siderolabs/talos v1.13.0-alpha.0 on GitHub

Talos 1.13.0-alpha.0 (2025-12-25)

Welcome to the v1.13.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

Component Updates

Linux: 6.18.2
containerd: 2.2.1
etcd: 3.6.7
CoreDNS: 1.13.2
Kubernetes: 1.35.0
Flannel CNI plugin: v1.9.0-flannel1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259
cryptsetup: 2.8.3

Talos is built with Go 1.25.5.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors

Andrey Smirnov
Mateusz Urbanek
Noel Georgi
Dmitrii Sharshakov
Laura Brehm
Bryan Lee
Edward Sammut Alessi
Birger Johan Nordølum
Christopher Puschmann
Jaakko Sirén
Jean-Francois Roy
Joakim Nohlgård
Justin Garrison
Lennard Klein
Michal Baumgartner
Orzelius
Serge van Ginderachter
Skye Soss
dataprolet
eseiker
pranav767

Changes

96 commits

c76484e58 release(v1.13.0-alpha.0): prepare release
f0d8a6851 test: skip the source bundle on exact tag
c57701d65 fix: remove interactive installer
43937c1cd feat: update Linux and systemd
72a194df8 feat: add VM CPU hot-add rules
f09ae1e0d fix: probe small images correctly
8f2b33799 feat: imager support rootless builds
c7525a97e feat: support creating filesystems from folder
e2bffb5ce chore: refactor imager code so it's more clear
0fb50dbd0 fix: invalid versions check in talos-bundle
b5dd56032 test: upgrade versions in upgrade tests
3dfa4d6e4 fix: make upgrade work with SELinux enforcing=1
786c8e2ee feat: ship pigz/igzip in rootfs to speed up image decompression
48d242918 feat: update containerd to 2.2.1
536541afe fix: mount volume mount/unmount race
39117d457 feat: update dependencies
f0f420725 fix: bond setting change detection
8d6a7a867 feat: update Kubernetes to 1.35.0
845a0d09c feat: update etcd 3.6.7, CoreDNS 1.13.2
b95912e04 feat: enforce proc_mem.force_override=never by default
681f3e84c test: run virtiofs tests only when virtiofsd is running
0592ff0cd fix: drop the Omni API URL check on IP address
a4879a5fa feat: update Linux to 6.18.1
43b43ff18 docs: split talosctl commands into groups
6d17c18bf feat: enable Powercap and Intel RAPL
884e76662 docs: fix the talosctl cluster create help output
6dc31be4f fix: exclude new Virtual IPs configured with new config
94905c73e feat(talosctl): support running qemu x86 on Mac
f871ab241 fix: provide json support in nft binary
694f45413 feat: external volumes
39feb16d2 fix: update containerd 2.2.0 with cgroups patch
82027eb9b fix: bond configuration with new settings
121b13b8f fix: disable kexec on arm64
7eaa725d0 fix: selection of boot entry
949bdb90a feat: add Secure Boot to CloudStack platform config
798143a88 fix: discard better klog message from Kubernetes client
008cd0986 fix: disable kexec in talosctl cluster create on arm64
bb62b29ed chore: prepare talos for 1.13
c0935030a chore: fork reference docs for 1.13.x
e387e48b3 fix: do not override DNS on MacOS
1e7e87fb1 fix: rework NFT rules for KubeSpan
51bcfb567 feat: rename image default and source bundle
585abe944 feat: update Kubernetes to v1.35.0-rc.1
f301e3e9b fix: update KubeSpan MSS clamping
74c1df6f4 test: propagate MTU size to QEMU in talosctl cluster create
d347ca1af fix: update CNI plugins to 1.9.0
e3f8196b4 chore: update Grype and Syft
e1b8ab323 docs: add misssing period
cd04c3dde docs: update release notes
fc8ae3249 docs: add omni join token example to create qemu command
9fa00773c chore: update go-blockdevice
ba13b6786 fix: correct condition to use UKI cmdline in GRUB
d2ce3f47f docs: drop machine.network example
cf087c1e0 test: bird2 extension
13df94388 fix: adapt SELinuxSuite.TestNoPtrace to new strace version
861787c38 fix: mark secureboot as supported for metal
04e3e87ad fix: clean up kubelet mounts
21057903a fix: clear provisioning data on SideroLink config change
0f9f4c05f feat: update Kubernetes to 1.35.0-rc.0
d4309d7b1 fix: add a timeout for DNS resolving for NTP
dd6c1089c feat: update Linux to 6.18.0
e9a30bf9a test: revert add direct connectivity CA rotation test
cc95562bc fix: don't disable LACP by default
c9fe4679b test: add platform acquire/not valid config unit-test
5a03a7a20 chore: fix longhorn test
a0cfc3527 feat: implement logs persistence
51b732bea fix: selection of boot entry
18f8ac369 feat: update Kubernetes to 1.35.0-beta.0
92fa7c5e4 chore: update pkgs for NVIDIA 580.105.08
f489299b6 chore: correct condition for running k8s integration tests
ab149750d chore: update tools/pkgs to 1.13.0-alpha.0
87ff9f860 test: fix the image-factory test to pass IF endpoint
2ffe538e7 test: add direct connectivity CA rotation test
70f6b80e0 chore(ci): skip multipath extension tests
561cfb60c chore: update pkgs and tools version
2f42202a7 fix: simplify OOM expression
7b06ae8c2 test: fix flaky LinkSpec/Wireguard test
e715f3871 feat: present kernel log as talosctl logs kernel
e2ee39b8a fix: support specifying patch file without '@' symbol
e202b1f9e fix: trim trailing dots from certificate SANs
7f7079f9c fix: assign value of multicast setting properly
eba96141e feat: update etcd to 3.6.6
9945ceef3 docs: add API Server Cipher Suites changelog
9ed488d09 feat: update TLS cipher suites for API server
f1c04e4d6 feat: generate mirrors patch
a89108995 fix: add CA subject to generated certificate
35dd612a5 fix: add more resilient move
83675838f feat: extend flags of cache-cert-gen
80ab7a064 chore: remove spammy 'clean up unused volumes' logs
74d35900a chore: disable k8s integration tests for 1GiB worker nodes
4f6218674 feat: support TALOS_HOME env var
0c59b3ea3 feat: add multicast to linkconfig
6db06f4d5 feat: implement multicast setting
eeded98f5 fix: add riscv64 talosctl to release artifacts
a6bbae91b fix: fix typos across the project
83f2bdb9c feat: support relative voume size

