chore(deps): update dependency siderolabs/talos to v1.13.6 #24
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate/siderolabs-talos-1.x"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
v1.12.4→v1.13.6Release Notes
siderolabs/talos (siderolabs/talos)
v1.13.6Compare Source
Talos 1.13.6 (2026-07-09)
Welcome to the v1.13.6 release of Talos!
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Component Updates
Linux: 6.18.38
Talos is built with Go 1.26.5.
Contributors
Changes
15 commits
0431885release(v1.13.6): prepare release9d8e47dchore: update pkgs and tools31552f4fix: shutdown/reboot via usermode helpersbc0c3f3fix: flaky serviceaccount suite test3e75592fix: flaky testsfbe4d90fix: data race in manifest sync6df3a45fix: provide cooldown period for the QoS trigger85f8dd6fix: decode extraArgs list values correctlyc2a56d5fix: kubelet stuck restarting8714408chore: bump rekor for GHSA-47q9-m4ww-924m3e37ef8fix: handle image cache being disabled466bcd8fix: align documented image cache partition labeld3cf09bfix: image verification with referrerse9609b9feat: add AMD XGBE driver to initramfsf18efccchore: update depsChanges from siderolabs/gen
1 commit
c526410fix: skip unknown-key check for types with custom YAML unmarshalerChanges from siderolabs/pkgs
7 commits
d8c80ccchore: update toolchain and tools71874fbfeat: bump kernel to 6.18.38a2406a1feat: bump kernel 6.18.37e410c35feat: update Linux firmware to2026062389b8aafix: patch Linux kernel for tunnel metadata buffer overflow7e4a719feat: add support for AMD XGBE driver1915c58feat: enable NF_TABLES_ARP optionChanges from siderolabs/tools
1 commit
c58afd5chore: bump toolchainDependency Changes
Previous release can be found at v1.13.5
Images
v1.13.5Compare Source
Talos 1.13.5 (2026-06-22)
Welcome to the v1.13.5 release of Talos!
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Component Updates
Linux: 6.18.36
containerd: 2.2.5
runc: 1.4.3
Talos is built with Go 1.26.4.
Contributors
Changes
9 commits
51b0d8erelease(v1.13.5): prepare releasec5089c6fix: bump number of open files for etcde0b4d9dfix: stop the log persistence and close all files on shutdown23a080dfix: honor FailurePauseTimeout when pausing before reboot9adc63afix: correct the link alias conditionb902f9dfeat: verify go.mod tidiness in generate target765f0a1fix: relax LUKS header validationd63aba4feat: update pkgs and Kubernetesf0a5842fix: update go.mod and rekresChanges from siderolabs/pkgs
8 commits
6b315f7chore: update zfs to 2.4.3ebf23f3feat: update Linux to 6.18.367eed62dchore: bump containerd to 2.2.5 (cve patches)8b67babchore: update nvidia driver lts to 580.167.088cb61b2feat: bump runcd736aeffeat: bump kernel to 6.18.357ede376fix: avoid page_table_check BUG on time namespace VVAR pagee69debdfeat: update tools and rekresChanges from siderolabs/tools
2 commits
9b78252feat: update ca-certificates to 2026-05-144d13afffeat: bump OpenSSL to 3.6.3Dependency Changes
Previous release can be found at v1.13.4
Images
v1.13.4Compare Source
Talos 1.13.4 (2026-06-09)
Welcome to the v1.13.4 release of Talos!
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Component Updates
Linux: 6.18.34
etcd: v2.6.12
Flannel: v0.28.5
Talos is built with Go 1.26.4.
Contributors
Changes
17 commits
707dbd8release(v1.13.4): prepare release27d7a19fix: handle cluster-scoped resources with a namespace correctlyfe74e00chore: update depsf44cafbfix: recreate dns server and listeners on host DNS runner restart5ed296bfix: marshal kube-scheduler config correctly with int types5992015fix: machine configuration schemasb8dfda7fix: mark more resources as sensitiveaad841bfeat: update Flannel to v0.28.57c0900bfix(ci): aws nvidia tests9f5122dfix: flaky testcf62af3fix: etcd client leak in the (legacy) Upgrade APId5c3136feat: enforce strict QoS ordering in OOM victim selectionb5ad39efeat: update etcd to v3.6.12c83dad3fix: health request server-side577cc6ffix: bring in a change to BCM2712_MIP29da68afix: touch rootfs files with SOURCE_DATE_EPOCHb19a03bfix: ignore cgroups with zero rank in OOM handlerChanges from siderolabs/go-kubernetes
1 commit
131a2bdfix: handle cluster-scoped resources with a ns correctlyChanges from siderolabs/pkgs
5 commits
54ec9fcfix: disable PAGE_TABLE_CHECK_ENFORCED in kernel config0d5985afeat: enable USB hiddev for apcupsd support593e34cfeat: bump kernel to 6.18.34366f575fix: enable CONFIG_BCM2712_MIP as built-in in arm64 kernel configb45e84cfeat: bump Go to 1.26.4Changes from siderolabs/tools
2 commits
a06bb31feat: bump go to 1.26.49bb7abefeat: update libcap to 2.78Dependency Changes
Previous release can be found at v1.13.3
Images
v1.13.3Compare Source
Talos 1.13.3 (2026-05-26)
Welcome to the v1.13.3 release of Talos!
