v1.10.0-alpha.3

[smira]

Talos 1.10.0-alpha.3 (2025-03-24)

Welcome to the v1.10.0-alpha.3 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

auditd

Kernel parameter talos.auditd.disabled=1 can be used to disable Talos built-in auditd service.

cgroups v1

Talos Linux no longer supports cgroupsv1 when running in non-container mode.
The kernel argument talos.unified_cgroup_hierarchy is now ignored.

Disk Image

Talos starting with 1.10 will have disk images that will use GRUB only for legacy BIOS and systemd-boot for modern UEFI systems.
On first boot Talos determines the boot method and will wipe the unused bootloader.

Secureboot disk-images will be sd-boot only.

For ARM64 imager will still generate GRUB bootloader for Talos < 1.10 and for Talos >= 1.10 all ARM64 boot assets will use systemd-boot.

Imager supports overwriting bootloader when generating a disk image via the Imager profile output option.

Eg:

output:
  kind: image
  imageOptions:
    bootloader: sd-boot # supported options are sd-boot, grub, dual-boot

Driver Rebind

Talos 1.10 now supports a new machine config document named PCIDriverRebindConfig that allows rebinding the driver of a PCI device to a different target driver.
See the documentation for more information.

Ethernet

Talos now provides ethtool-style Ethernet low-level configuration via network/EthernetConfig documents.
Current status of the interface can be read by talosctl get ethernetstatus.

Machine Install Extensions

.machine.install.extensions will have no effect starting from Talos 1.10, the machine config document field is still kept so upgrades from older versions are possible.
Use Boot Assets instead.

Extra Kernel Args

Talos 1.10 on fresh install on UEFI systems will now use systemd-boot and UKIs (Unified Kernel Images)[https://uapi-group.org/specifications/specs/unified_kernel_image/].
This means the kernel command line arguments are part of the UKI and cannot be modified without an upgrade to a new UKI.

Upgrades to Talos 1.10 will preseve the existing bootloader (GRUB for non-secureboot) and sd-boot for Secureboot and this change will have no effect.

To build a boot asset with extra kernel arguments whether an installer or a boot image use either Image Factory or
Imager.

This means kernel arguments not part of the UKI will not be preserved across updates and a proper installer image generated via Imager Factory or Imager is required.

Ingress Firewall

Talos Ingress Firewall now filters access to Kubernetes NodePort services correctly.

iSCSI Initiator

Talos now generates /etc/iscsi/initiatorname.iscsi file based on the node identity which is tied to the lifecycle of the node.
If using iscsi-tools extension, starting with Talos 1.10 would have a more deterministic IQN for the initiator node.
Make sure to update any iSCSI targets to use the new initiator IQN.

The iqn can be read by talosctl read /etc/iscsi/initiatorname.iscsi

ISO

Talos starting with 1.10 will have ISO's that will use GRUB only for legacy BIOS and systemd-boot for modern UEFI systems.

kube-apiserver Authorization Config

When using .cluster.apiServer.authorizationConfig the user provided order for the authorizers is honoured and Node and RBAC authorizers are always added to the end if not explicitly specified.

Eg: If user provides only Webhook authorizer, the final order will be Webhook, Node, RBAC.

To provide a specific order for Node or RBAC explicitly, user can provide the authorizer in the order they want.

Eg:

cluster:
  apiServer:
    authorizationConfig:
      - type: Node
        name: Node
      - type: Webhook
        name: Webhook
        webhook:
          connectionInfo:
            type: InClusterConfig
        ...
      - type: RBAC
        name: rbac

Usage of authorization-mode CLI argument will not support this form of customization.

NVMe NQN

Talos now generates /etc/nvme/hostnqn and /etc/nvme/hostid files based on the node identity which is tied to the lifecycle of the node.

The NQN can be read by talosctl read /etc/nvme/hostnqn

Fully bootstrapped builds

Talos 1.10 is built with a toolchain based on [Stageˣ], which is a project building fully bootstrapped software.
This change increases reproducibility, auditability and security of Talos builds.

This also changes Talos root filesystem structure for unified /usr, with other directories symlinking to /usr/bin and /usr/lib.
System extensions must move their directories accordingly for 1.10.

Component Updates

• Linux: 6.12.19
• CNI plugins: 1.6.2
• runc: 1.2.6
• containerd: 2.0.4
• etcd: 3.5.20
• Flannel: 0.26.4
• Kubernetes: 1.33.0-beta.0

Talos is built with Go 1.24.1.

Contributors

• Andrey Smirnov
• Noel Georgi
• Dmitry Sharshakov
• Dmitriy Matrenichev
• Dmitrii Sharshakov
• Joakim Nohlgård
• 459below
• Enrique Hernández Bello
• Justin Garrison
• Mathspy
• Nico Berlee
• Skyler Mäntysaari
• Utku Ozdemir
• ihelmer07
• Adam Cirillo
• Alex Lubbock
• Alexis La Goutte
• Andrew Longwill
• Andrew Symington
• Artem Chernyshev
• Cazmill13
• Christian Luetke-Stetzkamp
• Christoph Hoopmann
• Dennis
• Devin Buhl
• Dominik Masur
• Ermeikin Sergei
• Florian Grignon
• Gabe Alford
• Ganawa Juanah
• Jason Benedicic
• Joakim Nohlgård
• Josef
• K Birt
• KillianCdP
• L.J. Hanson
• Louis SCHNEIDER
• Marcel Hamer
• Mikhail Petrov
• Motte
• Natalie Romana Albers
• Omar
• Orzelius
• PRIHLOP
• Ram
• Robin Elfrink
• Ryan Jacobs
• Serge Logvinov
• Shaderbug
• Stepan Rabotkin
• Thomas Gosteli
• Tim Olson
• Tine Jozelj
• Tobias Kohlbau
• TomyLobo
• Valtteri Huuskonen
• bzub
• greenpsi
• jvanthienen
• mehlc
• pphysch
• sflotat2607
• suse-coder

