image-factory 0.9.0 (2025-11-26)
Welcome to the v0.9.0 release of image-factory!
Please try out the release binaries and report any issues at
https://github.com/siderolabs/image-factory/issues.
Contributors
- Andrey Smirnov
- Noel Georgi
- Mateusz Urbanek
- Amarachi Iheanacho
- Dmitrii Sharshakov
- Orzelius
- Oguz Kilcan
- Laura Brehm
- Alexey Palazhchenko
- Justin Garrison
- Utku Ozdemir
- Dmitriy Matrenichev
- George Gaál
- Michael Smith
- Nicole Hubbard
- Serge Logvinov
- 459below
- Adrian L Lange
- Aleksandr Gamzin
- Alp Celik
- Andrew Longwill
- Andrew Rynhard
- Artem Chernyshev
- Chris Sanders
- Dmitry
- Febrian
- Florian Grignon
- Fred Heinecke
- Giau. Tran Minh
- Grzegorz Rozniecki
- Guillaume LEGRAIN
- Jorik Jonker
- Markus Freitag
- Max Makarov
- Mike Beaumont
- Misha Aksenov
- MrMrRubic
- Olivier Doucet
- Pranav
- Sammy ETUR
- Skyler Mäntysaari
- SuitDeer
- Tom
- aurh1l
- frozenprocess
- frozensprocess
- kassad
- leppeK
- samoreno
- theschles
- winnie
Changes
16 commits
- fa266e0 release(v0.9.0): prepare release
- 6799661 feat: show booter command in final wizard
- fb22bce feat: support selecting bootloader
- e881e4b feat: bump deps
- d1bec57 feat: implement schematic GET API
- f1dad9d feat: better test matrix
- bc4f959 fix: remove secureboot talosctl preset
- db5e4dc feat: add a prompt about using talosctl cluster create qemu
- 2c5037c chore: bump deps
- 1559666 feat: replace hardcoded artifact image constants with CLI-configurable values
- c27ee27 fix: return 400 when an invalid image name is requested
- 58125d4 feat: support proxying external installer registry
- d782950 feat: support serving TLS from Image Factory
- 743fe7f feat: support disable cosign signature verification
- 3a20123 chore: rekres with parallel jobs
- 241963f chore(ci): use runner groups
Changes from siderolabs/crypto
41 commits
- 4154a77 feat: implement dynamic certificate reloader
- dae07fa chore: update to Go 1.25
- 62a079b fix: update TLS config, add tests for TLS interactions
- c2b4e26 fix: remove code duplication and fix Ed255119 CA generation
- 2a07632 fix: enforce FIPS-140-3 compliance
- 17107ae fix: add generic CSR generator and OpenSSL interop
- 53659fc refactor: split into files
- 0d45dee chore: bump deps
- 58b2f92 chore: use HTTP/2 ALPN by default
- c240482 feat: provide dynamic client CA matching
- 2f4f911 feat: add PEMEncodedCertificate wrapper
- 1c94bb3 chore: bump dependencies
- 8f77da3 feat: add a method to load PEM key from file
- c03ff58 feat: add a way to represent redacted x509 private keys
- c3225ee feat: allow CSR template subject field to be overridden
- 8570669 chore: rename to siderolabs/crypto
- e9df1b8 feat: add support for generating keys from RSA-SHA256 CAs
- 510b0d2 chore: add json tags
- 6fa2d93 fix: deepcopy nil fields as nil
- 9a63cba fix: add back support for generating ECDSA keys with P-256 and SHA512
- 893bc66 fix: use SHA256 for ECDSA-P256
- deec8d4 chore: implement DeepCopy methods for PEMEncoded* types
- d3cb772 feat: make possible to change KeyUsage
- 6bc5bb5 chore: remove unused argument
- cd18ef6 feat: add support for several organizations
- 97c888b chore: add options to CSR
- 7776057 chore: fix typos
- 80df078 chore: remove named result parameters
- 15bdd28 chore: minor updates
- 4f80b97 fix: verify CSR signature before issuing a certificate