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Component Updates
Linux: 6.18.33
Kubernetes: 1.36.1
containerd: 2.2.4
Talos is built with Go 1.26.3.
Contributors
Changes
19 commits
befeda7release(v1.13.3): prepare releasef4d4510feat(ci): rotate credentials01b4348fix: guard apply config API calla42c37ffeat(machined): support instance tags on Akamaid62d54cfix: memorymodules resource reportingb673b4bfix: bump Go golang.org/x modules19755adfeat: add bnxt_re module to the rootfs532bc6bfix: relax hostname config validation3bbd3edfix: bump Kubernetes to 1.36.1 in one more place472b9d9feat: update default Kubernetes version to 1.36.16d53ce0chore(ci): fix cloud image upload job name5633c77fix: rework how scheduler config is marshaled52f0560fix: restore some shared (and some lower tier slave) mount propagation9de3c12fix: image verification issue with registry.k8s.io7dc716dfeat: redact more machine config secrets and audit redactorsd5448c6chore(ci): try fixing homebrew actionef9f0bfdocs: drop controlplane endpoint examples7ee3e78feat: update Linux to 6.18.33e99744bfix: update containerd to 2.2.4Changes from siderolabs/go-smbios
1 commit
063f5dcchore: rekres + new testdataChanges from siderolabs/pkgs
12 commits
8c18616feat: pre-generate drbd patches using spatch out of tree82e70a0feat: update Linux to 6.18.33993d4a6feat: enable PPP and INFINIBAND_BNXT_RE12d5337feat: enable more options for CRI-U checkpoint/restorec2e43aafeat: preserve System.map on kernel builds230b4bcchore: update deps847a37efeat: bump kernel 6.18.32d7ae843feat: update Linux to 6.18.31a26d3c0feat: update ZFS & NVIDIA LTS94d28c5feat: update Linux to 6.18.30b3dd525fix: macb silent TX stall on BCM2712/RP1 (v2 patches from netdev)8bdd5e0feat: update containerd to 2.2.4Dependency Changes
Previous release can be found at v1.13.2
Images
v1.13.2Compare Source
Talos 1.13.2 (2026-05-12)
Welcome to the v1.13.2 release of Talos!
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Component Updates
Etcd: 3.6.11
Linux: 6.18.29
Talos is built with Go 1.26.3.
Contributors
Changes
1 commit
c5d7c65release(v1.13.2): prepare releaseDependency Changes
Previous release can be found at v1.13.1
Images
v1.13.0Compare Source
Welcome to the v1.14.0-alpha.2 release of Talos!
This is a pre-release of Talos
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
DNS over TLS (DoT) and DNS over HTTPS (DoH) Support
Talos now supports DNS over TLS (DoT) and DNS over HTTPS (DoH) for secure DNS resolution.
These features allow Talos to encrypt DNS queries and responses, enhancing privacy and security for DNS traffic.
The DNS protocol can be configured on a per-name server basis in the
ResolverConfigdocument, allowing for flexible configuration of DNS resolution.noexec on EPHEMERAL (/var)
The EPHEMERAL volume (
/var) is now mounted withnoexecin addition to the existingnosuidandnodev,blocking binary execution from
/var.Workloads that exec binaries placed under
/varwill break.For example, Longhorn v1's
instance-managerexec's engine binaries theengine-imageDaemonSet drops under/var/lib/longhorn/engine-binaries/,which now fails with
permission denied. Affected users can opt out via aVolumeConfigdocument:Upgrade note: apply this
VolumeConfigpatch before upgrading, otherwise affected workloads will fail after the next reboot. Longhorn v2 (SPDK data engine) runs the data plane inside the instance manager process and is not affected.Apply Configuration Modes
The '--mode=reboot' option has been removed from the
talosctl apply-configcommand; by default, configuration is applied without a reboot.Most configuration changes don't require a reboot; the documentation lists the changes that do.
