v1.7.0-beta.0

Talos 1.7.0-beta.0 (2024-04-05)

Welcome to the v1.7.0-beta.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

CA Rotation

Talos Linux now supports rotating the root CA certificate and key for Talos API and Kubernetes API.

Device Selectors

Talos Linux now supports physical: true qualifier for device selectors, it selects non-virtual network interfaces (i.e. en0 is selected, while bond0 is not).

DNS Caching

Talos Linux now provides a caching DNS resolver for host workloads (including host networking pods). It can be disabled with:

machine:
   features:
       hostDNS:
         enabled: false

Extension Services Config

Talos now supports supplying configuration files and environment variables for extension services.
The extension service configuration is a separate config document. An example is shown below:

---
apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: nut-client
configFiles:
  - content: MONITOR ${upsmonHost} 1 remote pass password
    mountPath: /usr/local/etc/nut/upsmon.conf
environment:
  - UPS_NAME=ups

For documentation, see Extension Services Config Files.

Note: The use of environmentFile in extension service spec is now deprecated and will be removed in a future release of Talos.
Use ExtensionServiceConfig instead.

Kubernetes Upgrade

The command talosctl upgrade-k8s now supports specifying custom image references for Kubernetes components via --*-image flags.
The default behavior is unchanged, and the flags are optional.

KubeSpan

Talos Linux disables by default a KubeSpan feature to harvest additional endpoints from KubeSpan members.
This feature turned out to be less helpful than expected and caused unnecessary performance issues.

Previous behavior can be restored with:

machine:
  network:
    kubespan:
        harvestExtraEndpoints: true

Logging

Talos Linux now supports setting extra tags when sending logs in JSON format:

machine:
  logging:
    destinations:
      - endpoint: "udp://127.0.0.1:12345/"
        format: "json_lines"
        extraTags:
          server: s03-rack07

Time Sync

Default NTP server was updated to be time.cloudflare.com instead of pool.ntp.org.
Default server is only used if the user does not specify any NTP servers in the configuration.

Talos Linux can now sync to PTP devices (e.g. provided by the hypervisor) skipping the network time servers.
In order to activate PTP sync, set machine.time.servers to the PTP device name (e.g. /dev/ptp0):

machine:
  time:
    servers:
      - /dev/ptp0

OpenNebula

Talos Linux now supports OpenNebula platform.

Platforms

Talos Linux now supports Akamai Connected Cloud provider (platform akamai).

Kubernetes API Server Service Account Key

Talos Linux starting from this release uses RSA key for Kubernetes API Server Service Account instead of ECDSA key to provide better compatibility with external OpenID Connect implementations.

SBC

Talos has split the SBC's (Single Board Computers) into separate repositories.
There will not be any more SBC specific release assets as part of Talos release.

The default Talos Installer image will stop working for SBC's and will fail the upgrade, if used, starting from Talos v1.7.0.

The SBC's images and installers can be generated on the fly using Image Factory or using Imager for custom images.
The list of official SBC's images supported by Image Factory can be found in the Overlays repository.

Secure Boot Image

Talos Linux now provides a way to configure systemd-boot ISO 'secure-boot-enroll' option while generating a SecureBoot ISO image:

output:
    kind: iso
    isoOptions:
        sdBootEnrollKeys: force # default is still if-safe
    outFormat: raw

Syslog

Talos Linux now starts a basic syslog receiver listening on /dev/log.
The receiver can mostly parse both RFC3164 and RFC5424 messages and writes them as JSON formatted message.
The logs can be viewed via talosctl logs syslogd.

This is mostly implemented for extension services that log to syslog.

Component Updates

Linux: 6.6.24
etcd: 3.5.11
Kubernetes: 1.30.0-rc.1
containerd: 1.7.14
runc: 1.1.12
Flannel: 0.24.4

Talos is built with Go 1.22.2.

Hardware Watchdog Timers

Talos Linux now supports hardware watchdog timers configuration.
If enabled, and the machine becomes unresponsive, the hardware watchdog will reset the machine.

The watchdog can be enabled with the following configuration document:

apiVersion: v1alpha1
kind: WatchdogTimerConfig
device: /dev/watchdog0
timeout: 3m0s

Contributors

• Andrey Smirnov
• Noel Georgi
• Dmitriy Matrenichev
• Utku Ozdemir
• Andrey Smirnov
• Artem Chernyshev
• Dmitry Sharshakov
• Justin Garrison
• Radosław Piliszek
• Spencer Smith
• Anthony ARNAUD
• Steve Francis
• Anastasios Papagiannis
• Andrei Kvapil
• Andrian Zubovic
• AvnarJakob
• Cas de Reuver
• Christian Mohn
• Christian WALDBILLIG
• Dmitry Sharshakov
• Drew Hess
• Evan Johnson
• ExtraClock
• Fabiano Fidêncio
• Henno Schooljan
• Hervé Werner
• JJGadgets
• Jacob McSwain
• Jean-Tiare Le Bigot
• Jonomir
• Kai Hanssen
• Konrad Eriksson
• Louis SCHNEIDER
• Matthieu S
• Michael Stephenson
• Nico Berlee
• Niklas Wik
• Pip Oomen
• Saiyam Pathak
• Sebastiaan Gerritsen
• Sebastian Gaiser
• Serge Logvinov
• Tim Jones
• bri
• ebcrypto
• edwinavalos
• fazledyn-or
• goodmost
• james-dreebot
• pardomue
• shurkys
• stereobutter