- 39584f1 feat: support for key/certificate types RSA, Ed25519, ECDSA
- cf75519 fix: function NewKeyPair should create certificate with proper subject
- 751c95a feat: add 'PEMEncodedKey' which allows to transport keys in YAML
- 562c3b6 feat: add support for public RSA key in RSAKey
- bda0e9c feat: enable more conversions between encoded and raw versions
- e0dd56a feat: add NotBefore option for x509 cert creation
- 12a4897 feat: add support for SPKI fingerprint generation and matching
- d0c3eef fix: implement NewKeyPair
- 196679e feat: move pkg/grpc/tls from github.com/talos-systems/talos as ./tls
- 1ff6242 chore: initial version as imported from talos-systems/talos
- 835063e chore: initial commit
Changes from siderolabs/gen
Changes from siderolabs/go-debug
Changes from siderolabs/pkgs
55 commits
- 22a9943 feat: update dependencies
- 1768ccf feat: enable VDPA settings
- 3913216 feat: enable USERFAULTFD in the kernel
- 4ae050a feat: update Go to 1.25.4
- 0abcf01 feat: update containerd to 2.1.5
- 70404aa feat: bump dependencies
- f70250f feat: add nvidia gdrcopy gdrdrv kernel module
- a7d7c1a feat: enable CONFIG_PCI_P2PDMA for GPUDirect RDMA
- da97c36 feat: update linux-firmware
- 6d58d7f feat: bump deps
- b535af8 feat: update dependencies
- a098092 feat: update Linux to 6.17.3, tt-kmd to 2.4.1
- 661e578 feat: add xe extension
- 8ddac2d feat: bump go
- 332303e fix: rollback libseccomp version
- f62ebca chore: update dependencies
- 56f8ae3 feat: update Linux to 6.17.1, NVIDIA LTS to 580.95.05
- 20b1849 fix: revert "feat" support adding extra trusted certificates in the kernel"
- 1e3d375 feat: bump go
- ddfd7af feat: bump dependencies
- 4dc7709 feat: update runc to 1.3.2
- 61d8b44 chore: fix renovate config for urcu & hailort
- 5bda512 feat: upgrade Linux to 6.17
- 202a8e6 feat: update Linux to 6.16.9
- 3a0900f feat: enable SRv6 LWTUNNEL and BPF support
- 628efc8 chore: update linuxfirmware and rekres
- 9d1fb02 feat: support adding extra trusted certificates in the kernel
- 7fe686d fix: build nftables with embedded gmp
- fede0a7 feat: add nft binary
- 0dae01a feat: update NVIDIA to 580.82.07
- 9ac2392 feat: enable Kernel config options for IPVS Maglev hashing scheduler support
- 3c5315c feat: update dependencies
- 122fa66 feat: update Linux to 6.16.6
- ab1e866 feat: update Go to 1.25.1
- 7d6ef1b feat: update runc to 1.3.1
- e067c20 feat: enable USB audio support
- c4faa38 feat: bump dependencies
- 453cdfc feat: enable ublk support
- 9824684 fix: enable memcg v1
- 2447e11 feat: update Linux to 6.16, GCC to 15
- 2cfb920 feat: update Linux to 6.15.11, update tools, rekres
- ab4e975 feat: update Linux to 6.12.43
- cd67e36 chore: update kernel config to support max SMP CPUs
- e3b2094 fix: fix build for new NVIDIA drivers
- fd5fdfd feat: update Nvidia LTS to 580.65.06 and production to 570.172.08
- 0edf426 fix: backport CVE kernel patches to 6.12
- 26d8fef feat: enable Infiniband IRDMA support
- 16b5fac fix: re-enable CPUSETS_V1 cgroups controller
- fd53886 feat: update backportable dependencies
- d5f7467 feat: update Go to 1.24.6
- 0bd019f feat: update containerd to 2.1.4
- 0ba8b5b feat: enable F71808E watchdog driver
- 895a86b fix: enable ISCSI IBFT
- a76a67c feat: update Linux to 6.12.40
- 8b0a561 feat: enable bootloader control on amd64
