feat: add airgapped mode to QEMU backed talos

Add new `--airgapped` flag to talos cluster create (qemu)
to disable NAT in the VMs to effectively become airgapped.

Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>

Author: shanduur

.github/workflows/ci.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-10-16T09:22:23Z by kres 7a9d88c.
+# Generated on 2025-10-22T12:39:45Z by kres 46e133d.
 
 concurrency:
   group: ${{ github.head_ref || github.run_id }}
@@ -625,6 +625,20 @@ jobs:
         if: github.event_name == 'schedule'
         run: |
           make talosctl-cni-bundle
+      - name: integration-images-list
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          make integration-images-list
+      - name: e2e-airgapped-no-proxy
+        env:
+          GITHUB_STEP_NAME: ${{ github.job}}-e2e-no-proxy
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_AIRGAPPED: no-proxy
+          WITH_CLUSTER_DISCOVERY: "false"
+        run: |
+          sudo -E make e2e-qemu
       - name: e2e-airgapped-http-proxy
         env:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-http-proxy

.github/workflows/integration-airgapped-cron.yaml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-10-01T17:01:09Z by kres bc281a9.
+# Generated on 2025-10-22T12:39:45Z by kres 46e133d.
 
 concurrency:
   group: ${{ github.head_ref || github.run_id }}
@@ -77,6 +77,20 @@ jobs:
         if: github.event_name == 'schedule'
         run: |
           make talosctl-cni-bundle
+      - name: integration-images-list
+        env:
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+        run: |
+          make integration-images-list
+      - name: e2e-airgapped-no-proxy
+        env:
+          GITHUB_STEP_NAME: ${{ github.job}}-e2e-no-proxy
+          IMAGE_REGISTRY: registry.dev.siderolabs.io
+          SHORT_INTEGRATION_TEST: "yes"
+          WITH_AIRGAPPED: no-proxy
+          WITH_CLUSTER_DISCOVERY: "false"
+        run: |
+          sudo -E make e2e-qemu
       - name: e2e-airgapped-http-proxy
         env:
           GITHUB_STEP_NAME: ${{ github.job}}-e2e-http-proxy

.kres.yaml

@@ -998,6 +998,19 @@ spec:
         - name: talosctl-cni-bundle
           conditions:
             - only-on-schedule
+        - name: integration-images-list
+          command: integration-images-list
+          environment:
+            IMAGE_REGISTRY: registry.dev.siderolabs.io
+        - name: e2e-airgapped-no-proxy
+          command: e2e-qemu
+          withSudo: true
+          environment:
+            GITHUB_STEP_NAME: ${{ github.job}}-e2e-no-proxy
+            SHORT_INTEGRATION_TEST: yes
+            WITH_AIRGAPPED: no-proxy
+            WITH_CLUSTER_DISCOVERY: "false"
+            IMAGE_REGISTRY: registry.dev.siderolabs.io
         - name: e2e-airgapped-http-proxy
           command: e2e-qemu
           withSudo: true

Makefile

@@ -482,10 +482,15 @@ uki-certs: talosctl ## Generate test certificates for SecureBoot/PCR Signing
 	@$(TALOSCTL_EXECUTABLE) gen secureboot pcr
 	@$(TALOSCTL_EXECUTABLE) gen secureboot database
 
-.PHONY: cache-create
-cache-create: installer imager ## Generate image cache.
+.PHONY: integration-images-list
+integration-images-list: ## Generate list of integration images.
 	@docker run --entrypoint /usr/local/bin/e2e.test registry.k8s.io/conformance:$(KUBECTL_VERSION) --list-images | \
-		$(TALOSCTL_EXECUTABLE) images integration --installer-tag=$(IMAGE_TAG_IN) --registry-and-user=$(REGISTRY_AND_USERNAME) | \
+		$(TALOSCTL_EXECUTABLE) images integration --installer-tag=$(IMAGE_TAG_IN) --registry-and-user=$(REGISTRY_AND_USERNAME) \
+		> $(ARTIFACTS)/integration-images.txt
+
+.PHONY: cache-create
+cache-create: installer imager integration-images-list ## Generate image cache.
+	@cat $(ARTIFACTS)/integration-images.txt | \
 		$(TALOSCTL_EXECUTABLE) images cache-create --image-cache-path=/tmp/cache.tar --images=- --force
 	@crane push /tmp/cache.tar $(REGISTRY_AND_USERNAME)/image-cache:$(IMAGE_TAG_OUT)
 	@$(MAKE) image-iso IMAGER_ARGS="--image-cache=$(REGISTRY_AND_USERNAME)/image-cache:$(IMAGE_TAG_OUT) --extra-kernel-arg='console=ttyS0'"

cmd/talosctl/cmd/mgmt/cluster/create/clusterops/configmaker/internal/makers/qemu.go

