Conversation
…cally Talos machine configuration embedded in NoCloud user-data carries the cluster's PKI and API credentials and must be protected accordingly. Previously the cidata image landed at the platform default (typically 0644) and was hard-capped at a 16 MiB FAT32 volume regardless of payload — a controlplane.yaml that inlined extra config or extensions would surface a low-level diskfs failure rather than a clear error.

- nocloudcidata.Builder.Build now chmods the cidata image to 0600 right after diskfs.Create, before any FAT32 content is written. Aligns with Talos's own security checklist guidance to treat machine config as root-secret material.
- Image size is now derived from the payload: payload + 4 MiB FAT32 overhead, floored at the 16 MiB working size diskfs needs, rounded up to the nearest MiB. Cap at 64 MiB (CidataMaxSize); payloads larger than that surface a clear "exceeds the maximum cidata image size" error instead of an opaque diskfs failure.

Tests cover the 0600 mode, a 32 MiB user-data payload that previously would not fit in the fixed 16 MiB image, and the over-cap rejection with no partial image left on disk.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Talos machine configuration embedded in NoCloud user-data carries the cluster's PKI and API credentials. Previously the cidata image landed at the platform default mode (typically 0644 / world-readable), and was hard-capped at a 16 MiB FAT32 volume regardless of payload size — a controlplane.yaml that inlined custom config or extensions would surface as an opaque diskfs failure instead of a clear error.

This is PR 2 of 5 from the session 057 plan. Independent of PR 1 (#65) — different files, can land in either order.
What changed
- nocloudcidata.Builder.Build chmods the cidata image to 0600 right after diskfs.Create, before any FAT32 content is written. Aligns with Talos's published security checklist guidance to treat machine config as root-secret material.
- roundUpMiB(max(payload + 4 MiB overhead, 16 MiB)), capped at CidataMaxSize = 64 MiB. Payloads beyond the cap fail with a clear "exceeds the maximum cidata image size" error instead of a low-level diskfs failure. The 16 MiB floor preserves the working FAT32 size diskfs needs for small payloads.

Why now
Session 057's review (and Talos's own security docs) flag the machine config as the root secret of the cluster. Default file mode on a shared CI runner or laptop is 0644; that ships PKI to anyone with shell access. Fixing it before a real cluster lands is cheaper than after.
Out of scope
- output.dir constraint tightening (PR 3).

Test plan

- go test ./internal/adapters/nocloudcidata/... — passes.
- go test ./... from tools/labctl/ — full suite passes.
- moon run labctl:check --summary minimal — format/lint/test pass.
- CidataMaxSize payload errors with no partial image on disk.

🤖 Generated with Claude Code