feat: add UnattendedInstall config and controller

Replace the deprecated v1alpha1 `.machine.install` section with a new
`UnattendedInstall` multi-document config kind, driven by a dedicated
`UnattendedInstallController` (single-flight, no reboot) that exposes an
`UnattendedInstallStatus` resource.

- Deprecate `.machine.install`; no longer required in validation.
- Gate behind version contract (>= 1.14); `talosctl gen config` and
  `cluster create` emit `UnattendedInstall` by default for new contracts,
  translating `--install-disk` into a CEL disk selector.
- Source `legacyBIOSSupport`/`grubUseUKICmdline` from the new document in
  the installer, falling back to `.machine.install`.
- Skip the legacy install sequence (and its reboot) when the document is
  present; install is reconciled out-of-band.

Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>

Author: shanduur

api/resource/definitions/runtime/runtime.proto

@@ -216,6 +216,13 @@ message ServicePIDSpec {
   string mount_namespace = 2;
 }
 
+// UnattendedInstallStatusSpec describes the unattended install status.
+message UnattendedInstallStatusSpec {
+  string image = 2;
+  string phase = 4;
+  string error = 5;
+}
+
 // UniqueMachineTokenSpec is the spec for the machine unique token. Token can be empty if machine wasn't assigned any.
 message UniqueMachineTokenSpec {
   string token = 1;

cmd/installer/cmd/installer/install.go

@@ -73,14 +73,30 @@ func runInstallCmd(ctx context.Context) (err error) {
 			}
 		}
 
-		if config.Machine() != nil && config.Machine().Install().LegacyBIOSSupport() {
-			options.LegacyBIOSSupport = true
-		}
+		// defaults from the deprecated .machine.install section (if present).
+		legacyBIOSSupport := config.Machine() != nil && config.Machine().Install().LegacyBIOSSupport()
 
 		// if we don't have v1alpha1 config (we are in maintenance mode),
 		// or if we have v1alpha1 config, and GrubUseUKICmdline is set to true,
 		// then we should set the option to true
-		if config.Machine() == nil || config.Machine().Install().GrubUseUKICmdline() {
+		grubUseUKICmdline := config.Machine() == nil || config.Machine().Install().GrubUseUKICmdline()
+
+		// the UnattendedInstall document takes precedence over the deprecated .machine.install section.
+		if unattended := config.UnattendedInstallConfig(); unattended != nil {
+			if v := unattended.InstallLegacyBIOSSupport(); v != nil {
+				legacyBIOSSupport = *v
+			}
+
+			if v := unattended.InstallGrubUseUKICmdline(); v != nil {
+				grubUseUKICmdline = *v
+			}
+		}
+
+		if legacyBIOSSupport {
+			options.LegacyBIOSSupport = true
+		}
+
+		if grubUseUKICmdline {
 			options.GrubUseUKICmdline = true
 		}
 	}

hack/release.toml

@@ -270,6 +270,20 @@ Volume encryption now supports an `allowDiscards` option (disabled by default) w
 through to the underlying device when the encrypted volume is opened.
 
 This only enables passing discards through to the underlying device; Talos does not perform any fstrim/discard operation by itself.
+"""
+
+    [notes.unattended_install]
+        title = "Unattended Install Configuration"
+        description = """\
+Talos introduces a new `UnattendedInstall` multi-document config kind which replaces the deprecated `.machine.install`
+section of the v1alpha1 config. The document carries the installer `image` and a `provisioning` section with a CEL
+`volumeSelector` to match the install disk, plus `wipe`, `legacyBIOSSupport`, and `grubUseUKICmdline` options.
+
+When the `UnattendedInstall` document is present, the install is driven by the new `UnattendedInstallController`
+(exposing an `UnattendedInstallStatus` resource) instead of the legacy install sequence.
+
+`talosctl gen config` and `talosctl cluster create` now generate the `UnattendedInstall` document by default.
+The `.machine.install` field remains supported for backwards compatibility and is still used for older version contracts.
 """
 
 [make_deps]

