feat: use bootstrapped packages for building Talos

Makefile

@@ -17,14 +17,14 @@ ZSTD_COMPRESSION_LEVEL ?= 18
 CI_RELEASE_TAG := $(shell git log --oneline --format=%B -n 1 HEAD^2 -- 2>/dev/null | head -n 1 | sed -r "/^release\(.*\)/ s/^release\((.*)\):.*$$/\\1/; t; Q")
 
 ARTIFACTS := _out
-TOOLS ?= ghcr.io/siderolabs/tools:v1.10.0-alpha.0-7-g7200845
+TOOLS ?= ghcr.io/siderolabs/tools:v1.10.0-alpha.0-10-g9db33dd
 
 DEBUG_TOOLS_SOURCE := scratch
 EMBED_TARGET ?= embed
 
 PKGS_PREFIX ?= ghcr.io/siderolabs
-PKGS ?= v1.10.0-alpha.0-34-g5763e3e
-EXTRAS ?= v1.10.0-alpha.0-2-gf4a110f
+PKGS ?= v1.10.0-alpha.0-35-g85f8901
+EXTRAS ?= v1.10.0-alpha.0-3-g4102a78
 
 KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest
 CONFORMANCE_IMAGE ?= ghcr.io/siderolabs/conform:latest
@@ -64,7 +64,7 @@ PKG_KMOD ?= $(PKGS_PREFIX)/kmod:$(PKGS)
 PKG_CNI ?= $(PKGS_PREFIX)/cni:$(PKGS)
 PKG_FLANNEL_CNI ?= $(PKGS_PREFIX)/flannel-cni:$(PKGS)
 PKG_KERNEL ?= $(PKGS_PREFIX)/kernel:$(PKGS)
-PKG_TALOSCTL_CNI_BUNDLE_INSTALL ?= $(PKGS_PREFIX)/talosctl-cni-bundle-install:$(EXTRAS)
+PKG_TALOSCTL_CNI_BUNDLE ?= $(PKGS_PREFIX)/talosctl-cni-bundle:$(EXTRAS)
 
 # renovate: datasource=github-tags depName=golang/go
 GO_VERSION ?= 1.23
@@ -267,7 +267,7 @@ COMMON_ARGS += --build-arg=PKG_RASPBERYPI_FIRMWARE=$(PKG_RASPBERYPI_FIRMWARE)
 COMMON_ARGS += --build-arg=PKG_CNI=$(PKG_CNI)
 COMMON_ARGS += --build-arg=PKG_FLANNEL_CNI=$(PKG_FLANNEL_CNI)
 COMMON_ARGS += --build-arg=PKG_KERNEL=$(PKG_KERNEL)
-COMMON_ARGS += --build-arg=PKG_TALOSCTL_CNI_BUNDLE_INSTALL=$(PKG_TALOSCTL_CNI_BUNDLE_INSTALL)
+COMMON_ARGS += --build-arg=PKG_TALOSCTL_CNI_BUNDLE=$(PKG_TALOSCTL_CNI_BUNDLE)
 COMMON_ARGS += --build-arg=ABBREV_TAG=$(ABBREV_TAG)
 COMMON_ARGS += --build-arg=ZSTD_COMPRESSION_LEVEL=$(ZSTD_COMPRESSION_LEVEL)
 COMMON_ARGS += --build-arg=MICROSOFT_SECUREBOOT_RELEASE=$(MICROSOFT_SECUREBOOT_RELEASE)

go.mod

@@ -1,6 +1,6 @@
 module github.com/siderolabs/talos
 
-go 1.23.5
+go 1.23.6
 
 replace (
 	// see e.g. https://github.com/grpc/grpc-go/issues/6696

go.work

@@ -1,4 +1,4 @@
-go 1.23.5
+go 1.23.6
 
 use (
 	.

