siderolabs/talos v1.11.0-alpha.1 on GitHub

Talos 1.11.0-alpha.1 (2025-06-05)

Welcome to the v1.11.0-alpha.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

IMA support removed

Talos now drops the IMA (Integrity Measurement Architecture) support. This feature was not used in Talos for any meaningful security purpose
and has historically caused performance issues. See #11133 for more details.

Qemu provisioner on MacOS

On MacOS talosctl cluster create command now supports the Qemu provisioner in addition to the Docker provisioner.

Component Updates

Linux: 6.12.31
Kubernetes: 1.33.1
runc: 1.3.0
containerd: 2.1.1
Flannel CNI plugin: 1.7.1-flannel1

Talos is built with Go 1.24.3.

Contributors

Andrey Smirnov
Noel Georgi
Orzelius
Orzelius
Spencer Smith
Till Hoffmann
Justin Garrison
Steve Francis
Andrew Longwill
Dmitrii Sharshakov
Marat Bakeev
Olav Thoresen
Utku Ozdemir
Alvaro "Chamo" Linares Cabre
Brian Brookman
Bryan Mora
Clément Nussbaumer
Dennis Marttinen
Dmitriy Matrenichev
Joakim Nohlgård
Justin Seely
Luke Cousins
Marco Mihai Condrache
Markus Reiter
Michael Moerz
Mike
Tan Siewert
Thibault VINCENT
Tom Keur
killcity
yashutanu