internal/app/machined/pkg/controllers/runtime/unattended_install.go

@@ -0,0 +1,268 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package runtime
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+	"sync"
+
+	"github.com/cosi-project/runtime/pkg/controller"
+	"github.com/cosi-project/runtime/pkg/safe"
+	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/siderolabs/gen/optional"
+	"go.uber.org/zap"
+
+	v1alpha1runtime "github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
+	"github.com/siderolabs/talos/internal/pkg/install"
+	"github.com/siderolabs/talos/pkg/images"
+	talosconfig "github.com/siderolabs/talos/pkg/machinery/config/config"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/block/blockhelpers"
+	"github.com/siderolabs/talos/pkg/machinery/resources/block"
+	"github.com/siderolabs/talos/pkg/machinery/resources/config"
+	crires "github.com/siderolabs/talos/pkg/machinery/resources/cri"
+	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
+)
+
+// UnattendedInstallController performs an unattended install driven by the UnattendedInstall config document.
+//
+// It mirrors the legacy `.machine.install` install behavior, but is driven entirely by the multi-document
+// config. It does NOT reboot the node after a successful install; reboot is handled separately.
+type UnattendedInstallController struct {
+	V1Alpha1Mode v1alpha1runtime.Mode
+
+	// State is the resource state used to match the install disk.
+	State state.State
+
+	// InstalledFunc reports whether the node is already installed to disk.
+	InstalledFunc func() bool
+
+	// InstallFunc performs the actual install of the given image to the given disk.
+	//
+	// It is a field to allow the install side-effect to be stubbed in tests.
+	InstallFunc func(ctx context.Context, disk, image string, wipe bool) error
+
+	// installMu provides single-flight semantics for the install: only one install may run at a time.
+	installMu sync.Mutex
+	// installDone records, in-memory, that the installer has already run this boot, so it is never run
+	// twice even if the status resource read lags behind a just-written value.
+	installDone bool
+}
+
+// NewUnattendedInstallController creates an UnattendedInstallController wired to the runtime, with the
+// default install behavior (run the installer container, waiting for the image cache around it).
+func NewUnattendedInstallController(rt v1alpha1runtime.Runtime) *UnattendedInstallController {
+	resources := rt.State().V1Alpha2().Resources()
+
+	return &UnattendedInstallController{
+		V1Alpha1Mode:  rt.State().Platform().Mode(),
+		State:         resources,
+		InstalledFunc: rt.State().Machine().Installed,
+		InstallFunc: func(ctx context.Context, disk, image string, wipe bool) error {
+			if err := crires.WaitForImageCache(ctx, resources); err != nil {
+				return fmt.Errorf("failed to wait for the image cache: %w", err)
+			}
+
+			if err := install.RunInstallerContainer(
+				disk,
+				rt.State().Platform().Name(),
+				image,
+				rt.Config(),
+				rt.ConfigContainer(),
+				resources,
+				crires.RegistryBuilder(resources),
+				install.WithForce(true),
+				install.WithZero(wipe),
+			); err != nil {
+				return err
+			}
+
+			return crires.WaitForImageCacheCopy(ctx, resources)
+		},
+	}
+}
+
+// Name implements controller.Controller interface.
+func (ctrl *UnattendedInstallController) Name() string {
+	return "runtime.UnattendedInstallController"
+}
+
+// Inputs implements controller.Controller interface.
+func (ctrl *UnattendedInstallController) Inputs() []controller.Input {
+	return []controller.Input{
+		{
+			Namespace: config.NamespaceName,
+			Type:      config.MachineConfigType,
+			ID:        optional.Some(config.ActiveID),
+			Kind:      controller.InputWeak,
+		},
+		{
+			Namespace: block.NamespaceName,
+			Type:      block.DiskType,
+			Kind:      controller.InputWeak,
+		},
+	}
+}
+
+// Outputs implements controller.Controller interface.
+func (ctrl *UnattendedInstallController) Outputs() []controller.Output {
+	return []controller.Output{
+		{
+			Type: runtime.UnattendedInstallStatusType,
+			Kind: controller.OutputExclusive,
+		},
+	}
+}
+
+// Run implements controller.Controller interface.
+func (ctrl *UnattendedInstallController) Run(ctx context.Context, r controller.Runtime, logger *zap.Logger) error {
+	for {
+		select {
+		case <-ctx.Done():
+			return nil
+		case <-r.EventCh():
+		}
+
+		// no on-disk install in container mode.
+		if ctrl.V1Alpha1Mode == v1alpha1runtime.ModeContainer {
+			continue
+		}
+
+		cfg, err := safe.ReaderGetByID[*config.MachineConfig](ctx, r, config.ActiveID)
