From e3e37df468cd6f9a906aa7d0f1f3649464c7464b Mon Sep 17 00:00:00 2001
From: Noel Georgi
Date: Tue, 13 Jan 2026 16:50:56 +0530
Subject: [PATCH] docs: imager rootless support
Mention imager now supporting rootless and drop and privileged flags.
Signed-off-by: Noel Georgi
---
.../custom-images-and-development/overlays.mdx | 2 +-
.../images-container-runtime/image-cache.mdx | 4 ++--
.../metal-network-configuration.mdx | 2 +-
.../bare-metal-platforms/network-config.mdx | 2 +-
.../platform-specific-installations/boot-assets.mdx | 10 ++--------
.../single-board-computers/rpi_generic.mdx | 2 +-
6 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/overlays.mdx b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/overlays.mdx
index cae746b..9bf14b6 100644
--- a/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/overlays.mdx
+++ b/public/talos/v1.13/build-and-extend-talos/custom-images-and-development/overlays.mdx
@@ -94,7 +94,7 @@ export USERNAME=octocat export BOARD=nanopi-r5s export TAG=664638a
-docker run --rm -t -v ./_out:/out -v /dev:/dev --privileged ghcr.io/siderolabs/imager:${TALOS_VERSION} \
+docker run --rm -t -v ./_out:/out ghcr.io/siderolabs/imager:${TALOS_VERSION} \
"${BOARD}" --arch arm64 \ --base-installer-image="ghcr.io/siderolabs/installer-base:${TALOS_VERSION}" \ --overlay-name="${BOARD}" \
diff --git a/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/image-cache.mdx b/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/image-cache.mdx
index 44b170b..24750e3 100644
--- a/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/image-cache.mdx
+++ b/public/talos/v1.13/configure-your-talos-cluster/images-container-runtime/image-cache.mdx
@@ -52,7 +52,7 @@ The ISO image can built with the [imager](../../platform-specific-installations/ {` mkdir -p _out/
-docker run --rm -t -v $PWD/_out:/secureboot:ro -v $PWD/_out:/out -v $PWD/image-cache.oci:/image-cache.oci:ro -v /dev:/dev --privileged ghcr.io/siderolabs/imager:${release_v1_13} iso --image-cache /image-cache.oci
+docker run --rm -t -v $PWD/_out:/secureboot:ro -v $PWD/_out:/out -v $PWD/image-cache.oci:/image-cache.oci:ro ghcr.io/siderolabs/imager:${release_v1_13} iso --image-cache /image-cache.oci
`}
@@ -76,7 +76,7 @@ The disk image can be built with the [imager](../../platform-specific-installati {` mkdir -p _out/
-docker run --rm -t -v $PWD/_out:/secureboot:ro -v $PWD/_out:/out -v $PWD/image-cache.oci:/image-cache.oci:ro -v /dev:/dev --privileged ghcr.io/siderolabs/imager:${release_v1_13} metal --image-cache /image-cache.oci
+docker run --rm -t -v $PWD/_out:/secureboot:ro -v $PWD/_out:/out -v $PWD/image-cache.oci:/image-cache.oci:ro ghcr.io/siderolabs/imager:${release_v1_13} metal --image-cache /image-cache.oci
`}
diff --git a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx
index 575e035..ebf1b13 100644
--- a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx
+++ b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/metal-network-configuration.mdx
@@ -390,7 +390,7 @@ Following the [boot assets](../../platform-specific-installations/boot-assets) g {`
-docker run --rm -t -v $PWD/_out:/out -v /dev:/dev --privileged ghcr.io/siderolabs/imager:${release_v1_13} metal --meta "0xa=$(cat network.yaml)"
+docker run --rm -t -v $PWD/_out:/out ghcr.io/siderolabs/imager:${release_v1_13} metal --meta "0xa=$(cat network.yaml)"
`}
diff --git a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/network-config.mdx b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/network-config.mdx
index 320a2ff..8b49416 100644
--- a/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/network-config.mdx
+++ b/public/talos/v1.13/platform-specific-installations/bare-metal-platforms/network-config.mdx
@@ -66,7 +66,7 @@ The initial platform network configuration for the `metal` platform can be also {` docker run --rm -i ghcr.io/siderolabs/imager:${release_v1_13} iso --arch amd64 --tar-to-stdout --meta 0x0a='{...}' | tar xz
-docker run --rm -i --privileged ghcr.io/siderolabs/imager:${release_v1_13} image --platform metal --arch amd64 --tar-to-stdout --meta 0x0a='{...}' | tar xz
+docker run --rm -i ghcr.io/siderolabs/imager:${release_v1_13} image --platform metal --arch amd64 --tar-to-stdout --meta 0x0a='{...}' | tar xz
`}
diff --git a/public/talos/v1.13/platform-specific-installations/boot-assets.mdx b/public/talos/v1.13/platform-specific-installations/boot-assets.mdx
index 6e5dab0..36eb8b9 100644
--- a/public/talos/v1.13/platform-specific-installations/boot-assets.mdx
+++ b/public/talos/v1.13/platform-specific-installations/boot-assets.mdx
@@ -251,6 +251,8 @@ talosctl upgrade \\ A custom disk image, boot asset can be generated by using the Talos Linux `imager` container: ghcr.io/siderolabs/imager:{release_v1_13}. The `imager` container image can be checked by [verifying its signature](../security/verifying-images).