Changes

210 commits

• 78f971370 release(v1.7.0-beta.0): prepare release
• 01d8b897c fix: make safeReset truly safe to call multiple times
• 653f838b0 feat: support multiple Docker cluster in talosctl cluster create
• 951904554 chore: bump dependencies (go 1.22.2)
• 862c76001 feat: add support for CoreDNS forwarding to host DNS
• e8ae5ef63 feat: add akamai platform support
• 5c0f74b37 fix: don't announce the VIP on acquire failure
• 2f0fe10d5 chore: update sbc docs
• 1b17008e9 fix: handle more OpenStack link types
• e7d804140 fix: always update firewall rules (kubespan)
• 78b9bd927 fix: report unsupported x86_64 microarchitecture level
• 71d90ba5f fix: retry in the fixed amount of time if grpc relay failed
• d320498a4 chore: bump dependencies
• 3195e5d15 fix: force Flannel CNI to use KubePrism Kubernetes API endpoint
• 917043fb5 chore: bump tools, pkgs and extra to stable
• f515741b5 chore: add equinix e2e-tests
• 117e60583 feat: add support for static extra fields for JSON logs
• 090143b03 fix: allow platform cmdline args to be platform-specific
• 7a68504b6 feat: support rotating Kubernetes CA
• fac3dd043 fix: don't set default endpoints on gen config
• 8dc4910c4 chore: enable "WG over GRPC" testing in siderolink agent tests
• bac366e43 chore: add ExtraInfo field for extensions
• 0fc24eeb0 feat: provide insecure flag to imager
• a6b2f5456 feat: update Kubernetes to 1.30.0-rc.0, etcd to 3.5.13
• 0361ff895 docs: quickstart video and brew install
• b752a8618 chore: talosctl: add openSUSE OVMF paths
• 945648914 feat: support hardware watchdog timers
• 949ad11a2 chore: import siderolink as siderolink-launch subcommand
• ee51f04af chore: azure e2e
• 55dd41c0d chore: update coredns to v1.11.2 in required section
• 8eacc4ba8 feat: support rotation of Talos API CA
• 92808e3bc feat: report Docker node resources in cluster show
• 84ec8c16f feat: support syncing to PTP clocks
• 7d43c9aa6 chore: annotate installer errors
• f737e6495 fix: populate routes to BGP neighbors (Equinix Metal)
• 19f15a840 chore: bump golangci-lint to 1.57.0
• 684011963 docs: add docs for overlays
• 9b6ec5929 chore: bump kernel
• 69f0466cd docs: remove repetitive words
• 113fb646e chore: use go-talos-support library
• 89fc68b45 fix: service lifecycle issues
• ead37abf0 test: disable volume tests
• c64523a7a feat: update Flannel to v0.24.4
• 15beb1478 feat: implement blockdevice watch controller
• 06e3bc0cb feat: implement Siderolink wireguard over GRPC
• 9afa70baf fix: patch correctly config in talosctl upgrade-k8s
• 3130caf95 chore: re-enable DRBD extension
• 3ba180d07 release(v1.7.0-alpha.1): prepare release
• 403ad93c3 feat: update dependencies
• 7376f34e8 fix: remove maintenance config when maintenance service is shut down
• 952801d8b fix: handle overlay partition options
• 465b9a4e6 fix: update discovery client wi...

v1.6.7

Talos 1.6.7 (2024-03-20)

Welcome to the v1.6.7 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

• Linux: 6.1.82
• Kubernetes: 1.29.3

Talos is built with Go 1.21.8.

Contributors

• Andrey Smirnov
• Utku Ozdemir
• Noel Georgi

Changes

7 commits

• 46c8ac102 release(v1.6.7): prepare release
• 9ef06f60f fix: service lifecycle issues
• 2c9159977 fix: patch correctly config in talosctl upgrade-k8s
• 16691dfd5 fix: remove maintenance config when maintenance service is shut down
• 5cbbbfa68 fix: fix nil panic on maintenance upgrade with partial config
• 3c942fe9d fix: etcd config validation for worker
• a5920a157 feat: update Kubernetes to 1.29.3, Linux to 6.1.82

Changes from siderolabs/pkgs

1 commit

• siderolabs/pkgs@df44f94 feat: update dependencies for Talos 1.6.7

Dependency Changes

• github.com/siderolabs/pkgs v1.6.0-26-g2961472 -> v1.6.0-27-gdf44f94
• github.com/siderolabs/talos/pkg/machinery v1.6.6 -> v1.6.7
• google.golang.org/protobuf v1.31.0 -> v1.33.0
• k8s.io/api v0.29.2 -> v0.29.3
• k8s.io/apimachinery v0.29.2 -> v0.29.3
• k8s.io/apiserver v0.29.2 -> v0.29.3
• k8s.io/client-go v0.29.2 -> v0.29.3
• k8s.io/component-base v0.29.2 -> v0.29.3
• k8s.io/cri-api v0.29.2 -> v0.29.3
• k8s.io/kube-scheduler v0.29.2 -> v0.29.3
• k8s.io/kubectl v0.29.2 -> v0.29.3
• k8s.io/kubelet v0.29.2 -> v0.29.3
• k8s.io/pod-security-admission v0.29.2 -> v0.29.3

Previous release can be found at v1.6.6

Images

ghcr.io/siderolabs/flannel:v0.23.0
ghcr.io/siderolabs/install-cni:v1.6.0-2-g9234398
registry.k8s.io/coredns/coredns:v1.11.1
gcr.io/etcd-development/etcd:v3.5.11
registry.k8s.io/kube-apiserver:v1.29.3
registry.k8s.io/kube-controller-manager:v1.29.3
registry.k8s.io/kube-scheduler:v1.29.3
registry.k8s.io/kube-proxy:v1.29.3
ghcr.io/siderolabs/kubelet:v1.29.3
ghcr.io/siderolabs/installer:v1.6.7
registry.k8s.io/pause:3.8

v1.7.0-alpha.1

Talos 1.7.0-alpha.1 (2024-03-14)

Welcome to the v1.7.0-alpha.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Device Selectors

Talos Linux now supports physical: true qualifier for device selectors, it selects non-virtual network interfaces (i.e. en0 is selected, while bond0 is not).

DNS Caching

Talos Linux now provides a caching DNS resolver for host workloads (including host networking pods). It can be disabled with:

machine:
   features:
       localDNS: false

Extension Services Config

Talos now supports supplying configuration files and environment variables for extension services.
The extension service configuration is a separate config document. An example is shown below:

---
apiVersion: v1alpha1
kind: ExtensionServiceConfig
name: nut-client
configFiles:
  - content: MONITOR ${upsmonHost} 1 remote pass password
    mountPath: /usr/local/etc/nut/upsmon.conf
environment:
  - UPS_NAME=ups

For documentation, see Extension Services Config Files.

