siderolabs/talos v1.9.0-alpha.2 on GitHub

Talos 1.9.0-alpha.2 (2024-11-08)

Welcome to the v1.9.0-alpha.2 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

AppArmor

Talos Linux starting with v1.9 will ship with SELinux LSM enabled by default.
If you need to use AppArmor LSM add the following to the machine configuration:

machine:
  install:
     extraKernelArgs:
      - -selinux
      - lsm=lockdown,capability,yama,apparmor,bpf
      - apparmor=1

Auditd

Talos Linux now starts a auditd service by default.
Logs can be read with talosctl logs auditd.

`talosctl cgroups`

The talosctl cgroups command has been added to the talosctl tool.
This command allows you to view the cgroup resource consumption and limits for a machine, e.g.
talosctl cgroups --preset memory.

udevd

Talos previously used udevd to provide udevd, now it uses systemd-udevd instead.

Component Updates

Linux: 6.6.59
containerd: 2.0.0
Flannel: 0.26.0
Kubernetes: 1.32.0-beta.0
runc: 1.2.1

Talos is built with Go 1.23.2.

User Namespaces

Talos Linux now supports running Kubernetes pods with user namespaces enabled.
Refer to the documentation for more information.

Contributors

Andrey Smirnov
Noel Georgi
Dmitriy Matrenichev
Dmitry Sharshakov
Joakim Nohlgård
Jean-Francois Roy
Utku Ozdemir
blablu
Adolfo Ochagavía
Dan Rue
David Backeus
Eddie Wang
Florian Ströger
Hexoplon
Jakob Maležič
KBAegis
Mike Beaumont
Nebula
Nico Berlee
Philip Schmid
Philipp Kleber
Remko Molier
Robby Ciliberto
Ryan Borstelmann
Serge Logvinov
Spencer Smith
Steven Cassamajor
Tim Jones
adilTepe
ekarlso
naed3r
nevermarine
solidDoWant

