chore: make qemu provider build on darwin

This is the first step in splitting up the darwin qemu provider feature into smaller, easier to review bits.

Make the minimal changes required to have the qemu provider build on darwin.

The following changes will come in the "first crash" order.
Currently the next step that needs fixing is the preflight checks. After that come the various networking bits.

* use a newer commit of the dhcpd fork that has the darwin compatible logic (see insomniacslk/dhcp#550)
* make sure that the (broken) darwin qemu logic only runs when `DARWIN_QEMU` env var is set
* avoid using the linux specific cni.ns package (this can be changed later, just has to be done for now so the thing compiles)
* use a cross-platform fallocate package

Signed-off-by: Orzelius <33936483+Orzelius@users.noreply.github.com>

Author: Orzelius

…/talosctl/cmd/mgmt/dhcpd_launch_linux.go cmd/talosctl/cmd/mgmt/dhcpd_launch.gocmd/talosctl/cmd/mgmt/dhcpd_launch_linux.go renamed to cmd/talosctl/cmd/mgmt/dhcpd_launch.go cmd/talosctl/cmd/mgmt/dhcpd_launch_linux.go renamed to cmd/talosctl/cmd/mgmt/dhcpd_launch.go

@@ -2,6 +2,8 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
+//go:build linux || darwin
+
 package mgmt
 
 import (

…d/talosctl/cmd/mgmt/qemu_launch_linux.go cmd/talosctl/cmd/mgmt/qemu_launch.gocmd/talosctl/cmd/mgmt/qemu_launch_linux.go renamed to cmd/talosctl/cmd/mgmt/qemu_launch.go cmd/talosctl/cmd/mgmt/qemu_launch_linux.go renamed to cmd/talosctl/cmd/mgmt/qemu_launch.go

@@ -2,7 +2,7 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-//go:build linux
+//go:build linux || darwin
 
 package mgmt
 

go.mod

@@ -31,7 +31,7 @@ replace (
 
 // fd-leak related replacements: https://github.com/siderolabs/talos/issues/9412
 // https://github.com/insomniacslk/dhcp/pull/550
-replace github.com/insomniacslk/dhcp => github.com/smira/dhcp v0.0.0-20241001122726-31e9ef21c016
+replace github.com/insomniacslk/dhcp => github.com/smira/dhcp v0.0.0-20250407153013-99942baa5d59
 
 // Kubernetes dependencies sharing the same version.
 require (
@@ -74,6 +74,7 @@ require (
 	github.com/coredns/coredns v1.12.1
 	github.com/coreos/go-iptables v0.8.0
 	github.com/cosi-project/runtime v0.10.2
+	github.com/detailyang/go-fallocate v0.0.0-20180908115635-432fa640bd2e
 	github.com/distribution/reference v0.6.0
 	github.com/docker/cli v28.0.4+incompatible
 	github.com/docker/docker v28.0.4+incompatible

go.sum

@@ -175,6 +175,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/detailyang/go-fallocate v0.0.0-20180908115635-432fa640bd2e h1:lj77EKYUpYXTd8CD/+QMIf8b6OIOTsfEBSXiAzuEHTU=
+github.com/detailyang/go-fallocate v0.0.0-20180908115635-432fa640bd2e/go.mod h1:3ZQK6DMPSz/QZ73jlWxBtUhNA8xZx7LzUFSq/OfP8vk=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
@@ -685,8 +687,8 @@ github.com/siderolabs/wireguard-go v0.0.0-20240401105714-9c7067e9d4b9 h1:VSb26LY
 github.com/siderolabs/wireguard-go v0.0.0-20240401105714-9c7067e9d4b9/go.mod h1:7+dAh+K+Zo+AnP0mCypmwx7M6k2SyqRuLQMX91qZPr0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/smira/dhcp v0.0.0-20241001122726-31e9ef21c016 h1:pImpynwlfelZICjeAVIj4OdNsS+RadE4D+KC+RzpUt8=
-github.com/smira/dhcp v0.0.0-20241001122726-31e9ef21c016/go.mod h1:KclMyHxX06VrVr0DJmeFSUb1ankt7xTfoOA35pCkoic=
+github.com/smira/dhcp v0.0.0-20250407153013-99942baa5d59 h1:lBQLOP8ZZI6mbePwGX/bqXi3srwhYB/zcwqrnX+JJIc=
+github.com/smira/dhcp v0.0.0-20250407153013-99942baa5d59/go.mod h1:VvGYjkZoJyKqlmT1yzakUs4mfKMNB0XdODP0+rdml6k=
 github.com/smira/kobject v0.0.0-20240304111826-49c8d4613389 h1:f/5NRv5IGZxbjBhc5MnlbNmyuXBPxvekhBAUzyKWyLY=
 github.com/smira/kobject v0.0.0-20240304111826-49c8d4613389/go.mod h1:+SexPO1ZvdbbWUdUnyXEWv3+4NwHZjKhxOmQqHY4Pqc=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=

pkg/provision/providers/qemu_linux.go pkg/provision/providers/qemu.gopkg/provision/providers/qemu_linux.go renamed to pkg/provision/providers/qemu.go

@@ -2,17 +2,25 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-//go:build linux
+//go:build linux || darwin
 
 package providers
 
 import (
 	"context"
+	"errors"
+	"os"
+	"runtime"
 
 	"github.com/siderolabs/talos/pkg/provision"
 	"github.com/siderolabs/talos/pkg/provision/providers/qemu"
 )
 
 func newQemu(ctx context.Context) (provision.Provisioner, error) {
+	// TODO: remove once the provisioner works on darwin
+	_, darwinQemuEnvIsSet := os.LookupEnv("DARWIN_QEMU")
+	if runtime.GOOS == "darwin" && !darwinQemuEnvIsSet {
+		return nil, errors.New("qemu provisioner is not supported on this platform")
+	}
 	return qemu.NewProvisioner(ctx)
 }

pkg/provision/providers/qemu/launch.go

@@ -17,21 +17,10 @@ import (
 	"strings"
 	"time"
 
-	"github.com/alexflint/go-filemutex"
 	"github.com/containernetworking/cni/libcni"
-	"github.com/containernetworking/cni/pkg/types"
-	types100 "github.com/containernetworking/cni/pkg/types/100"
-	"github.com/containernetworking/plugins/pkg/ns"
-	"github.com/containernetworking/plugins/pkg/testutils"
-	"github.com/containernetworking/plugins/pkg/utils"
-	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/uuid"
-	"github.com/siderolabs/gen/xslices"
-	"github.com/siderolabs/go-blockdevice/v2/blkid"
-	sideronet "github.com/siderolabs/net"
 
 	"github.com/siderolabs/talos/pkg/provision"
-	"github.com/siderolabs/talos/pkg/provision/internal/cniutils"
 	"github.com/siderolabs/talos/pkg/provision/providers/vm"
 )
 
@@ -94,7 +83,7 @@ type LaunchConfig struct {
 	// filled by CNI invocation
 	tapName string
 	vmMAC   string
-	ns      ns.NetNS
+	nsPath  string
 
 	// signals
 	c chan os.Signal
@@ -108,190 +97,6 @@ type tpm2Config struct {
 	StateDir string
 }
 
