v1.8.0-beta.0

[smira]

Talos 1.8.0-beta.0 (2024-09-09)

Welcome to the v1.8.0-beta.0 release of Talos!
This is a pre-release of Talos

Starting with Talos v1.8.0, only standard assets would be published as github release assets. These include:

• cloud-images.json
• talosctl binaries
• kernel
• initramfs
• metal iso and disk images
• talosctl-cni-bundle

All other release assets can be downloaded from Image Factory.

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Node Annotations

Talos Linux now supports configuring Kubernetes node annotations via machine configuration (.machine.nodeAnnotations) in a way similar to node labels.

Workload Apparmor Profile

Talos Linux can now apply the default AppArmor profiles to all workloads started via containerd, if the machine is installed with the AppArmor LSM enforced via the extraKernelArgs.

Eg:

machine:
    install:
        extraKernelArgs:
            - security=apparmor

Bridge Interface

Talos Linux now support configuring 'vlan_filtering' for bridge interfaces.

Machine Configuration via Kernel Command Line

Talos Linux supports supplying zstd-compressed, base64-encoded machine configuration small documents via the kernel command line parameter talos.config.inline.

CNI Plugins

Talos Linux now bundles by default the following standard CNI plugins:

• bridge
• firewall
• flannel
• host-local
• loopback
• portmap

The Talos bundled Flannel manifest was simplified to remove the install-cni step.

Diagnostics

Talos Linux now shows diagnostics information for common problems related to misconfiguration via talosctl health and Talos dashboard.

Disk Management

Talos Linux now supports configuration for the EPHEMERAL volume.

Extensions in Kubernetes Nodes

Talos Linux now publishes list of installed extensions as Kubernetes node labels/annotations.

The key format is extensions.talos.dev/<name> and the value is the extension version.
If the extension name is not valid as a label key, it will be skipped.
If the extension version is a valid label value, it will be put to the label; otherwise it will be put to the annotation.

For Talos machines booted of the Image Factory artifacts, this means that the schematic ID will be published as the annotation
extensions.talos.dev/schematic (as it is longer than 63 characters).

DNS Forwarding for CoreDNS pods

Usage of the host DNS resolver as upstream for Kubernetes CoreDNS pods is now enabled by default. You can disable it
with:

machine:
  features:
    hostDNS:
      enabled: true
      forwardKubeDNSToHost: false

Please note that on running cluster you will have to kill CoreDNS pods for this change to apply.

The IP address used to forward DNS queries has changed to the fixed 169.254.116.108 address.
For those upgrading from Talos 1.7 with forwardKubeDNSToHost enabled, the old Kubernetes service
can be cleaned up with kubectl delete -n kube-system service host-dns.

Installer

Talos Linux installer now never wipes the system disk on upgrades, which means that the flag
--preserve is always set for talosctl upgrade.

talos.halt_if_installed kernel argument

Starting with Talos 1.8, ISO's generated from Boot Assets would have a new kernel argument talos.halt_if_installed which would pause the boot sequence until boot timeout if Talos is already installed on the disk.
ISO generated for pre 1.8 versions would not have this kernel argument.

This can be also explicitly enabled by setting talos.halt_if_installed=1 in kernel argument.

Slim Kubelet Image

Kubelet container image includes various utilities that kubelet might use to perform various tasks.

Starting with Kubernetes 1.31.0, kubelet image now includes less utilities, as the in-tree CSI plugins were
removed in Kubernetes 1.31.0. This reduces kubelet image size and potential attack surface.

For Kubernetes < 1.31.0, there will be two images built:

• v1.x.y (default, fat)
• v1.x.y-slim (slim)

For Kubernetes >= 1.31.0, there will be same two images built, but the
default tag would point to slim image:

• v1.x.y (default, slim)
• v1.x.y-fat (fat)

KubeSpan

Extra announced endpoints can be added using the KubespanEndpointsConfig document.

Default Node Labels

Talos Linux on config generation now adds a label node.kubernetes.io/exclude-from-external-load-balancers by default for the control plane nodes.

PCI Devices

A list of PCI devices can now be obtained via PCIDevices resource, e.g. talosctl get pcidevices.

Metal images

Starting with Talos 1.8, console=ttyS0 kernel argument is removed from the metal images and installer. If running virtualized in QEMU (For eg: Proxmox), this can be added as an extra kernel argument if needed via Image Factory or using Imager.

This should fix slow boot or no console output issues on most bare metal hardware.

NVIDIA GPU Support

Starting with Talos 1.8.0, SideroLabs would ships extensions for both LTS and Production versions of NVIDIA extensions.
For more details see the CHANGELOG of extensions.

Upgrades with an exisiting schematic id from Image Factory would keep the existing LTS version of the NVIDIA extension.

Removing parts of the configuration using $patch: delete syntax

Talos Linux now supports removing parts of the configuration using the $patch: delete syntax similar to the kubernetes.
More information can be found here.

Platform Support

Talos Linux now supports Apache CloudStack platform.

kube-proxy

Talos Linux configures kube-proxy >= v1.31.0 to use 'nftables' backend by default.

Secure Boot

Talos Linux now can optionally include well-known UEFI (Microsoft) SecureBoot keys into the auto-enrollment UEFI database.

Custom Trusted Roots

Talos Linux now supports adding custom trusted roots (CA certificates) via TrustedRootsConfig configuration documents.

Device Extra Settle Timeout

Talos Linux now supports a kernel command line argument talos.device.settle_time=3m to set the device extra settle timeout to workaround issues with broken drivers.

Component Updates

Kubernetes: 1.31.0
Linux: 6.6.49
containerd: 2.0.0-rc.4
runc: 1.2.0-rc.3
etcd: 3.5.15
Flannel: 0.25.6
Flannel CNI plugin: 1.5.1
CoreDNS: 1.1.13

Talos is built with Go 1.22.7.

ZSTD Compression

Talos Linux now compresses kernel and initramfs using ZSTD.
Linux arm64 kernel is now compressed (previously it was uncompressed).

Contributors

• Andrey Smirnov
• Dmitriy Matrenichev
• Noel Georgi
• Artem Chernyshev
• Utku Ozdemir
• Dmitry Sharshakov
• Justin Garrison
• Spencer Smith
• Steve Francis
• Bernard Gütermann
• Jean-Francois Roy
• Konrad Eriksson
• Serge Logvinov
• doctor_ew
• Amadeus Mader
• Andrew Rynhard
• Anthony ARNAUD
• Attila Oláh
• Birger J. Nordølum
• Caleb Woodbine
• Claus Albøge
• Daniel Höxtermann
• David Birks
• Dean
• Dennis Marttinen
• Eddie Zaneski
• Enrique Hernández Bello
• EricMa
• Evan Johnson
• Fabian Topfstedt
• Fredrik Lundhag
• George Gaál
• Grzegorz Rozniecki
• Grzegorz Rożniecki
• Igor Rzegocki
• Josia Scheytt
• Judah Rand
• Marcel Richter
• Marco Franssen
• Marcus Förster
• Matthias Riegler
• Matthieu Mottet
• Maxime Brunet
• Michael Trip
• Mike Beaumont
• Nick Meyer
• Nicklas Frahm
• Ole-Magnus Sæther
• Roman Ivanov
• Ron Olson
• Saravanan G
• Simon-Boyer
• Skyler Mäntysaari
• Steve Fan
• Steve Martinelli
• Steven Fackler
• Syoc
• Tim Jones
• USBAkimbo
• Will Bush
• cryptk
• darox
• dhaines-quera
• leppeK
• looklose

Changes

295 commits

• 51b91d64e release(v1.8.0-beta.0): prepare release
• 899f1b900 feat: implement "$patch: delete" logic
• 545f75fd7 feat: acquire machine config inline from kernel cmdline
• 361283401 chore: version specific kube-scheduler health checks
• d64ce44e4 chore(ci): e2e gcp
• cd7c68266 chore: disallow duplicate documents on decoder level
• bcaf63628 feat: update dependencies
• dd4185b14 feat: add KubeSpan extra endpoint configuration
• 3038ccfa8 feat: add configuration for EPHEMERAL volume
• faffa4c3f fix: never unarchive initramfs when loading boot assets in talosctl
• 07b91797c fix: report internally service as unhealthy if not running
• bc8bf9e8a feat: update Linux 6.6.49
• 7edcbbb83 chore: support gcp in cloud-image-uploader
• 0a870200e chore: remove matrix links from docs
• db6ef1ee9 test: update Talos versions in Image Factory tests
• ec3844c46 release(v1.8.0-alpha.2): prepare release
• 6f7c3a8e5 fix: build of talosctl on non-Linux arches
• f0a59cec7 release(v1.8.0-alpha.2): prepare release
• c8aed3be4 fix: correctly add console args for ttyS0
• b453385bd feat: support volume configuration, provisioning, etc
• b6b16b35f chore: pause sequencer when talos installed and iso booted
• eade0a9f2 chore: bring in uio modules
• 81f9fcd9c fix: report errors correctly when pulling, fix EEXIST
• b309e87b4 docs: fix invalid input in field user_data
• c7474877a docs: kubeProxyReplacement from "disabled" to "false"
• be2ebf6b4 chore: bump dependencies
• 88601bff4 chore: drop calico from interactive installer
• 106c17d0b chore: aarch64 qemu local secureboot support
• da6263506 feat: update Flannel to v0.25.6
• 19a44c2b0 chore: drop console ttyS0 argument
• 75cecb421 feat: add Apache Cloudstack support
• 951cf66fd feat: add Cisco fnic driver
• 2d3bc94bf fix(ci): fix broken tests
• a9551b7ca fix: host DNS access with firewall enabled
• 4834a61a8 feat: report SELinux labels
• 8fe39eacb chore: move csi tests as go test
• e4f8cb854 fix: merge extension service config files by mountPath
• 5ba1df469 chore: add java package to protos
• 823480800 fix: add missing host/nvme-rdma
• 5b4b64979 fix: bump go-smbios for broken SMIOS tables
• f57d1f07e fix: add NVMe target kernel modules
• 5ff6cf82c fix: drop /opt mount for containers/tink
• 3c0db34d8 docs: update kubespan docs
• 3041d9075 fix: always handle PermissionDenied in dashboard resource watches
• 36f83eea9 chore: make qemu check flag consistent with code
• fe52cb074 chore: update protoc-gen-doc
• ee4290f68 fix: bind HostDNS to 169.254.x link-local address
• c312a46f6 chore: restructure k8s component health checks
• e193e7db9 docs: fix incorrect path for openebs in documentation
• beadbac21 docs: update Oracle Cloud Talos custom image docs
• 6f969e364 chore: improve cluster create UX on aarch64
• 45cc8688a chore: replace if blocks with min/max functions
• a5bd770bf fix: retry with another upstream if the previous failed
• 82e19f38a docs: add high-level overlay development guide
• 872599c9a chore: drop image assets from release
• 3c36c41a9 feat: provide device extra settle timeout
• 9e348ef35 feat: update Kubernetes to 1.31.0
• 61a1c946b feat: bundle (some) CNI plugins with Talos core
• 091da163b chore: support arm64 kexec from zboot kernel images
• 73511c1ef chore: fix release notes
• 2bf924c7b feat: update ISO VolumeID with Talos version
• 9a33dce10 docs: fix the VMWare docs
• 12562c2d5 docs: fix talos version in vmware.sh
• ee67da14c feat: scaleway routed ip
• eba5dafb9 fix: add dns-resolve-cache to the support bundle
• d4f8100bd docs: fix default openebs folder
• 60e163d54 docs: fix typo in doc
• 98d9abdd0 chore(ci): fix cilium ci tests
• beb9602e3 chore: bump github.com/docker/docker to v27.1.1+incompatible
• 0698a4921 docs: aws getting started re-write
• 4d7d7a589 chore(ci): update nvidia integration tests
• 60e901c1d chore: document slim kubelet image
• 622d66a98 chore: bump deps
• f9f5e0ef5 chore: fix k8s tests
• 2ac8d2274 chore: support unsupported flag for mkfs
• 9b9159d1e docs: update support matrix for nvidia drivers
• 9d3415850 fix: fix graph diffs in dashboard when node aliases are used
• 9a126d70e chore: generate deepcopy for SecureBootAssets type
• dff56d824 chore: remove arch-specific etcd image tag
• c9f1dece5 feat: update Kubernetes to 1.31.0-rc.1
• 49831c56f docs: replace removed Cilium/kubeProxyReplacement value
• 33a316369 docs: update aws.md for loop
• e02bd2093 feat: update Kubernetes to 1.31.0-rc.0
• 64914b086 chore: add test for crun extension
• 7a1c62b8b feat: publish installed extensions as node labels/annotations
• 3f2058aba fix: update containerd configuration and settings
• 81bd20f5a docs: remove deprecated jiva from openebs instructions
• 480ffb88a docs: fix the amd64 PXE boot script URL
• 20fe34dbd docs: fix docker getting started typo
• 0fd7dfd2a docs: update Equinix Guide
• 3d1474ac0 feat: update CoreDNS to 1.1.3
• 50e5f37ef chore: add test for apparmor
• 96492c097 docs: extend multus configuration for Cilium
• 19aa44c54 fix: generate kubeconfig using proper types
• 240104e45 feat: update Linux to 6.6.43
• 32db8db60 chore: lock microsoft secureboot certs
• 3ce5492f8 feat: runc memfd-bind service
• 341b55cd3 docs: update vmware.sh
• 117628aa6 chore: add test for gvisor extension with platform kvm
• fd01571c4 feat: update Linux, enable Broadcom MPI3 driver
• b333ec07d feat: update etcd to 3.5.15, Flannel to 0.25.5
• 087290178 feat: use ethtool ioctl to get link status when netlink api not available
• 395c64290 docs: update openebs-jiva helm repo
• f132d3f40 chore(ci): remove artifacts directory prefix for checksums
• fd54dc191 feat(talosctl): append microsoft secure boot certs
• fd6ddd11e feat: provide POD_IP env var to scheduler and controller-manager
• 407347a7a feat: update Kubernetes to 1.31.0-beta.0
• 1b8c9ccbb fix: enforce secureboot enroll option only for supported releases
• d52b89cb9 chore: ensure tls required on s3 buckets
• c288ace7b fix: be more smart when merging DNS resolver config
• d983e4430 fix: panic on shutdown
• 01404edff chore: reduce memory requirement for contrplane nodes
• 980f9ebc0 fix: fix log format in cluster provisioning
• ea626a963 feat: add label 'exclude-from-external-load-balancers' for cp nodes
• 1cf76cfbc docs: fix talosctl spelling
• b07338f54 feat: provide machine config document to update trusted CA roots
• f14c4795e fix: sort ports and merge adjacent ones in the nft rule
• cf5effabb feat: provide an option to enforce SecureBoot for TPM enrollment
• 736c1485e fix: change the UEFI firmware search path order
• a727a1d97 chore: make using action tracker easier
• 0aebeff35 docs: add missing backslashes
• 398151e64 fix: remove host bind mount for /tmp for trustd
• ce4c404e1 chore: redo FilterMessages as generic function
• fbde9c556 chore: bump deps
• 3bab15214 feat: update Kubernetes to 1.31.0-alpha.3
• c2a5213ee docs: add note about mayastor nvme_tcp init container check
• dad9c40c7 chore: simplify code
• 963612bcc chore: redo EncodeString and EncodeBytes using buffer interface
• d9db360ab fix: properly output multi-doc machine config in get mc
• 31af6b3f8 chore: fix the release step to include CNI bundle
• d7cd46643 chore: fix the push/tag steps
• c9aeeca3d chore: fix the Makefile
• 48cdbe0de release(v1.8.0-alpha.1): prepare release
• 2512ef435 test: fix the integrtion tests for apply-config
• 076f3c4f2 chore: improve link spec controller code
• 0454130ad feat: suppress controller runtime first N failures on the console
• 3d35e5468 chore: update hydrophone library
• 1f28726d4 chore: support version with and without v prefix
• 9a56b8527 chore(ci): fix parallel runs of tf pipelines
• be35f380c chore: update pkgs/tools/extras
• 93df23444 docs: update opengraph image for main landing pages
• d9d62d4da feat: update Linux to 6.6.36
• 6b0fe5b8c docs: update deploying cilium docs for v1.7 and v1.8
• 52611a90d feat: update Kubernetes to v1.30.2
• c19cc4ccb docs: clarify direct access needed to nodes in insecure mode
• b4c871e4b chore: bump dependencies
• cc345c8c9 feat: add support for configuring vlan filtering on the bridge
• 2d054ad35 chore: handle documents diff in apply-config dry run
• bd34f71f3 feat: add apparmor pkg
• 71857fd4d docs: fix typo: messure -> measure
• f75f16b0a chore(ci): fix cluster name generation
• c603d2bf9 chore: output more info when ExecuteCommandInPod fails
• 4b5a7445e docs: fix missing Akamai platform in supported matrix
• 4701498a1 chore(ci): run e2e-aws-nvidia with zfs extension enabled
• 86a3222ae chore: use new disks api for iscsi tests
• 5ffc3f14b feat: show siderolink status on dashboard
• 6f6a5d105 chore: upgrade to rtnetlink/v2 library
• 1fb8453c2 chore: update Go modules
• 8e15621e8 chore(ci): add conformance pipelines
• 7fcb521a6 feat: use hydrophone instead of sonobuoy
• d1a0c1f98 test: fix the integration test for no META name
• 535006334 chore: fix our dns server implementation
• c6f90d014 chore: replace sync.Map with concurrent.HashTrieMap
• e8ced2c2d chore: drop k8s timeout in the default kubeconfig
• 7cbdce73f fix: detect CD devices, fix user disks wipe test
• aca475c66 chore: small usability fixes
• 26cf566dc chore: bump our coredns fork
• 5e66e117e fix: initial assignment of Hetzner Cloud Alias IP
• f07b79f4a feat: provide disk detection based on new blockdevices
• 8ee087268 chore(ci): drop crashdump, save logs as artifacts
• 7c9a14383 fix: volume discovery improvements
• 80ca8ff71 fix: update the cgroups for Talos core services
• fe317f1e1 docs: fix typo in QEMU guest agent support on Proxmox
• 8dbe2128a feat: implement Talos diagnostics
• 357d7754f fix: clean up VM runners on cluster destroy
• 41f92e0ba chore: update Go to 1.22.4, other updates
• 4621e9bb7 chore: add stale and lock issue workflows
• 82d9cd322 fix: add upgrade errata for arm64/zboot kernels
• 9a23d846c fix: downgrade Azure IMDS required version
• 30860210c test: fix hardware test not to require PCI devices
• 9fcc9b841 feat: update Flannel to v0.25.3
• 9d395b9de chore: use bun instead of npm
• a1684bdf8 chore: speed up go generate for enumer
• 4dd0aa712 feat: implement PCI device bus enumeration
• b0466e0ab fix: disable kexec on GCP/Azure
• 911c25574 chore: fix go.work resolution
• 2f088ede0 docs: add another example for installing cilium
• 3967e0777 feat: update etcd to 3.5.14
• 3367ded9f fix: correct time adjustment in time.SyncController
• 893e64fcb fix: replace nslookup with dig in integration tests
• 0359c8537 chore: unify toml packages being used
• 4feb94ca0 feat: add multidoc check to the Talos quirks module
• 0b4a9777f docs: update talosctl install instructions for 1.8
• da8305ffb test: add a test for watchdog timers
• da7f27640 fix: mount tracefs filesystem
• 7b37e5b63 chore(ci): fix integration extensions
• de7553d77 fix(ci): cron jobs
• eb510d9fd chore: require enabled bootloader for docker provisioner
• a9cf9b789 fix: correctly handle dns messages in our dns implementation
• c2b19dcb9 chore: move to containerd 2.0 API
• 92a274e9a fix: workaround problems with udevd races
• 31b24ea3d chore(ci): split integration misc
• 8a1371337 fix: produce stable order of bonds with equinix
• 6406193f4 test: add Equnix Metal sample metadata with two bonds
• 01ea82053 fix: time sync over NTP from future era
• 5aea42427 fix(ci): fix crons by setting up buildx always
• 84706c3e2 docs: default to brew docs for talosctl
• fcd65ff65 feat: enable forwardKubeDNSToHost by default
• 2e64e9e4e fix: require accepted CAs on worker nodes
• 23c1c4560 fix(ci): fix crons fby rekres
• 2d50392c5 feat: update containerd to 2.0.0-rc.2, runc to 1.2.0-rc.1
• a12e4bb24 chore(ci): fix github action crons
• e7bd9cd2b fix: decrease maximum negative ttl for dns responses
• 9c3ebad9f chore(ci): kresify gh actions
• ff60f6fde refactor: make some of the extensions package public
• ce8c86d64 fix: panic in osroot controller
• e1711cd3c chore: stop using containerd package for cri namespace
• d4307043f fix: update go-tail library to fix 'short read' error
• 7cd13ef4a docs: add documentation on using Multus with Talos
• 4784da3ef feat: use new circular buffer compressed chunks feature
• 78b48eb3a feat: include EDAC drivers
• 0bf2d69fb feat: update Kubernetes to 1.30.1
• 53f548913 fix: increase host dns packet ttl for pods
• dedb6d360 fix: update github.com/siderolabs/siderolink to v0.3.7
• 43939f1a6 docs: fix typos, add docker socket info
• 6663068bb chore: update project in GCP testing
• b86edc677 chore: update office hours in talos repo
• cfa25d22d chore: remove docs prior to 1.0 from website navigation
• 120705459 chore: handle I/O error for xfs_repair
• b7afe2669 feat: update Linux 6.6.30
• 26519ceed docs: update proxmox.md
• 851b91a0e fix: don't enable hostDNS for versions of Talos which do not have it
• 42ac5cd0c fix: check for nil machine config during installation
• 1d29111d4 chore: update Go to 1.22.3
• f4d7b9d9a feat: gather plaform dns names
• 0b0f9995a docs: add resource information, some grammar fixes
• 763dae250 fix: add cluster name to the worker machine config
• 4aac5b4ec feat: mount /sys/kernel/security into kubelet
• 817f18153 docs: remove mention of enabling KubePrism after v1.6
• c08d79732 docs: fix the variable name typo
• 478b862b4 fix: do not fail cli action tracker when boot id cannot be read
• be510f9eb docs: fix grpc_tunnel value to true
• b7b8a8d8f docs: add logs example for the certificate errors troubleshooting
• 8df5b85ec release(v1.8.0-alpha.0): prepare release
• 07f78182c fix: use a fresh context for etcd unlock
• 84cd7dbec feat: update Linux to 6.6.29
• 70fdca6a4 chore: update minimum hardware requirement for vmware ova
• b690ffeb8 test: improve DNS resolver test stability
• 5aa0299b6 style: use correct capitalization for openstack
• 4c0c626b7 feat: use zstd compression in place of xz
• 98906ed6e fix: use reboot delay only in case of error
• 05fd042bb test: improve the reset integration tests
• 8cdf0f7cb docs: fix typo in Cilium instructions
• dd1d279da fix: allow more flags in talosctl cluster create --input-dir
• ef4394e58 chore: update kernel and other packages
• ccdb4c8b1 chore: update google.golang.org/grpc to 1.63.2
• c5b59df69 fix: wait for devices to be discovered before probing filesystems
• 0821b9c50 feat: add --non-masquerade-cidrs flag to talosctl cluster create
• 2bf613ad3 fix: add endpoints for "virtual" host-dns service
• f4163aefe fix: bump priority of OpenStack routes if IPv6 and default gateway
• 6fbd1263c feat: report process MAC labels
• d46032821 fix: return proper value from Bridge.STP instead of plain nil
• bac1d00c3 chore: prepare for Talos 1.8
• d6c8067e1 docs: make 1.7 docs the default
• d7c3a0735 docs: add what's new for v1.7
• 908f67fa1 feat: add host dns support for resolving member addrs
• 0d20b637d feat: update Kubernetes to 1.30.0
• ec69d7a78 chore: replace math/rand with math/rand/v2
• 89040ce43 chore: update go-blockdevice/v2 library to the latest version
• 0a785802e fix: overlay installer operations
• b1b63f658 fix: mark overlay installer executable
• 3433fa13b feat: use container DNS when in container mode
• 5d07ac5a7 fix: close apid inter-backend connections gracefully for real
• 7ba18555b docs: fix typos in Akamai and AWS platform docs
• 3dd1f4e88 chore: extract pkg/imager/quirks to pkg/machinery
• 78bc3a433 docs: update Cilium docs
• 831f3d39e feat: update Flannel to v0.25.1
• ea5b3ff0c feat: update Kubernetes to v1.30.0-rc.2
• 54dac5ed4 feat: update Linux 6.6.24, containerd 1.7.15
• c51f146da docs: update Akamai platform docs
• 9550f5ff7 docs: fix getAuthenticationMethod and completePathFromNode docs
• bfbd02abf fix: assign different priority to IPv6 default gateway on OpenStack
• c8f674bd3 test: add a test for 'spin' container runtime
• 5390ccd48 chore: replace []byte with string and use go:embed for templates
• ba7cdc8c8 chore: optimize DNSResolveCacheController
• 145f24063 fix: don't modify a global map of profiles
• 6fe91ad9c feat: provide Kubernets/Talos version compatibility for 1.8
• 909a5800e fix: generate secureboot ISO .der certificate correctly
• b0fdc3c8c fix: make static pods check output consistent
• c6ad0fcce fix: validate that workers don't get cluster CA key
• 3735add87 fix: reconnect to the logs stream in dashboard after reboot
• 9aa1e1b79 fix: present all accepted CAs to the kube-apiserver
• 336e61174 fix: close the apid connection to other machines gracefully
• ff2c427b0 fix: pre-create nftables chain to make kubelet use nftables
• 5622f0e45 docs: change localDNS to hostDNS in release notes yaml section