Changes

145 commits

0290a3881 release(v1.9.0-alpha.2): prepare release
a309f6aa5 chore: fix nil pointer dereference in AWS uploader
333737f17 test: fix unpriviliged process runner test
200116705 chore(ci): save support zip always after tests
6a42c3b8e release(v1.9.0-alpha.1): prepare release
fb72e4b7b fix(ci): skip test if UserNamespacesSupport feature gate is not set
11380f933 feat: display current CPU frequency on dashboard
fbce267ae feat: check bridged interfaces should not have addresses
942962bf0 docs: add docs on usernamespace support in k8s
0406a05a9 chore: update pkgs to ones built with gcc 14.2
2e127627d docs: add apparmor enablement release notes
aa9311f3d fix: install disk matcher error
1800f8104 fix: selinux handling and apparmor tests
313bffadf feat: update Kubernetes to v1.32.0-beta.0
bbfa14451 feat: update containerd to v2.0.0
8e02b9fcb docs: update manual k8s upgrade docs
474949dc7 feat: add dm-cache dm-cache-smq kernel modules
5112547d6 chore: generate support zip for crashdump
a867f85e4 feat: label system socket and runtime files
398f714cf feat: update Linux 6.6.59, runc 1.2.1
05c620957 feat: allow extra mounts for docker-based talosctl cluster create
cedabeddf chore: cleanup code
61d363e1d chore: update go-auditlib
960a04049 feat: start enabling SELinux
7f3aaa21c fix: update permissions for logging directories in /var
0e6c983b8 fix: mount /sys/kernel/security conditionally
74b0e8c37 fix: make route normalization keep family
0a3761c22 fix: talosctl windows arm64
4b10c5328 chore: add Windows ARM64 build for talosctl
9abf16108 feat: add auditd service
d464ca869 chore: drop runc memfd bind added in #9069
b54d26c2c fix: mount pseudo sub-mountpoints in init
7aeb15f73 chore: disable coredns cache for cluster domain
d8b652150 docs: add warning about NVMe bus path bug
3e16ab135 feat: update Kubernetes to v1.32.0-alpha.3
0b8b35677 feat: add BridgePort property to network machine configuration
b37950625 fix: use more correct condition to skip generating hosts files
62ec7ec33 refactor: replace the old v1 mount package with new one
0ece13c62 docs: update network-config.md (cont)
93827f048 docs: update network-config.md
423b1e5fb fix: do not trim 0 from process SELinux label
2136358d6 feat: introduce metal agent mode
0e15955fc chore: small refactoring
66012a7f2 feat: remove wrapperd and launch processes directly
3a0a17ae6 fix: prevent panic in nocloud platform code
dc0c6acbd refactor: remove unmaintained github.com/vishvananda/netlink
78353f791 feat: add parsing of vlanNNNN:ethX style VLAN cmdline args
9db7a36bf fix: generation of SecureBoot iso
c755b6d7e fix: update the CRI sandbox image reference
cec290b35 feat: allow extensions to log to console
b7801df82 fix: wait for udevd to be running before activating LVM
d4cb478a5 docs: improve field description for BridgeSTP, BridgeVLAN
7329824b2 docs: add Mynewsdesk to ADOPTERS.md
a13cf76a3 chore: simplify DNSUpstreamController and DNSUpstream resource
62d185473 fix: talosctl process null character
77d7368ea feat: update containerd to v2.0.0-rc.6
d39393879 fix: rework the 'metal-iso' config acquisition
1993afca9 chore: create /usr/etc in a different step
8680351c1 chore: move system extensions' udev rules
3067f64c8 feat: update Flannel to v0.26.0
8658d6865 docs: typo in deploying cilium
49bbadc4b docs: add documentation on performance tuning
534b0ce18 feat: update runc to 1.2.0 final
217253523 docs: fix image factory links
375e3da73 feat: update Kubernetes to 1.32.0-alpha.2
9e6f64df0 fix: improve error messages for invalid bridge/bond configuration
7c8c72c2b fix: correct error message for invalid ip=
ead46997c chore: rename tpm2.PCRExtent -> tpm2.PCRExtend
867c4b812 docs: fix typo in prodnotes.md
1b22df48a chore: support debug shell for advanced development
c14b44622 feat: update Kubernetes to v1.32.0-alpha.1
29780d35a test: add an integration test for verifying process parameters
3d342af44 fix: update incorrect alias for PCIDevice resource
f7d35a5e0 release(v1.9.0-alpha.0): prepare release
e0434d77d feat: update dependencies
5c5a24886 feat: add Talos 1.9 compatibility guarantees
bc4c21f41 test: add json logs test environment
71faa3294 docs: nvidia proprietary/oss hardware requirement
59a78da42 chore: add proto-codec/codec
7ff1cedfe chore: update siderolabs/crypto module and return proper ALPN
ccbd5aed3 feat: optionally decode hcloud userdata as base64
34f652ce8 feat: add well-known app.kubernetes.io labels to control-plane pods
fc89dc216 fix: support extra-disks when using iso
f2bff814d chore: add arm64 target for integration-test
5853bb0ea fix: json logging panic
a859cff36 chore: use virtio driver for disks in arm64
db248de88 chore(ci): add config for lldpd extension
9f0de9f43 test: update provision upgrade tests for Talos 1.9
39fe285e6 fix: skip ram disks
a9bff3a1d test: skip no error test in Cilium
4d902021b fix: do not use pflag csv comma reader for config-patch
5371788ce fix: typo in documentation
8a228ba6b docs: add egress documentation
182325cb0 test: skip lvm test if not enough user disks available
519a48302 fix: wipe system partitions correctly via kernel args
0a2b4556c fix: volume encryption with failing keyslots
6affbd318 fix: update grpc-go the latest patch release
77a4a4adc fix: scaleway metadata
7acadc0c8 fix: do not stop udevd before unmounting volumes
6a081055b feat: update Flannel to v0.25.7
2362f6d3e fix: improve container detection
b67bc73fd fix: fix mdadm system extension
f08669c7a feat: bring in lpfc kernel module driver
6a014374b feat: enable QEDF driver
f711907e0 fix: make /var/run empty on reboots
7d02eb60f docs: fix typo in CloudStack docs
74861573a fix: multiple fixes for LVM activation
74c12c20e feat: replace eudev with systemd-udevd
0a4df4ef8 docs: fix nvidia CRI config example
afc1e1a46 docs: fix typo in extraMounts directory
a341bdb06 fix: prevent file descriptors leaks to child processes
dec653bfe chore: better lvm2 tests
908fd8789 feat: support cgroup deep analysis in talosctl
aa846cc18 feat: add support for CI Network config in nocloud
10f2539f2 chore: disable cloud-images cron workflow
b07a8b36b chore: ignore more plugins for system containerd
392c4798f feat: prepare for Talos 1.9
ea7bf9fb4 docs: update storage.md
4ab8dee69 fix: build talosctl without tcell_minimal
2fa019bd9 docs: enable 'edit on GitHub' link
d2ccbc2b1 docs: update hetzner documentation for CCM
d498f647c docs: fix Kernel Self Protection Project (KSPP) references
0ec75463e docs: make Talos 1.8 current release
9b77698cf fix: update blockdevice library to v2.0.2
e46227ab9 docs: fix kubespan name inconsistency
6b15ca19c fix: audit and fix cgroup reservations
32b5d01ed chore: bump lvm2
6484581eb feat: allow /sbin/ldconfig in extensions
9fa08e843 chore: refactor tests
d8ab4981b feat: support lvm auto activation
8166a58b3 fix: filter out non-printable characters in process line
806b6aaf5 docs: add SECURITY.md
7bd26df30 docs: document /dev/net/tun compatibility
18daedb51 fix: strategic merge patch delete for map keys
f3370529a docs: correct typo
8d6884a8e test: add a test for inline machine config trusted roots
d4a6d017d fix: ignore invalid NTP responses
869f8379f feat: update default Kubernetes version to 1.31.1
780a1f198 fix: update CoreDNS health check
79cd03158 chore: account for resource sorting in dns upstream resource
e17fafaca chore: drop activateLogicalVolumes sequencer step
a294b366f fix: parse SideroLink API endpoint correctly
a9269ac7b fix: remove extra logging on ethtool ioctl failures
5c6277d17 feat: update etcd to 3.5.16
c1ed2984b docs: add what's new for Talos 1.8

