siderolabs/image-factory v1.3.3 on GitHub

image-factory 1.3.3 (2026-06-01)

Welcome to the v1.3.3 release of image-factory!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/image-factory/issues.

Disk Images

Image Factory now supports generating disk images with 4096 byte sector size (custom size), set via schematic customization.

Embedded Machine Configuration

Image Factory now supports embedding machine configuration into generated images starting with Talos version 1.2.0 onwards.

Secure Boot Disk Images

Image Factory now generates disk images with Secure Boot supporting automatically enrolling keys (with if-safe setting, enabled for VMs in setup mode).

Contributors

Andrey Smirnov
Noel Georgi
Mateusz Urbanek
Erwan Leboucher
Maja Bojarska
Orzelius
Utku Ozdemir
Lukasz Raczylo
Dmitrii Sharshakov
Edward Sammut Alessi
buckaroo
immanuwell
Ansgar Dahlen
Artem Chernyshev
Benoît Knecht
David Orman
Dharsan Baskar
Dmitriy Matrenichev
Filip Boye-Kofi
Kevin Tijssen
Mickaël Canévet
Nico Berlee
YANG JOO WOONG
Zadkiel AHARONIAN
appkins
kastakhov

Changes

7 commits

425e59e release(v1.3.3): prepare release
b5d3d92 fix: vulnerability scans with extensions
916bcf6 feat: update go-vex
9920386 feat: update Image Factory with Talos 1.14.0-alpha.1
d49e952 feat: allow excluding Talos releases
147a3e8 feat: add scan report to factory client
2887e78 feat: add support for embedding machine configuration

Changes from siderolabs/go-vex

2 commits

7248c88 fix: support proper semver bounds
ac27d3c feat: support version ranges

Changes from siderolabs/pkgs

72 commits

0870a4b feat: bump dependencies
f9134e5 fix: enable CONFIG_BCM2712_MIP as built-in in arm64 kernel config
285c6ae fix: set usermode static helper to machine
bd2a754 feat: pre-generate drbd patches using spatch out of tree
898844e feat: update Linux to 6.18.33
a8dfbf7 fix: disable kernel modprobe path
c542950 fix: pull in tools with zstd sbom
c0ec8f3 feat: enable PPP and INFINIBAND_BNXT_RE
c62c4e1 feat: update containerd to 2.3.1
270f9f8 chore: update deps
4f7feb4 feat: enable more options for CRI-U checkpoint/restore
87994f7 feat: move autoloadable stuff as modules
80c27f3 fix: drop legacy network protocols
fbb7360 feat: drop legacy iptables/ebtables support
eac5f86 feat: bump kernel 6.18.32
d616f6c feat: update Linux to 6.18.31
02bcfce fix: macb silent TX stall on BCM2712/RP1 (v2 patches from netdev)
12ca698 feat: update ZFS & NVIDIA LTS
9fff943 feat: update Linux to 6.18.30
c5a1685 feat: move HWMON as modules
b2a45fb feat: move CONFIG_INTEL_IOATDMA as a module
ea8d35f feat: move ACPI device drivers as modules
501ba58 feat: move HID quirks as modules
b35312c feat: move PS/2 mouse drivers as modules
3a5d9d7 feat: move IPMI driver to be a module
792a69a feat: disable AGP drivers
99990b4 feat: move Hyper-V drivers as modules
fb697d6 feat: move Xen frontend drivers as modules
1df1713 feat: move ATA / MMC controllers as modules
f7f9341 feat: move USB class drivers as modules
ba873e9 feat: move USB host controllers as modules
8f25baa feat: move virtio bus stuff as modules
d0c5480 feat: bump kernel to 6.18.29
dfb09f0 feat: bump kernel 6.18.28
c97bc24 feat: update Go to 1.26.3
dfe8926 feat: add btrfsprogs
06ff9dc feat: update Linux to 6.18.27
2265fc9 feat(kernel): backport two PCI bridge realloc fixes from v6.19
5a21d99 feat: bump dependencies
cb3f406 feat: update containerd to 2.3.0
e192574 feat: update Linux to 6.18.26
e5e6cb8 feat: update DRBD to 9.3.2
77538b1 feat: update NVIDIA drivers
adeaafc feat: preserve System.map on kernel builds
c77f985 fix: disable legacy framebuffer drivers
8f3ef77 fix: enable safesetid LSM
f82d3af fix: disable CONFIG_DEVPORT
b189a96 fix: disable crypto user API
9a718f6 docs: list net macb silent TX stall fixes in kernel/build/patches/README.md
ca3599f fix: macb silent TX stall on BCM2712/RP1 (RFC patches from netdev)
6a53a93 feat: bump kernel to 6.18.25
f567bce feat: disable more stuff in Kconfig
ffd9790 feat: bump kernel to 6.18.24
b7c709a feat: bump deps
e5e5b3c feat: update Linux to 6.18.23
1a4cd20 fix: renovate config
d0ed6ed feat: update dependencies
6ea49c7 fix: support disabling module signature verification
6520ec4 feat: update containerd to 2.2.3
37ce992 feat: enable CONFIG_UHID and CONFIG_INPUT_JOYDEV as modules
cddd934 feat: update backportable dependencies
32e4077 feat: update OpenSSL
2d241e7 feat: update Go to 1.26.2 and small deps updates
7f540ce feat: disable dynamic SCS
3bef043 feat: update runc to 1.4.2
c6e6f10 feat: update Linux to 6.18.21
a9e8afa fix: libarchive install prefix
e4d0113 feat: update for musl 1.2.6
9142603 feat: update NVIDIA production to 595.58.03
22fa669 feat: update Linux to 6.18.19
03680ae feat: update containerd patch verifier role
bdc239e feat: enable CHECKPOINT_RESTORE option