Changes from siderolabs/talos
291 commits
- 3d997d742 release(v1.12.0-beta.0): prepare release
- e62384ba3 fix: re-creating STATE after partition drop
- 6919d232a docs: update kernel args size
- 887b296dc test: randomize MAC addresses used in the unit-tests
- 6063fbf91 feat: update dependencies
- 542a67a06 feat: add riscv64 build of talosctl
- 68560b53a fix: split volume/disk locators
- 2c3d30e94 docs: fix image-cache-path flag description
- 93f2e87c2 feat: shorthand for generating secrets to stdout
- 5e1de0035 feat: implement time and resolvers multi-doc configuration
- 399240be3 feat: drop partitions on reset with system partitions wipe
- 5cca96655 feat: add new rockchip sbcs
- 00fe50d86 fix: uefi bootorder setting
- 3a881184b chore: improve error handling for system disk reset
- 859194e67 chore: extract system+user volume config transformers, test
- 308c6bc41 feat: add full disk volumes
- 82ac1119e feat: implement new registry configuration
- 106f45799 feat: update Linux kernel with userfaultfd/VDPA
- 721a1e0d7 chore: rename+improve client.ErrEventNotSupported
- 43f4e317f fix: race between VolumeConfigController and UserVolumeConfigController
- 66c01a706 chore: deprecate interactive installer mode
- 957770f65 feat(machined): add panic/force mode reboot
- 60be0daf8 feat: implement multi-doc Wireguard config
- cf014cb5d fix: only set default bootloader if none is set
- e9b016f80 fix: use strict platform match when pulling images
- fafab391b feat: update Kubernetes to 1.35.0-alpha.3
- 7bf3aaca9 feat: allow glibc aarch64 so files in extensions
- c8561ee2d feat: implement bridge multi-document config
- f4ad3077b feat: implement bond multi-doc configuration
- 75fe47582 fix: stop attaching to tearing down mount parents
- c93a9c6b4 fix: improve OOM controller stability and make test strict on false positives
- 021bbfefb feat: update Go 1.25.4, containerd 2.1.5
- e25db484f test: disable parallelism in Longhorn tests
- 54b93aff0 feat: update Linux 6.17.7, runc 1.3.3
- 2af69ff35 fix: provide minimal platform metadata always
- 92eeaa482 fix: update YAML library
- aa24da9aa fix: bump kubelet credential provider config to v1
- 335f91761 feat: add short -c flag for --cluster
- 4c095281b fix: set a timeout for SideroLink provision API call
- 75e4c4a59 fix: log duplication on log senders
- e3cbc92c0 fix: add video kernel module to arm
- d69305a67 fix: userspace wireguard handling
- ee5fee7c8 fix: image-signer commands
- be028b67a feat: add support for multi-doc VLAN config
- f3df0f80b feat: add directory backed UserVolumes
- 0327e7790 feat: add support for dashboard custom console parameter
- fed948b8a release(v1.12.0-alpha.2): prepare release
- fb4bfe851 chore: fix LVM test
- f4ee0d112 chore: disable VIP operator test
- 288f63872 feat: bump deps
- b66482c52 feat: allow disabling injection of extra cmdline in cluster create
- 704b5f99e feat: update Kubernetes to 1.35.0-alpha.2
- 1dffa5d99 feat: implement virtual IP operator config
- 43b1d7537 fix: validate provisioner when destroying local clusters
- b494c54c8 fix: talos import on non-linux
- 61e95cb4b feat: support bootloader option for ISO
- d11072726 fix: provide offset for partitions in discovered volumes
- 39eeae963 feat: update dependencies
- 9890a9a31 test: fix OOM test