Changes since v1.9.0-alpha.1

4 commits

0290a3881 release(v1.9.0-alpha.2): prepare release
a309f6aa5 chore: fix nil pointer dereference in AWS uploader
333737f17 test: fix unpriviliged process runner test
200116705 chore(ci): save support zip always after tests

Changes from siderolabs/crypto

1 commit

siderolabs/crypto@58b2f92 chore: use HTTP/2 ALPN by default

Changes from siderolabs/discovery-api

1 commit

siderolabs/discovery-api@005e92c chore: rekres and regen

Changes from siderolabs/discovery-client

1 commit

siderolabs/discovery-client@b74fb90 fix: allow custom TLS config for the client

Changes from siderolabs/extras

2 commits

siderolabs/extras@eab6e58 feat: update dependencies
siderolabs/extras@1459d78 feat: update pkgs for 1.9

Changes from siderolabs/gen

3 commits

siderolabs/gen@e847d2a chore: add more utilities to xiter
siderolabs/gen@f3c5a2b chore: add Empty and Empty2 iterators
siderolabs/gen@c53b90b chore: add packages xiter/xstrings/xbytes

Changes from siderolabs/go-blockdevice

1 commit

siderolabs/go-blockdevice@134c41b fix: fast wipe also last 1MB of the device

Changes from siderolabs/go-circular

1 commit

siderolabs/go-circular@9a0f7b0 fix: multiple data race issues

Changes from siderolabs/go-cmd

3 commits

siderolabs/go-cmd@d735250 fix: return an error on process nonzero exit code
siderolabs/go-cmd@5662c7f feat: add an equivalent of WaitWrapper for os.Process
siderolabs/go-cmd@71fced6 chore: rekres and move to GHA

Changes from siderolabs/go-kubernetes

3 commits

siderolabs/go-kubernetes@87d2e8e feat: add one more deprecation for 1.32.0-beta.0
siderolabs/go-kubernetes@e56a7f6 fix: update deprecations based on Kubernetes 1.32.0-alpha.3
siderolabs/go-kubernetes@381f251 feat: update for Kubernetes 1.32

Changes from siderolabs/grpc-proxy

2 commits

siderolabs/grpc-proxy@de1c628 fix: copy data from big frame msg
siderolabs/grpc-proxy@ef47ec7 chore: upgrade Codec implementations and usages to Codec2

