feat: update etcd to 3.5.16
See https://github.com/etcd-io/etcd/releases/tag/v3.5.16

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit 5c6277d)
smira committed Sep 13, 2024
1 parent 51b91d6 commit 5eb5ff5
Showing 6 changed files with 234 additions and 30 deletions.
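--- a/go.mod
+++ b/go.mod
@@ -162,10 +162,10 @@ require (
 github.com/vishvananda/netlink v1.3.0
 github.com/vmware/vmw-guestinfo v0.0.0-20220317130741-510905f0efa3
 github.com/vultr/metadata v1.1.0
-go.etcd.io/etcd/api/v3 v3.5.15
-go.etcd.io/etcd/client/pkg/v3 v3.5.15
-go.etcd.io/etcd/client/v3 v3.5.15
-go.etcd.io/etcd/etcdutl/v3 v3.5.15
+go.etcd.io/etcd/api/v3 v3.5.16
+go.etcd.io/etcd/client/pkg/v3 v3.5.16
+go.etcd.io/etcd/client/v3 v3.5.16
+go.etcd.io/etcd/etcdutl/v3 v3.5.16
 go.uber.org/zap v1.27.0
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
 golang.org/x/net v0.29.0
@@ -329,10 +329,10 @@ require (
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
 github.com/xlab/treeprint v1.2.0 // indirect
 go.etcd.io/bbolt v1.3.11 // indirect
-go.etcd.io/etcd/client/v2 v2.305.15 // indirect
-go.etcd.io/etcd/pkg/v3 v3.5.15 // indirect
-go.etcd.io/etcd/raft/v3 v3.5.15 // indirect
-go.etcd.io/etcd/server/v3 v3.5.15 // indirect
+go.etcd.io/etcd/client/v2 v2.305.16 // indirect
+go.etcd.io/etcd/pkg/v3 v3.5.16 // indirect
+go.etcd.io/etcd/raft/v3 v3.5.16 // indirect
+go.etcd.io/etcd/server/v3 v3.5.16 // indirect
 go.opencensus.io v0.24.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect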
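--- a/go.sum
+++ b/go.sum
@@ -710,22 +710,22 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0=
 go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I=
-go.etcd.io/etcd/api/v3 v3.5.15 h1:3KpLJir1ZEBrYuV2v+Twaa/e2MdDCEZ/70H+lzEiwsk=
-go.etcd.io/etcd/api/v3 v3.5.15/go.mod h1:N9EhGzXq58WuMllgH9ZvnEr7SI9pS0k0+DHZezGp7jM=
-go.etcd.io/etcd/client/pkg/v3 v3.5.15 h1:fo0HpWz/KlHGMCC+YejpiCmyWDEuIpnTDzpJLB5fWlA=
-go.etcd.io/etcd/client/pkg/v3 v3.5.15/go.mod h1:mXDI4NAOwEiszrHCb0aqfAYNCrZP4e9hRca3d1YK8EU=
-go.etcd.io/etcd/client/v2 v2.305.15 h1:VG2xbf8Vz1KJh65Ar2V5eDmfkp1bpzkSEHlhJM3usp8=
-go.etcd.io/etcd/client/v2 v2.305.15/go.mod h1:Ad5dRjPVb/n5yXgAWQ/hXzuXXkBk0Y658ocuXYaUU48=
-go.etcd.io/etcd/client/v3 v3.5.15 h1:23M0eY4Fd/inNv1ZfU3AxrbbOdW79r9V9Rl62Nm6ip4=
-go.etcd.io/etcd/client/v3 v3.5.15/go.mod h1:CLSJxrYjvLtHsrPKsy7LmZEE+DK2ktfd2bN4RhBMwlU=
-go.etcd.io/etcd/etcdutl/v3 v3.5.15 h1:EBMtdngexC5s65NY4QKr7dCpXmzdfSVnnueJ4URg6vY=
-go.etcd.io/etcd/etcdutl/v3 v3.5.15/go.mod h1:4Kia4UPkWnD+qrUodawwd1ZcvteGTW97BpXI5zkSUS4=
-go.etcd.io/etcd/pkg/v3 v3.5.15 h1:/Iu6Sr3iYaAjy++8sIDoZW9/EfhcwLZwd4FOZX2mMOU=
-go.etcd.io/etcd/pkg/v3 v3.5.15/go.mod h1:e3Acf298sPFmTCGTrnGvkClEw9RYIyPtNzi1XM8rets=
-go.etcd.io/etcd/raft/v3 v3.5.15 h1:jOA2HJF7zb3wy8H/pL13e8geWqkEa/kUs0waUggZC0I=
-go.etcd.io/etcd/raft/v3 v3.5.15/go.mod h1:k3r7P4seEiUcgxOPLp+mloJWV3Q4QLPGNvy/OgC8OtM=
-go.etcd.io/etcd/server/v3 v3.5.15 h1:x35jrWnZgsRwMsFsUJIUdT1bvzIz1B+29HjMfRYVN/E=
-go.etcd.io/etcd/server/v3 v3.5.15/go.mod h1:l9jX9oa/iuArjqz0RNX/TDbc70dLXxRZo/nmPucrpFo=
+go.etcd.io/etcd/api/v3 v3.5.16 h1:WvmyJVbjWqK4R1E+B12RRHz3bRGy9XVfh++MgbN+6n0=
+go.etcd.io/etcd/api/v3 v3.5.16/go.mod h1:1P4SlIP/VwkDmGo3OlOD7faPeP8KDIFhqvciH5EfN28=
+go.etcd.io/etcd/client/pkg/v3 v3.5.16 h1:ZgY48uH6UvB+/7R9Yf4x574uCO3jIx0TRDyetSfId3Q=
+go.etcd.io/etcd/client/pkg/v3 v3.5.16/go.mod h1:V8acl8pcEK0Y2g19YlOV9m9ssUe6MgiDSobSoaBAM0E=
+go.etcd.io/etcd/client/v2 v2.305.16 h1:kQrn9o5czVNaukf2A2At43cE9ZtWauOtf9vRZuiKXow=
+go.etcd.io/etcd/client/v2 v2.305.16/go.mod h1:h9YxWCzcdvZENbfzBTFCnoNumr2ax3F19sKMqHFmXHE=
+go.etcd.io/etcd/client/v3 v3.5.16 h1:sSmVYOAHeC9doqi0gv7v86oY/BTld0SEFGaxsU9eRhE=
+go.etcd.io/etcd/client/v3 v3.5.16/go.mod h1:X+rExSGkyqxvu276cr2OwPLBaeqFu1cIl4vmRjAD/50=
+go.etcd.io/etcd/etcdutl/v3 v3.5.16 h1:E2CuxEdP8tteS7cn+6e6at93EYYN8X+Q5a16UXjkDeg=
+go.etcd.io/etcd/etcdutl/v3 v3.5.16/go.mod h1:X22QojXcHZNS3TPAitpcYW7rwTvnmchFwAKkSSz0Ncw=
+go.etcd.io/etcd/pkg/v3 v3.5.16 h1:cnavs5WSPWeK4TYwPYfmcr3Joz9BH+TZ6qoUtz6/+mc=
+go.etcd.io/etcd/pkg/v3 v3.5.16/go.mod h1:+lutCZHG5MBBFI/U4eYT5yL7sJfnexsoM20Y0t2uNuY=
+go.etcd.io/etcd/raft/v3 v3.5.16 h1:zBXA3ZUpYs1AwiLGPafYAKKl/CORn/uaxYDwlNwndAk=
+go.etcd.io/etcd/raft/v3 v3.5.16/go.mod h1:P4UP14AxofMJ/54boWilabqqWoW9eLodl6I5GdGzazI=
+go.etcd.io/etcd/server/v3 v3.5.16 h1:d0/SAdJ3vVsZvF8IFVb1k8zqMZ+heGcNfft71ul9GWE=
+go.etcd.io/etcd/server/v3 v3.5.16/go.mod h1:ynhyZZpdDp1Gq49jkUg5mfkDWZwXnn3eIqCqtJnrD/s=
 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 h1:A/5uWzF44DlIgdm/PQFwfMkW0JX+cIcQi/SwLAmZP5M=
 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=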
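--- a/hack/release.toml
+++ b/hack/release.toml
@@ -32,7 +32,7 @@ Kubernetes: 1.31.0
 Linux: 6.6.49
 containerd: 2.0.0-rc.4
 runc: 1.2.0-rc.3
-etcd: 3.5.15
+etcd: 3.5.16
 Flannel: 0.25.6
 Flannel CNI plugin: 1.5.1
 CoreDNS: 1.1.13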
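--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@@ -413,7 +413,7 @@ const (
 
 // DefaultEtcdVersion is the default target version of etcd.
 // renovate: datasource=github-releases depName=etcd-io/etcd
-DefaultEtcdVersion = "v3.5.15"
+DefaultEtcdVersion = "v3.5.16"
 
 // EtcdRootTalosKey is the root etcd key for Talos-specific storage.
 EtcdRootTalosKey = "talos:v1"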
206 changes: 205 additions & 1 deletion website/content/v1.8/introduction/what-is-new/index.md
@@ -6,4 +6,208 @@ description: "List of new and shiny features in Talos Linux."

See also [upgrade notes]({{< relref "../../talos-guides/upgrading-talos/">}}) for important changes.

TBD
## Important Changes

### Release Artifacts

Starting with Talos v1.8.0, only standard assets would be published as github release assets.
These include:

* `cloud-images.json`
* `talosctl` binaries
* `kernel`
* `initramfs`
* `metal` iso and disk images
* `talosctl-cni-bundle`

All other release assets can be downloaded from [Image Factory]({{< relref "../../talos-guides/install/boot-assets#image-factory" >}}).

### Serial Console for `metal` Platform

Starting from Talos 1.8, the `console=ttyS0` kernel argument is no longer included by default in the metal images and installer.
If you are running Talos virtualized in QEMU (e.g., Proxmox), you can add this as an extra kernel argument if needed.
You can refer to the [Image Factory or Imager documentation]({{< relref "../../talos-guides/install/boot-assets" >}}) for instructions on how to do this.
This change addresses issues such as slow boot or lack of console output on bare metal hardware without a serial console.

## Disk Management

The disk management backend has been rewritten to support more complex configurations, but the existing configuration should continue to work as before.

The detailed information about the new disk management subsystem can be found in the [disk management guide]({{< relref "../../talos-guides/configuration/disk-management" >}}).

### `EPHEMERAL` Volume

Talos Linux introduces support for configuring the `EPHEMERAL` volume (`/var`): location (disk), minimum and maximum size, etc.
You can find more information about the configuration in the [disk management guide]({{< relref "../../talos-guides/configuration/disk-management#machine-configuration" >}}).

### Upgrades

In Talos Linux installer, the system disk is never wiped during upgrades.
This means that the `--preserve` flag is now automatically set for `talosctl upgrade` command.

## Kubernetes

### Slim Kubelet Image

Starting from Kubernetes 1.31.0, the `kubelet` container image has been optimized to include fewer utilities.
This change was made as the in-tree CSI plugins were removed in Kubernetes 1.31.0.
The reduction in utilities results in a smaller image size and reduces the potential attack surface.

For Kubernetes versions prior to 1.31.0, two images will be built: the default "fat" image (`v1.x.y`) and a slim image (`v1.x.y-slim`).

For Kubernetes versions 1.31.0 and later, the default tag will point to the slim image, while the "fat" image will be tagged as `v1.x.y-fat`.

### Node Annotations

Talos Linux now supports configuring Kubernetes node annotations via machine configuration (`.machine.nodeAnnotations`) in a way similar to node labels.

### CNI Plugins

Talos Linux now bundles by default the following standard CNI plugins (required by default Flannel installation):

* `bridge`
* `firewall`
* `flannel`
* `host-local`
* `loopback`
* `portmap`

The Talos bundled Flannel manifest was simplified to remove the `install-cni` step.

> Note: Custom CNI plugins can be still copied over to the `/opt/cni/bin` directory using init containers as before.
### Default Node Labels

Talos Linux now includes a default label `node.kubernetes.io/exclude-from-external-load-balancers` for control plane nodes during configuration generation.

### `kube-proxy` Backend

Talos Linux configures kube-proxy >= v1.31.0 to use 'nftables' backend by default.

### Talos Extensions as Kubernetes Node Labels/Annotations

Talos Linux now includes the list of installed extensions as Kubernetes node labels or annotations.

The key format for the labels is `extensions.talos.dev/<name>`, and the value represents the version of the extension.
If the extension name is not a valid label key, it will be skipped.
If the extension version is a valid label value, it will be added as a label; otherwise, it will be added as an annotation.

For Talos machines booted from the Image Factory artifacts, the schematic ID will be published as the annotation `extensions.talos.dev/schematic` since it exceeds the maximum length of 63 characters for label keys.

### DNS Forwarding for CoreDNS pods

Use of the host DNS resolver as the upstream for Kubernetes CoreDNS pods is now enabled by default in new clusters.

To disable this feature, you can use the following configuration:

```yaml
machine:
features:
hostDNS:
enabled: true
forwardKubeDNSToHost: false
```
Please note that for running clusters, you will need to kill the CoreDNS pods for this change to take effect.
The IP address used for forwarding DNS queries has been changed to the fixed address `169.254.116.108`.
If you are upgrading from Talos 1.7 with `forwardKubeDNSToHost` enabled, you can clean up the old Kubernetes service by running `kubectl delete -n kube-system service host-dns`.

## Hardware Support

### PCI Devices

A list of PCI devices can now be obtained via `PCIDevices` resource, e.g. `talosctl get pcidevices`.

### NVIDIA GPU Support

Starting from Talos 1.8.0, SideroLabs will include extensions for both LTS and Production versions of NVIDIA extensions.

The NVIDIA drivers and the container toolkits now ships an LTS and Production version as per [NVIDIA driver lifecycle](https://docs.nvidia.com/datacenter/tesla/drivers/index.html#lifecycle).

The new extensions names are

* nvidia-container-toolkit-production
* nvidia-container-toolkit-lts
* nvidia-open-gpu-kernel-modules-production
* nvidia-open-gpu-kernel-modules-lts
* nonfree-kmod-nvidia-lts
* nonfree-kmod-nvidia-production

For Talos 1.8, the `-lts` variant follows `535.x` and the `-production` variant follows `550.x` upstream driver versions.

If you are upgrading and already have a schematic ID from the Image Factory, the LTS version of the NVIDIA extension will be retained.

### Device Extra Settle Timeout

Talos Linux now supports a kernel command line argument `talos.device.settle_time=3m` to set the device extra settle timeout to workaround issues with broken drivers.

## Security

### Workload Apparmor Profile

Talos Linux can now apply the default AppArmor profiles to all workloads started via `containerd`, if the machine is installed with the AppArmor LSM enabled in the kernel args (`security=apparmor`).

### Secure Boot

Talos Linux now can optionally include well-known UEFI (Microsoft) SecureBoot keys into the auto-enrollment UEFI database.

### Custom Trusted Roots

Talos Linux now supports adding [custom trusted roots]({{< relref "../../talos-guides/configuration/certificate-authorities" >}}) (CA certificates) via
a [`TrustedRootsConfig`]({{< relref "../../reference/configuration/security/trustedrootsconfig" >}}) configuration document.

## Networking

### Bridge

Talos Linux now support configuring [`vlan_filtering`]({{< relref "../../reference/configuration/v1alpha1/config#Config.machine.network.interfaces..bridge.vlan" >}}) for bridge interfaces.

### KubeSpan

Extra announced endpoints can be added using the [`KubespanEndpointsConfig` document]({{< relref "../../talos-guides/network/kubespan#configuration" >}}).

## Machine Configuration

### Machine Configuration via Kernel Command Line

Talos Linux supports supplying zstd-compressed, base64-encoded machine configuration small documents via the [kernel command line parameter]({{< relref "../../reference/kernel" >}}) `talos.config.inline`.

### Strategic Merge Patches with `$patch: delete`

Talos Linux now supports removing parts of the machine configuration by [patching]({{< relref "../../talos-guides/configuration/patching#strategic-merge-patches" >}}) using the `$patch: delete` syntax similar to the Kubernetes strategic merge patch.

## Miscellaneous

### Diagnostics

Talos Linux now shows diagnostics information for common problems related to misconfiguration via `talosctl health` and Talos dashboard.

### `talos.halt_if_installed` kernel argument

Starting with Talos 1.8, ISO's generated from Boot Assets would have a new kernel argument `talos.halt_if_installed` which would pause the boot sequence until boot timeout if Talos is already installed on the disk.
ISOs generated for pre 1.8 versions would not have this kernel argument.

This can be also explicitly enabled by setting `talos.halt_if_installed=1` in kernel argument.

### Platform Support

Talos Linux now supports [Apache CloudStack platform]({{< relref "../../talos-guides/install/cloud-platforms/cloudstack" >}}).

### ZSTD Compression

Talos Linux now compresses kernel and initramfs using `zstd` (previously `xz` was used).
Linux arm64 kernel is now compressed (previously it was uncompressed).

## Component Updates

* Kubernetes: 1.31.1
* Linux: 6.6.49
* containerd: 2.0.0-rc.4
* runc: 1.2.0-rc.3
* etcd: 3.5.16
* Flannel: 0.25.6
* Flannel CNI plugin: 1.5.1
* CoreDNS: 1.1.13

Talos is built with Go 1.22.7.
@@ -2987,7 +2987,7 @@ discovery:
{{< /highlight >}}</details> | |
|`etcd` |<a href="#Config.cluster.etcd">EtcdConfig</a> |Etcd specific configuration options. <details><summary>Show example(s)</summary>{{< highlight yaml >}}
etcd:
image: gcr.io/etcd-development/etcd:v3.5.15 # The container image used to create the etcd service.
image: gcr.io/etcd-development/etcd:v3.5.16 # The container image used to create the etcd service.
# The `ca` is the root certificate authority of the PKI.
ca:
crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
@@ -3673,7 +3673,7 @@ EtcdConfig represents the etcd configuration options.
{{< highlight yaml >}}
cluster:
etcd:
image: gcr.io/etcd-development/etcd:v3.5.15 # The container image used to create the etcd service.
image: gcr.io/etcd-development/etcd:v3.5.16 # The container image used to create the etcd service.
# The `ca` is the root certificate authority of the PKI.
ca:
crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
@@ -3691,7 +3691,7 @@ cluster:
| Field | Type | Description | Value(s) |
|-------|------|-------------|----------|
|`image` |string |The container image used to create the etcd service. <details><summary>Show example(s)</summary>{{< highlight yaml >}}
image: gcr.io/etcd-development/etcd:v3.5.15
image: gcr.io/etcd-development/etcd:v3.5.16
{{< /highlight >}}</details> | |
|`ca` |PEMEncodedCertificateAndKey |<details><summary>The `ca` is the root certificate authority of the PKI.</summary>It is composed of a base64 encoded `crt` and `key`.</details> <details><summary>Show example(s)</summary>{{< highlight yaml >}}
ca:
