Proposal: Disable default debug logging for gVisor extension to prevent disk exhaustion

[pioklopk-gif]

Current behavior:
The Talos gVisor extension currently defaults to debug = "true" and log_level = "debug" in /etc/cri/conf.d/runsc.toml. When combined with a mutating admission controller (like Kyverno) that runs many pods under gVisor, it generates a massive amount of logs in /var/log/runsc/.

In my case, this led to 35GB of logs per node in just two days, causing critical DiskPressure and crashing the entire cluster.

Proposed change:
Set the default log_level to error and debug to false in the extension's default template. Debugging should be an opt-in feature, not a default, to ensure cluster stability out of the box.

Temporary fix applied:
I managed to stabilize my nodes by applying the following MachineConfig patch:
YAML

machine:
files:
- content: |
log_path = "/var/log/runsc/%ID%/shim.log"
log_level = "error"

    [runsc_config]
      debug = "false"
      debug-log = "/var/log/runsc/%ID%/gvisor.%COMMAND%.log"
  path: /etc/cri/conf.d/runsc.toml
  permissions: 0644
  op: overwrite

Thanks
Piotr Kloc

[smira]

Talos doesn't ship debug settings by default: https://github.com/siderolabs/extensions/blob/main/container-runtime/gvisor/runsc.toml

Are you sure you're not using gvisor-debug extension?

[pioklopk-gif]

10.10.10.10 runtime ExtensionStatus 1 1 gvisor 20260202.0
10.10.10.10 runtime ExtensionStatus 2 1 gvisor-debug v1.0.0

So maybe should I delete the gvisor-debug extension right ?

Piotr Kloc

[smira]

yes, you should if you don't want debug logging.