v1.8.3

Talos 1.8.3 (2024-11-14)

Welcome to the v1.8.3 release of Talos!

Starting with Talos v1.8.0, only standard assets would be published as github release assets. These include:

• cloud-images.json
• talosctl binaries
• kernel
• initramfs
• metal iso and disk images
• talosctl-cni-bundle

All other release assets can be downloaded from Image Factory.

Please try out the release binaries and report any issues at
https://github.com/nberlee/talos/issues.

Component Updates

Linux: 6.6.60
containerd: 2.0.0
runc: 1.2.1

Talos is built with Go 1.22.9.

Contributors

• Andrey Smirnov
• blablu
• Dmitry Sharshakov
• Joakim Nohlgård
• Noel Georgi
• Remko Molier
• Sam Stelfox

Changes

15 commits

• siderolabs/talos@6494aced3 release(v1.8.3): prepare release
• siderolabs/talos@01c9f4584 fix: arch linux search paths and names for QEMU provisioner
• siderolabs/talos@8b5c5f108 chore: fix nil pointer dereference in AWS uploader
• siderolabs/talos@fbf85dd0d fix: install disk matcher error
• siderolabs/talos@ff3fccea9 feat: add dm-cache dm-cache-smq kernel modules
• siderolabs/talos@6d872e41c feat: allow extra mounts for docker-based talosctl cluster create
• siderolabs/talos@8c193c8b1 fix: update permissions for logging directories in /var
• siderolabs/talos@5044a410c fix: mount /sys/kernel/security conditionally
• siderolabs/talos@83abb6644 fix: make route normalization keep family
• siderolabs/talos@228a94387 fix: do not trim 0 from process SELinux label
• siderolabs/talos@d4a3a2b62 fix: prevent panic in nocloud platform code
• siderolabs/talos@5c7b02d7e fix: update the CRI sandbox image reference
• siderolabs/talos@f8155c40d feat: add parsing of vlanNNNN:ethX style VLAN cmdline args
• siderolabs/talos@ea19f157f fix: generation of SecureBoot iso
• siderolabs/talos@fddaa60e2 feat: update Linux, runc, containerd, go

Changes from siderolabs/pkgs

7 commits

• siderolabs/pkgs@9c80a4a feat: update Linux to 6.6.60
• siderolabs/pkgs@747c6c7 feat: update containerd to v2.0.0
• siderolabs/pkgs@87c6526 feat: enable CONFIG_DM_CACHE
• siderolabs/pkgs@b4fa648 fix: enable nvme and 2.5gbit ethernet on nanopi-r5s
• siderolabs/pkgs@079ea13 feat: update Linux to 6.6.59
• siderolabs/pkgs@e4bc753 feat: update runc to v1.2.1
• siderolabs/pkgs@de3dbf5 feat: update Go to 1.22.9

Changes from siderolabs/tools

1 commit

• siderolabs/tools@653182a feat: update Go to 1.22.9

Dependency Changes

• github.com/docker/cli v27.1.1 new
• github.com/docker/docker v27.2.0 -> v27.1.1
• github.com/siderolabs/pkgs v1.8.0-24-ge72b2f4 -> v1.8.0-31-g9c80a4a
• github.com/siderolabs/talos/pkg/machinery v1.8.2 -> v1.8.3
• github.com/siderolabs/tools v1.8.0-2-g7719230 -> v1.8.0-3-g653182a

Previous release can be found at v1.8.2

v1.8.2

Talos 1.8.2 (2024-11-02)

Welcome to the v1.8.2 release of Talos!

When Talos is installed on NVMe, it may be unable mount correctly due to this issue in the new Disk Management. You may run into this issue when you already had installed Talos on eMMC and then moved to NVMe, and not reflashed the whole disk image onto the eMMC before flashing the spi.

To fix it, please follow the instructions again, starting from Download sbc ovberlay image (sbc-turingrk1) from talos and extract the spi image: and stop before bootstrapping the node.

Node Annotations

Talos Linux now supports configuring Kubernetes node annotations via machine configuration (.machine.nodeAnnotations) in a way similar to node labels.

Workload Apparmor Profile

Talos Linux can now apply the default AppArmor profiles to all workloads started via containerd, if the machine is installed with the AppArmor LSM enforced via the extraKernelArgs.

Eg:

machine:
    install:
        extraKernelArgs:
            - security=apparmor

Bridge Interface

Talos Linux now support configuring 'vlan_filtering' for bridge interfaces.

Machine Configuration via Kernel Command Line

Talos Linux supports supplying zstd-compressed, base64-encoded machine configuration small documents via the kernel command line parameter talos.config.inline.

CNI Plugins

Talos Linux now bundles by default the following standard CNI plugins:

• bridge
• firewall
• flannel
• host-local
• loopback
• portmap

The Talos bundled Flannel manifest was simplified to remove the install-cni step.

Accessing /dev/net/tun in Kubernetes Pods

Talos Linux ships with runc 1.2, which drops legacy rule to expose /dev/net/tun devices by default in the container.

