siderolabs
diff --git a/‎Dockerfile‎
Lines changed: 6 additions & 6 deletions b/‎Dockerfile‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎internal/app/machined/pkg/controllers/block/internal/volumes/volumeconfig/system_volumes.go‎
Lines changed: 1 addition & 0 deletions b/‎internal/app/machined/pkg/controllers/block/internal/volumes/volumeconfig/system_volumes.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎internal/app/machined/pkg/controllers/block/internal/volumes/volumeconfig/system_volumes_test.go‎
Lines changed: 0 additions & 1 deletion b/‎internal/app/machined/pkg/controllers/block/internal/volumes/volumeconfig/system_volumes_test.go‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎internal/app/machined/pkg/controllers/files/cri_registry_config.go‎
Lines changed: 2 additions & 19 deletions b/‎internal/app/machined/pkg/controllers/files/cri_registry_config.go‎
Lines changed: 2 additions & 19 deletions
diff --git a/‎internal/app/machined/pkg/controllers/files/etcfile.go‎
Lines changed: 11 additions & 119 deletions b/‎internal/app/machined/pkg/controllers/files/etcfile.go‎
Lines changed: 11 additions & 119 deletions
diff --git a/‎internal/app/machined/pkg/controllers/files/etcfile_test.go‎
Lines changed: 2 additions & 13 deletions b/‎internal/app/machined/pkg/controllers/files/etcfile_test.go‎
Lines changed: 2 additions & 13 deletions
@@ -789,8 +789,8 @@ END
 # symlinks to avoid accidentally cleaning them up.
 RUN --mount=type=bind,source=hack/cleanup.sh,target=/usr/bin/cleanup.sh <<END
     cleanup.sh /rootfs
-    mkdir -pv /rootfs/{boot/EFI,etc/{iscsi,nvme,cri/conf.d/hosts},usr/lib/firmware,usr/etc,usr/local/share,usr/share/zoneinfo/Etc,mnt,system,opt,.extra}
-    mkdir -pv /rootfs/{etc/kubernetes/manifests,etc/cni/net.d,etc/ssl/certs,usr/libexec/kubernetes,/usr/local/lib/kubelet/credentialproviders,etc/selinux/targeted/contexts/files}
+    mkdir -pv /rootfs/{boot/EFI,usr/lib/firmware,usr/etc,usr/local/share,usr/share/zoneinfo/Etc,mnt,system,opt,.extra}
+    mkdir -pv /rootfs/{etc/ssl/certs,usr/libexec/kubernetes,/usr/local/lib/kubelet/credentialproviders}
     mkdir -pv /rootfs/opt/{containerd/bin,containerd/lib}
     # Go standard library is shipped with Talos, thus it must be tracked in SBOM
     install -D /usr/share/spdx/golang.spdx.json /rootfs/usr/share/spdx/golang.spdx.json
@@ -806,7 +806,7 @@ COPY --chmod=0644 hack/lvm.conf /rootfs/etc/lvm/lvm.conf
 COPY --link --chmod=0644 --from=base /src/pkg/machinery/version/os-release /rootfs/etc/os-release
 RUN <<END
     ln -s /usr/share/zoneinfo/Etc/UTC /rootfs/etc/localtime
-    touch /rootfs/etc/{extensions.yaml,resolv.conf,hosts,machine-id,cri/conf.d/cri.toml,cri/conf.d/01-registries.part,cri/conf.d/20-customization.part,cri/conf.d/base-spec.json,ssl/certs/ca-certificates.crt,selinux/targeted/contexts/files/file_contexts,iscsi/initiatorname.iscsi,nvme/{hostid,hostnqn}}
+    touch /rootfs/etc/extensions.yaml
     ln -s ca-certificates.crt /rootfs/etc/ssl/certs/ca-certificates
     ln -s /etc/ssl /rootfs/etc/pki
     ln -s /etc/ssl /rootfs/usr/share/ca-certificates
@@ -878,8 +878,8 @@ END
 # symlinks to avoid accidentally cleaning them up.
 RUN --mount=type=bind,source=hack/cleanup.sh,target=/usr/bin/cleanup.sh <<END
     cleanup.sh /rootfs
-    mkdir -pv /rootfs/{boot/EFI,etc/{iscsi,nvme,cri/conf.d/hosts},usr/lib/firmware,usr/etc,usr/local/share,usr/share/zoneinfo/Etc,mnt,system,opt,.extra}
-    mkdir -pv /rootfs/{etc/kubernetes/manifests,etc/cni/net.d,etc/ssl/certs,usr/libexec/kubernetes,/usr/local/lib/kubelet/credentialproviders,etc/selinux/targeted/contexts/files}
+    mkdir -pv /rootfs/{boot/EFI,usr/lib/firmware,usr/etc,usr/local/share,usr/share/zoneinfo/Etc,mnt,system,opt,.extra}
+    mkdir -pv /rootfs/{etc/ssl/certs,usr/libexec/kubernetes,/usr/local/lib/kubelet/credentialproviders}
     mkdir -pv /rootfs/opt/{containerd/bin,containerd/lib}
     # Go standard library is shipped with Talos, thus it must be tracked in SBOM
     install -D /usr/share/spdx/golang.spdx.json /rootfs/usr/share/spdx/golang.spdx.json
@@ -895,7 +895,7 @@ COPY --chmod=0644 hack/lvm.conf /rootfs/etc/lvm/lvm.conf
 COPY --link --chmod=0644 --from=base /src/pkg/machinery/version/os-release /rootfs/etc/os-release
 RUN <<END
     ln -s /usr/share/zoneinfo/Etc/UTC /rootfs/etc/localtime
-    touch /rootfs/etc/{extensions.yaml,resolv.conf,hosts,machine-id,cri/conf.d/cri.toml,cri/conf.d/01-registries.part,cri/conf.d/20-customization.part,cri/conf.d/base-spec.json,ssl/certs/ca-certificates.crt,selinux/targeted/contexts/files/file_contexts,iscsi/initiatorname.iscsi,nvme/{hostid,hostnqn}}
+    touch /rootfs/etc/extensions.yaml
     ln -s ca-certificates.crt /rootfs/etc/ssl/certs/ca-certificates
     ln -s /etc/ssl /rootfs/etc/pki
     ln -s /etc/ssl /rootfs/usr/share/ca-certificates
 
