feat: add /system directory

Dockerfile

@@ -332,7 +332,7 @@ COPY hack/containerd.toml /rootfs/etc/cri/containerd.toml
 RUN touch /rootfs/etc/resolv.conf
 RUN touch /rootfs/etc/hosts
 RUN touch /rootfs/etc/os-release
-RUN mkdir -pv /rootfs/{boot,usr/local/share,mnt}
+RUN mkdir -pv /rootfs/{boot,usr/local/share,mnt,system}
 RUN mkdir -pv /rootfs/{etc/kubernetes/manifests,etc/cni,usr/libexec/kubernetes}
 RUN ln -s /etc/ssl /rootfs/etc/pki
 RUN ln -s /etc/ssl /rootfs/usr/share/ca-certificates

internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go

@@ -96,8 +96,8 @@ func EnforceKSPPRequirements(seq runtime.Sequence, data interface{}) runtime.Tas
 // SetupSystemDirectory represents the SetupSystemDirectory task.
 func SetupSystemDirectory(seq runtime.Sequence, data interface{}) runtime.TaskExecutionFunc {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) {
-		for _, p := range []string{"etc", "log"} {
-			if err = os.MkdirAll(filepath.Join(constants.SystemRunPath, p), 0700); err != nil {
+		for _, p := range []string{constants.SystemEtcPath, constants.SystemRunPath, constants.SystemVarPath} {
+			if err = os.MkdirAll(p, 0700); err != nil {
 				return err
 			}
 		}
@@ -297,18 +297,18 @@ BUG_REPORT_URL="https://github.com/talos-systems/talos/issues"
 
 // Hosts creates a persistent and writable /etc/hosts file.
 func Hosts() (err error) {
-	return createBindMount("/run/system/etc/hosts", "/etc/hosts")
+	return createBindMount(filepath.Join(constants.SystemEtcPath, "hosts"), "/etc/hosts")
 }
 
 // ResolvConf creates a persistent and writable /etc/resolv.conf file.
 func ResolvConf() (err error) {
-	return createBindMount("/run/system/etc/resolv.conf", "/etc/resolv.conf")
+	return createBindMount(filepath.Join(constants.SystemEtcPath, "resolv.conf"), "/etc/resolv.conf")
 }
 
 // OSRelease renders a valid /etc/os-release file and writes it to disk. The
 // node's OS Image field is reported by the node from /etc/os-release.
 func OSRelease() (err error) {
-	if err = createBindMount("/run/system/etc/os-release", "/etc/os-release"); err != nil {
+	if err = createBindMount(filepath.Join(constants.SystemEtcPath, "os-release"), "/etc/os-release"); err != nil {
 		return err
 	}
 
@@ -348,7 +348,7 @@ func OSRelease() (err error) {
 		return err
 	}
 
-	return ioutil.WriteFile("/run/system/etc/os-release", writer.Bytes(), 0644)
+	return ioutil.WriteFile(filepath.Join(constants.SystemEtcPath, "os-release"), writer.Bytes(), 0644)
 }
 
 // createBindMount creates a common way to create a writable source file with a

internal/app/machined/pkg/system/services/containerd.go

@@ -7,6 +7,7 @@ package services
 import (
 	"context"
 	"fmt"
+	"path/filepath"
 
 	"github.com/containerd/containerd"
 	"google.golang.org/grpc/health/grpc_health_v1"
@@ -58,8 +59,8 @@ func (c *Containerd) Runner(r runtime.Runtime) (runner.Runner, error) {
 		ProcessArgs: []string{
 			"/bin/containerd",
 			"--address", constants.SystemContainerdAddress,
-			"--state", "/run/system/containerd",
-			"--root", "/run/system/lib/containerd",
+			"--state", filepath.Join(constants.SystemRunPath, "containerd"),
+			"--root", filepath.Join(constants.SystemVarPath, "lib", "containerd"),
 		},
 	}
 

internal/app/machined/pkg/system/services/kubelet.go

@@ -105,10 +105,6 @@ func (k *Kubelet) PreFunc(ctx context.Context, r runtime.Runtime) error {
 		return err
 	}
 