If you need to access /dev/net/tun in your Kubernetes pods (e.g. running Tailscale as a Kubernetes pod), you can add use device plugins to expose /dev/net/tun to the pod.

Diagnostics

Talos Linux now shows diagnostics information for common problems related to misconfiguration via talosctl health and Talos dashboard.

Disk Management

Talos Linux now supports configuration for the EPHEMERAL volume.

Extensions in Kubernetes Nodes

Talos Linux now publishes list of installed extensions as Kubernetes node labels/annotations.

The key format is extensions.talos.dev/<name> and the value is the extension version.
If the extension name is not valid as a label key, it will be skipped.
If the extension version is a valid label value, it will be put to the label; otherwise it will be put to the annotation.

For Talos machines booted of the Image Factory artifacts, this means that the schematic ID will be published as the annotation
extensions.talos.dev/schematic (as it is longer than 63 characters).

DNS Forwarding for CoreDNS pods

Usage of the host DNS resolver as upstream for Kubernetes CoreDNS pods is now enabled by default. You can disable it
with:

machine:
  features:
    hostDNS:
      enabled: true
      forwardKubeDNSToHost: false

Please note that on running cluster you will have to kill CoreDNS pods for this change to apply.

The IP address used to forward DNS queries has changed to the fixed 169.254.116.108 address.
For those upgrading from Talos 1.7 with forwardKubeDNSToHost enabled, the old Kubernetes service
can be cleaned up with kubectl delete -n kube-system service host-dns.

Installer

Talos Linux installer now never wipes the system disk on upgrades, which means that the flag
--preserve is always set for talosctl upgrade.

talos.halt_if_installed kernel argument

Starting with Talos 1.8, ISO's generated from Boot Assets would have a new kernel argument talos.halt_if_installed which would pause the boot sequence until boot timeout if Talos is already installed on the disk.
ISO generated for pre 1.8 versions would not have this kernel argument.

This can be also explicitly enabled by setting talos.halt_if_installed=1 in kernel argument.

Slim Kubelet Image

Kubelet container image includes various utilities that kubelet might use to perform various tasks.

Starting with Kubernetes 1.31.0, kubelet image now includes less utilities, as the in-tree CSI plugins were
removed in Kubernetes 1.31.0. This reduces kubelet image size and potential attack surface.

For Kubernetes < 1.31.0, there will be two images built:

• v1.x.y (default, fat)
• v1.x.y-slim (slim)

For Kubernetes >= 1.31.0, there will be same two images built, but the
default tag would point to slim image:

• v1.x.y (default, slim)
• v1.x.y-fat (fat)

KubeSpan

Extra announced endpoints can be added using the KubespanEndpointsConfig document.

Default Node Labels

Talos Linux on config generation now adds a label node.kubernetes.io/exclude-from-external-load-balancers by default for the control plane nodes.

PCI Devices

A list of PCI devices can now be obtained via PCIDevices resource, e.g. talosctl get pcidevices.

Metal images

Starting with Talos 1.8, console=ttyS0 kernel argument is removed from the metal images and installer. If running virtualized in QEMU (For eg: Proxmox), this can be added as an extra kernel argument if needed via Image Factory or using Imager.

This should fix slow boot or no console output issues on most bare metal hardware.

Removing parts of the configuration using $patch: delete syntax

Talos Linux now supports removing parts of the configuration using the $patch: delete syntax similar to the kubernetes.
More information can be found here.

kube-proxy

Talos Linux configures kube-proxy >= v1.31.0 to use 'nftables' backend by default.

Custom Trusted Roots

Talos Linux now supports adding custom trusted roots (CA certificates) via TrustedRootsConfig configuration documents.

Device Extra Settle Timeout

Talos Linux now supports a kernel command line argument talos.device.settle_time=3m to set the device extra settle timeout to workaround issues with broken drivers.

Component Updates

Kubernetes: 1.31.2
Linux: 6.6.58
containerd: 2.0.0-rc.6
runc: 1.2.0
etcd: 3.5.16
Flannel: 0.25.7
Flannel CNI plugin: 1.5.1
CoreDNS: 1.1.13

Talos is built with Go 1.22.8.

ZSTD Compression

Talos Linux now compresses kernel and initramfs using ZSTD.
Linux arm64 kernel is now compressed (previously it was uncompressed).