Btrfs Support
Talos now supports mounting and provisioning
btrfsfilesystem for user volumes and existing volumes.Support for
btrfsis enabled by installingbtrfssystem extension.Containerd NRI
Talos no longer disables NRI (Node Resource Interface) for the CRI containerd instance by default, so NRI is available
to use without any machine config patches.
To bring back the old behavior of NRI disabled by default, use the following machine config patch:
Default Installer Image
The default installer image has been updated to use the Image Factory.
The
ghcr.io/siderolabs/installerimage is no longer published with releases; use the Image Factory installer image instead.DHCP Search Domains
DHCPv4 search domains are now applied to the resolver configuration.
Encryption Discards
Volume encryption now supports an
allowDiscardsoption (disabled by default) which passes TRIM/discard requeststhrough to the underlying device when the encrypted volume is opened.
This only enables passing discards through to the underlying device; Talos does not perform any fstrim/discard operation by itself.
etcd
Talos is now compatible with etcd v3.6.x only (the default etcd version was 3.6.x since Talos v1.11).
The default version is 3.7.0+ now.
etcd now serves its HTTP-only endpoints (
/metrics,/health, the gRPC-gateway JSON API) on a dedicatedlistener on port
2383, while the client port2379serves gRPC only. This keeps gRPC off Go'snet/httpHTTP/2 server, avoiding watch-stream starvation under TLS (see etcd-io/etcd#15402, golang/go#58804,
etcd-io/etcd#21605).
Upgrade note: etcd metrics and the HTTP health endpoint are no longer reachable on
2379; scrape them onport
2383instead (same client mTLS as before). etcd gRPC clients and the Talos health check are unaffected.Firewall might need to be adjusted to block the port
2383if previously2379was blocked.If
--listen-metrics-urlswas customized, the metrics should not move.Filesystem Trim
Talos can now periodically trim (the equivalent of the
fstrimcommand) mounted filesystems which support trimming,discarding unused blocks. This is useful for SSDs and thin-provisioned storage.
Trimming is opt-in via a new
FilesystemTrimConfigdocument which sets the global trim interval:The default machine configuration for Talos 1.14+ includes a
FilesystemTrimConfigdocument with a default trim interval of one week,so trimming is enabled by default for eligible filesystems. For cluster which were upgraded from older versions, the
FilesystemTrimConfigdocument will be missing,so trimming will be disabled by default until the document is added.
When the document is present, Talos builds a stable schedule (hashed by node ID and volume ID, so trims are spread out
across volumes and across nodes in a cluster) and trims eligible volumes (ready disk/partition volumes with a
trim-capable filesystem; for encrypted volumes only when
allowDiscardsis set).The trim interval can be overridden or disabled per-volume via a
trimblock on the volume documents(
VolumeConfig,UserVolumeConfig,ExistingVolumeConfig,ExternalVolumeConfig):Flannel CNI
Talos now configures Flannel with the
EnableNFTablesoption enabled, which uses nftables native backend instead ofiptables-nftcompatibility layer.Host DNS Configuration
HostDNS configuration was moved from the v1alpha1 config
.machine.features.hostDNSfield to the newhostDNSin theResolverConfigdocument.HTTP Probe Support
Talos now supports HTTP network probes, allowing for monitoring of HTTP endpoints.
HTTP responses with status 200-399 are considered successful, while connection and transport errors are treated as failures.
Image Cache Configuration
Talos now supports a new
ImageCacheConfigdocument for configuring the Image Cache feature, replacing the oldmachine.features.imageCachefield in the v1alpha1 config.Old configuration is still supported for backwards compatibility.
Kernel Multi-document Configuration
Talos introduces new multi-document configuration for kernel parameters (sysctl and sysfs settings), replacing the old v1alpha1 config fields.
The old configuration is still supported for backwards compatibility, but new deployments should use the new documents.
If both old and new configuration sources are used, the new multi-document configuration takes precedence over the old v1alpha1 config on conflicting fields.
List of changes:
.machine.sysctlsin the v1alpha1 config; use theSysctlConfigdocument for kernel sysctl configuration..machine.sysfsin the v1alpha1 config; use theSysfsConfigdocument for sysfs configuration.Kernel Module Status
Talos now reports the status of both dynamically loaded, and built-in kernel modules.
