feat: implement new DHCP network configuration

Fixes #11661

Fixes #10958

This also implement proper client identifier handling.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

Author: smira

api/lock.binpb

@@ -118,6 +118,13 @@ enum NethelpersBondXmitHashPolicy {
   BOND_XMIT_POLICY_ENCAP34 = 4;
 }
 
+// NethelpersClientIdentifier is a DHCP client identifier.
+enum NethelpersClientIdentifier {
+  CLIENT_IDENTIFIER_NONE = 0;
+  CLIENT_IDENTIFIER_MAC = 1;
+  CLIENT_IDENTIFIER_DUID = 2;
+}
+
 // NethelpersConntrackState is a conntrack state.
 enum NethelpersConntrackState {
   NETHELPERS_CONNTRACKSTATE_UNSPECIFIED = 0;

api/resource/definitions/enums/enums.proto

@@ -87,17 +87,24 @@ message BridgeVLANSpec {
   bool filtering_enabled = 1;
 }
 
+// ClientIdentifierSpec is a shared DHCP4/DHCP6 client identifier spec.
+message ClientIdentifierSpec {
+  talos.resource.definitions.enums.NethelpersClientIdentifier client_identifier = 1;
+  string duid_raw_hex = 2;
+}
+
 // DHCP4OperatorSpec describes DHCP4 operator options.
 message DHCP4OperatorSpec {
   uint32 route_metric = 1;
   bool skip_hostname_request = 2;
+  ClientIdentifierSpec client_identifier = 3;
 }
 
 // DHCP6OperatorSpec describes DHCP6 operator options.
 message DHCP6OperatorSpec {
-  string duid = 1;
   uint32 route_metric = 2;
   bool skip_hostname_request = 3;
+  ClientIdentifierSpec client_identifier = 4;
 }
 
 // DNSResolveCacheSpec describes DNS servers status.

api/resource/definitions/network/network.proto

@@ -274,7 +274,9 @@ func (m *Maker[T]) applyOmniConfigs() error {
 
 func (m *Maker[T]) finalizeMachineConfigs() (*bundle.Bundle, error) {
 	// These options needs to be generated after the implementing maker has made changes to the cluster request.
-	m.GenOps = slices.Concat(m.GenOps, m.Provisioner.GenOptions(m.ClusterRequest.Network, m.VersionContract))
+	provisionGenOps, provisionBundleOps := m.Provisioner.GenOptions(m.ClusterRequest.Network, m.VersionContract)
+	m.GenOps = slices.Concat(m.GenOps, provisionGenOps)
+	m.ConfigBundleOps = slices.Concat(m.ConfigBundleOps, provisionBundleOps)
 	m.GenOps = slices.Concat(m.GenOps, []generate.Option{generate.WithEndpointList(m.Endpoints)})
 
 	m.ConfigBundleOps = append(m.ConfigBundleOps,

cmd/talosctl/cmd/mgmt/cluster/create/clusterops/configmaker/internal/makers/common.go

@@ -14,6 +14,7 @@ import (
 	"github.com/siderolabs/talos/cmd/talosctl/cmd/mgmt/cluster/create/clusterops"
 	"github.com/siderolabs/talos/cmd/talosctl/cmd/mgmt/cluster/create/clusterops/configmaker/internal/makers"
 	"github.com/siderolabs/talos/pkg/machinery/config"
+	"github.com/siderolabs/talos/pkg/machinery/config/bundle"
 	"github.com/siderolabs/talos/pkg/machinery/config/encoder"
 	"github.com/siderolabs/talos/pkg/machinery/config/generate"
 	"github.com/siderolabs/talos/pkg/machinery/config/generate/secrets"
@@ -24,8 +25,8 @@ type testProvisioner struct {
 	provision.Provisioner
 }
 
-func (p testProvisioner) GenOptions(r provision.NetworkRequest, _ *config.VersionContract) []generate.Option {
-	return []generate.Option{func(o *generate.Options) error { return nil }}
+func (p testProvisioner) GenOptions(r provision.NetworkRequest, _ *config.VersionContract) ([]generate.Option, []bundle.Option) {
+	return []generate.Option{func(o *generate.Options) error { return nil }}, nil
 }
 
 func (p testProvisioner) GetTalosAPIEndpoints(provision.NetworkRequest) []string {

cmd/talosctl/cmd/mgmt/cluster/create/clusterops/configmaker/internal/makers/common_test.go