-// withCNIOperationLocked ensures that CNI operations don't run concurrently.
-//
-// There are race conditions in the CNI plugins that can cause a failure if called concurrently.
-func withCNIOperationLocked[T any](config *LaunchConfig, f func() (T, error)) (T, error) {
-	var zeroT T
-
-	lock, err := filemutex.New(filepath.Join(config.StatePath, "cni.lock"))
-	if err != nil {
-		return zeroT, fmt.Errorf("failed to create CNI lock: %w", err)
-	}
-
-	if err = lock.Lock(); err != nil {
-		return zeroT, fmt.Errorf("failed to acquire CNI lock: %w", err)
-	}
-
-	defer func() {
-		if err := lock.Close(); err != nil {
-			log.Printf("failed to release CNI lock: %s", err)
-		}
-	}()
-
-	return f()
-}
-
-// withCNIOperationLockedNoResult ensures that CNI operations don't run concurrently.
-func withCNIOperationLockedNoResult(config *LaunchConfig, f func() error) error {
-	_, err := withCNIOperationLocked(config, func() (struct{}, error) {
-		return struct{}{}, f()
-	})
-
-	return err
-}
-
-// withCNI creates network namespace, launches CNI and passes control to the next function
-// filling config with netNS and interface details.
-//
-//nolint:gocyclo
-func withCNI(ctx context.Context, config *LaunchConfig, f func(config *LaunchConfig) error) error {
-	// random ID for the CNI, maps to single VM
-	containerID := uuid.New().String()
-
-	cniConfig := libcni.NewCNIConfigWithCacheDir(config.CNI.BinPath, config.CNI.CacheDir, nil)
-
-	// create a network namespace
-	ns, err := testutils.NewNS()
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		ns.Close()              //nolint:errcheck
-		testutils.UnmountNS(ns) //nolint:errcheck
-	}()
-
-	ips := make([]string, len(config.IPs))
-	for j := range ips {
-		ips[j] = sideronet.FormatCIDR(config.IPs[j], config.CIDRs[j])
-	}
-
-	gatewayAddrs := xslices.Map(config.GatewayAddrs, netip.Addr.String)
-
-	runtimeConf := libcni.RuntimeConf{
-		ContainerID: containerID,
-		NetNS:       ns.Path(),
-		IfName:      "veth0",
-		Args: [][2]string{
-			{"IP", strings.Join(ips, ",")},
-			{"GATEWAY", strings.Join(gatewayAddrs, ",")},
-			{"IgnoreUnknown", "1"},
-		},
-	}
-
-	// attempt to clean up network in case it was deployed previously
-	err = withCNIOperationLockedNoResult(
-		config,
-		func() error {
-			return cniConfig.DelNetworkList(ctx, config.NetworkConfig, &runtimeConf)
-		},
-	)
-	if err != nil {
-		return fmt.Errorf("error deleting CNI network: %w", err)
-	}
-
-	res, err := withCNIOperationLocked(
-		config,
-		func() (types.Result, error) {
-			return cniConfig.AddNetworkList(ctx, config.NetworkConfig, &runtimeConf)
-		},
-	)
-	if err != nil {
-		return fmt.Errorf("error provisioning CNI network: %w", err)
-	}
-
-	defer func() {
-		if e := withCNIOperationLockedNoResult(
-			config,
-			func() error {
-				return cniConfig.DelNetworkList(ctx, config.NetworkConfig, &runtimeConf)
-			},
-		); e != nil {
-			log.Printf("error cleaning up CNI: %s", e)
-		}
-	}()
-
-	currentResult, err := types100.NewResultFromResult(res)
-	if err != nil {
-		return fmt.Errorf("failed to parse cni result: %w", err)
-	}
-
-	vmIface, tapIface, err := cniutils.VMTapPair(currentResult, containerID)
-	if err != nil {
-		return errors.New(
-			"failed to parse VM network configuration from CNI output, ensure CNI is configured with a plugin " +
-				"that supports automatic VM network configuration such as tc-redirect-tap")
-	}
-
-	cniChain := utils.FormatChainName(config.NetworkConfig.Name, containerID)