- c0772b8ed feat: add airgapped mode to QEMU backed talos
- ac60a9e27 fix: update test for PCI driver rebind/IOMMU
- 6c98f4cdb feat: implement new DHCP network configuration
- da92a756d fix: drop 'ro' flag from defaults
- 28fd2390c fix: imager build on arm64
- 4e12df8c5 test: integration test for OOM controller
- 7e498faba feat: use image signer
- eccb21dd3 feat: add presets to the 'cluster create qemu' command
- ec0a813fa feat: unify cmdline handling GRUB/systemd-boot
- 37e4c40c6 fix: skip module signature tests on docker provisioner only
- 8124efb42 fix: cache e2e
- 4adcda0f5 fix: reserve the apid and trustd ports from the ephemeral port range
- ced57b047 feat: support optionally disabling module sig verification
- 1e5c4ed64 fix: build talosctl image cache-serve non-linux
- dbdd2b237 feat: add static registry to talosctl
- 77d8cc7c5 chore: push latest tag only on main
- 59d9b1c75 feat: update dependencies
- bf6ad5171 feat: add back install script
- da451c5ba chore: drop documentation except for fresh reference
- 2f23fedeb fix: file leak in reading cgroups
- b412ffdbc docs: update README.md for docs link
- 8dc51bae7 feat: add drm_gpuvm and drm_gpusvm_helper modules
- 4ca58aeb8 fix: make Akamai platform usable
- 061f8e76f feat: bump pkgs
- a9fa852da feat: update uefi image to talos linux logo
- 04753ba69 feat: update go to 1.25.2
- 9a42b05bd feat: implement link aliasing
- d732bd0be chore(ci): run only nvidia tests for NVIDIA workflows
- 8d1468209 fix: stop populating apiserver cert SANs
- 02473244c fix: wait for mount status to be proper mode
- 825622d90 fix: resource proto definitions
- 2c6003e79 docs: add Project Calico installation in two mode
- 4fb4c8678 feat: add disk.EnableUUID to generated ova
- 33fb48f8f fix: add dashboard spinner
- 053fd0bd4 feat: update Linux to 6.17
- 34e107e1b docs: fix broken link
- dfbece56b docs: update the kubespan docs
- 8b041a72c docs: update scaleway.md
- 435dcbf82 fix: provide nocloud metadata with missing network config
- ec3bd878f refactor: remove the go-blockdevice v1 completely
- 33544bde9 fix: minor improvements to fs
- fd2eebf7f feat: create merge patch from diff of two machine configs
- eadbdda94 fix: uefi boot order setting
- cd9fb2743 fix: support secure HTTP proxy with gRPC dial
- adf87b4b9 feat: update Flannel to v0.27.4
- 5dfb7e1fe feat: serve etcd image from registry.k8s.io
- 5ca841804 fix: nftables flaky test
- a940e45a7 feat: generate list of images required to build talos
- 3472d6e79 fix: revert "chore: use new mount/v3 package in efivarfs"
- 42c0bdbf3 feat: add provisioner flag to images default command
- 6bc0b1bcf feat: drop and lock deprecated features
- 362a8e63b fix: change the compression format
- 6e58f58aa fix: mkdir artifacts path
- 3165a2b84 release(v1.12.0-alpha.1): prepare release
- e455c7ea9 chore: use testing/synctest in tests
- 7f048e962 feat: update dependencies
- fe36b3d32 fix: stop returning EINVAL on remount of detached mounts
- c6279e04c chore: use new mount/v3 package in efivarfs
- d5197effb feat: update etcd 3.6.5, CoreDNS 1.12.4
- 33714b715 feat: release cloud image using factory
- d10a2747e docs: deprecate JSON6902 patches and interactive installer
- 1e604cbf5 fix: don't set broadcast for /31 and /32 addresses
- 65a66097a refactor: split cluster create logic into smaller parts