@@ -174,6 +174,7 @@ func GetOverlayVolumesTransformer(inContainer bool) func(configconfig.Config) ([
 		}
 
 		var resources []VolumeResource
+
 		for _, overlay := range constants.Overlays {
 			resources = append(resources, VolumeResource{
 				VolumeID: overlay.Path,
 
@@ -63,7 +63,6 @@ func TestGetSystemVolumeTransformers(t *testing.T) {
 		constants.EphemeralPartitionLabel,
 		"/var/run",
 		"/var/log",
-		"/etc/cni",
 	} {
 		assert.Condition(t, func() bool {
 			for _, r := range allResources {
 
@@ -27,12 +27,11 @@ import (
 
 // CRIRegistryConfigController generates parts of the CRI config for registry configuration.
 type CRIRegistryConfigController struct {
-	// Path to /etc directory, read-only filesystem.
+	// Path to /etc directory; the host path that containerd reads. Files written to
+	// EtcRoot surface here read-only through the composed /etc overlay (see setupEtcOverlay).
 	EtcPath string
 	// EtcRoot is the root for /etc filesystem operations.
 	EtcRoot xfs.Root
-
-	bindMountCreated bool
 }
 
 // Name implements controller.Controller interface.
@@ -69,22 +68,6 @@ func (ctrl *CRIRegistryConfigController) Run(ctx context.Context, r controller.R
 	src := filepath.Join(constants.CRIConfdPath, "hosts")
 	dest := filepath.Join(ctrl.EtcPath, src)
 