hack/cleanup.sh

@@ -1,7 +1,4 @@
-#!/toolchain/bin/bash
-
-export PATH=/toolchain/bin
-
+#!/bin/bash
 PREFIX="${1}"
 
 function remove_symlinks() {
@@ -25,16 +22,16 @@ find ${PREFIX} -type f -name \*.la -delete
 find ${PREFIX} -type f \( -name \*.static -o -name \*.o \) -delete
 # Strip debug symbols from all libraries and binaries.
 find ${PREFIX}/{lib,usr/lib} -type f \( -name \*.so* -a ! -name \*dbg \) -exec strip --strip-unneeded {} ';' || true
-find ${PREFIX}/{bin,sbin,usr/bin,usr/sbin} -type f -exec strip --strip-all {} ';' || true
+find ${PREFIX}/{usr/bin,usr/sbin} -type f -exec strip --strip-all {} ';' || true
 
 # Remove header files, man files, and any other non-runtime dependencies.
-rm -rf ${PREFIX}/{lib,usr/lib}/pkgconfig/ \
+rm -rf ${PREFIX}/usr/lib/pkgconfig/ \
        ${PREFIX}/{include,usr/include}/* \
        ${PREFIX}/{share,usr/share}/* \
        ${PREFIX}/usr/lib/cmake \
-       ${PREFIX}/lib/gconv/ \
+       ${PREFIX}/usr/lib/gconv/ \
        ${PREFIX}/usr/libexec/getconf \
        ${PREFIX}/var/db
 
 # Remove contents of /usr/bin except for udevadm
-find ${PREFIX}/usr/bin \( -type f -o -type l \) ! -name udevadm -delete
+# find ${PREFIX}/usr/bin \( -type f -o -type l \) ! -name udevadm -delete

hack/cloud-image-uploader/go.mod

@@ -1,6 +1,6 @@
 module github.com/siderolabs/cloud-image-uploader
 
-go 1.23.5
+go 1.23.6
 
 require (
 	cloud.google.com/go/storage v1.49.0

hack/docgen/go.mod

@@ -1,6 +1,6 @@
 module github.com/siderolabs/talos-hack-docgen
 
-go 1.23.5
+go 1.23.6
 
 // forked go-yaml that introduces RawYAML interface, which can be used to populate YAML fields using bytes
 // which are then encoded as a valid YAML blocks with proper indentiation

hack/gotagsrewrite/go.mod

@@ -1,6 +1,6 @@
 module github.com/siderolabs/gotagsrewrite
 
-go 1.23.5
+go 1.23.6
 
 require (
 	github.com/fatih/structtag v1.2.0

hack/labeled-squashfs.sh

@@ -1,6 +1,6 @@
-#!/toolchain/bin/bash
+#!/bin/bash
 
 set -e
 # set SELinux labels for files according to file_contexts supplied
-/toolchain/sbin/setfiles -r $1 -F -vv $3 $1
+/sbin/setfiles -r $1 -F -vv $3 $1
 mksquashfs $1 $2 -all-root -noappend -comp zstd -Xcompression-level $4 -no-progress

hack/module-sig-verify/go.mod

@@ -1,5 +1,5 @@
 module module-sig-verify
 
-go 1.23.5
+go 1.23.6
 
 require go.mozilla.org/pkcs7 v0.9.0

hack/release.toml

@@ -25,7 +25,7 @@ preface = """
 * etcd: 3.5.18
 * Flannel: 0.26.4
 
-Talos is built with Go 1.23.5.
+Talos is built with Go 1.23.6.
 """
 
     [notes.driver-rebind]

hack/structprotogen/go.mod

@@ -1,6 +1,6 @@
 module github.com/siderolabs/structprotogen
 
-go 1.23.5
+go 1.23.6
 
 require (
 	github.com/fatih/structtag v1.2.0

internal/app/init/main.go

@@ -28,6 +28,7 @@ import (
 	"github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/extensions"
+	"github.com/siderolabs/talos/pkg/machinery/imager/quirks"
 	"github.com/siderolabs/talos/pkg/machinery/version"
 )
 
@@ -73,7 +74,7 @@ func run() error {
 		return err
 	}
 
-	// Bind mount the lib/firmware if needed.
+	// Bind mount the usr/lib/firmware if needed.
 	if err := bindMountFirmware(); err != nil {
 		return err
 	}
@@ -199,17 +200,18 @@ func mountRootFS() error {
 }
 
 func bindMountFirmware() error {
-	if _, err := os.Stat(constants.FirmwarePath); err != nil {
+	firmwarePath := quirks.New("").FirmwarePath()
+	if _, err := os.Stat(firmwarePath); err != nil {
 		if os.IsNotExist(err) {
 			return nil
 		}
 
 		return err
 	}
 
-	log.Printf("bind mounting %s", constants.FirmwarePath)
+	log.Printf("bind mounting %s", firmwarePath)
 
