dbg talos image factory
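---
# Node 1 (cp1) - Talos Image Factory Schematic
# IP: 10.201.73.193
# Hostname: cp1
# Bond: ens1f0np0, ens1f1np1 (802.3ad LACP)
#
# This schematic configures network settings via kernel arguments so the node
# can boot with working networking in environments without DHCP.
#
# NOTE: everything under extraKernelArgs ends up on the kernel command line of
# an image built by a public service, and is readable from the booted node via
# /proc/cmdline. Never place secrets here (e.g. a talos.config= URL that embeds
# a token); keep the schematic to network/hardware settings only.
#
# USAGE:
# 1. Upload schematic to Image Factory to get schematic ID:
#    curl -X POST --data-binary @cp1-talos-image-factory-cfg.yaml https://factory.talos.dev/schematics
#
# 2. Download ISO using returned schematic ID (example with v1.11.3):
#    SCHEMATIC_ID="<returned_id>"
#    TALOS_VERSION="v1.11.3"
#    curl -LO "https://factory.talos.dev/image/${SCHEMATIC_ID}/${TALOS_VERSION}/metal-amd64.iso"
#
# 3. Burn ISO to USB or mount as virtual media via IPMI
#
# 4. Boot node from ISO - networking will be automatically configured
#
# ALTERNATIVE: Get schematic ID without uploading (if already uploaded):
#    Calculate the SHA256 hash of this file's normalized content
#
customization:
  systemExtensions:
    officialExtensions:
      - siderolabs/amd-ucode
      - siderolabs/nvme-cli
  extraKernelArgs:
    # ==========================================
    # REQUIRED PARAMETERS
    # ==========================================
    # Platform specification (REQUIRED)
    - talos.platform=metal
    # Kernel Self Protection Project (KSPP) requirements
    # (these appear to be Talos defaults already; repeating them is harmless - confirm)
    - slab_nomerge
    - pti=on
    # ==========================================
    # SECURITY PARAMETERS (Recommended by KSPP)
    # ==========================================
    # Initialize memory on allocation (prevents info leaks)
    - init_on_alloc=1
    # Initialize memory on free (prevents use-after-free attacks)
    # Not a Talos default; zeroing on every free has a measurable cost on
    # allocation-heavy workloads - benchmark before keeping it.
    - init_on_free=1
    # ==========================================
    # NETWORK CONFIGURATION
    # ==========================================
    # Static IP configuration for node1
    # Format: ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0>:<dns1>
    # Note: NTP is configured in machine config (machine.time.servers), not here
    - ip=10.201.73.193::10.201.73.1:255.255.255.0:cp1:bond0:none:173.37.87.157:72.163.47.11
    # Bond interface configuration (802.3ad LACP)
    # Format: bond=<name>:<slaves>:<options>:<mtu>
    - bond=bond0:ens1f0np0,ens1f1np1:mode=802.3ad,xmit_hash_policy=layer2+3,miimon=100,lacp_rate=fast
    # ==========================================
    # CONSOLE & LOGGING
    # ==========================================
    # Console output (tty0 = VGA, ttyS0/ttyS1 = serial)
    # Talos default: console=tty0 console=ttyS0
    - console=tty0
    - console=ttyS0,115200n8
    # Disable console blanking (useful for physical console monitoring)
    - consoleblank=0
    # Allow unlimited userspace writes to /dev/kmsg (kernel default is
    # "ratelimit"). This does not change what the kernel prints to the console;
    # leave at the default unless unthrottled log injection into dmesg is
    # acceptable on this node.
    - printk.devkmsg=on
    # ==========================================
    # BOOT & INSTALLATION PROTECTION
    # ==========================================
    # Allow boot from ISO even if Talos is already installed (0 = allow, 1 = halt)
    # Set to 0 to enable re-installation from ISO (our use case)
    # Set to 1 to prevent accidental re-installation after initial deployment
    # (with 0, anyone who can boot this ISO on the node can overwrite the install)
    - talos.halt_if_installed=0
    # ==========================================
    # SYSTEM BEHAVIOR
    # ==========================================
    # Dashboard control (default: enabled, shows on tty2)
    # Uncomment to disable if running headless or custom monitoring
    # - talos.dashboard.disabled=1
    # Kernel panic behavior (0 = no auto-reboot, useful for debugging)
    # Default Talos behavior: always reboot on panic
    # Uncomment and set value (in seconds) to delay reboot for log collection
    # - panic=30
    # Device settle time (wait for RAID/storage to initialize)
    # Useful for complex storage controllers that need extra time
    # Format: Go duration (e.g., 3m, 30s)
    - talos.device.settle_time=10s
    # ==========================================
    # STORAGE & DISK PARAMETERS
    # ==========================================
    # NVMe I/O timeout (set to max to prevent premature timeouts)
    - nvme_core.io_timeout=4294967295
    # ==========================================
    # NETWORK TUNING
    # ==========================================
    # Ignore physical interfaces (they're part of bond0)
    # Prevents DHCP timeouts during early boot (before bond is configured)
    - talos.network.interface.ignore=ens1f0np0
    - talos.network.interface.ignore=ens1f1np1
    # Disable predictable network interface names (use eth0, eth1, etc.)
    # Currently NOT set - we're using predictable names (ens1f0np0, etc.)
    # Uncomment if you prefer traditional naming:
    # - net.ifnames=0
    # ==========================================
    # SECURITY & KERNEL HARDENING
    # ==========================================
    # Disable kexec (prevents kernel loading bypass)
    # Required for some compliance frameworks
    # NOTE(review): Talos upgrades use kexec for the fast reboot path by
    # default; with this set, expect upgrades to fall back to a full firmware
    # reboot - confirm against the Talos version in use.
    - sysctl.kernel.kexec_load_disabled=1
    # ==========================================
    # DEBUGGING & TROUBLESHOOTING
    # ==========================================
    # Audit daemon control (default: enabled)
    # Uncomment to disable if running custom audit solution
    # - talos.auditd.disabled=1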