-	if !ctrl.bindMountCreated {
-		if ctrl.EtcRoot.FSType() == "os" {
-			shadowPath := filepath.Join(ctrl.EtcRoot.Source(), src)
-
-			if err := createBindMountDir(shadowPath, dest); err != nil {
-				return fmt.Errorf("bind mount failed for %q -> %q: %w", shadowPath, dest, err)
-			}
-		} else {
-			if err := createBindMountDirFd(ctrl.EtcRoot, src, dest); err != nil {
-				return fmt.Errorf("bind mount failed for %q: %w", dest, err)
-			}
-		}
-
-		ctrl.bindMountCreated = true
-	}
-
 	for {
 		select {
 		case <-ctx.Done():
 
@@ -16,23 +16,18 @@ import (
 	"github.com/cosi-project/runtime/pkg/resource"
 	"github.com/cosi-project/runtime/pkg/safe"
 	"go.uber.org/zap"
-	"golang.org/x/sys/unix"
 
-	"github.com/siderolabs/talos/internal/pkg/mount/v3"
 	"github.com/siderolabs/talos/internal/pkg/selinux"
 	"github.com/siderolabs/talos/pkg/machinery/resources/files"
 	"github.com/siderolabs/talos/pkg/xfs"
 )
 
 // EtcFileController watches EtcFileSpecs, creates/updates files.
 type EtcFileController struct {
-	// Path to /etc directory, read-only filesystem.
-	EtcPath string
-	// EtcRoot is the root for /etc filesystem operations.
+	// EtcRoot is the root for /etc filesystem operations. Files written here surface
+	// read-only at /etc through the composed /etc overlay (see setupEtcOverlay), so no
+	// per-file bind mounts are needed.
 	EtcRoot xfs.Root
-
-	// Cache of bind mounts created.
-	bindMounts map[string]any
 }
 
 // Name implements controller.Controller interface.
@@ -63,12 +58,8 @@ func (ctrl *EtcFileController) Outputs() []controller.Output {
 
 // Run implements controller.Controller interface.
 //
-//nolint:gocyclo,cyclop
+//nolint:gocyclo
 func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, logger *zap.Logger) error {
-	if ctrl.bindMounts == nil {
-		ctrl.bindMounts = make(map[string]any)
-	}
-
 	for {
 		select {
 		case <-ctx.Done():
@@ -96,56 +87,24 @@ func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, lo
 
 		for spec := range list.All() {
 			filename := spec.Metadata().ID()
-			_, mountExists := ctrl.bindMounts[filename]
-
-			dst := filepath.Join(ctrl.EtcPath, filename)
-			src := filename
 
 			switch spec.Metadata().Phase() {
 			case resource.PhaseTearingDown:
-				if mountExists {
-					logger.Debug("removing bind mount", zap.String("src", src), zap.String("dst", dst))
-
-					if err = unix.Unmount(dst, 0); err != nil && !errors.Is(err, os.ErrNotExist) {
-						return fmt.Errorf("failed to unmount bind mount %q: %w", dst, err)
-					}
+				logger.Debug("removing file", zap.String("name", filename))
 
-					delete(ctrl.bindMounts, filename)
+				if err = xfs.Remove(ctrl.EtcRoot, filename); err != nil && !errors.Is(err, os.ErrNotExist) {
+					return fmt.Errorf("failed to remove %q: %w", filename, err)
 				}
 
-				logger.Debug("removing file", zap.String("src", src))
-
-				if err = xfs.Remove(ctrl.EtcRoot, src); err != nil && !errors.Is(err, os.ErrNotExist) {
-					return fmt.Errorf("failed to remove %q: %w", src, err)
-				}
-
-				// now remove finalizer as the link was deleted
+				// now remove finalizer as the file was deleted
 				if err = r.RemoveFinalizer(ctx, spec.Metadata(), ctrl.Name()); err != nil {
 					return fmt.Errorf("error removing finalizer: %w", err)
 				}
 			case resource.PhaseRunning:
-				if !mountExists {
-					logger.Debug("creating bind mount", zap.String("src", src), zap.String("dst", dst))
-
-					if ctrl.EtcRoot.FSType() == "os" {
-						shadow := filepath.Join(ctrl.EtcRoot.Source(), src)
+				logger.Debug("writing file contents", zap.String("name", filename), zap.Stringer("version", spec.Metadata().Version()))
 
