekubectl tool.
-iwill keep the output open regardless if nothing is attached.-twill allocate a output for the container.