@@ -219,7 +219,7 @@ func (m *Qemu) AddExtraConfigBundleOpts() error {
 
 // ModifyClusterRequest implements ExtraOptionsProvider.
 func (m *Qemu) ModifyClusterRequest() error {
-	nameserverIPs, err := getNameserverIPs(m.EOps.Nameservers)
+	nameserverIPs, err := getNameserverIPs(m.EOps.Nameservers, m.GatewayIPs)
 	if err != nil {
 		return err
 	}
@@ -259,6 +259,11 @@ func (m *Qemu) ModifyClusterRequest() error {
 	m.ClusterRequest.Network.PacketReorder = m.EOps.PacketReorder
 	m.ClusterRequest.Network.PacketCorrupt = m.EOps.PacketCorrupt
 	m.ClusterRequest.Network.Bandwidth = m.EOps.Bandwidth
+	m.ClusterRequest.Network.Airgapped = m.EOps.Airgapped
+	m.ClusterRequest.Network.ImageCachePath = m.EOps.ImageCachePath
+	m.ClusterRequest.Network.ImageCacheTLSCertFile = m.EOps.ImageCacheTLSCertFile
+	m.ClusterRequest.Network.ImageCacheTLSKeyFile = m.EOps.ImageCacheTLSKeyFile
+	m.ClusterRequest.Network.ImageCachePort = m.EOps.ImageCachePort
 
 	m.ClusterRequest.KernelPath = m.EOps.NodeVmlinuzPath
 	m.ClusterRequest.InitramfsPath = m.EOps.NodeInitramfsPath
@@ -659,9 +664,13 @@ func (m *Qemu) initJSONLogs() {
 	m.ConfigBundleOps = slices.Concat(m.ConfigBundleOps, []bundle.Option{bundle.WithPatch([]configpatcher.Patch{configpatcher.NewStrategicMergePatch(cfg)})})
 }
 
-func getNameserverIPs(nameservers []string) ([]netip.Addr, error) {
+func getNameserverIPs(nameservers []string, gatewayIPs []netip.Addr) ([]netip.Addr, error) {
 	nameserverIPs := make([]netip.Addr, len(nameservers))
 
+	if len(nameservers) == 0 {
+		return gatewayIPs, nil
+	}
+
 	for i := range nameserverIPs {
 		ip, err := netip.ParseAddr(nameservers[i])
 		if err != nil {

cmd/talosctl/cmd/mgmt/cluster/create/clusterops/options.go

@@ -140,6 +140,11 @@ type Qemu struct {
 	DebugShellEnabled         bool
 	WithIOMMU                 bool
 	ConfigInjectionMethod     string
+	Airgapped                 bool
+	ImageCachePath            string
+	ImageCacheTLSCertFile     string
+	ImageCacheTLSKeyFile      string
+	ImageCachePort            uint16
 }
 
 // GetCommon returns the default common options.
@@ -181,15 +186,16 @@ func GetQemu() Qemu {
 		PreallocateDisks:  false,
 		BootloaderEnabled: true,
 		UefiEnabled:       true,
-		Nameservers:       []string{"8.8.8.8", "1.1.1.1", "2001:4860:4860::8888", "2606:4700:4700::1111"},
+		Nameservers:       []string{},
 		DiskBlockSize:     512,
 		TargetArch:        runtime.GOARCH,
 		CniBinPath:        []string{filepath.Join(clustercmd.DefaultCNIDir, "bin")},
 		CniConfDir:        filepath.Join(clustercmd.DefaultCNIDir, "conf.d"),
 		CniCacheDir:       filepath.Join(clustercmd.DefaultCNIDir, "cache"),
 		CniBundleURL: fmt.Sprintf("https://github.com/%s/talos/releases/download/%s/talosctl-cni-bundle-%s.tar.gz",
 			images.Username, version.Trim(version.Tag), constants.ArchVariable),
-		Disks: disks,
+		Disks:          disks,
+		ImageCachePort: 5000,
 	}
 }
 