Note: The use of environmentFile in extension service spec is now deprecated and will be removed in a future release of Talos.
Use ExtensionServiceConfig instead.

Kubernetes Upgrade

The command talosctl upgrade-k8s now supports specifying custom image references for Kubernetes components via --*-image flags.
The default behavior is unchanged, and the flags are optional.

KubeSpan

Talos Linux disables by default a KubeSpan feature to harvest additional endpoints from KubeSpan members.
This feature turned out to be less helpful than expected and caused unnecessary performance issues.

Previous behavior can be restored with:

machine:
  network:
    kubespan:
        harvestExtraEndpoints: true

NTP

Default NTP server was updated to be time.cloudflare.com instead of pool.ntp.org.
Default server is only used if the user does not specify any NTP servers in the configuration.

OpenNebula

Talos Linux now supports OpenNebula platform.

Known Problems

DRBD extension is disabled in this release due to incompatibility with the latest Linux kernel.

Kubernetes API Server Service Account Key

Talos Linux starting from this release uses RSA key for Kubernetes API Server Service Account instead of ECDSA key to provide better compatibility with external OpenID Connect implementations.

SBC

Talos core will drop support for SBC's and will not include the SBC binaries in the release.
Overlays are being developed to support SBC's.

Secure Boot Image

Talos Linux now provides a way to configure systemd-boot ISO 'secure-boot-enroll' option while generating a SecureBoot ISO image:

output:
    kind: iso
    isoOptions:
        sdBootEnrollKeys: force # default is still if-safe
    outFormat: raw

Syslog

Talos Linux now starts a basic syslog receiver listening on /dev/log.
The receiver can mostly parse both RFC3164 and RFC5424 messages and writes them as JSON formatted message.
The logs can be viewed via talosctl logs syslogd.

This is mostly implemented for extension services that log to syslog.

Component Updates

Linux: 6.6.21
etcd: 3.5.11
Kubernetes: 1.30.0-beta.0
containerd: 1.7.14
runc: 1.1.12
Flannel: 0.24.1

Talos is built with Go 1.22.1.

Contributors

• Andrey Smirnov
• Noel Georgi
• Dmitriy Matrenichev
• Utku Ozdemir
• Andrey Smirnov
• Artem Chernyshev
• Radosław Piliszek
• Spencer Smith
• Anthony ARNAUD
• Justin Garrison
• Steve Francis
• Anastasios Papagiannis
• Andrei Kvapil
• Andrian Zubovic
• AvnarJakob
• Cas de Reuver
• Christian Mohn
• Christian WALDBILLIG
• Dmitry Sharshakov
• Dmitry Sharshakov
• Drew Hess
• ExtraClock
• Fabiano Fidêncio
• Henno Schooljan
• Hervé Werner
• JJGadgets
• Jacob McSwain
• Jonomir
• Kai Hanssen
• Louis SCHNEIDER
• Matthieu S
• Michael Stephenson
• Nico Berlee
• Pip Oomen
• Saiyam Pathak
• Sebastiaan Gerritsen
• Sebastian Gaiser
• Serge Logvinov
• Tim Jones
• bri
• ebcrypto
• edwinavalos
• fazledyn-or
• james-dreebot
• pardomue
• shurkys
• stereobutter

Changes

163 commits

• 3ba180d07 release(v1.7.0-alpha.1): prepare release
• 403ad93c3 feat: update dependencies
• 7376f34e8 fix: remove maintenance config when maintenance service is shut down
• 952801d8b fix: handle overlay partition options
• 465b9a4e6 fix: update discovery client with the fix for keepalive interval
• 1e9f866ac feat: update Kubernetes to v1.30.0-beta.0
• d118a852b feat: implement Install for imager overlays
• cd5a5a447 chore: migrate to go-grpc-middleware/v2
• e3c2a6398 feat: set default NTP server to time.cloudflare.com
• 32e087760 chore: print all available logs containers in logs command completions
• e89d755c5 fix: etcd config validation for worker
• 1aa3c9182 docs: add DreeBot to ADOPTERS.md
• 1bb6027cc fix: fix nil panic on maintenance upgrade with partial config
• aa70bfb9d docs: add Redpill Linpro to adopters list
• f02aeec92 fix: do not fail cluster create when input dir does not contain talosconfig
• 1ec6683e0 chore: use go-copy
• 3c8f51d70 chore: move cli formatters and version modules to machinery
• 8152a6dd6 feat: update Go to 1.22.1
• 8c7953991 docs: update replicated-local-storage-with-openebs-jiva.md
• f23bd8144 fix: syslog parser
• bbed07e03 feat: update Linux to 6.6.18
• 8125e754b feat: imager overlay
• 0b9b4da12 feat: update Kubernetes to 1.30.0-alpha.3
• 3a764029e docs: fix typo in word governor
• d81d49000 chore: update CoreDNS renovate source
• b2ad5dc5f fix: workaround a race in CNI setup (talosctl cluster create)
• 457507803 fix: provide auth when pulling images in the imager
• e707175ab docs: update config patch in cilium docs
• f8c556a1c chore: listen for dns requests on 127.0.0.53
• 8872a7a21 fix: ignore 'no such device' in addition to 'no such file'
• 1cb544353 chore: uki der certs in iso
• 67ac6933d fix: handle errors to watch apid/trustd certs
• c79d69c2e fix: only set gateway if set in context (opennebula)
• 4575dd8e7 chore: allow not preallocated disks for QEMU cluster
• 0bddfea81 chore: add oceanbox.io to adopters
• 136427592 chore: use proper talos_version_contract for TF tests
• 6bf50fdc1 chore: disable x/net/trace in gRPC to enable dead code elimination
• 815a8e9cc feat: add partial config support to talosctl cluster create
• 64e9703f8 chore: add tests for the Kata Containers extension
• 9b6291925 feat: update pkgs
• 66f3ffdd4 fix: ensure that Talos runs in a pod (container)
• 9dbc33972 feat: add basic syslog implementation
• 0b7a27e6a feat: allow access to all resources over siderolink in maintenance mode
• 53721883d feat: support AWS KMS for the SecureBoot signing
• 7ee999f8a fix: disable KubeSpan endpoint harvesting by default
• 7b87c7fe9 chore: bump Go dependencies
• 8e9596d3c docs: rpi talosctl install update
• 493bb60f8 fix: correctly handle partial configs in DNSUpstreamController
• 6deb10ae2 chore: deprecate environmentFile for extensions
• f8b4ee82a chore: update extensions test
• 1366ce14a feat: update Kubernetes to v1.30.0-alpha.2
• 559308ef7 fix: use MachineStatus resource to check for boot done
• 15e8bca2b feat: support environment in ExtensionServicesConfig
• 3fe82ec46 feat: custom image settings for k8s upgrade
• fa3b93370 chore: replace fmt.Errorf with errors.New where possible
• d4521ee9c feat: update kernel with sfc driver and LSM updates
• 2f0421b40 fix: run xfs_repair on invalid argument error
• f868fb8e8 docs: update vmware tools url
• fa2d34dd8 chore: enable v6 support on the same port
• 83e0b0c19 chore: adjust dns sockets settings
• a1ec1705b chore: update Go to 1.22.0
• 76b50fcd4 chore: add Ænix to the Adopters list
• 5324d3916 chore: bump stuff
• 087b50f42 feat: support systemd-boot ISO enroll keys option
• afa71d6b0 chore: use "handle-like" resource in DNSResolveCacheController
• 013e13070 fix: error with decoding config document with wrong apiVersion
• 1e77bb1c3 chore: allow custom pkgs to build talos
• 3f8a85f1b fix: unlock the upgrade mutex properly
• 61c3331b1 docs: update indentation in vip.md
• 383e528df chore: allow uuid-based hostnames in talosctl cluster create
• 1e6c8c4de feat: extensions services config
• 989ca3ade feat: add OpenNebula platform support
• siderolabs/talos@...