Contributors

• Andrey Smirnov
• Dmitriy Matrenichev
• Noel Georgi
• Artem Chernyshev
• Utku Ozdemir
• Dmitry Sharshakov
• Justin Garrison
• Spencer Smith
• Joakim Nohlgård
• Serge Logvinov
• Steve Francis
• Bernard Gütermann
• Jean-Francois Roy
• Konrad Eriksson
• Tim Jones
• doctor_ew
• Amadeus Mader
• Andrew Rynhard
• Anthony ARNAUD
• Attila Oláh
• Birger J. Nordølum
• Caleb Woodbine
• Claus Albøge
• Daniel Höxtermann
• David Birks
• Dean
• Dennis Marttinen
• Eddie Zaneski
• Enrique Hernández Bello
• EricMa
• Evan Johnson
• Fabian Topfstedt
• Florian Ströger
• Fredrik Lundhag
• George Gaál
• Grzegorz Rozniecki
• Grzegorz Rożniecki
• Hexoplon
• Igor Rzegocki
• Josia Scheytt
• Judah Rand
• Marcel Richter
• Marco Franssen
• Marcus Förster
• Matthias Riegler
• Matthieu Mottet
• Maxime Brunet
• Michael Trip
• Mike Beaumont
• Nick Meyer
• Nicklas Frahm
• Ole-Magnus Sæther
• Philip Schmid
• Philipp Kleber
• Roman Ivanov
• Ron Olson
• Saravanan G
• Simon-Boyer
• Skyler Mäntysaari
• Steve Fan
• Steve Martinelli
• Steven Fackler
• Syoc
• USBAkimbo
• Will Bush
• cryptk
• darox
• dhaines-quera
• ekarlso
• leppeK
• looklose

Changes

352 commits

• siderolabs/talos@88f861a08 release(v1.8.2): prepare release
• siderolabs/talos@cfc10106a fix: include iptables/netfilter ipv6 fix
• siderolabs/talos@d8e2daf77 fix: wait for udevd to be running before activating LVM
• siderolabs/talos@e105a3d74 fix: talosctl process null character
• siderolabs/talos@0e96e99b2 fix: rework the 'metal-iso' config acquisition
• siderolabs/talos@7ef579650 fix: improve error messages for invalid bridge/bond configuration
• siderolabs/talos@a3fcbe0ba chore: rename tpm2.PCRExtent -> tpm2.PCRExtend
• siderolabs/talos@a9e6e60ca fix: correct error message for invalid ip=
• siderolabs/talos@49de0abaa fix: update incorrect alias for PCIDevice resource
• siderolabs/talos@9b561ac3d feat: add Talos 1.9 compatibility guarantees
• siderolabs/talos@2ea3f85bc chore: update siderolabs/crypto module and return proper ALPN
• siderolabs/talos@ce4791251 feat: optionally decode hcloud userdata as base64
• siderolabs/talos@f20a6900d fix: json logging panic
• siderolabs/talos@d855bb8be fix: skip ram disks
• siderolabs/talos@b429e7f28 fix: do not use pflag csv comma reader for config-patch
• siderolabs/talos@ee44f2c51 test: skip no error test in Cilium
• siderolabs/talos@7d055af29 fix: scaleway metadata
• siderolabs/talos@9f62fe96c feat: update pkgs and Kubernetes
• siderolabs/talos@477752fe6 release(v1.8.1): prepare release
  ...

v1.7.6

Talos 1.7.6 (2024-08-07)

Welcome to the v1.7.6 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.6.43
Kubernetes: 1.30.3

Talos is built with Go 1.22.5.

Contributors

• Andrey Smirnov
• Jean-Francois Roy

Changes

5 commits

• siderolabs/talos@ae67123ac release(v1.7.6): prepare release
• siderolabs/talos@08fbf0896 fix: panic on shutdown
• siderolabs/talos@44827e43b fix: sort ports and merge adjacent ones in the nft rule
• siderolabs/talos@d692ab106 feat: provide an option to enforce SecureBoot for TPM enrollment
• siderolabs/talos@7287a112c feat: update Linux 6.6.43, Kubernetes 1.30.3, go 1.22.5

Changes from siderolabs/pkgs

8 commits

• siderolabs/pkgs@f0c088f feat: update Linux to 6.6.43
• siderolabs/pkgs@fb24a28 fix: enable TPROXY for nftables
• siderolabs/pkgs@4d7d88b feat: update Linux to 6.6.39
• siderolabs/pkgs@a302e94 fix: enable CONFIG_PROC_CHILDREN for amd64 kernel
• siderolabs/pkgs@034804e feat: update Linux to 6.6.36
• siderolabs/pkgs@44d273d feat: enable CONFIG_X86_AMD_PSTATE
• siderolabs/pkgs@3d1bd33 feat: update Go to 1.22.5
• siderolabs/pkgs@6637717 feat: update runc to 1.1.13

Changes from siderolabs/tools

1 commit

• siderolabs/tools@c844dc3 feat: update Go to 1.22.5

Dependency Changes

• github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 -> v1.6.0
• github.com/siderolabs/pkgs v1.7.0-21-gc58ed7f -> v1.7.0-29-gf0c088f
• github.com/siderolabs/talos/pkg/machinery v1.7.5 -> v1.7.6
• github.com/siderolabs/tools v1.7.0-3-g6c94771 -> v1.7.0-4-gc844dc3
• golang.org/x/net v0.25.0 -> v0.26.0
• golang.org/x/sync v0.6.0 -> v0.7.0
• golang.org/x/sys v0.20.0 -> v0.21.0
• golang.org/x/term v0.20.0 -> v0.21.0
• golang.org/x/text v0.15.0 -> v0.16.0
• k8s.io/api v0.30.1 -> v0.30.3
• k8s.io/apiserver v0.30.1 -> v0.30.3
• k8s.io/client-go v0.30.1 -> v0.30.3
• k8s.io/component-base v0.30.1 -> v0.30.3
• k8s.io/kube-scheduler v0.30.1 -> v0.30.3
• k8s.io/kubectl v0.30.1 -> v0.30.3
• k8s.io/kubelet v0.30.1 -> v0.30.3
• k8s.io/pod-security-admission v0.30.1 -> v0.30.3