cmd/talosctl/cmd/mgmt/cluster/create/cmd_dev.go

@@ -98,6 +98,11 @@ func getCreateCmd() *cobra.Command {
 		withUUIDHostnamesFlag         = "with-uuid-hostnames"
 		withSiderolinkAgentFlag       = "with-siderolink"
 		configInjectionMethodFlag     = "config-injection-method"
+		airgappedFlag                 = "airgapped"
+		imageCachePathFlag            = "image-cache-path"
+		imageCacheTLSCertFileFlag     = "image-cache-tls-cert-file"
+		imageCacheTLSKeyFileFlag      = "image-cache-tls-key-file"
+		imageCachePortFlag            = "image-cache-port"
 
 		// The following flags are the gen options - the options that are only used in machine configuration (i.e., not during the qemu/docker provisioning).
 		// They are not applicable when no machine configuration is generated, hence mutually exclusive with the --input-dir flag.
@@ -131,6 +136,7 @@ func getCreateCmd() *cobra.Command {
 		packetReorderFlag,
 		packetCorruptFlag,
 		bandwidthFlag,
+		airgappedFlag,
 
 		// The following might work but need testing first.
 		configInjectionMethodFlag,
@@ -209,7 +215,7 @@ func getCreateCmd() *cobra.Command {
 		qemu.MarkHidden("with-debug-shell") //nolint:errcheck
 		qemu.StringSliceVar(&qOps.ExtraUEFISearchPaths, extraUEFISearchPathsFlag, qOps.ExtraUEFISearchPaths, "additional search paths for UEFI firmware (only applies when UEFI is enabled)")
 		qemu.StringSliceVar(&qOps.NetworkNoMasqueradeCIDRs, networkNoMasqueradeCIDRsFlag, qOps.NetworkNoMasqueradeCIDRs, "list of CIDRs to exclude from NAT")
-		qemu.StringSliceVar(&qOps.Nameservers, nameserversFlag, qOps.Nameservers, "list of nameservers to use")
+		qemu.StringSliceVar(&qOps.Nameservers, nameserversFlag, qOps.Nameservers, "list of nameservers to use, by default use embedded DNS forwarder")
 		qemu.UintVar(&qOps.DiskBlockSize, diskBlockSizeFlag, qOps.DiskBlockSize, "disk block size")
 		qemu.StringVar(&qOps.TargetArch, targetArchFlag, qOps.TargetArch, "cluster architecture")
 		qemu.StringSliceVar(&qOps.CniBinPath, cniBinPathFlag, qOps.CniBinPath, "search path for CNI binaries")
@@ -239,6 +245,11 @@ func getCreateCmd() *cobra.Command {
 			"enables the use of siderolink agent as configuration apply mechanism. `true` or `wireguard` enables the agent, `tunnel` enables the agent with grpc tunneling")
 		qemu.StringVar(&qOps.ConfigInjectionMethod,
 			configInjectionMethodFlag, qOps.ConfigInjectionMethod, "a method to inject machine config: default is HTTP server, 'metal-iso' to mount an ISO")
+		qemu.BoolVar(&qOps.Airgapped, airgappedFlag, qOps.Airgapped, "limit VM network access to the provisioning network only")
+		qemu.StringVar(&qOps.ImageCachePath, imageCachePathFlag, qOps.ImageCachePath, "path to image cache")
+		qemu.StringVar(&qOps.ImageCacheTLSCertFile, imageCacheTLSCertFileFlag, qOps.ImageCacheTLSCertFile, "path to image cache TLS cert")
+		qemu.StringVar(&qOps.ImageCacheTLSKeyFile, imageCacheTLSKeyFileFlag, qOps.ImageCacheTLSKeyFile, "path to image cache TLS key")
+		qemu.Uint16Var(&qOps.ImageCachePort, imageCachePortFlag, qOps.ImageCachePort, "port on which to serve image cache")
 
 		return qemu
 	}

cmd/talosctl/cmd/mgmt/debug/air-gapped.go

@@ -7,7 +7,6 @@ package debug
 import (
 	"context"
 	"crypto/tls"
-	stdx509 "crypto/x509"
 	"embed"
 	"fmt"
 	"io"
@@ -21,10 +20,10 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/siderolabs/crypto/x509"
 	"github.com/spf13/cobra"
 	"golang.org/x/sync/errgroup"
 