v1.6.6

Talos 1.6.6 (2024-03-06)

Welcome to the v1.6.6 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

• Linux: 6.1.80

Talos is built with Go 1.21.8.

Contributors

• Andrey Smirnov

Changes

5 commits

• 7dceba060 release(v1.6.6): prepare release
• e4f712689 fix: workaround a race in CNI setup (talosctl cluster create)
• 38b5aed50 fix: provide auth when pulling images in the imager
• 4af77b5fd fix: handle errors to watch apid/trustd certs
• 2df2586f9 feat: update Linux to 6.1.80, Go to 1.21.8

Changes from siderolabs/extras

1 commit

• siderolabs/extras@9234398 chore: update Go to 1.21.8

Changes from siderolabs/pkgs

1 commit

• siderolabs/pkgs@2961472 feat: update Linux to 6.1.80, firmware to 20240220

Changes from siderolabs/tools

1 commit

• siderolabs/tools@ae30965 feat: update Go to 1.21.8

Dependency Changes

• github.com/alexflint/go-filemutex v1.2.0 new
• github.com/siderolabs/extras v1.6.0-1-g113887a -> v1.6.0-2-g9234398
• github.com/siderolabs/pkgs v1.6.0-25-g6868f38 -> v1.6.0-26-g2961472
• github.com/siderolabs/talos/pkg/machinery v1.6.5 -> v1.6.6
• github.com/siderolabs/tools v1.6.0-2-g5e034ec -> v1.6.0-3-gae30965

Previous release can be found at v1.6.5

Images

ghcr.io/siderolabs/flannel:v0.23.0
ghcr.io/siderolabs/install-cni:v1.6.0-2-g9234398
registry.k8s.io/coredns/coredns:v1.11.1
gcr.io/etcd-development/etcd:v3.5.11
registry.k8s.io/kube-apiserver:v1.29.2
registry.k8s.io/kube-controller-manager:v1.29.2
registry.k8s.io/kube-scheduler:v1.29.2
registry.k8s.io/kube-proxy:v1.29.2
ghcr.io/siderolabs/kubelet:v1.29.2
ghcr.io/siderolabs/installer:v1.6.6
registry.k8s.io/pause:3.8

v1.6.5

Talos 1.6.5 (2024-02-22)

Welcome to the v1.6.5 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Kubernetes Upgrade

The command talosctl upgrade-k8s now supports specifying custom image references for Kubernetes components via --*-image flags.
The default behavior is unchanged, and the flags are optional.

Component Updates

Kubernetes: 1.29.2
Linux: 6.1.78

Talos is built with Go 1.21.6.

Contributors

• Andrey Smirnov
• Noel Georgi
• Anastasios Papagiannis
• Andrian Zubovic
• Matthieu S
• Utku Ozdemir
• pardomue

Changes

14 commits

• 22803bc5d release(v1.6.5): prepare release
• e5c198a32 feat: update pkgs
• 54c60ddfb feat: allow access to all resources over siderolink in maintenance mode
• c7f5ff73e fix: use MachineStatus resource to check for boot done
• 7d1378240 feat: support AWS KMS for the SecureBoot signing
• c6e7a95cc feat: custom image settings for k8s upgrade
• 0f5e946f4 fix: ensure that Talos runs in a pod (container)
• fd93ce1b6 feat: update kernel with sfc driver and LSM updates
• 36836878f fix: run xfs_repair on invalid argument error
• 6ea29d927 feat: support systemd-boot ISO enroll keys option
• e993215fe fix: unlock the upgrade mutex properly
• 5515a6bab fix: use a separate cgroup for each extension service
• e7935e6b9 feat: update Linux to 6.1.78
• 959627850 feat: update Kubernetes default to 1.29.2