Changes

135 commits

81ca27949 release(v1.11.0-alpha.1): prepare release
58a868e68 chore: fix renovate config, add release-gate label
a59aaee84 feat: bump dependencies, Linux 6.12.31
e954ee30a docs: typo correction: LongHorn -> Longhorn
aab053394 fix: mashal resource byte slices as strings in YAML
c7d4191e7 fix: rework the way CRI config generation is waited for
0114183de docs: update lastRelease to 1.10.3
938b0760a docs: update issue template
2a7b735b2 feat: drop IMA support
2d5a805b0 fix: typo in DiscoverdVolume spec
60c12bad9 feat: support nocloud include url userdata directive
0fd622c82 fix(talosctl): correct --help output for dashboard command
a90c936a1 feat: support qemu provisioner on darwin
5322ca0d3 docs: update overlay docs
a60b6322d fix(ci): drop nebula from extensions test
dbbb59a67 docs: add note for default dataDirHostPath for Rook
e26054378 docs: macos qemu provider
5d0224093 docs: use the cilium-cli image repo in the job installation manifest
ff80e4cca docs: fix CIDR name
a5fd15e8b fix(ci): reproducibility test
8f8963e50 docs: update Nexxen brand
c6b86872d fix(ci): iso reproducibility file permissions
995a1dec4 chore: add a check for unsupported darwin flags
9db5d0c97 fix: nocloud metadata for hostname
3cf325654 feat: modularize more arm64 kernel
3524745cc fix: allow any PKI in Talos API
f438cdb09 chore: use custom dhcpd server on macos qemu
11c17fb9a fix: metal-iso reproducibility
7fcb89ee3 chore: add darwin vmnet qemu support
fc1237343 chore: clean up /usr/bin
b551f32ce feat: update containerd to v2.1.1
67f4154f9 docs: update disk-management.md
0cb137ad7 fix: make disk size check work on old Talos
7c057edd5 fix: use vmdk-convert istead of qemu-img to create VMDK for OVA files
cd618dad0 chore: update the go-blockdevice package
0b99631a0 fix: bump apid memory limit
5451f35b1 docs: update virtualbox
bd4d202a5 refactor: bring owned.State from COSI to simplify tests
0b96df574 feat: update containerd to 2.1.0
e1a939144 docs: fix formatting in disk encryption
7a817df1c docs: fix typo
f35b213b2 test: fix DHCP unicast failures in QEMU environment
7064bbf05 docs: fix vmware factory URL
78c33bcdb feat: update default Kubernetes to v1.33.1
da6795266 fix: disable automatic MAC assignment to bridge interfaces
ca34adf58 chore(ci): drop azure keys
ea5de19fa fix: selinux detection
52c76ea3a fix: consistently apply dynamic grpc proxy dialer
aa9569e5d chore: refactor cluster create cmd flags
1161faa05 docs: fix typo in Cilium docs
164745e44 docs: remove preserve flag mention in upgrade notes
9a2ecbaaf fix: makefile operating system param
118aa69d6 chore: update cloud-image-uploader dependencies
acdd721cf chore: dump qemu pachine ipam records on darwin
bb9094534 chore: rotate aws iam credentials
0bfa4ae1b chore: update deps for cloud-image-uploader
956d7c71b chore: update sops keys
e2f819d88 test: fix the process runner log collection
fdac4cfb9 fix: upgrade go-kubernetes for DRA flag bug
09d88e1e8 test: fix some flaky tests
ec1f41a94 chore: make qemu config server bind work on darwin
980f4d2b9 feat: bump dependencies
95259337e fix: k8s 1.32->1.33 upgrade check
c3c326b40 fix: improve volume mounter automaton
918b94d9a refactor: rewrite disk size check
ab7e693d7 chore: make qemu lb address bind work on darwin
97ceab001 fix: multiple logic issues in platform network config controller
46349a9df docs: remove azure image gallery instructions
0cfcdd3de docs: fix search on base talos.dev
78646b4e0 docs: add registryd debug command
c6824c211 fix: deny apply config requests without v1alpha1 in "normal" mode
7df0408e4 fix: interactive installer config gen
881c5d62b fix: suppress duplicate platform config updates
66d77888e fix: replace downloaded asset paths correctly in cluster create cmd
6bd6c9b5a fix: generate iso greater than 4 gig
ac140324e fix: skip PCR extension if TPM1.2 is found
09ef1f8a4 fix: ignore http proxy on grpc socket dial
22a72dc80 chore: split options between three structs
22c34a50f fix(ci): provision cron jobs
b3b20eff3 fix: containerd crashing with sigsegv
f7891c301 chore: calculate vmnet interface name preemptively
ae87edffb fix: drop libseccomp from rootfs
f74a805bb fix: do correct backoff for nocloud reconcile
01bb294af fix(ci): provision tests
e4945be3b docs: add registryd debug command
d8c670ad3 release(v1.11.0-alpha.0): prepare release
ace44ea61 test: update hydrophone to 0.7.0
3a1163692 chore: cross platform qemu preflight checks
7914fb104 chore: move the create command to it's own package
c8e619608 chore: prepare for release 1.11
1299aaa45 chore(ci): add extensions test for Youki runtime
e50ceb221 docs: activate Talos 1.10 docs
9d12aaeb1 test: improve config patch test
106a656b6 chore: make qemu provider build on darwin
8013aa06c test: replace platform metadata test
2b89c2810 fix: relax etcd APIs RBAC requirements
1e677587c fix: preserve kubelet image suffix
62ab8af45 fix: disk image generation with image cache
d60626f01 fix: handle encryption type mismatch
a9109ebd0 feat: allow SideroLink unique token in machine config
2ff3a6e40 feat(kernel): add bcache kernel module to core talos
fa95a2146 fix(ci): bios provision test
f7c5b86be fix: sync PCR extension with volume provisioning lifecycle
f90c79474 chore: show bound driver in pcidevices info
8db34624c fix: handle correctly changing platform network config
77c7a075b feat: update Kubernetes to 1.33.0
74f0c48c7 feat: add version compatibility for Talos 1.11
c4fb7dad0 fix: force DNS runner shutdown on timeout
c49b4836e docs: hetzner: add note about public iso
16ea2b113 docs: add what is new for 1.10
be3f0c018 fix: fix Gvisor tests with containerd patch
37db132b3 chore(ci): add provision test with bios
ec60b70e7 fix: set media type to OCI for image cache layer
a471eb31b feat: update Linux 6.12.24, containerd 2.0.5
54ad5b872 fix: extension services logging to console
601f036ba docs: correct flannel extra args example
ae94377d1 feat: support encryption config for user volumes
9616f6e8d docs: add caveat for kubespan and host ports
a1d08a362 docs: fixes typo at OpenEBS Mayastor worker patches
a91e8726e docs: add a dark theme
c76189c58 fix: grub EFI mount point
4ca985c65 fix: grub efi platform install
b31260281 docs: update storage.md
396a29040 feat: add new SBCs
a902f6580 feat: update Flannel to v0.26.7
2bbefec1a docs: use cache in preview
6028a8d2d docs: update kubeprism.md
e51a8ef8c fix: prefer new MountStatus resource
d9c7e7946 docs: fix search
b32fa029b feat: update Kubernetes to 1.33.0-rc.1
f0ea478cb feat: support address priority
8cd3c8dc7 test: fix NVIDIA OSS tests
62f2d27cd docs: update virtualbox.md
141326ea3 docs: fix tabpane styling
134aa53cc feat: update base CoreDNS code in host DNS to 1.12.1

