This repository contains a GitHub Actions workflow that builds Talos boot assets, using forks of the SideroLabs repos (pkgs, extensions, talos). It outputs container images to ghcr.io that can be consumed by a custom Image Factory deployment to produce bootable ISOs or installer images to upgrade existing nodes.
Of note, the workflow builds a few custom extensions, and then appends them to the SideroLabs extensions manifest, such that both official SideroLabs extensions and the custom extensions are available.
The pkgs fork upgrades the kernel to the latest stable release and provides a custom configuration with the following general changes compared to the SideroLabs configuration:
- no xen support
- no hyperv support
- AMD support (SEV, IOMMU, etc)
- only Intel and Mellanox network drivers
- only basic EFI fb graphics drivers
- no legacy SATA/PATA/ATA support
- no legacy network protocols
- netkit (for cilium)
- INET diag w/ destroy (for cilium socket lb)
Support for NVIDIA GPU Operator:
- module unloading
- ACPI TAD, PROC AGG, PCI SLOT, HOTPLUG MEM, BGRT, APEI MEM FAIL, EXTLOG, CONFIGFS, PFRUT, FHH
- memory hotplug and hotremove
- memory failure
- zone and device private
- pci p2pdma
- virtio mem
The workflow builds the latest production NVIDIA open kernel kernel modules as part of the pkgs build (to use the ephemeral kernel module signing key). The workflow then builds a custom NVIDIA driver container to bundle the kernel modules with the userspace components. Driver containers are managed by the NVIDIA gpu-operator. This new custom extension also depends on a new glibc extension which has now been upstreamed.
My ZFS extension is largely similar to the upstream version, but it includes a new tool (zfs-service) that handles importing and unmounting all zfs pools following the Talos service lifecycle, and supports encrypted datasets by passing the -l flag to zpool-import (see zpool-import.8).
Image Factory is a service by SideroLabs that consumes Talos boot assets and produces bootable media and installer container images based on a schema that essentially specifies the extensions to include and kernel boot arguments. The official instance is at https://factory.talos.dev.
My fork includes small patches to pull the installer, imager, and extensions manifest container images from ghcr.io/jfroy/siderolabs instead of ghcr.io/siderolabs.
To deploy Image Factory, you basically only need a container runtime (e.g. Docker Engine, podman, containerd, etc) and an image registry (e.g. a distribution instance, a cloud registry) that Image Factory can push to and that your Talos nodes can pull from. You will also need to generate an image cache signing key (e.g. openssl ecparam -name prime256v1 -genkey -noout -out image-factory.pem)
If you are going to produce Secure Boot images, you will also need a set of keys (UKI signing key and cert, PCR cert). You may generate those yourself (see loader.conf.5 for an example), or use talosctl gen secureboot.
The command line arguments are somewhat long, but here's my deployment for example:
/image-factory \
-cache-repository localhost:5000/cache \
-cache-signing-key-path /keys/image-factory.pem \
-container-signature-issuer-regexp (https://token\\.actions\\.githubusercontent\\.com)|(https://accounts\\.google.com) \
-container-signature-subject-regexp (https://github.com/jfroy/talos-boot-assets/\\.github/workflows/assets\\.yaml@refs/heads/release-.+)|(.+@siderolabs\\.com) \
-external-url https://<redacted domain>/ \
-http-port :8080 \
-image-registry ghcr.io \
-installer-external-repository <redacted domain>/installer \
-installer-internal-repository localhost:5000/installer \
-min-talos-version 1.8.2 \
-schematic-service-repository localhost:5000/schematics \
-secureboot \
-secureboot-pcr-key-path /keys/pcr-signing-key.pem \
-secureboot-signing-cert-path /keys/uki-signing-cert.pem \
-secureboot-signing-key-path /keys/uki-signing-key.pem \
-talos-versions-recheck-interval 1hNote in particular the regular expressions for the container signature. The first group (of each regex) matches what you will get by using cosign inside a GitHub Action workflow to perform identity-based signing1. The second group matches the signatures produced by SideroLabs for their extensions.
The workflow uses AWS buildkit spot instance nodes (one for each architecture). The nodes are created on demand using Terraform when the workflow runs. The GitHub Actions worker and the AWS nodes are connected to a tailnet for secure connectivity.