Changes from siderolabs/pkgs

9 commits

• siderolabs/pkgs@6868f38 feat: enable PSI (pressure stall information)
• siderolabs/pkgs@777cae9 feat: update Linux to 6.1.78
• siderolabs/pkgs@f71ff75 feat: enable VRF module
• siderolabs/pkgs@a7e36fb feat: add support for Solarflare SFC9100 and SFC9200 family
• siderolabs/pkgs@7146892 feat: enable CONFIG_SECURITY_PATH and CONFIG_BPF_LSM
• siderolabs/pkgs@73f3c03 feat: backport iPXE update from main
• siderolabs/pkgs@8ff728c chore: set PREEMPT_NONE as recommended for servers
• siderolabs/pkgs@b849795 fix: enable KFD support in kernel
• siderolabs/pkgs@0b8a78b feat: bring Linux to 6.1.76

Dependency Changes

• github.com/aws/aws-sdk-go-v2/service/kms v1.26.5 new
• github.com/siderolabs/pkgs v1.6.0-16-gb77ffb7 -> v1.6.0-25-g6868f38
• github.com/siderolabs/talos/pkg/machinery v1.6.4 -> v1.6.5
• k8s.io/api v0.29.1 -> v0.29.2
• k8s.io/apiserver v0.29.1 -> v0.29.2
• k8s.io/client-go v0.29.1 -> v0.29.2
• k8s.io/component-base v0.29.1 -> v0.29.2
• k8s.io/kube-scheduler v0.29.1 -> v0.29.2
• k8s.io/kubectl v0.29.1 -> v0.29.2
• k8s.io/kubelet v0.29.1 -> v0.29.2
• k8s.io/pod-security-admission v0.29.2 new

Previous release can be found at v1.6.4

Images

ghcr.io/siderolabs/flannel:v0.23.0
ghcr.io/siderolabs/install-cni:v1.6.0-1-g113887a
registry.k8s.io/coredns/coredns:v1.11.1
gcr.io/etcd-development/etcd:v3.5.11
registry.k8s.io/kube-apiserver:v1.29.2
registry.k8s.io/kube-controller-manager:v1.29.2
registry.k8s.io/kube-scheduler:v1.29.2
registry.k8s.io/kube-proxy:v1.29.2
ghcr.io/siderolabs/kubelet:v1.29.2
ghcr.io/siderolabs/installer:v1.6.5
registry.k8s.io/pause:3.8

v1.5.6

Talos 1.5.6 (2024-02-02)

Welcome to the v1.5.6 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.1.74
containerd: 1.6.28
runc: 1.1.12

See CVE-2024-21626 for the runc update.

Talos is built with Go 1.20.13.

Contributors

• Andrey Smirnov
• Dmitriy Matrenichev
• Hervé Werner
• Jonomir
• Noel Georgi

Changes

12 commits

• 26f0153ef release(v1.5.6): prepare release
• e7475d8fd fix: take into account the moment seen when cleaning up CRI images
• 9b819ee1e fix: watch bufer overrun for RouteStatus
• 730913fdb fix: update kmsg with utf-8 fix
• a3b48c696 fix: disk UUID & WWID always empty in talosctl disks
• e4a23412f fix: skip writing the file if the contents haven't changed
• 8516708a5 fix: retry blockdevice open in the installer
• d82b14eae fix: be more tolerant to error handling in Mounts API
• d35002777 fix: ignore kernel command line in container mode
• 06424ad5d fix: allow extra kernel args for secureboot installer
• 985ed8de6 fix: set max msg recv size when proxying
• 1e5913806 feat: update runc 1.1.12, containerd 1.6.28, Linux 6.1.74

Changes from siderolabs/gen

2 commits

• siderolabs/gen@efca710 chore: add FilterInPlace method to maps and update module
• siderolabs/gen@36a3ae3 feat: update module

Changes from siderolabs/go-kmsg

2 commits

• siderolabs/go-kmsg@e358d13 fix: decode escape sequences while reading from kmsg
• siderolabs/go-kmsg@4297bd5 feat: add BSD support

Changes from siderolabs/pkgs

2 commits

• siderolabs/pkgs@a550ab9 feat: update Go to 1.20.13
• siderolabs/pkgs@ae26536 feat: update containerd 1.6.28, runc 1.1.12, Linux 6.1.74

Changes from siderolabs/tools

1 commit

• siderolabs/tools@02895ed feat: update Go to 1.20.13

Dependency Changes

• github.com/containerd/containerd v1.6.23 -> v1.6.28
• github.com/google/go-cmp v0.5.9 -> v0.6.0
• github.com/google/uuid v1.3.0 -> v1.3.1
• github.com/siderolabs/gen v0.4.5 -> v0.4.7
• github.com/siderolabs/go-kmsg v0.1.3 -> v0.1.4
• github.com/siderolabs/pkgs v1.5.0-15-gab5b0e5 -> v1.5.0-17-ga550ab9
• github.com/siderolabs/talos/pkg/machinery v1.5.5 -> v1.5.6
• github.com/siderolabs/tools v1.5.0-3-gc95372c -> v1.5.0-4-g02895ed
• golang.org/x/net v0.17.0 -> v0.18.0
• golang.org/x/sys v0.13.0 -> v0.16.0
• golang.org/x/term v0.13.0 -> v0.16.0
• golang.org/x/text v0.13.0 -> v0.14.0
• google.golang.org/grpc v1.58.3 -> v1.59.0

Previous release can be found at v1.5.5

Images

ghcr.io/siderolabs/flannel:v0.22.1
ghcr.io/siderolabs/install-cni:v1.5.0-3-gb43c4e4
registry.k8s.io/coredns/coredns:v1.10.1
gcr.io/etcd-development/etcd:v3.5.10
registry.k8s.io/kube-apiserver:v1.28.3
registry.k8s.io/kube-controller-manager:v1.28.3
registry.k8s.io/kube-scheduler:v1.28.3
registry.k8s.io/kube-proxy:v1.28.3
ghcr.io/siderolabs/kubelet:v1.28.3
ghcr.io/siderolabs/installer:v1.5.6
registry.k8s.io/pause:3.6

v1.7.0-alpha.0

Talos 1.7.0-alpha.0 (2024-02-01)

Welcome to the v1.7.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Device Selectors

Talos Linux now supports physical: true qualifier for device selectors, it selects non-virtual network interfaces (i.e. en0 is selected, while bond0 is not).

