Yesterday I noticed the following question on the TuringPi Discord server:

Hi everybody, does anyone happen to have a gist or some public docs on how to get system extensions working with Talos on RK1?

I’m running v1.7.5 of this patched fork of Talos and spent 2-3 hours today trying to get the siderolabs/iscsi-tools and siderolabs/util-linux-tools running, but I don’t really understand the sequence of steps required to build the needed custom image.

I tried following the official Talos docs, but I’m either missing something or just straight up don’t understand what’s written there 😄

Any tip would be great!

While I could easily answer the question - I had done that a few times myself since Talos 1.7.1 - it was also a gentle reminder that I should write down the proper instructions instead of relying on my shell history. So here we go, step by step.

Building the Image

The first step is building the actual Talos image which will require some information about the system extensions to include:

docker run --rm -t \
  -v $PWD/_out:/out \
  ghcr.io/nberlee/imager:v1.7.5 installer \
  --arch arm64 \
  --board turing_rk1 \
  --platform metal \
  --base-installer-image ghcr.io/nberlee/installer:v1.7.5-rk3588 \
  --system-extension-image ghcr.io/nberlee/rk3588:v1.7.5@sha256:ba2b580d472c3a3fdaadf13943425b557d834b5d713ef6fe12cb36b691660487 \
  --system-extension-image ghcr.io/siderolabs/iscsi-tools:v0.1.4@sha256:717337c7437f0cf22124ecd86e89602b54aeae9938e8656d18cefb6c60d2410a \
  --system-extension-image ghcr.io/siderolabs/util-linux-tools:2.40.1@sha256:0f9a492b52ee161c192a7be5f99c7efe0b6d3fa8455e516149eaf76c48cb39c7

As you can see, some extensions have the same version number as the Talos images. I believe they contain modules for the kernel, so it’s probably safe to assume that they should go hand in hand. The SHA256 values can be found on the corresponding GitHub pages.

Uploading the Image to the Registry

The next step, once building the image succeeded, is uploading the result to the container registry of your choice. To do so, the tool crane is needed, which is part of Google’s go-containerregistry. The command for uploading looks as follows:

crane push _out/installer-arm64.tar docker.io/docbobo/talos-installer:v1.7.5

For the sake of this post, I am using docker.io as the registry, even though I usually keep my images in-house.

Finally… the Upgrade

The last step is running the upgrade for each node:

talosctl upgrade --preserve -i docker.io/docbobo/talos-installer:v1.7.5 -n <node-ip>

This could probably be completely automated, but given the potential for issues, I’d like to do that one my one. Super important here is the --preserve flag, because I’d like to keep my data around.