Changes since v1.8.0-alpha.2

15 commits

• 51b91d64e release(v1.8.0-beta.0): prepare release
• 899f1b900 feat: implement "$patch: delete" logic
• 545f75fd7 feat: acquire machine config inline from kernel cmdline
• 361283401 chore: version specific kube-scheduler health checks
• d64ce44e4 chore(ci): e2e gcp
• cd7c68266 chore: disallow duplicate documents on decoder level
• bcaf63628 feat: update dependencies
• dd4185b14 feat: add KubeSpan extra endpoint configuration
• 3038ccfa8 feat: add configuration for EPHEMERAL volume
• faffa4c3f fix: never unarchive initramfs when loading boot assets in talosctl
• 07b91797c fix: report internally service as unhealthy if not running
• bc8bf9e8a feat: update Linux 6.6.49
• 7edcbbb83 chore: support gcp in cloud-image-uploader
• 0a870200e chore: remove matrix links from docs
• db6ef1ee9 test: update Talos versions in Image Factory tests

Changes from siderolabs/discovery-client

2 commits

• siderolabs/discovery-client@ca662d2 feat: export default GRPC dial options for the client
• siderolabs/discovery-client@7a767fa chore: bump Go, deps and rekres

Changes from siderolabs/extras

8 commits

• siderolabs/extras@969a41f feat: update to pkgs 1.8.0
• siderolabs/extras@43a2821 feat: bump deps
• siderolabs/extras@6f4a373 chore: use Go 1.22.6
• siderolabs/extras@e7d16d8 chore: bump deps
• siderolabs/extras@cab51d8 feat: update dependencies
• siderolabs/extras@0efb05f feat: update Go to 1.22.4
• siderolabs/extras@01ad9f5 feat: update Go to 1.22.3
• siderolabs/extras@fa6663c feat: update Go to 1.22.2

Changes from siderolabs/gen

2 commits

• siderolabs/gen@7654108 chore: add hashtriemap implementation
• siderolabs/gen@8485864 chore: optimize maps.Values and maps.Keys

Changes from siderolabs/go-api-signature

4 commits

• siderolabs/go-api-signature@8807c5e fix: account for time truncation to a second resolution
• siderolabs/go-api-signature@1b35ea8 chore: bump deps and fix data race
• siderolabs/go-api-signature@4bf0f02 fix: get rid of data race in the key sign interceptor
• siderolabs/go-api-signature@782aac0 chore: bump deps

Changes from siderolabs/go-circular

3 commits

• siderolabs/go-circular@cbce5c3 feat: add persistence support
• siderolabs/go-circular@3c48c53 feat: implement extra compressed chunks
• siderolabs/go-circular@835f04c chore: rekres, update dependencies

