Skip to main content
System extensions in Talos provide ways to add files to the root filesystem and make it possible to run privileged containers as services. But Talos still requires that kernel modules be signed with a trusted signing key to be loaded at run time. To add a kernel module to Talos you will need to create a system extension that is built with the kernel and signed by the same signing key. System extensions without kernel modules work without this requirement, but there are a couple extra step s needed when adding kernel modules.

Create a package hello

Talos is built from the pkgs repo and the first step will be to add your custom package to that repo to be built with Talos. You can look at other packages in that repository for examples of what should be included. The only file required to create a package is a pkg.yaml file in a folder. Let’s create an example package to walk through each step. Clone the repo and create a folder.
Now add the package to the .kres.yaml file in the root of the repository. We use this file for templating and generating Makefiles. Put your out-of-tree kernel module below the comment for dependent packages.
Run the following command to generate a new Makefile.
Now you have a make target to build your module and a directory to store your module configuration. The next step is to create a pkg.yaml file to tell bldr how to create a container with the files you need. The bldr tool has assumptions about directory structure and steps you can read about in the GitHub repo. This example does not build a kernel module, but it can be used as a basis for your own packages. Please also see existing pkg.yaml files in the pkgs repo

Build the package and kernel

After you’ve created a pkg.yaml file you can test building your package with the make target you generated earlier. Because Talos requires kernel modules to be signed with a signing key only available during the Talos kernel build process we need to build the kernel and package at the same time. We also need a container registry available to store the built assets. Follow the steps in developing Talos to create a docker builder and run a local container registry before running this command.
If this is successful it should output two pieces of information we need to collect for the next steps. We need to save the kernel and package images. The output will look something like this:
For easier reference in this guide I will save these images as $KERNEL_IMAGE and $PKG_IMAGE variables.

Create an extension

System extensions are the way to add software and files to a Talos Linux root filesystem. Just like packages they are built as containers and then layered with Talos to create a bootable squashfs image. The only unique thing about building a system extension with a kernel module is we need to build it against the kernel we just built in the previous step. If we don’t do this then our kernel module won’t be signed and cannot be loaded at runtime. The process is very similar to creating a package. Start by cloning the extensions repo:
Add your extension to the .kres.yaml file.
Then generate a new Makefile with additional target.
Now create the manifest.yaml file for the metadata of your extension in the my-module folder.
Create a pkg.yaml file in the my-module folder which works similarly to our pkg.yaml file for our package, but this time starts from the base image we built in the first step. The local directory is mounted into the container at /pkg so we can copy files from that directory.
Lastly create a vars.yaml file to store a version variable in the my-module folder. This isn’t strictly required, but it is a convention used which will let the automated build work.

Build extension

You now have a complete extension config and can build it with the kernel from your previous pkg build.
This will create a system extension image and push it to your local registry. Copy the image that get’s pushed and save it as ${EXTENSION_IMAGE}.

Test the extension

Now we need to create installation media to boot Talos. We will build and use imager to include our extension. Clone the Talos repo.
Build the installer, and remember to use the kernel image from the first step.
This will create two images - installer-base and imager and push them to your local registry. Export the installer-base image and save it as $BASE_INSTALLER_IMAGE. Create an installer image from your extension and the installer-base you just created with the following command.
We’ll have a new container image tar file in the _out/ folder of our repository. Load and push the container image to a registry with crane. Make sure you replace $REGISTRY, $USER, and $TAG with the values you want.
And if you don’t have crane:

Test the installer with fresh install

Now you can boot a machine from generic Talos installation media. This is only used to get access to the API so we can apply a configuration that will use our installer image. We’ll assume this machine has an IP address of 192.168.100.100 Generate a configuration that uses your installer image.
Now create a configuration patch that loads your kernel module by name. This should be the name of the .ko file you built in the package and put in the /modules directory.
Apply the machine config and patch to your test machine.
The machine will reboot as Talos is installed. When the machine boots you should see logs that the module was loaded from dmesg.

Test installer with existing machine

If you already have Talos running on a machine you can apply the installer during an upgrade to have the extension installed.
Make sure you still create a patch to load the kernel module and apply it to the machine.
Apply the machine config and patch to your test machine.