- ab847310e fix: provide refreshing CA pool (resolvers)
- d63c3ed7d docs: update secureboot docs
- 493f7ed9d feat: support embedded config
- 251df70f6 feat: add a userspace OOM controller
- 7bae5b40b feat: implement link configuration
- 724857dec fix(ci): skip netbird extension for tests
- e06a08698 fix: default gateway as string
- 7ed07412e fix: uefi boot entry handling logic
- ea4ed165a refactor: efivarfs mock and tests
- 1fca111e2 feat: support setting wake-on-lan for Ethernet
- 94f78dbe7 docs: add a documentation for running Talos in KVM
- 46902f8fd docs: add TrueFullstaq to adopters
- a28e5cbd5 chore: update pkgs and tools
- 7cf403db8 docs: step-by-step scaleway documentation to get an image
- 687285fa2 docs: remove 'curl' in wget command
- 9db6dc06c feat: stop mounting state partition
- 53ce93aae test: try to clear connection refused more aggressively
- 51db5279c fix: bump trustd memory limit
- 25204dc8a fix(machined): change constants.MinimumGOAMD64Level using build tag
- 9cd2d794d feat: ship nft binary with Talos rootfs
- b1416c9fe feat: record last log the failed service
- 0b129f9ef feat: enforce more KSPP and hardening sysctls
- 11872643c chore: drop docs folder
- d30fdcd88 chore: pass in github token to imager
- b88f27d80 chore: make reset test code a bit better
- 1cde53d01 test: fix several issues with tests
- 16cd127a0 docs: add docs on updating image cache
- c3ae92b14 fix: build kernel checks only on linux
- 2120904ec feat: create detached tmpfs
- 6bbee6de5 docs: remove 'ceph-data' from volume examples/docs
- 07acb3bd2 fix: use correct order to determine SideroV1 keys directory path
- 2d57fa002 fix: trim zero bytes in the DHCP host & domain response
- 451cb5f78 docs: clarify disk partition confusion
- a2122ee5c feat: implement HostConfig multi-doc
- 69ab076b4 fix: re-create cgroups when restarting runners
- 297b5cc28 docs: add docs on node labels
- e168512dd fix: apply 'ro' flag to iso9660 filesystems
- 7f7acfbb9 docs: fix typo in doc
- d57882b18 feat: update Kubernetes to 1.34.1
- f85f82f32 test: fix flakiness in RawVolumes test
- 82569e319 feat: update Linux 6.16.6
- 2fd2ab4e4 fix: remove CoreDNS cpu limit
- ce9bc32a0 chore(ci): rekres to use new runner groups
- 8b64f68f6 test: improve test stability
- 272cb860d chore: drop the --input-dir flag from the cluster create command
- 1b6533675 docs: add note about ca-signed certs for secureboot
- d3f88f50c docs: document talos vip failover behavior
- 005fc8bd5 docs: add docs on syncing configs after a kube upgrade
- 4d876d9af feat: update Go to 1.25.1
- 2b556cd22 feat: implement multi-doc StaticHostConfig
- a7b776842 docs: replace Raspberry Pi 5 links with Talos builder
- a349b20ed docs: clarify that talos does not support intermediate ca
- 895133de9 feat: support configuring PCR states to bind disk encryption
- c1360103b docs: fix command for uploading image on Hetzner
- 43b5b9d89 fix: correctly handle status-code 204
- feeb0d312 feat: update runc to 1.3.1
- 421634a14 docs: add docs on multihoming
- 41af2d230 refactor: clean up internal cluster creation code
- 3000d9e43 fix: don't bootstrap talos cluster if there's no config present
- 79cb871d0 feat: use the id of the volume in the mapped luks2 name
- 6c322710d chore: refactor mount package
- ced7186e2 refactor: update COSI to 1.11.0