Changes from siderolabs/go-debug

1 commit

• siderolabs/go-debug@c8f9b12 chore: add support for Go 1.23

Changes from siderolabs/go-kubernetes

3 commits

• siderolabs/go-kubernetes@0e767c5 chore: k8s 1.31 kube-scheduler health endpoints
• siderolabs/go-kubernetes@ee8c6b8 fix: add one more removed feature gate for 1.31
• siderolabs/go-kubernetes@37dd61f feat: add support for Kubernetes 1.31

Changes from siderolabs/go-loadbalancer

1 commit

• siderolabs/go-loadbalancer@0639758 chore: bump deps

Changes from siderolabs/go-pcidb

1 commit

• siderolabs/go-pcidb@2e79017 feat: rekres, update PCI IDs

Changes from siderolabs/go-smbios

2 commits

• siderolabs/go-smbios@e781237 fix: stop decoding without error if EOF encountered during header read
• siderolabs/go-smbios@6a719a6 chore: rekres, bump deps

Changes from siderolabs/go-tail

1 commit

• siderolabs/go-tail@7cb7294 fix: remove unexpected short read error

Changes from siderolabs/go-talos-support

3 commits

• siderolabs/go-talos-support@58f4f0f chore: bump Go dependencies
• siderolabs/go-talos-support@f9d46fd fix: add dns-resolve-cache to the list of logs gathered
• siderolabs/go-talos-support@69891cf chore: remove containerd dependency

Changes from siderolabs/grpc-proxy

5 commits

• siderolabs/grpc-proxy@ec3b59c fix: address all gRPC deprecations
• siderolabs/grpc-proxy@02f82db chore: rekres, bump deps
• siderolabs/grpc-proxy@62b29be chore: rekres, update dependencies
• siderolabs/grpc-proxy@2decdd1 chore: add no-op github workflow
• siderolabs/grpc-proxy@77d7adc chore: bump deps

Changes from siderolabs/pkgs

59 commits

• siderolabs/pkgs@1ef6797 feat: update Go 1.22.7, other bumps
• siderolabs/pkgs@2c6abb8 feat: bump releases
• siderolabs/pkgs@6ee4e56 fix: reproducible build for ipmitool
• siderolabs/pkgs@4ce5bc6 feat: add uio_pci_generic kernel module
• siderolabs/pkgs@18d3b85 feat: add uinput kernel module
• siderolabs/pkgs@4fd2541 feat: bump dependencies
• siderolabs/pkgs@467d127 feat: enable Cisco FCoE HBA Driver (fnic)
• siderolabs/pkgs@4e6dec2 feat: enable more PCI options
• siderolabs/pkgs@5f919c5 fix: add virtio-net GSO issue patch
• siderolabs/pkgs@7b2e46b feat: update Linux to 6.6.45
• siderolabs/pkgs@a6db229 fix: strip CNI plugins
• siderolabs/pkgs@124d35b chore: bump deps
• siderolabs/pkgs@af6b4e6 chore: bump nvidia drivers
• siderolabs/pkgs@5e8a15a chore: bump deps
• siderolabs/pkgs@99650c8 fix: enable TPROXY for nftables
• siderolabs/pkgs@75adbde feat: support lts and production nvidia modules
• siderolabs/pkgs@a97d58f feat: add Intel management engine modules for Intel Arc support
• siderolabs/pkgs@4e940f8 feat: update Linux to 6.6.43
• siderolabs/pkgs@7f9c802 fix(kernel): array-index-out-of-bounds error on bpf
• siderolabs/pkgs@8cc6455 feat: add driver for Broadcom MPI3
• siderolabs/pkgs@d01fb35 feat: update Linux to 6.6.39
• siderolabs/pkgs@25f3a99 fix: update ca-certificates in pkgs
• siderolabs/pkgs@60a91b2 fix: enable CONFIG_PROC_CHILDREN for amd64 kernel
• siderolabs/pkgs@ce49757 feat: update flannel-cni plugin to v1.5.1
• siderolabs/pkgs@289ed6b feat: bump deps
• siderolabs/pkgs@8d6b19a feat: update Linux to 6.6.36
• siderolabs/pkgs@b671d46 feat: update containerd/runc to the next rc versions
• siderolabs/pkgs@c7e9591 feat: enable CONFIG_X86_AMD_PSTATE
• siderolabs/pkgs@84bad89 feat: add 'apparmor' package
• siderolabs/pkgs@4d9869a feat: update Linux to 6.6.33
• siderolabs/pkgs@e5990e8 feat: enable CONFIG_KSM
• siderolabs/pkgs@a37f382 fix: network for Rockchip boards like Rock64
• siderolabs/pkgs@95218c7 fix: enable PAGE_TABLE_CHECK
• siderolabs/pkgs@cbd9cd7 feat: enable SCTP support
• siderolabs/pkgs@c309452 feat: bump dependencies
• siderolabs/pkgs@3a56032 chore: rekres
• siderolabs/pkgs@db7f60c feat: bump Linux to 6.6.32
• siderolabs/pkgs@c647a05 feat: update ipxe to the latest
• siderolabs/pkgs@f350879 feat: update containerd to 2.0.0-rc.2, runc to 1.2.0-rc.1
• siderolabs/pkgs@f8392fb feat: update Linux firmware to 20240513
• siderolabs/pkgs@f414bbd fix: disable CONFIG_EFI_DISABLE_PCI_DMA option
• siderolabs/pkgs@9ebfd1b feat: enable EDAC drivers
• siderolabs/pkgs@f9559de fix: drbd module installation
• siderolabs/pkgs@492638d feat: update dependencies
• siderolabs/pkgs@bd70572 feat: update Go to 1.22.3
• siderolabs/pkgs@edb600a feat: update zfs package to v2.2.4
• siderolabs/pkgs@6775002 feat: enable NFT FIB lookups
• siderolabs/pkgs@28c5696 feat: update Linux to 6.6.29
• siderolabs/pkgs@9c8a02c feat: update containerd to 1.7.16
• siderolabs/pkgs@ca6249b feat: compress amd64 Linux kernel using zstd
• siderolabs/pkgs@718a7da feat: enable SELinux
• siderolabs/pkgs@207481f feat(intel): add support for power management and ACPI options for Intel CPUs
• siderolabs/pkgs@dfa7dce feat: update Linux to 6.6.28
• siderolabs/pkgs@7b30b61 fix: use proper EFI zBoot image
• siderolabs/pkgs@010913b feat: update Linux 6.6.26, containerd 1.7.15
• siderolabs/pkgs@da397fa feat: enable BFQ IO scheduler
• siderolabs/pkgs@c839801 feat: enable zboot on arm64 with zstd compression
• siderolabs/pkgs@1b28e2c feat: go 1.22.2, Linux 6.6.24
• siderolabs/pkgs@05db2a8 fix: revert musl to 1.2.4

