Releases: siderolabs/talos

v1.11.3

15 Oct 15:24
v1.11.3
a0243ef

Talos 1.11.3 (2025-10-15)

Welcome to the v1.11.3 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

runc: 1.3.2
Kubernetes: 1.34.1
Linux: 6.12.52
linux-firmware: 20251011
CoreDNS: 1.12.4
etcd: 3.6.5
Flannel: 0.27.4

Talos is built with Go 1.24.9.

Contributors

  • Noel Georgi
  • Andrey Smirnov
  • Chris Sanders
  • Grzegorz Rozniecki

Changes

11 commits

  • a0243ef77 release(v1.11.3): prepare release
  • 560241c00 fix: make Akamai platform usable
  • 1b23cad61 fix: cherry-pick of commit 0fbb0b0 from #11959
  • 876719a92 fix: cherry-pick of commit cd9fb27 from #11943
  • 9a30ab6f5 feat: bump go, kernel and runc
  • 0fbb0b028 fix: provide nocloud metadata with missing network config
  • 0dad32819 feat: update Flannel to v0.27.4
  • 49182b386 fix: support secure HTTP proxy with gRPC dial
  • a460f5726 feat: update etcd 3.6.5, CoreDNS 1.12.4
  • 48ee8581b fix: don't set broadcast for /31 and /32 addresses
  • 7668c52dd fix: provide refreshing CA pool (resolvers)

Changes from siderolabs/pkgs

5 commits

Changes from siderolabs/tools

2 commits

Dependency Changes

  • github.com/siderolabs/pkgs v1.11.0-21-gf95c679 -> v1.11.0-26-gc316374
  • github.com/siderolabs/talos/pkg/machinery v1.11.2 -> v1.11.3
  • github.com/siderolabs/tools v1.11.0-2-g8556c73 -> v1.11.0-4-g05ee846

Previous release can be found at v1.11.2

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.12.4
gcr.io/etcd-development/etcd:v3.6.5
registry.k8s.io/kube-apiserver:v1.34.1
registry.k8s.io/kube-controller-manager:v1.34.1
registry.k8s.io/kube-scheduler:v1.34.1
registry.k8s.io/kube-proxy:v1.34.1
ghcr.io/siderolabs/kubelet:v1.34.1
ghcr.io/siderolabs/installer:v1.11.3
registry.k8s.io/pause:3.10

v1.12.0-alpha.1

01 Oct 12:09
v1.12.0-alpha.1
3165a2b

v1.12.0-alpha.1 Pre-release

Talos 1.12.0-alpha.1 (2025-10-01)

Welcome to the v1.12.0-alpha.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Disk Encryption

Talos versions prior to v1.12 used the state of PCR 7 and signed policies locked to PCR 11 for TPM-based disk encryption.

Talos now supports configuring which PCR states are used for TPM-based disk encryption via the options.pcrs
field in the tpm section of the disk encryption configuration.

If the user doesn't specify any options, Talos defaults to using PCR 7 for backwards compatibility with existing installations.

This change was made to improve compatibility with systems that may have varying states in PCR 7 due to UEFI Secure Boot configurations,
and for users who may wish to disable locking to PCR 7 state entirely.

Signed PCR policies will still be bound to PCR 11.

The PCRs currently in use can be seen with the talosctl get volumestatus <volume> -o yaml command.
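Why the PCR selection matters, as an added example (a model of TPM 2.0 PCR extend and TPM2_PolicyPCR digests, not code from Talos): a key sealed against PCR 7 stops unsealing as soon as the Secure Boot state measured into PCR 7 changes, while an empty selection carries no such dependency. The event strings, the `Boot` helper and the treatment of an empty selection as "no PCR assertion" are assumptions of this model.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

const (
	tpmCCPolicyPCR = 0x0000017F // TPM_CC_PolicyPCR command code
	tpmAlgSHA256   = 0x000B     // TPM_ALG_SHA256 bank identifier
)

// PCRBank models the SHA-256 PCR bank: index -> current value (zero at reset).
type PCRBank map[int][32]byte

// Extend applies the TPM extend rule: PCR = SHA256(PCR || SHA256(event)).
func (b PCRBank) Extend(index int, event []byte) {
	old := b[index]
	m := sha256.Sum256(event)
	b[index] = sha256.Sum256(append(old[:], m[:]...))
}

// selection marshals a TPML_PCR_SELECTION with a single SHA-256 entry.
func selection(pcrs []int) []byte {
	var bitmap [3]byte // one bit per PCR, indices 0..23
	for _, p := range pcrs {
		bitmap[p/8] |= 1 << (p % 8)
	}
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.BigEndian, uint32(1))            // one selection
	binary.Write(buf, binary.BigEndian, uint16(tpmAlgSHA256)) // hash bank
	buf.WriteByte(byte(len(bitmap)))                          // sizeofSelect
	buf.Write(bitmap[:])
	return buf.Bytes()
}

// PolicyDigest computes the digest of a fresh policy session after one
// TPM2_PolicyPCR over the selected PCRs. In this model an empty selection
// adds no PCR assertion, so the digest stays at its all-zero start value.
func PolicyDigest(bank PCRBank, pcrs []int) ([32]byte, error) {
	var policy [32]byte
	if len(pcrs) == 0 {
		return policy, nil
	}
	sorted := append([]int(nil), pcrs...)
	sort.Ints(sorted)
	values := sha256.New() // digest over the selected PCR values, in index order
	for _, p := range sorted {
		if p < 0 || p > 23 {
			return policy, fmt.Errorf("PCR index %d out of range 0..23", p)
		}
		v := bank[p]
		values.Write(v[:])
	}
	buf := new(bytes.Buffer)
	buf.Write(policy[:]) // previous policy digest (all zero)
	binary.Write(buf, binary.BigEndian, uint32(tpmCCPolicyPCR))
	buf.Write(selection(sorted))
	buf.Write(values.Sum(nil))
	return sha256.Sum256(buf.Bytes()), nil
}

// CanUnseal reports whether the current PCR bank reproduces the policy
// digest that was recorded when the key was sealed.
func CanUnseal(sealed [32]byte, bank PCRBank, pcrs []int) bool {
	now, err := PolicyDigest(bank, pcrs)
	return err == nil && now == sealed
}

// Boot returns a constructed PCR bank for one boot. Only the event
// extended into PCR 7 varies; the PCR 11 event is a fixed placeholder.
func Boot(secureBootState string) PCRBank {
	b := PCRBank{}
	b.Extend(7, []byte(secureBootState))
	b.Extend(11, []byte("constructed boot image measurement"))
	return b
}

func main() {
	enrolled := Boot("constructed: Secure Boot db/dbx at install time")
	updated := Boot("constructed: Secure Boot db/dbx after firmware update")
	for _, pcrs := range [][]int{{7}, {}} {
		sealed, _ := PolicyDigest(enrolled, pcrs)
		fmt.Printf("pcrs=%v same-state=%v after-PCR7-change=%v\n",
			pcrs, CanUnseal(sealed, enrolled, pcrs), CanUnseal(sealed, updated, pcrs))
	}
}
```

With an empty selection the unseal no longer depends on the Secure Boot state recorded in PCR 7, so the signed policy bound to PCR 11 is the remaining boot-state check.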

Embedded Config

Talos Linux now supports embedding the machine configuration directly into the boot image.

Ethernet Configuration

The Ethernet configuration now includes a wakeOnLAN field to enable Wake-on-LAN (WOL) support.
This field can be set to enable WOL and specify the desired WOL modes.

Extra Binaries

Talos Linux now ships with the nft binary in the rootfs to support CNIs which shell out to the nft command.

Kernel Security Posture Profile (KSPP)

Talos now enables a stricter set of KSPP sysctl settings by default.
The list of overridden settings is available with the talosctl get kernelparamstatus command.

Encrypted Volumes

Talos Linux now consistently provides mapped names for encrypted volumes in the format /dev/mapper/luks2-<volume-id>.
This change should not affect system or user volumes, but might allow easier identification of encrypted volumes,
in particular raw encrypted volumes.

Component Updates

Linux: 6.16.9
Kubernetes: 1.34.1
CNI Plugins: 1.8.0
cryptsetup: 2.8.1
LVM2: 2_03_34
systemd-udevd: 257.8
runc: 1.3.1
CoreDNS: 1.12.4
etcd: 3.6.5

Talos is built with Go 1.25.1.

Contributors

  • Andrey Smirnov
  • Noel Georgi
  • Amarachi Iheanacho
  • Dmitrii Sharshakov
  • Mateusz Urbanek
  • Orzelius
  • Oguz Kilcan
  • George Gaál
  • Utku Ozdemir
  • 459below
  • Alp Celik
  • Andrew Longwill
  • Chris Sanders
  • Dmitry
  • Febrian
  • Fred Heinecke
  • Giau. Tran Minh
  • Guillaume LEGRAIN
  • Jorik Jonker
  • Justin Garrison
  • Markus Freitag
  • Max Makarov
  • Mike Beaumont
  • Misha Aksenov
  • MrMrRubic
  • Olivier Doucet
  • Sammy ETUR
  • Serge Logvinov
  • Skyler Mäntysaari
  • Tom
  • aurh1l
  • frozenprocess
  • kassad
  • leppeK
  • winnie

Changes

179 commits

  • 3165a2b84 release(v1.12.0-alpha.1): prepare release
  • e455c7ea9 chore: use testing/synctest in tests
  • 7f048e962 feat: update dependencies
  • fe36b3d32 fix: stop returning EINVAL on remount of detached mounts
  • c6279e04c chore: use new mount/v3 package in efivarfs
  • d5197effb feat: update etcd 3.6.5, CoreDNS 1.12.4
  • 33714b715 feat: release cloud image using factory
  • d10a2747e docs: deprecate JSON6902 patches and interactive installer
  • 1e604cbf5 fix: don't set broadcast for /31 and /32 addresses
  • 65a66097a refactor: split cluster create logic into smaller parts
  • ab847310e fix: provide refreshing CA pool (resolvers)
  • d63c3ed7d docs: update secureboot docs
  • 493f7ed9d feat: support embedded config
  • 251df70f6 feat: add a userspace OOM controller
  • 7bae5b40b feat: implement link configuration
  • 724857dec fix(ci): skip netbird extension for tests
  • e06a08698 fix: default gateway as string
  • 7ed07412e fix: uefi boot entry handling logic
  • ea4ed165a refactor: efivarfs mock and tests
  • 1fca111e2 feat: support setting wake-on-lan for Ethernet
  • 94f78dbe7 docs: add a documentation for running Talos in KVM
  • 46902f8fd docs: add TrueFullstaq to adopters
  • a28e5cbd5 chore: update pkgs and tools
  • 7cf403db8 docs: step-by-step scaleway documentation to get an image
  • 687285fa2 docs: remove 'curl' in wget command
  • 9db6dc06c feat: stop mounting state partition
  • 53ce93aae test: try to clear connection refused more aggressively
  • 51db5279c fix: bump trustd memory limit
  • 25204dc8a fix(machined): change constants.MinimumGOAMD64Level using build tag
  • 9cd2d794d feat: ship nft binary with Talos rootfs
  • b1416c9fe feat: record last log the failed service
  • 0b129f9ef feat: enforce more KSPP and hardening sysctls
  • 11872643c chore: drop docs folder
  • d30fdcd88 chore: pass in github token to imager
  • b88f27d80 chore: make reset test code a bit better
  • 1cde53d01 test: fix several issues with tests
  • 16cd127a0 docs: add docs on updating image cache
  • c3ae92b14 fix: build kernel checks only on linux
  • 2120904ec feat: create detached tmpfs
  • 6bbee6de5 docs: remove 'ceph-data' from volume examples/docs
  • 07acb3bd2 fix: use correct order to determine SideroV1 keys directory path
  • 2d57fa002 fix: trim zero bytes in the DHCP host & domain response
  • 451cb5f78 docs: clarify disk partition confusion
  • a2122ee5c feat: implement HostConfig multi-doc
  • 69ab076b4 fix: re-create cgroups when restarting runners
  • 297b5cc28 docs: add docs on node labels
  • e168512dd fix: apply 'ro' flag to iso9660 filesystems
  • 7f7acfbb9 docs: fix typo in doc
  • d57882b18 feat: update Kubernetes to 1.34.1
  • f85f82f32 test: fix flakiness in RawVolumes test
  • 82569e319 feat: update Linux 6.16.6
  • 2fd2ab4e4 fix: remove CoreDNS cpu limit
  • ce9bc32a0 chore(ci): rekres to use new runner groups
  • 8b64f68f6 test: improve test stability
  • 272cb860d chore: drop the --input-dir flag from the cluster create command
  • 1b6533675 docs: add note about ca-signed certs for secureboot
  • d3f88f50c docs: document talos vip failover behavior
  • 005fc8bd5 docs: add docs on syncing configs after a kube upgrade
  • 4d876d9af feat: update Go to 1.25.1
  • 2b556cd22 feat: implement multi-doc StaticHostConfig
  • a7b776842 docs: replace Raspberry Pi 5 links with Talos builder
  • a349b20ed docs: clarify that talos does not support intermediate ca
  • 895133de9 feat: support configuring PCR states to bind disk encryption
  • c1360103b docs: fix command for uploading image on Hetzner
  • 43b5b9d89 fix: correctly handle status-code 204
  • feeb0d312 feat: update runc to 1.3.1
  • 421634a14 docs: add docs on multihoming
  • 41af2d230 refactor: clean up internal cluster creation code
  • 3000d9e43 fix: don't bootstrap talos cluster if there's no config present
  • 79cb871d0 feat: use the id of the volume in the mapped luks2 name
  • 6c322710d chore: refactor mount package
  • ced7186e2 refactor: update COSI to 1.11.0
  • de2e24fcd docs: clarify that install-cni image is deprecated
  • bef8ef509 docs: add docs on cilium's compatibility with kubespan
  • e5acb10fc feat: update pkgs
  • c4c1daf0e docs: add info about br_netfilter
  • 5c52ecac3 docs: clarify interactive dashboard resolution control
  • 15ecb02a4 feat: update Linux kernel (memcg_v1, ublk)
  • 53f18c2f6 fix: enable support for VMWare arm64
  • 3bbe1c0da docs: add docs on grow flag
  • b9fb09dcd release(v1.12.0-alpha.0): prepare release
  • 6a389cad3 chore: update dependencies
  • 9d98c2e89 feat: add a cgroup preset for PSI and --skip-cri-resolve
  • 072f77b16 chore: prepare for future Talos 1.12-alpha.0 release
  • 96f41ce88 docs: update qemu and docker docs
  • a751cd6b7 docs: activate Talos v1.11 docs by default
  • e8f1ec1c5 docs: fix broken create qemu command v1.11 docs
  • 639f0dfdd feat: update Linux to 6.16.4
  • 8aa7b3933 fix: bring back linux/armv7 build and update xz
  • 9cae7ba6b feat: update CoreDNS to 1.12.3
  • cfef3ad45 fix: drop linux/armv7 build
  • 42ea2ac50 fix: update xz module (security)
  • 4fcfd35b9 docs: fix module name example
  • 50824599a chore: update some tools
  • bcd297490 feat: allow Ed25519 in FIPS mode
  • 5992138bb test: ignore one leaking goroutine
  • d155326c1 docs: add sbc unofficial ports docs
  • 285fa7d22 docs: add the deploy application docs
  • 527791f09 feat: up...

v1.11.2

25 Sep 15:15
v1.11.2
511b4d2

Talos 1.11.2 (2025-09-25)

Welcome to the v1.11.2 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

runc: 1.3.1
Kubernetes: 1.34.1
Linux: 6.12.48
linux-firmware: 20250917

Talos is built with Go 1.24.6.

Contributors

  • Andrey Smirnov
  • Mateusz Urbanek
  • Noel Georgi
  • Dmitrii Sharshakov
  • Oguz Kilcan
  • Serge Logvinov

Changes

17 commits

  • 511b4d2e8 release(v1.11.2): prepare release
  • ac452574e fix: default gateway as string
  • 7cec0e042 fix: uefi boot entry handling logic
  • 637154ed2 docs: drop invalid v1.12 docs
  • a6d2f65a6 chore(ci): rekres to use new runner groups
  • cd82ee204 refactor: efivarfs mock and tests
  • 996d97de6 chore: update pkgs
  • bbf860c5c docs: update component updates
  • 24c1bcecf fix: bump trustd memory limit
  • 56d6d6f75 chore: pass in github token to imager
  • 682df89d7 fix: use correct order to determine SideroV1 keys directory path
  • a838881fa fix: trim zero bytes in the DHCP host & domain response
  • 9c962ae9c fix: re-create cgroups when restarting runners
  • de243f9ae test: fix flakiness in RawVolumes test
  • ec8fde596 feat: update Kubernetes to 1.34.1
  • 797897dfb test: improve test stability
  • 98273666e feat: update runc to 1.3.1

Changes from siderolabs/pkgs

3 commits

Dependency Changes

  • github.com/siderolabs/pkgs v1.11.0-18-g1a25681 -> v1.11.0-21-gf95c679
  • github.com/siderolabs/talos/pkg/machinery v1.11.1 -> v1.11.2
  • k8s.io/api v0.34.0 -> v0.34.1
  • k8s.io/apiextensions-apiserver v0.34.0 -> v0.34.1
  • k8s.io/apiserver v0.34.0 -> v0.34.1
  • k8s.io/client-go v0.34.0 -> v0.34.1
  • k8s.io/component-base v0.34.0 -> v0.34.1
  • k8s.io/kube-scheduler v0.34.0 -> v0.34.1
  • k8s.io/kubectl v0.34.0 -> v0.34.1
  • k8s.io/kubelet v0.34.0 -> v0.34.1
  • k8s.io/pod-security-admission v0.34.0 -> v0.34.1

Previous release can be found at v1.11.1

Images

ghcr.io/siderolabs/flannel:v0.27.2
registry.k8s.io/coredns/coredns:v1.12.3
gcr.io/etcd-development/etcd:v3.6.4
registry.k8s.io/kube-apiserver:v1.34.1
registry.k8s.io/kube-controller-manager:v1.34.1
registry.k8s.io/kube-scheduler:v1.34.1
registry.k8s.io/kube-proxy:v1.34.1
ghcr.io/siderolabs/kubelet:v1.34.1
ghcr.io/siderolabs/installer:v1.11.2
registry.k8s.io/pause:3.10

v1.11.1

08 Sep 17:23
v1.11.1
8e85c83

Talos 1.11.1 (2025-09-08)

Welcome to the v1.11.1 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.12.45
CoreDNS: 1.12.3

Talos is built with Go 1.24.6.

Contributors

  • Andrey Smirnov
  • Markus Freitag
  • Olivier Doucet
  • Sammy ETUR

Changes

7 commits

  • 8e85c8362 release(v1.11.1): prepare release
  • ff8644cd2 fix: correctly handle status-code 204
  • 7d5fe2d0f feat: update Linux kernel (memcg_v1, ublk)
  • 9e310a9dd fix: enable support for VMWare arm64
  • f7620f028 feat: update CoreDNS to 1.12.3
  • 01bf2f6f9 feat: add SOCKS5 proxy support to dynamic proxy dialer
  • 8a578bc4a feat: update Linux to 6.12.45

Changes from siderolabs/pkgs

3 commits

Dependency Changes

  • cloud.google.com/go/compute/metadata v0.7.0 -> v0.8.0
  • github.com/aws/aws-sdk-go-v2/config v1.29.17 -> v1.31.2
  • github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 -> v1.18.4
  • github.com/aws/smithy-go v1.22.4 -> v1.22.5
  • github.com/miekg/dns v1.1.67 -> v1.1.68
  • github.com/siderolabs/pkgs v1.11.0-15-g2ac857a -> v1.11.0-18-g1a25681
  • github.com/siderolabs/talos/pkg/machinery v1.11.0 -> v1.11.1
  • golang.org/x/net v0.42.0 -> v0.43.0
  • golang.org/x/sys v0.34.0 -> v0.35.0
  • golang.org/x/term v0.33.0 -> v0.34.0
  • golang.org/x/text v0.27.0 -> v0.28.0
  • google.golang.org/grpc v1.73.0 -> v1.75.0
  • google.golang.org/protobuf v1.36.6 -> v1.36.8

Previous release can be found at v1.11.0

Images

ghcr.io/siderolabs/flannel:v0.27.2
registry.k8s.io/coredns/coredns:v1.12.3
gcr.io/etcd-development/etcd:v3.6.4
registry.k8s.io/kube-apiserver:v1.34.0
registry.k8s.io/kube-controller-manager:v1.34.0
registry.k8s.io/kube-scheduler:v1.34.0
registry.k8s.io/kube-proxy:v1.34.0
ghcr.io/siderolabs/kubelet:v1.34.0
ghcr.io/siderolabs/installer:v1.11.1
registry.k8s.io/pause:3.10

v1.12.0-alpha.0

02 Sep 15:06
v1.12.0-alpha.0
b9fb09d

v1.12.0-alpha.0 Pre-release

Talos 1.12.0-alpha.0 (2025-09-02)

Welcome to the v1.12.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.16.4

Talos is built with Go 1.25.0.

Contributors

  • Andrey Smirnov
  • Dmitrii Sharshakov
  • Noel Georgi
  • Orzelius
  • Oguz Kilcan
  • Amarachi Iheanacho
  • Mateusz Urbanek
  • 459below
  • Alp Celik
  • Andrew Longwill
  • Dmitry
  • George Gaál
  • Guillaume LEGRAIN
  • Justin Garrison
  • Misha Aksenov
  • MrMrRubic
  • Olivier Doucet
  • Tom
  • Utku Ozdemir
  • kassad

Changes

99 commits

  • b9fb09dcd release(v1.12.0-alpha.0): prepare release
  • 6a389cad3 chore: update dependencies
  • 9d98c2e89 feat: add a cgroup preset for PSI and --skip-cri-resolve
  • 072f77b16 chore: prepare for future Talos 1.12-alpha.0 release
  • 96f41ce88 docs: update qemu and docker docs
  • a751cd6b7 docs: activate Talos v1.11 docs by default
  • e8f1ec1c5 docs: fix broken create qemu command v1.11 docs
  • 639f0dfdd feat: update Linux to 6.16.4
  • 8aa7b3933 fix: bring back linux/armv7 build and update xz
  • 9cae7ba6b feat: update CoreDNS to 1.12.3
  • cfef3ad45 fix: drop linux/armv7 build
  • 42ea2ac50 fix: update xz module (security)
  • 4fcfd35b9 docs: fix module name example
  • 50824599a chore: update some tools
  • bcd297490 feat: allow Ed25519 in FIPS mode
  • 5992138bb test: ignore one leaking goroutine
  • d155326c1 docs: add sbc unofficial ports docs
  • 285fa7d22 docs: add the deploy application docs
  • 527791f09 feat: update Kubernetes to 1.34.0
  • a1c0e237d feat: update Linux to 6.15.11, Go to 1.25
  • 4d7fc25f8 docs: switch order of wipe disk command
  • 7368a994d feat: add SOCKS5 proxy support to dynamic proxy dialer
  • d63591069 chore: silence linter warnings
  • 07eb4d7ec fix: set default ram unit to MiB instead of MB
  • 6b732adc4 feat: update Linux to 6.12.43
  • b6410914f feat: add human readable byte size cli flags
  • ec70cef99 feat: update NVIDIA drivers and kernel
  • 0879efa69 feat: update Kubernetes default to v1.34.0-rc.2
  • f504639df feat: add a user-facing create qemu command
  • 558e0b09a test: fix the Image Factory PXE boot test
  • d73f0a2e5 docs: make readme badges consistent
  • f1369af98 chore: use new filesystem api on STATE partition
  • 366cedbe7 docs: link to kubernetes linux swap tuning
  • 2f5a16f5e fix: make --with-uuid-hostnames functionality available to qemu provider
  • 70612c1f9 refactor: split the PlatformConfigController
  • 511748339 docs: add system extension tier documentation
  • 009fb1540 test: don't run nvidia tests on integration/aws
  • 99674ef20 docs: apply fixes for what is new
  • 92db677b5 fix: image cache lockup on a missing volume
  • 9c97ed886 fix: version contract parsing in encryption keys handling
  • 1fc670a08 fix: dial with proxy
  • 18447d0af feat: update Linux to 6.12.41
  • f65f39b78 fix: provide mitigation CVE-1999-0524
  • 8817cc60c fix: actually use SIDEROV1_KEYS_DIR env var if it's provided
  • b08b20a10 feat: use key provider with fallback option for auth type SideroV1
  • 7a52d7489 fix: kubernetes upgrade options for kubelet
  • ea8289f55 feat: add a user facing docker command
  • 54ad64765 chore: re-enable vulncheck
  • 26bbddea9 fix: darwin build
  • b5d5ef79e fix: set secs field in DHCPv4 packets
  • c07911933 chore: refactor how tools are being installed
  • 34f25815c docs: fork docs for v1.12
  • b66b995d3 feat: update default Kubernetes to v1.34.0-rc.1
  • b967c587d docs: fix clone URL to include .git
  • b72c68398 docs: edit the insecure, etcd-metrics, inline and extramanifests
  • e5b9c1fff docs: remove RAS Syndrome
  • 701fe774b docs: fix cilium links and bump to 1.18.0
  • d306713a1 feat: update Go to 1.24.6
  • 721595a00 chore: add deadcode elimination linter
  • dc4865915 refactor: stop using text/template in machined code paths
  • 545be55ed feat: add a pause function to dashboard
  • 06a6c0fe3 refactor: fix deadcode elimination with godbus
  • 2dce8f8d4 refactor: replace containerd/containerd/v2 module for proper DCE
  • 9b11d8608 chore: rekres to configure slack notify workflow for CI failures
  • 5ce6a660f docs: augment the pod security docs
  • ada51ff69 fix: unmarshal encryption STATE from META
  • b9e9b2e07 docs: add what is new notes for 1.11
  • 53055bdf4 docs: fix typo in kubevirt page
  • 8d12db480 fix: one more attempt to fix volume mount race on restart
  • 34d37a268 chore: rekres to use correct slack channel for slack-notify
  • 326a00538 feat: implement talos.config.early command line arg
  • a5f3000f2 feat: implement encryption locking to STATE
  • c1e65a342 docs: remove talos API flags from mgmt commands
  • 181d0bbf5 feat: bootedentry resource
  • 7ad439ac3 fix: enforce minimum size on user volumes if not set explicitly
  • 50e37aefd fix: live reload of TLS client config for discovery client
  • 87efd75ef feat: update containerd to 2.1.4
  • 724b9de6d feat: add F71808E watchdog driver
  • 8af96f7af docs: add ETCD downgrade documentation
  • 44edd205d docs: add remark about 'exclude-from-external-load-balancers' label
  • 727101926 fix(ci): use a random suffix for ami names
  • d621ce372 fix: grype scan
  • d62e255c2 fix: issues with reading GPT
  • 5d0883e14 feat: update PCI DB module to v0.3.2
  • 3751c8ccf test: wait for service account test job longer
  • a592eb9f9 feat: update Linux to 6.12.40
  • 4c40e6d3f feat: update etcd to 3.6.4
  • 2bc37bd2c docs: fix error in kernel module guide
  • bfc57fb86 chore: tag aws snapshots created via ci with the image name
  • 06ef7108a fix: issue with volume remount on service restart
  • 03efbff18 docs: add SBOM documentation
  • af8a2869d fix: do not download artifacts for cron Grype scan
  • 5f442159b feat: unify disk encryption configuration
  • 38e176e59 chore(ci): fix datasource versioning
  • 85d6b9198 feat: update etcd to v3.5.22
  • dd7bd2dab docs: rewrite the getting started and prod docs for v1.10 and v1.11
  • 136a899aa chore: regenerate release step with signing fixes
  • 450b30d5a chore(ci): add more nvidia test matrix
  • 451c2c4c3 test: add talosctl:latest to the image cache

Changes from siderolabs/go-debug

1 commit

Changes from siderolabs/go-loadbalancer

1 commit

Changes from siderolabs/pkgs

16 commits

Changes from siderolabs/tools

6 commits

Dependency Changes

...

v1.11.0

01 Sep 11:04
v1.11.0
d9d89a3

Talos 1.11.0 (2025-09-01)

Welcome to the v1.11.0 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Azure

Talos on Azure now defaults to MTU of 1400 bytes for the eth0 interface to avoid packet fragmentation issues.
The default MTU can be overridden via machine configuration.

Boot

Talos boot partition size increased to 2 GiB to accommodate large images (with many system extensions included).

Kernel Command Line

Talos now exposes the kernel command line as a KernelCmdline resource (talosctl get cmdline).

Disk Encryption

Disk encryption for system volumes is now managed by the VolumeConfig machine configuration document.
Legacy configuration in valpha1 machine configuration is still supported.

A new per-key option lockToSTATE is added to the VolumeConfig document, which allows locking the volume encryption key to the secret salt in the STATE volume.
So, if the STATE volume is wiped or replaced, the volume encryption key will not be usable anymore.

Disk Wipe

Talos now supports the talosctl disk wipe command in maintenance mode (talosctl disk wipe <disk> --insecure).

Early Inline Configuration

Talos now supports passing early inline configuration via the talos.config.early kernel parameter.
This allows passing the configuration before the platform config source is probed, which is useful for early boot configuration.
The value of this parameter has the same format as the talos.config.inline parameter, i.e. it should be base64 encoded and zstd-compressed.

ETCD downgrade API

Added ETCD downgrade API mimicking the ETCD API and etcdctl interfaces.
This API allows downgrading the ETCD cluster (storage format) to a previous version.

IMA support removed

Talos now drops the IMA (Integrity Measurement Architecture) support. This feature was not used in Talos for any meaningful security purpose
and has historically caused performance issues. See #11133 for more details.

Kubernetes Version Validation

Talos now validates the Kubernetes version in the image specified in the machine configuration.
Previously this check was performed only on upgrade, but now it is consistently applied to upgrade, initial provisioning, and machine configuration updates.

This implies that all image references should contain the tag, even if the image is pinned by digest.
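A pre-flight lint for the rule above, as an added example (not Talos's own validation code): it flags image references that carry no tag, including digest-pinned ones and ones whose registry has a port. It assumes the Kubernetes version is read from a vMAJOR.MINOR.PATCH tag; the function names, the `registry.local:5000` host and the all-zero digest are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrNoTag marks a reference that has no tag to read a version from.
var ErrNoTag = errors.New("image reference has no tag")

// constructedDigest is a placeholder digest used only for the samples.
var constructedDigest = "sha256:" + strings.Repeat("0", 64)

// ImageRef holds the parts of an image reference this check needs.
type ImageRef struct {
	Repository, Tag, Digest string
}

// ParseImageRef splits a reference of the form repo[:tag][@algo:hex].
func ParseImageRef(ref string) (ImageRef, error) {
	var out ImageRef
	rest := strings.TrimSpace(ref)
	if i := strings.IndexByte(rest, '@'); i >= 0 {
		out.Digest = rest[i+1:]
		rest = rest[:i]
		if algo, hex, ok := strings.Cut(out.Digest, ":"); !ok || algo == "" || hex == "" {
			return out, fmt.Errorf("%q: malformed digest", ref)
		}
	}
	// A colon separates the tag only when it comes after the last slash;
	// an earlier colon is a registry port such as registry.local:5000.
	if i := strings.LastIndexByte(rest, ':'); i > strings.LastIndexByte(rest, '/') {
		out.Tag = rest[i+1:]
		rest = rest[:i]
	}
	if rest == "" {
		return out, fmt.Errorf("%q: missing repository", ref)
	}
	out.Repository = rest
	return out, nil
}

// KubernetesVersion returns MAJOR.MINOR.PATCH read from the tag, or an
// error when the tag is absent or is not a version (for example "latest").
func KubernetesVersion(ref string) (string, error) {
	img, err := ParseImageRef(ref)
	if err != nil {
		return "", err
	}
	if img.Tag == "" {
		return "", fmt.Errorf("%q: %w", ref, ErrNoTag)
	}
	// Drop the leading "v" and any pre-release suffix such as "-rc.2".
	core, _, _ := strings.Cut(strings.TrimPrefix(img.Tag, "v"), "-")
	parts := strings.Split(core, ".")
	bad := fmt.Errorf("%q: tag %q is not a vMAJOR.MINOR.PATCH version", ref, img.Tag)
	if len(parts) != 3 {
		return "", bad
	}
	for _, p := range parts {
		if _, err := strconv.ParseUint(p, 10, 32); err != nil {
			return "", bad
		}
	}
	return core, nil
}

func main() {
	// Constructed sample references.
	refs := []string{
		"ghcr.io/siderolabs/kubelet:v1.34.1",
		"ghcr.io/siderolabs/kubelet:v1.34.1@" + constructedDigest,
		"ghcr.io/siderolabs/kubelet@" + constructedDigest,
		"registry.local:5000/siderolabs/kubelet@" + constructedDigest,
		"ghcr.io/siderolabs/kubelet:latest",
	}
	for _, ref := range refs {
		if v, err := KubernetesVersion(ref); err != nil {
			fmt.Println("REJECT", err)
		} else {
			fmt.Println("OK    ", ref, "->", v)
		}
	}
}
```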

Qemu provisioner on MacOS

On MacOS, the talosctl cluster create command now supports the Qemu provisioner in addition to the Docker provisioner.

Kernel Modules

Talosctl now returns the loaded modules, not the modules configured to be loaded (talosctl get modules).

SBOM

Talos now publishes Software Bill of Materials (SBOM) in the SPDX format.

Swap Support

Talos now supports swap on block devices.
This feature can be enabled by using the SwapVolumeConfig document in the machine configuration.

Component Updates

Linux: 6.12.43
Kubernetes: 1.34.0
runc: 1.3.0
etcd: 3.6.4
containerd: 2.1.4
Flannel CNI plugin: 1.7.1-flannel1
Flannel: 0.27.2
CoreDNS: 1.12.2
xfsprogs: 6.15.0
systemd-udevd and systemd-boot: 257.7
lvm2: 2.03.33
cryptsetup: 2.8.0

Talos is built with Go 1.24.6.

VMware

Talos VMWare platform now supports arm64 architecture in addition to amd64.

Volumes

Talos now supports raw user volumes, allowing unformatted disk space to be allocated as a partition.
In addition, support for existing volumes has been added, allowing existing partitions to be mounted without formatting them.

Zswap Support

Talos now supports zswap, a compressed cache for swap pages.
This feature can be enabled by using the ZswapConfig document in the machine configuration.

Contributors

  • Andrey Smirnov
  • Noel Georgi
  • Dmitrii Sharshakov
  • Orzelius
  • Mateusz Urbanek
  • Orzelius
  • Justin Garrison
  • Oguz Kilcan
  • Spencer Smith
  • Steve Francis
  • Till Hoffmann
  • Utku Ozdemir
  • Andrew Longwill
  • Artem Chernyshev
  • Michael Robbins
  • Alexandre GV
  • Marat Bakeev
  • Olav Thoresen
  • Thibault VINCENT
  • Alp Celik
  • Alvaro "Chamo" Linares Cabre
  • Amarachi Iheanacho
  • Brian Brookman
  • Bryan Mora
  • Clément Nussbaumer
  • Damien
  • David R
  • Dennis Marttinen
  • Dmitriy Matrenichev
  • Guillaume LEGRAIN
  • Joakim Nohlgård
  • Jorik Jonker
  • Justin Seely
  • Luke Cousins
  • Marco Mihai Condrache
  • Markus Reiter
  • Martyn Ranyard
  • Michael Moerz
  • Mike
  • Tan Siewert
  • Tom Keur
  • jvanthienen-gluo
  • killcity
  • yashutanu

Changes

279 commits

  • d9d89a3a8 release(v1.11.0): prepare release
  • 364b48690 feat: update pkgs/tools for pcre2 10.46
  • be70ea03f feat: update pkgs for NVIDIA prod 570.172.08
  • a5f80b4fe fix: bring back linux/armv7 build and update xz
  • 751dae432 fix: drop linux/armv7 build
  • 8cbd75320 fix: update xz module (security)
  • 803ed1ef9 feat: update Kubernetes to 1.34.0
  • a80898da9 feat: update Linux to 6.12.43
  • 30c14aa71 feat: update Kubernetes default to v1.34.0-rc.2
  • ed7d8cbac docs: link to kubernetes linux swap tuning
  • 1ee82120e docs: apply fixes for what is new
  • 36102eae1 release(v1.11.0-rc.0): prepare release
  • 0f22913d9 fix: image cache lockup on a missing volume
  • 46cf25c7c feat: update Linux to 6.12.41
  • 62f6c97fe fix: provide mitigation CVE-1999-0524
  • 350319063 fix: actually use SIDEROV1_KEYS_DIR env var if it's provided
  • 430a27dc2 fix: kubernetes upgrade options for kubelet
  • e3a9097c4 fix: set secs field in DHCPv4 packets
  • babddd0e4 fix: dial with proxy
  • 23efda4db feat: use key provider with fallback option for auth type SideroV1
  • e2a5a9b3f chore: re-enable vulncheck
  • f5d700a0c release(v1.11.0-beta.2): prepare release
  • 6186d1821 chore: disable vulncheck temporarily
  • e4a2a8d9c feat: update default Kubernetes to v1.34.0-rc.1
  • 4c4236d7e feat: update Go to 1.24.6
  • a01a390f6 chore: add deadcode elimination linter
  • 49fad0ede feat: add a pause function to dashboard
  • 21e8e9dc9 refactor: replace containerd/containerd/v2 module for proper DCE
  • bbd01b6b7 refactor: fix deadcode elimination with godbus
  • e8d9c81cc refactor: stop using text/template in machined code paths
  • 85589662a fix: unmarshal encryption STATE from META
  • f10a626d2 docs: add what is new notes for 1.11
  • 5a15ce88b release(v1.11.0-beta.1): prepare release
  • 614ca2e22 fix: one more attempt to fix volume mount race on restart
  • 4b86dfe6f feat: implement encryption locking to STATE
  • 8ae76c320 feat: implement talos.config.early command line arg
  • 19f8c605e docs: remove talos API flags from mgmt commands
  • fa1d6fef8 feat: bootedentry resource
  • 7dee810d4 fix: live reload of TLS client config for discovery client
  • a5dc22466 fix: enforce minimum size on user volumes if not set explicitly
  • 7836e924d feat: update containerd to 2.1.4
  • 5012550ec feat: add F71808E watchdog driver
  • 10ddc4cdd fix: grype scan
  • d108e0a08 fix(ci): use a random suffix for ami names
  • 504225546 fix: issues with reading GPT
  • bdaf08dd4 feat: update PCI DB module to v0.3.2
  • 667dcebec test: wait for service account test job longer
  • ae176a4b7 feat: update etcd to 3.6.4
  • 201b6801f fix: issue with volume remount on service restart
  • 2a911402b chore: tag aws snapshots created via ci with the image name
  • d8bd84b56 docs: add SBOM documentation
  • 7eec61993 feat: unify disk encryption configuration
  • 4ff2bf9e0 feat: update etcd to v3.5.22
  • 31a67d379 fix: do not download artifacts for cron Grype scan
  • c6b6e0bb3 docs: rewrite the getting started and prod docs for v1.10 and v1.11
  • ca1c656e6 chore(ci): add more nvidia test matrix
  • 7a2e0f068 feat: sync pkgs, update Linux to 6.12.40
  • 85e7989cf release(v1.11.0-beta.0): prepare release
  • 3039162dc feat: update Flannel to v0.27.2
  • 7e6052e63 feat: increase boot partition to 2 GiB
  • cb7ca17bb feat: implement ExistingVolumeConfig
  • a857c696f chore(machined): remove deprecated Endpoints
  • a60101c55 fix: fill serial using helpers
  • 5420e9979 refactor: output default selection for profiles
  • 023a24cd4 test: use Grype to scan SBOM for vulnerabilities
  • 96896fddb chore: build less images by default
  • 75b5dec06 fix: sd-boot kexec with disk images
  • 10546d6f8 feat: update Kubernetes 1.34.0-beta.0
  • siderolabs/talos@3...

v1.10.7

26 Aug 16:37
v1.10.7
71de2e2

Talos 1.10.7 (2025-08-26)

Welcome to the v1.10.7 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.12.43
Kubernetes: 1.33.4

Talos is built with Go 1.24.6.

Contributors

  • Andrey Smirnov

Changes

6 commits

  • 71de2e23b release(v1.10.7): prepare release
  • d7936dec6 fix: image cache lockup on a missing volume
  • f6541fa71 fix: live reload of TLS client config for discovery client
  • 29cfd9fd0 fix: enforce minimum size on user volumes if not set explicitly
  • 83dcca3c7 feat: add F71808E watchdog driver
  • 3f05c3922 feat: update Linux and Kubernetes

Changes from siderolabs/discovery-client

3 commits

Changes from siderolabs/pkgs

5 commits

Changes from siderolabs/tools

1 commit

Dependency Changes

  • github.com/siderolabs/discovery-client v0.1.11 -> v0.1.13
  • github.com/siderolabs/pkgs v1.10.0-29-g2e6dd0a -> v1.10.0-34-g88700c7
  • github.com/siderolabs/talos/pkg/machinery v1.10.6 -> v1.10.7
  • github.com/siderolabs/tools v1.10.0-5-g31fd099 -> v1.10.0-6-g306d9d9
  • google.golang.org/grpc v1.71.3 -> v1.73.0
  • k8s.io/api v0.33.2 -> v0.33.4
  • k8s.io/apiserver v0.33.2 -> v0.33.4
  • k8s.io/client-go v0.33.2 -> v0.33.4
  • k8s.io/component-base v0.33.2 -> v0.33.4
  • k8s.io/kube-scheduler v0.33.2 -> v0.33.4
  • k8s.io/kubectl v0.33.2 -> v0.33.4
  • k8s.io/kubelet v0.33.2 -> v0.33.4
  • k8s.io/pod-security-admission v0.33.2 -> v0.33.4

Previous release can be found at v1.10.6

Images

ghcr.io/siderolabs/flannel:v0.26.7
registry.k8s.io/coredns/coredns:v1.12.1
gcr.io/etcd-development/etcd:v3.5.21
registry.k8s.io/kube-apiserver:v1.33.4
registry.k8s.io/kube-controller-manager:v1.33.4
registry.k8s.io/kube-scheduler:v1.33.4
registry.k8s.io/kube-proxy:v1.33.4
ghcr.io/siderolabs/kubelet:v1.33.4
ghcr.io/siderolabs/installer:v1.10.7
registry.k8s.io/pause:3.10

v1.11.0-rc.0

19 Aug 09:52
v1.11.0-rc.0
36102ea

v1.11.0-rc.0 Pre-release

Talos 1.11.0-rc.0 (2025-08-19)

Welcome to the v1.11.0-rc.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Azure

Talos on Azure now defaults to MTU of 1400 bytes for the eth0 interface to avoid packet fragmentation issues.
The default MTU can be overridden with machine configuration.

Boot

Talos increases the boot partition size to 2 GiB to accommodate larger images (with many system extensions included).

Kernel Command Line

Talos now exposes the kernel command line as a KernelCmdline resource (talosctl get cmdline).

Disk Encryption

Disk encryption for system volumes is now managed by the VolumeConfig machine configuration document.
Legacy configuration in v1alpha1 machine configuration is still supported.

A new per-key option, lockToSTATE, is added to the VolumeConfig document; it locks the volume encryption key to the secret salt in the STATE volume.
So, if the STATE volume is wiped or replaced, the volume encryption key will not be usable anymore.

Disk Wipe

Talos now supports the talosctl disk wipe command in maintenance mode (talosctl disk wipe <disk> --insecure).

Early Inline Configuration

Talos now supports passing early inline configuration via the talos.config.early kernel parameter.
This allows passing the configuration before the platform config source is probed, which is useful for early boot configuration.
The value of this parameter has the same format as the talos.config.inline parameter, i.e. it should be base64 encoded and zstd-compressed.

ETCD downgrade API

Added an ETCD downgrade API that mimics the ETCD API and etcdctl interfaces.
This API allows downgrading the ETCD cluster (storage format) to a previous version.

IMA support removed

Talos now drops the IMA (Integrity Measurement Architecture) support. This feature was not used in Talos for any meaningful security purpose
and has historically caused performance issues. See #11133 for more details.

Kubernetes Version Validation

Talos now validates the Kubernetes version in the image submitted in the machine configuration.
Previously this check was performed only on upgrade, but now it is consistently applied to upgrade, initial provisioning, and machine configuration updates.

This implies that all image references should contain the tag, even if the image is pinned by digest.
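A pre-flight check for the tag requirement above, as an added example (not Talos code): it only checks that a tag is present and does not reproduce Talos's own version validation. The type and function names, the sample references and the digest are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageRef is the split form of "name[:tag][@digest]".
type ImageRef struct {
	Name   string // registry and repository, e.g. ghcr.io/siderolabs/kubelet
	Tag    string // empty when the reference carries no tag
	Digest string // empty when the reference is not pinned by digest
}

// ParseImageRef splits a reference without contacting any registry.
func ParseImageRef(ref string) (ImageRef, error) {
	var out ImageRef
	rest := strings.TrimSpace(ref)

	// The digest, if any, follows the "@".
	if i := strings.Index(rest, "@"); i >= 0 {
		out.Digest = rest[i+1:]
		rest = rest[:i]
		if !strings.Contains(out.Digest, ":") {
			return out, fmt.Errorf("malformed digest in %q", ref)
		}
	}

	// A colon after the last "/" starts the tag; a colon before it is a
	// registry port (localhost:5000/kubelet) and must not be read as a tag.
	if i := strings.LastIndex(rest, ":"); i > strings.LastIndex(rest, "/") {
		out.Tag = rest[i+1:]
		rest = rest[:i]
	}

	if rest == "" {
		return out, fmt.Errorf("empty image name in %q", ref)
	}
	out.Name = rest
	return out, nil
}

// Untagged returns the references that have no tag or do not parse.
func Untagged(refs []string) []string {
	var bad []string
	for _, ref := range refs {
		if r, err := ParseImageRef(ref); err != nil || r.Tag == "" {
			bad = append(bad, ref)
		}
	}
	return bad
}

func main() {
	digest := "sha256:" + strings.Repeat("a", 64) // constructed placeholder digest
	refs := []string{ // constructed sample references
		"ghcr.io/siderolabs/kubelet:v1.34.0-rc.1",
		"ghcr.io/siderolabs/kubelet:v1.34.0-rc.1@" + digest,
		"ghcr.io/siderolabs/kubelet@" + digest,
		"localhost:5000/kubelet@" + digest,
	}
	for _, ref := range Untagged(refs) {
		fmt.Println("missing tag:", ref)
	}
}
```

Running it over the image references in a machine configuration before applying it shows which digest-pinned entries still need a tag added.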

Qemu provisioner on macOS

On macOS, the talosctl cluster create command now supports the Qemu provisioner in addition to the Docker provisioner.

Kernel Modules

Talosctl now returns the loaded modules, not the modules configured to be loaded (talosctl get modules).

SBOM

Talos now publishes Software Bill of Materials (SBOM) in the SPDX format.

Swap Support

Talos now supports swap on block devices.
This feature can be enabled by using the SwapVolumeConfig document in the machine configuration.

Component Updates

Linux: 6.12.41
Kubernetes: 1.34.0-rc.1
runc: 1.3.0
etcd: 3.6.4
containerd: 2.1.4
Flannel CNI plugin: 1.7.1-flannel1
Flannel: 0.27.2
CoreDNS: 1.12.2
xfsprogs: 6.15.0
systemd-udevd and systemd-boot: 257.7
lvm2: 2.03.33
cryptsetup: 2.8.0

Talos is built with Go 1.24.6.

VMware

The Talos VMware platform now supports arm64 architecture in addition to amd64.

Volumes

Talos now supports raw user volumes, which allocate unformatted disk space as a partition.
In addition, support for existing volumes has been added, which allows mounting existing partitions without formatting them.

Zswap Support

Talos now supports zswap, a compressed cache for swap pages.
This feature can be enabled by using the ZswapConfig document in the machine configuration.

Contributors

  • Andrey Smirnov
  • Noel Georgi
  • Dmitrii Sharshakov
  • Orzelius
  • Mateusz Urbanek
  • Orzelius
  • Justin Garrison
  • Oguz Kilcan
  • Spencer Smith
  • Steve Francis
  • Till Hoffmann
  • Utku Ozdemir
  • Andrew Longwill
  • Artem Chernyshev
  • Michael Robbins
  • Alexandre GV
  • Marat Bakeev
  • Olav Thoresen
  • Thibault VINCENT
  • Alp Celik
  • Alvaro "Chamo" Linares Cabre
  • Amarachi Iheanacho
  • Brian Brookman
  • Bryan Mora
  • Clément Nussbaumer
  • Damien
  • David R
  • Dennis Marttinen
  • Dmitriy Matrenichev
  • Joakim Nohlgård
  • Jorik Jonker
  • Justin Seely
  • Luke Cousins
  • Marco Mihai Condrache
  • Markus Reiter
  • Martyn Ranyard
  • Michael Moerz
  • Mike
  • Tan Siewert
  • Tom Keur
  • jvanthienen-gluo
  • killcity
  • yashutanu

Changes

268 commits

  • 36102eae1 release(v1.11.0-rc.0): prepare release
  • 0f22913d9 fix: image cache lockup on a missing volume
  • 46cf25c7c feat: update Linux to 6.12.41
  • 62f6c97fe fix: provide mitigation CVE-1999-0524
  • 350319063 fix: actually use SIDEROV1_KEYS_DIR env var if it's provided
  • 430a27dc2 fix: kubernetes upgrade options for kubelet
  • e3a9097c4 fix: set secs field in DHCPv4 packets
  • babddd0e4 fix: dial with proxy
  • 23efda4db feat: use key provider with fallback option for auth type SideroV1
  • e2a5a9b3f chore: re-enable vulncheck
  • f5d700a0c release(v1.11.0-beta.2): prepare release
  • 6186d1821 chore: disable vulncheck temporarily
  • e4a2a8d9c feat: update default Kubernetes to v1.34.0-rc.1
  • 4c4236d7e feat: update Go to 1.24.6
  • a01a390f6 chore: add deadcode elimination linter
  • 49fad0ede feat: add a pause function to dashboard
  • 21e8e9dc9 refactor: replace containerd/containerd/v2 module for proper DCE
  • bbd01b6b7 refactor: fix deadcode elimination with godbus
  • e8d9c81cc refactor: stop using text/template in machined code paths
  • 85589662a fix: unmarshal encryption STATE from META
  • f10a626d2 docs: add what is new notes for 1.11
  • 5a15ce88b release(v1.11.0-beta.1): prepare release
  • 614ca2e22 fix: one more attempt to fix volume mount race on restart
  • 4b86dfe6f feat: implement encryption locking to STATE
  • 8ae76c320 feat: implement talos.config.early command line arg
  • 19f8c605e docs: remove talos API flags from mgmt commands
  • fa1d6fef8 feat: bootedentry resource
  • 7dee810d4 fix: live reload of TLS client config for discovery client
  • a5dc22466 fix: enforce minimum size on user volumes if not set explicitly
  • 7836e924d feat: update containerd to 2.1.4
  • 5012550ec feat: add F71808E watchdog driver
  • 10ddc4cdd fix: grype scan
  • d108e0a08 fix(ci): use a random suffix for ami names
  • 504225546 fix: issues with reading GPT
  • bdaf08dd4 feat: update PCI DB module to v0.3.2
  • 667dcebec test: wait for service account test job longer
  • ae176a4b7 feat: update etcd to 3.6.4
  • 201b6801f fix: issue with volume remount on service restart
  • 2a911402b chore: tag aws snapshots created via ci with the image name
  • d8bd84b56 docs: add SBOM documentation
  • 7eec61993 feat: unify disk encryption configuration
  • 4ff2bf9e0 feat: update etcd to v3.5.22
  • 31a67d379 fix: do not download artifacts for cron Grype scan
  • c6b6e0bb3 docs: rewrite the getting started and prod docs for v1.10 and v1.11
  • ca1c656e6 chore(ci): add more nvidia test matrix
  • 7a2e0f068 feat: sync pkgs, update Linux to 6.12.40
  • 85e7989cf release(v1.11.0-beta.0): prepare release
  • 3039162dc feat: update Flannel to v0.27.2
  • 7e6052e63 feat: increase boot partition to 2 GiB
  • cb7ca17bb feat: implement ExistingVolumeConfig
  • a857c696f chore(machined): remove deprecated Endpoints
  • a60101c55 fix: fill serial using helpers
  • 5420e9979 refactor: output default selection for profiles
  • 023a24cd4 test: use Grype to scan SBOM for vulnerabilities
  • 96896fddb chore: build less images by default
  • 75b5dec06 fix: sd-boot kexec with disk images
  • 10546d6f8 feat: update Kubernetes 1.34.0-beta.0
  • 3f35b83ae fix: ignore absent extensions SBOM directory
  • 9920da3e1 feat: add etcd downgrade API
  • c38682279 feat: bump pkgs and tools, read extensions' SBOMs, rekres
  • 9c0d2706c docs: add release notes about v3.6.x bug
  • d21994210 test: refactor various merge controller tests
  • da5a4449f feat: implement raw volume support
  • 41adda1cf docs: add secure boot setup mode note for Xen
  • 993b4ade8 docs: fix typo in hugo config: pre-releaase
  • 130b7fd6e test: fix flaky TestDNS
  • 35b45ae6e feat(talosctl): support tpm operation on mac
  • siderolabs/talos@24...

v1.11.0-beta.2

12 Aug 14:58
v1.11.0-beta.2
f5d700a

v1.11.0-beta.2 Pre-release

Talos 1.11.0-beta.2 (2025-08-12)

Welcome to the v1.11.0-beta.2 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Azure

Talos on Azure now defaults to MTU of 1400 bytes for the eth0 interface to avoid packet fragmentation issues.
The default MTU can be overridden with machine configuration.

Boot

Talos increases the boot partition size to 2 GiB to accommodate larger images (with many system extensions included).

Kernel Command Line

Talos now exposes the kernel command line as a KernelCmdline resource (talosctl get cmdline).

Disk Encryption

Disk encryption for system volumes is now managed by the VolumeConfig machine configuration document.
Legacy configuration in v1alpha1 machine configuration is still supported.

A new per-key option, lockToSTATE, is added to the VolumeConfig document; it locks the volume encryption key to the secret salt in the STATE volume.
So, if the STATE volume is wiped or replaced, the volume encryption key will not be usable anymore.

Disk Wipe

Talos now supports the talosctl disk wipe command in maintenance mode (talosctl disk wipe <disk> --insecure).

Early Inline Configuration

Talos now supports passing early inline configuration via the talos.config.early kernel parameter.
This allows passing the configuration before the platform config source is probed, which is useful for early boot configuration.
The value of this parameter has the same format as the talos.config.inline parameter, i.e. it should be base64 encoded and zstd-compressed.

ETCD downgrade API

Added an ETCD downgrade API that mimics the ETCD API and etcdctl interfaces.
This API allows downgrading the ETCD cluster (storage format) to a previous version.

IMA support removed

Talos now drops the IMA (Integrity Measurement Architecture) support. This feature was not used in Talos for any meaningful security purpose
and has historically caused performance issues. See #11133 for more details.

Kubernetes Version Validation

Talos now validates the Kubernetes version in the image submitted in the machine configuration.
Previously this check was performed only on upgrade, but now it is consistently applied to upgrade, initial provisioning, and machine configuration updates.

This implies that all image references should contain the tag, even if the image is pinned by digest.

Qemu provisioner on macOS

On macOS, the talosctl cluster create command now supports the Qemu provisioner in addition to the Docker provisioner.

Kernel Modules

Talosctl now returns the loaded modules, not the modules configured to be loaded (talosctl get modules).

SBOM

Talos now publishes Software Bill of Materials (SBOM) in the SPDX format.

Swap Support

Talos now supports swap on block devices.
This feature can be enabled by using the SwapVolumeConfig document in the machine configuration.

Component Updates

Linux: 6.12.40
Kubernetes: 1.34.0-rc.1
runc: 1.3.0
etcd: 3.6.4
containerd: 2.1.4
Flannel CNI plugin: 1.7.1-flannel1
Flannel: 0.27.2
CoreDNS: 1.12.2
xfsprogs: 6.15.0
systemd-udevd and systemd-boot: 257.7
lvm2: 2.03.33
cryptsetup: 2.8.0

Talos is built with Go 1.24.6.

VMware

The Talos VMware platform now supports arm64 architecture in addition to amd64.

Volumes

Talos now supports raw user volumes, which allocate unformatted disk space as a partition.
In addition, support for existing volumes has been added, which allows mounting existing partitions without formatting them.

Zswap Support

Talos now supports zswap, a compressed cache for swap pages.
This feature can be enabled by using the ZswapConfig document in the machine configuration.

Contributors

  • Andrey Smirnov
  • Noel Georgi
  • Dmitrii Sharshakov
  • Orzelius
  • Mateusz Urbanek
  • Orzelius
  • Justin Garrison
  • Spencer Smith
  • Steve Francis
  • Till Hoffmann
  • Utku Ozdemir
  • Andrew Longwill
  • Artem Chernyshev
  • Michael Robbins
  • Alexandre GV
  • Marat Bakeev
  • Olav Thoresen
  • Thibault VINCENT
  • Alvaro "Chamo" Linares Cabre
  • Amarachi Iheanacho
  • Brian Brookman
  • Bryan Mora
  • Clément Nussbaumer
  • Damien
  • David R
  • Dennis Marttinen
  • Dmitriy Matrenichev
  • Joakim Nohlgård
  • Jorik Jonker
  • Justin Seely
  • Luke Cousins
  • Marco Mihai Condrache
  • Markus Reiter
  • Martyn Ranyard
  • Michael Moerz
  • Mike
  • Oguz Kilcan
  • Tan Siewert
  • Tom Keur
  • jvanthienen-gluo
  • killcity
  • yashutanu

Changes

258 commits

  • f5d700a0c release(v1.11.0-beta.2): prepare release
  • 6186d1821 chore: disable vulncheck temporarily
  • e4a2a8d9c feat: update default Kubernetes to v1.34.0-rc.1
  • 4c4236d7e feat: update Go to 1.24.6
  • a01a390f6 chore: add deadcode elimination linter
  • 49fad0ede feat: add a pause function to dashboard
  • 21e8e9dc9 refactor: replace containerd/containerd/v2 module for proper DCE
  • bbd01b6b7 refactor: fix deadcode elimination with godbus
  • e8d9c81cc refactor: stop using text/template in machined code paths
  • 85589662a fix: unmarshal encryption STATE from META
  • f10a626d2 docs: add what is new notes for 1.11
  • 5a15ce88b release(v1.11.0-beta.1): prepare release
  • 614ca2e22 fix: one more attempt to fix volume mount race on restart
  • 4b86dfe6f feat: implement encryption locking to STATE
  • 8ae76c320 feat: implement talos.config.early command line arg
  • 19f8c605e docs: remove talos API flags from mgmt commands
  • fa1d6fef8 feat: bootedentry resource
  • 7dee810d4 fix: live reload of TLS client config for discovery client
  • a5dc22466 fix: enforce minimum size on user volumes if not set explicitly
  • 7836e924d feat: update containerd to 2.1.4
  • 5012550ec feat: add F71808E watchdog driver
  • 10ddc4cdd fix: grype scan
  • d108e0a08 fix(ci): use a random suffix for ami names
  • 504225546 fix: issues with reading GPT
  • bdaf08dd4 feat: update PCI DB module to v0.3.2
  • 667dcebec test: wait for service account test job longer
  • ae176a4b7 feat: update etcd to 3.6.4
  • 201b6801f fix: issue with volume remount on service restart
  • 2a911402b chore: tag aws snapshots created via ci with the image name
  • d8bd84b56 docs: add SBOM documentation
  • 7eec61993 feat: unify disk encryption configuration
  • 4ff2bf9e0 feat: update etcd to v3.5.22
  • 31a67d379 fix: do not download artifacts for cron Grype scan
  • c6b6e0bb3 docs: rewrite the getting started and prod docs for v1.10 and v1.11
  • ca1c656e6 chore(ci): add more nvidia test matrix
  • 7a2e0f068 feat: sync pkgs, update Linux to 6.12.40
  • 85e7989cf release(v1.11.0-beta.0): prepare release
  • 3039162dc feat: update Flannel to v0.27.2
  • 7e6052e63 feat: increase boot partition to 2 GiB
  • cb7ca17bb feat: implement ExistingVolumeConfig
  • a857c696f chore(machined): remove deprecated Endpoints
  • a60101c55 fix: fill serial using helpers
  • 5420e9979 refactor: output default selection for profiles
  • 023a24cd4 test: use Grype to scan SBOM for vulnerabilities
  • 96896fddb chore: build less images by default
  • 75b5dec06 fix: sd-boot kexec with disk images
  • 10546d6f8 feat: update Kubernetes 1.34.0-beta.0
  • 3f35b83ae fix: ignore absent extensions SBOM directory
  • 9920da3e1 feat: add etcd downgrade API
  • c38682279 feat: bump pkgs and tools, read extensions' SBOMs, rekres
  • 9c0d2706c docs: add release notes about v3.6.x bug
  • d21994210 test: refactor various merge controller tests
  • da5a4449f feat: implement raw volume support
  • 41adda1cf docs: add secure boot setup mode note for Xen
  • 993b4ade8 docs: fix typo in hugo config: pre-releaase
  • 130b7fd6e test: fix flaky TestDNS
  • 35b45ae6e feat(talosctl): support tpm operation on mac
  • 24628db20 feat: update Kubernetes to v1.34.0-alpha.3
  • ff68286d1 feat: include hwrandom modules
  • a5b07c9a5 test: split tests and lint from the default pipeline
  • a957ef416 feat: add SBOMs to the imager container
  • 506212a71 feat: include AMD encrypted mem modules into base
  • a966321cc fix: add more bootloader probe logs on upgrade
  • b38fa568a feat: add validation for secrets bundle
  • 2d89bcc71 feat: bump Linux, Go and other packages
  • 0b8c180b8 fix: rename instances to referenceCount
  • 378fe4f2f feat: support writing EFI boot order
  • siderolabs/tal...

v1.11.0-beta.1

04 Aug 17:34
v1.11.0-beta.1
5a15ce8

v1.11.0-beta.1 Pre-release

Talos 1.11.0-beta.1 (2025-08-04)

Welcome to the v1.11.0-beta.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Azure

Talos on Azure now defaults to MTU of 1400 bytes for the eth0 interface to avoid packet fragmentation issues.
The default MTU can be overridden with machine configuration.

Boot

Talos increases the boot partition size to 2 GiB to accommodate larger images (with many system extensions included).

Kernel Command Line

Talos now exposes the kernel command line as a KernelCmdline resource (talosctl get cmdline).

Disk Encryption

Disk encryption for system volumes is now managed by the VolumeConfig machine configuration document.
Legacy configuration in v1alpha1 machine configuration is still supported.

A new per-key option, lockToSTATE, is added to the VolumeConfig document; it locks the volume encryption key to the secret salt in the STATE volume.
So, if the STATE volume is wiped or replaced, the volume encryption key will not be usable anymore.

Disk Wipe

Talos now supports the talosctl disk wipe command in maintenance mode (talosctl disk wipe <disk> --insecure).

Early Inline Configuration

Talos now supports passing early inline configuration via the talos.config.early kernel parameter.
This allows passing the configuration before the platform config source is probed, which is useful for early boot configuration.
The value of this parameter has the same format as the talos.config.inline parameter, i.e. it should be base64 encoded and zstd-compressed.

ETCD downgrade API

Added an ETCD downgrade API that mimics the ETCD API and etcdctl interfaces.
This API allows downgrading the ETCD cluster (storage format) to a previous version.

IMA support removed

Talos now drops the IMA (Integrity Measurement Architecture) support. This feature was not used in Talos for any meaningful security purpose
and has historically caused performance issues. See #11133 for more details.

Kubernetes Version Validation

Talos now validates the Kubernetes version in the image submitted in the machine configuration.
Previously this check was performed only on upgrade, but now it is consistently applied to upgrade, initial provisioning, and machine configuration updates.

This implies that all image references should contain the tag, even if the image is pinned by digest.

Qemu provisioner on macOS

On macOS, the talosctl cluster create command now supports the Qemu provisioner in addition to the Docker provisioner.

Kernel Modules

Talosctl now returns the loaded modules, not the modules configured to be loaded (talosctl get modules).

SBOM

Talos now publishes Software Bill of Materials (SBOM) in the SPDX format.

Swap Support

Talos now supports swap on block devices.
This feature can be enabled by using the SwapVolumeConfig document in the machine configuration.

Component Updates

Linux: 6.12.40
Kubernetes: 1.34.0-beta.0
runc: 1.3.0
etcd: 3.6.4
containerd: 2.1.4
Flannel CNI plugin: 1.7.1-flannel1
Flannel: 0.27.2
CoreDNS: 1.12.2
xfsprogs: 6.15.0
systemd-udevd and systemd-boot: 257.7
lvm2: 2.03.33
cryptsetup: 2.8.0

Talos is built with Go 1.24.5.

VMware

The Talos VMware platform now supports arm64 architecture in addition to amd64.

Volumes

Talos now supports raw user volumes, which allocate unformatted disk space as a partition.
In addition, support for existing volumes has been added, which allows mounting existing partitions without formatting them.

Zswap Support

Talos now supports zswap, a compressed cache for swap pages.
This feature can be enabled by using the ZswapConfig document in the machine configuration.

Contributors

  • Andrey Smirnov
  • Noel Georgi
  • Dmitrii Sharshakov
  • Orzelius
  • Mateusz Urbanek
  • Orzelius
  • Justin Garrison
  • Spencer Smith
  • Steve Francis
  • Till Hoffmann
  • Utku Ozdemir
  • Andrew Longwill
  • Artem Chernyshev
  • Michael Robbins
  • Alexandre GV
  • Marat Bakeev
  • Olav Thoresen
  • Thibault VINCENT
  • Alvaro "Chamo" Linares Cabre
  • Amarachi Iheanacho
  • Brian Brookman
  • Bryan Mora
  • Clément Nussbaumer
  • Damien
  • David R
  • Dennis Marttinen
  • Dmitriy Matrenichev
  • Joakim Nohlgård
  • Jorik Jonker
  • Justin Seely
  • Luke Cousins
  • Marco Mihai Condrache
  • Markus Reiter
  • Martyn Ranyard
  • Michael Moerz
  • Mike
  • Oguz Kilcan
  • Tan Siewert
  • Tom Keur
  • jvanthienen-gluo
  • killcity
  • yashutanu

Changes

247 commits

  • 5a15ce88b release(v1.11.0-beta.1): prepare release
  • 614ca2e22 fix: one more attempt to fix volume mount race on restart
  • 4b86dfe6f feat: implement encryption locking to STATE
  • 8ae76c320 feat: implement talos.config.early command line arg
  • 19f8c605e docs: remove talos API flags from mgmt commands
  • fa1d6fef8 feat: bootedentry resource
  • 7dee810d4 fix: live reload of TLS client config for discovery client
  • a5dc22466 fix: enforce minimum size on user volumes if not set explicitly
  • 7836e924d feat: update containerd to 2.1.4
  • 5012550ec feat: add F71808E watchdog driver
  • 10ddc4cdd fix: grype scan
  • d108e0a08 fix(ci): use a random suffix for ami names
  • 504225546 fix: issues with reading GPT
  • bdaf08dd4 feat: update PCI DB module to v0.3.2
  • 667dcebec test: wait for service account test job longer
  • ae176a4b7 feat: update etcd to 3.6.4
  • 201b6801f fix: issue with volume remount on service restart
  • 2a911402b chore: tag aws snapshots created via ci with the image name
  • d8bd84b56 docs: add SBOM documentation
  • 7eec61993 feat: unify disk encryption configuration
  • 4ff2bf9e0 feat: update etcd to v3.5.22
  • 31a67d379 fix: do not download artifacts for cron Grype scan
  • c6b6e0bb3 docs: rewrite the getting started and prod docs for v1.10 and v1.11
  • ca1c656e6 chore(ci): add more nvidia test matrix
  • 7a2e0f068 feat: sync pkgs, update Linux to 6.12.40
  • 85e7989cf release(v1.11.0-beta.0): prepare release
  • 3039162dc feat: update Flannel to v0.27.2
  • 7e6052e63 feat: increase boot partition to 2 GiB
  • cb7ca17bb feat: implement ExistingVolumeConfig
  • a857c696f chore(machined): remove deprecated Endpoints
  • a60101c55 fix: fill serial using helpers
  • 5420e9979 refactor: output default selection for profiles
  • 023a24cd4 test: use Grype to scan SBOM for vulnerabilities
  • 96896fddb chore: build less images by default
  • 75b5dec06 fix: sd-boot kexec with disk images
  • 10546d6f8 feat: update Kubernetes 1.34.0-beta.0
  • 3f35b83ae fix: ignore absent extensions SBOM directory
  • 9920da3e1 feat: add etcd downgrade API
  • c38682279 feat: bump pkgs and tools, read extensions' SBOMs, rekres
  • 9c0d2706c docs: add release notes about v3.6.x bug
  • d21994210 test: refactor various merge controller tests
  • da5a4449f feat: implement raw volume support
  • 41adda1cf docs: add secure boot setup mode note for Xen
  • 993b4ade8 docs: fix typo in hugo config: pre-releaase
  • 130b7fd6e test: fix flaky TestDNS
  • 35b45ae6e feat(talosctl): support tpm operation on mac
  • 24628db20 feat: update Kubernetes to v1.34.0-alpha.3
  • ff68286d1 feat: include hwrandom modules
  • a5b07c9a5 test: split tests and lint from the default pipeline
  • a957ef416 feat: add SBOMs to the imager container
  • 506212a71 feat: include AMD encrypted mem modules into base
  • a966321cc fix: add more bootloader probe logs on upgrade
  • b38fa568a feat: add validation for secrets bundle
  • 2d89bcc71 feat: bump Linux, Go and other packages
  • 0b8c180b8 fix: rename instances to referenceCount
  • 378fe4f2f feat: support writing EFI boot order
  • 9f0792632 fix: improve volume provisioning errors
  • b8fcf3c71 fix: change module instance evaluation
  • d680e560d docs: create FUNDING.yml
  • 641505584 feat: support project quota support for user volumes
  • 52656cc3c feat: allow talosctl disk wipe in maintenance mode
  • 850579448 feat: export SBOM as resources
  • 4f3a2ffab test: update unit-test runner
  • d531b682c fix: provide FIPS 140-3 compliance
  • 3e3129d36 feat: include packages into SBOM
  • 54bd50be3 fix: talos endpoint might not be created in Kubernetes
  • 8789a02c3 feat: present loaded kernel modules
  • 33ecbaec6 test: update apply config tests
  • siderol...