Talos 1.3.0-alpha.0 (2022-09-28)
Welcome to the v1.3.0-alpha.0 release of Talos!
This is a pre-release of Talos.
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
kube-apiserver Audit Policy
Talos now supports setting custom audit policy for kube-apiserver
in the machine configuration.
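A sketch of what such a policy can look like, as an added example that is not taken from the Talos release notes. It assumes the policy is set under `cluster.apiServer.auditPolicy` (the field path in the Talos machine configuration reference), and the rules themselves are illustrative choices.

```yaml
# Added example: machine configuration patch for control plane nodes.
# The field path cluster.apiServer.auditPolicy is an assumption based on the
# Talos machine configuration reference; the rule set is illustrative.
cluster:
  apiServer:
    auditPolicy:
      apiVersion: audit.k8s.io/v1
      kind: Policy
      # Skip the RequestReceived stage to avoid a duplicate event per request.
      omitStages:
        - RequestReceived
      rules:
        # Health and version probes are high-volume and low-value.
        - level: None
          nonResourceURLs:
            - /healthz*
            - /livez*
            - /readyz*
            - /version
        # Never record request or response bodies for objects holding credentials.
        - level: Metadata
          resources:
            - group: ""
              resources: ["secrets", "configmaps", "serviceaccounts/token"]
            - group: authentication.k8s.io
              resources: ["tokenreviews"]
        # Full bodies for RBAC changes, so privilege grants can be reconstructed.
        - level: RequestResponse
          verbs: ["create", "update", "patch", "delete"]
          resources:
            - group: rbac.authorization.k8s.io
        # Everything else: who did what and when, without payloads.
        - level: Metadata
```

Audit rules are evaluated in order and the first match wins, so the credential rule must stay above any broader rule that logs at `Request` or `RequestResponse` level.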
etcd Consistency Check
Talos enables the --experimental-compact-hash-check-enabled option by default to improve
etcd store consistency guarantees.
This option is only available with etcd >= v3.5.5, so Talos doesn't support versions of etcd before v3.5.5.
Kernel Modules
Talos now supports setting kernel module parameters.
For example:
machine:
  kernel:
    modules:
      - name: "br_netfilter"
        parameters:
          - nf_conntrack_max=131072
Nano Pi R4S
Talos now supports the Nano Pi R4S SBC.
Raspberry Generic Images
The Raspberry Pi 4 specific image has been deprecated and will be removed in the v1.4 release of Talos.
Talos now ships a generic Raspberry Pi image that should support more Raspberry Pi variants.
Refer to the docs at https://www.talos.dev/v1.3/talos-guides/install/single-board-computers/rpi_generic/ to find which ones are supported.
Component Updates
- Kubernetes: v1.26.0-alpha.1
- Flannel: v0.19.2
- CoreDNS: v1.10.0
- etcd: v3.5.5
- Linux: 5.15.70
Contributors
- Andrey Smirnov
- Noel Georgi
- Artem Chernyshev
- Dmitriy Matrenichev
- Alexey Palazhchenko
- Serge Logvinov
- Andrew Rynhard
- Utku Ozdemir
- Kris Reeves
- Marvin Drees
- Philipp Sauter
- Branden Cash
- Matt Zahorik
- Olli Janatuinen
- Pau Campana
- Sander Maijers
- Seán C McCord
- Spencer Smith
- Steve Francis
- Tim Jones
Changes
106 commits
- 67cc45ae3 release(v1.3.0-alpha.0): prepare release
- 18c377a4d feat: customize audit policy
- 23c9ea46b fix: raspberry pi install
- f17cdee16 feat: jsonpath filter for talosctl get outputs
- 6bd3cca1a chore: generic raspberry pi images
- d914ab8bb chore: add vulncheck tool as a linter
- a0151aa13 feat: add generic rpi u-boot support
- 30f851d09 chore: bump dependences
- 8b2235c3b fix: lookup Equinix Metal bond slaves using 'permanent addr'
- b3257ebb1 chore: bump kernel to 5.15.70
- 0b2767c16 feat: implement 'permanent addr' in link statuses
- c90e20251 fix: kubeconfig permission
- fc48849d0 chore: move maps/slices/ordered to gen module
- 8b09bd4b0 feat: update Kubernetes to v1.26.0-alpha.1
- 276d4175b chore: bump extension versions in testing
- 357b770cb fix: cryptsetup delete slot
- 711128839 fix: continue applying bootstrap manifests on some errors
- ce12c7b38 chore: update COSI runtime to v0.2.0-alpha.1
- 1b435c0b3 chore: bump kernel + ice drivers
- 18e041f1e docs: fix typo in patching example
- 0ad6452ca feat: update CoreDNS to v1.10.0
- 479f3f52e chore: bump dependencies
- e07c6ae99 feat: update Kubernetes to v1.25.1
- 13fdfaffc test: fix up default branch name
- ef181321a docs: add component diagram; K8s & Talos Linux
- aade73643 docs: fix missing variable in OpenEBS docs
- 472590aa8 chore: return InvalidArgument on invalid config in maintenance mode
- e5cabd42c feat: enable etcd consistency hashcheck
- 015535d90 fix: update discovery client with the redirect fix
- d0c8e7699 chore: bump kernel and go
- 985b0c2e7 chore: remove go.work.sum
- 69124f102 feat: update etcd to v3.5.5
- 1985a796c docs: update docs for pod security
- 94b088f02 fix: set etcd options consistently
- 92ae7ef4b fix: fix protoenc encoding for enums and types with custom encoders
- 93809017c docs: cpu scaling governor knowledgebase
- 7b270ff33 test: fix api controller test
- 2dadcd669 fix: stop worker nodes from acting as apid routers
- 9eaf33f3f fix: never sign client certificate requests in trustd
- 436749124 feat: environment vars for extension service
- 0c0cb671e chore: mark machine configuration validation failure as InvalidArgument
- f424e5340 fix: stop containers more thoroughly
- 12827b861 chore: move "implements" checks to compile time
- 3a67c42cb fix: kill the task processes when cleaning up stale task
- 14a79e325 chore: bump dependencies
- 9beee92e7 docs: fix double vv in Kubernetes version
- 688272515 fix: use different username for Talos Kubernetes API access
- 161a52a9e feat: check apid client certificate extended key usage
- 9dadc4a59 fix: include all node addresses into etcd cert SANs
- 71bfd3e43 feat: update CoreDNS to 1.9.4
- 9df8f1ff1 fix: list COSI APIs for the apid authenticator
- 31462450f fix: pass a pointer to specs.Mount into protoenc.Marshal
- e626540df chore: avoid double API request logging in trustd
- f62d17125 chore: update crypto to use new import path siderolabs/crypto
- ef27dd855 chore: bump dependencies
- 6472ae00b fix: automatically discard VIPs for etcd advertised addresses
- 5e21cca52 feat: support setting kernel parameters
- bd56621cd feat: add structprotogen tool
- cdb6bb2cc feat: add Nano Pi R4S support
- 36c1f1d6e fix: flip the client-server version check
- cd6c53a97 docs: fork docs for v1.3
- 0847400f7 fix: prevent panic on health check if a member has no IPs
- 7471d7f01 feat: update Flannel to v0.19.2
- 148c75cfb docs: consolidate the control-plane documentation
- 353154281 fix: drop kube-system SA default binding
- 4f37b668b chore: remove capi hacks
- 1369afea8 docs: make 1.2.0 docs default ones
- 7627cb0e3 docs: add new talosctl gen secrets
- 8aa60a37a chore: bump kernel to 5.15.64
- a798dbd5d docs: update docs for upcoming 1.2.0 release
- b2fec3c97 fix: properly handle configContext being nil in Talos client
- 1c0977b3a fix: change the type of returned gRPC connection object from the client
- 41848e421 fix: expose Talos client gRPC connection via the function Conn
- 2e9be4af8 chore: bump dependencies
- d283aba3a test: fix cli reboot test
- 0b339a9dc feat: track progress of action API calls
- 072349812 fix: update COSI to the version with gRPC Wait fix
- 89d57aa81 fix: always abort the maintenance service
- f6fa74619 fix: limit apid backoff max delay
- d7ef346db fix: get command in the case 'nodes' are not set in the context
- 4e9c32256 fix: correctly render hosts.toml with multiple endpoints
- cdd0f08bc feat: check client <> server version in some Talos commands
- 446b0af58 chore: bump kernel and runc
- 8c203ce9b feat: remove the machine from the discovery service on reset
- b59ca5810 chore: move from inet.af/netaddr to net/netip and go4.org/netipx
- 053af1d59 fix: update etcd certificates when node addresses changes
- 11edb2c6f test: re-enable upgrade tests
- 0310e2089 chore: bump github.com/siderolabs/protoenc to v0.1.5
- 29bd63240 chore: remove old build tags syntax
- b500d0aa9 chore: bump k8s to v1.25.0
- 29e574be7 docs: update to v1.2.0-beta.1
- 26b549f2a chore: bump dependencies
- 8c3ac4c42 chore: limit GOMAXPROCS for Talos services
- 361e85b74 fix: properly read kexec disabled sysctl
- cfe6c2bc2 docs: nvidia oss drivers
- 2f2d97b6b fix: don't wait for the hostname in maintenance mode
- b15a63924 chore: bump kernel to 5.15.62
- a0d94be30 fix: stable default hostname bias
- da4cd34ef feat: update etcd advertised peer addresses on the fly
- faf92ce01 chore: bump kubernetes to v1.25.0-rc.1
- 52de919e3 chore: bump containerd to v1.6.8
- 7d43fc79b fix: make 'ca', 'crt' and 'key' flags optional for 'talosctl config add'
- fd467e02c fix: handle grub config being empty in the Revert function
- 9492aca65 fix: clean up cancelCtxMu leftovers in PriorityLock
- 61e3eb2ea fix: talosctl edit mc loop
- 32db7a7f5 fix: surround cancelCtx with the mutex
Changes from siderolabs/crypto
27 commits
- siderolabs/crypto@c3225ee feat: allow CSR template subject field to be overridden
- siderolabs/crypto@8570669 chore: rename to siderolabs/crypto
- siderolabs/crypto@e9df1b8 feat: add support for generating keys from RSA-SHA256 CAs
- siderolabs/crypto@510b0d2 chore: add json tags
- siderolabs/crypto@6fa2d93 fix: deepcopy nil fields as nil
- siderolabs/crypto@9a63cba fix: add back support for generating ECDSA keys with P-256 and SHA512
- siderolabs/crypto@893bc66 fix: use SHA256 for ECDSA-P256
- siderolabs/crypto@deec8d4 chore: implement DeepCopy methods for PEMEncoded* types
- siderolabs/crypto@d3cb772 feat: make possible to change KeyUsage
- siderolabs/crypto@6bc5bb5 chore: remove unused argument
- siderolabs/crypto@cd18ef6 feat: add support for several organizations
- siderolabs/crypto@97c888b chore: add options to CSR
- siderolabs/crypto@7776057 chore: fix typos
- siderolabs/crypto@80df078 chore: remove named result parameters
- siderolabs/crypto@15bdd28 chore: minor updates
- siderolabs/crypto@4f80b97 fix: verify CSR signature before issuing a certificate
- siderolabs/crypto@39584f1 feat: support for key/certificate types RSA, Ed25519, ECDSA
- siderolabs/crypto@cf75519 fix: function NewKeyPair should create certificate with proper subject
- siderolabs/crypto@751c95a feat: add 'PEMEncodedKey' which allows to transport keys in YAML
- siderolabs/crypto@562c3b6 feat: add support for public RSA key in RSAKey
- siderolabs/crypto@bda0e9c feat: enable more conversions between encoded and raw versions
- siderolabs/crypto@e0dd56a feat: add NotBefore option for x509 cert creation
- siderolabs/crypto@12a4897 feat: add support for SPKI fingerprint generation and matching
- siderolabs/crypto@d0c3eef fix: implement NewKeyPair
- siderolabs/crypto@196679e feat: move pkg/grpc/tls from github.com/talos-systems/talos as ./tls
- siderolabs/crypto@1ff6242 chore: initial version as imported from talos-systems/talos
- siderolabs/crypto@835063e chore: initial commit
Changes from siderolabs/discovery-api
3 commits
- siderolabs/discovery-api@5b0c5e7 chore: rename to siderolabs, rekres, etc
- siderolabs/discovery-api@db279ef feat: initial set of APIs and generated files
- siderolabs/discovery-api@ac52a37 chore: initial commit
Changes from siderolabs/discovery-client
Changes from siderolabs/gen
4 commits
- siderolabs/gen@726e066 fix: rename tuples.go to pair.go and set proper package name
- siderolabs/gen@d8d7d25 chore: minor additions
- siderolabs/gen@338a650 chore: add initial implementation and documentation
- siderolabs/gen@4fd8667 Initial commit
Changes from siderolabs/go-blockdevice
55 commits
- siderolabs/go-blockdevice@dcf6044 chore: rekres and rename
- siderolabs/go-blockdevice@9c4af49 fix: cryptsetup remove slot
- siderolabs/go-blockdevice@74ea471 feat: add freebsd stubs
- siderolabs/go-blockdevice@9fa801c feat: add ReadOnly attribute to Disk
- siderolabs/go-blockdevice@fccee8b chore: rekres the source, fix issues
- siderolabs/go-blockdevice@d9c3a27 feat: support probing FAT12/FAT16 filesystems
- siderolabs/go-blockdevice@b374eb4 fix: align partition to 1M boundary by default
- siderolabs/go-blockdevice@ec428fe fix: lookup filesystem labels on the actual device path
- siderolabs/go-blockdevice@7b9de26 feat: read symlink fullpath in block device list function
- siderolabs/go-blockdevice@6928ee4 refactor: rewrite GPT serialize/deserialize functions
- siderolabs/go-blockdevice@0c7e429 refactor: simplify middle endian functions
- siderolabs/go-blockdevice@15b182d fix: return partition table not exist when trying to read an empty dev
- siderolabs/go-blockdevice@b9517d5 fix: resize partition
- siderolabs/go-blockdevice@70d2865 fix: try to find cdrom disks
- siderolabs/go-blockdevice@667bf53 fix: revert gpt partition not found
- siderolabs/go-blockdevice@d7d4cdd fix: gpt partition not found
- siderolabs/go-blockdevice@33afba3 fix: also open in readonly mode when running All lookup method
- siderolabs/go-blockdevice@e367f9d feat: make probe always open blockdevices in readonly mode
- siderolabs/go-blockdevice@d981156 fix: allow Build for Windows
- siderolabs/go-blockdevice@fe24303 fix: perform correct PMBR partition calculations
- siderolabs/go-blockdevice@2ec0c3c fix: preserve the PMBR bootable flag when opening GPT partition
- siderolabs/go-blockdevice@87816a8 feat: align partition to minimum I/O size
- siderolabs/go-blockdevice@c34b59f feat: expose more encryption options in the LUKS module
- siderolabs/go-blockdevice@30c2bc3 feat: mark MBR bootable
- siderolabs/go-blockdevice@1292574 fix: make disk type matcher parser case insensitive
- siderolabs/go-blockdevice@b77400e fix: properly detect nvme and sd card disk types
- siderolabs/go-blockdevice@1d830a2 fix: revert mark the EFI partition in PMBR as bootable
- siderolabs/go-blockdevice@bec914f fix: mark the EFI partition in PMBR as bootable
- siderolabs/go-blockdevice@776b37d feat: add options to probe disk by various sysblock parameters
- siderolabs/go-blockdevice@bb3ad73 fix: align partition start to physical sector size
- siderolabs/go-blockdevice@8f976c2 feat: replace exec.Command with go-cmd module
- siderolabs/go-blockdevice@1cf7f25 fix: properly handle no child processes error from cmd.Wait
- siderolabs/go-blockdevice@04a9851 feat: implement luks encryption provider
- siderolabs/go-blockdevice@b0375e4 feat: add an option to open block device with exclusive flock
- siderolabs/go-blockdevice@5a1c7f7 refactor: add devname into gpt.Partition, refactor probe package
- siderolabs/go-blockdevice@f2728a5 fix: keep contents of PMBR when writing it
- siderolabs/go-blockdevice@2878460 fix: write second copy of partition entries
- siderolabs/go-blockdevice@943b08b fix: blockdevice reset should read partition table from disk
- siderolabs/go-blockdevice@5b4ee44 fix: ignore /dev/ram devices
- siderolabs/go-blockdevice@98754ec refactor: rewrite GPT library
- siderolabs/go-blockdevice@2a1baad fix: correctly build paths for mmcblk devices
- siderolabs/go-blockdevice@8076344 fix: return proper disk size from GetDisks function
- siderolabs/go-blockdevice@8742133 chore: add common method to list available disks using /sys/block
- siderolabs/go-blockdevice@c4b5833 feat: implement "fast" wipe
- siderolabs/go-blockdevice@b4e67d7 feat: return resize status from Resize() function
- siderolabs/go-blockdevice@ceae64e fix: sync kernel partition table incrementally
- siderolabs/go-blockdevice@2cb9516 fix: return correct error value from blkpg functions
- siderolabs/go-blockdevice@cebe43d refactor: expose InsertAt method via interface
- siderolabs/go-blockdevice@c40dcd8 fix: properly inform kernel about partition deletion
- siderolabs/go-blockdevice@bb8ac5d feat: implement disk wiping via several methods
- siderolabs/go-blockdevice@23fb7dc feat: expose partition name (label)
- siderolabs/go-blockdevice@ff3a821 feat: implement 'InsertAt' method to insert partitions at any position
- siderolabs/go-blockdevice@3d1ce4f fix: calculate last lba of partition correctly
- siderolabs/go-blockdevice@b71540f feat: copy initial version from talos-systems/talos
- siderolabs/go-blockdevice@ca3c078 Initial commit
Changes from siderolabs/pkgs
26 commits
- siderolabs/pkgs@0ac7773 chore: use generic raspberry pi u-boot
- siderolabs/pkgs@d5633d4 chore: bump kernel to 5.15.70
- siderolabs/pkgs@39c0d43 feat: add generic rpi_arm64_defconfig configuration
- siderolabs/pkgs@ed269ca chore: bump kernel to 5.15.69
- siderolabs/pkgs@f2f8333 fix: no slack notifications on failure
- siderolabs/pkgs@6f0af33 chore: disable drone slack pipeline for renovate
- siderolabs/pkgs@32aea3f chore: disable drone for renovate/dependabot
- siderolabs/pkgs@44579f0 fix: rollback xfsprogs to 5.18.0
- siderolabs/pkgs@792c0e3 feat: add gasket driver package
- siderolabs/pkgs@07f1898 chore: update deps
- siderolabs/pkgs@f78f410 chore: enable conntrack zones and timestamps
- siderolabs/pkgs@049b3c6 chore: enable intel ice drivers
- siderolabs/pkgs@606ff32 chore: bump deps
- siderolabs/pkgs@eee5c8a chore: disable irc in conntrack
- siderolabs/pkgs@70e6c46 chore: bump kernel to 5.15.64
- siderolabs/pkgs@e510321 chore: update renovate config
- siderolabs/pkgs@d1fa510 feat: enable renovate bot
- siderolabs/pkgs@e427a77 chore: bump runc to v1.1.4
- siderolabs/pkgs@40e1215 chore: enable nfsv4.2 client support
- siderolabs/pkgs@15efada chore: bump kernel to 5.15.63
- siderolabs/pkgs@e70e3c1 fix: nvidia oss pkg name
- siderolabs/pkgs@30b8d79 chore: bump kernel to 5.15.62
- siderolabs/pkgs@862c392 chore: bump gcc to 12.2.0
- siderolabs/pkgs@2ecd14e fix: containerd version
- siderolabs/pkgs@01df058 feat: add NanoPi R4S configuration
- siderolabs/pkgs@d4cb33b chore: bump containerd to v1.6.8
Changes from siderolabs/tools
15 commits
- siderolabs/tools@5df6589 chore: disable drone for renovate/dependabot
- siderolabs/tools@1f00d2e fix: revert gawk to 5.1.1
- siderolabs/tools@feeda1f chore: bump grpc-go
- siderolabs/tools@8542014 chore: bump deps
- siderolabs/tools@e5c4968 chore: update renovate config
- siderolabs/tools@f34f94d chore: update renovate config
- siderolabs/tools@cef4cc6 chore: update renovate config
- siderolabs/tools@bab8e9e chore: add libbpf to tools
- siderolabs/tools@0a15f7b chore: build pahole properly
- siderolabs/tools@a322d06 chore: remove img
- siderolabs/tools@c7ff47b feat: enable renovate dependency updates (3/3)
- siderolabs/tools@6e095cf feat: enable renovate dependency updates (2/n)
- siderolabs/tools@bad1ad1 feat: add renovatebot
- siderolabs/tools@7d6f9c3 chore: bump gcc to 12.2.0
- siderolabs/tools@2719b4b chore: bump toolchain
Dependency Changes
- cloud.google.com/go/compute v1.8.0 -> v1.10.0
- github.com/aws/aws-sdk-go v1.44.76 -> v1.44.105
- github.com/cosi-project/runtime v0.1.1 -> v0.2.0-alpha.1
- github.com/docker/docker v20.10.17 -> v20.10.18
- github.com/google/go-cmp v0.5.8 -> v0.5.9
- github.com/google/nftables 2eca00135732 -> cbeb0fb1eccf
- github.com/hetznercloud/hcloud-go v1.35.2 -> v1.35.3
- github.com/insomniacslk/dhcp 509691fd59ec -> 043f1726f02e
- github.com/mdlayher/ethtool 856bd6cb8a38 -> 0e16326d06d1
- github.com/mdlayher/netlink v1.6.0 -> v1.6.2
- github.com/opencontainers/image-spec c5a74bcca799 -> v1.1.0-rc1
- github.com/packethost/packngo v0.25.0 -> v0.26.0
- github.com/rivo/tview 0e6b21a48e96 -> 2e69b7385a37
- github.com/siderolabs/crypto v0.4.0 new
- github.com/siderolabs/discovery-api v0.1.1 new
- github.com/siderolabs/discovery-client v0.1.1 -> v0.1.2
- github.com/siderolabs/gen v0.2.0 new
- github.com/siderolabs/go-blockdevice v0.4.0 new
- github.com/siderolabs/pkgs v1.2.0-8-g970860d -> v1.3.0-alpha.0-25-g0ac7773
- github.com/siderolabs/tools v1.2.0 -> v1.3.0-alpha.0-14-g5df6589
- github.com/vmware-tanzu/sonobuoy v0.56.9 -> v0.56.10
- go.etcd.io/etcd/api/v3 v3.5.4 -> v3.5.5
- go.etcd.io/etcd/client/pkg/v3 v3.5.4 -> v3.5.5
- go.etcd.io/etcd/client/v3 v3.5.4 -> v3.5.5
- go.etcd.io/etcd/etcdutl/v3 v3.5.4 -> v3.5.5
- go.uber.org/atomic v1.9.0 -> v1.10.0
- go.uber.org/zap v1.22.0 -> v1.23.0
- go4.org/netipx 797b0c90d8ab new
- golang.org/x/net 3211cb980234 -> 8be639271d50
- golang.org/x/sync 886fb9371eb4 -> 7f9b1623fab7
- golang.org/x/sys fbc7d0a398ab -> fb04ddd9f9c8
- golang.org/x/term a9ba230a4035 -> 7a66f970e087
- golang.org/x/time e5dcc9cfc0b9 -> f3bd1da661af
- golang.zx2c4.com/wireguard/wgctrl 3d4a969bb56b -> 473347a5e6e3
- google.golang.org/grpc v1.48.0 -> v1.49.0
- k8s.io/api v0.25.0 -> v0.26.0-alpha.1
- k8s.io/apimachinery v0.25.0 -> v0.26.0-alpha.1
- k8s.io/apiserver v0.25.0 -> v0.26.0-alpha.1
- k8s.io/client-go v0.25.0 -> v0.26.0-alpha.1
- k8s.io/component-base v0.25.0 -> v0.26.0-alpha.1
- k8s.io/cri-api v0.25.0 -> v0.26.0-alpha.1
- k8s.io/kubectl v0.25.0 -> v0.26.0-alpha.1
- k8s.io/kubelet v0.25.0 -> v0.26.0-alpha.1
- kernel.org/pub/linux/libs/security/libcap/cap v1.2.65 -> v1.2.66
Previous release can be found at v1.2.0
Images
ghcr.io/siderolabs/flannel:v0.19.2
ghcr.io/siderolabs/install-cni:v1.2.0
docker.io/coredns/coredns:1.10.0
gcr.io/etcd-development/etcd:v3.5.5
k8s.gcr.io/kube-apiserver:v1.26.0-alpha.1
k8s.gcr.io/kube-controller-manager:v1.26.0-alpha.1
k8s.gcr.io/kube-scheduler:v1.26.0-alpha.1
k8s.gcr.io/kube-proxy:v1.26.0-alpha.1
ghcr.io/siderolabs/kubelet:v1.26.0-alpha.1
ghcr.io/siderolabs/installer:v1.3.0-alpha.0
k8s.gcr.io/pause:3.6