The
LoadedKernelModuleresource has been deprecated and superseded by the newKernelModuleStatusresource.Kubernetes Multi-document Configuration
Talos introduces new multi-document Kubernetes configuration, which allows for more flexible and modular configuration of Kubernetes components.
Talos still supports the old v1alpha1 config for backwards compatibility, but new features and fields will only be available in the new multi-document format.
Talos introduces support for configuring multiple discovery service endpoints.
The
kube-proxyis now using configuration to manage its settings instead of command line arguments (with newKubeProxyConfigdocument).List of changes:
.cluster.secretboxEncryptionSecretin the v1alpha1 config; use theKubeEtcdEncryptionConfigdocument for full etcd encryption configuration..cluster.apiServerin the v1alpha1 config; use theKubeAPIServerConfig,KubeAdmissionControlConfig,KubeAuditPolicyConfig,KubeAuthenticationConfigandKubeAuthorizerConfigdocuments for kube-apiserver configuration..cluster.controllerManagerin the v1alpha1 config; use theKubeControllerManagerConfigdocument for kube-controller-manager configuration..cluster.schedulerin the v1alpha1 config; use theKubeSchedulerConfigdocument for kube-scheduler configuration..cluster.proxyin the v1alpha1 config; use theKubeProxyConfigdocument for kube-proxy configuration..cluster.networkin the v1alpha1 config; use theKubeNetworkConfigdocument for Kubernetes network configuration; Flannel can be configured using theKubeFlannelCNIConfigdocument..cluster.discoveryin the v1alpha1 config; use theDiscoveryServiceConfigdocument for discovery service configuration. The v1alpha1 config andDiscoveryServiceConfigare mutually exclusive.LVM Logical Volume Creation
Logical volumes can now be declared with a new
LVMLogicalVolumeConfigmulti-doc config kind. Each documentnames a logical volume, its parent
volumeGroup, atype(linear,raid0,raid1orraid10) and amaxSize(absolute, e.g.50GiB, or a percentage of the volume group, e.g.80%). RAID layouts acceptoptional
mirrors(raid1/raid10, default 1) andstripes(raid0/raid10, default: all available physicalvolumes) fields. Once the volume group is assembled the logical volume is created via
lvcreate.Raising
maxSizegrows an existing logical volume vialvextend; percentage-sized volumes also grow whentheir volume group is extended. Shrinking is never performed (it risks data loss) - a request to reduce the
size surfaces an
LVMValidationErrorinstead. Removal stays an explicit operation via the LVMService LVremove RPC (
talosctl wipe lv).LVM Status
Talos now provides detailed LVM status information, allowing for better monitoring and management of LVM volumes.
New resources
LVMPhysicalVolumeStatus,LVMVolumeGroupStatus, andLVMLogicalVolumeStatusexpose PV, VG, and LV details.DiscoveredVolumeresources for logical volumes are listed by their kernel name (e.g.dm-0). To resolve the<vg>/<lv>for a given device, use theDisksorBlockSymlinksresources, which carry the udev-managed symlinks (e.g./dev/disk/by-id/dm-name-<vg>-<lv>).LVM Volume Group Creation
Talos can now create and grow LVM Volume Groups declaratively through a new
LVMVolumeGroupConfigmulti-docconfig kind. Each document names a Volume Group and a CEL
volumeSelectorover the disk inventory; matcheddisks are initialised as Physical Volumes (
pvcreate) and aggregated into the requested VG (vgcreate).Newly matched disks added to an existing VG are attached via
vgextend.Reconciliation is strictly additive and safe-by-default.
LVM Wipe
Talos now provides the ability to securely wipe LVM metadata from logical volumes, volume groups, and physical volumes.
This feature allows for selective wiping of logical volumes, volume groups, and physical volumes.
With
talosctl wipe lv/vg/pv <name>, users can wipe LVM metadata from a specific logical volume, volume group, or physical volume.NTS for Time Synchronization
Talos now supports Network Time Security (NTS) for secure time synchronization.
This feature enhances the security of NTP by providing cryptographic authentication of time sources.
NTS is enabled by default (without any configuration sources) for the default
time.cloudflare.comtime serverNTS can be enabled for custom time servers via the new
useNTSfield in theTimeServerConfigdocument.ICMP send_redirects Disabled by Default
Talos now sets
net.ipv4.conf.all.send_redirects=0andnet.ipv4.conf.default.send_redirects=0by default,preventing the node from emitting ICMP redirect messages. This aligns with CIS Benchmark recommendations and
does not affect normal Kubernetes pod or service traffic. Nodes that deliberately act as L3 gateways relying
on ICMP redirects can override this via
machine.sysctls.Support Bundle Encryption
The
talosctl supportcommand now encrypts support bundles using the age encryption tool, enhancing the security of support data.The default set of recipients includes the 'siderolabs' GitHub organization members, but it can be overridden with custom recipients.