-	return unix.Mount(constants.FirmwarePath, filepath.Join(constants.NewRoot, constants.FirmwarePath), "", unix.MS_BIND|unix.MS_RDONLY, "")
+	return unix.Mount(firmwarePath, filepath.Join(constants.NewRoot, firmwarePath), "", unix.MS_BIND|unix.MS_RDONLY, "")
 }
 
 func bindMountExtra() error {

internal/app/machined/pkg/controllers/k8s/templates/kube-proxy-template.yaml

@@ -57,7 +57,7 @@ spec:
       volumes:
         - name: lib-modules
           hostPath:
-            path: /lib/modules
+            path: /usr/lib/modules
         - name: ssl-certs-host
           hostPath:
             path: /etc/ssl/certs

internal/app/machined/pkg/system/runner/process/process_test.go

@@ -60,7 +60,7 @@ func (suite *ProcessSuite) TearDownSuite() {
 func (suite *ProcessSuite) TestRunSuccess() {
 	r := process.NewRunner(false, &runner.Args{
 		ID:          "test",
-		ProcessArgs: []string{"/bin/sh", "-c", "exit 0"},
+		ProcessArgs: []string{"/bin/bash", "-c", "exit 0"},
 	}, runner.WithLoggingManager(suite.loggingManager))
 
 	suite.Assert().NoError(r.Open())
@@ -75,7 +75,7 @@ func (suite *ProcessSuite) TestRunSuccess() {
 func (suite *ProcessSuite) TestRunLogs() {
 	r := process.NewRunner(false, &runner.Args{
 		ID:          "logtest",
-		ProcessArgs: []string{"/bin/sh", "-c", "echo -n \"Test 1\nTest 2\n\""},
+		ProcessArgs: []string{"/bin/bash", "-c", "echo -n \"Test 1\nTest 2\n\""},
 	}, runner.WithLoggingManager(suite.loggingManager))
 
 	suite.Assert().NoError(r.Open())
@@ -103,7 +103,7 @@ func (suite *ProcessSuite) TestRunRestartFailed() {
 
 	r := restart.New(process.NewRunner(false, &runner.Args{
 		ID:          "restarter",
-		ProcessArgs: []string{"/bin/sh", "-c", "echo \"ran\"; test -f " + testFile},
+		ProcessArgs: []string{"/bin/bash", "-c", "echo \"ran\"; test -f " + testFile},
 	}, runner.WithLoggingManager(suite.loggingManager)), restart.WithType(restart.UntilSuccess), restart.WithRestartInterval(time.Millisecond))
 
 	suite.Assert().NoError(r.Open())
@@ -156,7 +156,7 @@ func (suite *ProcessSuite) TestStopFailingAndRestarting() {
 
 	r := restart.New(process.NewRunner(false, &runner.Args{
 		ID:          "endless",
-		ProcessArgs: []string{"/bin/sh", "-c", "test -f " + testFile},
+		ProcessArgs: []string{"/bin/bash", "-c", "test -f " + testFile},
 	}, runner.WithLoggingManager(suite.loggingManager)), restart.WithType(restart.Forever), restart.WithRestartInterval(5*time.Millisecond))
 
 	suite.Assert().NoError(r.Open())
@@ -200,7 +200,7 @@ func (suite *ProcessSuite) TestStopFailingAndRestarting() {
 func (suite *ProcessSuite) TestStopSigKill() {
 	r := process.NewRunner(false, &runner.Args{
 		ID:          "nokill",
-		ProcessArgs: []string{"/bin/sh", "-c", "trap -- '' SIGTERM; while :; do :; done"},
+		ProcessArgs: []string{"/bin/bash", "-c", "trap -- '' SIGTERM; while :; do :; done"},
 	},
 		runner.WithLoggingManager(suite.loggingManager),
 		runner.WithGracefulShutdownTimeout(10*time.Millisecond),
@@ -240,7 +240,7 @@ func (suite *ProcessSuite) TestPriority() {
 