-						if err = createBindMountFile(shadow, dst, spec.TypedSpec().Mode); err != nil {
-							return fmt.Errorf("failed to create shadow bind mount %q -> %q (mode: os): %w", shadow, dst, err)
-						}
-					} else {
-						if err = createBindMountFileFd(ctrl.EtcRoot, src, dst, spec.TypedSpec().Mode); err != nil {
-							return fmt.Errorf("failed to create shadow bind mount %q -> %q (mode: fd): %w", src, dst, err)
-						}
-					}
-
-					ctrl.bindMounts[filename] = struct{}{}
-				}
-
-				logger.Debug("writing file contents", zap.String("src", src), zap.Stringer("version", spec.Metadata().Version()))
-
-				if err = UpdateFile(ctrl.EtcRoot, src, spec.TypedSpec().Contents, spec.TypedSpec().Mode, spec.TypedSpec().SelinuxLabel); err != nil {
-					return fmt.Errorf("error updating %q: %w", src, err)
+				if err = UpdateFile(ctrl.EtcRoot, filename, spec.TypedSpec().Contents, spec.TypedSpec().Mode, spec.TypedSpec().SelinuxLabel); err != nil {
+					return fmt.Errorf("error updating %q: %w", filename, err)
 				}
 
 				if err = safe.WriterModify(ctx, r, files.NewEtcFileStatus(files.NamespaceName, filename), func(r *files.EtcFileStatus) error {
@@ -178,73 +137,6 @@ func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, lo
 	}
 }
 
-// createBindMountFile creates a common way to create a writable source file with a
-// bind mounted destination. This is most commonly used for well known files
-// under /etc that need to be adjusted during startup.
-func createBindMountFile(src, dst string, mode os.FileMode) (err error) {
-	if err = os.MkdirAll(filepath.Dir(src), 0o755); err != nil {
-		return fmt.Errorf("mkdir all failed: %w", err)
-	}
-
-	var f *os.File
-
-	if f, err = os.OpenFile(src, os.O_WRONLY|os.O_CREATE, mode); err != nil {
-		return fmt.Errorf("open file failed: %w", err)
-	}
-
-	if err = f.Close(); err != nil {
-		return fmt.Errorf("close file failed: %w", err)
-	}
-
-	return mount.BindReadonly(src, dst)
-}
-
-// createBindMountDir creates a common way to create a writable source dir with a
-// bind mounted destination. This is most commonly used for well known directories
-// under /etc that need to be adjusted during startup.
-func createBindMountDir(src, dst string) (err error) {
-	if err = os.MkdirAll(src, 0o755); err != nil {
-		return err
-	}
-
-	return mount.BindReadonly(src, dst)
-}
-
-// createBindMountFileFd creates a common way to create a writable source file with a
-// bind mounted destination. This is most commonly used for well known files
-// under /etc that need to be adjusted during startup.
-func createBindMountFileFd(root xfs.Root, src, dst string, mode os.FileMode) (err error) {
-	if err = xfs.MkdirAll(root, filepath.Dir(src), 0o755); err != nil {
-		return err
-	}
-
-	fsrc, err := xfs.OpenFile(root, src, os.O_WRONLY|os.O_CREATE, mode)
-	if err != nil {
-		return err
-	}
-	defer fsrc.Close() //nolint:errcheck
-
-	return mount.BindReadonlyFd(int(fsrc.Fd()), dst)
-}
-
-// createBindMountDirFd creates a common way to create a writable source dir with a
-// bind mounted destination. This is most commonly used for well known directories
-// under /etc that need to be adjusted during startup.
-func createBindMountDirFd(root xfs.Root, src, dst string) (err error) {
-	if err = xfs.MkdirAll(root, src, 0o755); err != nil {
-		return fmt.Errorf("mkdir all failed: %w", err)
-	}
-
-	f, err := xfs.OpenFile(root, src, os.O_RDONLY, 0)
-	if err != nil {
-		return fmt.Errorf("open file failed: %w", err)
-	}
-
-	defer f.Close() //nolint:errcheck
-
-	return mount.BindReadonlyFd(int(f.Fd()), dst)
-}
-
 // UpdateFile is like `os.WriteFile`, but it will only update the file if the
 // contents have changed.
 func UpdateFile(root xfs.Root, filename string, contents []byte, mode os.FileMode, selinuxLabel string) error {
 