Previous release can be found at v1.7.5

v1.7.5

Talos 1.7.5 (2024-06-22)

Welcome to the v1.7.5 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.6.33
Flannel: 0.25.3
Containerd: 1.7.18

Talos is built with Go 1.22.4.

Contributors

• Andrey Smirnov
• Noel Georgi
• Dmitriy Matrenichev
• Marcel Richter

Changes

7 commits

• siderolabs/talos@47731624e release(v1.7.5): prepare release
• siderolabs/talos@6d6751f6a feat: update Linux to 6.6.33, Go to 1.22.4
• siderolabs/talos@2c4aa7342 chore: fix our dns server implementation
• siderolabs/talos@8ad20a6c1 fix: initial assignment of Hetzner Cloud Alias IP
• siderolabs/talos@90c3a0244 feat: update Flannel to v0.25.3
• siderolabs/talos@b14fe3973 fix: downgrade Azure IMDS required version
• siderolabs/talos@fa6c85259 fix: decrease maximum negative ttl for dns responses

Changes from siderolabs/extras

1 commit

• siderolabs/extras@7c627a8 feat: update Go to 1.22.4

Changes from siderolabs/pkgs

4 commits

• siderolabs/pkgs@c58ed7f feat: bump Go to 1.22.4
• siderolabs/pkgs@ab5d66b feat: update Linux to 6.6.33
• siderolabs/pkgs@0e1002e feat: enable SCTP support
• siderolabs/pkgs@e04adee feat: update containerd to 1.7.18

Changes from siderolabs/tools

1 commit

• siderolabs/tools@6c94771 feat: update Go to 1.22.4

Dependency Changes

• github.com/docker/docker v26.0.0 -> v26.0.2
• github.com/miekg/dns v1.1.58 -> v1.1.59
• github.com/siderolabs/extras v1.7.0-1-gbb76755 -> v1.7.0-2-g7c627a8
• github.com/siderolabs/pkgs v1.7.0-17-ga201d27 -> v1.7.0-21-gc58ed7f
• github.com/siderolabs/talos/pkg/machinery v1.7.4 -> v1.7.5
• github.com/siderolabs/tools v1.7.0-2-g345db93 -> v1.7.0-3-g6c94771
• google.golang.org/grpc v1.62.1 -> v1.63.2

Previous release can be found at v1.7.4

v1.7.4

Talos 1.7.4 (2024-05-30)

Welcome to the v1.7.4 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/nberlee/talos/issues.

Component Updates

Talos is built with Go 1.22.3.

Contributors

• Andrey Smirnov
• Dmitriy Matrenichev
• Dmitry Sharshakov

Changes

11 commits

• siderolabs/talos@cb3a83088 release(v1.7.4): prepare release
• siderolabs/talos@b0ad5904c fix: correct time adjustment in time.SyncController
• siderolabs/talos@b4e09d39d release(v1.7.3): prepare release
• siderolabs/talos@92ec41c22 fix: mount tracefs filesystem
• siderolabs/talos@1b3ac2ca6 fix: workaround problems with udevd races
• siderolabs/talos@1f2a870a7 fix: time sync over NTP from future era
• siderolabs/talos@4e9aa3007 fix: correctly handle dns messages in our dns implementation
• siderolabs/talos@8159a0057 fix: panic in osroot controller
• siderolabs/talos@b78fb4fea fix: update go-tail library to fix 'short read' error
• siderolabs/talos@2df5319ce test: add a test for watchdog timers
• siderolabs/talos@e529fccb2 feat: update Linux to 6.6.32

Dependency Changes

• github.com/beevik/ntp v1.3.1 -> v1.4.3
• github.com/siderolabs/talos/pkg/machinery v1.7.2 -> v1.7.4
• golang.org/x/net v0.23.0 -> v0.25.0
• golang.org/x/sys v0.18.0 -> v0.20.0
• golang.org/x/term v0.18.0 -> v0.20.0
• golang.org/x/text v0.14.0 -> v0.15.0

Previous release can be found at v1.7.2

v1.7.2

Talos 1.7.2 (2024-05-21)

Welcome to the v1.7.2 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Kubernetes: 1.30.1
Linux: 6.6.30
Arm Trusted Firmware: 2.10.4

Talos is built with Go 1.22.3.