Changes

271 commits

• 80e321653 release(v1.10.0-alpha.3): prepare release
• a834219ac chore: update dependencies
• 857779b90 docs: clarify custom CA certificate with KMS STATE encryption
• 39ed45ae6 docs: add information about Cilium exclusive CNI
• 087a85f40 feat: support running with SELinux enforcing
• d4aacb0d8 refactor: mount operation for STATE and user disks
• 44f3c7248 fix: kata extension
• 7ca5ab5e9 fix: shrink installer and imager images
• ea0994cfe fix: kexec with smbios type 11 string
• 8e20a5d28 fix: pass /usr/etc/in-container to apid, trustd and extension containers
• 9b9512ba8 feat: update Linux 6.12.19, containerd 2.0.4
• 433b0237b fix: correct structprotogen example
• 6e68a522a chore: fix conformance artifact name
• f592730d9 fix(ci): fix image cache test
• cc6c714ce feat: add Tegra modules to initrd
• 81d1fe0f8 fix: add missing TOOLS_PREFIX for WITH_DEBUG_SHELL builds
• 3e38bf6d4 fix: ignore missing config (nocloud) via cidata
• 27a4486a8 docs: fix typo cluser -> cluster
• ac79b1ea0 feat: pull in Intel STTMAC network drivers
• 9bb5c060c chore: bump go-kubernetes
• 2b8e08234 feat: deprecate .machine.install.extensions
• b7446372b docs: add documentation on unofficial SBC forks
• 9bec765c4 feat: talosctl kubeconfig write to stdout option
• 11ebb1078 fix: kexec when using sd-boot
• 61f1a32d2 test: allocate more resources for conformance runs
• b8b7b83f8 chore: extraKernelArgs validation for UKI's
• e2df0c6d3 docs: update siderolink.md
• f9b14e784 fix: reconnect on SideroLink tunnel on/off change
• 29f7b3bf3 test(ci): use k8s websocket executor for tests
• 9531c1c6d fix(ci): image-cache cron
• 90abdc489 feat: update Kubernetes to 1.33.0-beta.0
• 9a5914048 refactor: ephemeral mount
• e4fb1c06a docs: update for predictable interface naming
• 729fce306 feat: update Linux to 6.12.18
• b4d2e1c3c fix: typo in machinery CloudPlatforms
• 7e0475488 fix: qemu: archive cluster logs only after stopping VMs
• dab30a8b9 fix: ensure no goroutines escape in dns controller
• fce824e2f fix: change from "init6" to "inet6" in docs
• f51ebd1bc chore: fix the mount cache ids in the Dockerfile
• 4365aecbd test: use standard installer for e2e-iso
• 431178327 feat: update Kubernetes to v1.33.0-alpha.3
• 1259345e4 fix(ci): image-cache cron
• 18871a7eb chore: tidy labeled-squashfs.sh
• d45259f89 feat: update Flannel to 0.26.5
• e83ef0e2e docs: update proxmox.md
• 3def5f9a6 feat: update etcd to 3.5.19
• c3c0d2e42 test: fix dns test in race mode
• 17965c32f chore: update Go to 1.24.1
• 1fbb2d1a7 docs: update nvidia-gpu-proprietary.md
• d60972bdf chore: add installer-base to the list of signed images
• ab6cb3dfa chore: disable azure upload
• 2355218e4 release(v1.10.0-alpha.2): prepare release
• d4e3e957c fix(ci): fix integration tests
• 1849b5388 feat: update dependencies
• 88fc6bbeb test: fix UKI preserving talos.config and image cache
• ba8cd304d test: enable image-cache in the cron
• 28b5dc738 test: fix reproduciblity test
• 50998038b feat: prefer sd-boot for UEFI
• e831e52e0 feat: add support for qla2xx
• ec5c049a5 feat: update Kubernetes to 1.33.0-alpha.2
• ebfa82f35 docs: update deprecated command
• d79059a2c chore: fix shutdown typo in shutdown sequence
• a3f88d2ef fix: block NodePort services with ingress firewall
• fd8131cb8 feat: generate unified installer
• ebfdb91b4 fix: handle dynamic HTTP proxy settings for discovery client
• d45eaeb74 fix: correctly map link names/aliases when using VIP operator
• 7c4e47c0c chore: stop doing generate on each build
• b1d410cb6 feat: dual boot disk image
• 468e318ba fix: multiple fixes for dashboard/no data
• 3dd8d9aed docs: update resetting-a-machine.md to include example of reset
• 7af8f6b2f feat: validate docker image references in upgrade options
• c949f55e6 docs: remove typo on resetting a machine page
• f5c097041 feat: add description to schema object defs
• 79ee304e1 chore: update enumer to a version that fixes Go 1.24 compatibility
• 46d67fe44 chore: update Go to 1.24, update pkgs
• 7f1dd2669 fix(ci): fix integration-misc crons
• 26a773d3f docs: add a note about syslog sending messages to services
• 7ce053638 fix: ignore digest part of images when checking version
• ae1b00354 feat: support noclooud instance-id from dmi
• 58661dea7 docs: update getting-started.md
• 94cf9fb84 chore: fix spurious generate failures
• 32a34791e fix: typo in Makefile target talosctl-freebsd-arm64
• 1b4464c8a feat: update Kubernetes to 1.32.2
• 9463ac23e fix: make ingress firewall filter traffic to nodeports
• 8531d91a1 fix: blockdevice transport detection
• ce616d93a fix: path for ca-certificates
• f35b58779 fix: fix diff printing
• bf0f910a1 chore: provide more logging for dns requests
• 607998ba2 feat: support uki profiles via imager
• 711cf2d99 fix: ignore errors to stop pods