@@ -23,10 +23,6 @@ replace (
 	gopkg.in/yaml.v3 => github.com/unix4ever/yaml v0.0.0-20220527175918-f17b0f05cf2c
 )
 
-// fd-leak related replacements: https://github.com/siderolabs/talos/issues/9412
-// https://github.com/insomniacslk/dhcp/pull/550
-replace github.com/insomniacslk/dhcp => github.com/smira/dhcp v0.0.0-20250407153013-99942baa5d59
-
 // deadcode elimination fix replacement: https://github.com/siderolabs/talos/issues/11296
 // upstream PR: https://github.com/containerd/containerd/pull/12175
 // this a fork with containerd 2.1 branch + the commit from the PR above
@@ -106,7 +102,7 @@ require (
 	github.com/hashicorp/go-getter/v2 v2.2.3
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hetznercloud/hcloud-go/v2 v2.25.1
-	github.com/insomniacslk/dhcp v0.0.0-20250109001534-8abf58130905
+	github.com/insomniacslk/dhcp v0.0.0-20251007151141-da879a2c3546
 	github.com/jeromer/syslogparser v1.1.0
 	github.com/jsimonetti/rtnetlink/v2 v2.0.5
 	github.com/jxskiss/base62 v1.1.0

go.mod

@@ -371,6 +371,8 @@ github.com/hugelgupf/vmtest v0.0.0-20240307030256-5d9f3d34a58d h1:nP8SfQJqruIVSW
 github.com/hugelgupf/vmtest v0.0.0-20240307030256-5d9f3d34a58d/go.mod h1:B63hDJMhTupLWCHwopAyEo7wRFowx9kOc8m8j1sfOqE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/insomniacslk/dhcp v0.0.0-20251007151141-da879a2c3546 h1:zj09ZbgBgcPaft1b/RftIAT+ALx85M2yzJyOvliRbGQ=
+github.com/insomniacslk/dhcp v0.0.0-20251007151141-da879a2c3546/go.mod h1:qfvBmyDNp+/liLEYWRvqny/PEz9hGe2Dz833eXILSmo=
 github.com/jarcoal/httpmock v1.4.0 h1:BvhqnH0JAYbNudL2GMJKgOHe2CtKlzJ/5rWKyp+hc2k=
 github.com/jarcoal/httpmock v1.4.0/go.mod h1:ftW1xULwo+j0R0JJkJIIi7UKigZUXCLLanykgjwBXL0=
 github.com/jeromer/syslogparser v1.1.0 h1:HES0EviO9iPvCu56LjVFVhbM3o0BckDlIbQfkkaRJAw=
@@ -667,8 +669,6 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/smira/containerd/v2 v2.0.0-20250806103510-dcf2fc86e156 h1:vxHt7VLqjFtY3c80Al/RTPAxxu7XVQuTeTNkRZb2AOQ=
 github.com/smira/containerd/v2 v2.0.0-20250806103510-dcf2fc86e156/go.mod h1:8C5QV9djwsYDNhxfTCFjWtTBZrqjditQ4/ghHSYjnHM=
-github.com/smira/dhcp v0.0.0-20250407153013-99942baa5d59 h1:lBQLOP8ZZI6mbePwGX/bqXi3srwhYB/zcwqrnX+JJIc=
-github.com/smira/dhcp v0.0.0-20250407153013-99942baa5d59/go.mod h1:VvGYjkZoJyKqlmT1yzakUs4mfKMNB0XdODP0+rdml6k=
 github.com/smira/kobject v0.0.0-20240304111826-49c8d4613389 h1:f/5NRv5IGZxbjBhc5MnlbNmyuXBPxvekhBAUzyKWyLY=
 github.com/smira/kobject v0.0.0-20240304111826-49c8d4613389/go.mod h1:+SexPO1ZvdbbWUdUnyXEWv3+4NwHZjKhxOmQqHY4Pqc=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=

go.sum

@@ -407,6 +407,7 @@ func (ctrl *LinkConfigController) processDevicesConfiguration(
 	}
 }
 