Contributors

• Andrey Smirnov
• Artem Chernyshev
• Bernard Gütermann
• Dmitriy Matrenichev
• Noel Georgi
• Spencer Smith
• Utku Ozdemir

Changes

11 commits

• siderolabs/talos@f876025b3 release(v1.7.2): prepare release
• siderolabs/talos@53eff982f feat: update Kubernetes to 1.30.1
• siderolabs/talos@5bc446e85 chore: update project in GCP testing
• siderolabs/talos@abaff6084 fix: increase host dns packet ttl for pods
• siderolabs/talos@9189fdf4a chore: handle I/O error for xfs_repair
• siderolabs/talos@172569f56 fix: don't enable hostDNS for versions of Talos which do not have it
• siderolabs/talos@a91527ef7 chore: extract pkg/imager/quirks to pkg/machinery
• siderolabs/talos@5e1544432 fix: check for nil machine config during installation
• siderolabs/talos@44853ba0f feat: update Go to 1.22.3, Linux to 6.6.30
• siderolabs/talos@24c353235 fix: do not fail cli action tracker when boot id cannot be read
• siderolabs/talos@4aeb22f76 fix: use a fresh context for etcd unlock

Changes from siderolabs/pkgs

5 commits

• siderolabs/pkgs@9caa8be fix: disable CONFIG_EFI_DISABLE_PCI_DMA option
• siderolabs/pkgs@4af5dcd feat: update Linux to 6.6.30
• siderolabs/pkgs@996f95d feat: update zfs package to v2.2.4
• siderolabs/pkgs@5e3978f feat: enable NFT FIB lookups
• siderolabs/pkgs@a3c7fbf feat: update Go to 1.22.3

Changes from siderolabs/tools

1 commit

• siderolabs/tools@345db93 feat: update Go to 1.22.3

Dependency Changes

• github.com/siderolabs/pkgs v1.7.0-9-g76bd73c -> v1.7.0-14-g9caa8be
• github.com/siderolabs/talos/pkg/machinery v1.7.1 -> v1.7.2
• github.com/siderolabs/tools v1.7.0-1-g10b2a69 -> v1.7.0-2-g345db93
• k8s.io/api v0.30.0 -> v0.30.1
• k8s.io/apiserver v0.30.0 -> v0.30.1
• k8s.io/client-go v0.30.0 -> v0.30.1
• k8s.io/component-base v0.30.0 -> v0.30.1
• k8s.io/kube-scheduler v0.30.0 -> v0.30.1
• k8s.io/kubectl v0.30.0 -> v0.30.1
• k8s.io/kubelet v0.30.0 -> v0.30.1
• k8s.io/pod-security-admission v0.30.0 -> v0.30.1

Previous release can be found at v1.7.1

v1.7.1

Talos 1.7.1 (2024-05-05)

Welcome to the v1.7.1 release of Talos for the Turing RK1!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

[Documentation on What's New in Talos 1.7.0

CA Rotation

Talos Linux now supports rotating the root CA certificate and key for Talos API and Kubernetes API.

Device Selectors

Talos Linux now supports physical: true qualifier for device selectors, it selects non-virtual network interfaces (i.e. en0 is selected, while bond0 is not).

DNS Caching

Talos Linux now provides a caching DNS resolver for host workloads (including host networking pods). It can be disabled with:

machine:
  features:
    hostDNS:
      enabled: false

You can also enable dns caching for k8s pods with:

machine:
  features:
    hostDNS:
      enabled: true
      forwardKubeDNSToHost: true

Please note that on running cluster you will have to kill CoreDNS pods for this change to apply.

If you want to can also enable the resolving of member addresses through their host and node names:

machine:
  features:
    hostDNS:
      enabled: true
      resolveMemberNames: true

Extension Services Config

Talos now supports supplying configuration files and environment variables for extension services.
The extension service configuration is a separate config document. An example is shown below:

---
apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: nut-client
configFiles:
  - content: MONITOR ${upsmonHost} 1 remote pass password
    mountPath: /usr/local/etc/nut/upsmon.conf
environment:
  - UPS_NAME=ups

For documentation, see Extension Services Config Files.

Note: The use of environmentFile in extension service spec is now deprecated and will be removed in a future release of Talos.
Use ExtensionServiceConfig instead.

IPTables

Talos Linux now forces kubelet and kube-proxy to use iptables-nft instead of iptables-legacy (xtables) which was the default
before Talos 1.7.0.

Container images based on iptables-wrapper should work without changes, but if there was a direct call to legacy mode of iptables, make sure
to update to use iptables-nft.

Kubernetes Upgrade

The command talosctl upgrade-k8s now supports specifying custom image references for Kubernetes components via --*-image flags.
The default behavior is unchanged, and the flags are optional.

KubeSpan

Talos Linux disables by default a KubeSpan feature to harvest additional endpoints from KubeSpan members.
This feature turned out to be less helpful than expected and caused unnecessary performance issues.

Previous behavior can be restored with:

machine:
  network:
    kubespan:
        harvestExtraEndpoints: true

Logging

Talos Linux now supports setting extra tags when sending logs in JSON format:

machine:
  logging:
    destinations:
      - endpoint: "udp://127.0.0.1:12345/"
        format: "json_lines"
        extraTags:
          server: s03-rack07

Time Sync

Default NTP server was updated to be time.cloudflare.com instead of pool.ntp.org.
Default server is only used if the user does not specify any NTP servers in the configuration.

