Booting into an air-gapped environment is not easy, and will not be covered by this guide.

About Talos

Talos Linux is Linux designed for Kubernetes: secure, immutable, and minimal. It is developed by Sidero Labs.

Why should you use Talos?

  • Talos is a container-optimized Linux distribution; it is designed to be as minimal as possible while still being practical to run.
  • Talos is configured through a machine config file, which is generated together with the secrets (the cluster and Talos API PKI) needed to authenticate to your cluster.
  • Talos is immutable: the root filesystem is read-only and there is no shell or package manager, so a node runs exactly the image it booted and its state is fully described by its machine config.
  • Talos can be managed declaratively, just like Kubernetes, which makes it easier to automate and maintain at scale.

Why shouldn’t I use Ubuntu or Debian?

  • Debian-based operating systems are designed as general-purpose operating systems.
  • Higher attack surface: Ubuntu Server is a full Linux distribution with a shell, SSH, and many packages and services enabled by default. That makes it harder to guarantee that the system running Kubernetes hasn’t been tampered with.
  • For larger clusters, managing nodes requires more complex configuration, automation, and oversight.

Getting Started with Talos

Prerequisites

Almost all of the configuration is done through the command-line interface (CLI). I highly recommend installing Homebrew (brew.sh) if you don’t have it already; updating talosctl by hand is tedious. With Homebrew installed, you can install talosctl via:
brew install siderolabs/tap/talosctl
Windows users can use the brew command above under WSL; otherwise download the latest talosctl binary from the Talos release page and put it in your PATH, repeating this each time it updates. Verify the install with talosctl version --client.

Building Your Factory Image

Talos provides an image factory at https://factory.talos.dev/ that configures and packages the boot assets (ISO, installer image, disk images) required for each node. The factory guides you through creating the image for your node by choosing:
  • The Hardware Type
  • Talos Version
  • Architecture
  • Secure Boot
  • Extensions
The result is a schematic with an ID. Keep that ID: the same schematic is used to pull the matching installer image for later upgrades, so a node keeps its extensions across versions. Note that Secure Boot images from the factory are signed with Sidero Labs’ keys, so enrolling those certificates in your firmware makes Sidero Labs the trust anchor for what your node boots.

Deciding What Extensions You Need

The extensions fall into four groups: firmware and microcode, kernel modules and drivers, container runtimes and guest agents, and host tools. Each one adds code that runs on the node, so enable only what your hardware and workloads need.

Extension Name                   Description
amdgpu-firmware                  Provides AMD GPU firmware binaries required for the amdgpu driver.
amd-ucode                        Provides AMD CPU microcode binaries.
chelsio-firmware                 Provides firmware for Chelsio NICs.
i915-ucode                       Provides Intel GPU microcode binaries.
intel-ice-firmware               Provides Intel Ice network firmware binaries.
intel-ucode                      Provides Intel CPU microcode binaries.
qlogic-firmware                  Provides firmware for QLogic devices.
realtek-firmware                 Provides Realtek firmware binaries.

Extension Name                   Description
binfmt-misc                      Provides the kernel module for binfmt-misc, enabling execution of different binary formats.
bnx2-bnx2x                       Provides network drivers for Broadcom network devices (bnx2 and bnx2x).
btrfs                            Provides the BTRFS filesystem kernel module.
chelsio-drivers                  Provides network drivers for Chelsio NICs.
drbd                             Provides the Distributed Replicated Block Device (DRBD) kernel module.
gasket-driver                    Provides Google gasket driver kernel modules for PCIe and M.2 Google Coral accelerators.
nvidia-open-gpu-kernel-modules   Provides Nvidia open-source GPU driver kernel modules.
thunderbolt                      Provides Thunderbolt/USB4 driver kernel modules.
usb-modem-drivers                Provides USB modem driver kernel modules.
v4l-uvc-drivers                  Provides Video4Linux drivers for USB Video Class devices.
zfs                              Provides ZFS filesystem kernel modules. (Pool must exist before booting)
nonfree-kmod-nvidia              Provides proprietary Nvidia kernel modules.

Extension Name                   Description
ecr-credential-provider          Provides credentials for the kubelet to authenticate against AWS Elastic Container Registry.
gvisor                           Provides gVisor as a sandboxed container runtime.
gvisor-debug                     Enables gVisor debug logging.
kata-containers                  Provides the Kata Containers runtime for lightweight virtualized containers.
nvidia-container-toolkit         Provides the Nvidia runtime and its dependencies using NVIDIA’s runtime handler.
qemu-guest-agent                 Provides the QEMU Guest Agent service.
spin                             Provides runtime support for WebAssembly (WASM) containers using Spin.
stargz-snapshotter               Provides the Stargz Snapshotter using containerd’s runtime handler.
vmtoolsd-guest-agent             Provides the VMToolsd Guest Agent for interacting with virtual machine hosts.
wasmedge                         Provides support for the WasmEdge WebAssembly runtime.
xen-guest-agent                  Provides the Xen Guest Agent for communication with Xen hypervisor hosts.

Extension Name                   Description
iscsi-tools                      Provides tools for iSCSI (Internet Small Computer System Interface).
mdadm                            Provides the mdadm tool for managing RAID arrays.
nut-client                       Provides the Network UPS Tools (NUT) client for monitoring UPS devices. (Requires Config)
tailscale                        Provides the Tailscale client for joining the node to a Tailscale network. (Requires Config)
util-linux-tools                 Provides a minimal util-linux package.
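The factory accepts the same choices as a schematic document. The script below is an added example, not code from the page or from Sidero Labs: it assembles a schematic for a list of official extensions and derives the image references the factory serves for a schematic ID. The extension names, the Talos version and the all-zero schematic ID are placeholders; the factory returns the real ID when the schematic is registered.

```shell
#!/bin/sh
# Added example (not from the page or Sidero Labs): build an Image Factory
# schematic and the image references that follow from its ID.
# Assumptions, labelled: EXTENSIONS, TALOS_VERSION and SCHEMATIC_ID below are
# placeholders standing in for values you choose or the factory returns.

# Emit a schematic document for the given official extensions.
# Every extension adds firmware, kernel modules or a service to the image,
# so list only what the hardware actually needs.
schematic_yaml() {
    printf 'customization:\n  systemExtensions:\n    officialExtensions:\n'
    for ext in "$@"; do
        printf '      - siderolabs/%s\n' "$ext"
    done
}

# Image references the factory serves for a schematic ID and Talos version.
# $1 = schematic ID, $2 = Talos version (e.g. v1.7.0), $3 = architecture.
installer_ref() { printf 'factory.talos.dev/installer/%s:%s\n' "$1" "$2"; }
iso_url()       { printf 'https://factory.talos.dev/image/%s/%s/metal-%s.iso\n' "$1" "$2" "$3"; }

# Register the schematic with the factory (needs network) and print the JSON
# answer, which carries the ID: {"id":"<sha256>"}. Call it yourself when ready.
register_schematic() {
    schematic_yaml "$@" | curl -sS -X POST --data-binary @- https://factory.talos.dev/schematics
}

# Demonstration with constructed values; nothing here touches the network.
EXTENSIONS="intel-ucode iscsi-tools util-linux-tools"
SCHEMATIC_ID="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder
TALOS_VERSION="v1.7.0"                                                            # placeholder

schematic_yaml $EXTENSIONS
installer_ref "$SCHEMATIC_ID" "$TALOS_VERSION"
iso_url "$SCHEMATIC_ID" "$TALOS_VERSION" amd64
```

Pin the installer reference in the machine config (machine.install.image) so that upgrades pull the same schematic; a bare ghcr.io/siderolabs/installer image would silently drop every extension on the next upgrade.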

Flashing Your Image

Assuming you have managed to boot your machine from the ISO, Talos will be running in maintenance mode. It runs entirely from RAM and will not install itself to any disk until it receives a machine configuration.

Finding Your Disks

While your machine is in maintenance mode, you can use the CLI to fetch details about it. You need the --insecure flag because the node has no configuration, and therefore no PKI, yet. Be aware of what that means: the maintenance API accepts unauthenticated requests, so anyone who can reach the node over the network can also push a machine configuration to it. Keep the node on a trusted network and apply its configuration promptly. (Newer Talos releases expose the same information via talosctl get disks.)
talosctl disks -n <your_node_ip> -e <your_node_ip> --insecure
Here is the output when Talos is already installed on one of the disks (the SYSTEM_DISK column marks it):
NODE        DEV            MODEL                      SERIAL             TYPE   UUID                                   WWID                                                                   MODALIAS   NAME   SIZE     BUS_PATH                                                   SUBSYSTEM          READ_ONLY   SYSTEM_DISK
10.69.0.2   /dev/nvme0n1   CT1000P3SSD8               2318E6D1E1A3       NVME   -                                      nvme.c0a9-323331384536443145314133-435431303030503353534438-00000001   -          -      1.0 TB   /pci0000:00/0000:00:1c.4/0000:58:00.0/nvme/nvme0/nvme0n1   /sys/class/block
10.69.0.2   /dev/nvme1n1   KINGSTON OM8PGP41024Q-A0   50026B7382F40A20   NVME   00000000-0000-0000-0026-b7382f40a205   eui.00000000000000000026b7382f40a205                                   -          -      1.0 TB   /pci0000:00/0000:00:06.0/0000:01:00.0/nvme/nvme1/nvme1n1   /sys/class/block               *
10.69.0.2   /dev/nvme2n1   CT1000P3SSD8               2318E6D1804E       NVME   -

Scouring Your Talos Filesystem

talosctl provides the read, list (alias ls) and copy commands for looking at and pulling information from the node’s filesystem. This is particularly helpful for finding the stable disk IDs of your drives (for example under /dev/disk/by-id) when setting up a storage engine like Longhorn or Rook-Ceph.
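Picking the disk is only useful if the install is then pinned to it. The script below is an added example, not code from the page or from Sidero Labs, that ties the two sections above together: it reads the serial number of a device out of `talosctl disks` output, builds a machine config patch that selects the install disk by that serial rather than by a /dev path (NVMe enumeration order can change between boots, a serial cannot), generates the configs, applies them to the node in maintenance mode, and finally lists /dev/disk/by-id over the now-authenticated API. NODE_IP, CP_IP, CLUSTER and INSTALL_IMAGE are placeholders; the disk table is constructed from the page’s own output with the trailing columns dropped. The talosctl calls only run when TALOS_RUN=1 is set.

```shell
#!/bin/sh
# Added example (not from the page or Sidero Labs): pin the Talos install to a
# specific disk by serial, generate machine configs, and apply them to a node
# that is still in maintenance mode.
# Assumptions, labelled: NODE_IP, CP_IP, CLUSTER and INSTALL_IMAGE are
# placeholders; DISKS_OUTPUT is constructed from the page's `talosctl disks`
# output with the trailing columns dropped.

DISKS_OUTPUT='NODE        DEV            MODEL                      SERIAL             TYPE   SIZE
10.69.0.2   /dev/nvme0n1   CT1000P3SSD8               2318E6D1E1A3       NVME   1.0 TB
10.69.0.2   /dev/nvme1n1   KINGSTON OM8PGP41024Q-A0   50026B7382F40A20   NVME   1.0 TB'

# Extract the SERIAL column for one device from `talosctl disks` output.
# Columns are fixed-width and MODEL may contain spaces, so cut on the header
# offsets instead of splitting on whitespace. $1 = device path, $2 = output.
serial_of_dev() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        NR == 1   { s = index($0, "SERIAL"); t = index($0, "TYPE"); next }
        $2 == dev { v = substr($0, s, t - s); sub(/^ +/, "", v); sub(/ +$/, "", v); print v; exit }'
}

# Strategic merge patch for the generated configs: install the factory image
# onto the disk with this serial. diskSelector is mutually exclusive with
# machine.install.disk, and unlike /dev/nvmeXn1 a serial survives re-enumeration.
# $1 = installer image reference, $2 = disk serial.
install_patch() {
    printf 'machine:\n  install:\n    image: %s\n    diskSelector:\n      serial: "%s"\n' "$1" "$2"
}

NODE_IP="${NODE_IP:-10.69.0.2}"   # node currently in maintenance mode (placeholder)
CP_IP="${CP_IP:-10.69.0.2}"       # first control-plane endpoint (placeholder)
CLUSTER="${CLUSTER:-homelab}"     # placeholder
INSTALL_IMAGE="${INSTALL_IMAGE:-factory.talos.dev/installer/<schematic-id>:v1.7.0}"  # placeholder

SERIAL="$(serial_of_dev /dev/nvme1n1 "$DISKS_OUTPUT")"
PATCH="$(install_patch "$INSTALL_IMAGE" "$SERIAL")"
printf '%s\n' "$PATCH"

# Everything below talks to the node or creates cluster secrets, so it only
# runs when explicitly requested.
if [ "${TALOS_RUN:-0}" = "1" ]; then
    # Unauthenticated query; acceptable only while the node is in maintenance mode.
    talosctl disks --insecure -n "$NODE_IP" -e "$NODE_IP"
    # Generate controlplane.yaml, worker.yaml and talosconfig. talosconfig holds
    # the admin client certificate: protect _out/ like a private key.
    mkdir -p _out
    printf '%s\n' "$PATCH" > _out/install-patch.yaml
    talosctl gen config "$CLUSTER" "https://$CP_IP:6443" --output-dir _out --config-patch @_out/install-patch.yaml
    # Last --insecure call: the node installs to the selected disk and reboots,
    # after which the API demands the client certificate from talosconfig.
    talosctl apply-config --insecure -n "$NODE_IP" --file _out/controlplane.yaml
    talosctl --talosconfig _out/talosconfig config endpoint "$CP_IP"
    talosctl --talosconfig _out/talosconfig config node "$NODE_IP"
    # Once the node is back: bootstrap etcd (exactly once per cluster), fetch a
    # kubeconfig, and read the stable disk IDs for the storage engine of choice.
    talosctl --talosconfig _out/talosconfig bootstrap
    talosctl --talosconfig _out/talosconfig kubeconfig .
    talosctl --talosconfig _out/talosconfig ls /dev/disk/by-id
fi
```

Apply worker.yaml to the remaining nodes the same way, each with its own serial patch; the bootstrap step is run only once, against a single control-plane node.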

Accessing The Node (through other means)

If you need to interact with the node directly (Talos ships no shell and no SSH), you can create a privileged pod and enter an interactive session with it using kubectl:
kubectl run toolbox --image=debian:latest --privileged=true -it
  • -i keeps stdin open on the container even when nothing is attached.
  • -t allocates a pseudo-terminal (TTY) for the container.
A privileged pod is root on the node, so treat it as such: delete it when you are done. Also expect the default Pod Security Admission policy in Talos, which enforces the baseline profile in every namespace except kube-system, to reject this pod unless you run it in kube-system or in a namespace you have explicitly exempted.
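The one-liner above lands on an arbitrary node and sees only the container’s own filesystem. The script below is an added example, not code from the page or from Sidero Labs, showing the form a practitioner usually wants instead: a throwaway pod pinned to one node, joined to the host PID and network namespaces, with the host root mounted read-only at /host so the Talos filesystem can be inspected with the container’s tools. NODE is a placeholder node name; the kube-system namespace reflects Talos’s default Pod Security Admission policy. The kubectl call only runs when TALOS_RUN=1 is set.

```shell
#!/bin/sh
# Added example (not from the page or Sidero Labs): a throwaway, node-pinned
# toolbox pod for inspecting a Talos node.
# Assumptions, labelled: NODE is a placeholder node name; kube-system is chosen
# because Talos's default Pod Security Admission policy enforces "baseline"
# everywhere else and would reject a privileged pod.

# Pod spec overrides for `kubectl run`, as single-line JSON. $1 = node name.
# hostPID/hostNetwork expose the host's processes and interfaces; the hostPath
# volume exposes the host root, mounted read-only so a slip cannot modify it.
toolbox_overrides() {
    printf '{"apiVersion":"v1","spec":{"nodeName":"%s","hostPID":true,"hostNetwork":true,"restartPolicy":"Never","volumes":[{"name":"host","hostPath":{"path":"/"}}],"containers":[{"name":"toolbox","image":"debian:latest","stdin":true,"tty":true,"command":["bash"],"securityContext":{"privileged":true},"volumeMounts":[{"name":"host","mountPath":"/host","readOnly":true}]}]}}' "$1"
}

# Start the pod and attach. --rm removes it on exit: a privileged pod is root
# on the node, so never leave one behind.
run_toolbox() {
    node="$1"
    kubectl run toolbox -n kube-system --rm -it --restart=Never \
        --image=debian:latest --overrides="$(toolbox_overrides "$node")"
}

# Inside the pod the host is visible under /host, but Talos has no shell of its
# own, so the debian image's binaries are what you work with:
#   ls -l /host/dev/disk/by-id      # stable disk IDs for Longhorn / Rook-Ceph
#   cat /host/etc/os-release        # confirms which Talos version is running
#   ps -ef                          # host processes, thanks to hostPID

toolbox_overrides "${NODE:-example-node}"   # show the generated spec
echo

if [ "${TALOS_RUN:-0}" = "1" ]; then
    run_toolbox "${NODE:?set NODE to the target node name}"
fi
```

Pods created this way show up in the API server audit log like any other privileged pod; if you are debugging on a shared cluster, that is the record a reviewer will ask for, so keep the pod name and namespace meaningful.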