• 142d75483 fix: handle empty registry config
• 47f377b21 feat: implement the last ethtool feature - channels
• 88cf69b8c feat: multi profile UKIs
• 557faad75 feat: update Linux to 6.12.13
• 5dbf9e350 refactor: implement volume mount controller
• aa11e9abb fix: make image cache volume management less strict
• 26a62e342 docs: fix typo in Wireguard docs
• 0419f5d8b feat: implement features in ethtool-like support
• cd66fc6e8 feat: use bootstrapped packages for building Talos
• 2b5bd5d1d chore: upgrade siderolabs/go-loadbalancer
• 15191aa3e fix: extract cmdline multi profile UKIs
• 716f700da feat: provide initial support for ethtool configuration
• b726e2f9f feat: update Flannel to 0.26.4
• 98d56d4d6 chore: track opened grpc connections
• 5e28c8e03 fix: image cache volume provisioning
• c9667813d chore: remove containerd importer
• 270ffb69a fix: duplicate qemu drive ids
• 71ec41be1 fix: build of Talos on non-Linux host
• e2aa7c98c fix: installer with SecureBoot should contain UKIs
• 6e22c06c3 release(v1.10.0-alpha.1): prepare release
• 3a2d9867b fix: do not close client.Client.conn with finalizer
• 73f30ff25 feat: bump pkgs for udev update
• aea90cb8f docs: update hyper-v
• b7165615f fix: use local NTP for AWS platform
• 673ca4bcb fix: ensure proper closure of client.Client.conn with finalizer
• 19040ffd6 fix: handle of PE sections with duplicate names
• 83489d348 docs: add note about vmxnet and flannel conflict
• f1292f5e7 docs: add iscsi-tools extension to prerequisites
• 93b4a3740 test: bump timeout on rotate CA test
• 42e166984 feat: support kexec from uki
• 8da264946 docs: add Orange Pi 5 to Image Factory platforms and documentation
• c5fb62e2e feat: update Linux to 6.2.11
• 83d007c16 feat: update etcd to 3.5.18
• edf7c3288 fix: pe uki extract
• 70f72c5b0 docs: update multus.md
• 807a3cd29 refactor: all network merge controllers
• ec8c4660e docs: update vmware.md
• baf81cd49 fix(ci): k8s integration suite wait for resource
• cd5e54903 feat: generate iso's with both UKI and grub
• 75673b6a3 feat: provide stable symlinks in disk resources
• f407c88e4 fix(ci): wait for longhorn node resource
• 601cdccb9 feat: extract kernel/initrd from uki for grub
• ff175b9fb docs: update disk-encryption.md
• a8d84e315 docs: fix typos and add more explanations in docs
• 3a384240e fix: invalid date field in iqn/nqn
• 82c9ec158 chore(ci): add tests with longhorn v2 engine
• 689ea1dbf fix: bring back disk UUID
• 7a712fad2 fix: disks with 4k sector size and systemd-boot
• d62a34aaf feat: update tools/pkgs/extras
• b9a8ad6ac chore: de-hardcode list of extra images for image-cache test
• 683153a33 docs: remove the last mentions of preserve flag for Talos 1.8+
• 33c7f4195 docs: fix typo an MacOS to on MacOS
• 21cff3919 chore(ci): fio benchmark results as separate artifacts
• 0b7fc7cdf fix: abort node watch on hostname change
• 99ba53941 docs: remove the mention of preserve flag for Talos 1.8+
• bde516fde chore(ci): rework iscsi-tools extensions test
• e1efbf656 refactor: extract platform metadata into Talos machinery
• 79987c05d feat: generate iqn and nqn files
• 0cab6ed17 docs: update troubleshooting.md
• 921e10254 chore: update Go to 1.23.5
• 399d53b54 fix: ignore forbidden error when waiting for pod eviction
• 8dea57a81 fix: make etc binds read-only
• 63157dcb4 docs: update SideroLinkConfig example
• fc7080e34 chore: clear cache after updating upstreams
• 51e0f273f docs: update documentation for Talos 1.9.2
• e06b14112 feat: update Kubernetes to 1.32.1
• 4310b290d fix: generate UKI only if actually needed
• a8cd99102 docs: update OpenEBS Mayastor installation
• cf45f4764 docs: add Radxa ROCK 5B docs to Single Board Computer section
• b21bdc5e5 chore(ci): save csi tests fio results
• 01c86832c chore(ci): add test for OpenEBS MayaStor
• c77483510 test: update talosctl debug air-gapped
• ddd695d93 feat: update containerd to 2.0.2
• da2e81120 fix: add informer resync period for node status watcher
• 9b957df64 chore: uki code restructure
• e41a99525 fix: kube-apiserver authorizers order
• db4ca5668 feat: add a kernel parameter to disable built-in auditd
• faa149003 feat: update Linux to 6.12.9
• 8de19758d fix: a couple of imager panics/crashes
• 5bc3e34cb fix: detect GPT before ZFS
• ed7e47d15 refactor: drop usage of objcopy to generate UKIs
• edf5c5e29 fix: extfs repair and resize
• 6e32ea5b7 fix: merge of VolumeConfig documents with sizes
• 1be5f8ff2 feat: update Linux to 6.12.8
• e6a4583ba feat: support generating unsigned UKIs
• bbd6067d4 fix: partition alignment on disks with 4k sectors
• 84fcc976f fix: yet another dashboard panic
• 6d605fc85 fix: disable NRI plugin in a different way
• 499695e24 fix: request previous IP address in discovery
• cc84caf8c docs: update Cilium documentation