- de2e24fcd docs: clarify that install-cni image is deprecated
- bef8ef509 docs: add docs on cilium's compatibility with kubespan
- e5acb10fc feat: update pkgs
- c4c1daf0e docs: add info about br_netfilter
- 5c52ecac3 docs: clarify interactive dashboard resolution control
- 15ecb02a4 feat: update Linux kernel (memcg_v1, ublk)
- 53f18c2f6 fix: enable support for VMWare arm64
- 3bbe1c0da docs: add docs on grow flag
- b9fb09dcd release(v1.12.0-alpha.0): prepare release
- 6a389cad3 chore: update dependencies
- 9d98c2e89 feat: add a cgroup preset for PSI and --skip-cri-resolve
- 072f77b16 chore: prepare for future Talos 1.12-alpha.0 release
- 96f41ce88 docs: update qemu and docker docs
- a751cd6b7 docs: activate Talos v1.11 docs by default
- e8f1ec1c5 docs: fix broken create qemu command v1.11 docs
- 639f0dfdd feat: update Linux to 6.16.4
- 8aa7b3933 fix: bring back linux/armv7 build and update xz
- 9cae7ba6b feat: update CoreDNS to 1.12.3
- cfef3ad45 fix: drop linux/armv7 build
- 42ea2ac50 fix: update xz module (security)
- 4fcfd35b9 docs: fix module name example
- 50824599a chore: update some tools
- bcd297490 feat: allow Ed25119 in FIPS mode
- 5992138bb test: ignore one leaking goroutine
- d155326c1 docs: add sbc unofficial ports docs
- 285fa7d22 docs: add the deploy application docs
- 527791f09 feat: update Kubernetes to 1.34.0
- a1c0e237d feat: update Linux to 6.15.11, Go to 1.25
- 4d7fc25f8 docs: switch order of wipe disk command
- 7368a994d feat: add SOCKS5 proxy support to dynamic proxy dialer
- d63591069 chore: silence linter warnings
- 07eb4d7ec fix: set default ram unit to MiB instead of MB
- 6b732adc4 feat: update Linux to 6.12.43
- b6410914f feat: add human readable byte size cli flags
- ec70cef99 feat: update NVIDIA drivers and kernel
- 0879efa69 feat: update Kubernetes default to v1.34.0-rc.2
- f504639df feat: add a user-facing create qemu command
- 558e0b09a test: fix the Image Factory PXE boot test
- d73f0a2e5 docs: make readme badges consistent
- f1369af98 chore: use new filesystem api on STATE partition
- 366cedbe7 docs: link to kubernetes linux swap tuning
- 2f5a16f5e fix: make --with-uuid-hostnames functionality available to qemu provider
- 70612c1f9 refactor: split the PlatformConfigController
- 511748339 docs: add system extension tier documentation
- 009fb1540 test: don't run nvidia tests on integration/aws
- 99674ef20 docs: apply fixes for what is new
- 92db677b5 fix: image cache lockup on a missing volume
- 9c97ed886 fix: version contract parsing in encryption keys handling
- 1fc670a08 fix: dial with proxy
- 18447d0af feat: update Linux to 6.12.41
- f65f39b78 fix: provide mitigation CVE-1999-0524
- 8817cc60c fix: actually use SIDEROV1_KEYS_DIR env var if it's provided
- b08b20a10 feat: use key provider with fallback option for auth type SideroV1
- 7a52d7489 fix: kubernetes upgrade options for kubelet
- ea8289f55 feat: add a user facing docker command
- 54ad64765 chore: re-enable vulncheck
- 26bbddea9 fix: darwin build
- b5d5ef79e fix: set secs field in DHCPv4 packets
- c07911933 chore: refactor how tools are being installed
- 34f25815c docs: fork docs for v1.12
- b66b995d3 feat: update default Kubernetes to v1.34.0-rc.1
- b967c587d docs: fix clone URL to include .git
- b72c68398 docs: edit the insecure, etcd-metrics, inline and extramanifests