Talos Linux can now sync to PTP devices (e.g. provided by the hypervisor) skipping the network time servers.
In order to activate PTP sync, set machine.time.servers to the PTP device name (e.g. /dev/ptp0):

machine:
  time:
    servers:
      - /dev/ptp0

OpenNebula

Talos Linux now supports OpenNebula platform.

Platforms

Talos Linux now supports Akamai Connected Cloud provider (platform akamai).

Kubernetes API Server Service Account Key

Talos Linux starting from this release uses RSA key for Kubernetes API Server Service Account instead of ECDSA key to provide better compatibility with external OpenID Connect implementations.

SBC

Talos has split the SBC's (Single Board Computers) into separate repositories.
There will not be any more SBC specific release assets as part of Talos release.

The default Talos Installer image will stop working for SBC's and will fail the upgrade, if used, starting from Talos v1.7.0.

The SBC's images and installers can be generated on the fly using Image Factory or using Imager for custom images, please use ghcr.io/nberlee/imager.
The list of official SBC's images supported by Image Factory can be found in the Overlays repository.

The Turing RK1 SBC-overlay can be found in this repo. The v1.7.1-rk3588 installer tag comes by default with the SBC overlay.

Secure Boot Image

Talos Linux now provides a way to configure systemd-boot ISO 'secure-boot-enroll' option while generating a SecureBoot ISO image:

output:
    kind: iso
    isoOptions:
        sdBootEnrollKeys: force # default is still if-safe
    outFormat: raw

Syslog

Talos Linux now starts a basic syslog receiver listening on /dev/log.
The receiver can mostly parse both RFC3164 and RFC5424 messages and writes them as JSON formatted message.
The logs can be viewed via talosctl logs syslogd.

This is mostly implemented for extension services that log to syslog.

UBSAN Cilium Kernel patch

Talos 1.7 includes UBSAN, which leads to dmesg warnings when Cilium initiates due to an array out-of-bound issue. This fork incorporates a fix from kernel-next upstream to address this problem.

Component Updates

Linux: 6.6.29
containerd: 1.7.16
etcd: 3.5.11
Kubernetes: 1.30.0
runc: 1.1.12
Flannel: 0.25.1
Turing-RK1: arm-trusted-firmware: 2.10.3
Turing-RK1: Rockchip 3588 DDR binary blob: 1.16

Talos is built with Go 1.22.2.

Hardware Watchdog Timers

Talos Linux now supports hardware watchdog timers configuration.
If enabled, and the machine becomes unresponsive, the hardware watchdog will reset the machine.

The watchdog can be enabled with the following configuration document:

apiVersion: v1alpha1
kind: WatchdogTimerConfig
device: /dev/watchdog0
timeout: 3m0s

Contributors

• Andrey Smirnov
• Noel Georgi
• Dmitriy Matrenichev
• Utku Ozdemir
• Andrey Smirnov
• Artem Chernyshev
• Dmitry Sharshakov
• Justin Garrison
• Radosław Piliszek
• Spencer Smith
• Anthony ARNAUD
• Steve Francis
• Anastasios Papagiannis
• Andrei Kvapil
• Andrian Zubovic
• AvnarJakob
• Cas de Reuver
• Christian Mohn
• Christian WALDBILLIG
• Dennis Marttinen
• Dmitry Sharshakov
• Drew Hess
• Evan Johnson
• ExtraClock
• Fabiano Fidêncio
• Henno Schooljan
• Hervé Werner
• JJGadgets
• Jacob McSwain
• Jean-Tiare Le Bigot
• Jonomir
• Kai Hanssen
• Konrad Eriksson
• Louis SCHNEIDER
• Matthieu S
• Michael Stephenson
• Nico Berlee
• Niklas Wik
• Pip Oomen
• Saiyam Pathak
• Sebastiaan Gerritsen
• Sebastian Gaiser
• Serge Logvinov
• Tim Jones
• bri
• ebcrypto
• edwinavalos
• fazledyn-or
• goodmost
• james-dreebot
• pardomue
• shurkys
• stereobutter
• Igor Rzegocki

