feat: refactor /etc mounts#13558
Open
frezbo wants to merge 1 commit into
Open
Conversation
There was a problem hiding this comment.
Pull request overview
Refactors Talos’ /etc handling to stop using per-file bind mounts and instead compose /etc as a read-only overlay backed by the static rootfs /etc plus a writable (anonymous) tmpfs, with /etc/cni and /etc/kubernetes mounted as standalone tmpfs due to overlay stacking limits (especially when extensions add additional overlay layers).
Changes:
- Added fsopen support for ordered
FSCONFIG_SET_FDparameters and introduced an overlay helper that builds overlay lower layers from mount FDs. - Added machined runtime logic to seed required
/etcfiles/dirs and mount the/etcoverlay early, then mount writable tmpfs on/etc/cniand/etc/kubernetes. - Removed
/etcbind-mount machinery in controllers/tests and adjusted SELinux policy + rootfs build steps to match the new/etcmodel.
Reviewed changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/xfs/fsopen/options_linux.go | Adds WithFdParameter option to pass FSCONFIG_SET_FD parameters into fsopen. |
| pkg/xfs/fsopen/fsopen_linux.go | Stores ordered fd params and applies them via unix.FsconfigSetFd during filesystem creation. |
| pkg/machinery/constants/constants.go | Removes /etc/cni and /etc/kubernetes from the generic overlay mount list. |
| internal/pkg/selinux/policy/selinux/services/kubelet.cil | Allows filesystem association for k8s_conf_t to support context-labeled tmpfs mounts. |
| internal/pkg/selinux/policy/selinux/services/cri.cil | Adds tmpfs association for cni_conf_t and allows container runtime remount behavior for k8s_conf_t. |
| internal/pkg/selinux/policy/selinux/common/files.cil | Labels managed /etc tmpfs as etc_t, adds filesystem association, and introduces a neverallow guard against non-init writes to etc_t. |
| internal/pkg/mount/v3/helpers.go | Adds helper to mount read-only overlay using layer file descriptors (fsconfig lowerdir+ via FD). |
| internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go | Switches /etc to a managed tmpfs + overlay model and wires in overlay setup. |
| internal/app/machined/pkg/runtime/v1alpha2/etc_overlay.go | New implementation that seeds /etc, mounts the /etc overlay, and mounts writable tmpfs at /etc/cni and /etc/kubernetes. |
| internal/app/machined/pkg/controllers/files/etcfile.go | Removes per-file bind mounts; writes directly into the managed /etc tmpfs root. |
| internal/app/machined/pkg/controllers/files/etcfile_test.go | Updates tests to validate writes into EtcRoot only (overlay surfacing is now machined’s responsibility). |
| internal/app/machined/pkg/controllers/files/cri_registry_config.go | Drops bind mount creation for CRI hosts directory; relies on overlay surfacing. |
| internal/app/machined/pkg/controllers/block/internal/volumes/volumeconfig/system_volumes.go | Minor formatting change while iterating overlay volume resources. |
| Dockerfile | Stops pre-creating many /etc placeholders in the rootfs; only keeps extensions.yaml placeholder. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Member
|
Would storing /etc/cni as tmpfs mean cni plugins would need to be re-copied on every system reboot? |
Member
Author
no, plugins are in |
frezbo
force-pushed
the
feat/etc-refactor
branch
from
923ca81 to
f8ea540
Compare
frezbo
force-pushed
the
feat/etc-refactor
branch
5 times, most recently
from
5c6bbea to
dc025e9
Compare
frezbo
removed
the
integration/release-gate
frezbo
force-pushed
the
feat/etc-refactor
branch
from
dc025e9 to
12fce05
Compare
Stop using individual bind mounts for `/etc` files and use a writable overlay backed by rootfs `/etc`. This allows in future to support files under `/etc` as machine config documents. Drop all bind mount support, containers now also follow same pattern. Also move `/etc/cni` and `/etc/kuberentes` as tmpfs, since we cannot have a nested overlay over size of two, when system has an extension(s), `/etc` being an overlay means, it's already two levels in, so `/etc/cni` and `/etc/kubernetes` cannot be overlayed on top again. Signed-off-by: Noel Georgi <git@frezbo.dev>
frezbo
force-pushed
the
feat/etc-refactor
branch
from
12fce05 to
617aa63
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stop using individual bind mounts for
/etcfiles and use an overlay backed by rootfs/etcand an anonymous tmpfs. This allows in future to support files under/etcas machine config documents.Drop all bind mount support, containers now also follow same pattern.
Also move
/etc/cniand/etc/kuberentesas tmpfs, since we cannot have a nested overlay over size of two, when system has an extension(s),/etcbeing an overlay means, it's already two levels in, so/etc/cniand/etc/kubernetescannot be overlayed on top again.