Changes from siderolabs/pkgs

33 commits

siderolabs/pkgs@972f44d feat: update dependencies
siderolabs/pkgs@f8eb5b0 feat: update Linux to 6.18.2
siderolabs/pkgs@3fb6291 feat: update systemd to 259
siderolabs/pkgs@59241bd fix: add SBOMs for pigz/igzip
siderolabs/pkgs@9377c78 feat: optimize decompression for containerd
siderolabs/pkgs@e8e61ce feat: update containerd to 2.2.1
siderolabs/pkgs@daa74ba feat: support xfs filesystem reproducibility
siderolabs/pkgs@1f66513 feat: update OpenZFS to 2.4.0
siderolabs/pkgs@b209af5 chore: rekres with latest changes
siderolabs/pkgs@2b806b9 feat: bump dependencies
siderolabs/pkgs@65242fd feat: enable CONFIG_MISC_RP1 in ARM64 config
siderolabs/pkgs@4daecd8 feat: update Linux to 6.18.1
siderolabs/pkgs@9868a66 feat: enable Powercap and Intel RAPL
siderolabs/pkgs@07883ee feat: build and package perf binary
siderolabs/pkgs@47abca0 fix: add json support to nftables binary
siderolabs/pkgs@b961ff8 feat: patch containerd 2.2.0 with cgroups fix patch
siderolabs/pkgs@b7dd7f6 feat: add mstflint module
siderolabs/pkgs@ae53351 feat: update ZFS to 2.4.0-rc5
siderolabs/pkgs@b8edf01 feat: update CNI plugins to v1.9.0
siderolabs/pkgs@a57c1b0 feat: enable amd sev-snp
siderolabs/pkgs@68562c1 feat: update Linux to 6.18
siderolabs/pkgs@6f4ff8c feat: enable Amlogic Meson PCIe controller driver
siderolabs/pkgs@c41127b feat: enable Intel GPIO/Pinctrl kernel modules
siderolabs/pkgs@4a31ff7 feat: update NVIDIA LTS to 580.105.08
siderolabs/pkgs@3e858d3 chore: fork pkgs for Talos 1.13
siderolabs/pkgs@dcc5aa1 feat: update runc to 1.3.4
siderolabs/pkgs@8b6ae5b fix: regenerate configs
siderolabs/pkgs@2992598 fix: add missing kernel config entries
siderolabs/pkgs@c8ea18a feat: rekres to alow multiple commits
siderolabs/pkgs@2ddef8b chore: update dependencies
siderolabs/pkgs@d1f28e0 chore: update dependencies
siderolabs/pkgs@ab253f5 feat: enable gpio-fan module
siderolabs/pkgs@0b10666 chore: use ubuntu mirrors