Changes from siderolabs/pkgs

38 commits

siderolabs/pkgs@4699763 feat: update gcc to 14.2
siderolabs/pkgs@9a98f73 feat: update containerd to v2.0.0
siderolabs/pkgs@20e1e08 feat: enable CONFIG_DM_CACHE
siderolabs/pkgs@df45e16 feat: update Linux to 6.6.59
siderolabs/pkgs@2e733cc feat: bump dependencies
siderolabs/pkgs@c92e123 fix: enable nvme and 2.5gbit ethernet on nanopi-r5s
siderolabs/pkgs@b160184 feat: update runc to v1.2.1
siderolabs/pkgs@e9950d9 chore: drop syslinux
siderolabs/pkgs@fc2e8dc feat: update containerd to v2.0.0-rc.6
siderolabs/pkgs@38304a6 feat: update Linux to 6.6.58
siderolabs/pkgs@84b8df8 chore: do not use /usr/etc/udev
siderolabs/pkgs@c9282c8 feat: update runc to 1.2.0
siderolabs/pkgs@38ad08e fix: default IOMMU mode to 'lazy'
siderolabs/pkgs@be92da0 feat: update Linux to 6.6.57, update Linux firmware
siderolabs/pkgs@0b67a13 feat: bump dependencies
siderolabs/pkgs@dd5f928 feat: update Linux 6.6.56 and protect /proc/mem
siderolabs/pkgs@b1bf972 feat: enable CONFIG_XFRM_STATISTICS
siderolabs/pkgs@c63beae feat: update Linux to 6.6.54
siderolabs/pkgs@f474a55 fix: libselinux: support running without /etc/selinux
siderolabs/pkgs@ba0341e fix: systemd-udevd: search for config in /usr/etc
siderolabs/pkgs@2b193f1 feat: add lpfc kernel module
siderolabs/pkgs@1adb946 feat: enable QEDF driver
siderolabs/pkgs@dbbe3d0 feat: update containerd to v2.0.0-rc.5
siderolabs/pkgs@f19590e feat: update Go to 1.23.2
siderolabs/pkgs@e2a561f fix: drop the LVM2 udev lvm rule
siderolabs/pkgs@ae205aa fix: force LVM to use /run as state directory
siderolabs/pkgs@232a153 feat: replace eudev with systemd-udevd
siderolabs/pkgs@40fb82a feat: add libselinux, libsepol, pcre2 and libcap
siderolabs/pkgs@6f40fbb feat: update xfsprogs 6.10.1
siderolabs/pkgs@a1709c7 feat: enable module unloading and memory hotplug (for NVIDIA UVM)
siderolabs/pkgs@2c5785b feat: enable transparent huge pages in madvise mode
siderolabs/pkgs@ca2e8c8 fix: lvm2 modprobe path
siderolabs/pkgs@6b334a6 feat: update Linux to 6.6.52
siderolabs/pkgs@e90ae7e feat: update Linux firmware to 20240909
siderolabs/pkgs@79a4f92 feat: enable INET_DIAG
siderolabs/pkgs@c9f7eb9 feat: update Linux to 6.6.51
siderolabs/pkgs@126b6a4 fix: add mpt3sas UBSAN patches
siderolabs/pkgs@a09bf93 chore: drop UBSAN patch

Changes from siderolabs/proto-codec

3 commits

siderolabs/proto-codec@0d84c65 chore: add support for gogo protobuf generator
siderolabs/proto-codec@19f8d2e chore: add kres
siderolabs/proto-codec@e038bb4 Initial commit

Changes from siderolabs/siderolink

1 commit

siderolabs/siderolink@1893385 fix: initialize tls listener properly

Changes from siderolabs/tools

8 commits

siderolabs/tools@3750064 fix: update for musl with close_range
siderolabs/tools@0a443c6 feat: update toolchain for gcc 14.2
siderolabs/tools@63ecd80 feat: bump depedendencies
siderolabs/tools@2058296 feat: bump dependencies
siderolabs/tools@1151610 feat: update Go to 1.23.2
siderolabs/tools@9f2189b fix: bump gettext-tiny to the latest dev version
siderolabs/tools@95069d6 feat: update Go to 1.23.1
siderolabs/tools@eec0656 feat: replace gettext with gettext-tiny