• fa5300d91 chore: revert: drop deprecated allowSchedulingOnMasters
• 0abb3dabf docs: fix command to wait for ceph-rook HEALTH_OK
• 32c67c27c chore: drop deprecated allowSchedulingOnMasters
• ae6d065be fix: mount selinuxfs only when SELinux is enabled
• 5ccbf4bcd feat: enable configfs
• 59582496d feat: bring in partity with sd-257
• 83d84a831 chore(ci): better zfs checks
• 650eb3a4f refactor: rewrite cloud uploader to use AWS SDK Go v2
• 01bf8449b fix: update field name for bus path disk selector
• e915c98d5 fix: exclude disks with empty transport for disk selector
• b7a7fdc4b refactor: generate /etc/os-release file static way
• e79c9e127 chore(ci): drop equinix metal e2e-test
• 418945444 fix: build of talosctl on non-Linux platforms
• 4761a9e6a chore: update dependencies
• f98efb333 fix: ignore member not found error on leave cluster
• b72bda0a4 fix: talosctl support and race tests
• 27233cf0f test: use node informer instead of raw watch
• 5dc15e8db fix: update go-blockdevice to v2.0.9
• 5f3acd0f2 fix: use correct default search domain
• 7e5d36d46 fix: pci driver rebind config validation
• 4b97bbc3f fix: pull in containerd CNI deadlock fix
• 066480722 test: fix apparmor tests
• 82ea44a6b fix: reduce installer image
• 78b3e7f4f fix: get next rule number for IPv6 in the appropriate chain
• 675854aa0 docs: fix two typos
• f70b7386a test: add a xfs makefs test
• 8212e4864 refactor: use quirks in kernel args
• b4aa5189d release(v1.10.0-alpha.0): prepare release
• bd85bd5b7 fix: fix Failed to initialize SELinux labeling handle udev error
• 73c82e3e5 feat: bring Linux 6.12.6, CNI plugins 1.6.1
• c12b52491 docs: document Kubernetes service registry incompat with K8s 1.32
• a5660ed77 feat: pcirebind controller
• 4c3261626 docs: fix several typos
• fb3675321 fix: dashboard crash on CPU data
• dec0185c8 chore: reduce memory usage for secureboot functions
• cee6c60a0 fix: make talosctl time work with PTP time sync
• f75604313 chore: support gcr.io auth for cache and image gen
• 6ef2596da docs: improve Hetzner documentation
• 7d39b9ec2 feat: remove cgroupsv1 in non-container mode
• 8003536c7 fix: restore previous disk serial fetching
• 03116ef9b chore: prepare for Talos 1.10
• 00682fdd6 docs: activate 1.9 docs as default
• bea05f5c9 docs: update deploying-cilium.md
• 284ab1179 feat: support link altnames/aliases
• 5bfd829bf docs: fix 'containter' typo
• 8d151b771 docs: clarify TALOSCONFIG for AWS
• 0ef19171f fix: renovate typo
• c568adc7d fix: renovate config
• ec2e24fd9 fix: match MAC addresses case-insensitive (nocloud)
• 41a0c440a chore: rekres for renovate changes
• a49bb9ee4 feat: update Linux to 6.12.5
• b15917ecc chore: add more debugging logs for META and volumes
• 2b1b326f0 docs: mention different paths for OpenEBS
• 9470e842f test: cleanup failed Kubernetes pods
• c9c685150 fix: node identity flip
• 590c01657 feat: update containerd to v2.0.1
• 18fa5a258 docs: update image-cache doc for iso
• ab5bb6884 fix: generate and serve registries with port
• 58236066d fix: support image cache on VFAT USB stick
• e193a5071 fix: image cache integration test
• 08ee400fd test: fix flaky test NodeAddressSort
• d45e8d1d1 feat: update Kubernetes to 1.32.0
• 136b12912 chore: drop semicolon for supporting vfat filesystems
• 3e9e027ef test: add an option to boot from an USB stick
• ef8c3e3b3 docs: fix typo in multus.md
• d54414add fix: authorization config gen
• cce72cfe8 docs: replace deprecated Hetzner server plans
• 81805103d chore: enable proper parallel usage of TestDepth
• e1b824eba docs: update ceph-with-rook.md
• 470b75563 fix: use mtu network option for podman
• 61b1489a0 fix: order volume config by the requested size
• bc3039acd feat: update runc to 1.2.3
• 30016a0a8 fix: avoid nil-pointer-panic in RegistriesConfigController
• fe0457152 fix: power on the machine on reboot request in qemu power api
• 10da553ef docs: build what's new for 1.9
• d946ccae3 feat: update Linux to 6.12.4
• 707a77bf6 test: fix user namespace test, TPM2 fixes
• c3537b2f5 feat: update Linux to 6.12.3
• cb4d9d673 docs: fix a few mistakes in release notes
• c4724fc97 chore: add integration tests for image-cache
• 07220fe7f fix: install iptables-nft to the host
• 14841750b chore: add version compatibility for Talos 1.10
• 852baf819 feat: support vlan/bond in v1, vlan in v2 for nocloud
• dd61ad861 fix: lock provisioning order of user disk partitions
• d0773ff09 chore: update Go to 1.23.4
• 7d6507189 feat: implement new address sorting algorithm
• 9081506d6 feat: add process scheduling options
• 77e9db4ab test: use two workers in qemu tests by default
• 5a4bdf62a feat: update Kubernetes to 1.32.0-rc.1
• d99bcc950 chore: refactor mergeDNSServers func
• 0cde08d8b docs: add Turing RK1 docs to Single Board Computer section