+	"github.com/siderolabs/talos/cmd/talosctl/pkg/mgmt/helpers"
 	"github.com/siderolabs/talos/pkg/cli"
 	"github.com/siderolabs/talos/pkg/machinery/config/container"
 	"github.com/siderolabs/talos/pkg/machinery/config/encoder"
@@ -55,7 +54,7 @@ var airgappedCmd = &cobra.Command{
 	RunE: func(cmd *cobra.Command, args []string) error {
 		return cli.WithContext(
 			context.Background(), func(ctx context.Context) error {
-				caPEM, certPEM, keyPEM, err := generateSelfSignedCert()
+				caPEM, certPEM, keyPEM, err := helpers.GenerateSelfSignedCert([]net.IP{airgappedFlags.advertisedAddress})
 				if err != nil {
 					return nil
 				}
@@ -123,25 +122,6 @@ func generateConfigPatch(caPEM []byte) error {
 	return os.WriteFile(patchFile, patchBytes, 0o644)
 }
 
-func generateSelfSignedCert() ([]byte, []byte, []byte, error) {
-	ca, err := x509.NewSelfSignedCertificateAuthority(x509.ECDSA(true))
-	if err != nil {
-		return nil, nil, nil, err
-	}
-
-	serverIdentity, err := x509.NewKeyPair(ca,
-		x509.Organization("test"),
-		x509.CommonName("server"),
-		x509.IPAddresses([]net.IP{airgappedFlags.advertisedAddress}),
-		x509.ExtKeyUsage([]stdx509.ExtKeyUsage{stdx509.ExtKeyUsageServerAuth}),
-	)
-	if err != nil {
-		return nil, nil, nil, err
-	}
-
-	return ca.CrtPEM, serverIdentity.CrtPEM, serverIdentity.KeyPEM, nil
-}
-
 func runHTTPServer(ctx context.Context, certPEM, keyPEM []byte) error {
 	certificate, err := tls.X509KeyPair(certPEM, keyPEM)
 	if err != nil {

cmd/talosctl/cmd/mgmt/dhcpd_launch.go

@@ -33,7 +33,7 @@ var dhcpdLaunchCmd = &cobra.Command{
 	RunE: func(cmd *cobra.Command, args []string) error {
 		var ips []net.IP
 
-		for _, ip := range strings.Split(dhcpdLaunchCmdFlags.addr, ",") {
+		for ip := range strings.SplitSeq(dhcpdLaunchCmdFlags.addr, ",") {
 			ips = append(ips, net.ParseIP(ip))
 		}
 

cmd/talosctl/cmd/mgmt/dnsd_launch.go

@@ -0,0 +1,52 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+//go:build linux || darwin
+
+package mgmt
+
+import (
+	"net"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/sync/errgroup"
+
+	"github.com/siderolabs/talos/pkg/provision/providers/vm"
+)
+
+var dnsdLaunchCmdFlags struct {
+	addr       string
+	resolvConf string
+}
+
+// dnsdLaunchCmd represents the dnsd-launch command.
+var dnsdLaunchCmd = &cobra.Command{
+	Use:    "dnsd-launch",
+	Short:  "Internal command used by VM provisioners",
+	Long:   ``,
+	Args:   cobra.NoArgs,
+	Hidden: true,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		var ips []net.IP
+
+		for ip := range strings.SplitSeq(dnsdLaunchCmdFlags.addr, ",") {
+			ips = append(ips, net.ParseIP(ip))
+		}
+
+		var eg errgroup.Group
+
+		eg.Go(func() error {
+			return vm.DNSd(ips, dnsdLaunchCmdFlags.resolvConf)
+		})
+
+		return eg.Wait()
+	},
+}
+
+func init() {
+	dnsdLaunchCmd.Flags().StringVar(&dnsdLaunchCmdFlags.addr, "addr", "localhost:53", "IP addresses to listen on")
+	dnsdLaunchCmd.Flags().StringVar(&dnsdLaunchCmdFlags.resolvConf, "resolv-conf", "/etc/resolv.conf", "path to resolv file")
+	addCommand(dnsdLaunchCmd)
+}