Dependency Changes

cloud.google.com/go/compute/metadata v0.5.0 -> v0.5.2
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0 -> v1.16.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 -> v1.8.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v1.1.0 -> v1.2.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 -> v1.2.0
github.com/aws/aws-sdk-go-v2/config v1.27.33 -> v1.28.1
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 -> v1.16.18
github.com/aws/aws-sdk-go-v2/service/kms v1.35.7 -> v1.37.3
github.com/aws/smithy-go v1.20.4 -> v1.22.0
github.com/containerd/containerd/api v1.8.0-rc.3 -> v1.8.0
github.com/containerd/containerd/v2 v2.0.0-rc.4 -> v2.0.0
github.com/containerd/errdefs v0.1.0 -> v1.0.0
github.com/containerd/platforms v0.2.1 -> v1.0.0-rc.0
github.com/containerd/typeurl/v2 v2.2.0 -> v2.2.2
github.com/containernetworking/plugins v1.5.1 -> v1.6.0
github.com/cosi-project/runtime v0.5.5 -> v0.7.1
github.com/docker/cli v27.3.1 new
github.com/docker/docker v27.2.0 -> v27.3.1
github.com/elastic/go-libaudit/v2 1df86e79cca7 new
github.com/fatih/color v1.17.0 -> v1.18.0
github.com/florianl/go-tc v0.4.4 new
github.com/foxboron/go-uefi e2076f0e58ca -> fab4fdf2f2f3
github.com/fsnotify/fsnotify v1.7.0 -> v1.8.0
github.com/google/cadvisor v0.50.0 -> v0.51.0
github.com/gopacket/gopacket v1.2.0 -> v1.3.0
github.com/hetznercloud/hcloud-go/v2 v2.13.1 -> v2.15.0
github.com/klauspost/compress v1.17.9 -> v1.17.11
github.com/linode/go-metadata v0.2.0 -> v0.2.1
github.com/mdlayher/ethtool v0.1.0 -> v0.2.0
github.com/opencontainers/runc v1.2.0-rc.3 -> v1.2.1
github.com/rivo/tview fd649dbf1223 -> c76f7879f592
github.com/siderolabs/crypto v0.4.4 -> v0.5.0
github.com/siderolabs/discovery-api v0.1.4 -> v0.1.5
github.com/siderolabs/discovery-client v0.1.9 -> v0.1.10
github.com/siderolabs/extras v1.8.0 -> v1.9.0-alpha.0-1-geab6e58
github.com/siderolabs/gen v0.5.0 -> v0.7.0
github.com/siderolabs/go-blockdevice v0.4.7 -> v0.4.8
github.com/siderolabs/go-blockdevice/v2 v2.0.2 -> v2.0.3
github.com/siderolabs/go-circular v0.2.0 -> v0.2.1
github.com/siderolabs/go-cmd v0.1.1 -> v0.1.3
github.com/siderolabs/go-kubernetes v0.2.12 -> v0.2.15
github.com/siderolabs/grpc-proxy v0.4.1 -> v0.5.1
github.com/siderolabs/pkgs v1.8.0-8-gdf1a1a5 -> v1.9.0-alpha.0-37-g4699763
github.com/siderolabs/proto-codec v0.1.1 new
github.com/siderolabs/siderolink v0.3.10 -> v0.3.11
github.com/siderolabs/talos/pkg/machinery v1.8.0 -> v1.9.0-alpha.2
github.com/siderolabs/tools v1.8.0-1-ga0c06c6 -> v1.9.0-alpha.0-7-g3750064
golang.org/x/net v0.29.0 -> v0.30.0
golang.org/x/sys v0.25.0 -> v0.26.0
golang.org/x/term v0.24.0 -> v0.25.0
golang.org/x/text v0.18.0 -> v0.19.0
golang.org/x/time v0.6.0 -> v0.7.0
google.golang.org/grpc v1.66.0 -> v1.67.1
google.golang.org/protobuf v1.34.2 -> v1.35.1
k8s.io/api v0.31.1 -> v0.32.0-beta.0
k8s.io/apimachinery v0.31.1 -> v0.32.0-beta.0
k8s.io/apiserver v0.31.1 -> v0.32.0-beta.0
k8s.io/client-go v0.31.1 -> v0.32.0-beta.0
k8s.io/component-base v0.31.1 -> v0.32.0-beta.0
k8s.io/cri-api v0.32.0-alpha.0 -> v0.32.0-beta.0
k8s.io/kube-scheduler v0.31.1 -> v0.32.0-beta.0
k8s.io/kubectl v0.31.1 -> v0.32.0-beta.0
k8s.io/kubelet v0.31.1 -> v0.32.0-beta.0
k8s.io/pod-security-admission v0.31.1 -> v0.32.0-beta.0
kernel.org/pub/linux/libs/security/libcap/cap v1.2.70 -> v1.2.71

Previous release can be found at v1.8.0

Images

ghcr.io/siderolabs/flannel:v0.26.0
registry.k8s.io/coredns/coredns:v1.11.3
gcr.io/etcd-development/etcd:v3.5.16
registry.k8s.io/kube-apiserver:v1.32.0-beta.0
registry.k8s.io/kube-controller-manager:v1.32.0-beta.0
registry.k8s.io/kube-scheduler:v1.32.0-beta.0
registry.k8s.io/kube-proxy:v1.32.0-beta.0
ghcr.io/siderolabs/kubelet:v1.32.0-beta.0
ghcr.io/siderolabs/installer:v1.9.0-alpha.2
registry.k8s.io/pause:3.10