Changes from siderolabs/talos

220 commits

027c93d25 release(v1.14.0-alpha.1): prepare release
4eb862d09 feat: add LVMService for VG/LV/PV removal
b88f16a52 fix: use POSIX shell idioms for error propagation
5290eb374 fix: suppress ICMP redirects by default
7b4aba2e5 fix: marshal kube-scheduler config correctly with int types
894be9bf5 fix: touch rootfs files with SOURCE_DATE_EPOCH
cde82224e fix: ignore cgroups with zero rank in OOM handler
bc0372411 fix: bring in a change to BCM2712_MIP
f572c33f1 chore: fail on makefile error
e317d4b47 fix: drop modprobe path and enforce usermode helper
89e53f610 fix(machined): make built-in mod state always 'permanent'
cfbec9bd5 test: skip UEFI vars wipe if TPM is enabled
1e31deda3 fix: create parent directories when extracting tar archives
14dc188bd chore: verify go-containerregistry preserves symlinks
951922dfb fix: guard apply config API call
3e173adf4 feat: move kube-controller-manager config to multi-doc
b5cda3438 fix: reset QEMU UEFI variable store when disk is wiped
4a17ac6ac chore: script for tracking fixes made in upstream toolchain/tools/pkgs
d71edeead feat: add LVM status resource definitions
4aeba1cde fix: perform backwards-compatible kernel args cleanup
9b7b2bf36 feat: implement support for btrfs user volumes
03ee8ee3a feat(machined): support instance tags on Akamai
d19f9ade0 fix: memorymodules resource reporting
a6edcf6f3 chore: move out adv library
40e66eac7 fix: bump Go golang.org/x modules
e23ca4a0a chore(ci): add upgrade tests for trustedboot
e3003c0ec chore: bump tpm nonce size to match the algorithm used
8fd04da1f feat: add bnxt_re module to the rootfs
1cfab00f1 fix: update etcd experimental args
ad96fc6ae fix: relax hostname config validation
efd735334 chore(ci): add missing labels, move release metadata check to job
9ec045059 feat: update containerd to 2.3.1
42f4144a1 feat: introduce new KubeSchedulerConfig
f2b7f39db refactor: move Args type out of config/v1alpha1
b959dcb3e fix: bump Kubernetes to 1.36.1 in one more place
8ecc77f1a feat: update default Kubernetes version to 1.36.1
cbd9c3745 chore: rekres to secure slack workflows
6a92fc653 test: update Canal version used in the tests
be12d3d08 feat: support 4k sector size disk images
a7e8f4c28 chore(ci): fix cloud image upload job name
4319399f6 feat: introduce more modular Linux kernel
ed5df89f6 feat(ci): rotate credentials
a6a984ff7 chore(ci): fix the job conditions
ecb7d4588 feat: enable Flannel nftables mode
9919ff781 feat: update Linux to 6.18.32
1a7d136e4 feat: add Azure Secure Boot imager profile
df68e7391 feat: implement kernel module status resource
e98ee99d4 fix: streamline config validation flow
d7f0a2fd4 feat: update Linux to 6.18.31
2b66e25a5 chore: update image signer
5aa1795f9 chore: drop e2e step dependencies
d42b3b396 feat: update Linux to 6.18.30
c3f6f3507 feat: implement static host resolving via host DNS
2f06a68ef refactor: split host DNS handler
e99c5be5a feat: implement DNS over HTTP(S)
cf6065238 chore: stop publishing installer to ghcr
0edabd29c fix: restore some shared (and some lower tier slave) mount propagation