Changes since v1.10.0-alpha.2

50 commits

• 80e321653 release(v1.10.0-alpha.3): prepare release
• a834219ac chore: update dependencies
• 857779b90 docs: clarify custom CA certificate with KMS STATE encryption
• 39ed45ae6 docs: add information about Cilium exclusive CNI
• 087a85f40 feat: support running with SELinux enforcing
• d4aacb0d8 refactor: mount operation for STATE and user disks
• 44f3c7248 fix: kata extension
• 7ca5ab5e9 fix: shrink installer and imager images
• ea0994cfe fix: kexec with smbios type 11 string
• 8e20a5d28 fix: pass /usr/etc/in-container to apid, trustd and extension containers
• 9b9512ba8 feat: update Linux 6.12.19, containerd 2.0.4
• 433b0237b fix: correct structprotogen example
• 6e68a522a chore: fix conformance artifact name
• f592730d9 fix(ci): fix image cache test
• cc6c714ce feat: add Tegra modules to initrd
• 81d1fe0f8 fix: add missing TOOLS_PREFIX for WITH_DEBUG_SHELL builds
• 3e38bf6d4 fix: ignore missing config (nocloud) via cidata
• 27a4486a8 docs: fix typo cluser -> cluster
• ac79b1ea0 feat: pull in Intel STTMAC network drivers
• 9bb5c060c chore: bump go-kubernetes
• 2b8e08234 feat: deprecate .machine.install.extensions
• b7446372b docs: add documentation on unofficial SBC forks
• 9bec765c4 feat: talosctl kubeconfig write to stdout option
• 11ebb1078 fix: kexec when using sd-boot
• 61f1a32d2 test: allocate more resources for conformance runs
• b8b7b83f8 chore: extraKernelArgs validation for UKI's
• e2df0c6d3 docs: update siderolink.md
• f9b14e784 fix: reconnect on SideroLink tunnel on/off change
• 29f7b3bf3 test(ci): use k8s websocket executor for tests
• 9531c1c6d fix(ci): image-cache cron
• 90abdc489 feat: update Kubernetes to 1.33.0-beta.0
• 9a5914048 refactor: ephemeral mount
• e4fb1c06a docs: update for predictable interface naming
• 729fce306 feat: update Linux to 6.12.18
• b4d2e1c3c fix: typo in machinery CloudPlatforms
• 7e0475488 fix: qemu: archive cluster logs only after stopping VMs
• dab30a8b9 fix: ensure no goroutines escape in dns controller
• fce824e2f fix: change from "init6" to "inet6" in docs
• f51ebd1bc chore: fix the mount cache ids in the Dockerfile
• 4365aecbd test: use standard installer for e2e-iso
• 431178327 feat: update Kubernetes to v1.33.0-alpha.3
• 1259345e4 fix(ci): image-cache cron
• 18871a7eb chore: tidy labeled-squashfs.sh
• d45259f89 feat: update Flannel to 0.26.5
• e83ef0e2e docs: update proxmox.md
• 3def5f9a6 feat: update etcd to 3.5.19
• c3c0d2e42 test: fix dns test in race mode
• 17965c32f chore: update Go to 1.24.1
• 1fbb2d1a7 docs: update nvidia-gpu-proprietary.md
• d60972bdf chore: add installer-base to the list of signed images

Changes from siderolabs/crypto

1 commit

• siderolabs/crypto@0d45dee chore: bump deps

Changes from siderolabs/discovery-api

1 commit

• siderolabs/discovery-api@64513a6 feat: rekres, regenerate proto files

Changes from siderolabs/discovery-client

1 commit

• siderolabs/discovery-client@b3632c4 feat: support extra dial options in the client

Changes from siderolabs/extras

7 commits

• siderolabs/extras@c201b87 feat: update dependencies
• siderolabs/extras@4102a78 feat: build hermetically using new bldr and pkgs
• siderolabs/extras@f4a110f fix: build tc-redirect-tap as static binary
• siderolabs/extras@0840abb fix: pull in fixed CNI plugins from pkgs
• siderolabs/extras@52c217f feat: update dependencies
• siderolabs/extras@f755eb4 chore: rekres to simplify .kres.yaml defaults
• siderolabs/extras@e5382fc chore: kresify renovate

Changes from siderolabs/gen

1 commit

• siderolabs/gen@5ae3afe chore: update hashtriemap implementation from the latest upstream

Changes from siderolabs/go-circular

2 commits

• siderolabs/go-circular@015a398 fix: replace static buffer allocation on growth
• siderolabs/go-circular@ed8685e test: add more assertions for write length result

Changes from siderolabs/go-debug

1 commit

• siderolabs/go-debug@ea108ca chore: add support for Go 1.24

Changes from siderolabs/go-kubeconfig

1 commit

• siderolabs/go-kubeconfig@cc42d09 chore: rekres and update

Changes from siderolabs/go-kubernetes

3 commits

• siderolabs/go-kubernetes@9ba5654 fix: fix ignoring alpha/beta version parsing
• siderolabs/go-kubernetes@0fe1db4 feat: update for new changes in Kubernetes 1.33.0-alpha.3
• siderolabs/go-kubernetes@804cb44 feat: add support for Kubernetes to 1.33

Changes from siderolabs/go-loadbalancer

1 commit

• siderolabs/go-loadbalancer@589c33a chore: upgrade upstream.List and loadbalancer.TCP to Go 1.23