Changes from siderolabs/protoenc

19 commits

• siderolabs/protoenc@684f268 chore: bump deps, add repeated <-> single field example
• siderolabs/protoenc@82f0774 fix: encode (u)int(16|8)s as varints
• siderolabs/protoenc@d8ddbd5 chore: add more tests
• siderolabs/protoenc@dceb5a6 fix: proper order for custom EncoderDecoder
• siderolabs/protoenc@3617e19 fix: add missing test and proper check for map[string]interface{}
• siderolabs/protoenc@647e9da chore: various additions
• siderolabs/protoenc@3e56913 fix: support pointer to structs in marshal/unmarshal
• siderolabs/protoenc@49a85fa chore: add support for map[string]interface{}
• siderolabs/protoenc@bf5e39b chore: support (u)int(8|16) fields ans slices, fix map issues,
• siderolabs/protoenc@d618d0d chore: no longer treat T and *T as the same types in RegisterEncoderDecoder
• siderolabs/protoenc@aa7ee6c chore: add fast path for ints, fixed ints and floats
• siderolabs/protoenc@6427893 chore: bump Go and fix lint issues
• siderolabs/protoenc@94427a5 chore: even more various fixes and small refactorings
• siderolabs/protoenc@76e5695 chore: various fixes and small refactorings
• siderolabs/protoenc@8a48bf0 feat: implement custom encoders/decoders
• siderolabs/protoenc@549761b chore: various embedding fixes
• siderolabs/protoenc@ab9b1ff chore: add side-by-side tests with official proto.Marshal and Unmarshal
• siderolabs/protoenc@2519db3 feat: implement Marshal/Unmarshal functions for protobuf encoding
• siderolabs/protoenc@485db9f Initial commit

Changes from siderolabs/siderolink

4 commits

• siderolabs/siderolink@e76747b chore: migrate to rtnetlink/2
• siderolabs/siderolink@3a587fc fix: do not ever skip updates which have remove flag
• siderolabs/siderolink@be00ff5 chore: redo event filtering as a sequence of iterators
• siderolabs/siderolink@a936b60 chore: handle peer events in batches

Changes from siderolabs/tools

15 commits

• siderolabs/tools@a0c06c6 feat: update Go to 1.22.7
• siderolabs/tools@50e55e6 feat: bump dependencies
• siderolabs/tools@2b8dab4 feat: add policycoreutils for building squashfs with SELinux
• siderolabs/tools@ef48079 feat: add fakeroot as a build dependency
• siderolabs/tools@86b5363 feat: add secilc
• siderolabs/tools@41ed4b2 fix: fix Tcl tag hashes
• siderolabs/tools@a764e8d chore: bump deps
• siderolabs/tools@7d807bd chore: bump deps
• siderolabs/tools@31ad71b feat: update dependencies
• siderolabs/tools@d2746e5 feat: update Go to 1.22.4
• siderolabs/tools@06ba64e feat: update dependencies
• siderolabs/tools@7e5a248 feat: update dependencies
• siderolabs/tools@c34ec5b feat: update Go to 1.22.3
• siderolabs/tools@3c25a6f fix: update pkg-config configure flag
• siderolabs/tools@bd405ff feat: update go to 1.22.2