TLS 1.3 Minimum Version
Talos now runs etcd and kube-apiserver with a minimum TLS version of 1.3, improving security by leveraging the latest TLS features and cipher suites.
Custom settings for cipher suites have been removed, as they are ignored when TLS 1.3 is used, which simplifies configuration and ensures the use of modern, secure defaults.
Component Updates
Linux: 6.18.36
Kubernetes: 1.36.2
containerd: 2.3.2
etcd: 3.7.0-rc.0-0
Flannel: v0.28.5
runc: 1.5.0-rc.3
CoreDNS: 1.14.2
Talos is built with Go 1.26.4.
Contributors
Changes
331 commits
917820cb3chore: sync pkgs/toolsb34be14e9fix: cli.md codeblock generation25abcc6b5docs: update kubespanconfig to match discoveryserviceconfig742589f50feat: support multiple discovery service configsfc3f27d79chore: enrich the SBOM with Go module licenses47d5c3351fix: handle image cache being disabled1a965aec3test: disable LongHorn ublk test and add more cores6d03b3f61fix: align documented image cache partition label6447d854ffix(talosctl): use aio threads on darwinf856d1808fix: image verification with referrers11a7fbe4cfeat: extract kube-apiserver config into multi-doc configs337654d2btest: fix rook-ceph testse33a86825feat: add AMD XGBE driver to initramfsbd2d6242afix: revert coredns to 1.14.27c4e644f8feat: update Linux to 6.18.366e23a5c2fchore: refactor bare opentree_clone into a mount helperdfbd30959fix(talosctl): prevent appending type 11 smbios values on restart5926dd70dtest: support running integration test against remote provisionerf146c6a18feat: refactor /etc mountsebe364117chore: bump containerd to 2.3.2bc30c61a1chore: bump deps (go, k8s, docker)00d739d0atest: skip fstrim default schedule on cloud testsd9c6edf01fix: bump number of open files for etcd990c5395cchore: update tools and pkgs 2026-06-17325be7cd8refactor: config generate uses multi-doc sysctlconfigd6930633bfix: clean up and overhaul mount opsa0219404dfix: cgroups cleanup58d8b71c4fix: stop the log persistence and close all files on shutdown4b32ebc17refactor: simplify trustd/apid rootfs setupdc98e3553feat: implement filesystem trim support897bef633feat: introduce KubeProxyConfig multi-docebde543cffeat: introduce BootID resourcecd178b9f3fix: ensure consistent manifest apply order19fac6151feat: remote provisionerb6412e031fix: drop one more reference to removed 'nodes'be7f7a7dbfeat: add human-readable size fields to LVM resourcesd4e0ca1bafix: make LVM reconciliation robust and idempotent0dbc1e529chore(ci): fix flaky testb687a47abfeat: implement an option to allow discards on encrypted volumes3fc981c57fix: improve security of scheduler/controller-manager5d4af9f33fix: gracefully stop node containers before removalc1593d8a3fix: honor FailurePauseTimeout when pausing before reboot506dc1323feat: add imager flag to set the SecureBoot key enrollment mode5d4ba702erefactor: generate pod definitions in k8stemplates995bc30d5feat: drop apply config method reboot18f6cb4d0fix: increment time epoch on wall-clock jump when time sync is disabled755a8c8ebfeat: update etcd to 3.7.0-rc.0a0c76fad1feat(talosctl): implement cluster logsdb052165cfeat(talosctl): support rebooting cluster nodes0a04f463afeat(talosctl): use gateway dns for clustercf3eb1cadchore(talosctl): disable kexec for cluster create on arm64180182b0ffix: correct the link alias conditionac9014f05fix: introduce pull attempt stall detection for image pullf2286d616fix: move Flannel netpol patch to the controlplane9986c0b16feat: bump kernel to 6.18.35e8845fba6fix: route ProxyURL test via reachable endpoint44acedf30feat: add declarative LVM logical volume provisioningf6058a11bfeat: grab support bundle via client factorycdd719773feat: add CPUCores resource8e41eb1bdfeat: verify go.mod tidiness in generate targetb19e2ea42feat: add kube-apiserver probesa321a1dccfeat: support proxy-url in talosconfig contextbb2ac7546feat: parse schematic info out of extension status0c02a5a07fix: align flannel MTU with kubespan to avoid permanent fragmentation3d5fd822cfeat: expose disk firmware and BIOS version30115981cfix: relax LUKS header validation5923199fbrefactor: use ClientFactory for the action tracker72c0ced3crefactor: deprecate sysfs and sysctl in machineconfigee74a41fbfix: handle cluster-scoped resources with a namespace correctly9df5a647afeat: allow to disable access time for EPHEMERAL partition9b667dbdechore: fix lint error in test311378386test: increase resource inmem buffer to stabilize the tests6f85ce3d2docs: hack/release.toml explains kernelmodulestatus9bb0a5d01fix(talosctl): add scrolling to dashboard footer node list4c029c2d6fix: machine configuration schemasc3052e845feat: move CNI config out of v1alpha1 config1d2f1208cfeat: add declarative LVM volume group provisioning85f1d428fchore: refactor tests to use debug apic901d47a5refactor: talosctl streaming commands and more fixes166854959fix: mark more resources as sensitive58adf2e00fix: classify installer and imager exits9549930fffeat: update Flannel to v0.28.527362d18erefactor: replace the callback strategy for most commandscb42d9d9afeat: implement support bundle encryption9ae260b55feat: enable NRI by defaultd1d5847b0fix: flaky test0f2331586feat: support external secureboot and pcr signersb349d919dfeat: enforce strict QoS ordering in OOM victim selection76d9b49bdfix(ci): aws nvidia tests3131826cdfix: provide NTS sync with bad initial clock state89e307e58fix: etcd client leak in the (legacy) Upgrade API476c4d050fix: recreate dns server and listeners on host DNS runner restart9a283d9b1feat: bump Go to 1.26.44759dc246chore: bump dependencies26a25a073chore(ci): drop homebrew workflowfa8a55192feat: update etcd to v3.6.1241fcab476feat: update kernel to 6.18.348ba00612bfeat: update dependencies6e2dec1earefactor: update talosctl commands to stop using WithNodesf9ad63a35feat: add custom logging convention linter30dbce03fchore: make oci images reproducible38244fd5bfeat: add sbom builder5177c50e2refactor: deprecate loadedkernelmodulec2eef3645fix: health request server-sided6eff8effrefactor: drop multi-nodes proxying for the dashboard2e547a964refactor: deprecate multi-node proxyingddcc519e1fix: add --fail to image-signer curl downloade5b0b1ddefix: normalize log fieldsd8e95c396fix: drop installer from bundle7aad9ec81feat: update pkgs, tools, Go dependenciesb50ee396ffix: fix trace fix to also lookup release branches027c93d25release(v1.14.0-alpha.1): prepare release4eb862d09feat: add LVMService for VG/LV/PV removalb88f16a52fix: use POSIX shell idioms for error propagation5290eb374fix: suppress ICMP redirects by default7b4aba2e5fix: marshal kube-scheduler config correctly with int types894be9bf5fix: touch rootfs files with SOURCE_DATE_EPOCHcde82224efix: ignore cgroups with zero rank in OOM handlerbc0372411fix: bring in a change to BCM2712_MIPf572c33f1chore: fail on makefile errore317d4b47fix: drop modprobe path and enforce usermode helper89e53f610fix(machined): make built-in mod state always 'permanent'cfbec9bd5test: skip UEFI vars wipe if TPM is enabled1e31deda3fix: create parent directories when extracting tar archives14dc188bdchore: verify go-containerregistry preserves symlinks951922dfbfix: guard apply config API call3e173adf4feat: move kube-controller-manager config to multi-docb5cda3438fix: reset QEMU UEFI variable store when disk is wiped4a17ac6acchore: script for tracking fixes made in upstream toolchain/tools/pkgsd71edeeadfeat: add LVM status resource definitions4aeba1cdefix: perform backwards-compatible kernel args cleanup9b7b2bf36feat: implement support for btrfs user volumes03ee8ee3afeat(machined): support instance tags on Akamaid19f9ade0fix: memorymodules resource reportinga6edcf6f3chore: move out adv library40e66eac7fix: bump Go golang.org/x modulese23ca4a0achore(ci): add upgrade tests for trustedboote3003c0ecchore: bump tpm nonce size to match the algorithm used8fd04da1ffeat: add bnxt_re module to the rootfs1cfab00f1fix: update etcd experimental argsad96fc6aefix: relax hostname config validationefd735334chore(ci): add missing labels, move release metadata check to job9ec045059feat: update containerd