-	if err := os.MkdirAll("/run/kubelet", 0700); err != nil {
-		return err
-	}
-
 	client, err := containerdapi.New(constants.ContainerdAddress)
 	if err != nil {
 		return err
@@ -168,8 +164,7 @@ func (k *Kubelet) Runner(r runtime.Runtime) (runner.Runner, error) {
 		{Type: "bind", Destination: "/etc/os-release", Source: "/etc/os-release", Options: []string{"bind", "ro"}},
 		{Type: "bind", Destination: "/etc/cni", Source: "/etc/cni", Options: []string{"rbind", "rshared", "rw"}},
 		{Type: "bind", Destination: "/usr/libexec/kubernetes", Source: "/usr/libexec/kubernetes", Options: []string{"rbind", "rshared", "rw"}},
-		{Type: "bind", Destination: "/run", Source: "/run/kubelet", Options: []string{"rbind", "rprivate", "rw"}},
-		{Type: "bind", Destination: "/run/containerd", Source: "/run/containerd", Options: []string{"rbind", "rprivate", "ro"}},
+		{Type: "bind", Destination: "/var/run", Source: "/run", Options: []string{"rbind", "rshared", "rw"}},
 		{Type: "bind", Destination: "/var/lib/containerd", Source: "/var/lib/containerd", Options: []string{"rbind", "rshared", "rw"}},
 		{Type: "bind", Destination: "/var/lib/kubelet", Source: "/var/lib/kubelet", Options: []string{"rbind", "rshared", "rw"}},
 		{Type: "bind", Destination: "/var/log/pods", Source: "/var/log/pods", Options: []string{"rbind", "rshared", "rw"}},

internal/pkg/mount/mount.go

@@ -338,8 +338,8 @@ func share(p *Point) error {
 func overlay(p *Point) error {
 	parts := strings.Split(p.target, "/")
 	prefix := strings.Join(parts[1:], "-")
-	diff := fmt.Sprintf(filepath.Join(constants.SystemVarPath, "%s-diff"), prefix)
-	workdir := fmt.Sprintf(filepath.Join(constants.SystemVarPath, "%s-workdir"), prefix)
+	diff := fmt.Sprintf(filepath.Join(constants.SystemOverlaysPath, "%s-diff"), prefix)
+	workdir := fmt.Sprintf(filepath.Join(constants.SystemOverlaysPath, "%s-workdir"), prefix)
 
 	for _, target := range []string{diff, workdir} {
 		if err := ensureDirectory(target); err != nil {

internal/pkg/mount/overlay.go

@@ -9,7 +9,7 @@ import (
 )
 
 // OverlayMountPoints returns the mountpoints required to boot the system.
-// These moiuntpoints are used as overlays on top of the read only rootfs.
+// These mountpoints are used as overlays on top of the read only rootfs.
 func OverlayMountPoints() (mountpoints *Points, err error) {
 	mountpoints = NewMountPoints()
 

internal/pkg/mount/pseudo.go

@@ -15,6 +15,7 @@ func PseudoMountPoints() (mountpoints *Points, err error) {
 	pseudo.Set("proc", NewMountPoint("proc", "/proc", "proc", unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV, ""))
 	pseudo.Set("sys", NewMountPoint("sysfs", "/sys", "sysfs", 0, ""))
 	pseudo.Set("run", NewMountPoint("tmpfs", "/run", "tmpfs", 0, ""))
+	pseudo.Set("system", NewMountPoint("tmpfs", "/system", "tmpfs", 0, ""))
 	pseudo.Set("tmp", NewMountPoint("tmpfs", "/tmp", "tmpfs", 0, ""))
 
 	return pseudo, nil

internal/pkg/provision/providers/docker/node.go

@@ -83,6 +83,7 @@ func (p *provisioner) createNode(ctx context.Context, clusterReq provision.Clust
 			"/var/lib/kubelet":    {},
 			"/etc/cni":            {},
 			"/run":                {},
+			"/system":             {},
 		},
 	}
 

pkg/constants/constants.go

@@ -263,13 +263,21 @@ const (
 	// DefaultCertificateValidityDuration is the default duration for a certificate.
 	DefaultCertificateValidityDuration = 24 * time.Hour
 
-	// SystemVarPath is the path to write runtime system related files and
-	// directories.
-	SystemVarPath = "/var/system"
-
-	// SystemRunPath is the path to write temporary runtime system related files
+	// SystemPath is the path to write temporary runtime system related files
 	// and directories.
-	SystemRunPath = "/run/system"
+	SystemPath = "/system"
+
+	// SystemOverlaysPath is the path where overlay mounts are created.
+	SystemOverlaysPath = "/var/system/overlays"
+
+	// SystemRunPath is the path to the system run directory.
+	SystemRunPath = SystemPath + "/run"
+
+	// SystemVarPath is the path to the system var directory.
+	SystemVarPath = SystemPath + "/var"
+
+	// SystemEtcPath is the path to the system etc directory.
+	SystemEtcPath = SystemPath + "/etc"
 
 	// DefaultInstallerImageName is the default container image name for
 	// the installer.
@@ -283,9 +291,6 @@ const (
 	// the talos image.
 	DefaultTalosImageRepository = "docker.io/autonomy/talos"
 
-	// DefaultLogPath is the default path to the log storage directory.
-	DefaultLogPath = SystemRunPath + "/log"
-
 	// DefaultCNI is the default CNI.
 	DefaultCNI = "flannel"