Releases: siderolabs/talos
v1.10.0-alpha.0
Talos 1.10.0-alpha.0 (2024-12-23)
Welcome to the v1.10.0-alpha.0 release of Talos!
This is a pre-release of Talos
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
cgroups v1
Talos Linux no longer supports `cgroupsv1` when running in non-container mode.
The kernel argument `talos.unified_cgroup_hierarchy` is now ignored.
Driver Rebind
Talos 1.10 now supports a new machine config document named `PCIDriverRebindConfig`
that allows rebinding the driver of a PCI device to a different target driver.
See the documentation for more information.
Component Updates
- Linux: 6.12.6
- CNI plugins: 1.6.1
Talos is built with Go 1.23.4.
Contributors
- Andrey Smirnov
- Noel Georgi
- Dmitriy Matrenichev
- Dmitry Sharshakov
- Nico Berlee
- Utku Ozdemir
- Alexis La Goutte
- Andrew Symington
- Christian Luetke-Stetzkamp
- Devin Buhl
- Justin Garrison
- KillianCdP
- Marcel Hamer
- PRIHLOP
- Skyler Mäntysaari
- Tine Jozelj
- sflotat2607
Changes
64 commits
- b4aa5189d release(v1.10.0-alpha.0): prepare release
- bd85bd5b7 fix: fix `Failed to initialize SELinux labeling handle` udev error
- 73c82e3e5 feat: bring Linux 6.12.6, CNI plugins 1.6.1
- c12b52491 docs: document Kubernetes service registry incompat with K8s 1.32
- a5660ed77 feat: pcirebind controller
- 4c3261626 docs: fix several typos
- fb3675321 fix: dashboard crash on CPU data
- dec0185c8 chore: reduce memory usage for secureboot functions
- cee6c60a0 fix: make talosctl time work with PTP time sync
- f75604313 chore: support gcr.io auth for cache and image gen
- 6ef2596da docs: improve Hetzner documentation
- 7d39b9ec2 feat: remove cgroupsv1 in non-container mode
- 8003536c7 fix: restore previous disk serial fetching
- 03116ef9b chore: prepare for Talos 1.10
- 00682fdd6 docs: activate 1.9 docs as default
- bea05f5c9 docs: update deploying-cilium.md
- 284ab1179 feat: support link altnames/aliases
- 5bfd829bf docs: fix 'containter' typo
- 8d151b771 docs: clarify TALOSCONFIG for AWS
- 0ef19171f fix: renovate typo
- c568adc7d fix: renovate config
- ec2e24fd9 fix: match MAC addresses case-insensitive (nocloud)
- 41a0c440a chore: rekres for renovate changes
- a49bb9ee4 feat: update Linux to 6.12.5
- b15917ecc chore: add more debugging logs for META and volumes
- 2b1b326f0 docs: mention different paths for OpenEBS
- 9470e842f test: cleanup failed Kubernetes pods
- c9c685150 fix: node identity flip
- 590c01657 feat: update containerd to v2.0.1
- 18fa5a258 docs: update image-cache doc for iso
- ab5bb6884 fix: generate and serve registries with port
- 58236066d fix: support image cache on VFAT USB stick
- e193a5071 fix: image cache integration test
- 08ee400fd test: fix flaky test NodeAddressSort
- d45e8d1d1 feat: update Kubernetes to 1.32.0
- 136b12912 chore: drop semicolon for supporting vfat filesystems
- 3e9e027ef test: add an option to boot from an USB stick
- ef8c3e3b3 docs: fix typo in multus.md
- d54414add fix: authorization config gen
- cce72cfe8 docs: replace deprecated Hetzner server plans
- 81805103d chore: enable proper parallel usage of TestDepth
- e1b824eba docs: update ceph-with-rook.md
- 470b75563 fix: use mtu network option for podman
- 61b1489a0 fix: order volume config by the requested size
- bc3039acd feat: update runc to 1.2.3
- 30016a0a8 fix: avoid nil-pointer-panic in `RegistriesConfigController`
- fe0457152 fix: power on the machine on reboot request in qemu power api
- 10da553ef docs: build what's new for 1.9
- d946ccae3 feat: update Linux to 6.12.4
- 707a77bf6 test: fix user namespace test, TPM2 fixes
- c3537b2f5 feat: update Linux to 6.12.3
- cb4d9d673 docs: fix a few mistakes in release notes
- c4724fc97 chore: add integration tests for image-cache
- 07220fe7f fix: install iptables-nft to the host
- 14841750b chore: add version compatibility for Talos 1.10
- 852baf819 feat: support vlan/bond in v1, vlan in v2 for nocloud
- dd61ad861 fix: lock provisioning order of user disk partitions
- d0773ff09 chore: update Go to 1.23.4
- 7d6507189 feat: implement new address sorting algorithm
- 9081506d6 feat: add process scheduling options
- 77e9db4ab test: use two workers in qemu tests by default
- 5a4bdf62a feat: update Kubernetes to 1.32.0-rc.1
- d99bcc950 chore: refactor mergeDNSServers func
- 0cde08d8b docs: add Turing RK1 docs to Single Board Computer section
Changes from siderolabs/pkgs
17 commits
- siderolabs/pkgs@9051c9a feat: update Linux to 6.12.6
- siderolabs/pkgs@6695012 chore: rekres to simplify `.kres.yaml` defaults
- siderolabs/pkgs@611ca38 chore: rekres to bring renovate under kres
- siderolabs/pkgs@a4c4215 fix: drop cgroupsv1 controllers
- siderolabs/pkgs@28c909d feat: update Linux firmware to 20241210
- siderolabs/pkgs@c40a9e9 feat: update Linux to 6.12.5
- siderolabs/pkgs@d54ca83 feat: update containerd to v2.0.1
- siderolabs/pkgs@86e3755 fix: add CONFIG_INTEL_MEI_GSC_PROXY as module
- siderolabs/pkgs@8c31321 feat: update ZFS to 2.2.7
- siderolabs/pkgs@605f493 feat: update runc to v1.2.3
- siderolabs/pkgs@1a55529 feat: update Linux to 6.12.4
- siderolabs/pkgs@52ba9a5 feat: update Linux 6.12.3
- siderolabs/pkgs@9cf35be feat: build host iptables with nftables support
- siderolabs/pkgs@71003a3 feat: update Go to 1.23.4
- siderolabs/pkgs@5b4d402 feat: build dvb kernel modules and CX23885
- siderolabs/pkgs@b330af9 chore: bring in KSPP recommendations
- siderolabs/pkgs@f81b190 feat: kernel driver support for RK3588 devices (Turing RK1)
Changes from siderolabs/tools
Dependency Changes
- github.com/containernetworking/plugins v1.6.0 -> v1.6.1
- github.com/foxboron/go-uefi fab4fdf2f2f3 -> 19dc140271bf
- github.com/opencontainers/runc v1.2.2 -> v1.2.3
- github.com/siderolabs/go-blockdevice/v2 v2.0.7 -> v2.0.8
- github.com/siderolabs/pkgs v1.9.0-12-g9576b97 -> v1.10.0-alpha.0-16-g9051c9a
- github.com/siderolabs/talos/pkg/machinery v1.9.0 -> v1.10.0-alpha.0
- github.com/siderolabs/tools v1.9.0-1-geaad82f -> v1.10.0-alpha.0
- golang.org/x/net v0.32.0 -> v0.33.0
Previous release can be found at v1.9.0
Images
ghcr.io/siderolabs/flannel:v0.26.1
registry.k8s.io/coredns/coredns:v1.12.0
gcr.io/etcd-development/etcd:v3.5.17
registry.k8s.io/kube-apiserver:v1.32.0
registry.k8s.io/kube-controller-manager:v1.32.0
registry.k8s.io/kube-scheduler:v1.32.0
registry.k8s.io/kube-proxy:v1.32.0
ghcr.io/siderolabs/kubelet:v1.32.0
ghcr.io/siderolabs/installer:v1.10.0-alpha.0
registry.k8s.io/pause:3.10
v1.9.0
Talos 1.9.0 (2024-12-17)
Welcome to the v1.9.0 release of Talos!
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Auditd
Talos Linux now starts an auditd service by default.
Logs can be read with `talosctl logs auditd`.
talosctl cgroups
The `talosctl cgroups` command has been added to the `talosctl` tool.
This command allows you to view the cgroup resource consumption and limits for a machine, e.g. `talosctl cgroups --preset memory`.
cgroups version 1
Support for cgroupsv1 is deprecated, and will be removed in Talos 1.10 (for non-container mode).
Custom search domains for Talos nodes
Talos now supports specifying custom search domains for Talos nodes using the new config field `machine.network.searchDomains`.
For the host it will look something like this:
```
nameserver 127.0.0.53
search my-custom-search-name.com my-custom-search-name2.com
```
For the pods it will look something like this:
```
search default.svc.cluster.local svc.cluster.local cluster.local my-custom-search-name.com my-custom-search-name2.com
nameserver 10.96.0.10
options ndots:5
```
Device Selectors
Talos now supports matching on permanent hardware (MAC) address of the network interfaces.
This is specifically useful to match bond members, as they change their hardware addresses when they become part of the bond.
Direct Rendering Manager (DRM)
Starting with Talos 1.9, the `i915` and `amdgpu` DRM drivers will be dropped from the Talos squashfs.
There will be new system extensions named `i915` and `amdgpu` that would contain both the drivers and firmware packaged together.
Upgrades via Image Factory will automatically include the new extensions if previously `i915-ucode` or `amdgpu-firmware` were used.
Image Cache
Talos now supports providing a local Image Cache for container images.
Kube APIServer Authorization Config
Starting with Talos 1.9, the `.cluster.apiServer.authorizationConfig` field supports setting Kubernetes API server authorization modes using the `--authorization-config` flag.
The machine config field supports a list of `authorizers`. For instance:
```yaml
cluster:
  apiServer:
    authorizationConfig:
      - type: Node
        name: Node
      - type: RBAC
        name: rbac
```
For new clusters, if the Kubernetes API server supports the `--authorization-config` flag, it'll be used by default instead of the `--authorization-mode` flag.
By default Talos will always add the `Node` and `RBAC` authorizers to the list.
When upgrading, if either a user-provided `authorization-mode` or `authorization-webhook-*` flag is set via `.cluster.apiServer.extraArgs`, it'll be used instead of the new `AuthorizationConfig`.
The current authorization config can be viewed by running: `talosctl get authorizationconfigs.kubernetes.talos.dev -o yaml`
Node Address Sort
Talos supports a new experimental address sort algorithm for `NodeAddress`, which is used to pick the default addresses for kubelet, etcd, etc.
It can be enabled with the following config patch:
```yaml
machine:
  features:
    nodeAddressSortAlgorithm: v2
```
OCI Base Runtime Spec
Talos now allows you to modify the OCI base runtime spec for the container runtime.
Registry Mirrors
In versions before Talos 1.9, there was a discrepancy between the way Talos itself and the CRI plugin resolve registry mirrors:
Talos will never fall back to the default registry if endpoints are configured, while the CRI plugin will.
Note: Talos Linux pulls images for the `installer`, `kubelet`, `etcd`, while all workload images are pulled by the CRI plugin.
In Talos 1.9 this was fixed, so that by default an upstream registry is used as a fallback in all cases, while the new registry mirror configuration option `.skipFallback` can be used to disable this behavior both for Talos and the CRI plugin.
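A machine config patch illustrating the option described above, for clusters that must pull only from a controlled mirror (an added example, not taken from the release notes; the mirror endpoint `registry.internal.example` is a placeholder):

```yaml
machine:
  registries:
    mirrors:
      docker.io:
        endpoints:
          # Placeholder endpoint for an internally operated mirror.
          - https://registry.internal.example
        # Talos 1.9 default (skipFallback unset): if the endpoints above fail,
        # both Talos and the CRI plugin fall back to the upstream docker.io registry.
        # With skipFallback set, pulls for docker.io images use only the listed endpoints.
        skipFallback: true
```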
talosctl disks
The command `talosctl disks` was removed, please use `talosctl get disks`, `talosctl get systemdisk`, and `talosctl get blockdevices` instead.
talosctl wipe
The new command `talosctl wipe disk` allows you to wipe a disk or a partition which is not used as a volume.
udevd
Talos previously used `eudev` to provide `udevd`, now it uses `systemd-udevd` instead.
Component Updates
- Linux: 6.12.5
- containerd: 2.0.1
- Flannel: 0.26.1
- Kubernetes: 1.32.0
- runc: 1.2.3
- CoreDNS: 1.12.0
Talos is built with Go 1.23.4.
User Namespaces
Talos Linux now supports running Kubernetes pods with user namespaces enabled.
Refer to the documentation for more information.
Contributors
- Andrey Smirnov
- Noel Georgi
- Dmitriy Matrenichev
- Dmitry Sharshakov
- Joakim Nohlgård
- Utku Ozdemir
- Jean-Francois Roy
- Nico Berlee
- Steven Kreitzer
- blablu
- Adolfo Ochagavía
- Alessio Moiso
- Christian Luetke-Stetzkamp
- Dan Rue
- David Backeus
- Devin Buhl
- Devin Buhl
- Eddie Wang
- Florian Ströger
- Hexoplon
- Jakob Maležič
- Jasmin
- Justin Garrison
- KBAegis
- KillianCdP
- Mike Beaumont
- Mohammad Amin Mokhtari
- Nebula
- OliviaBarrington
- Philip Schmid
- Philipp Kleber
- Remko Molier
- Robby Ciliberto
- Roman Ivanov
- Ryan Borstelmann
- Rémi Paulmier
- Sam Stelfox
- Serge Logvinov
- Sergey Melnik
- Skyler Mäntysaari
- Spencer Smith
- SpiReCZ
- Steven Cassamajor
- Tim Jones
- Variant9
- adilTepe
- egrosdou01
- ekarlso
- naed3r
- nevermarine
- solidDoWant
- sophia-coldren
Changes
264 commits
- 3cb25ceb3 release(v1.9.0): prepare release
- b7a804ebe test: adjust extensions to use release-1.9 branch
- 4d5fbb375 feat: support link altnames/aliases
- 55d45bf7e docs: fix 'containter' typo
- c41ec53ba fix: renovate typo
- 2e73fdb41 fix: renovate config
- cfe54c4ff fix: match MAC addresses case-insensitive (nocloud)
- 632168edc chore: rekres for renovate changes
- 949404bc1 chore: add more debugging logs for META and volumes
- 7d73853ee feat: update Linux to 6.12.5
- 242a91fc0 test: cleanup failed Kubernetes pods
- 1522d1ee7 feat: update containerd to v2.0.1
- 39458050b fix: generate and serve registries with port
- 234d8cb58 fix: node identity flip
- 5a192c375 test: fix flaky test NodeAddressSort
- a38588d2c fix: image cache integration test
- a497e23c4 fix: support image cache on VFAT USB stick
- 56456de02 feat: update Kubernetes to 1.32.0
- 69bf7fdd9 chore: drop semicolon for supporting vfat filesystems
- aa88ad992 fix: authorization config gen
- c5a04caa9 test: add an option to boot from an USB stick
- 10fa5b74b fix: order volume config by the requested size
- f3a9b578b fix: use mtu network option for podman
- 4b1c59dab fix: avoid nil-pointer-panic in `RegistriesConfigController`
- 454164a15 fix: power on the machine on reboot request in qemu power api
- f615c2d5d docs: build what's new for 1.9
- 7e57d5bd2 release(v1.9.0-beta.1): prepare release
- 830e95ace feat: update Linux to 6.12.4
- c715695c6 test: fix user namespace test, TPM2 fixes
- ebf1d844e feat: update Linux to 6.12.3
- 3a0c34538 fix: install iptables-nft to the host
- 50ea58813 docs: fix a few mistakes in release notes
- 58e18de0b chore: add version compatibility for Talos 1.10
- f96992490 chore: update Go to 1.23.4
- 67fdd10bd chore: add integration tests for image-cache
- 2c71086ba fix: lock provisioning order of user disk partitions
- 1c26aad56 feat: implement new address sorting algorithm
- 1343773e6 test: use two workers in qemu tests by default
- 246180feb feat: update Kubernetes to 1.32.0-rc.1
- 24f9875e4 feat: support vlan/bond in v1, vlan in v2 for nocloud
- 1c8701737 feat: add process scheduling options
- 580805bab release(v1.9.0-beta.0): prepare release
- ff13ccc5b docs: update the Cilium CNI deployment
- 191825a44 docs: update install-kubevirt.md
- 770be1642 feat: support image cache copying
- 8fb567dd1 docs: fix typo in virtualbox docs
- 60e4561b4 feat: add support for custom search domains
- 95c695880 fix: don't reset health status if service doesn't support health checks
- b7609edd1 chore: update pkgs/extras to final 1.9.0 tags
- c7b25430b fix: multiple small fixes for service runners
- e33d2f581 feat: support overriding base OCI spec for CRI
- 347b75846 chore: support saving cluster logs on destroy
- c254f261f fix: do not extract xattrs in unsquashfs
- fc3b31575 fix: multiple issues with opening encrypted volumes
- 145b02642 chore: deprecate cgroupsv1 in non-container mode
- siderolabs/talos@581c08...
v1.8.4
Talos 1.8.4 (2024-12-13)
Welcome to the v1.8.4 release of Talos!
Starting with Talos v1.8.0, only standard assets would be published as github release assets. These include:
- `cloud-images.json`
- `talosctl` binaries
- `kernel`
- `initramfs`
- `metal` iso and disk images
- `talosctl-cni-bundle`
All other release assets can be downloaded from Image Factory.
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Component Updates
- Linux: 6.6.64
- runc: 1.2.3
- Kubernetes: 1.31.4
- etcd: 3.5.17
Talos is built with Go 1.22.10.
Contributors
- Andrey Smirnov
- Dmitriy Matrenichev
- Christian Luetke-Stetzkamp
- Noel Georgi
- OliviaBarrington
- Steven Kreitzer
Changes
17 commits
- 3c151c8a0 release(v1.8.4): prepare release
- 1fb38e4c7 fix: use mtu network option for podman
- acd9fda42 fix: order volume config by the requested size
- c547557ae fix: install iptables-nft to the host
- 94b342bfe fix: lock provisioning order of user disk partitions
- df8fe4cdd feat: support vlan/bond in v1, vlan in v2 for nocloud
- 3a1727ee1 fix: don't reset health status if service doesn't support health checks
- 7ff796f65 fix: make `system_disk` condition work properly before install
- 379eefdd6 fix: nocloud network link matching on MAC addresses
- c87ec03ff feat: allow for onlink directive (nocloud)
- aa14ae560 fix: small logrus fixes
- b90863a07 fix: properly halt installation if Talos already installed
- 6d20ade14 fix: make vmware platform common code build on all arches
- bc2d547f8 fix: allow CEL expressions config merge
- 5188f645e fix: install on non-empty disk
- 6f411ccba feat: update etcd to v3.5.17
- 7f91e3165 feat: update Linux 6.6.64, runc 1.2.3
Changes from siderolabs/pkgs
7 commits
- siderolabs/pkgs@0698d6e chore: bring in KSPP recommendations
- siderolabs/pkgs@9ab4a32 feat: update Linux to 6.6.64
- siderolabs/pkgs@77d6623 feat: update runc to v1.2.3
- siderolabs/pkgs@1afc88c feat: build host iptables with nftables support
- siderolabs/pkgs@4c15185 feat: update Linux to 6.6.62, runc to 1.2.2
- siderolabs/pkgs@88cc7d4 feat: enable CONFIG_INTEL_HFI_THERMAL + CONFIG_INTEL_TURBO_MAX_3
- siderolabs/pkgs@77a1abb feat: update Go to 1.22.10
Changes from siderolabs/tools
Dependency Changes
- github.com/siderolabs/go-blockdevice/v2 v2.0.3 -> v2.0.4
- github.com/siderolabs/pkgs v1.8.0-31-g9c80a4a -> v1.8.0-38-g0698d6e
- github.com/siderolabs/talos/pkg/machinery v1.8.3 -> v1.8.4
- github.com/siderolabs/tools v1.8.0-3-g653182a -> v1.8.0-4-gadfcf5a
- go.etcd.io/etcd/api/v3 v3.5.16 -> v3.5.17
- go.etcd.io/etcd/client/pkg/v3 v3.5.16 -> v3.5.17
- go.etcd.io/etcd/client/v3 v3.5.16 -> v3.5.17
- go.etcd.io/etcd/etcdutl/v3 v3.5.16 -> v3.5.17
- k8s.io/api v0.31.2 -> v0.31.4
- k8s.io/apiserver v0.31.2 -> v0.31.4
- k8s.io/client-go v0.31.2 -> v0.31.4
- k8s.io/component-base v0.31.2 -> v0.31.4
- k8s.io/kube-scheduler v0.31.2 -> v0.31.4
- k8s.io/kubectl v0.31.2 -> v0.31.4
- k8s.io/kubelet v0.31.2 -> v0.31.4
- k8s.io/pod-security-admission v0.31.2 -> v0.31.4
Previous release can be found at v1.8.3
Images
ghcr.io/siderolabs/flannel:v0.25.7
registry.k8s.io/coredns/coredns:v1.11.3
gcr.io/etcd-development/etcd:v3.5.17
registry.k8s.io/kube-apiserver:v1.31.4
registry.k8s.io/kube-controller-manager:v1.31.4
registry.k8s.io/kube-scheduler:v1.31.4
registry.k8s.io/kube-proxy:v1.31.4
ghcr.io/siderolabs/kubelet:v1.31.4
ghcr.io/siderolabs/installer:v1.8.4
registry.k8s.io/pause:3.10
v1.9.0-beta.1
Talos 1.9.0-beta.1 (2024-12-10)
Welcome to the v1.9.0-beta.1 release of Talos!
This is a pre-release of Talos
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Auditd
Talos Linux now starts an auditd service by default.
Logs can be read with `talosctl logs auditd`.
talosctl cgroups
The `talosctl cgroups` command has been added to the `talosctl` tool.
This command allows you to view the cgroup resource consumption and limits for a machine, e.g. `talosctl cgroups --preset memory`.
cgroups version 1
Support for cgroupsv1 is deprecated, and will be removed in Talos 1.10 (for non-container mode).
Custom search domains for Talos nodes
Talos now supports specifying custom search domains for Talos nodes using the new config field `machine.network.searchDomains`.
For the host it will look something like this:
```
nameserver 127.0.0.53
search my-custom-search-name.com my-custom-search-name2.com
```
For the pods it will look something like this:
```
search default.svc.cluster.local svc.cluster.local cluster.local my-custom-search-name.com my-custom-search-name2.com
nameserver 10.96.0.10
options ndots:5
```
Device Selectors
Talos now supports matching on permanent hardware (MAC) address of the network interfaces.
This is specifically useful to match bond members, as they change their hardware addresses when they become part of the bond.
Direct Rendering Manager (DRM)
Starting with Talos 1.9, the `i915` and `amdgpu` DRM drivers will be dropped from the Talos squashfs.
There will be new system extensions named `i915` and `amdgpu` that would contain both the drivers and firmware packaged together.
Upgrades via Image Factory will automatically include the new extensions if previously `i915-ucode` or `amdgpu-firmware` were used.
Image Cache
Talos now supports providing a local Image Cache for container images.
Kube APIServer Authorization Config
Starting with Talos 1.9, the `.cluster.apiServer.authorizationConfig` field supports setting Kubernetes API server authorization modes using the `--authorization-config` flag.
The machine config field supports a list of `authorizers`. For instance:
```yaml
cluster:
  apiServer:
    authorizationConfig:
      - type: Node
        name: Node
      - type: RBAC
        name: rbac
```
For new clusters, if the Kubernetes API server supports the `--authorization-config` flag, it'll be used by default instead of the `--authorization-mode` flag.
By default Talos will always add the `Node` and `RBAC` authorizers to the list.
When upgrading, if either a user-provided `authorization-mode` or `authorization-webhook-*` flag is set via `.cluster.apiServer.extraArgs`, it'll be used instead of the new `AuthorizationConfig`.
The current authorization config can be viewed by running: `talosctl get authorizationconfigs.kubernetes.talos.dev -o yaml`
Node Address Sort
Talos supports a new experimental address sort algorithm for `NodeAddress`, which is used to pick the default addresses for kubelet, etcd, etc.
It can be enabled with the following config patch:
```yaml
machine:
  features:
    nodeAddressSortAlgorithm: v2
```
### OCI Base Runtime Spec
Talos now allows you to [modify the OCI base runtime spec for the container runtime](https://www.talos.dev/v1.9/advanced/oci-base-spec/).
### Registry Mirrors
In versions before Talos 1.9, there was a discrepancy between the way Talos itself and the CRI plugin resolve registry mirrors:
Talos will never fall back to the default registry if endpoints are configured, while the CRI plugin will.
> Note: Talos Linux pulls images for the `installer`, `kubelet`, `etcd`, while all workload images are pulled by the CRI plugin.
In Talos 1.9 this was fixed, so that by default an upstream registry is used as a fallback in all cases, while the new registry mirror
configuration option `.skipFallback` can be used to disable this behavior both for Talos and the CRI plugin.
### talosctl disks
The command `talosctl disks` was removed, please use `talosctl get disks`, `talosctl get systemdisk`, and `talosctl get blockdevices` instead.
### talosctl wipe
The new command `talosctl wipe disk` allows you to wipe a disk or a partition which is not used as a volume.
### udevd
Talos previously used `eudev` to provide `udevd`, now it uses `systemd-udevd` instead.
### Component Updates
* Linux: 6.12.4
* containerd: 2.0.0
* Flannel: 0.26.1
* Kubernetes: 1.32.0-rc.1
* runc: 1.2.1
* CoreDNS: 1.12.0
Talos is built with Go 1.23.4.
### User Namespaces
Talos Linux now supports running Kubernetes pods with user namespaces enabled.
Refer to the [documentation](https://www.talos.dev/v1.9/kubernetes-guides/configuration/usernamespace/) for more information.
### Contributors
* Andrey Smirnov
* Noel Georgi
* Dmitriy Matrenichev
* Dmitry Sharshakov
* Joakim Nohlgård
* Utku Ozdemir
* Jean-Francois Roy
* Nico Berlee
* Steven Kreitzer
* blablu
* Adolfo Ochagavía
* Alessio Moiso
* Dan Rue
* David Backeus
* Devin Buhl
* Eddie Wang
* Florian Ströger
* Hexoplon
* Jakob Maležič
* Jasmin
* Justin Garrison
* KBAegis
* Mike Beaumont
* Mohammad Amin Mokhtari
* Nebula
* OliviaBarrington
* Philip Schmid
* Philipp Kleber
* Remko Molier
* Robby Ciliberto
* Roman Ivanov
* Ryan Borstelmann
* Rémi Paulmier
* Sam Stelfox
* Serge Logvinov
* Sergey Melnik
* Spencer Smith
* SpiReCZ
* Steven Cassamajor
* Tim Jones
* Variant9
* adilTepe
* egrosdou01
* ekarlso
* naed3r
* nevermarine
* solidDoWant
* sophia-coldren
### Changes
238 commits
* siderolabs/talos@7e57d5bd2 release(v1.9.0-beta.1): prepare release
* siderolabs/talos@830e95ace feat: update Linux to 6.12.4
* siderolabs/talos@c715695c6 test: fix user namespace test, TPM2 fixes
* siderolabs/talos@ebf1d844e feat: update Linux to 6.12.3
* siderolabs/talos@3a0c34538 fix: install iptables-nft to the host
* siderolabs/talos@50ea58813 docs: fix a few mistakes in release notes
* siderolabs/talos@58e18de0b chore: add version compatibility for Talos 1.10
* siderolabs/talos@f96992490 chore: update Go to 1.23.4
* siderolabs/talos@67fdd10bd chore: add integration tests for image-cache
* siderolabs/talos@2c71086ba fix: lock provisioning order of user disk partitions
* siderolabs/talos@1c26aad56 feat: implement new address sorting algorithm
* siderolabs/talos@1343773e6 test: use two workers in qemu tests by default
* siderolabs/talos@246180feb feat: update Kubernetes to 1.32.0-rc.1
* siderolabs/talos@24f9875e4 feat: support vlan/bond in v1, vlan in v2 for nocloud
* siderolabs/talos@1c8701737 feat: add process scheduling options
* siderolabs/talos@580805bab release(v1.9.0-beta.0): prepare release
* siderolabs/talos@ff13ccc5b docs: update the Cilium CNI deployment
* siderolabs/talos@191825a44 docs: update install-kubevirt.md
* siderolabs/talos@770be1642 feat: support image cache copying
* siderolabs/talos@8fb567dd1 docs: fix typo in virtualbox docs
* siderolabs/talos@60e4561b4 feat: add support for custom search domains
* siderolabs/talos@95c695880 fix: don't reset health status if service doesn't support health checks
* siderolabs/talos@b7609edd1 chore: update pkgs/extras to final 1.9.0 tags
* siderolabs/talos@c7b25430b fix: multiple small fixes for service runners
* siderolabs/talos@e33d2f581 feat: support overriding base OCI spec for CRI
* siderolabs/talos@347b75846 chore: support saving cluster logs on destroy
* siderolabs/talos@c254f261f fix: do not extract xattrs in unsquashfs
* siderolabs/talos@fc3b31575 fix: multiple issues with opening encrypted volumes
* siderolabs/talos@145b02642 chore: deprecate cgroupsv1 in non-container mode
* siderolabs/talos@581c0851d feat: update dependencies
* siderolabs/talos@e9058461e feat: add api-server authorization config
* siderolabs/talos@db1c70768 chore: move enabling SELinux by default to 1.10
* siderolabs/talos@ef69c9d39 feat: update Linux to 6.12.1
* siderolabs/talos@ccc5a8d34 chore: split `config.Registry` into the separate resource
* siderolabs/talos@c735d1492 fix: wait for udevd before starting sync
* siderolabs/talos@bef4d5150 fix: make `system_disk` condition work properly before install
* siderolabs/talos@af91c99ba chore: update image cache config
* siderolabs/talos@e10e90b05 fix: nocloud network link matching on MAC addresses
* siderolabs/talos@2a9130a2e fix: make Talos META partition match more precise
* siderolabs/talos@9adaf7f01 docs: update local-storage.md
* siderolabs/talos@7e19d5c4c docs: add kubevirt install
* siderolabs/talos@f1d1628c8 fix: properly halt installation if Talos already installed
* siderolabs/talos@177df62a0 fix: small logrus fixes
* siderolabs/talos@a9875b770 fix: return proper number from the `timeStampWriter`
* siderolabs/talos@e8a262490 fix: systemd-udevd restore old naming behavior
* siderolabs/talos@939c555f9 fix: imager disk image-cache generator
* siderolabs/talos@1bac0b183 feat: support generating disk images with image cache
* siderolabs/talos@84459d902 fix: make immage cache config apply immediately
* siderolabs/talos@56e1ee72e release(v1.9.0-alpha.3): prepare release
* siderolabs/talos@af5d6b8c4 fix: show SELinux labels on pseudo-fs
* siderolabs/talos@f46922fa9 chore: fix dockerfile warnings
* siderolabs/talos@a13f82c59 feat: udev: label device nodes
* siderolabs/talos@e899fb37f feat: label created files in /etc
* siderolabs/talos@5f68c17ed feat: implement image cache configuration
* siderolabs/talos@0ffb2187a feat: registry proxy
...
v1.9.0-beta.0
Talos 1.9.0-beta.0 (2024-12-02)
Welcome to the v1.9.0-beta.0 release of Talos!
This is a pre-release of Talos
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Auditd
Talos Linux now starts an auditd service by default.
Logs can be read with `talosctl logs auditd`.
talosctl cgroups
The `talosctl cgroups` command has been added to the `talosctl` tool.
This command allows you to view the cgroup resource consumption and limits for a machine, e.g. `talosctl cgroups --preset memory`.
cgroups version 1
Support for cgroupsv1 is deprecated, and will be removed in Talos 1.10 (for non-container mode).
Custom search domains for Talos nodes
Talos now supports specifying custom search domains for Talos nodes using the new config field `machine.network.searchDomains`.
For the host it will look something like this:
```
nameserver 127.0.0.53
search my-custom-search-name.com my-custom-search-name2.com
```
For the pods it will look something like this:
```
search default.svc.cluster.local svc.cluster.local cluster.local my-custom-search-name.com my-custom-search-name2.com
nameserver 10.96.0.10
options ndots:5
```
Device Selectors
Talos now supports matching on permanent hardware (MAC) address of the network interfaces.
This is specifically useful to match bond members, as they change their hardware addresses when they become part of the bond.
Direct Rendering Manager (DRM)
Starting with Talos 1.9, the `i915` and `amdgpu` DRM drivers will be dropped from the Talos squashfs.
There will be new system extensions named `i915` and `amdgpu` that would contain both the drivers and firmware packaged together.
Upgrades via Image Factory will automatically include the new extensions if previously `i915-ucode` or `amdgpu-firmware` were used.
Image Cache
Talos now supports providing a local Image Cache for container images.
Kube APIServer Authorization Config
Starting with Talos 1.9, the `.cluster.apiServer.authorizationConfig` field supports setting Kubernetes API server authorization modes using the `--authorization-config` flag.
The machine config field supports a list of `authorizers`. For example:
```yaml
cluster:
  apiServer:
    authorizationConfig:
      - type: Node
        name: Node
      - type: RBAC
        name: rbac
```
For new clusters, if the Kubernetes API server supports the `--authorization-config` flag, it'll be used by default instead of the `--authorization-mode` flag.
By default Talos will always add the `Node` and `RBAC` authorizers to the list.
When upgrading, if either a user-provided `authorization-mode` or `authorization-webhook-*` flag is set via `.cluster.apiServer.extraArgs`, it'll be used instead of the new `AuthorizationConfig`.
The current authorization config can be viewed by running: `talosctl get authorizationconfigs.kubernetes.talos.dev -o yaml`
OCI Base Runtime Spec
Talos now allows you to modify the OCI base runtime spec for the container runtime.
Registry Mirrors
In versions before Talos 1.9, there was a discrepancy between the way Talos itself and the CRI plugin resolve registry mirrors:
Talos will never fall back to the default registry if endpoints are configured, while the CRI plugin will.
Note: Talos Linux pulls images for the `installer`, `kubelet`, `etcd`, while all workload images are pulled by the CRI plugin.
In Talos 1.9 this was fixed, so that by default an upstream registry is used as a fallback in all cases, while the new registry mirror configuration option `.skipFallback` can be used to disable this behavior both for Talos and the CRI plugin.
talosctl disks
The command `talosctl disks` was removed, please use `talosctl get disks`, `talosctl get systemdisk`, and `talosctl get blockdevices` instead.
talosctl wipe
The new command `talosctl wipe disk` allows you to wipe a disk or a partition which is not used as a volume.
udevd
Talos previously used `eudev` to provide `udevd`, now it uses `systemd-udevd` instead.
Component Updates
- Linux: 6.12.1
- containerd: 2.0.0
- Flannel: 0.26.1
- Kubernetes: 1.32.0-rc.0
- runc: 1.2.1
- CoreDNS: 1.12.0
Talos is built with Go 1.23.3.
User Namespaces
Talos Linux now supports running Kubernetes pods with user namespaces enabled.
Refer to the documentation for more information.
Contributors
- Andrey Smirnov
- Noel Georgi
- Dmitriy Matrenichev
- Dmitry Sharshakov
- Joakim Nohlgård
- Jean-Francois Roy
- Nico Berlee
- Steven Kreitzer
- Utku Ozdemir
- blablu
- Adolfo Ochagavía
- Alessio Moiso
- Dan Rue
- David Backeus
- Devin Buhl
- Eddie Wang
- Florian Ströger
- Hexoplon
- Jakob Maležič
- Jasmin
- Justin Garrison
- KBAegis
- Mike Beaumont
- Mohammad Amin Mokhtari
- Nebula
- OliviaBarrington
- Philip Schmid
- Philipp Kleber
- Remko Molier
- Robby Ciliberto
- Roman Ivanov
- Ryan Borstelmann
- Rémi Paulmier
- Sam Stelfox
- Serge Logvinov
- Sergey Melnik
- Spencer Smith
- SpiReCZ
- Steven Cassamajor
- Tim Jones
- Variant9
- adilTepe
- egrosdou01
- ekarlso
- naed3r
- nevermarine
- solidDoWant
- sophia-coldren
Changes
223 commits
- 580805bab release(v1.9.0-beta.0): prepare release
- ff13ccc5b docs: update the Cilium CNI deployment
- 191825a44 docs: update install-kubevirt.md
- 770be1642 feat: support image cache copying
- 8fb567dd1 docs: fix typo in virtualbox docs
- 60e4561b4 feat: add support for custom search domains
- 95c695880 fix: don't reset health status if service doesn't support health checks
- b7609edd1 chore: update pkgs/extras to final 1.9.0 tags
- c7b25430b fix: multiple small fixes for service runners
- e33d2f581 feat: support overriding base OCI spec for CRI
- 347b75846 chore: support saving cluster logs on destroy
- c254f261f fix: do not extract xattrs in unsquashfs
- fc3b31575 fix: multiple issues with opening encrypted volumes
- 145b02642 chore: deprecate cgroupsv1 in non-container mode
- 581c0851d feat: update dependencies
- e9058461e feat: add api-server authorization config
- db1c70768 chore: move enabling SELinux by default to 1.10
- ef69c9d39 feat: update Linux to 6.12.1
- ccc5a8d34 chore: split config.Registry into the separate resource
- c735d1492 fix: wait for udevd before starting sync
- bef4d5150 fix: make system_disk condition work properly before install
- af91c99ba chore: update image cache config
- e10e90b05 fix: nocloud network link matching on MAC addresses
- 2a9130a2e fix: make Talos META partition match more precise
- 9adaf7f01 docs: update local-storage.md
- 7e19d5c4c docs: add kubevirt install
- f1d1628c8 fix: properly halt installation if Talos already installed
- 177df62a0 fix: small logrus fixes
- a9875b770 fix: return proper number from the timeStampWriter
- e8a262490 fix: systemd-udevd restore old naming behavior
- 939c555f9 fix: imager disk image-cache generator
- 1bac0b183 feat: support generating disk images with image cache
- 84459d902 fix: make image cache config apply immediately
- 56e1ee72e release(v1.9.0-alpha.3): prepare release
- af5d6b8c4 fix: show SELinux labels on pseudo-fs
- f46922fa9 chore: fix dockerfile warnings
- a13f82c59 feat: udev: label device nodes
- e899fb37f feat: label created files in /etc
- 5f68c17ed feat: implement image cache configuration
- 0ffb2187a feat: registry proxy
- 77cf84fb5 feat: support generating iso with imagecache
- 5de6275b8 chore: image cache generator improvements
- 1a8cc5f8b feat: add SELinux labels to volumes
- 61b9129e0 fix: add directory entries and filemode to tarball
- 4caeae21e refactor: optimize flags and SetLabel
- 6074a870a feat: add e2fsprogs to talos rootfs
- 7ffcf5b93 docs: update getting started
- c4c1a0d7c fix: make vmware platform common code build on all arches
- cc768037f feat: implement block device wipe
- 6fb518ae5 fix: don't activate LVM volumes in agent mode
- 0e3ed3072 fix: no longer leak Close reader
- 4dc58cfdf chore: small fixes
- f400ae911 fix: small fixes for image cache generation
- 93754b7de fix: config and platform manifest generation
- 95b2fc946 feat: image cache gen
- e4c6186c6 chore: remove i915/amdgpu drivers
- 744ad12a6 docs: update replicated-local-storage-with-openebs.md
- fd713e451 feat: add permanent hardware addr to device selectors
- d55a96e8c refactor: remove SELinux client_u and client_r
- siderolabs/talos@3a5b55...
v1.9.0-alpha.3
Talos 1.9.0-alpha.3 (2024-11-25)
Welcome to the v1.9.0-alpha.3 release of Talos!
This is a pre-release of Talos
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
AppArmor
Talos Linux starting with v1.9 will ship with SELinux LSM enabled by default.
If you need to use AppArmor LSM add the following to the machine configuration:
machine:
  install:
    extraKernelArgs:
      - -selinux
      - lsm=lockdown,capability,yama,apparmor,bpf
      - apparmor=1
Auditd
Talos Linux now starts an auditd service by default.
Logs can be read with talosctl logs auditd.
talosctl cgroups
The talosctl cgroups command has been added to the talosctl tool.
This command allows you to view the cgroup resource consumption and limits for a machine, e.g. talosctl cgroups --preset memory.
Device Selectors
Talos now supports matching on permanent hardware (MAC) address of the network interfaces.
This is specifically useful to match bond members, as they change their hardware addresses when they become part of the bond.
Direct Rendering Manager (DRM)
Starting with Talos 1.9, the i915 and amdgpu DRM drivers will be dropped from the Talos squashfs.
There will be new system extensions named i915 and amdgpu that would contain both the drivers and firmware packaged together.
Upgrades via Image Factory will automatically include the new extensions if previously i915-ucode or amdgpu-firmware were used.
Registry Mirrors
In versions before Talos 1.9, there was a discrepancy between the way Talos itself and the CRI plugin resolve registry mirrors:
Talos will never fall back to the default registry if endpoints are configured, while the CRI plugin will.
Note: Talos Linux pulls images for the installer, kubelet, etcd, while all workload images are pulled by the CRI plugin.
In Talos 1.9 this was fixed, so that by default an upstream registry is used as a fallback in all cases, while the new registry mirror configuration option .skipFallback can be used to disable this behavior both for Talos and the CRI plugin.
talosctl disks
The command talosctl disks was removed, please use talosctl get disks, talosctl get systemdisk, and talosctl get blockdevices instead.
talosctl wipe
The new command talosctl wipe disk allows wiping a disk or a partition which is not used as a volume.
udevd
Talos previously used eudev to provide udevd, now it uses systemd-udevd instead.
Component Updates
- Linux: 6.6.60
- containerd: 2.0.0
- Flannel: 0.26.0
- Kubernetes: 1.32.0-beta.0
- runc: 1.2.1
Talos is built with Go 1.23.3.
User Namespaces
Talos Linux now supports running Kubernetes pods with user namespaces enabled.
Refer to the documentation for more information.
Contributors
- Andrey Smirnov
- Noel Georgi
- Dmitry Sharshakov
- Dmitriy Matrenichev
- Joakim Nohlgård
- Jean-Francois Roy
- Utku Ozdemir
- blablu
- Adolfo Ochagavía
- Alessio Moiso
- Dan Rue
- David Backeus
- Eddie Wang
- Florian Ströger
- Hexoplon
- Jakob Maležič
- KBAegis
- Mike Beaumont
- Nebula
- Nico Berlee
- OliviaBarrington
- Philip Schmid
- Philipp Kleber
- Remko Molier
- Robby Ciliberto
- Roman Ivanov
- Ryan Borstelmann
- Sam Stelfox
- Serge Logvinov
- Sergey Melnik
- Spencer Smith
- SpiReCZ
- Steven Cassamajor
- Steven Kreitzer
- Tim Jones
- Variant9
- adilTepe
- ekarlso
- naed3r
- nevermarine
- solidDoWant
- sophia-coldren
Changes
190 commits
- 56e1ee72e release(v1.9.0-alpha.3): prepare release
- af5d6b8c4 fix: show SELinux labels on pseudo-fs
- f46922fa9 chore: fix dockerfile warnings
- a13f82c59 feat: udev: label device nodes
- e899fb37f feat: label created files in /etc
- 5f68c17ed feat: implement image cache configuration
- 0ffb2187a feat: registry proxy
- 77cf84fb5 feat: support generating iso with imagecache
- 5de6275b8 chore: image cache generator improvements
- 1a8cc5f8b feat: add SELinux labels to volumes
- 61b9129e0 fix: add directory entries and filemode to tarball
- 4caeae21e refactor: optimize flags and SetLabel
- 6074a870a feat: add e2fsprogs to talos rootfs
- 7ffcf5b93 docs: update getting started
- c4c1a0d7c fix: make vmware platform common code build on all arches
- cc768037f feat: implement block device wipe
- 6fb518ae5 fix: don't activate LVM volumes in agent mode
- 0e3ed3072 fix: no longer leak Close reader
- 4dc58cfdf chore: small fixes
- f400ae911 fix: small fixes for image cache generation
- 93754b7de fix: config and platform manifest generation
- 95b2fc946 feat: image cache gen
- e4c6186c6 chore: remove i915/amdgpu drivers
- 744ad12a6 docs: update replicated-local-storage-with-openebs.md
- fd713e451 feat: add permanent hardware addr to device selectors
- d55a96e8c refactor: remove SELinux client_u and client_r
- 3a5b55fd2 fix: allow CEL expressions config merge
- f1b15f580 chore: remove replace for safchain/ethtool
- f9697a9a0 fix: register controlplane node with NoSchedule taint
- 30f8b5a9f fix: registry mirror fallback handling
- 0f41e7743 feat: allow for onlink directive (nocloud)
- e26d0043e chore: code cleanup
- 43fe3807a feat: implement tracking of blockdevice secondaries
- 8a7476c3a fix: install on non-empty disk
- 8b4253d18 feat: update etcd to v3.5.17
- 5a0fd5b88 refactor: move early initialization functions to pre-initialize phase
- 9916e2cd8 chore: update pkgs/tools/extras for Go 1.23.3
- 20bbf0235 docs: update vultr documentation
- aea98940b fix: arch linux search paths and names for QEMU provisioner
- 682718d4c fix: use imager incoming version for extension validation
- 9a02ecc49 feat: rewrite install disk selector to use CEL expressions
- eba35f441 docs: add note about PSP in Rook-Ceph guide
- 38b80fb1d docs: add missing --talosconfig parameter to end of Hetzner guide
- a07f66c91 docs: gcp: fix controlplane nodes tags
- 4fe6dc8a0 chore: clean dns code
- 0290a3881 release(v1.9.0-alpha.2): prepare release
- a309f6aa5 chore: fix nil pointer dereference in AWS uploader
- 333737f17 test: fix unprivileged process runner test
- 200116705 chore(ci): save support zip always after tests
- 6a42c3b8e release(v1.9.0-alpha.1): prepare release
- fb72e4b7b fix(ci): skip test if UserNamespacesSupport feature gate is not set
- 11380f933 feat: display current CPU frequency on dashboard
- fbce267ae feat: check bridged interfaces should not have addresses
- 942962bf0 docs: add docs on usernamespace support in k8s
- 0406a05a9 chore: update pkgs to ones built with gcc 14.2
- 2e127627d docs: add apparmor enablement release notes
- aa9311f3d fix: install disk matcher error
- 1800f8104 fix: selinux handling and apparmor tests
- 313bffadf feat: update Kubernetes to v1.32.0-beta.0
- bbfa14451 feat: update containerd to v2.0.0
- 8e02b9fcb docs: update manual k8s upgrade docs
- 474949dc7 feat: add dm-cache dm-cache-smq kernel modules
- 5112547d6 chore: generate support zip for crashdump
- a867f85e4 feat: label system socket and runtime files
- 398f714cf feat: update Linux 6.6.59, runc 1.2.1
- 05c620957 feat: allow extra mounts for docker-based talosctl cluster create
- cedabeddf chore: cleanup code
- 61d363e1d chore: update go-auditlib
- 960a04049 feat: start enabling SELinux
- 7f3aaa21c fix: update permissions for logging directories in /var
- 0e6c983b8 fix: mount /sys/kernel/security conditionally
- 74b0e8c37 fix: make route normalization keep family
- 0a3761c22 fix: talosctl windows arm64
- 4b10c5328 chore: add Windows ARM64 build for talosctl
- 9abf16108 feat: add auditd service
- d464ca869 chore: drop runc memfd bind added in #9069
- b54d26c2c fix: mount pseudo sub-mountpoints in init
- 7aeb15f73 chore: disable coredns cache for cluster domain
- d8b652150 docs: add warning about NVMe bus path bug
- 3e16ab135 feat: update Kubernetes to v1.32.0-alpha.3
- 0b8b35677 feat: add BridgePort property to network machine configuration
- b37950625 fix: use more correct condition to skip generating hosts files
- 62ec7ec33 refactor: replace the old v1 mount package with new one
- 0ece13c62 docs: update network-config.md (cont)
- 93827f048 docs: update network-config.md
- siderol...
v1.8.3
Talos 1.8.3 (2024-11-13)
Welcome to the v1.8.3 release of Talos!
Starting with Talos v1.8.0, only standard assets would be published as github release assets. These include:
- cloud-images.json
- talosctl binaries
- kernel
- initramfs
- metal iso and disk images
- talosctl-cni-bundle
All other release assets can be downloaded from Image Factory.
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Component Updates
- Linux: 6.6.60
- containerd: 2.0.0
- runc: 1.2.1
Talos is built with Go 1.22.9.
Contributors
- Andrey Smirnov
- blablu
- Dmitry Sharshakov
- Joakim Nohlgård
- Noel Georgi
- Remko Molier
- Sam Stelfox
Changes
15 commits
- 6494aced3 release(v1.8.3): prepare release
- 01c9f4584 fix: arch linux search paths and names for QEMU provisioner
- 8b5c5f108 chore: fix nil pointer dereference in AWS uploader
- fbf85dd0d fix: install disk matcher error
- ff3fccea9 feat: add dm-cache dm-cache-smq kernel modules
- 6d872e41c feat: allow extra mounts for docker-based talosctl cluster create
- 8c193c8b1 fix: update permissions for logging directories in /var
- 5044a410c fix: mount /sys/kernel/security conditionally
- 83abb6644 fix: make route normalization keep family
- 228a94387 fix: do not trim 0 from process SELinux label
- d4a3a2b62 fix: prevent panic in nocloud platform code
- 5c7b02d7e fix: update the CRI sandbox image reference
- f8155c40d feat: add parsing of vlanNNNN:ethX style VLAN cmdline args
- ea19f157f fix: generation of SecureBoot iso
- fddaa60e2 feat: update Linux, runc, containerd, go
Changes from siderolabs/pkgs
7 commits
- siderolabs/pkgs@9c80a4a feat: update Linux to 6.6.60
- siderolabs/pkgs@747c6c7 feat: update containerd to v2.0.0
- siderolabs/pkgs@87c6526 feat: enable CONFIG_DM_CACHE
- siderolabs/pkgs@b4fa648 fix: enable nvme and 2.5gbit ethernet on nanopi-r5s
- siderolabs/pkgs@079ea13 feat: update Linux to 6.6.59
- siderolabs/pkgs@e4bc753 feat: update runc to v1.2.1
- siderolabs/pkgs@de3dbf5 feat: update Go to 1.22.9
Changes from siderolabs/tools
Dependency Changes
- github.com/docker/cli v27.1.1 new
- github.com/docker/docker v27.2.0 -> v27.1.1
- github.com/siderolabs/pkgs v1.8.0-24-ge72b2f4 -> v1.8.0-31-g9c80a4a
- github.com/siderolabs/talos/pkg/machinery v1.8.2 -> v1.8.3
- github.com/siderolabs/tools v1.8.0-2-g7719230 -> v1.8.0-3-g653182a
Previous release can be found at v1.8.2
Images
ghcr.io/siderolabs/flannel:v0.25.7
registry.k8s.io/coredns/coredns:v1.11.3
gcr.io/etcd-development/etcd:v3.5.16
registry.k8s.io/kube-apiserver:v1.31.2
registry.k8s.io/kube-controller-manager:v1.31.2
registry.k8s.io/kube-scheduler:v1.31.2
registry.k8s.io/kube-proxy:v1.31.2
ghcr.io/siderolabs/kubelet:v1.31.2
ghcr.io/siderolabs/installer:v1.8.3
registry.k8s.io/pause:3.10
v1.9.0-alpha.2
Talos 1.9.0-alpha.2 (2024-11-08)
Welcome to the v1.9.0-alpha.2 release of Talos!
This is a pre-release of Talos
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
AppArmor
Talos Linux starting with v1.9 will ship with SELinux LSM enabled by default.
If you need to use AppArmor LSM add the following to the machine configuration:
machine:
  install:
    extraKernelArgs:
      - -selinux
      - lsm=lockdown,capability,yama,apparmor,bpf
      - apparmor=1
Auditd
Talos Linux now starts an auditd service by default.
Logs can be read with talosctl logs auditd.
talosctl cgroups
The talosctl cgroups command has been added to the talosctl tool.
This command allows you to view the cgroup resource consumption and limits for a machine, e.g. talosctl cgroups --preset memory.
udevd
Talos previously used udevd to provide udevd, now it uses systemd-udevd instead.
Component Updates
- Linux: 6.6.59
- containerd: 2.0.0
- Flannel: 0.26.0
- Kubernetes: 1.32.0-beta.0
- runc: 1.2.1
Talos is built with Go 1.23.2.
User Namespaces
Talos Linux now supports running Kubernetes pods with user namespaces enabled.
Refer to the documentation for more information.
Contributors
- Andrey Smirnov
- Noel Georgi
- Dmitriy Matrenichev
- Dmitry Sharshakov
- Joakim Nohlgård
- Jean-Francois Roy
- Utku Ozdemir
- blablu
- Adolfo Ochagavía
- Dan Rue
- David Backeus
- Eddie Wang
- Florian Ströger
- Hexoplon
- Jakob Maležič
- KBAegis
- Mike Beaumont
- Nebula
- Nico Berlee
- Philip Schmid
- Philipp Kleber
- Remko Molier
- Robby Ciliberto
- Ryan Borstelmann
- Serge Logvinov
- Spencer Smith
- Steven Cassamajor
- Tim Jones
- adilTepe
- ekarlso
- naed3r
- nevermarine
- solidDoWant
Changes
145 commits
- 0290a3881 release(v1.9.0-alpha.2): prepare release
- a309f6aa5 chore: fix nil pointer dereference in AWS uploader
- 333737f17 test: fix unprivileged process runner test
- 200116705 chore(ci): save support zip always after tests
- 6a42c3b8e release(v1.9.0-alpha.1): prepare release
- fb72e4b7b fix(ci): skip test if UserNamespacesSupport feature gate is not set
- 11380f933 feat: display current CPU frequency on dashboard
- fbce267ae feat: check bridged interfaces should not have addresses
- 942962bf0 docs: add docs on usernamespace support in k8s
- 0406a05a9 chore: update pkgs to ones built with gcc 14.2
- 2e127627d docs: add apparmor enablement release notes
- aa9311f3d fix: install disk matcher error
- 1800f8104 fix: selinux handling and apparmor tests
- 313bffadf feat: update Kubernetes to v1.32.0-beta.0
- bbfa14451 feat: update containerd to v2.0.0
- 8e02b9fcb docs: update manual k8s upgrade docs
- 474949dc7 feat: add dm-cache dm-cache-smq kernel modules
- 5112547d6 chore: generate support zip for crashdump
- a867f85e4 feat: label system socket and runtime files
- 398f714cf feat: update Linux 6.6.59, runc 1.2.1
- 05c620957 feat: allow extra mounts for docker-based talosctl cluster create
- cedabeddf chore: cleanup code
- 61d363e1d chore: update go-auditlib
- 960a04049 feat: start enabling SELinux
- 7f3aaa21c fix: update permissions for logging directories in /var
- 0e6c983b8 fix: mount /sys/kernel/security conditionally
- 74b0e8c37 fix: make route normalization keep family
- 0a3761c22 fix: talosctl windows arm64
- 4b10c5328 chore: add Windows ARM64 build for talosctl
- 9abf16108 feat: add auditd service
- d464ca869 chore: drop runc memfd bind added in #9069
- b54d26c2c fix: mount pseudo sub-mountpoints in init
- 7aeb15f73 chore: disable coredns cache for cluster domain
- d8b652150 docs: add warning about NVMe bus path bug
- 3e16ab135 feat: update Kubernetes to v1.32.0-alpha.3
- 0b8b35677 feat: add BridgePort property to network machine configuration
- b37950625 fix: use more correct condition to skip generating hosts files
- 62ec7ec33 refactor: replace the old v1 mount package with new one
- 0ece13c62 docs: update network-config.md (cont)
- 93827f048 docs: update network-config.md
- 423b1e5fb fix: do not trim 0 from process SELinux label
- 2136358d6 feat: introduce metal agent mode
- 0e15955fc chore: small refactoring
- 66012a7f2 feat: remove wrapperd and launch processes directly
- 3a0a17ae6 fix: prevent panic in nocloud platform code
- dc0c6acbd refactor: remove unmaintained github.com/vishvananda/netlink
- 78353f791 feat: add parsing of vlanNNNN:ethX style VLAN cmdline args
- 9db7a36bf fix: generation of SecureBoot iso
- c755b6d7e fix: update the CRI sandbox image reference
- cec290b35 feat: allow extensions to log to console
- b7801df82 fix: wait for udevd to be running before activating LVM
- d4cb478a5 docs: improve field description for BridgeSTP, BridgeVLAN
- 7329824b2 docs: add Mynewsdesk to ADOPTERS.md
- a13cf76a3 chore: simplify DNSUpstreamController and DNSUpstream resource
- 62d185473 fix: talosctl process null character
- 77d7368ea feat: update containerd to v2.0.0-rc.6
- d39393879 fix: rework the 'metal-iso' config acquisition
- 1993afca9 chore: create /usr/etc in a different step
- 8680351c1 chore: move system extensions' udev rules
- 3067f64c8 feat: update Flannel to v0.26.0
- 8658d6865 docs: typo in deploying cilium
- 49bbadc4b docs: add documentation on performance tuning
- 534b0ce18 feat: update runc to 1.2.0 final
- 217253523 docs: fix image factory links
- 375e3da73 feat: update Kubernetes to 1.32.0-alpha.2
- 9e6f64df0 fix: improve error messages for invalid bridge/bond configuration
- 7c8c72c2b fix: correct error message for invalid ip=
- ead46997c chore: rename tpm2.PCRExtent -> tpm2.PCRExtend
- 867c4b812 docs: fix typo in prodnotes.md
- 1b22df48a chore: support debug shell for advanced development
- c14b44622 feat: update Kubernetes to v1.32.0-alpha.1
- 29780d35a test: add an integration test for verifying process parameters
- 3d342af44 fix: update incorrect alias for PCIDevice resource
- f7d35a5e0 release(v1.9.0-alpha.0): prepare release
- e0434d77d feat: update dependencies
- 5c5a24886 feat: add Talos 1.9 compatibility guarantees
- bc4c21f41 test: add json logs test environment
- 71faa3294 docs: nvidia proprietary/oss hardware requirement
- 59a78da42 chore: add proto-codec/codec
- 7ff1cedfe chore: update siderolabs/crypto module and return proper ALPN
- ccbd5aed3 feat: optionally decode hcloud userdata as base64
- 34f652ce8 feat: add well-known app.kubernetes.io labels to control-plane pods
- fc89dc216 fix: support extra-disks when using iso
- f2bff814d chore: add arm64 target for integration-test
- 5853bb0ea fix: json logging panic
- a859cff36 chore: use virtio driver for disks in arm64
- db248de88 chore(ci): add config for lldpd extension
- 9f0de9f43 test: update provision upgrade tests for Talos 1.9
- 39fe285e6 fix: skip ram disks
- a9bff3a1d test: skip no error test in Cilium
- 4d902021b fix: do not use pflag csv comma reader for config-patch
- 5371788ce fix: typo in documentation
- 8a228ba6b docs: add egress documentation
- 182325cb0 test: skip lvm test if not enough user disks available
- 519a48302 fix: wipe system partitions correctly via kernel args
- 0a2b4556c fix: volume encryption with failing keyslots
- 6affbd318 fix: update grpc-go the latest patch release
- 77a4a4adc fix: scaleway metadata
- 7acadc0c8 fix: do not stop udevd before unmounting volumes
- 6a081055b feat: update Flannel to v0.25.7
- 2362f6d3e fix: improve container detection
- b67bc73fd fix: fix mdadm system extension
- f08669c7a feat: bring in lpfc kernel module driver
- 6a014374b feat: enable QEDF driver
- f711907e0 fix: make /var/run empty on reboots
- 7d02eb60f docs: fix typo in CloudStack docs
- 74861573a fix: multiple fixes for LVM activation
- 74c12c20e feat: replace eudev with systemd-udevd
- 0a4df4ef8 docs: fi...
v1.8.2
Talos 1.8.2 (2024-10-28)
Welcome to the v1.8.2 release of Talos!
Starting with Talos v1.8.0, only standard assets would be published as github release assets. These include:
- cloud-images.json
- talosctl binaries
- kernel
- initramfs
- metal iso and disk images
- talosctl-cni-bundle
All other release assets can be downloaded from Image Factory.
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Component Updates
- Linux: 6.6.58
- containerd: 2.0.0-rc.6
- runc: 1.2.0
- Kubernetes: 1.31.2
Talos is built with Go 1.22.8.
Contributors
- Andrey Smirnov
- Dmitriy Matrenichev
- Joakim Nohlgård
- Noel Georgi
- Philip Schmid
- Philipp Kleber
- Serge Logvinov
Changes
18 commits
- 88f861a08 release(v1.8.2): prepare release
- cfc10106a fix: include iptables/netfilter ipv6 fix
- d8e2daf77 fix: wait for udevd to be running before activating LVM
- e105a3d74 fix: talosctl process null character
- 0e96e99b2 fix: rework the 'metal-iso' config acquisition
- 7ef579650 fix: improve error messages for invalid bridge/bond configuration
- a3fcbe0ba chore: rename tpm2.PCRExtent -> tpm2.PCRExtend
- a9e6e60ca fix: correct error message for invalid ip=
- 49de0abaa fix: update incorrect alias for PCIDevice resource
- 9b561ac3d feat: add Talos 1.9 compatibility guarantees
- 2ea3f85bc chore: update siderolabs/crypto module and return proper ALPN
- ce4791251 feat: optionally decode hcloud userdata as base64
- f20a6900d fix: json logging panic
- d855bb8be fix: skip ram disks
- b429e7f28 fix: do not use pflag csv comma reader for config-patch
- ee44f2c51 test: skip no error test in Cilium
- 7d055af29 fix: scaleway metadata
- 9f62fe96c feat: update pkgs and Kubernetes
Changes from siderolabs/crypto
Changes from siderolabs/go-circular
Changes from siderolabs/pkgs
8 commits
- siderolabs/pkgs@e72b2f4 fix: apply netfilter ipv6 fix
- siderolabs/pkgs@9aac1a8 feat: update containerd to v2.0.0-rc.6
- siderolabs/pkgs@9668729 feat: update Linux to 6.6.58
- siderolabs/pkgs@9bc27b3 feat: update runc to 1.2.0
- siderolabs/pkgs@f7cc89e fix: default IOMMU mode to 'lazy'
- siderolabs/pkgs@7ca4e2c feat: update Linux to 6.6.57, update Linux firmware
- siderolabs/pkgs@e2c4848 feat: update Linux 6.6.56 and protect /proc/mem
- siderolabs/pkgs@c7729c3 feat: enable CONFIG_XFRM_STATISTICS
Changes from siderolabs/siderolink
Dependency Changes
- github.com/klauspost/compress v1.17.10 -> v1.17.11
- github.com/siderolabs/crypto v0.4.4 -> v0.5.0
- github.com/siderolabs/go-circular v0.2.0 -> v0.2.1
- github.com/siderolabs/pkgs v1.8.0-16-g71d23b4 -> v1.8.0-24-ge72b2f4
- github.com/siderolabs/siderolink v0.3.10 -> v0.3.11
- github.com/siderolabs/talos/pkg/machinery v1.8.1 -> v1.8.2
- golang.org/x/time v0.6.0 -> v0.7.0
- k8s.io/api v0.31.1 -> v0.31.2
- k8s.io/apiserver v0.31.1 -> v0.31.2
- k8s.io/client-go v0.31.1 -> v0.31.2
- k8s.io/component-base v0.31.1 -> v0.31.2
- k8s.io/kube-scheduler v0.31.1 -> v0.31.2
- k8s.io/kubectl v0.31.1 -> v0.31.2
- k8s.io/kubelet v0.31.1 -> v0.31.2
- k8s.io/pod-security-admission v0.31.1 -> v0.31.2
Previous release can be found at v1.8.1
Images
ghcr.io/siderolabs/flannel:v0.25.7
registry.k8s.io/coredns/coredns:v1.11.3
gcr.io/etcd-development/etcd:v3.5.16
registry.k8s.io/kube-apiserver:v1.31.2
registry.k8s.io/kube-controller-manager:v1.31.2
registry.k8s.io/kube-scheduler:v1.31.2
registry.k8s.io/kube-proxy:v1.31.2
ghcr.io/siderolabs/kubelet:v1.31.2
ghcr.io/siderolabs/installer:v1.8.2
registry.k8s.io/pause:3.9
v1.9.0-alpha.0
Talos 1.9.0-alpha.0 (2024-10-18)
Welcome to the v1.9.0-alpha.0 release of Talos!
This is a pre-release of Talos
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
talosctl cgroups
The talosctl cgroups command has been added to the talosctl tool.
This command allows you to view the cgroup resource consumption and limits for a machine, e.g. talosctl cgroups --preset memory.
udevd
Talos previously used udevd to provide udevd, now it uses systemd-udevd instead.
Component Updates
- Linux: 6.6.57
- containerd: 2.0.0-rc.5
- Flannel: 0.25.7
Talos is built with Go 1.23.2.
Contributors
- Andrey Smirnov
- Dmitriy Matrenichev
- Noel Georgi
- Dmitry Sharshakov
- Jean-Francois Roy
- Adolfo Ochagavía
- Dan Rue
- Eddie Wang
- Florian Ströger
- Hexoplon
- Mike Beaumont
- Philip Schmid
- Philipp Kleber
- Robby Ciliberto
- Ryan Borstelmann
- Serge Logvinov
- Spencer Smith
- Steven Cassamajor
- Tim Jones
- adilTepe
- ekarlso
- naed3r
Changes
72 commits
- f7d35a5e0 release(v1.9.0-alpha.0): prepare release
- e0434d77d feat: update dependencies
- 5c5a24886 feat: add Talos 1.9 compatibility guarantees
- bc4c21f41 test: add json logs test environment
- 71faa3294 docs: nvidia proprietary/oss hardware requirement
- 59a78da42 chore: add proto-codec/codec
- 7ff1cedfe chore: update siderolabs/crypto module and return proper ALPN
- ccbd5aed3 feat: optionally decode hcloud userdata as base64
- 34f652ce8 feat: add well-known app.kubernetes.io labels to control-plane pods
- fc89dc216 fix: support extra-disks when using iso
- f2bff814d chore: add arm64 target for integration-test
- 5853bb0ea fix: json logging panic
- a859cff36 chore: use virtio driver for disks in arm64
- db248de88 chore(ci): add config for lldpd extension
- 9f0de9f43 test: update provision upgrade tests for Talos 1.9
- 39fe285e6 fix: skip ram disks
- a9bff3a1d test: skip no error test in Cilium
- 4d902021b fix: do not use pflag csv comma reader for config-patch
- 5371788ce fix: typo in documentation
- 8a228ba6b docs: add egress documentation
- 182325cb0 test: skip lvm test if not enough user disks available
- 519a48302 fix: wipe system partitions correctly via kernel args
- 0a2b4556c fix: volume encryption with failing keyslots
- 6affbd318 fix: update grpc-go the latest patch release
- 77a4a4adc fix: scaleway metadata
- 7acadc0c8 fix: do not stop udevd before unmounting volumes
- 6a081055b feat: update Flannel to v0.25.7
- 2362f6d3e fix: improve container detection
- b67bc73fd fix: fix mdadm system extension
- f08669c7a feat: bring in lpfc kernel module driver
- 6a014374b feat: enable QEDF driver
- f711907e0 fix: make /var/run empty on reboots
- 7d02eb60f docs: fix typo in CloudStack docs
- 74861573a fix: multiple fixes for LVM activation
- 74c12c20e feat: replace eudev with systemd-udevd
- 0a4df4ef8 docs: fix nvidia CRI config example
- afc1e1a46 docs: fix typo in extraMounts directory
- a341bdb06 fix: prevent file descriptors leaks to child processes
- dec653bfe chore: better lvm2 tests
- 908fd8789 feat: support cgroup deep analysis in talosctl
- aa846cc18 feat: add support for CI Network config in nocloud
- 10f2539f2 chore: disable cloud-images cron workflow
- b07a8b36b chore: ignore more plugins for system containerd
- 392c4798f feat: prepare for Talos 1.9
- ea7bf9fb4 docs: update storage.md
- 4ab8dee69 fix: build talosctl without tcell_minimal
- 2fa019bd9 docs: enable 'edit on GitHub' link
- d2ccbc2b1 docs: update hetzner documentation for CCM
- d498f647c docs: fix Kernel Self Protection Project (KSPP) references
- 0ec75463e docs: make Talos 1.8 current release
- 9b77698cf fix: update blockdevice library to v2.0.2
- e46227ab9 docs: fix kubespan name inconsistency
- 6b15ca19c fix: audit and fix cgroup reservations
- 32b5d01ed chore: bump lvm2
- 6484581eb feat: allow /sbin/ldconfig in extensions
- 9fa08e843 chore: refactor tests
- d8ab4981b feat: support lvm auto activation
- 8166a58b3 fix: filter out non-printable characters in process line
- 806b6aaf5 docs: add SECURITY.md
- 7bd26df30 docs: document /dev/net/tun compatibility
- 18daedb51 fix: strategic merge patch delete for map keys
- f3370529a docs: correct typo
- 8d6884a8e test: add a test for inline machine config trusted roots
- d4a6d017d fix: ignore invalid NTP responses
- 869f8379f feat: update default Kubernetes version to 1.31.1
- 780a1f198 fix: update CoreDNS health check
- 79cd03158 chore: account for resource sorting in dns upstream resource
- e17fafaca chore: drop activateLogicalVolumes sequencer step
- a294b366f fix: parse SideroLink API endpoint correctly
- a9269ac7b fix: remove extra logging on ethtool ioctl failures
- 5c6277d17 feat: update etcd to 3.5.16
- c1ed2984b docs: add what's new for Talos 1.8
Changes from siderolabs/crypto
Changes from siderolabs/discovery-client
Changes from siderolabs/extras
2 commits
- siderolabs/extras@eab6e58 feat: update dependencies
- siderolabs/extras@1459d78 feat: update pkgs for 1.9
Changes from siderolabs/go-blockdevice
Changes from siderolabs/go-circular
Changes from siderolabs/go-kubernetes
Changes from siderolabs/grpc-proxy
2 commits
- siderolabs/grpc-proxy@de1c628 fix: copy data from big frame msg
- siderolabs/grpc-proxy@ef47ec7 chore: upgrade Codec implementations and usages to Codec2
Changes from siderolabs/pkgs
25 commits
- siderolabs/pkgs@be92da0 feat: update Linux to 6.6.57, update Linux firmware
- siderolabs/pkgs@0b67a13 feat: bump dependencies
- siderolabs/pkgs@dd5f928 feat: update Linux 6.6.56 and protect /proc/mem
- siderolabs/pkgs@b1bf972 feat: enable CONFIG_XFRM_STATISTICS
- siderolabs/pkgs@c63beae feat: update Linux to 6.6.54
- siderolabs/pkgs@f474a55 fix: libselinux: support running without /etc/selinux
- siderolabs/pkgs@ba0341e fix: systemd-udevd: search for config in /usr/etc
- siderolabs/pkgs@2b193f1 feat: add lpfc kernel module
- siderolabs/pkgs@1adb946 feat: enable QEDF driver
- siderolabs/pkgs@dbbe3d0 feat: update containerd to v2.0.0-rc.5
- siderolabs/pkgs@f19590e feat: update Go to 1.23.2
- siderolabs/pkgs@e2a561f fix: drop the LVM2 udev lvm rule
- siderolabs/pkgs@ae205aa fix: force LVM to use /run as state directory
- siderolabs/pkgs@232a153 feat: replace eudev with systemd-udevd
- siderolabs/pkgs@40fb82a feat: add libselinux, libsepol, pcre2 and libcap
- siderolabs/pkgs@6f40fbb feat: update xfsprogs 6.10.1
- siderolabs/pkgs@a1709c7 feat: enable module unloading and memory hotplug (for NVIDIA UVM)
- siderolabs/pkgs@2c5785b feat: enable transparent huge pages in madvise mode
- siderolabs/pkgs@ca2e8c8 fix: lvm2 modprobe path
- siderolabs/pkgs@6b334a6 feat: update Linux to 6.6.52
- siderolabs/pkgs@e90ae7e feat: update Linux firmware to 20240909
- siderolabs/pkgs@79a4f92 feat: enable INET_DIAG
- siderolabs/pkgs@c9f7eb9 feat: update Linux to 6.6.51
- siderolabs/pkgs@126b6a4 fix: add mpt3sas UBSAN patches
- siderolabs/pkgs@a09bf93 chore: drop UBSAN patch
Changes from siderolabs/proto-codec
3 commits
- siderolabs/proto-codec@0d84c65 chore: add support for gogo protobuf generator
- siderolabs/proto-codec@19f8d2e chore: add kres
- siderolabs/proto-codec@e038bb4 Initial commit
Changes from siderolabs/siderolink
Changes from siderolabs/tools
5 commits
- siderolabs/tools@2058296 feat: bump dependencies
- siderolabs/tools@1151610 feat: update ...