DNS Caching

Talos Linux now provides a caching DNS resolver for host workloads (including host networking pods). It can be disabled with:

machine:
   features:
       localDNS: false

Known Problems

ZFS and DRBD extensions are disabled in this release due to incompatibility with the latest Linux kernel.

Kubernetes API Server Service Account Key

Talos Linux starting from this release uses RSA key for Kubernetes API Server Service Account instead of ECDSA key to provide better compatibility with external OpenID Connect implementations.

Component Updates

Linux: 6.6.14
etcd: 3.5.11
Kubernetes: 1.29.1
containerd: 1.7.13
runc: 1.1.12
Flannel: 0.24.1

Talos is built with Go 1.21.6.

Contributors

• Andrey Smirnov
• Dmitriy Matrenichev
• Utku Ozdemir
• Noel Georgi
• Andrey Smirnov
• Radosław Piliszek
• Artem Chernyshev
• Spencer Smith
• Steve Francis
• Anthony ARNAUD
• Cas de Reuver
• Christian Mohn
• Drew Hess
• ExtraClock
• Hervé Werner
• JJGadgets
• Jacob McSwain
• Jonomir
• Sebastian Gaiser
• Serge Logvinov
• Tim Jones
• edwinavalos
• stereobutter

Changes

82 commits

• 029d7f7b9 release(v1.7.0-alpha.0): prepare release
• 2ff81c06b feat: update runc 1.1.12, containerd 1.7.13
• 9d8cd4d05 chore: drop deprecated method EtcdRemoveMember
• 17567f19b fix: take into account the moment seen when cleaning up CRI images
• aa03204b8 docs: document the process of building custom kernel packages
• 7af48bd55 feat: use RSA key for kube-apiserver service account key
• a5e13c696 fix: retry blockdevice open in the installer
• 593afeea3 fix: run the interactive installer loop to report errors
• 87be76b87 fix: be more tolerant to error handling in Mounts API
• 03add7503 docs: add section on using imager with extensions from tarball
• ee0fb5eff docs: consolidate certificate management articles
• 9c14dea20 chore: bump coredns
• ebeef2852 feat: implement local caching dns server
• 4a3691a27 docs: fix broken links in metal-network-configuration.md
• c4ed189a6 docs: provide sane defaults for each release series in vmware script
• 8138d54c6 docs: clarify node taints/labels for worker nodes
• b44551ccd feat: update Linux to 6.6.13
• 385707c5f docs: update vmware.sh
• d1a79b845 docs: fix small typo in etcd maintenance guide
• cf0603330 docs: copy generated JSON schema to host
• f11139c22 docs: document local path provisioner install
• e0dfbb8fb fix: allow META encoded values to be compressed
• d677901b6 feat: implement device selector for 'physical'
• 7d1117289 docs: add missing talosconfig flag
• 8a1732bcb fix: pull in mptspi driver
• c1e45071f refactor: use etcd configuration from the EtcdSpec resource
• 4e9b688d3 fix: use correct TTL for talosconfig in talosctl config new
• fb5ad0555 feat: update Kubernetes default to 1.29.1
• fe24139f3 docs: fork docs for v1.7
• 1c2d10ccc chore: bump dependencies
• a599e3867 chore: allow custom registry to build installer/imager
• 3911ddf7b docs: add how-to for cert management
• b0ee0bfba fix: strategic patch merging for audit policy
• 474eccdc4 fix: watch bufer overrun for RouteStatus
• cc06b5d7a fix: fix .der output in talosctl gen secureboot
• 1dbb4abf4 fix: update discovery service client to v0.1.6
• 9782319c3 fix: support KubePrism settings in Kubernetes Discovery
• 6c5a0c281 feat: generate a single JSON schema for multidoc config
• f70b47ddd fix: force KubePrism to connect using IPv4
• d5321e085 fix: update kmsg with utf-8 fix
• 7fa7362dd fix: fix nodes on dashboard footer when node names are used in --nodes
• ba88678f1 fix: merge ports and ingress configs correctly in NetworkRuleConfig
• dea9bda2d fix: disk UUID & WWID always empty in talosctl disks
• 8dc112f36 chore: pull in NBD modules
• f6926faab fix: default priority for ipv6
• e8758dcba chore: support http downloads for assets in talosctl cluster create
• 265f21be0 fix: replace the filemap implementation to not buffer in memory
• 8db3c5b3c fix: pick correctly base installer image layers
• 0a30ef784 fix: imager should support different Talos versions
• d6342cda5 docs: update latest version to v1.6.1
• e6e422b92 chore: bump dependencies
• 5a19d078a fix: properly overwrite files on install
• 9eb6cea78 docs: secureboot sd-boot menu clarification
• 01f0cbe61 feat: support iPXE direct booting in talosctl cluster create
• 3ba84701d feat: pull in kernel modules for mlx Infiniband and VFIO
• ba993e0ed docs: announce that SecureBoot is available
• 241bc9312 fix: update the way secureboot signer fetches certificate (azure)
• 59b62398f chore: modernize machined/pkg/controllers/k8s
• 760f793d5 fix: use correct prefix when installing SBC files
• 0b94550c4 chore: fix the gvisor test
• 3a787c1d6 docs: update 1.6 docs with Noel's feedback
• d803e40ef docs: provide documentation for Talos 1.6
• 9a185a30f feat: update Kubernetes to v1.29.0
• 5934815d2 chore: split more kernel modules on amd64
• 10c59a6b9 fix: leave discovery service later in the reset sequence
• 0c86ca1cc chore: enable kubespan+firewall for cilium tests
• 98fd722d5 feat: provide compatibility for future Talos 1.7
• 131a1b167 fix: add a KubeSpan option to disable extra endpoint harvesting
• 4547ad9af feat: send actor id to the SideroLink events sink
• 04e774547 docs: cap max heading level
• 6bb1e99aa chore: optimize pcap dump
• 4f9d3b975 feat: update Kubernetes to v1.29.0-rc.2
• 46121c9fe docs: rework machine config documentation generation
• e128d3c82 fix: talosctl cluster create not to enforce kubeprism always
• 320064c5a feat: update Go 1.21.5, Linux 6.1.65, etcd 3.5.11
• 270604bea fix: support user disks via symlinks
• 4f195dd27 chore: fix the release.toml
• 474fa0480 fix: store and execute desired action on emergency action
• 515ae2a18 docs: extend hetzner-cloud docs for arm64
• eecc4dbd5 fix: trim leading spaces\newlines in inline manifest contents
• dbf274ddf fix: skip writing the file if the contents haven't changed
• 6329222bd fix: do not panic in merge.Merge if map value is nil

