docs(talos): warn against changing op: on the machine files block#575

Merged: Aleksei Sviridkin (lexfrei) merged 3 commits into main from docs/talos-files-op-warning on Jul 3, 2026

@lexfrei Aleksei Sviridkin (lexfrei) commented Jun 11, 2026

What

Adds a warning next to the Talos machine.files block in the bare-metal bootstrap docs (talm and talosctl variants).

Why

Talos rejects op: create for any file outside /var, except the special-cased CRI customization part, so the /etc/lvm/lvm.conf entry must use op: overwrite. If the op is changed, the WriteUserFiles boot step fails, the node reboot-loops, and talosctl bootstrap reports only the opaque bootstrap is not available yet — making the root cause hard to find. Hit during a real bare-metal install.

Summary by CodeRabbit

  • Documentation
    • Added clarification warning callouts for Talos configuration patch op operations, explaining that op: create is restricted to /var (with an allowed exception) and that specific files like /etc/lvm/lvm.conf require op: overwrite.
    • Notes that incorrect op values can lead to node boot failure/boot loops and may block talosctl bootstrap.
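
A pre-flight check for the rule this PR documents, as an added example that is not part of the PR or of Talos. The function names, the sample entries and the path normalization step are assumptions of the example; the rule, the exception path and the error string are the ones quoted in the description above.

```python
import posixpath

# Rule as stated in this PR: Talos rejects `op: create` outside /var, except
# for the special-cased CRI customization part.
CREATE_ROOT = "/var"
CREATE_EXCEPTIONS = {"/etc/cri/conf.d/20-customization.part"}
TALOS_ERROR = "create operation not allowed outside of /var"  # string quoted in the PR


def create_allowed(path: str) -> bool:
    """True if `op: create` is acceptable for this path under the rule above."""
    # Assumption of this example: normalize first, so "/var/../etc/x" is judged
    # by where it points. Stricter than necessary is fine for a pre-flight check.
    norm = posixpath.normpath(path)
    return norm in CREATE_EXCEPTIONS or norm.startswith(CREATE_ROOT + "/")


def lint_machine_files(files: list) -> list:
    """Return (index, path, message) for every entry this check flags."""
    findings = []
    for index, entry in enumerate(files):
        path, op = entry.get("path", ""), entry.get("op", "")
        if op == "create" and not create_allowed(path):
            findings.append((index, path, f"{TALOS_ERROR}; use op: overwrite"))
    return findings


# Constructed sample: the machine.files list of a config patch, already parsed
# from YAML. File contents are placeholders.
SAMPLE_FILES = [
    {"path": "/etc/cri/conf.d/20-customization.part", "op": "create", "content": "..."},
    {"path": "/etc/lvm/lvm.conf", "op": "overwrite", "content": "..."},
    {"path": "/etc/lvm/lvm.conf", "op": "create", "content": "..."},  # the mistake
    {"path": "/var/lib/example/settings.conf", "op": "create", "content": "..."},
    {"path": "/var/../etc/example.conf", "op": "create", "content": "..."},
]

if __name__ == "__main__":
    for index, path, message in lint_machine_files(SAMPLE_FILES):
        print(f"machine.files[{index}] {path}: {message}")
```

Running a check like this on the patch before applying it surfaces the wrong `op` at review time instead of as a reboot loop on the node.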

netlify Bot commented Jun 11, 2026


Deploy Preview for cozystack ready!

Name Link
🔨 Latest commit abdb5d1
🔍 Latest deploy log https://app.netlify.com/projects/cozystack/deploys/6a476b4cdc3bbd0008e252cd
😎 Deploy Preview https://deploy-preview-575--cozystack.netlify.app

coderabbitai Bot commented Jun 11, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 868dcd90-9ee4-471f-8623-d9fed15b34e6

📥 Commits

Reviewing files that changed from the base of the PR and between b40c7ed and abdb5d1.

📒 Files selected for processing (2)
  • content/en/docs/next/install/kubernetes/talos-bootstrap.md
  • content/en/docs/next/install/kubernetes/talosctl.md

📝 Walkthrough

This PR adds warning callouts to two Talos installation docs explaining op field constraints in configuration patches, including the /var limitation, the /etc/cri/conf.d/20-customization.part exception, and failure behavior when unsupported operations are used.

Changes

Talos Configuration Documentation

| Layer / File(s) | Summary |
| --- | --- |
| Talos op field constraints documentation: content/en/docs/next/install/kubernetes/talos-bootstrap.md, content/en/docs/next/install/kubernetes/talosctl.md | Warning callouts document that op: create is disallowed for files outside /var except /etc/cri/conf.d/20-customization.part, and that using unsupported operations for other /etc paths can trigger boot loops and prevent talosctl bootstrap. |

Estimated code review effort: 1 (Trivial) | ~3 minutes

Suggested reviewers: kvaps, NickVolynkin

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the primary change: adding documentation warnings about not changing the 'op' field in Talos machine files block, which is the main focus of both documentation updates. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request adds warning alerts to the Talos installation documentation (talos-bootstrap.md and talosctl.md) to caution users against changing the op: field on specific configuration entries, explaining that Talos rejects op: create outside of /var. The review comments suggest improving the phrasing "reboots on a loop" to "enters a reboot loop" for better readability in both files.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

```

{{% alert title="Do not change op: on these entries" color="warning" %}}
Talos rejects `op: create` for any file outside `/var` with `create operation not allowed outside of /var` — the only exception is the special-cased `/etc/cri/conf.d/20-customization.part`. Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`. Changing the op (or pointing `create` at another `/etc` path) fails the `WriteUserFiles` boot step: the node pauses and reboots on a loop, and `talosctl bootstrap` reports only `bootstrap is not available yet` with no obvious cause.
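
Review bot: The second sentence of the added paragraph gives a different reason from the first, which can leave the reader unsure why `op: overwrite` is required. The first sentence says `op: create` is rejected because the path is outside `/var`, while "Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`" attributes it to the file already existing. Suggest tying the two together, for example by saying that `/etc/lvm/lvm.conf` is outside `/var` and already present, so `overwrite` is the op that applies.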

medium

The phrase "reboots on a loop" is slightly unidiomatic. Consider changing it to "enters a reboot loop" or "reboots in a loop" for better readability.

Suggested change
Talos rejects `op: create` for any file outside `/var` with `create operation not allowed outside of /var` — the only exception is the special-cased `/etc/cri/conf.d/20-customization.part`. Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`. Changing the op (or pointing `create` at another `/etc` path) fails the `WriteUserFiles` boot step: the node pauses and reboots on a loop, and `talosctl bootstrap` reports only `bootstrap is not available yet` with no obvious cause.
Talos rejects `op: create` for any file outside `/var` with `create operation not allowed outside of /var` — the only exception is the special-cased `/etc/cri/conf.d/20-customization.part`. Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`. Changing the op (or pointing `create` at another `/etc` path) fails the `WriteUserFiles` boot step: the node pauses and enters a reboot loop, and `talosctl bootstrap` reports only `bootstrap is not available yet` with no obvious cause.

Contributor Author

Reworded to "enters a reboot loop". Fixed in e2a0505.

```

{{% alert title="Do not change op: on these entries" color="warning" %}}
Talos rejects `op: create` for any file outside `/var` with `create operation not allowed outside of /var` — the only exception is the special-cased `/etc/cri/conf.d/20-customization.part`. Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`. Changing the op (or pointing `create` at another `/etc` path) fails the `WriteUserFiles` boot step: the node pauses and reboots on a loop, and `talosctl bootstrap` reports only `bootstrap is not available yet` with no obvious cause.
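
Review bot: The last sentence of the added paragraph names the symptom (`bootstrap is not available yet` "with no obvious cause") but the callout never says where the reader would see `create operation not allowed outside of /var`, so someone already in the reboot loop still cannot confirm this is the cause. Suggest adding one sentence stating where that error string is reported, and naming `machine.files` in the title "Do not change op: on these entries" so it stays meaningful if the callout is moved away from the block.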

medium

The phrase "reboots on a loop" is slightly unidiomatic. Consider changing it to "enters a reboot loop" or "reboots in a loop" for better readability.

Suggested change
Talos rejects `op: create` for any file outside `/var` with `create operation not allowed outside of /var` — the only exception is the special-cased `/etc/cri/conf.d/20-customization.part`. Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`. Changing the op (or pointing `create` at another `/etc` path) fails the `WriteUserFiles` boot step: the node pauses and reboots on a loop, and `talosctl bootstrap` reports only `bootstrap is not available yet` with no obvious cause.
Talos rejects `op: create` for any file outside `/var` with `create operation not allowed outside of /var` — the only exception is the special-cased `/etc/cri/conf.d/20-customization.part`. Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`. Changing the op (or pointing `create` at another `/etc` path) fails the `WriteUserFiles` boot step: the node pauses and enters a reboot loop, and `talosctl bootstrap` reports only `bootstrap is not available yet` with no obvious cause.

Contributor Author

Reworded to "enters a reboot loop". Fixed in e2a0505.

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
content/en/docs/next/install/kubernetes/talosctl.md (1)

129-131: ⚡ Quick win

Consider clarifying the error message format.

The phrase "with create operation not allowed outside of /var" embeds what appears to be a Talos error message in prose. For clarity, consider either:

  • Formatting it as a direct quote: "Talos rejects op: create for any file outside /var, returning the error create operation not allowed outside of /var", or
  • Paraphrasing without backticks: "Talos rejects op: create for any file outside /var (except the special-cased /etc/cri/conf.d/20-customization.part)"

The current phrasing mixes quotation and paraphrase.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/next/install/kubernetes/talosctl.md` around lines 129 - 131,
The sentence mixing prose and an embedded Talos error should be clarified:
either rephrase it to quote the exact error (e.g., "Talos rejects `op: create`
for any file outside `/var`, returning the error `create operation not allowed
outside of /var`") or fully paraphrase without backticks (e.g., "Talos rejects
op: create for any file outside /var (except the special-cased
/etc/cri/conf.d/20-customization.part)"); update the text that references op:
create, /var, /etc/cri/conf.d/20-customization.part, /etc/lvm/lvm.conf,
WriteUserFiles, and the talosctl bootstrap message so the error string is
consistently quoted or removed from inline prose for clarity.

content/en/docs/next/install/kubernetes/talos-bootstrap.md (1)

105-107: ⚡ Quick win

Consider clarifying the error message format.

The phrase "with create operation not allowed outside of /var" embeds what appears to be a Talos error message in prose. For clarity, consider either:

  • Formatting it as a direct quote: "Talos rejects op: create for any file outside /var, returning the error create operation not allowed outside of /var", or
  • Paraphrasing without backticks: "Talos rejects op: create for any file outside /var (except the special-cased /etc/cri/conf.d/20-customization.part)"

The current phrasing mixes quotation and paraphrase.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@content/en/docs/next/install/kubernetes/talos-bootstrap.md` around lines 105
- 107, The sentence embedding the Talos error mixes prose and an inline
code-like error; update the sentence in the alert so the Talos error is clearly
distinguished — either quote the exact error string or paraphrase it without
backticks. Specifically, revise the phrase that currently reads 'with `create
operation not allowed outside of /var`' so it becomes either a direct quoted
error (e.g., "returning the error 'create operation not allowed outside of
/var'") or a paraphrase (e.g., "(Talos rejects op: create for any file outside
/var, except /etc/cri/conf.d/20-customization.part)"); keep references to op:
create, /var, /etc/cri/conf.d/20-customization.part, /etc/lvm/lvm.conf,
WriteUserFiles, and talosctl bootstrap intact for context.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cb6ab64e-9bb7-48d2-9766-878aac319cbf

📥 Commits

Reviewing files that changed from the base of the PR and between 7a5ab3c and b40c7ed.

📒 Files selected for processing (2)
  • content/en/docs/next/install/kubernetes/talos-bootstrap.md
  • content/en/docs/next/install/kubernetes/talosctl.md

Talos rejects op: create for files outside /var, so the lvm.conf
customization must stay op: overwrite. A wrong op fails the
WriteUserFiles boot step and reboot-loops the node with an opaque
"bootstrap is not available yet".

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

Phrase the rejected-create error as a returned error string and replace
'reboots on a loop' with 'enters a reboot loop' for readability.

Signed-off-by: Aleksei Sviridkin <f@lex.la>

@IvanHunters IvanHunters left a comment

Approve.

The warning is factually correct and appropriately scoped — it doesn't overstate the behavior. Verified against Talos:

  • the create operation not allowed outside of /var error string matches siderolabs/talos#12529
  • the /etc/cri/conf.d/20-customization.part special-case matches the Talos containerd guide
  • the opaque bootstrap is not available yet failure mode is attested in siderolabs/talos#11132

Hugo alert shortcode is correct and the prior bot suggestions are addressed.

Non-blocking: the callout is duplicated byte-for-byte in both files — just something to keep in sync if the behavior ever changes.

@lexfrei Aleksei Sviridkin (lexfrei) merged commit 701d0f6 into main Jul 3, 2026
4 of 6 checks passed
@lexfrei Aleksei Sviridkin (lexfrei) deleted the docs/talos-files-op-warning branch July 3, 2026 07:57