Changes since v1.11.0-alpha.0

85 commits

81ca27949 release(v1.11.0-alpha.1): prepare release
58a868e68 chore: fix renovate config, add release-gate label
a59aaee84 feat: bump dependencies, Linux 6.12.31
e954ee30a docs: typo correction: LongHorn -> Longhorn
aab053394 fix: mashal resource byte slices as strings in YAML
c7d4191e7 fix: rework the way CRI config generation is waited for
0114183de docs: update lastRelease to 1.10.3
938b0760a docs: update issue template
2a7b735b2 feat: drop IMA support
2d5a805b0 fix: typo in DiscoverdVolume spec
60c12bad9 feat: support nocloud include url userdata directive
0fd622c82 fix(talosctl): correct --help output for dashboard command
a90c936a1 feat: support qemu provisioner on darwin
5322ca0d3 docs: update overlay docs
a60b6322d fix(ci): drop nebula from extensions test
dbbb59a67 docs: add note for default dataDirHostPath for Rook
e26054378 docs: macos qemu provider
5d0224093 docs: use the cilium-cli image repo in the job installation manifest
ff80e4cca docs: fix CIDR name
a5fd15e8b fix(ci): reproducibility test
8f8963e50 docs: update Nexxen brand
c6b86872d fix(ci): iso reproducibility file permissions
995a1dec4 chore: add a check for unsupported darwin flags
9db5d0c97 fix: nocloud metadata for hostname
3cf325654 feat: modularize more arm64 kernel
3524745cc fix: allow any PKI in Talos API
f438cdb09 chore: use custom dhcpd server on macos qemu
11c17fb9a fix: metal-iso reproducibility
7fcb89ee3 chore: add darwin vmnet qemu support
fc1237343 chore: clean up /usr/bin
b551f32ce feat: update containerd to v2.1.1
67f4154f9 docs: update disk-management.md
0cb137ad7 fix: make disk size check work on old Talos
7c057edd5 fix: use vmdk-convert istead of qemu-img to create VMDK for OVA files
cd618dad0 chore: update the go-blockdevice package
0b99631a0 fix: bump apid memory limit
5451f35b1 docs: update virtualbox
bd4d202a5 refactor: bring owned.State from COSI to simplify tests
0b96df574 feat: update containerd to 2.1.0
e1a939144 docs: fix formatting in disk encryption
7a817df1c docs: fix typo
f35b213b2 test: fix DHCP unicast failures in QEMU environment
7064bbf05 docs: fix vmware factory URL
78c33bcdb feat: update default Kubernetes to v1.33.1
da6795266 fix: disable automatic MAC assignment to bridge interfaces
ca34adf58 chore(ci): drop azure keys
ea5de19fa fix: selinux detection
52c76ea3a fix: consistently apply dynamic grpc proxy dialer
aa9569e5d chore: refactor cluster create cmd flags
1161faa05 docs: fix typo in Cilium docs
164745e44 docs: remove preserve flag mention in upgrade notes
9a2ecbaaf fix: makefile operating system param
118aa69d6 chore: update cloud-image-uploader dependencies
acdd721cf chore: dump qemu pachine ipam records on darwin
bb9094534 chore: rotate aws iam credentials
0bfa4ae1b chore: update deps for cloud-image-uploader
956d7c71b chore: update sops keys
e2f819d88 test: fix the process runner log collection
fdac4cfb9 fix: upgrade go-kubernetes for DRA flag bug
09d88e1e8 test: fix some flaky tests
ec1f41a94 chore: make qemu config server bind work on darwin
980f4d2b9 feat: bump dependencies
95259337e fix: k8s 1.32->1.33 upgrade check
c3c326b40 fix: improve volume mounter automaton
918b94d9a refactor: rewrite disk size check
ab7e693d7 chore: make qemu lb address bind work on darwin
97ceab001 fix: multiple logic issues in platform network config controller
46349a9df docs: remove azure image gallery instructions
0cfcdd3de docs: fix search on base talos.dev
78646b4e0 docs: add registryd debug command
c6824c211 fix: deny apply config requests without v1alpha1 in "normal" mode
7df0408e4 fix: interactive installer config gen
881c5d62b fix: suppress duplicate platform config updates
66d77888e fix: replace downloaded asset paths correctly in cluster create cmd
6bd6c9b5a fix: generate iso greater than 4 gig
ac140324e fix: skip PCR extension if TPM1.2 is found
09ef1f8a4 fix: ignore http proxy on grpc socket dial
22a72dc80 chore: split options between three structs
22c34a50f fix(ci): provision cron jobs
b3b20eff3 fix: containerd crashing with sigsegv
f7891c301 chore: calculate vmnet interface name preemptively
ae87edffb fix: drop libseccomp from rootfs
f74a805bb fix: do correct backoff for nocloud reconcile
01bb294af fix(ci): provision tests
e4945be3b docs: add registryd debug command