Changes from siderolabs/go-pointer

1 commit

• siderolabs/go-pointer@347ee9b chore: rekres, update dependencies

Changes from siderolabs/go-talos-support

1 commit

• siderolabs/go-talos-support@0f784bd fix: avoid deadlock on context cancel

Changes from siderolabs/pkgs

69 commits

• siderolabs/pkgs@55d99ea feat: update dependencies
• siderolabs/pkgs@668d25b fix: trim qemu-tools
• siderolabs/pkgs@143f50d feat(containerd): provide ctr as part of the build
• siderolabs/pkgs@990a9e8 feat: update Linux 6.12.19, Linux firmware 20250311
• siderolabs/pkgs@9af76d3 feat: update containerd 2.0.4, runc 1.2.6
• siderolabs/pkgs@5a0d262 feat: add CONFIG_DWMAC_DWC_QOS_ETH to arm64 config
• siderolabs/pkgs@9e9a817 feat(kernel): add support for intel based edge device
• siderolabs/pkgs@4d4aaad fix: patch containerd with restart fix
• siderolabs/pkgs@dbdeff4 feat: enable kernel drivers for tegra194, tegra234 SoCs
• siderolabs/pkgs@499e56f feat(kernel): enable v3d as kernel module
• siderolabs/pkgs@988ec60 feat: add intel pmt/pmc
• siderolabs/pkgs@8e2c6d8 feat: update Linux to 6.12.18
• siderolabs/pkgs@5246c32 feat(kernel): add -@ to dtc flags for arm64 to enable overlay support
• siderolabs/pkgs@068171e chore: unify buildkits
• siderolabs/pkgs@a4ac508 feat: add panfrost kernel module
• siderolabs/pkgs@5d6ca21 fix: backport MGLRU patch from Linux 6.13
• siderolabs/pkgs@1d84473 feat: update dependencies
• siderolabs/pkgs@831bc76 feat(kernel): enable TPM SPI support in kernel config for arm64
• siderolabs/pkgs@023f092 feat: enable nfsd support in the kernel
• siderolabs/pkgs@347ad26 feat: update Linux 6.12.17, containerd 2.0.3
• siderolabs/pkgs@40241af feat: enable qla2xxx module
• siderolabs/pkgs@6fb00b4 fix: pull in kmod from tools
• siderolabs/pkgs@cc5317a fix: patch Linux with blackhole patch
• siderolabs/pkgs@08389dd chore: support vmdk and cp format for qemu-img
• siderolabs/pkgs@7774b08 feat: update Linux to 6.12.16, validate package structure
• siderolabs/pkgs@40d288c fix: imager deps
• siderolabs/pkgs@351a1a1 feat: add tools needed for imager
• siderolabs/pkgs@80351ca fix: reproducibility tests
• siderolabs/pkgs@e1f11f0 fix: remove patches and other files from copy-only packages
• siderolabs/pkgs@8fff06b chore: bump xfsprogs to 6.12.0
• siderolabs/pkgs@76a0316 chore: systemd 257.3, runc 1.2.5, ipxe
• siderolabs/pkgs@359807b feat: copy built packages, improve hermetic build
• siderolabs/pkgs@117a1d6 feat: update Linux to 6.12.13
• siderolabs/pkgs@85f8901 feat: make pkgs build bootstrapped
• siderolabs/pkgs@5763e3e feat: update systemd to 257.2
• siderolabs/pkgs@1e24b31 feat: update Linux to 6.12.11
• siderolabs/pkgs@38749d1 fix: build CNI plugins statically linked
• siderolabs/pkgs@5da83db feat: bump NVIDIA driver versions
• siderolabs/pkgs@5934363 fix: certificates CA
• siderolabs/pkgs@57f492d feat: bump dependencies
• siderolabs/pkgs@45b9ebe feat: update Linux to 6.2.10
• siderolabs/pkgs@e00ad67 chore: rekres to fix reproducibility build
• siderolabs/pkgs@cfb4b0a feat: update Go to 1.23.5
• siderolabs/pkgs@72f19a2 feat: update containerd to v2.0.2
• siderolabs/pkgs@17a80ee feat: update Linux to 6.12.9
• siderolabs/pkgs@c9d718d fix: adjust kernel options around ACPI/PCI/EFI
• siderolabs/pkgs@eb9d566 feat: update Linux to 6.12.8
• siderolabs/pkgs@73e4353 fix: update config-arm64 to add Rasperry Pi watchdog support
• siderolabs/pkgs@0ab2427 fix: dvb was missing I2C_MUX support and si2168 driver
• siderolabs/pkgs@c3ac8e2 chore: drop unused cert copy
• siderolabs/pkgs@e7eddcf feat: bump dependencies
• siderolabs/pkgs@0b00e86 fix: patch containerd with CNI deadlock fix
• siderolabs/pkgs@9051c9a feat: update Linux to 6.12.6
• siderolabs/pkgs@6695012 chore: rekres to simplify .kres.yaml defaults
• siderolabs/pkgs@611ca38 chore: rekres to bring renovate under kres
• siderolabs/pkgs@a4c4215 fix: drop cgroupsv1 controllers
• siderolabs/pkgs@28c909d feat: update Linux firmware to 20241210
• siderolabs/pkgs@c40a9e9 feat: update Linux to 6.12.5
• siderolabs/pkgs@d54ca83 feat: update containerd to v2.0.1
• siderolabs/pkgs@86e3755 fix: add CONFIG_INTEL_MEI_GSC_PROXY as module
• siderolabs/pkgs@8c31321 feat: update ZFS to 2.2.7
• siderolabs/pkgs@605f493 feat: update runc to v1.2.3
• siderolabs/pkgs@1a55529 feat: update Linux to 6.12.4
• siderolabs/pkgs@52ba9a5 feat: update Linux 6.12.3
• siderolabs/pkgs@9cf35be feat: build host iptables with nftables support
• siderolabs/pkgs@71003a3 feat: update Go to 1.23.4
• siderolabs/pkgs@5b4d402 feat: build dvb kernel modules and CX23885
• siderolabs/pkgs@b330af9 chore: bring in KSPP recommendations
• siderolabs/pkgs@f81b190 feat: kernel driver support for RK3588 devices (Turing RK1)

Changes from siderolabs/proto-codec

1 commit

• siderolabs/proto-codec@3235c29 chore: bump deps

Changes from siderolabs/siderolink

2 commits

• siderolabs/siderolink@a7af143 feat: support packets filtering before writing them to the tun device
• siderolabs/siderolink@38e459e chore: bump deps

Changes from siderolabs/tools

24 commits

• siderolabs/tools@6d456ca fix: revert util-linux to 2.40.4
• siderolabs/tools@5bba094 feat: update dependencies
• siderolabs/tools@eeb1f9d fix: revert swig update
• siderolabs/tools@6b082a6 chore: unify buildkits
• siderolabs/tools@87acb27 feat: update dependencies
• siderolabs/tools@fcee25b fix: revert kmod to 33
• siderolabs/tools@6a71711 fix: do not install man and locale for exported packages
• siderolabs/tools@3389ba2 chore: move zlib to be an external package
• siderolabs/tools@d93b780 chore: expose more tools
• siderolabs/tools@46be459 chore: remove systemd version
• siderolabs/tools@f33fbe4 fix: install policycoreutils under correct prefix
• siderolabs/tools@758d61c chore: update dependencies
• siderolabs/tools@f398a04 chore: update dependencies, hermetic build
• siderolabs/tools@9db33dd feat: update to Go 1.23.6
• siderolabs/tools@ef0a679 fix: do not install anything to /usr/lib64
• siderolabs/tools@35748ea feat: fully bootstrapped build
• siderolabs/tools@7200845 feat: update dependencies
• siderolabs/tools@bc30a2a feat: update Go to 1.23.5
• siderolabs/tools@533b595 chore: rekres to fix reproducibility
• siderolabs/tools@01568a5 chore: use Make and Go from the toolchain image
• siderolabs/tools@0393558 feat: bump dependencies
• siderolabs/tools@7811a5f chore: rekres to simplify .kres.yaml defaults
• siderolabs/tools@0b8b905 chore: kresify renovate config
• siderolabs/tools@fe34fb3 feat: update Go to 1.23.4