to 2.3.142f4144a1feat: introduce new KubeSchedulerConfigf2b7f39dbrefactor: move Args type out of config/v1alpha1b959dcb3efix: bump Kubernetes to 1.36.1 in one more place8ecc77f1afeat: update default Kubernetes version to 1.36.1cbd9c3745chore: rekres to secure slack workflows6a92fc653test: update Canal version used in the testsbe12d3d08feat: support 4k sector size disk imagesa7e8f4c28chore(ci): fix cloud image upload job name4319399f6feat: introduce more modular Linux kerneled5df89f6feat(ci): rotate credentialsa6a984ff7chore(ci): fix the job conditionsecb7d4588feat: enable Flannel nftables mode9919ff781feat: update Linux to 6.18.321a7d136e4feat: add Azure Secure Boot imager profiledf68e7391feat: implement kernel module status resourcee98ee99d4fix: streamline config validation flowd7f0a2fd4feat: update Linux to 6.18.312b66e25a5chore: update image signer5aa1795f9chore: drop e2e step dependenciesd42b3b396feat: update Linux to 6.18.30c3f6f3507feat: implement static host resolving via host DNS2f06a68efrefactor: split host DNS handlere99c5be5afeat: implement DNS over HTTP(S)cf6065238chore: stop publishing installer to ghcr0edabd29cfix: restore some shared (and some lower tier slave) mount propagationf1578dc63fix: image verification issue with registry.k8s.io46b1f8a24fix: rework how scheduler config is marshaled820a9fa59chore: fix typos in comments649a384a9feat: move more kernel stuff to modules4f3ab2012chore(ci): try fixing homebrew action600c0ab5dfeat(ci): validate that extensions PKGS and TOOLS sync with talos76080416bfeat: redact more machine config secrets and audit redactorsaabf63957docs: drop controlplane endpoint examplesb48a2bef4test: relax kernel-default routing rule assertiond2208b034refactor(talosctl): propagate command context throughout, handle interrupts0760b5c28fix: normalize source name for syft consistencyc49ac0ec2docs: document release policyec7e6ef9ffeat: bump in-toto indirect dependency21858a674feat: update kernel to 6.18.295a49dc61dfeat: migrate Image Cache config to multi-doc574298ec1fix: handle empty GCP operation errors366b10b79feat: dockerfile improvements9a1d9d0affeat: bump go 1.26.36eec1c229feat: support DNS over TLS for upstream resolversdee139aeffeat: revert update CoreDNS to 1.14.3087bc4c18chore: lint packages under tools9e7516faefix: clarify documentation for image verification pattern41c8e9dc4feat: bump dependencies2b6c06ef5feat: update CoreDNS to 1.14.36b6f7978bfeat: update containerd to 2.3.0f9c4f90dafeat(ci): longhorn v2 ublk tests84d169c62fix: make dnsd retry listening689974bd5fix: volume mount permissionsff0f66bdffix: skip reserved routing rule priorities850e2c754feat: drop fakeroot, use go helper0c1bd701afeat: add golangci-lint fmt target53bd66956feat: support conditional start of IPv6 dns serversb31d93e0dfeat: auto-enroll SecureBoot keys for disk images849a68006test: update pkgs to test new extensionsc30a6dfcbfix: preserve DHCP DNS servers5b81b20d3feat: apply DHCP search domains4e5ff8fa2fix(ci): zfs test14abe5140fix: handle gateways which are not on-link routes in dhcp4e1f759af8chore: fix lint issues automatically664c5f643chore: update toolsc64df2b61fix: add missing kernel modules in rootfsf73c24594feat: run depmod with verification on rootfs build1371596d7fix: provide proper AWS platform metadata4f11f021dfeat: implement etcd encryption config (kube-apiserver)876f83643feat: add support for HTTP Probes9b776d598feat: update etcd to 3.6.11631a1bc5efix: bring in hardened kernela349dac03fix: stale discovered volume children13ce01879fix: re-enable kexec on arm6432539d4acfix: deadlock in the makefs ext4 with populated source0f3e1966afix: panic in Kubernetes manifest sync3bae01ac1fix: do not pick up a system disk from a loop devicededb7a96cfix(talosctl): protect k8sNames map writes with mutexcc2be213afix: drop explicit platform matcher1dffebaf2fix: mount throws EPERM on virtiofs with SELinux48a481c29fix: replace Canal manifest with a more recent one6a445406efix: make lacp active nilable0d1d95c7dfix: bump go-kmsg