Changes from siderolabs/discovery-client

1 commit

• siderolabs/discovery-client@ff8f4be fix: enable gRPC keepalives

Changes from siderolabs/extras

1 commit

• siderolabs/extras@8909d6f chore: update Go to 1.21.5

Changes from siderolabs/go-api-signature

20 commits

• siderolabs/go-api-signature@370cebf fix: always print the login URL on key renew flow
• siderolabs/go-api-signature@d28609a feat: move in the cli grpc interceptor logic, support service account in env
• siderolabs/go-api-signature@4602acc chore: add a dummy workflow
• siderolabs/go-api-signature@cfd21b6 fix: support validating signatures generated with the time in the future
• siderolabs/go-api-signature@74dd3dc chore: bump deps
• siderolabs/go-api-signature@d78bedb chore: bump deps
• siderolabs/go-api-signature@a034e9f feat: replace scopes with roles
• siderolabs/go-api-signature@5b4f3bb chore: run rekres
• siderolabs/go-api-signature@9dba116 chore: remove time.Sleep hack
• siderolabs/go-api-signature@e84e686 chore: bump dependencies
• siderolabs/go-api-signature@8baaf8a chore: bump deps
• siderolabs/go-api-signature@5f27e1e chore: add renovate bot and bump deps
• siderolabs/go-api-signature@69886dc feat: allow custom validations on PGP key
• siderolabs/go-api-signature@63d4da3 fix: limit clock skew for short-lived keys
• siderolabs/go-api-signature@cdb9722 feat: add support for +-5 min clock skew
• siderolabs/go-api-signature@7b80a50 refactor: use options pattern in RegisterPGPPublicKey
• siderolabs/go-api-signature@c647861 feat: add scopes to RegisterPublicKeyRequest
• siderolabs/go-api-signature@5d3647e feat: provide more client PGP functions
• siderolabs/go-api-signature@2b682ec feat: initial version
• siderolabs/go-api-signature@a4c2943 chore: initia...

v1.6.4

Talos 1.6.4 (2024-02-01)

Welcome to the v1.6.4 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

containerd: 1.7.13
runc: 1.1.12

See CVE-2024-21626 for the runc update.

Talos is built with Go 1.21.6.

Contributors

• Andrey Smirnov
• Andrey Smirnov
• Dmitriy Matrenichev
• Utku Ozdemir
• Noel Georgi
• Artem Chernyshev

Changes

7 commits

• 431bcada7 release(v1.6.4): prepare release
• 040c535c6 fix: retry blockdevice open in the installer
• 00b34b254 fix: take into account the moment seen when cleaning up CRI images
• c5ad166be fix: be more tolerant to error handling in Mounts API
• b438f8a9b fix: run the interactive installer loop to report errors
• 12e83b7e3 docs: clarify node taints/labels for worker nodes
• 7840f8a89 feat: update containerd 1.7.13, runc 1.1.12

Changes from siderolabs/go-api-signature

20 commits

• siderolabs/go-api-signature@370cebf fix: always print the login URL on key renew flow
• siderolabs/go-api-signature@d28609a feat: move in the cli grpc interceptor logic, support service account in env
• siderolabs/go-api-signature@4602acc chore: add a dummy workflow
• siderolabs/go-api-signature@cfd21b6 fix: support validating signatures generated with the time in the future
• siderolabs/go-api-signature@74dd3dc chore: bump deps
• siderolabs/go-api-signature@d78bedb chore: bump deps
• siderolabs/go-api-signature@a034e9f feat: replace scopes with roles
• siderolabs/go-api-signature@5b4f3bb chore: run rekres
• siderolabs/go-api-signature@9dba116 chore: remove time.Sleep hack
• siderolabs/go-api-signature@e84e686 chore: bump dependencies
• siderolabs/go-api-signature@8baaf8a chore: bump deps
• siderolabs/go-api-signature@5f27e1e chore: add renovate bot and bump deps
• siderolabs/go-api-signature@69886dc feat: allow custom validations on PGP key
• siderolabs/go-api-signature@63d4da3 fix: limit clock skew for short-lived keys
• siderolabs/go-api-signature@cdb9722 feat: add support for +-5 min clock skew
• siderolabs/go-api-signature@7b80a50 refactor: use options pattern in RegisterPGPPublicKey
• siderolabs/go-api-signature@c647861 feat: add scopes to RegisterPublicKeyRequest
• siderolabs/go-api-signature@5d3647e feat: provide more client PGP functions
• siderolabs/go-api-signature@2b682ec feat: initial version
• siderolabs/go-api-signature@a4c2943 chore: initial commit

Changes from siderolabs/pkgs

1 commit

• siderolabs/pkgs@b77ffb7 chore: bump runc+containerd

Dependency Changes

• github.com/containerd/containerd v1.7.11 -> v1.7.13
• github.com/opencontainers/runtime-spec v1.1.0-rc.1 -> v1.1.0
• github.com/siderolabs/go-api-signature v0.3.1 new
• github.com/siderolabs/pkgs v1.6.0-15-gf51aedb -> v1.6.0-16-gb77ffb7
• github.com/siderolabs/talos/pkg/machinery v1.6.3 -> v1.6.4

Previous release can be found at v1.6.3

Images

ghcr.io/siderolabs/flannel:v0.23.0
ghcr.io/siderolabs/install-cni:v1.6.0-1-g113887a
registry.k8s.io/coredns/coredns:v1.11.1
gcr.io/etcd-development/etcd:v3.5.11
registry.k8s.io/kube-apiserver:v1.29.1
registry.k8s.io/kube-controller-manager:v1.29.1
registry.k8s.io/kube-scheduler:v1.29.1
registry.k8s.io/kube-proxy:v1.29.1
ghcr.io/siderolabs/kubelet:v1.29.1
ghcr.io/siderolabs/installer:v1.6.4
registry.k8s.io/pause:3.8

v1.6.3

Talos 1.6.3 (2024-01-24)

Welcome to the v1.6.3 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.1.74
Kubernetes: 1.29.1

Talos is built with Go 1.21.6.