+		if err != nil && !state.IsNotFoundError(err) {
+			return fmt.Errorf("error getting machine config: %w", err)
+		}
+
+		var doc talosconfig.UnattendedInstallConfig
+
+		if cfg != nil {
+			doc = cfg.Config().UnattendedInstallConfig()
+		}
+
+		r.StartTrackingOutputs()
+
+		if doc != nil {
+			if err = ctrl.reconcile(ctx, r, logger, doc); err != nil {
+				return err
+			}
+		}
+
+		if err = safe.CleanupOutputs[*runtime.UnattendedInstallStatus](ctx, r); err != nil {
+			return err
+		}
+	}
+}
+
+//nolint:gocyclo
+func (ctrl *UnattendedInstallController) reconcile(
+	ctx context.Context,
+	r controller.Runtime,
+	logger *zap.Logger,
+	doc talosconfig.UnattendedInstallConfig,
+) error {
+	// Once we have recorded a completed install for this boot, the install target is fixed.
+	// A new disk later matching the selector must not flip the reported disk or trigger a reinstall.
+	if existing, err := safe.ReaderGetByID[*runtime.UnattendedInstallStatus](ctx, r, runtime.UnattendedInstallStatusID); err != nil {
+		if !state.IsNotFoundError(err) {
+			return fmt.Errorf("error getting unattended install status: %w", err)
+		}
+	} else if existing.TypedSpec().Phase == runtime.UnattendedInstallPhaseInstalled {
+		// re-affirm the status (so CleanupOutputs retains it): the install target is fixed and a new
+		// disk later matching the selector must not trigger a reinstall.
+		return ctrl.setStatus(ctx, r, doc, runtime.UnattendedInstallPhaseInstalled, nil)
+	}
+
+	// resolve the target disk from the CEL selector against the discovered disks.
+	// the selector still matches after the install, so the disk is re-resolved and reported in the
+	// status after a reboot (the status resource is in-memory and gone after reboot).
+	matchExpr := doc.VolumeSelector()
+
+	matchedDisks, err := blockhelpers.MatchDisks(ctx, ctrl.State, &matchExpr)
+	if err != nil {
+		return fmt.Errorf("failed to match install disk: %w", err)
+	}
+
+	var disk string
+
+	if len(matchedDisks) > 0 {
+		if len(matchedDisks) > 1 {
+			logger.Warn("multiple disks matched the install selector, using the first one",
+				zap.Int("matched", len(matchedDisks)),
+				zap.String("disk", matchedDisks[0].TypedSpec().DevPath),
+			)
+		}
+
+		if disk, err = filepath.EvalSymlinks(matchedDisks[0].TypedSpec().DevPath); err != nil {
+			return fmt.Errorf("failed to resolve disk symlink: %w", err)
+		}
+	}
+
+	if ctrl.InstalledFunc() {
+		return ctrl.setStatus(ctx, r, doc, runtime.UnattendedInstallPhaseInstalled, nil)
+	}
+
+	if len(matchedDisks) == 0 {
+		// disks may not have been discovered yet; record and wait for the next event.
+		return ctrl.setStatus(ctx, r, doc, runtime.UnattendedInstallPhasePending, fmt.Errorf("no disk matched the selector"))
+	}
+
+	// single-flight: only one install may run at a time.
+	if !ctrl.installMu.TryLock() {
+		// an install is already in progress; keep the status and wait for it to complete.
+		return ctrl.setStatus(ctx, r, doc, runtime.UnattendedInstallPhaseInstalling, nil)
+	}
+	defer ctrl.installMu.Unlock()
+
+	// the installer already ran this boot: don't run it again, just keep the status as installed.
+	if ctrl.installDone {
+		return ctrl.setStatus(ctx, r, doc, runtime.UnattendedInstallPhaseInstalled, nil)
+	}
+
+	installerImage := doc.InstallerImage()
+	if installerImage == "" {
+		installerImage = images.InstallerImage("metal")
+	}
+
+	if err = ctrl.setStatus(ctx, r, doc, runtime.UnattendedInstallPhaseInstalling, nil); err != nil {
+		return err
+	}
+
+	logger.Info("installing Talos", zap.String("disk", disk), zap.String("image", installerImage))
+
+	if err = ctrl.InstallFunc(ctx, disk, installerImage, doc.VolumeWipe()); err != nil {
+		// record the failure; returning the error restarts the controller and retries with backoff.
+		_ = ctrl.setStatus(ctx, r, doc, runtime.UnattendedInstallPhaseFailed, err) //nolint:errcheck
+
+		return fmt.Errorf("failed to run installer: %w", err)
+	}
+
+	ctrl.installDone = true
+
+	logger.Info("install successful")
+
+	return ctrl.setStatus(ctx, r, doc, runtime.UnattendedInstallPhaseInstalled, nil)
+}
+
+func (ctrl *UnattendedInstallController) setStatus(
+	ctx context.Context,
+	r controller.Runtime,
+	doc talosconfig.UnattendedInstallConfig,
+	phase string,
+	statusErr error,
+) error {
+	return safe.WriterModify(ctx, r, runtime.NewUnattendedInstallStatus(), func(status *runtime.UnattendedInstallStatus) error {
+		status.TypedSpec().Image = doc.InstallerImage()
+		status.TypedSpec().Phase = phase
+
+		if statusErr != nil {
+			status.TypedSpec().Error = statusErr.Error()
+		} else {
+			status.TypedSpec().Error = ""
+		}
+
+		return nil
+	})
+}