## Talos 1.9.0-beta.1 (2024-12-10)
Welcome to the v1.9.0-beta.1 release of Talos!
This is a pre-release of Talos.
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
### Auditd
Talos Linux now starts an auditd service by default.
Logs can be read with `talosctl logs auditd`.
### talosctl cgroups
The `talosctl cgroups` command has been added to the `talosctl` tool.
This command allows you to view the cgroup resource consumption and limits for a machine, e.g. `talosctl cgroups --preset memory`.
### cgroups version 1
Support for cgroupsv1 is deprecated, and will be removed in Talos 1.10 (for non-container mode).
### Custom search domains for Talos nodes
Talos now supports specifying custom search domains for Talos nodes using the
new config field `machine.network.searchDomains`.
For the host it will look something like this:
```
nameserver 127.0.0.53
search my-custom-search-name.com my-custom-search-name2.com
```
For the pods it will look something like this:
```
search default.svc.cluster.local svc.cluster.local cluster.local my-custom-search-name.com my-custom-search-name2.com
nameserver 10.96.0.10
options ndots:5
```
### Device Selectors
Talos now supports matching on the permanent hardware (MAC) address of network interfaces.
This is specifically useful to match bond members, as they change their hardware addresses when they become part of the bond.
### Direct Rendering Manager (DRM)
Starting with Talos 1.9, the `i915` and `amdgpu` DRM drivers will be dropped from the Talos squashfs.
There will be new system extensions named `i915` and `amdgpu` that contain both the drivers and firmware packaged together.
Upgrades via Image Factory will automatically include the new extensions if `i915-ucode` or `amdgpu-firmware` were previously used.
### Image Cache
Talos now supports providing a local Image Cache for container images.
### Kube APIServer Authorization Config
Starting with Talos 1.9, the `.cluster.apiServer.authorizationConfig` field supports setting Kubernetes API server authorization modes
using the `--authorization-config` flag.
The machine config field supports a list of `authorizers`. For instance:
```yaml
cluster:
  apiServer:
    authorizationConfig:
      - type: Node
        name: Node
      - type: RBAC
        name: rbac
```
For new clusters, if the Kubernetes API server supports the `--authorization-config` flag, it'll be used by default instead of the `--authorization-mode` flag.
By default Talos will always add the `Node` and `RBAC` authorizers to the list.
When upgrading, if either a user-provided `authorization-mode` or `authorization-webhook-*` flag is set via `.cluster.apiServer.extraArgs`, it'll be used instead of the new `AuthorizationConfig`.
The current authorization config can be viewed by running `talosctl get authorizationconfigs.kubernetes.talos.dev -o yaml`.
### Node Address Sort
Talos supports a new experimental address sort algorithm for `NodeAddress`, which is used to pick default addresses for kubelet, etcd, etc.
It can be enabled with the following config patch:
```yaml
machine:
  features:
    nodeAddressSortAlgorithm: v2
```
### OCI Base Runtime Spec
Talos now allows you to [modify the OCI base runtime spec for the container runtime](https://www.talos.dev/v1.9/advanced/oci-base-spec/).
### Registry Mirrors
In versions before Talos 1.9, there was a discrepancy between how Talos itself and the CRI plugin resolve registry mirrors:
Talos would never fall back to the default registry if endpoints are configured, while the CRI plugin would.
> Note: Talos Linux pulls images for the `installer`, `kubelet`, `etcd`, while all workload images are pulled by the CRI plugin.
In Talos 1.9 this was fixed, so that by default an upstream registry is used as a fallback in all cases, while the new registry mirror
configuration option `.skipFallback` can be used to disable this behavior for both Talos and the CRI plugin.
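An added config sketch (not part of the release notes) showing where `skipFallback` sits under `machine.registries.mirrors`, with the default next to the mirror-only setting. The mirror hostname is a placeholder; in a mirror-only or air-gapped cluster the 1.9 default lets a pull reach the upstream registry when the mirror endpoints fail, which now also applies to the images Talos itself pulls.

```yaml
machine:
  registries:
    mirrors:
      # Default in Talos 1.9: if the endpoints below fail, both Talos and the
      # CRI plugin fall back to the upstream registry (docker.io).
      docker.io:
        endpoints:
          - https://mirror.example.internal   # placeholder hostname
      # Mirror-only: never fall back to upstream registry.k8s.io, for
      # Talos-pulled images (installer, kubelet, etcd) and CRI-pulled
      # workload images alike.
      registry.k8s.io:
        endpoints:
          - https://mirror.example.internal   # placeholder hostname
        skipFallback: true
```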
### talosctl disks
The command `talosctl disks` was removed; please use `talosctl get disks`, `talosctl get systemdisk`, and `talosctl get blockdevices` instead.
### talosctl wipe
The new command `talosctl wipe disk` allows wiping a disk or a partition which is not used as a volume.
### udevd
Talos previously used `eudev` to provide `udevd`; it now uses `systemd-udevd` instead.
### Component Updates
* Linux: 6.12.4
* containerd: 2.0.0
* Flannel: 0.26.1
* Kubernetes: 1.32.0-rc.1
* runc: 1.2.1
* CoreDNS: 1.12.0
Talos is built with Go 1.23.4.
### User Namespaces
Talos Linux now supports running Kubernetes pods with user namespaces enabled.
Refer to the [documentation](https://www.talos.dev/v1.9/kubernetes-guides/configuration/usernamespace/) for more information.
### Contributors
* Andrey Smirnov
* Noel Georgi
* Dmitriy Matrenichev
* Dmitry Sharshakov
* Joakim Nohlgård
* Utku Ozdemir
* Jean-Francois Roy
* Nico Berlee
* Steven Kreitzer
* blablu
* Adolfo Ochagavía
* Alessio Moiso
* Dan Rue
* David Backeus
* Devin Buhl
* Eddie Wang
* Florian Ströger
* Hexoplon
* Jakob Maležič
* Jasmin
* Justin Garrison
* KBAegis
* Mike Beaumont
* Mohammad Amin Mokhtari
* Nebula
* OliviaBarrington
* Philip Schmid
* Philipp Kleber
* Remko Molier
* Robby Ciliberto
* Roman Ivanov
* Ryan Borstelmann
* Rémi Paulmier
* Sam Stelfox
* Serge Logvinov
* Sergey Melnik
* Spencer Smith
* SpiReCZ
* Steven Cassamajor
* Tim Jones
* Variant9
* adilTepe
* egrosdou01
* ekarlso
* naed3r
* nevermarine
* solidDoWant
* sophia-coldren
### Changes
<details><summary>238 commits</summary>
<p>
* siderolabs/talos@7e57d5bd2 release(v1.9.0-beta.1): prepare release
* siderolabs/talos@830e95ace feat: update Linux to 6.12.4
* siderolabs/talos@c715695c6 test: fix user namespace test, TPM2 fixes
* siderolabs/talos@ebf1d844e feat: update Linux to 6.12.3
* siderolabs/talos@3a0c34538 fix: install iptables-nft to the host
* siderolabs/talos@50ea58813 docs: fix a few mistakes in release notes
* siderolabs/talos@58e18de0b chore: add version compatibility for Talos 1.10
* siderolabs/talos@f96992490 chore: update Go to 1.23.4
* siderolabs/talos@67fdd10bd chore: add integration tests for image-cache
* siderolabs/talos@2c71086ba fix: lock provisioning order of user disk partitions
* siderolabs/talos@1c26aad56 feat: implement new address sorting algorithm
* siderolabs/talos@1343773e6 test: use two workers in qemu tests by default
* siderolabs/talos@246180feb feat: update Kubernetes to 1.32.0-rc.1
* siderolabs/talos@24f9875e4 feat: support vlan/bond in v1, vlan in v2 for nocloud
* siderolabs/talos@1c8701737 feat: add process scheduling options
* siderolabs/talos@580805bab release(v1.9.0-beta.0): prepare release
* siderolabs/talos@ff13ccc5b docs: update the Cilium CNI deployment
* siderolabs/talos@191825a44 docs: update install-kubevirt.md
* siderolabs/talos@770be1642 feat: support image cache copying
* siderolabs/talos@8fb567dd1 docs: fix typo in virtualbox docs
* siderolabs/talos@60e4561b4 feat: add support for custom search domains
* siderolabs/talos@95c695880 fix: don't reset health status if service doesn't support health checks
* siderolabs/talos@b7609edd1 chore: update pkgs/extras to final 1.9.0 tags
* siderolabs/talos@c7b25430b fix: multiple small fixes for service runners
* siderolabs/talos@e33d2f581 feat: support overriding base OCI spec for CRI
* siderolabs/talos@347b75846 chore: support saving cluster logs on destroy
* siderolabs/talos@c254f261f fix: do not extract xattrs in unsquashfs
* siderolabs/talos@fc3b31575 fix: multiple issues with opening encrypted volumes
* siderolabs/talos@145b02642 chore: deprecate cgroupsv1 in non-container mode
* siderolabs/talos@581c0851d feat: update dependencies
* siderolabs/talos@e9058461e feat: add api-server authorization config
* siderolabs/talos@db1c70768 chore: move enabling SELinux by default to 1.10
* siderolabs/talos@ef69c9d39 feat: update Linux to 6.12.1
* siderolabs/talos@ccc5a8d34 chore: split `config.Registry` into the separate resource
* siderolabs/talos@c735d1492 fix: wait for udevd before starting sync
* siderolabs/talos@bef4d5150 fix: make `system_disk` condition work properly before install
* siderolabs/talos@af91c99ba chore: update image cache config
* siderolabs/talos@e10e90b05 fix: nocloud network link matching on MAC addresses
* siderolabs/talos@2a9130a2e fix: make Talos META partition match more precise
* siderolabs/talos@9adaf7f01 docs: update local-storage.md
* siderolabs/talos@7e19d5c4c docs: add kubevirt install
* siderolabs/talos@f1d1628c8 fix: properly halt installation if Talos already installed
* siderolabs/talos@177df62a0 fix: small logrus fixes
* siderolabs/talos@a9875b770 fix: return proper number from the `timeStampWriter`
* siderolabs/talos@e8a262490 fix: systemd-udevd restore old naming behavior
* siderolabs/talos@939c555f9 fix: imager disk image-cache generator
* siderolabs/talos@1bac0b183 feat: support generating disk images with image cache
* siderolabs/talos@84459d902 fix: make image cache config apply immediately
* siderolabs/talos@56e1ee72e release(v1.9.0-alpha.3): prepare release
* siderolabs/talos@af5d6b8c4 fix: show SELinux labels on pseudo-fs
* siderolabs/talos@f46922fa9 chore: fix dockerfile warnings
* siderolabs/talos@a13f82c59 feat: udev: label device nodes
* siderolabs/talos@e899fb37f feat: label created files in /etc
* siderolabs/talos@5f68c17ed feat: implement image cache configuration
* siderolabs/talos@0ffb2187a feat: registry proxy
* siderolabs/talos@77cf84fb5 feat: support generating iso with imagecache
* siderolabs/talos@5de6275b8 chore: image cache generator improvements
* siderolabs/talos@1a8cc5f8b feat: add SELinux labels to volumes
* siderolabs/talos@61b9129e0 fix: add directory entries and filemode to tarball
* siderolabs/talos@4caeae21e refactor: optimize flags and SetLabel
* siderolabs/talos@6074a870a feat: add e2fsprogs to talos rootfs
* siderolabs/talos@7ffcf5b93 docs: update getting started
* siderolabs/talos@c4c1a0d7c fix: make vmware platform common code build on all arches
* siderolabs/talos@cc768037f feat: implement block device wipe
* siderolabs/talos@6fb518ae5 fix: don't activate LVM volumes in agent mode
* siderolabs/talos@0e3ed3072 fix: no longer leak `Close` reader
* siderolabs/talos@4dc58cfdf chore: small fixes
* siderolabs/talos@f400ae911 fix: small fixes for image cache generation
* siderolabs/talos@93754b7de fix: config and platform manifest generation
* siderolabs/talos@95b2fc946 feat: image cache gen
* siderolabs/talos@e4c6186c6 chore: remove i915/amdgpu drivers
* siderolabs/talos@744ad12a6 docs: update replicated-local-storage-with-openebs.md
* siderolabs/talos@fd713e451 feat: add permanent hardware addr to device selectors
* siderolabs/talos@d55a96e8c refactor: remove SELinux client_u and client_r
* siderolabs/talos@3a5b55fd2 fix: allow CEL expressions config merge
* siderolabs/talos@f1b15f580 chore: remove replace for safchain/ethtool
* siderolabs/talos@f9697a9a0 fix: register controlplane node with NoSchedule taint
* siderolabs/talos@30f8b5a9f fix: registry mirror fallback handling
* siderolabs/talos@0f41e7743 feat: allow for onlink directive (nocloud)
* siderolabs/talos@e26d0043e chore: code cleanup
* siderolabs/talos@43fe3807a feat: implement tracking of blockdevice secondaries
* siderolabs/talos@8a7476c3a fix: install on non-empty disk
* siderolabs/talos@8b4253d18 feat: update etcd to v3.5.17
* siderolabs/talos@5a0fd5b88 refactor: move early initialization functions to pre-initialize phase
* siderolabs/talos@9916e2cd8 chore: update pkgs/tools/extras for Go 1.23.3
* siderolabs/talos@20bbf0235 docs: update vultr documentation
* siderolabs/talos@aea98940b fix: arch linux search paths and names for QEMU provisioner
* siderolabs/talos@682718d4c fix: use imager incoming version for extension validation
* siderolabs/talos@9a02ecc49 feat: rewrite install disk selector to use CEL expressions
* siderolabs/talos@eba35f441 docs: add note about PSP in Rook-Ceph guide
* siderolabs/talos@38b80fb1d docs: add missing `--talosconfig` parameter to end of Hetzner guide
* siderolabs/talos@a07f66c91 docs: gcp: fix controlplane nodes tags
* siderolabs/talos@4fe6dc8a0 chore: clean dns code
* siderolabs/talos@0290a3881 release(v1.9.0-alpha.2): prepare release
* siderolabs/talos@a309f6aa5 chore: fix nil pointer dereference in AWS uploader
* siderolabs/talos@333737f17 test: fix unprivileged process runner test
* siderolabs/talos@200116705 chore(ci): save support zip always after tests
* siderolabs/talos@6a42c3b8e release(v1.9.0-alpha.1): prepare release
* siderolabs/talos@fb72e4b7b fix(ci): skip test if `UserNamespacesSupport` feature gate is not set
* siderolabs/talos@11380f933 feat: display current CPU frequency on dashboard
* siderolabs/talos@fbce267ae feat: check bridged interfaces should not have addresses
* siderolabs/talos@942962bf0 docs: add docs on usernamespace support in k8s
* siderolabs/talos@0406a05a9 chore: update pkgs to ones built with gcc 14.2
* siderolabs/talos@2e127627d docs: add apparmor enablement release notes
* siderolabs/talos@aa9311f3d fix: install disk matcher error
* siderolabs/talos@1800f8104 fix: selinux handling and apparmor tests
* siderolabs/talos@313bffadf feat: update Kubernetes to v1.32.0-beta.0
* siderolabs/talos@bbfa14451 feat: update containerd to v2.0.0
* siderolabs/talos@8e02b9fcb docs: update manual k8s upgrade docs
* siderolabs/talos@474949dc7 feat: add dm-cache dm-cache-smq kernel modules
* siderolabs/talos@5112547d6 chore: generate support zip for crashdump
* siderolabs/talos@a867f85e4 feat: label system socket and runtime files
* siderolabs/talos@398f714cf feat: update Linux 6.6.59, runc 1.2.1
* siderolabs/talos@05c620957 feat: allow extra mounts for docker-based `talosctl cluster create`
* siderolabs/talos@cedabeddf chore: cleanup code
* siderolabs/talos@61d363e1d chore: update go-auditlib
* siderolabs/talos@960a04049 feat: start enabling SELinux
* siderolabs/talos@7f3aaa21c fix: update permissions for logging directories in /var
* siderolabs/talos@0e6c983b8 fix: mount /sys/kernel/security conditionally
* siderolabs/talos@74b0e8c37 fix: make route normalization keep family
* siderolabs/talos@0a3761c22 fix: talosctl windows arm64
* siderolabs/talos@4b10c5328 chore: add Windows ARM64 build for talosctl
* siderolabs/talos@9abf16108 feat: add auditd service
* siderolabs/talos@d464ca869 chore: drop runc memfd bind added in #9069
* siderolabs/talos@b54d26c2c fix: mount pseudo sub-mountpoints in init
* siderolabs/talos@7aeb15f73 chore: disable coredns cache for cluster domain
* siderolabs/talos@d8b652150 docs: add warning about NVMe bus path bug
* siderolabs/talos@3e16ab135 feat: update Kubernetes to v1.32.0-alpha.3
* siderolabs/talos@0b8b35677 feat: add BridgePort property to network machine configuration
* siderolabs/talos@b37950625 fix: use more correct condition to skip generating hosts files
* siderolabs/talos@62ec7ec33 refactor: replace the old v1 mount package with new one
* siderolabs/talos@0ece13c62 docs: update network-config.md (cont)
* siderolabs/talos@93827f048 docs: update network-config.md
* siderolabs/talos@423b1e5fb fix: do not trim 0 from process SELinux label
* siderolabs/talos@2136358d6 feat: introduce metal agent mode
* siderolabs/talos@0e15955fc chore: small refactoring
* siderolabs/talos@66012a7f2 feat: remove wrapperd and launch processes directly
* siderolabs/talos@3a0a17ae6 fix: prevent panic in nocloud platform code
* siderolabs/talos@dc0c6acbd refactor: remove unmaintained github.com/vishvananda/netlink
* siderolabs/talos@78353f791 feat: add parsing of vlanNNNN:ethX style VLAN cmdline args
* siderolabs/talos@9db7a36bf fix: generation of SecureBoot iso
* siderolabs/talos@c755b6d7e fix: update the CRI sandbox image reference
* siderolabs/talos@cec290b35 feat: allow extensions to log to console
* siderolabs/talos@b7801df82 fix: wait for udevd to be running before activating LVM
* siderolabs/talos@d4cb478a5 docs: improve field description for BridgeSTP, BridgeVLAN
* siderolabs/talos@7329824b2 docs: add Mynewsdesk to ADOPTERS.md
* siderolabs/talos@a13cf76a3 chore: simplify `DNSUpstreamController` and `DNSUpstream` resource
* siderolabs/talos@62d185473 fix: talosctl process null character
* siderolabs/talos@77d7368ea feat: update containerd to v2.0.0-rc.6
* siderolabs/talos@d39393879 fix: rework the 'metal-iso' config acquisition
* siderolabs/talos@1993afca9 chore: create /usr/etc in a different step
* siderolabs/talos@8680351c1 chore: move system extensions' udev rules
* siderolabs/talos@3067f64c8 feat: update Flannel to v0.26.0
* siderolabs/talos@8658d6865 docs: typo in deploying cilium
* siderolabs/talos@49bbadc4b docs: add documentation on performance tuning
* siderolabs/talos@534b0ce18 feat: update runc to 1.2.0 final
* siderolabs/talos@217253523 docs: fix image factory links
* siderolabs/talos@375e3da73 feat: update Kubernetes to 1.32.0-alpha.2
* siderolabs/talos@9e6f64df0 fix: improve error messages for invalid bridge/bond configuration
* siderolabs/talos@7c8c72c2b fix: correct error message for invalid ip=
* siderolabs/talos@ead46997c chore: rename tpm2.PCRExtent -> tpm2.PCRExtend
* siderolabs/talos@867c4b812 docs: fix typo in prodnotes.md
* siderolabs/talos@1b22df48a chore: support debug shell for advanced development
* siderolabs/talos@c14b44622 feat: update Kubernetes to v1.32.0-alpha.1
* siderolabs/talos@29780d35a test: add an integration test for verifying process parameters
* siderolabs/talos@3d342af44 fix: update incorrect alias for PCIDevice resource
* siderolabs/talos@f7d35a5e0 release(v1.9.0-alpha.0): prepare release
* siderolabs/talos@e0434d77d feat: update dependencies
* siderolabs/talos@5c5a24886 feat: add Talos 1.9 compatibility guarantees
* siderolabs/talos@bc4c21f41 test: add json logs test environment
* siderolabs/talos@71faa3294 docs: nvidia proprietary/oss hardware requirement
* siderolabs/talos@59a78da42 chore: add proto-codec/codec
* siderolabs/talos@7ff1cedfe chore: update siderolabs/crypto module and return proper ALPN
* siderolabs/talos@ccbd5aed3 feat: optionally decode hcloud userdata as base64
* siderolabs/talos@34f652ce8 feat: add well-known app.kubernetes.io labels to control-plane pods
* siderolabs/talos@fc89dc216 fix: support `extra-disks` when using iso
* siderolabs/talos@f2bff814d chore: add arm64 target for integration-test
* siderolabs/talos@5853bb0ea fix: json logging panic
* siderolabs/talos@a859cff36 chore: use virtio driver for disks in arm64
* siderolabs/talos@db248de88 chore(ci): add config for lldpd extension
* siderolabs/talos@9f0de9f43 test: update provision upgrade tests for Talos 1.9
* siderolabs/talos@39fe285e6 fix: skip ram disks
* siderolabs/talos@a9bff3a1d test: skip no error test in Cilium
* siderolabs/talos@4d902021b fix: do not use pflag csv comma reader for config-patch
* siderolabs/talos@5371788ce fix: typo in documentation
* siderolabs/talos@8a228ba6b docs: add egress documentation
* siderolabs/talos@182325cb0 test: skip lvm test if not enough user disks available
* siderolabs/talos@519a48302 fix: wipe system partitions correctly via kernel args
* siderolabs/talos@0a2b4556c fix: volume encryption with failing keyslots
* siderolabs/talos@6affbd318 fix: update grpc-go the latest patch release
* siderolabs/talos@77a4a4adc fix: scaleway metadata
* siderolabs/talos@7acadc0c8 fix: do not stop udevd before unmounting volumes
* siderolabs/talos@6a081055b feat: update Flannel to v0.25.7
* siderolabs/talos@2362f6d3e fix: improve container detection
* siderolabs/talos@b67bc73fd fix: fix mdadm system extension
* siderolabs/talos@f08669c7a feat: bring in lpfc kernel module driver
* siderolabs/talos@6a014374b feat: enable QEDF driver
* siderolabs/talos@f711907e0 fix: make /var/run empty on reboots
* siderolabs/talos@7d02eb60f docs: fix typo in CloudStack docs
* siderolabs/talos@74861573a fix: multiple fixes for LVM activation
* siderolabs/talos@74c12c20e feat: replace eudev with systemd-udevd
* siderolabs/talos@0a4df4ef8 docs: fix nvidia CRI config example
* siderolabs/talos@afc1e1a46 docs: fix typo in extraMounts directory
* siderolabs/talos@a341bdb06 fix: prevent file descriptors leaks to child processes
* siderolabs/talos@dec653bfe chore: better lvm2 tests
* siderolabs/talos@908fd8789 feat: support cgroup deep analysis in `talosctl`
* siderolabs/talos@aa846cc18 feat: add support for CI Network config in nocloud
* siderolabs/talos@10f2539f2 chore: disable cloud-images cron workflow
* siderolabs/talos@b07a8b36b chore: ignore more plugins for system containerd
* siderolabs/talos@392c4798f feat: prepare for Talos 1.9
* siderolabs/talos@ea7bf9fb4 docs: update storage.md
* siderolabs/talos@4ab8dee69 fix: build talosctl without `tcell_minimal`
* siderolabs/talos@2fa019bd9 docs: enable 'edit on GitHub' link
* siderolabs/talos@d2ccbc2b1 docs: update hetzner documentation for CCM
* siderolabs/talos@d498f647c docs: fix Kernel Self Protection Project (KSPP) references
* siderolabs/talos@0ec75463e docs: make Talos 1.8 current release
* siderolabs/talos@9b77698cf fix: update blockdevice library to v2.0.2
* siderolabs/talos@e46227ab9 docs: fix kubespan name inconsistency
* siderolabs/talos@6b15ca19c fix: audit and fix cgroup reservations
* siderolabs/talos@32b5d01ed chore: bump lvm2
* siderolabs/talos@6484581eb feat: allow /sbin/ldconfig in extensions
* siderolabs/talos@9fa08e843 chore: refactor tests
* siderolabs/talos@d8ab4981b feat: support lvm auto activation
* siderolabs/talos@8166a58b3 fix: filter out non-printable characters in process line
* siderolabs/talos@806b6aaf5 docs: add SECURITY.md
* siderolabs/talos@7bd26df30 docs: document `/dev/net/tun` compatibility
* siderolabs/talos@18daedb51 fix: strategic merge patch delete for map keys
* siderolabs/talos@f3370529a docs: correct typo
* siderolabs/talos@8d6884a8e test: add a test for inline machine config trusted roots
* siderolabs/talos@d4a6d017d fix: ignore invalid NTP responses
* siderolabs/talos@869f8379f feat: update default Kubernetes version to 1.31.1
* siderolabs/talos@780a1f198 fix: update CoreDNS health check
* siderolabs/talos@79cd03158 chore: account for resource sorting in dns upstream resource
* siderolabs/talos@e17fafaca chore: drop `activateLogicalVolumes` sequencer step
* siderolabs/talos@a294b366f fix: parse SideroLink API endpoint correctly
* siderolabs/talos@a9269ac7b fix: remove extra logging on ethtool ioctl failures
* siderolabs/talos@5c6277d17 feat: update etcd to 3.5.16
* siderolabs/talos@c1ed2984b docs: add what's new for Talos 1.8
</p>
</details>
### Changes since v1.9.0-beta.0
<details><summary>15 commits</summary>
<p>
* siderolabs/talos@7e57d5bd2 release(v1.9.0-beta.1): prepare release
* siderolabs/talos@830e95ace feat: update Linux to 6.12.4
* siderolabs/talos@c715695c6 test: fix user namespace test, TPM2 fixes
* siderolabs/talos@ebf1d844e feat: update Linux to 6.12.3
* siderolabs/talos@3a0c34538 fix: install iptables-nft to the host
* siderolabs/talos@50ea58813 docs: fix a few mistakes in release notes
* siderolabs/talos@58e18de0b chore: add version compatibility for Talos 1.10
* siderolabs/talos@f96992490 chore: update Go to 1.23.4
* siderolabs/talos@67fdd10bd chore: add integration tests for image-cache
* siderolabs/talos@2c71086ba fix: lock provisioning order of user disk partitions
* siderolabs/talos@1c26aad56 feat: implement new address sorting algorithm
* siderolabs/talos@1343773e6 test: use two workers in qemu tests by default
* siderolabs/talos@246180feb feat: update Kubernetes to 1.32.0-rc.1
* siderolabs/talos@24f9875e4 feat: support vlan/bond in v1, vlan in v2 for nocloud
* siderolabs/talos@1c8701737 feat: add process scheduling options
</p>
</details>
### Changes from siderolabs/crypto
<details><summary>1 commit</summary>
<p>
* siderolabs/crypto@58b2f92 chore: use HTTP/2 ALPN by default
</p>
</details>
### Changes from siderolabs/discovery-api
<details><summary>1 commit</summary>
<p>
* siderolabs/discovery-api@005e92c chore: rekres and regen
</p>
</details>
### Changes from siderolabs/discovery-client
<details><summary>1 commit</summary>
<p>
* siderolabs/discovery-client@b74fb90 fix: allow custom TLS config for the client
</p>
</details>
### Changes from siderolabs/extras
<details><summary>4 commits</summary>
<p>
* siderolabs/extras@719b5cc feat: bump dependencies
* siderolabs/extras@78ba66b feat: update Go to 1.23.3
* siderolabs/extras@eab6e58 feat: update dependencies
* siderolabs/extras@1459d78 feat: update pkgs for 1.9
</p>
</details>
### Changes from siderolabs/gen
<details><summary>3 commits</summary>
<p>
* siderolabs/gen@e847d2a chore: add more utilities to xiter
* siderolabs/gen@f3c5a2b chore: add `Empty` and `Empty2` iterators
* siderolabs/gen@c53b90b chore: add packages xiter/xstrings/xbytes
</p>
</details>
### Changes from siderolabs/go-blockdevice
<details><summary>1 commit</summary>
<p>
* siderolabs/go-blockdevice@134c41b fix: fast wipe also last 1MB of the device
</p>
</details>
### Changes from siderolabs/go-circular
<details><summary>1 commit</summary>
<p>
* siderolabs/go-circular@9a0f7b0 fix: multiple data race issues
</p>
</details>
### Changes from siderolabs/go-cmd
<details><summary>3 commits</summary>
<p>
* siderolabs/go-cmd@d735250 fix: return an error on process nonzero exit code
* siderolabs/go-cmd@5662c7f feat: add an equivalent of WaitWrapper for os.Process
* siderolabs/go-cmd@71fced6 chore: rekres and move to GHA
</p>
</details>
### Changes from siderolabs/go-kubernetes
<details><summary>6 commits</summary>
<p>
* siderolabs/go-kubernetes@06f07ab chore: add authorization config api version
* siderolabs/go-kubernetes@5ca8ab1 chore: kube-apiserver authorization config file support
* siderolabs/go-kubernetes@0f62a7e feat: add one more deprecation/removal for v1.32
* siderolabs/go-kubernetes@87d2e8e feat: add one more deprecation for 1.32.0-beta.0
* siderolabs/go-kubernetes@e56a7f6 fix: update deprecations based on Kubernetes 1.32.0-alpha.3
* siderolabs/go-kubernetes@381f251 feat: update for Kubernetes 1.32
</p>
</details>
### Changes from siderolabs/grpc-proxy
<details><summary>2 commits</summary>
<p>
* siderolabs/grpc-proxy@de1c628 fix: copy data from big frame msg
* siderolabs/grpc-proxy@ef47ec7 chore: upgrade Codec implementations and usages to Codec2
</p>
</details>
### Changes from siderolabs/pkgs
<details><summary>60 commits</summary>
<p>
* siderolabs/pkgs@abba1d8 feat: update Linux to 6.12.4
* siderolabs/pkgs@5d559d0 feat: update Linux 6.12.3
* siderolabs/pkgs@d7d890c feat: build host iptables with nftables support
* siderolabs/pkgs@41ace86 chore: bring in KSPP recommendations
* siderolabs/pkgs@214bc74 feat: update Go to 1.23.4
* siderolabs/pkgs@b047e41 feat: kernel driver support for RK3588 devices (Turing RK1)
* siderolabs/pkgs@a0c92b1 feat: enable XFS online checks and repair in kernel
* siderolabs/pkgs@2abcd4b feat: bump deps
* siderolabs/pkgs@0272ad4 fix: enable memory cgroups v1
* siderolabs/pkgs@e8fda95 feat: enable CONFIG_NETKIT
* siderolabs/pkgs@452298e feat: update systemd to 256.8, fix cpuset/cgroupsv1
* siderolabs/pkgs@c8c66b2 feat: add nt6755 driver
* siderolabs/pkgs@b08cc4c chore: drop the -f flag for rm for udev build
* siderolabs/pkgs@653d423 feat: update Linux to 6.12
* siderolabs/pkgs@a463a50 feat: add e2fsprogs
* siderolabs/pkgs@bfd88f5 chore: fix make kernel-menuconfig completely
* siderolabs/pkgs@cee356e chore: fix menuconfig build
* siderolabs/pkgs@a5530cf feat: update Linux to 6.6.62, runc to 1.2.2
* siderolabs/pkgs@ac329c9 feat: enable CONFIG_INTEL_HFI_THERMAL + CONFIG_INTEL_TURBO_MAX_3
* siderolabs/pkgs@567a14a fix: do not build unneeded utilities and man for SELinux libraries
* siderolabs/pkgs@b15a3d9 feat: bump dependencies
* siderolabs/pkgs@6bdba41 feat: update Linux to 6.6.60
* siderolabs/pkgs@4699763 feat: update gcc to 14.2
* siderolabs/pkgs@9a98f73 feat: update containerd to v2.0.0
* siderolabs/pkgs@20e1e08 feat: enable CONFIG_DM_CACHE
* siderolabs/pkgs@df45e16 feat: update Linux to 6.6.59
* siderolabs/pkgs@2e733cc feat: bump dependencies
* siderolabs/pkgs@c92e123 fix: enable nvme and 2.5gbit ethernet on nanopi-r5s
* siderolabs/pkgs@b160184 feat: update runc to v1.2.1
* siderolabs/pkgs@e9950d9 chore: drop syslinux
* siderolabs/pkgs@fc2e8dc feat: update containerd to v2.0.0-rc.6
* siderolabs/pkgs@38304a6 feat: update Linux to 6.6.58
* siderolabs/pkgs@84b8df8 chore: do not use /usr/etc/udev
* siderolabs/pkgs@c9282c8 feat: update runc to 1.2.0
* siderolabs/pkgs@38ad08e fix: default IOMMU mode to 'lazy'
* siderolabs/pkgs@be92da0 feat: update Linux to 6.6.57, update Linux firmware
* siderolabs/pkgs@0b67a13 feat: bump dependencies
* siderolabs/pkgs@dd5f928 feat: update Linux 6.6.56 and protect /proc/mem
* siderolabs/pkgs@b1bf972 feat: enable CONFIG_XFRM_STATISTICS
* siderolabs/pkgs@c63beae feat: update Linux to 6.6.54
* siderolabs/pkgs@f474a55 fix: libselinux: support running without /etc/selinux
* siderolabs/pkgs@ba0341e fix: systemd-udevd: search for config in /usr/etc
* siderolabs/pkgs@2b193f1 feat: add lpfc kernel module
* siderolabs/pkgs@1adb946 feat: enable QEDF driver
* siderolabs/pkgs@dbbe3d0 feat: update containerd to v2.0.0-rc.5
* siderolabs/pkgs@f19590e feat: update Go to 1.23.2
* siderolabs/pkgs@e2a561f fix: drop the LVM2 udev lvm rule
* siderolabs/pkgs@ae205aa fix: force LVM to use `/run` as state directory
* siderolabs/pkgs@232a153 feat: replace eudev with systemd-udevd
* siderolabs/pkgs@40fb82a feat: add libselinux, libsepol, pcre2 and libcap
* siderolabs/pkgs@6f40fbb feat: update xfsprogs 6.10.1
* siderolabs/pkgs@a1709c7 feat: enable module unloading and memory hotplug (for NVIDIA UVM)
* siderolabs/pkgs@2c5785b feat: enable transparent huge pages in madvise mode
* siderolabs/pkgs@ca2e8c8 fix: lvm2 modprobe path
* siderolabs/pkgs@6b334a6 feat: update Linux to 6.6.52
* siderolabs/pkgs@e90ae7e feat: update Linux firmware to 20240909
* siderolabs/pkgs@79a4f92 feat: enable INET_DIAG
* siderolabs/pkgs@c9f7eb9 feat: update Linux to 6.6.51
* siderolabs/pkgs@126b6a4 fix: add mpt3sas UBSAN patches
* siderolabs/pkgs@a09bf93 chore: drop UBSAN patch
</p>
</details>
### Changes from siderolabs/proto-codec
<details><summary>3 commits</summary>
<p>
* siderolabs/proto-codec@0d84c65 chore: add support for gogo protobuf generator
* siderolabs/proto-codec@19f8d2e chore: add kres
* siderolabs/proto-codec@e038bb4 Initial commit
</p>
</details>
### Changes from siderolabs/siderolink
<details><summary>1 commit</summary>
<p>
* siderolabs/siderolink@1893385 fix: initialize tls listener properly
</p>
</details>
### Changes from siderolabs/tools
<details><summary>14 commits</summary>
<p>
* siderolabs/tools@eaad82f feat: update Go to 1.23.4
* siderolabs/tools@8ac1590 feat: bump deps
* siderolabs/tools@aa0beaf chore: rekres
* siderolabs/tools@c6b0f57 feat: bump dependencies
* siderolabs/tools@e061b6f feat: update dependencies
* siderolabs/tools@2704b85 feat: update Go to 1.23.3
* siderolabs/tools@3750064 fix: update for musl with close_range
* siderolabs/tools@0a443c6 feat: update toolchain for gcc 14.2
* siderolabs/tools@63ecd80 feat: bump dependencies
* siderolabs/tools@2058296 feat: bump dependencies
* siderolabs/tools@1151610 feat: update Go to 1.23.2
* siderolabs/tools@9f2189b fix: bump gettext-tiny to the latest dev version
* siderolabs/tools@95069d6 feat: update Go to 1.23.1
* siderolabs/tools@eec0656 feat: replace gettext with gettext-tiny
</p>
</details>
### Dependency Changes
* **cloud.google.com/go/compute/metadata** v0.5.0 -> v0.5.2
* **github.com/Azure/azure-sdk-for-go/sdk/azcore** v1.13.0 -> v1.16.0
* **github.com/Azure/azure-sdk-for-go/sdk/azidentity** v1.7.0 -> v1.8.0
* **github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates** v1.1.0 -> v1.3.0
* **github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys** v1.1.0 -> v1.3.0
* **github.com/aws/aws-sdk-go-v2/config** v1.27.33 -> v1.28.5
* **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.16.13 -> v1.16.20
* **github.com/aws/aws-sdk-go-v2/service/kms** v1.35.7 -> v1.37.6
* **github.com/aws/smithy-go** v1.20.4 -> v1.22.1
* **github.com/containerd/cgroups/v3** v3.0.3 -> v3.0.4
* **github.com/containerd/containerd/api** v1.8.0-rc.3 -> v1.8.0
* **github.com/containerd/containerd/v2** v2.0.0-rc.4 -> v2.0.0
* **github.com/containerd/errdefs** v0.1.0 -> v1.0.0
* **github.com/containerd/log** v0.1.0 **_new_**
* **github.com/containerd/platforms** v0.2.1 -> v1.0.0-rc.0
* **github.com/containerd/typeurl/v2** v2.2.0 -> v2.2.3
* **github.com/containernetworking/plugins** v1.5.1 -> v1.6.0
* **github.com/cosi-project/runtime** v0.5.5 -> v0.7.2
* **github.com/docker/cli** v27.3.1 **_new_**
* **github.com/docker/docker** v27.2.0 -> v27.3.1
* **github.com/elastic/go-libaudit/v2** v2.6.1 **_new_**
* **github.com/fatih/color** v1.17.0 -> v1.18.0
* **github.com/florianl/go-tc** v0.4.4 **_new_**
* **github.com/foxboron/go-uefi** e2076f0e58ca -> fab4fdf2f2f3
* **github.com/fsnotify/fsnotify** v1.7.0 -> v1.8.0
* **github.com/google/cadvisor** v0.50.0 -> v0.51.0
* **github.com/google/cel-go** v0.22.1 **_new_**
* **github.com/gopacket/gopacket** v1.2.0 -> v1.3.1
* **github.com/hetznercloud/hcloud-go/v2** v2.13.1 -> v2.17.0
* **github.com/klauspost/compress** v1.17.9 -> v1.17.11
* **github.com/klauspost/cpuid/v2** v2.2.8 -> v2.2.9
* **github.com/linode/go-metadata** v0.2.0 -> v0.2.1
* **github.com/mdlayher/ethtool** v0.1.0 -> v0.2.0
* **github.com/opencontainers/runc** v1.2.0-rc.3 -> v1.2.2
* **github.com/rivo/tview** fd649dbf1223 -> c76f7879f592
* **github.com/safchain/ethtool** v0.4.1 -> v0.5.9
* **github.com/siderolabs/crypto** v0.4.4 -> v0.5.0
* **github.com/siderolabs/discovery-api** v0.1.4 -> v0.1.5
* **github.com/siderolabs/discovery-client** v0.1.9 -> v0.1.10
* **github.com/siderolabs/extras** v1.8.0 -> v1.9.0
* **github.com/siderolabs/gen** v0.5.0 -> v0.7.0
* **github.com/siderolabs/go-blockdevice** v0.4.7 -> v0.4.8
* **github.com/siderolabs/go-blockdevice/v2** v2.0.2 -> v2.0.6
* **github.com/siderolabs/go-circular** v0.2.0 -> v0.2.1
* **github.com/siderolabs/go-cmd** v0.1.1 -> v0.1.3
* **github.com/siderolabs/go-kubernetes** v0.2.12 -> v0.2.17
* **github.com/siderolabs/grpc-proxy** v0.4.1 -> v0.5.1
* **github.com/siderolabs/pkgs** v1.8.0-8-gdf1a1a5 -> v1.9.0-6-gabba1d8
* **github.com/siderolabs/proto-codec** v0.1.1 **_new_**
* **github.com/siderolabs/siderolink** v0.3.10 -> v0.3.11
* **github.com/siderolabs/talos/pkg/machinery** v1.8.0 -> v1.9.0-beta.1
* **github.com/siderolabs/tools** v1.8.0-1-ga0c06c6 -> v1.9.0-1-geaad82f
* **github.com/sirupsen/logrus** v1.9.3 **_new_**
* **github.com/stretchr/testify** v1.9.0 -> v1.10.0
* **github.com/thejerf/suture/v4** v4.0.5 **_new_**
* **go.etcd.io/etcd/api/v3** v3.5.16 -> v3.5.17
* **go.etcd.io/etcd/client/pkg/v3** v3.5.16 -> v3.5.17
* **go.etcd.io/etcd/client/v3** v3.5.16 -> v3.5.17
* **go.etcd.io/etcd/etcdutl/v3** v3.5.16 -> v3.5.17
* **golang.org/x/net** v0.29.0 -> v0.31.0
* **golang.org/x/oauth2** v0.23.0 -> v0.24.0
* **golang.org/x/sync** v0.8.0 -> v0.9.0
* **golang.org/x/sys** v0.25.0 -> v0.27.0
* **golang.org/x/term** v0.24.0 -> v0.26.0
* **golang.org/x/text** v0.18.0 -> v0.20.0
* **golang.org/x/time** v0.6.0 -> v0.8.0
* **google.golang.org/grpc** v1.66.0 -> v1.68.0
* **google.golang.org/protobuf** v1.34.2 -> v1.35.2
* **k8s.io/api** v0.31.1 -> v0.32.0-rc.1
* **k8s.io/apimachinery** v0.31.1 -> v0.32.0-rc.1
* **k8s.io/apiserver** v0.31.1 -> v0.32.0-rc.1
* **k8s.io/client-go** v0.31.1 -> v0.32.0-rc.1
* **k8s.io/component-base** v0.31.1 -> v0.32.0-rc.1
* **k8s.io/cri-api** v0.32.0-alpha.0 -> v0.32.0-rc.1
* **k8s.io/kube-scheduler** v0.31.1 -> v0.32.0-rc.1
* **k8s.io/kubectl** v0.31.1 -> v0.32.0-rc.1
* **k8s.io/kubelet** v0.31.1 -> v0.32.0-rc.1
* **k8s.io/pod-security-admission** v0.31.1 -> v0.32.0-rc.1
* **kernel.org/pub/linux/libs/security/libcap/cap** v1.2.70 -> v1.2.72
The previous release can be found at [v1.8.0](https://github.com/siderolabs/talos/releases/tag/v1.8.0).
## Images
* ghcr.io/siderolabs/flannel:v0.26.1
* registry.k8s.io/coredns/coredns:v1.12.0
* gcr.io/etcd-development/etcd:v3.5.17
* registry.k8s.io/kube-apiserver:v1.32.0-rc.1
* registry.k8s.io/kube-controller-manager:v1.32.0-rc.1
* registry.k8s.io/kube-scheduler:v1.32.0-rc.1
* registry.k8s.io/kube-proxy:v1.32.0-rc.1
* ghcr.io/siderolabs/kubelet:v1.32.0-rc.1
* ghcr.io/siderolabs/installer:v1.9.0-beta.1
* registry.k8s.io/pause:3.10