Contributors

• Andrey Smirnov

Changes

4 commits

• d53e07c1a release(v1.6.3): prepare release
• 815fef8c3 fix: allow META encoded values to be compressed
• 56e87f55b feat: update Kubernetes default to 1.29.1
• 63fc46f0a feat: update Linux to 6.1.74

Changes from siderolabs/pkgs

3 commits

• siderolabs/pkgs@f51aedb fix: disable nct6883 on arm64
• siderolabs/pkgs@7ddbdb4 fix: enable FUSION_SPI driver
• siderolabs/pkgs@00d2978 feat: update Linux to 6.1.74

Dependency Changes

• github.com/siderolabs/pkgs v1.6.0-12-g0078a66 -> v1.6.0-15-gf51aedb
• github.com/siderolabs/talos/pkg/machinery v1.6.2 -> v1.6.3
• k8s.io/api v0.29.0 -> v0.29.1
• k8s.io/apimachinery v0.29.0 -> v0.29.1
• k8s.io/apiserver v0.29.0 -> v0.29.1
• k8s.io/client-go v0.29.0 -> v0.29.1
• k8s.io/component-base v0.29.0 -> v0.29.1
• k8s.io/cri-api v0.29.0 -> v0.29.1
• k8s.io/kube-scheduler v0.29.0 -> v0.29.1
• k8s.io/kubectl v0.29.0 -> v0.29.1
• k8s.io/kubelet v0.29.0 -> v0.29.1

Previous release can be found at v1.6.2

Images

ghcr.io/siderolabs/flannel:v0.23.0
ghcr.io/siderolabs/install-cni:v1.6.0-1-g113887a
registry.k8s.io/coredns/coredns:v1.11.1
gcr.io/etcd-development/etcd:v3.5.11
registry.k8s.io/kube-apiserver:v1.29.1
registry.k8s.io/kube-controller-manager:v1.29.1
registry.k8s.io/kube-scheduler:v1.29.1
registry.k8s.io/kube-proxy:v1.29.1
ghcr.io/siderolabs/kubelet:v1.29.1
ghcr.io/siderolabs/installer:v1.6.3
registry.k8s.io/pause:3.8

v1.6.2

Talos 1.6.2 (2024-01-18)

Welcome to the v1.6.2 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.1.73

Talos is built with Go 1.21.6.

Contributors

• Andrey Smirnov
• Utku Ozdemir
• Dmitriy Matrenichev
• Drew Hess
• Hervé Werner
• JJGadgets
• Jonomir
• Serge Logvinov

Changes

16 commits

• 26eee7553 release(v1.6.2): prepare release
• f87a0468b fix: strategic patch merging for audit policy
• 36b913dba fix: watch bufer overrun for RouteStatus
• 3576d113c fix: fix .der output in talosctl gen secureboot
• 0191c3b2c fix: support KubePrism settings in Kubernetes Discovery
• 8fa6e93f0 fix: force KubePrism to connect using IPv4
• e05eebca1 fix: update kmsg with utf-8 fix
• 37bfa60dd fix: merge ports and ingress configs correctly in NetworkRuleConfig
• 306c5cad2 fix: fix nodes on dashboard footer when node names are used in --nodes
• 530332d24 fix: disk UUID & WWID always empty in talosctl disks
• 440f56341 chore: pull in NBD modules
• 3ebdbabaf fix: default priority for ipv6
• b47619543 fix: replace the filemap implementation to not buffer in memory
• 0ec551597 fix: imager should support different Talos versions
• 4b3168624 feat: support iPXE direct booting in talosctl cluster create
• d98699c07 feat: update Linux 6.1.73, go 1.21.6

Changes from siderolabs/go-kmsg

2 commits

• siderolabs/go-kmsg@e358d13 fix: decode escape sequences while reading from kmsg
• siderolabs/go-kmsg@4297bd5 feat: add BSD support

Changes from siderolabs/pkgs

3 commits

• siderolabs/pkgs@0078a66 feat: enable NBD
• siderolabs/pkgs@31b9d61 feat: enable nct6683 sensors as module
• siderolabs/pkgs@f8c6a35 feat: go 1.21.6, linux 6.1.73

Changes from siderolabs/tools

1 commit

• siderolabs/tools@5e034ec feat: update Go to 1.21.6

Dependency Changes

• github.com/pin/tftp 2f79be2dba4e new
• github.com/siderolabs/go-kmsg v0.1.3 -> v0.1.4
• github.com/siderolabs/pkgs v1.6.0-9-g8fa73db -> v1.6.0-12-g0078a66
• github.com/siderolabs/talos/pkg/machinery v1.6.1 -> v1.6.2
• github.com/siderolabs/tools v1.6.0-1-g336d248 -> v1.6.0-2-g5e034ec
• golang.org/x/sys v0.15.0 -> v0.16.0

Previous release can be found at v1.6.1

Images

ghcr.io/siderolabs/flannel:v0.23.0
ghcr.io/siderolabs/install-cni:v1.6.0-1-g113887a
registry.k8s.io/coredns/coredns:v1.11.1
gcr.io/etcd-development/etcd:v3.5.11
registry.k8s.io/kube-apiserver:v1.29.0
registry.k8s.io/kube-controller-manager:v1.29.0
registry.k8s.io/kube-scheduler:v1.29.0
registry.k8s.io/kube-proxy:v1.29.0
ghcr.io/siderolabs/kubelet:v1.29.0
ghcr.io/siderolabs/installer:v1.6.2
registry.k8s.io/pause:3.8