 	r := process.NewRunner(false, &runner.Args{
 		ID:          "nokill",
-		ProcessArgs: []string{"/bin/sh", "-c", "echo $BASHPID >> " + pidFile + "; trap -- '' SIGTERM; while :; do :; done"},
+		ProcessArgs: []string{"/bin/bash", "-c", "echo $BASHPID >> " + pidFile + "; trap -- '' SIGTERM; while :; do :; done"},
 	},
 		runner.WithLoggingManager(suite.loggingManager),
 		runner.WithGracefulShutdownTimeout(10*time.Millisecond),
@@ -294,7 +294,7 @@ func (suite *ProcessSuite) TestIOPriority() {
 
 	r := process.NewRunner(false, &runner.Args{
 		ID:          "nokill",
-		ProcessArgs: []string{"/bin/sh", "-c", "echo $BASHPID >> " + pidFile + "; trap -- '' SIGTERM; while :; do :; done"},
+		ProcessArgs: []string{"/bin/bash", "-c", "echo $BASHPID >> " + pidFile + "; trap -- '' SIGTERM; while :; do :; done"},
 	},
 		runner.WithLoggingManager(suite.loggingManager),
 		runner.WithGracefulShutdownTimeout(10*time.Millisecond),
@@ -347,7 +347,7 @@ func (suite *ProcessSuite) TestSchedulingPolicy() {
 
 	r := process.NewRunner(false, &runner.Args{
 		ID:          "nokill",
-		ProcessArgs: []string{"/bin/sh", "-c", "echo $BASHPID >> " + pidFile + "; trap -- '' SIGTERM; while :; do :; done"},
+		ProcessArgs: []string{"/bin/bash", "-c", "echo $BASHPID >> " + pidFile + "; trap -- '' SIGTERM; while :; do :; done"},
 	},
 		runner.WithLoggingManager(suite.loggingManager),
 		runner.WithGracefulShutdownTimeout(10*time.Millisecond),

internal/app/machined/pkg/system/services/kubelet.go

@@ -129,7 +129,7 @@ func (k *Kubelet) Runner(r runtime.Runtime) (runner.Runner, error) {
 		{Type: "bind", Destination: "/dev", Source: "/dev", Options: []string{"rbind", "rshared", "rw"}},
 		{Type: "sysfs", Destination: "/sys", Source: "/sys", Options: []string{"bind", "ro"}},
 		{Type: "bind", Destination: constants.CgroupMountPath, Source: constants.CgroupMountPath, Options: []string{"rbind", "rshared", "rw"}},
-		{Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "ro"}},
+		{Type: "bind", Destination: "/usr/lib/modules", Source: "/usr/lib/modules", Options: []string{"bind", "ro"}},
 		{Type: "bind", Destination: "/etc/kubernetes", Source: "/etc/kubernetes", Options: []string{"bind", "rshared", "rw"}},
 		{Type: "bind", Destination: constants.KubeletCredentialProviderBinDir, Source: constants.KubeletCredentialProviderBinDir, Options: []string{"bind", "ro"}},
 		{Type: "bind", Destination: "/etc/nfsmount.conf", Source: "/etc/nfsmount.conf", Options: []string{"bind", "ro"}},

internal/integration/api/extensions_qemu.go

@@ -68,14 +68,14 @@ func (suite *ExtensionsSuiteQEMU) TearDownTest() {
 // TestExtensionsExpectedPaths verifies expected paths are present.
 func (suite *ExtensionsSuiteQEMU) TestExtensionsExpectedPaths() {
 	expectedPaths := []string{
-		"/lib/firmware/amdgpu",
-		"/lib/firmware/amd-ucode",
-		"/lib/firmware/bnx2x",
-		"/lib/firmware/cxgb3",
-		"/lib/firmware/cxgb4/configs",
-		"/lib/firmware/i915",
-		"/lib/firmware/intel/ice/ddp",
-		"/lib/firmware/intel-ucode",
+		"/usr/lib/firmware/amdgpu",
+		"/usr/lib/firmware/amd-ucode",
+		"/usr/lib/firmware/bnx2x",
+		"/usr/lib/firmware/cxgb3",
+		"/usr/lib/firmware/cxgb4/configs",
+		"/usr/lib/firmware/i915",
+		"/usr/lib/firmware/intel/ice/ddp",
+		"/usr/lib/firmware/intel-ucode",
 	}
 
 	node := suite.RandomDiscoveredNodeInternalIP(machine.TypeWorker)

internal/integration/base/api.go

@@ -538,7 +538,7 @@ func (apiSuite *APISuite) AssertExpectedModules(ctx context.Context, node string
 
 	apiSuite.Require().NoError(scanner.Err())
 