f1578dc63 fix: image verification issue with registry.k8s.io
46b1f8a24 fix: rework how scheduler config is marshaled
820a9fa59 chore: fix typos in comments
649a384a9 feat: move more kernel stuff to modules
4f3ab2012 chore(ci): try fixing homebrew action
600c0ab5d feat(ci): validate that extensions PKGS and TOOLS sync with talos
76080416b feat: redact more machine config secrets and audit redactors
aabf63957 docs: drop controlplane endpoint examples
b48a2bef4 test: relax kernel-default routing rule assertion
d2208b034 refactor(talosctl): propagate command context throughout, handle interrupts
0760b5c28 fix: normalize source name for syft consistency
c49ac0ec2 docs: document release policy
ec7e6ef9f feat: bump in-toto indirect dependency
21858a674 feat: update kernel to 6.18.29
5a49dc61d feat: migrate Image Cache config to multi-doc
574298ec1 fix: handle empty GCP operation errors
366b10b79 feat: dockerfile improvements
9a1d9d0af feat: bump go 1.26.3
6eec1c229 feat: support DNS over TLS for upstream resolvers
dee139aef feat: revert update CoreDNS to 1.14.3
087bc4c18 chore: lint packages under tools
9e7516fae fix: clarify documentation for image verification pattern
41c8e9dc4 feat: bump dependencies
2b6c06ef5 feat: update CoreDNS to 1.14.3
6b6f7978b feat: update containerd to 2.3.0
f9c4f90da feat(ci): longhorn v2 ublk tests
84d169c62 fix: make dnsd retry listening
689974bd5 fix: volume mount permissions
ff0f66bdf fix: skip reserved routing rule priorities
850e2c754 feat: drop fakeroot, use go helper
0c1bd701a feat: add golangci-lint fmt target
53bd66956 feat: support conditional start of IPv6 dns servers
b31d93e0d feat: auto-enroll SecureBoot keys for disk images
849a68006 test: update pkgs to test new extensions
c30a6dfcb fix: preserve DHCP DNS servers
5b81b20d3 feat: apply DHCP search domains
4e5ff8fa2 fix(ci): zfs test
14abe5140 fix: handle gateways which are not on-link routes in dhcp4
e1f759af8 chore: fix lint issues automatically
664c5f643 chore: update tools
c64df2b61 fix: add missing kernel modules in rootfs
f73c24594 feat: run depmod with verification on rootfs build
1371596d7 fix: provide proper AWS platform metadata
4f11f021d feat: implement etcd encryption config (kube-apiserver)
876f83643 feat: add support for HTTP Probes
9b776d598 feat: update etcd to 3.6.11
631a1bc5e fix: bring in hardened kernel
a349dac03 fix: stale discovered volume children
13ce01879 fix: re-enable kexec on arm64
32539d4ac fix: deadlock in the makefs ext4 with populated source
0f3e1966a fix: panic in Kubernetes manifest sync
3bae01ac1 fix: do not pick up a system disk from a loop device
dedb7a96c fix(talosctl): protect k8sNames map writes with mutex
cc2be213a fix: drop explicit platform matcher
1dffebaf2 fix: mount throws EPERM on virtiofs with SELinux
48a481c29 fix: replace Canal manifest with a more recent one
6a445406e fix: make lacp active nilable
0d1d95c7d fix: bump go-kmsg to fix the timestamp drift
bd344fd53 fix: reset the ticker when the KubeSpan is disabled/enabled
462015bcd release(v1.14.0-alpha.0): prepare release
8a037a56e test: fix flaky tests