Changes from siderolabs/crypto

2 commits

siderolabs/crypto@17107ae fix: add generic CSR generator and OpenSSL interop
siderolabs/crypto@53659fc refactor: split into files

Changes from siderolabs/gen

1 commit

siderolabs/gen@7c0324f chore: future-proof HashTrieMap

Changes from siderolabs/go-circular

1 commit

siderolabs/go-circular@5b39ef8 fix: do not log error if chunk zero was never written

Changes from siderolabs/go-kubernetes

2 commits

siderolabs/go-kubernetes@9070be4 fix: remove DynamicResourceAllocation feature gate
siderolabs/go-kubernetes@8cb588b fix: k8s 1.32->1.33 upgrade check

Changes from siderolabs/pkgs

33 commits

siderolabs/pkgs@79bfa9e feat: update NVIDIA drivers to 570.148.08
siderolabs/pkgs@c8b8bd8 feat: bump dependencies
siderolabs/pkgs@54bf03e feat: update Linux to 6.12.31
siderolabs/pkgs@93b3aaa feat: add patch for CephFS IMA performance regression
siderolabs/pkgs@ebd6627 feat: disable IMA support
siderolabs/pkgs@8aad53b feat: add CONFIG_NFT_CONNLIMIT to kernel
siderolabs/pkgs@7a299fa feat: update Linux to 6.12.30
siderolabs/pkgs@8c4603e feat: move more configs to modules on arm64
siderolabs/pkgs@7b1183b feat(kernel): enable IB user-space management and RDMA
siderolabs/pkgs@1b1430e fix: drop pcre2 binaries
siderolabs/pkgs@487610c fix: drop broken symlinks
siderolabs/pkgs@f31d518 fix: clean up some binaries
siderolabs/pkgs@0f74b9b feat: update containerd to v2.1.1
siderolabs/pkgs@89b4037 fix: tenstorrent pkg name
siderolabs/pkgs@a14b544 chore: drop qemu-tools vmdk support
siderolabs/pkgs@2563e47 feat: add tenstorrent package
siderolabs/pkgs@2a1c42f fix(renovate): flannel config
siderolabs/pkgs@bfa69a8 feat: add open-vmdk package
siderolabs/pkgs@9f1ba1f fix: bring back updated containerd gvisor patch
siderolabs/pkgs@1567cb6 feat: update Linux 6.12.28, firmware
siderolabs/pkgs@9bc66e6 feat: update containerd to 2.1.0
siderolabs/pkgs@c6b54e0 feat: enable zswap
siderolabs/pkgs@4cd7084 feat: update dependencies
siderolabs/pkgs@a3fcbf8 feat(kernel): enable panthor driver
siderolabs/pkgs@74d1665 feat: update ZFS to 2.3.2
siderolabs/pkgs@ddc866b feat: update Linux to 6.12.27
siderolabs/pkgs@a347857 fix: build containerd with Go 1.23
siderolabs/pkgs@74da85c fix: containerd build doesn't need seccomp
siderolabs/pkgs@4effa05 fix: downgrade libseccomp to 2.5.5
siderolabs/pkgs@9cea00b feat: update Linux to 6.12.25
siderolabs/pkgs@cb108a5 feat(kernel): enable bcache module
siderolabs/pkgs@d042432 fix: backport sandbox fix for Gvisor
siderolabs/pkgs@fa625dc feat: update Linux 6.12.24, containerd 2.0.5