-	fileReader, err = apiSuite.Client.Read(nodeCtx, fmt.Sprintf("/lib/modules/%s/modules.dep", constants.DefaultKernelVersion))
+	fileReader, err = apiSuite.Client.Read(nodeCtx, fmt.Sprintf("/usr/lib/modules/%s/modules.dep", constants.DefaultKernelVersion))
 	apiSuite.Require().NoError(err)
 
 	defer func() {

internal/pkg/extensions/compress.go

@@ -12,7 +12,6 @@ import (
 	"os/exec"
 	"path/filepath"
 
-	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/imager/quirks"
 )
 
@@ -23,28 +22,36 @@ import (
 // We need to repackage the ucode blobs matching the glob into the destination concatenating
 // them all together.
 // The resulting blobs should be placed into uncompressed cpio archive prepended to the normal (compressed) initramfs.
-var earlyCPUUcode = []struct {
+func earlyCPUUcode(quirks quirks.Quirks) []struct {
 	glob, dst string
-}{
-	{"/lib/firmware/intel-ucode/*", "kernel/x86/microcode/GenuineIntel.bin"},
-	{"/lib/firmware/amd-ucode/microcode_amd*.bin", "kernel/x86/microcode/AuthenticAMD.bin"},
+} {
+	fwPath := quirks.FirmwarePath()
+
+	return []struct {
+		glob, dst string
+	}{
+		{fwPath + "/intel-ucode/*", "kernel/x86/microcode/GenuineIntel.bin"},
+		{fwPath + "/amd-ucode/microcode_amd*.bin", "kernel/x86/microcode/AuthenticAMD.bin"},
+	}
 }
 
 // List of paths to be moved to the future initramfs.
-var initramfsPaths = []string{
-	constants.FirmwarePath,
+func initramfsPaths(quirks quirks.Quirks) []string {
+	return []string{
+		quirks.FirmwarePath(),
+	}
 }
 
 // Compress builds the squashfs image in the specified destination folder.
 //
 // Components which should be placed to the initramfs are moved to the initramfsPath.
 // Ucode components are moved into a separate designated location.
 func (ext *Extension) Compress(squashPath, initramfsPath string, quirks quirks.Quirks) (string, error) {
-	if err := ext.handleUcode(initramfsPath); err != nil {
+	if err := ext.handleUcode(initramfsPath, quirks); err != nil {
 		return "", err
 	}
 
-	for _, path := range initramfsPaths {
+	for _, path := range initramfsPaths(quirks) {
 		if _, err := os.Stat(filepath.Join(ext.RootfsPath(), path)); err == nil {
 			if err = moveFiles(filepath.Join(ext.RootfsPath(), path), filepath.Join(initramfsPath, path)); err != nil {
 				return "", err
@@ -87,8 +94,8 @@ func appendBlob(dst io.Writer, srcPath string) error {
 	return os.Remove(srcPath)
 }
 
-func (ext *Extension) handleUcode(initramfsPath string) error {
-	for _, ucode := range earlyCPUUcode {
+func (ext *Extension) handleUcode(initramfsPath string, quirks quirks.Quirks) error {
+	for _, ucode := range earlyCPUUcode(quirks) {
 		matches, err := filepath.Glob(filepath.Join(ext.RootfsPath(), ucode.glob))
 		if err != nil {
 			return err

internal/pkg/extensions/extensions_test.go

@@ -34,5 +34,5 @@ func TestCompress(t *testing.T) {
 	assert.NoError(t, err)
 
 	assert.FileExists(t, squashFile)
-	assert.FileExists(t, filepath.Join(initramfsDest, "lib", "firmware", "amd", "cpu"))
+	assert.FileExists(t, filepath.Join(initramfsDest, "usr", "lib", "firmware", "amd", "cpu"))
 }