+//nolint:gocyclo
 func (ctrl *LinkConfigController) processLinkConfigs(logger *zap.Logger, linkMap map[string]*network.LinkSpecSpec, cfg *config.MachineConfig, linkNameResolver *network.LinkResolver) {
 	if cfg == nil {
 		return
@@ -446,6 +447,20 @@ func (ctrl *LinkConfigController) processLinkConfigs(logger *zap.Logger, linkMap
 			logger.Error("unknown link config type", zap.String("linkName", linkName), zap.String("type", fmt.Sprintf("%T", specificLinkConfig)))
 		}
 	}
+
+	// if we have DHCP config, bring up the link implicitly if it hasn't been configured yet
+	for _, dhcpConfig := range cfg.Config().NetworkDHCPConfigs() {
+		linkName := dhcpConfig.Name()
+		linkName = linkNameResolver.Resolve(linkName)
+
+		if _, exists := linkMap[linkName]; !exists {
+			linkMap[linkName] = &network.LinkSpecSpec{
+				Name:        linkName,
+				Up:          true,
+				ConfigLayer: network.ConfigMachineConfiguration,
+			}
+		}
+	}
 }
 
 type vlaner interface {

internal/app/machined/pkg/controllers/network/link_config.go

@@ -0,0 +1,112 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package operator
+
+import (
+	"context"
+	"encoding/hex"
+	"fmt"
+	"net"
+
+	"github.com/cosi-project/runtime/pkg/safe"
+	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/insomniacslk/dhcp/dhcpv4"
+	"github.com/insomniacslk/dhcp/dhcpv6"
+	"github.com/insomniacslk/dhcp/iana"
+	"go.uber.org/zap"
+
+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
+	"github.com/siderolabs/talos/pkg/machinery/resources/network"
+)
+
+// GetDHCPv6ClientIdentifier returns the DHCPv6 client identifier to use.
+func GetDHCPv6ClientIdentifier(ctx context.Context, st state.State, logger *zap.Logger, linkName string, spec network.ClientIdentifierSpec) ([]dhcpv6.Modifier, error) {
+	switch spec.ClientIdentifier {
+	case nethelpers.ClientIdentifierNone:
+		return nil, nil //nolint:nilerr
+	case nethelpers.ClientIdentifierMAC:
+		link, err := safe.StateGetByID[*network.LinkStatus](ctx, st, linkName)
+		if err != nil {
+			return nil, fmt.Errorf("error getting link %q: %w", linkName, err)
+		}
+
+		if len(link.TypedSpec().HardwareAddr) == 0 {
+			return nil, fmt.Errorf("link %q has no hardware address", linkName)
+		}
+
+		duid := dhcpv6.DUIDLL{
+			HWType:        iana.HWTypeEthernet,
+			LinkLayerAddr: net.HardwareAddr(link.TypedSpec().HardwareAddr),
+		}
+
+		return []dhcpv6.Modifier{dhcpv6.WithClientID(&duid)}, nil
+	case nethelpers.ClientIdentifierDUID:
+		if spec.DUIDRawHex == "" {
+			return nil, fmt.Errorf("duidRawHex must be set when clientIdentifier is DUID")
+		}
+
+		duidBin, err := hex.DecodeString(spec.DUIDRawHex)
+		if err != nil {
+			logger.Error("failed to parse DUID, ignored", zap.String("link", linkName))
+
+			return nil, nil //nolint:nilerr
+		}
+
+		duid, err := dhcpv6.DUIDFromBytes(duidBin)
+		if err != nil {
+			logger.Error("failed to parse DUID, ignored", zap.String("link", linkName))
+
+			return nil, nil //nolint:nilerr
+		}
+
+		return []dhcpv6.Modifier{dhcpv6.WithClientID(duid)}, nil
+	default:
+		return nil, fmt.Errorf("unknown client identifier %d", spec.ClientIdentifier)
+	}
+}
+
+// GetDHCP4ClientIdentifier returns the DHCP client identifier to use.
+func GetDHCP4ClientIdentifier(ctx context.Context, st state.State, logger *zap.Logger, linkName string, spec network.ClientIdentifierSpec) ([]dhcpv4.Modifier, error) {
+	switch spec.ClientIdentifier {
+	case nethelpers.ClientIdentifierNone:
+		return nil, nil //nolint:nilerr
+	case nethelpers.ClientIdentifierMAC:
+		link, err := safe.StateGetByID[*network.LinkStatus](ctx, st, linkName)
+		if err != nil {
+			return nil, fmt.Errorf("error getting link %q: %w", linkName, err)
+		}
+
+		if len(link.TypedSpec().HardwareAddr) == 0 {
+			return nil, fmt.Errorf("link %q has no hardware address", linkName)
+		}
+
+		// per RFC 2132, section 9.14
+		identifier := append([]byte{byte(iana.HWTypeEthernet)}, link.TypedSpec().HardwareAddr...)
+
+		return []dhcpv4.Modifier{dhcpv4.WithOption(dhcpv4.OptClientIdentifier(identifier))}, nil
+	case nethelpers.ClientIdentifierDUID:
+		if spec.DUIDRawHex == "" {
+			return nil, fmt.Errorf("duidRawHex must be set when clientIdentifier is DUID")
+		}
+
+		duidBin, err := hex.DecodeString(spec.DUIDRawHex)
+		if err != nil {
+			logger.Error("failed to parse DUID, ignored", zap.String("link", linkName))
+
+			return nil, nil //nolint:nilerr
+		}
+
+		_, err = dhcpv6.DUIDFromBytes(duidBin)
+		if err != nil {
+			logger.Error("failed to parse DUID, ignored", zap.String("link", linkName))
+
+			return nil, nil //nolint:nilerr
+		}
+
+		return []dhcpv4.Modifier{dhcpv4.WithOption(dhcpv4.OptClientIdentifier(duidBin))}, nil
+	default:
+		return nil, fmt.Errorf("unknown client identifier %d", spec.ClientIdentifier)
+	}
+}