Dependency Changes

• cloud.google.com/go/compute/metadata v0.5.2 -> v0.6.0
• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 -> v1.17.1
• github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 -> v1.8.2
• github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v1.3.0 -> v1.3.1
• github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.0 -> v1.3.1
• github.com/aws/aws-sdk-go-v2/config v1.28.5 -> v1.29.9
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 -> v1.16.30
• github.com/aws/aws-sdk-go-v2/service/kms v1.37.6 -> v1.38.1
• github.com/aws/smithy-go v1.22.1 -> v1.22.3
• github.com/containerd/cgroups/v3 v3.0.4 -> v3.0.5
• github.com/containerd/containerd/v2 v2.0.1 -> v2.0.4
• github.com/containerd/platforms v1.0.0-rc.0 -> v1.0.0-rc.1
• github.com/containernetworking/plugins v1.6.0 -> v1.6.2
• github.com/cosi-project/runtime v0.7.6 -> v0.10.1
• github.com/docker/cli v27.3.1 -> v28.0.2
• github.com/docker/docker v27.3.1 -> v28.0.2
• github.com/elastic/go-libaudit/v2 v2.6.1 -> v2.6.2
• github.com/florianl/go-tc v0.4.4 -> v0.4.5
• github.com/foxboron/go-uefi fab4fdf2f2f3 -> 69fb7dba244f
• github.com/gdamore/tcell/v2 v2.7.4 -> v2.8.1
• github.com/google/cadvisor v0.51.0 -> v0.52.1
• github.com/google/cel-go v0.22.1 -> v0.24.1
• github.com/google/go-containerregistry v0.20.2 -> v0.20.3
• github.com/google/go-tpm v0.9.1 -> v0.9.3
• github.com/google/nftables v0.2.0 -> v0.3.0
• github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 -> v2.3.1
• github.com/hetznercloud/hcloud-go/v2 v2.17.0 -> v2.20.1
• github.com/insomniacslk/dhcp a3a4c1f04475 -> 8abf58130905
• github.com/klauspost/compress v1.17.11 -> v1.18.0
• github.com/klauspost/cpuid/v2 v2.2.9 -> v2.2.10
• github.com/mdlayher/netlink v1.7.2 -> fbb4dce95f42
• github.com/mdp/qrterminal/v3 v3.2.0 -> v3.2.1
• github.com/miekg/dns v1.1.62 -> v1.1.64
• github.com/opencontainers/image-spec v1.1.0 -> v1.1.1
• github.com/opencontainers/runc v1.2.2 -> v1.2.6
• github.com/opencontainers/runtime-spec v1.2.0 -> v1.2.1
• github.com/prometheus/procfs v0.15.1 -> v0.16.0
• github.com/rivo/tview c76f7879f592 -> 73a5bd7d6839
• github.com/safchain/ethtool v0.5.9 -> v0.5.10
• github.com/scaleway/scaleway-sdk-go v1.0.0-beta.30 -> v1.0.0-beta.32
• github.com/siderolabs/crypto v0.5.0 -> v0.5.1
• github.com/siderolabs/discovery-api v0.1.5 -> v0.1.6
• github.com/siderolabs/discovery-client v0.1.10 -> v0.1.11
• github.com/siderolabs/extras v1.9.0 -> v1.10.0-alpha.0-4-gc201b87
• github.com/siderolabs/gen v0.7.0 -> v0.8.0
• github.com/siderolabs/go-blockdevice/v2 v2.0.7 -> v2.0.16
• github.com/siderolabs/go-circular v0.2.1 -> v0.2.2
• github.com/siderolabs/go-debug v0.4.0 -> v0.5.0
• github.com/siderolabs/go-kubeconfig v0.1.0 -> v0.1.1
• github.com/siderolabs/go-kubernetes v0.2.17 -> v0.2.20
• github.com/siderolabs/go-loadbalancer v0.3.4 -> v0.4.0
• github.com/siderolabs/go-pointer v1.0.0 -> v1.0.1
• github.com/siderolabs/go-talos-support v0.1.1 -> v0.1.2
• github.com/siderolabs/pkgs v1.9.0-12-g9576b97 -> v1.10.0-alpha.0-68-g55d99ea
• github.com/siderolabs/proto-codec v0.1.1 -> v0.1.2
• github.com/siderolabs/siderolink v0.3.11 -> v0.3.13
• github.com/siderolabs/talos/pkg/machinery v1.9.0 -> v1.10.0-alpha.3
• github.com/siderolabs/tools v1.9.0-1-geaad82f -> v1.10.0-alpha.0-23-g6d456ca
• github.com/spf13/cobra v1.8.1 -> v1.9.1
• github.com/spf13/pflag v1.0.5 -> v1.0.6
• github.com/thejerf/suture/v4 v4.0.5 -> v4.0.6
• go.etcd.io/etcd/api/v3 v3.5.17 -> v3.5.20
• go.etcd.io/etcd/client/pkg/v3 v3.5.17 -> v3.5.20
• go.etcd.io/etcd/client/v3 v3.5.17 -> v3.5.20
• go.etcd.io/etcd/etcdutl/v3 v3.5.17 -> v3.5.20
• go.uber.org/goleak v1.3.0 new
• golang.org/x/net v0.32.0 -> v0.37.0
• golang.org/x/oauth2 v0.24.0 -> v0.28.0
• golang.org/x/sync v0.10.0 -> v0.12.0
• golang.org/x/sys v0.28.0 -> v0.31.0
• golang.org/x/term v0.27.0 -> v0.30.0
• golang.org/x/text v0.21.0 -> v0.23.0
• golang.org/x/time v0.8.0 -> v0.11.0
• golang.zx2c4.com/wireguard/wgctrl 925a1e7659e6 -> a9ab2273dd10
• google.golang.org/grpc v1.68.1 -> v1.71.0
• google.golang.org/protobuf v1.35.2 -> v1.36.5
• k8s.io/api v0.32.0 -> v0.33.0-beta.0
• k8s.io/apimachinery v0.32.0 -> v0.33.0-beta.0
• k8s.io/apiserver v0.32.0 -> v0.33.0-beta.0
• k8s.io/client-go v0.32.0 -> v0.33.0-beta.0
• k8s.io/component-base v0.32.0 -> v0.33.0-beta.0
• k8s.io/cri-api v0.32.0 -> v0.33.0-beta.0
• k8s.io/kube-scheduler v0.32.0 -> v0.33.0-beta.0
• k8s.io/kubectl v0.32.0 -> v0.33.0-beta.0
• k8s.io/kubelet v0.32.0 -> v0.33.0-beta.0
• k8s.io/pod-security-admission v0.32.0 -> v0.33.0-beta.0
• kernel.org/pub/linux/libs/security/libcap/cap v1.2.72 -> v1.2.75