08c81d838 feat: bump kernel to 6.18.25
fe40b6e58 fix(ci): fetch empty pr labels
837a9ed07 feat: move host DNS config into ResolverConfig
96a8ecd1e feat: default to factory installer image
f19eef78b fix: revert add extraArgs from service-account-issuer
6821225b6 fix: revert use append instead of prepend in service-account-issuer
b43c3a124 feat: add quirk for talosctl factory downloads
df0b9a8da refactor: make all controller unit-test follow modern patterns
c2948cef2 feat: support auth for Image Factory in cluster create
560bcf0ca feat: enforce TLS 1.3 minmum version for Kubernetes components
3db14309e fix(talosctl): ensure uncordon runs after reboot/upgrade errors
ecf2fa855 feat: update Kubernetes to v1.36.0
71557eadd fix(ci): skip misc jobs not on pull request
026313b7c docs: rename security-insights.yml to lowercase for LFX detection
dc4ffd490 fix(ci): fix jobs not interpolating matrix due to condition
25e2f37e2 chore: generate comments for fields in resource proto
149592fa5 fix: watch kubelet's kubeconfig and time out for cache sync
1f315e6e9 feat: update Linux to 6.18.23
0198eedc2 feat: add NTS (Network Time Security) support for NTP time sync
6830a8b97 fix(ci): matrix jobs cleanups
71aeb347f test: fix OOM test flake
9b9542cc5 test: fix a flake in the manifest sync test
863d882b6 test: add image verification for factory.talos.dev
bba0b4aee chore(ci): nvidia update helm values
3399ff4de fix: propagate route table down to the resource
c684ec60e chore: prepare for Talos 1.14 release
ed9545d0d chore(ci): bump gpu operator version
4de3e4393 fix(ci): cron triggered workflows
212182e6f chore: bump container registry library
c028db0b8 fix: do not flip machine stage to rebooting during shutdown
6ce62d9e8 fix(ci): workflow runs with workflow_run
509cd9733 fix: boot entry detection
5e3f30188 feat(ci): rework to schedule daily runs after a cron
7fa4d3919 fix: zfs extensions test
1ef8e630a test: allow more tests to run in FIPS strict mode
bdcc9321b fix: reduce memory dashboard usage
2d177af82 chore: update Syft to v1.42.4+patches
0d8362119 fix: return failed precondition on upgrade when not installed
be58eafab fix: wrong slot of encryption key was logged
015081c76 feat: update dependencies
9fbb7c95d fix: audit trustd code for security
986e97fc7 feat: update Flannel to 0.28.4
f3817d1d1 chore: update sign images to support image name suffix
e776721f3 feat: update Kubernetes 1.36.0-rc.1
f6e7346fa fix: encode extra args fields in resources with new id
3c7bb80ba chore: bump tools
3ba35c9b9 chore(ci): nvidia try UKI boot
e3e8f01ca chore: bump tools
181584a5f fix: handle boot failure
c464c7e88 fix: upgrade API in maintenance mode (legacy)
b7512d912 feat: update Kubernetes to 1.36.0-rc.0
4ba11156f refactor: allow overriding out image name suffix
c81aa125c fix: panic in reading PCR values
6a3ab87c5 feat(ci): add nvidia arm64 matrix
21f459aab fix(talosctl): always use default GRPC dial options
ca208e514 fix: validate hostDNS forwarding requires hostDNS to be enabled
9fcb9e05b feat: bump go to 1.26.2
0bfdf7f70 fix: create correct blackhole routes for IPv4