@@ -6,7 +6,6 @@ package files_test
 
 import (
 	"os"
-	"path/filepath"
 	"testing"
 	"time"
 
@@ -25,7 +24,6 @@ import (
 type EtcFileSuite struct {
 	ctest.DefaultSuite
 
-	etcPath string
 	etcRoot xfs.Root
 }
 
@@ -34,25 +32,19 @@ func (suite *EtcFileSuite) TestFiles() {
 	etcFileSpec.TypedSpec().Contents = []byte("foo")
 	etcFileSpec.TypedSpec().Mode = 0o644
 
-	// create "read-only" mock (in Talos it's part of rootfs)
-	suite.T().Logf("mock created %q", filepath.Join(suite.etcPath, etcFileSpec.Metadata().ID()))
-	suite.Require().NoError(os.WriteFile(filepath.Join(suite.etcPath, etcFileSpec.Metadata().ID()), nil, 0o644))
-
 	suite.Create(etcFileSpec)
 
 	// controller should put a finalizer on the spec, bumping the version
 	expectedVersion := etcFileSpec.Metadata().Version().Next()
 
+	// the controller writes into the managed EtcRoot tmpfs; /etc surfacing is the overlay's
+	// job (composed in machined, not exercised here).
 	ctest.AssertResource(suite, "test1", func(r *files.EtcFileStatus, asrt *assert.Assertions) {
 		asrt.Equal(expectedVersion.String(), r.TypedSpec().SpecVersion)
 
 		rwb, err := xfs.ReadFile(suite.etcRoot, "test1")
 		asrt.NoError(err)
 		asrt.Equal("foo", string(rwb))
-
-		rob, err := os.ReadFile(filepath.Join(suite.etcPath, "test1"))
-		asrt.NoError(err)
-		asrt.Equal("foo", string(rob))
 	})
 
 	rtestutils.Destroy[*files.EtcFileSpec](suite.Ctx(), suite.T(), suite.State(), []string{etcFileSpec.Metadata().ID()})
@@ -72,8 +64,6 @@ func TestEtcFileSuite(t *testing.T) {
 			ok, err := runtime.KernelCapabilities().OpentreeOnAnonymousFS()
 			s.Require().NoError(err)
 
-			etcSuite.etcPath = s.T().TempDir()
-
 			if ok {
 				etcSuite.etcRoot = &xfs.UnixRoot{FS: opentree.NewFromPath(s.T().TempDir())}
 			} else {
@@ -83,7 +73,6 @@ func TestEtcFileSuite(t *testing.T) {
 			s.Require().NoError(etcSuite.etcRoot.OpenFS())
 
 			s.Require().NoError(s.Runtime().RegisterController(&filesctrl.EtcFileController{
-				EtcPath: etcSuite.etcPath,
 				EtcRoot: etcSuite.etcRoot,
 			}))
 		},
Original file line number	Diff line number	Diff line change
`@@ -174,6 +174,7 @@ func GetOverlayVolumesTransformer(inContainer bool) func(configconfig.Config) ([`
`174`	`174`	`}`
`175`	`175`
`176`	`176`	`var resources []VolumeResource`
	`177`	`+`
`177`	`178`	`for _, overlay := range constants.Overlays {`
`178`	`179`	`resources = append(resources, VolumeResource{`
`179`	`180`	`VolumeID: overlay.Path,`