- e5b9c1fff docs: remove RAS Syndrome
- 701fe774b docs: fix cilium links and bump to 1.18.0
- d306713a1 feat: update Go to 1.24.6
- 721595a00 chore: add deadcode elimination linter
- dc4865915 refactor: stop using text/template in machined code paths
- 545be55ed feat: add a pause function to dashboard
- 06a6c0fe3 refactor: fix deadcode elimination with godbus
- 2dce8f8d4 refactor: replace containerd/containerd/v2 module for proper DCE
- 9b11d8608 chore: rekres to configure slack notify workflow for CI failures
- 5ce6a660f docs: augment the pod security docs
- ada51ff69 fix: unmarshal encryption STATE from META
- b9e9b2e07 docs: add what is new notes for 1.11
- 53055bdf4 docs: fix typo in kubevirt page
- 8d12db480 fix: one more attempt to fix volume mount race on restart
- 34d37a268 chore: rekres to use correct slack channel for slack-notify
- 326a00538 feat: implement talos.config.early command line arg
- a5f3000f2 feat: implement encryption locking to STATE
- c1e65a342 docs: remove talos API flags from mgmt commands
- 181d0bbf5 feat: bootedentry resource
- 7ad439ac3 fix: enforce minimum size on user volumes if not set explicitly
- 50e37aefd fix: live reload of TLS client config for discovery client
- 87efd75ef feat: update containerd to 2.1.4
- 724b9de6d feat: add F71808E watchdog driver
- 8af96f7af docs: add ETCD downgrade documentation
- 44edd205d docs: add remark about 'exclude-from-external-load-balancers' label
- 727101926 fix(ci): use a random suffix for ami names
- d621ce372 fix: grype scan
- d62e255c2 fix: issues with reading GPT
- 5d0883e14 feat: update PCI DB module to v0.3.2
- 3751c8ccf test: wait for service account test job longer
- a592eb9f9 feat: update Linux to 6.12.40
- 4c40e6d3f feat: update etcd to 3.6.4
- 2bc37bd2c docs: fix error in kernel module guide
- bfc57fb86 chore: tag aws snapshots created via ci with the image name
- 06ef7108a fix: issue with volume remount on service restart
- 03efbff18 docs: add SBOM documentation
- af8a2869d fix: do not download artifacts for cron Grype scan
- 5f442159b feat: unify disk encryption configuration
- 38e176e59 chore(ci): fix datasource versioning
- 85d6b9198 feat: update etcd to v3.5.22
- dd7bd2dab docs: rewrite the getting started and prod docs for v1.10 and v1.11
- 136a899aa chore: regenerate release step with signing fixes
- 450b30d5a chore(ci): add more nvidia test matrix
- 451c2c4c3 test: add talosctl:latest to the image cache
Dependency Changes
- github.com/klauspost/compress v1.18.0 -> v1.18.1
- github.com/minio/minio-go/v7 v7.0.95 -> v7.0.97
- github.com/siderolabs/crypto v0.6.4 new
- github.com/siderolabs/gen v0.8.5 -> v0.8.6
- github.com/siderolabs/go-blockdevice/v2 v2.0.19 -> v2.0.20
- github.com/siderolabs/go-debug v0.6.0 -> v0.6.1
- github.com/siderolabs/pkgs v1.11.0-18-g1a25681 -> v1.12.0
- github.com/siderolabs/talos v1.11.1 -> v1.12.0-beta.0
- github.com/siderolabs/talos/pkg/machinery v1.11.1 -> v1.12.0-beta.0
- github.com/sigstore/cosign/v3 v3.0.2 new
- github.com/sigstore/sigstore v1.9.5 -> 181c5d3339b3
- go.yaml.in/yaml/v4 v4.0.0-rc.3 new
- golang.org/x/net v0.44.0 -> v0.47.0
- golang.org/x/sync v0.17.0 -> v0.18.0
- golang.org/x/sys v0.36.0 -> v0.38.0
- golang.org/x/text v0.29.0 -> v0.31.0
Previous release can be found at v0.8.4