52b920032 feat: add client-side Kubernetes node drain to reboot and upgrade commands
968ec1e0c refactor: propagate NAME properly, allow to set on build
acc69c346 fix: set the minimum TLS version to 1.3
0cfa6e302 chore: bump some tool dependencies
4229bb9d2 feat: add dis-vulncheck tool
d697f5538 fix: don't set xattrs while decompressing extensions
34fb2cbe5 refactor: remove manual shell completion and replace with cobra completion
79fa2e300 feat: allow more nvidia and nvme files from extensions
414f78a29 feat: allow glibc ld files in etc
1bbba4301 feat: update Flannel to v0.28.2
55815e0fa fix: handle ISOs with zeroes in volume labels
7b6ab0c1c feat: add flag to force fallback to legacy upgrade
5e24d5265 feat: add resource view to talosctl dashboard
649ab7fe4 fix: add os:meta:writer role to the dashboard
10cdfa909 fix: drop talosctl install
087ced85f fix: unseal with "slow" TPM
11ab0a8c5 fix: drop unused type from ExternalVolume schema
e2df0f6ce fix: always grow disks
919d8c365 chore: drop debug shell
783a35851 fix: add metal-agent mode to runtime capabilities
37b2221cc docs: add SECURITY-INSIGHTS.yml for OSPS Baseline QA-04.01
bed2bd414 feat: add graceful power off support to QEMU VM launcher
3400059cc fix: incorrect route source for on-link routes
b3dfbf743 feat: bump musl to 1.2.6
4227921b3 test: fix the PKI mismatch test flake
f2bc2dcc6 feat: update NVIDIA production drivers to 595.58.03
aa5946dd3 test: fix cron failures for provision-1 & provision-2
1dd701efa fix: allow blockdevice wipe in maintenance mode
786bf00ab feat: add --platform=all support to image cache-create
e1f645e3c feat: validate luks headers for tampering
ad72c7300 test: improve maintenance API provision tests
70cefab6a test: fix the flakes in tests with trusted roots
aacff17f4 test: bump memory for Flannel netpolicy tests
9c3459114 feat: update Linux to 6.18.19, CNI to 1.9.1
038cb8735 feat: enforce PID check on connections to services over file sockets
e2b2dd3ea chore: update go-kubernetes library
9597714f6 fix: add symlinks nvidia-ctk and nvidia-cdi-hook in /usr/bin
8ac47d677 fix: unset rlimits for extension services
b1a02f368 feat: update Kubernetes to 1.36.0-beta.0
362fdc9ec feat: update etcd to 3.6.9
0a47f40b3 fix(machined): clear stale bond ARP/NS targets on decode
86344639f fix: update diff library to v1.0.1
eff89d1ed fix: panics in diff algorithms
8e1c8a7a9 test: fix the apid test against AWS/GCP

Dependency Changes

github.com/fsnotify/fsnotify v1.9.0 -> v1.10.1
github.com/google/go-containerregistry v0.21.5 -> v0.21.6
github.com/klauspost/compress v1.18.5 -> v1.18.6
github.com/minio/minio-go/v7 v7.0.100 -> v7.2.0
github.com/siderolabs/go-blockdevice/v2 v2.0.28 -> v2.0.29
github.com/siderolabs/go-vex 59abb9af79f6 -> v0.1.1
github.com/siderolabs/pkgs v1.13.0-beta.0-14-gb121566 -> v1.14.0-alpha.0-70-g0870a4b
github.com/siderolabs/talos v1.13.0 -> v1.14.0-alpha.1
github.com/siderolabs/talos/pkg/machinery v1.13.0 -> v1.14.0-alpha.1
github.com/sigstore/rekor v1.5.1 -> v1.5.2
github.com/sigstore/sigstore v1.10.5 -> v1.10.7
go.uber.org/zap v1.27.1 -> v1.28.0

Previous release can be found at v1.3.2