Changes from siderolabs/proto-codec

1 commit

siderolabs/proto-codec@bd9c491 chore: bump and update dependencies

Changes from siderolabs/tools

7 commits

siderolabs/tools@896f8b9 fix: add sbom for zlib-ng
siderolabs/tools@543a16f feat: replace zlib -> zlib-ng, add nasm
siderolabs/tools@b67c1a1 chore: rekres with latest changes
siderolabs/tools@5e087cb feat: bump dependencies
siderolabs/tools@da96a27 chore: rekres to fix reproducibility
siderolabs/tools@e283ec8 feat: update Go to 1.25.5
siderolabs/tools@c38ff0c chore: update to 1.13.0-alpha.0 toolchain

Dependency Changes

github.com/aws/aws-sdk-go-v2/config v1.31.20 -> v1.32.6
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 -> v1.18.16
github.com/aws/aws-sdk-go-v2/service/kms v1.46.0 -> v1.49.4
github.com/aws/smithy-go v1.23.2 -> v1.24.0
github.com/containerd/cgroups/v3 v3.0.5 -> v3.1.0
github.com/containerd/containerd/api v1.9.0 -> v1.10.0
github.com/containerd/containerd/v2 v2.1.5 -> v2.2.0
github.com/containerd/platforms v1.0.0-rc.1 -> v1.0.0-rc.2
github.com/cosi-project/runtime v1.12.0 -> v1.13.0
github.com/diskfs/go-diskfs fc569a00ea19 new
github.com/docker/cli v29.0.0 -> v29.1.3
github.com/gdamore/tcell/v2 v2.9.0 -> v2.13.4
github.com/godbus/dbus/v5 v5.1.0 -> v5.2.0
github.com/google/cadvisor v0.53.0 -> v0.54.1
github.com/google/go-containerregistry v0.20.6 -> v0.20.7
github.com/hetznercloud/hcloud-go/v2 v2.30.0 -> v2.32.0
github.com/klauspost/compress v1.18.1 -> v1.18.2
github.com/linode/go-metadata v0.2.2 -> v0.2.3
github.com/mdlayher/ethtool v0.4.0 -> v0.5.0
github.com/miekg/dns v1.1.68 -> v1.1.69
github.com/moby/moby/client v0.1.0 -> v0.2.1
github.com/siderolabs/go-blockdevice/v2 v2.0.20 -> v2.0.22
github.com/siderolabs/pkgs v1.12.0-23-ge0b78b8 -> v1.13.0-alpha.0-24-g972f44d
github.com/siderolabs/proto-codec v0.1.2 -> v0.1.3
github.com/siderolabs/talos/pkg/machinery v1.12.0 -> v1.13.0-alpha.0
github.com/siderolabs/tools v1.12.0-2-g7d57df0 -> v1.13.0-alpha.0-6-g896f8b9
github.com/sirupsen/logrus v1.9.3 -> dd1b4c2e81af
go.etcd.io/etcd/api/v3 v3.6.6 -> v3.6.7
go.etcd.io/etcd/client/pkg/v3 v3.6.6 -> v3.6.7
go.etcd.io/etcd/client/v3 v3.6.6 -> v3.6.7
go.etcd.io/etcd/etcdutl/v3 v3.6.6 -> v3.6.7
go.uber.org/zap v1.27.0 -> v1.27.1
golang.org/x/net v0.47.0 -> v0.48.0
golang.org/x/oauth2 v0.33.0 -> v0.34.0
golang.org/x/sync v0.18.0 -> v0.19.0
golang.org/x/sys v0.38.0 -> v0.39.0
golang.org/x/term v0.37.0 -> v0.38.0
golang.org/x/text v0.31.0 -> v0.32.0
google.golang.org/grpc v1.76.0 -> v1.77.0
google.golang.org/protobuf v1.36.10 -> v1.36.11

Previous release can be found at v1.12.0

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10.1