+Imager supports running as rootless container via Podman or Docker without requiring any special privileges.
+
The generation process can be run with a simple `docker run` command:
@@ -258,8 +260,6 @@ The generation process can be run with a simple `docker run` command: docker run --rm -t \\ -v "$PWD/_out:/secureboot:ro" \\ -v "$PWD/_out:/out" \\
- -v /dev:/dev \\
- --privileged \\
ghcr.io/siderolabs/imager:${release_v1_13} \\ [optional: customization] `}
@@ -271,7 +271,6 @@ A quick guide to the flags used for `docker run`: * `-t` attaches a terminal for colorized output, it can be removed if used in scripts * `-v $PWD/_out:/secureboot:ro` mounts the SecureBoot keys into the container (can be skipped if not generating SecureBoot image) * `-v $PWD/_out:/out` mounts the output directory (where the generated image will be placed) into the container
-* `-v /dev:/dev --privileged` is required to generate disk images (loop devices are used), but not required for ISOs, installer container images
The `` argument to the `imager` defines the base profile to be used for the image generation. There are several built-in profiles:
@@ -532,8 +531,6 @@ Now we can generate the metal image with the following command: {` docker run --rm -t \\ -v "$PWD/_out:/out" \\
- -v /dev:/dev \\
- --privileged \\
ghcr.io/siderolabs/imager:${release_v1_13} \\ rpi_generic \\ --arch arm64 \\
@@ -646,8 +643,6 @@ Next, let's generate AWS disk image with that system extension: {` docker run --rm -t \\ -v "$PWD/_out:/out" \\
- -v /dev:/dev \\
- --privileged \\
ghcr.io/siderolabs/imager:${release_v1_13} \\ aws \\ --system-extension-image ghcr.io/siderolabs/gvisor:20231214.0-${release_v1_13}@sha256:548b2b121611424f6b1b6cfb72a1669421ffaf2f1560911c324a546c7cee655e
@@ -742,7 +737,6 @@ Now we can generate the ISO image which embeds this machine configuration with t {` docker run --rm -t \\ -v "$PWD/_out:/out" \\
- --privileged \\
ghcr.io/siderolabs/imager:${release_v1_13} \\ iso \\ --embedded-config-path=/out/machine.yaml
diff --git a/public/talos/v1.13/platform-specific-installations/single-board-computers/rpi_generic.mdx b/public/talos/v1.13/platform-specific-installations/single-board-computers/rpi_generic.mdx
index 25cfa22..b10dc7d 100644
--- a/public/talos/v1.13/platform-specific-installations/single-board-computers/rpi_generic.mdx
+++ b/public/talos/v1.13/platform-specific-installations/single-board-computers/rpi_generic.mdx
@@ -199,7 +199,7 @@ Now we can generate the metal image with the following command: {` -$ docker run --rm -t -v $PWD/_out:/out -v /dev:/dev --privileged ghcr.io/siderolabs/imager:${release_v1_13} rpi_generic \ +$ docker run --rm -t -v $PWD/_out:/out ghcr.io/siderolabs/imager:${release_v1_13} rpi_generic \ --arch arm64 \ --overlay-image ghcr.io/siderolabs/sbc-raspberrypi:v0.1.0@sha256:849ace01b9af514d817b05a9c5963a35202e09a4807d12f8a3ea83657c76c863 \ --overlay-name=rpi_generic \