internal/app/machined/pkg/controllers/network/operator/client_identifier.go

@@ -35,6 +35,7 @@ type DHCP4 struct {
 
 	linkName            string
 	routeMetric         uint32
+	clientIdentifier    network.ClientIdentifierSpec
 	skipHostnameRequest bool
 	requestMTU          bool
 
@@ -57,6 +58,7 @@ func NewDHCP4(logger *zap.Logger, linkName string, config network.DHCP4OperatorS
 		linkName:            linkName,
 		routeMetric:         config.RouteMetric,
 		skipHostnameRequest: config.SkipHostnameRequest,
+		clientIdentifier:    config.ClientIdentifier,
 		// <3 azure
 		// When including dhcp.OptionInterfaceMTU we don't get a dhcp offer back on azure.
 		// So we'll need to explicitly exclude adding this option for azure.
@@ -522,7 +524,7 @@ func (d *DHCP4) requestRenew(ctx context.Context, hostname network.HostnameStatu
 		opts = append(opts, dhcpv4.OptionHostName, dhcpv4.OptionDomainName)
 	}
 
-	mods := []dhcpv4.Modifier{dhcpv4.WithRequestedOptions(opts...), WithNumSecunds(secs)}
+	mods := []dhcpv4.Modifier{dhcpv4.WithRequestedOptions(opts...), WithNumSeconds(secs)}
 
 	if !sendHostnameRequest {
 		// If the node has a hostname, always send it to the DHCP
@@ -536,6 +538,13 @@ func (d *DHCP4) requestRenew(ctx context.Context, hostname network.HostnameStatu
 		}
 	}
 
+	clientIdentifierModes, err := GetDHCP4ClientIdentifier(ctx, d.state, d.logger, d.linkName, d.clientIdentifier)
+	if err != nil {
+		return 0, fmt.Errorf("failed to get client identifier: %w", err)
+	}
+
+	mods = append(mods, clientIdentifierModes...)
+
 	client, err := d.newClient()
 	if err != nil {
 		return 0, err
@@ -594,8 +603,8 @@ func collapseSummary(summary string) string {
 	return strings.Join(lines, ", ")
 }
 
-// WithNumSecunds sets the secs field of a DHCPv4 packet.
-func WithNumSecunds(secs uint16) dhcpv4.Modifier {
+// WithNumSeconds sets the secs field of a DHCPv4 packet.
+func WithNumSeconds(secs uint16) dhcpv4.Modifier {
 	return func(d *dhcpv4.DHCPv4) {
 		d.NumSeconds = secs
 	}