Changes

248 commits

• siderolabs/talos@70fb41fff release(v1.7.0): prepare release
• siderolabs/talos@27e8455d7 chore: update extension filter for xen-guest-agent
• siderolabs/talos@3a2612df5 feat: update Linux to 6.6.28
• siderolabs/talos@d9760fc9b docs: add what's new for v1.7
• siderolabs/talos@83ad8d65c feat: add host dns support for resolving member addrs
• siderolabs/talos@24141f078 feat: update Kubernetes to 1.30.0
• siderolabs/talos@865239188 chore: update go-blockdevice/v2 library to the latest version
• siderolabs/talos@b72f0d7f9 fix: overlay installer operations
• siderolabs/talos@81cd2b16e fix: mark overlay installer executable
• siderolabs/talos@a690e30ef feat: update Flannel to v0.25.1
• siderolabs/talos@fa5c7ee70 fix: close apid inter-backend connections gracefully for real
• siderolabs/talos@d821322c7 feat: use container DNS when in container mode
• siderolabs/talos@77581447c release(v1.7.0-beta.1): prepare release
• siderolabs/talos@1c0a91728 chore: disable max of one commit
• siderolabs/talos@50d475b41 feat: update Kubernetes to v1.30.0-rc.2
• siderolabs/talos@a5b4a8a91 feat: update Linux 6.6.24, containerd 1.7.15
• siderolabs/talos@eea41cdae fix: assign different priority to IPv6 default gateway on OpenStack
• siderolabs/talos@d5932a390 chore: optimize DNSResolveCacheController
• siderolabs/talos@eca03b03c fix: don't modify a global map of profiles
• siderolabs/talos@4da63d1dd test: add a test for 'spin' container runtime
• siderolabs/talos@fb84efce3 feat: provide Kubernets/Talos version compatibility for 1.8
• siderolabs/talos@7d24ddd73 fix: generate secureboot ISO .der certificate correctly
• siderolabs/talos@028a5b4b1 fix: reconnect to the logs stream in dashboard after reboot
• siderolabs/talos@5019c9fa7 fix: present all accepted CAs to the kube-apiserver
• siderolabs/talos@09ef5b3c9 fix: validate that workers don't get cluster CA key
• siderolabs/talos@4f7cb9c3a fix: make static pods check output consistent
• siderolabs/talos@dd7d8d3aa fix: close the apid connection to other machines gracefully
• siderolabs/talos@41a54e8a0 fix: pre-create nftables chain to make kubelet use nftables
• siderolabs/talos@abf302fb5 docs: change localDNS to hostDNS in release notes yaml section
• siderolabs/talos@78f971370 release(v1.7.0-beta.0): prepare release
• siderolabs/talos@01d8b897c fix: make safeReset truly safe to call multiple time...

v1.6.7

Talos 1.6.7 (2024-03-21)

Welcome to the v1.6.7 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/nberlee/talos/issues.

Component Updates

• Linux: 6.6.22
• Kubernetes: 1.29.3

Talos is built with Go 1.21.8.

Contributors

• Andrey Smirnov
• Utku Ozdemir
• Nico Berlee
• Noel Georgi

Changes

8 commits

• siderolabs/talos@6f8d7fd60 feat: adds board Turing RK1
• siderolabs/talos@46c8ac102 release(v1.6.7): prepare release
• siderolabs/talos@9ef06f60f fix: service lifecycle issues
• siderolabs/talos@2c9159977 fix: patch correctly config in talosctl upgrade-k8s
• siderolabs/talos@16691dfd5 fix: remove maintenance config when maintenance service is shut down
• siderolabs/talos@5cbbbfa68 fix: fix nil panic on maintenance upgrade with partial config
• siderolabs/talos@3c942fe9d fix: etcd config validation for worker
• siderolabs/talos@a5920a157 feat: update Kubernetes to 1.29.3, Linux to 6.1.82

Changes from siderolabs/pkgs

1 commit

• siderolabs/pkgs@df44f94 feat: update dependencies for Talos 1.6.7

Dependency Changes

• github.com/siderolabs/pkgs v1.6.0-26-g2961472 -> v1.6.0-27-gdf44f94
• github.com/siderolabs/talos/pkg/machinery v1.6.6 -> v1.6.7
• google.golang.org/protobuf v1.31.0 -> v1.33.0
• k8s.io/api v0.29.2 -> v0.29.3
• k8s.io/apimachinery v0.29.2 -> v0.29.3
• k8s.io/apiserver v0.29.2 -> v0.29.3
• k8s.io/client-go v0.29.2 -> v0.29.3
• k8s.io/component-base v0.29.2 -> v0.29.3
• k8s.io/cri-api v0.29.2 -> v0.29.3
• k8s.io/kube-scheduler v0.29.2 -> v0.29.3
• k8s.io/kubectl v0.29.2 -> v0.29.3
• k8s.io/kubelet v0.29.2 -> v0.29.3
• k8s.io/pod-security-admission v0.29.2 -> v0.29.3

Previous release can be found at v1.6.6

v1.6.6

Talos 1.6.6 (2024-03-06)

Welcome to the v1.6.6 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

• Linux: 6.6.21
• Turing RK1: update upstream u-boot patches to latest
• Turing RK1: updated kernel patches including thermal control
  Talos is built with Go 1.21.8.