-
-	ipt, err := iptables.New()
-	if err != nil {
-		return fmt.Errorf("failed to initialize iptables: %w", err)
-	}
-
-	// don't masquerade traffic with "broadcast" destination from the VM
-	//
-	// no need to clean up the rule, as CNI drops the whole chain
-	if err = ipt.InsertUnique("nat", cniChain, 1, "--destination", "255.255.255.255/32", "-j", "ACCEPT"); err != nil {
-		return fmt.Errorf("failed to insert iptables rule to allow broadcast traffic: %w", err)
-	}
-
-	for _, cidr := range config.NoMasqueradeCIDRs {
-		if err = ipt.InsertUnique("nat", cniChain, 1, "--destination", cidr.String(), "-j", "ACCEPT"); err != nil {
-			return fmt.Errorf("failed to insert iptables rule to allow non-masquerade traffic to cidr %q: %w", cidr.String(), err)
-		}
-	}
-
-	config.tapName = tapIface.Name
-	config.vmMAC = vmIface.Mac
-	config.ns = ns
-
-	for j := range config.CIDRs {
-		nameservers := make([]netip.Addr, 0, len(config.Nameservers))
-
-		// filter nameservers by IPv4/IPv6 matching IPs
-		for i := range config.Nameservers {
-			if config.IPs[j].Is6() {
-				if config.Nameservers[i].Is6() {
-					nameservers = append(nameservers, config.Nameservers[i])
-				}
-			} else {
-				if config.Nameservers[i].Is4() {
-					nameservers = append(nameservers, config.Nameservers[i])
-				}
-			}
-		}
-
-		// dump node IP/mac/hostname for dhcp
-		if err = vm.DumpIPAMRecord(config.StatePath, vm.IPAMRecord{
-			IP:               config.IPs[j],
-			Netmask:          byte(config.CIDRs[j].Bits()),
-			MAC:              vmIface.Mac,
-			Hostname:         config.Hostname,
-			Gateway:          config.GatewayAddrs[j],
-			MTU:              config.MTU,
-			Nameservers:      nameservers,
-			TFTPServer:       config.TFTPServer,
-			IPXEBootFilename: config.IPXEBootFileName,
-		}); err != nil {
-			return err
-		}
-	}
-
-	return f(config)
-}
-
-func checkPartitions(config *LaunchConfig) (bool, error) {
-	info, err := blkid.ProbePath(config.DiskPaths[0], blkid.WithSectorSize(config.DiskBlockSizes[0]))
-	if err != nil {
-		return false, fmt.Errorf("error probing disk: %w", err)
-	}
-
-	return info.Name == "gpt" && len(info.Parts) > 0, nil
-}
-
 // launchVM runs qemu with args built based on config.
 //
 //nolint:gocyclo,cyclop
@@ -521,9 +326,7 @@ func launchVM(config *LaunchConfig) error {
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 
-	if err := ns.WithNetNSPath(config.ns.Path(), func(_ ns.NetNS) error {
-		return cmd.Start()
-	}); err != nil {
+	if err := startQemuCmd(config, cmd); err != nil {
 		return err
 	}
 
@@ -608,7 +411,7 @@ func Launch() error {
 		config.sdStubExtraCmdlineConfig = fmt.Sprintf(" talos.config=http://%s/config.yaml", httpServer.GetAddr())
 	}
 
-	return withCNI(ctx, &config, func(config *LaunchConfig) error {
+	return withNetworkContext(ctx, &config, func(config *LaunchConfig) error {
 		for {
 			for config.controller.PowerState() != PoweredOn {
 				select {

pkg/provision/providers/qemu/launch_darwin.go

@@ -0,0 +1,23 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package qemu
+
+import (
+	"context"
+	"os/exec"
+)
+
+func withNetworkContext(ctx context.Context, config *LaunchConfig, f func(config *LaunchConfig) error) error {
+	panic("not implemented")
+}
+
+func checkPartitions(config *LaunchConfig) (bool, error) {
+	panic("not implemented")
+}
+
+// startQemuCmd on darwin just runs cmd.Start
+func startQemuCmd(_ *LaunchConfig, cmd *exec.Cmd) error {
+	return cmd.Start()
+}