Dependency Changes

• cloud.google.com/go/compute/metadata v0.2.3 -> v0.5.0
• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 -> v1.13.0
• github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 -> v1.7.0
• github.com/aws/aws-sdk-go-v2/config v1.27.10 -> v1.27.33
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 -> v1.16.13
• github.com/aws/aws-sdk-go-v2/service/kms v1.30.1 -> v1.35.7
• github.com/aws/smithy-go v1.20.2 -> v1.20.4
• github.com/beevik/ntp v1.3.1 -> v1.4.3
• github.com/containerd/containerd/api v1.8.0-rc.3 new
• github.com/containerd/containerd/v2 v2.0.0-rc.4 new
• github.com/containerd/errdefs v0.1.0 new
• github.com/containerd/platforms v0.2.1 new
• github.com/containerd/typeurl/v2 v2.1.1 -> v2.2.0
• github.com/containernetworking/cni v1.1.2 -> v1.2.3
• github.com/containernetworking/plugins v1.4.1 -> v1.5.1
• github.com/coreos/go-iptables v0.7.0 -> v0.8.0
• github.com/cosi-project/runtime v0.4.1 -> v0.5.5
• github.com/docker/docker v26.0.0 -> v27.2.0
• github.com/fatih/color v1.16.0 -> v1.17.0
• github.com/foxboron/go-uefi 48be911532c2 -> e2076f0e58ca
• github.com/google/go-containerregistry v0.19.1 -> v0.20.2
• github.com/google/go-tpm ee6cbcd136f8 -> v0.9.1
• github.com/hashicorp/go-getter/v2 v2.2.1 -> v2.2.3
• github.com/hetznercloud/hcloud-go/v2 v2.7.0 -> v2.13.1
• github.com/insomniacslk/dhcp c728f5dd21c8 -> a3a4c1f04475
• github.com/jsimonetti/rtnetlink/v2 v2.0.2 new
• github.com/klauspost/compress v1.17.9 new
• github.com/klauspost/cpuid/v2 v2.2.7 -> v2.2.8
• github.com/miekg/dns v1.1.58 -> v1.1.62
• github.com/opencontainers/runc v1.2.0-rc.3 new
• github.com/pelletier/go-toml/v2 v2.2.3 new
• github.com/pkg/xattr v0.4.10 new
• github.com/prometheus/procfs v0.13.0 -> v0.15.1
• github.com/rivo/tview a22293bda944 -> fd649dbf1223
• github.com/rs/xid v1.5.0 -> v1.6.0
• github.com/safchain/ethtool v0.3.0 -> v0.4.1
• github.com/scaleway/scaleway-sdk-go v1.0.0-beta.25 -> v1.0.0-beta.30
• github.com/siderolabs/discovery-client v0.1.8 -> v0.1.9
• github.com/siderolabs/extras v1.7.0-1-gbb76755 -> v1.8.0
• github.com/siderolabs/gen v0.4.8 -> v0.5.0
• github.com/siderolabs/go-api-signature v0.3.2 -> v0.3.6
• github.com/siderolabs/go-blockdevice/v2 3265299b0192 -> v2.0.1
• github.com/siderolabs/go-circular v0.1.0 -> v0.2.0
• github.com/siderolabs/go-debug v0.3.0 -> v0.4.0
• github.com/siderolabs/go-kubernetes v0.2.9 -> v0.2.12
• github.com/siderolabs/go-loadbalancer v0.3.3 -> v0.3.4
• github.com/siderolabs/go-pcidb v0.2.0 -> v0.3.0
• github.com/siderolabs/go-smbios v0.3.2 -> v0.3.3
• github.com/siderolabs/go-tail v0.1.0 -> v0.1.1
• github.com/siderolabs/go-talos-support v0.1.0 -> v0.1.1
• github.com/siderolabs/grpc-proxy v0.4.0 -> v0.4.1
• github.com/siderolabs/pkgs v1.7.0-6-g29106c0 -> v1.8.0
• github.com/siderolabs/protoenc v0.2.1 new
• github.com/siderolabs/siderolink v0.3.5 -> v0.3.9
• github.com/siderolabs/talos/pkg/machinery v1.7.0 -> v1.8.0-beta.0
• github.com/siderolabs/tools v1.7.0-1-g10b2a69 -> v1.8.0-1-ga0c06c6
• github.com/spf13/cobra v1.8.0 -> v1.8.1
• github.com/vishvananda/netlink v1.2.1-beta.2 -> v1.3.0
• go.etcd.io/etcd/api/v3 v3.5.13 -> v3.5.15
• go.etcd.io/etcd/client/pkg/v3 v3.5.13 -> v3.5.15
• go.etcd.io/etcd/client/v3 v3.5.13 -> v3.5.15
• go.etcd.io/etcd/etcdutl/v3 v3.5.13 -> v3.5.15
• golang.org/x/net v0.23.0 -> v0.29.0
• golang.org/x/oauth2 v0.18.0 -> v0.23.0
• golang.org/x/sync v0.6.0 -> v0.8.0
• golang.org/x/sys v0.18.0 -> v0.25.0
• golang.org/x/term v0.18.0 -> v0.24.0
• golang.org/x/text v0.14.0 -> v0.18.0
• golang.org/x/time v0.5.0 -> v0.6.0
• google.golang.org/grpc v1.62.1 -> v1.66.0
• google.golang.org/protobuf v1.33.0 -> v1.34.2
• k8s.io/api v0.30.0 -> v0.31.0
• k8s.io/apimachinery v0.30.0 -> v0.31.0
• k8s.io/apiserver v0.30.0 -> v0.31.0
• k8s.io/client-go v0.30.0 -> v0.31.0
• k8s.io/component-base v0.30.0 -> v0.31.0
• k8s.io/cri-api v0.30.0 -> v0.32.0-alpha.0
• k8s.io/klog/v2 v2.120.1 -> v2.130.1
• k8s.io/kube-scheduler v0.30.0 -> v0.31.0
• k8s.io/kubectl v0.30.0 -> v0.31.0
• k8s.io/kubelet v0.30.0 -> v0.31.0
• k8s.io/pod-security-admission v0.30.0 -> v0.31.0
• kernel.org/pub/linux/libs/security/libcap/cap v1.2.69 -> v1.2.70
• sigs.k8s.io/hydrophone b92baf7e0b04 new

Previous release can be found at v1.7.0

Images

ghcr.io/siderolabs/flannel:v0.25.6
registry.k8s.io/coredns/coredns:v1.11.3
gcr.io/etcd-development/etcd:v3.5.15
registry.k8s.io/kube-apiserver:v1.31.0
registry.k8s.io/kube-controller-manager:v1.31.0
registry.k8s.io/kube-scheduler:v1.31.0
registry.k8s.io/kube-proxy:v1.31.0
ghcr.io/siderolabs/kubelet:v1.31.0
ghcr.io/siderolabs/installer:v1.8.0-beta.0
registry.k8s.io/pause:3.9

---

This discussion was created from the release v1.8.0-beta.0.

[infinitydon]

As regards:

Talos Linux now bundles by default the following standard CNI plugins:

bridge
firewall
flannel
host-local
loopback
portmap

I think other plugins like ipvlan, macvlan and host-device plugins should be included, these are used extensively with Multus.

Also I believe they should be included in the install irrespetive of the choice of CNI plugin that is used with Talos

[usrbinkat]

+1 because of multus requirements, else document the correct way to layer these on.

[smira]

As it was before, you can still copy them over to /opt/cni/bin by using init containers.

This is what all other CNIs do (e.g. Cilium CNI).

Talos ships with bare minimum to run Flannel in the default configuration.