Contributors

• Andrey Smirnov
• Nico Berlee

Changes

6 commits

• siderolabs/talos@3945bda80 feat: adds board Turing RK1
• siderolabs/talos@7dceba060 release(v1.6.6): prepare release
• siderolabs/talos@e4f712689 fix: workaround a race in CNI setup (talosctl cluster create)
• siderolabs/talos@38b5aed50 fix: provide auth when pulling images in the imager
• siderolabs/talos@4af77b5fd fix: handle errors to watch apid/trustd certs
• siderolabs/talos@2df2586f9 feat: update Linux to 6.1.80, Go to 1.21.8

Changes from siderolabs/extras

1 commit

• siderolabs/extras@9234398 chore: update Go to 1.21.8

Changes from siderolabs/pkgs

1 commit

• siderolabs/pkgs@2961472 feat: update Linux to 6.1.80, firmware to 20240220

Changes from siderolabs/tools

1 commit

• siderolabs/tools@ae30965 feat: update Go to 1.21.8

Dependency Changes

• github.com/alexflint/go-filemutex v1.2.0 new
• github.com/siderolabs/extras v1.6.0-1-g113887a -> v1.6.0-2-g9234398
• github.com/siderolabs/pkgs v1.6.0-25-g6868f38 -> v1.6.0-26-g2961472
• github.com/siderolabs/talos/pkg/machinery v1.6.5 -> v1.6.6
• github.com/siderolabs/tools v1.6.0-2-g5e034ec -> v1.6.0-3-gae30965

Previous release can be found at v1.6.5

v1.6.5

Talos 1.6.5 (2024-02-21)

Welcome to the v1.6.5 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Turing RK1: fan speed

The fanspeed curve has been adjusted to be more idle in lite cpu load utilization scenarios.

Kubernetes Upgrade

The command talosctl upgrade-k8s now supports specifying custom image references for Kubernetes components via --*-image flags.
The default behavior is unchanged, and the flags are optional.

Component Updates

Kubernetes: 1.29.2
Linux: 6.6.17
arm-trusted-firmware: 2.10.2

Talos is built with Go 1.21.6.

Turing RK1: USB2

USB2 support has been restored. It was broken in Talos 1.6.4.

Contributors

• Andrey Smirnov
• Noel Georgi
• Nico Berlee
• Anastasios Papagiannis
• Andrian Zubovic
• Matthieu S
• Utku Ozdemir
• pardomue

Changes

16 commits

• siderolabs/talos@714580853 feat: adds board Turing RK1
• siderolabs/talos@3a0a5014e github ci
• siderolabs/talos@22803bc5d release(v1.6.5): prepare release
• siderolabs/talos@e5c198a32 feat: update pkgs
• siderolabs/talos@54c60ddfb feat: allow access to all resources over siderolink in maintenance mode
• siderolabs/talos@c7f5ff73e fix: use MachineStatus resource to check for boot done
• siderolabs/talos@7d1378240 feat: support AWS KMS for the SecureBoot signing
• siderolabs/talos@c6e7a95cc feat: custom image settings for k8s upgrade
• siderolabs/talos@0f5e946f4 fix: ensure that Talos runs in a pod (container)
• siderolabs/talos@fd93ce1b6 feat: update kernel with sfc driver and LSM updates
• siderolabs/talos@36836878f fix: run xfs_repair on invalid argument error
• siderolabs/talos@6ea29d927 feat: support systemd-boot ISO enroll keys option
• siderolabs/talos@e993215fe fix: unlock the upgrade mutex properly
• siderolabs/talos@5515a6bab fix: use a separate cgroup for each extension service
• siderolabs/talos@e7935e6b9 feat: update Linux to 6.1.78
• siderolabs/talos@959627850 feat: update Kubernetes default to 1.29.2

Changes from siderolabs/pkgs

9 commits

• siderolabs/pkgs@6868f38 feat: enable PSI (pressure stall information)
• siderolabs/pkgs@777cae9 feat: update Linux to 6.1.78
• siderolabs/pkgs@f71ff75 feat: enable VRF module
• siderolabs/pkgs@a7e36fb feat: add support for Solarflare SFC9100 and SFC9200 family
• siderolabs/pkgs@7146892 feat: enable CONFIG_SECURITY_PATH and CONFIG_BPF_LSM
• siderolabs/pkgs@73f3c03 feat: backport iPXE update from main
• siderolabs/pkgs@8ff728c chore: set PREEMPT_NONE as recommended for servers
• siderolabs/pkgs@b849795 fix: enable KFD support in kernel
• siderolabs/pkgs@0b8a78b feat: bring Linux to 6.1.76

Dependency Changes

• github.com/aws/aws-sdk-go-v2/service/kms v1.26.5 new
• github.com/siderolabs/pkgs v1.6.0-16-gb77ffb7 -> v1.6.0-25-g6868f38
• k8s.io/api v0.29.1 -> v0.29.2
• k8s.io/apiserver v0.29.1 -> v0.29.2
• k8s.io/client-go v0.29.1 -> v0.29.2
• k8s.io/component-base v0.29.1 -> v0.29.2
• k8s.io/kube-scheduler v0.29.1 -> v0.29.2
• k8s.io/kubectl v0.29.1 -> v0.29.2
• k8s.io/kubelet v0.29.1 -> v0.29.2
• k8s.io/pod-security-admission v0.29.2 new

Previous release can be found at v1.6.4