Previous release can be found at v1.9.0

Images

ghcr.io/siderolabs/flannel:v0.26.5
registry.k8s.io/coredns/coredns:v1.12.0
gcr.io/etcd-development/etcd:v3.5.20
registry.k8s.io/kube-apiserver:v1.33.0-beta.0
registry.k8s.io/kube-controller-manager:v1.33.0-beta.0
registry.k8s.io/kube-scheduler:v1.33.0-beta.0
registry.k8s.io/kube-proxy:v1.33.0-beta.0
ghcr.io/siderolabs/kubelet:v1.33.0-beta.0
ghcr.io/siderolabs/installer:v1.10.0-alpha.3
registry.k8s.io/pause:3.10

---

This discussion was created from the release v1.10.0-alpha.3.

[hkraal]

I tried upgrading a v1.9.4 test node to this release using https://factory.talos.dev/?arch=amd64&cmdline-set=true&extensions=-&extensions=siderolabs%2Fxen-guest-agent&platform=nocloud&target=cloud&version=1.10.0-alpha.3;

talosctl upgrade --image factory.talos.dev/nocloud-installer/53b20d86399013eadfd44ee49804c1fef069bfdee3b43f3f3f5a2f57c03338ac:v1.10.0-alpha.3 --preserve

The machine doesn't come up when booting to 1.10.0-alpha.3 first sign of trouble is the DNS resolve cache but the boot process really stops progressing after starting /sbin/dashboard.

As I noticed that the xen-guest-agent got bumped to 0.5.0-dev I tried upgrading without the xen extension (https://factory.talos.dev/?arch=amd64&board=undefined&cmdline-set=true&extensions=-&platform=nocloud&secureboot=undefined&target=cloud&version=1.10.0-alpha.3) but that yielded the same result.

[hegerdes]

Same just happend to me for a new cluster on hetzner.
Nothing to fancy in the conf, but I was using terraform to generate the conf. Should I open an dedicated issue @smira?

Machine Conf

version: v1alpha1
debug: false
persist: true
machine:
    type: controlplane
    token: xxx
    ca:
        crt: xxx
        key: xxx
    certSANs: [deleted]
    kubelet:
        image: ghcr.io/siderolabs/kubelet:v1.33.0
        extraArgs:
            cloud-provider: external
            rotate-server-certificates: "true"
        extraMounts:
            - destination: /var/openebs/local
              type: bind
              source: /var/openebs/local
              options:
                - rbind
                - rshared
                - rw
        extraConfig:
            failSwapOn: true
            featureGates:
                UserNamespacesPodSecurityStandards: true
                UserNamespacesSupport: true
            maxParallelImagePulls: 8
            maxPods: 220
            nodeStatusMaxImages: 100
            readOnlyPort: 0
            serializeImagePulls: false
            serverTLSBootstrap: true
        defaultRuntimeSeccompProfileEnabled: true
        nodeIP:
            validSubnets:
                - 10.0.0.0/16
                - 2000::/3
        disableManifestsDirectory: true
    network:
        nameservers:
            - 1.1.1.1
            - 1.0.0.1
            - 2606:4700:4700::1111
            - 2606:4700:4700::1001
        extraHostEntries:
            - ip: 10.0.0.10
              aliases: [deleted]
        kubespan:
            enabled: true
    install:
        disk: /dev/sda
        image: ghcr.io/siderolabs/installer:v1.9.2
        wipe: false
    sysctls:
        kernel.pid_max: "4194304"
        kernel.randomize_va_space: "2"
        net.ipv4.icmp_echo_ignore_broadcasts: "1"
        net.ipv4.icmp_ignore_bogus_error_responses: "1"
        net.ipv4.ip_local_port_range: 10240 65535
        net.ipv4.tcp_fastopen: "1"
        net.ipv4.tcp_rfc1337: "1"
        net.ipv4.tcp_syncookies: "1"
        user.max_user_namespaces: "15000"
        vm.nr_hugepages: "1024"
        vm.overcommit_memory: "1"
    features:
        rbac: true
        stableHostname: true
        kubernetesTalosAPIAccess:
            enabled: true
            allowedRoles:
                - os:reader
                - os:etcd:backup
            allowedKubernetesNamespaces:
                - kube-system
                - cluster-autoscaler
        apidCheckExtKeyUsage: true
        diskQuotaSupport: true
        kubePrism:
            enabled: true
            port: 7445
        hostDNS:
            enabled: true
            forwardKubeDNSToHost: true
            resolveMemberNames: true
    nodeLabels:
        openebs.io/engine: mayastor
        pool: talos-controlplane-amd64

[smira]

yes, please, and attach the talosctl support bundle please (if API is available)

[hegerdes]

Okay, I whished I would have created the support bundle before I did a retry. Seems like it is a sporadic issue and now does not trigger anymore. I will definitely try again and if it happens I will created the matching issue. Issue in #10845

[ojsef39]

Just upgraded my controlplane to v1.10.0 and im facing the same issue

[OffBy0x01]

Seeing the same issue on v1.10.0 nocloud + proxmox (8.2.2):

Have gone back to 1.9.5 for time being.