Changes from siderolabs/siderolink

1 commit

siderolabs/siderolink@d2a79e0 fix: clean up device on failure

Changes from siderolabs/tools

3 commits

siderolabs/tools@af3fd64 feat: update dependencies
siderolabs/tools@e35234b feat: update dependencies
siderolabs/tools@c96a4e6 chore: update toolchain to the latest version

Dependency Changes

cloud.google.com/go/compute/metadata v0.6.0 -> v0.7.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 -> v1.10.0
github.com/containerd/containerd/api v1.8.0 -> v1.9.0
github.com/containerd/containerd/v2 v2.0.5 -> v2.1.1
github.com/containernetworking/plugins v1.6.2 -> v1.7.1
github.com/cosi-project/runtime v0.10.2 -> v0.10.6
github.com/detailyang/go-fallocate 432fa640bd2e new
github.com/docker/cli v28.0.4 -> v28.2.2
github.com/docker/docker v28.0.4 -> v28.2.2
github.com/google/cel-go v0.24.1 -> v0.25.0
github.com/google/go-containerregistry v0.20.3 -> v0.20.5
github.com/google/go-tpm v0.9.3 -> v0.9.5
github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.1 -> v2.3.2
github.com/hetznercloud/hcloud-go/v2 v2.21.0 -> v2.21.1
github.com/linode/go-metadata v0.2.1 -> v0.2.2
github.com/miekg/dns v1.1.65 -> v1.1.66
github.com/prometheus/procfs v0.16.0 -> v0.16.1
github.com/rivo/tview 949945f8d922 -> 0c592cd31026
github.com/safchain/ethtool v0.5.10 -> v0.6.1
github.com/siderolabs/crypto v0.5.1 -> v0.6.0
github.com/siderolabs/gen v0.8.0 -> v0.8.1
github.com/siderolabs/go-blockdevice/v2 v2.0.16 -> v2.0.18
github.com/siderolabs/go-circular v0.2.2 -> v0.2.3
github.com/siderolabs/go-kubernetes v0.2.21 -> v0.2.23
github.com/siderolabs/pkgs v1.10.0-5-g48dba3e -> v1.11.0-alpha.0-32-g79bfa9e
github.com/siderolabs/siderolink v0.3.13 -> v0.3.14
github.com/siderolabs/talos/pkg/machinery v1.10.0 -> v1.11.0-alpha.1
github.com/siderolabs/tools v1.10.0 -> v1.11.0-alpha.0-2-gaf3fd64
golang.org/x/net v0.39.0 -> v0.40.0
golang.org/x/oauth2 v0.29.0 -> v0.30.0
golang.org/x/sync v0.13.0 -> v0.14.0
golang.org/x/sys v0.32.0 -> v0.33.0
golang.org/x/term v0.31.0 -> v0.32.0
golang.org/x/text v0.24.0 -> v0.25.0
google.golang.org/grpc v1.71.1 -> v1.72.2
k8s.io/api v0.33.0 -> v0.33.1
k8s.io/apimachinery v0.33.0 -> v0.33.1
k8s.io/apiserver v0.33.0 -> v0.33.1
k8s.io/client-go v0.33.0 -> v0.33.1
k8s.io/component-base v0.33.0 -> v0.33.1
k8s.io/kube-scheduler v0.33.0 -> v0.33.1
k8s.io/kubectl v0.33.0 -> v0.33.1
k8s.io/kubelet v0.33.0 -> v0.33.1
k8s.io/pod-security-admission v0.33.0 -> v0.33.1
sigs.k8s.io/hydrophone b92baf7e0b04 -> v0.7.0

Previous release can be found at v1.10.0

Images

ghcr.io/siderolabs/flannel:v0.26.7
registry.k8s.io/coredns/coredns:v1.12.1
gcr.io/etcd-development/etcd:v3.5.21
registry.k8s.io/kube-apiserver:v1.33.1
registry.k8s.io/kube-controller-manager:v1.33.1
registry.k8s.io/kube-scheduler:v1.33.1
registry.k8s.io/kube-proxy:v1.33.1
ghcr.io/siderolabs/kubelet:v1.33.1
ghcr.io/siderolabs/installer:v1.11.0-alpha.1
registry.k8s.io/pause:3.10