to fix the timestamp driftbd344fd53fix: reset the ticker when the KubeSpan is disabled/enabled462015bcdrelease(v1.14.0-alpha.0): prepare release8a037a56etest: fix flaky tests08c81d838feat: bump kernel to 6.18.25fe40b6e58fix(ci): fetch empty pr labels837a9ed07feat: move host DNS config into ResolverConfig96a8ecd1efeat: default to factory installer imagef19eef78bfix: revert add extraArgs from service-account-issuer6821225b6fix: revert use append instead of prepend in service-account-issuerb43c3a124feat: add quirk for talosctl factory downloadsdf0b9a8darefactor: make all controller unit-test follow modern patternsc2948cef2feat: support auth for Image Factory in cluster create560bcf0cafeat: enforce TLS 1.3 minmum version for Kubernetes components3db14309efix(talosctl): ensure uncordon runs after reboot/upgrade errorsecf2fa855feat: update Kubernetes to v1.36.071557eaddfix(ci): skip misc jobs not on pull request026313b7cdocs: rename security-insights.yml to lowercase for LFX detectiondc4ffd490fix(ci): fix jobs not interpolating matrix due to condition25e2f37e2chore: generate comments for fields in resource proto149592fa5fix: watch kubelet's kubeconfig and time out for cache sync1f315e6e9feat: update Linux to 6.18.230198eedc2feat: add NTS (Network Time Security) support for NTP time sync6830a8b97fix(ci): matrix jobs cleanups71aeb347ftest: fix OOM test flake9b9542cc5test: fix a flake in the manifest sync test863d882b6test: add image verification for factory.talos.devbba0b4aeechore(ci): nvidia update helm values3399ff4defix: propagate route table down to the resourcec684ec60echore: prepare for Talos 1.14 releaseed9545d0dchore(ci): bump gpu operator version4de3e4393fix(ci): cron triggered workflows212182e6fchore: bump container registry libraryc028db0b8fix: do not flip machine stage to rebooting during shutdown6ce62d9e8fix(ci): workflow runs withworkflow_run509cd9733fix: boot entry detection5e3f30188feat(ci): rework to schedule daily runs after a cron7fa4d3919fix: zfs extensions test1ef8e630atest: allow more tests to run in FIPS strict modebdcc9321bfix: reduce memory dashboard usage2d177af82chore: update Syft to v1.42.4+patches0d8362119fix: return failed precondition on upgrade when not installedbe58eafabfix: wrong slot of encryption key was logged015081c76feat: update dependencies9fbb7c95dfix: audit trustd code for security986e97fc7feat: update Flannel to 0.28.4f3817d1d1chore: update sign images to support image name suffixe776721f3feat: update Kubernetes 1.36.0-rc.1f6e7346fafix: encode extra args fields in resources with new id3c7bb80bachore: bump tools3ba35c9b9chore(ci): nvidia try UKI boote3e8f01cachore: bump tools181584a5ffix: handle boot failurec464c7e88fix: upgrade API in maintenance mode (legacy)b7512d912feat: update Kubernetes to 1.36.0-rc.04ba11156frefactor: allow overriding out image name suffixc81aa125cfix: panic in reading PCR values6a3ab87c5feat(ci): add nvidia arm64 matrix21f459aabfix(talosctl): always use default GRPC dial optionsca208e514fix: validate hostDNS forwarding requires hostDNS to be enabled9fcb9e05bfeat: bump go to 1.26.20bfdf7f70fix: create correct blackhole routes for IPv452b920032feat: add client-side Kubernetes node drain to reboot and upgrade commands968ec1e0crefactor: propagate NAME properly, allow to set on buildacc69c346fix: set the minimum TLS version to 1.30cfa6e302chore: bump some tool dependencies4229bb9d2feat: add dis-vulncheck toold697f5538fix: don't set xattrs while decompressing extensions34fb2cbe5refactor: remove manual shell completion and replace with cobra completion79fa2e300feat: allow more nvidia and nvme files from extensions414f78a29feat: allow glibc ld files in etc1bbba4301feat: update Flannel to v0.28.255815e0fafix: handle ISOs with zeroes in volume labels7b6ab0c1cfeat: add flag to force fallback to legacy upgrade5e24d5265feat: add resource view to talosctl dashboard649ab7fe4fix: add os:meta:writer role to the dashboard10cdfa909fix: drop talosctl install087ced85ffix: unseal with "slow" TPM11ab0a8c5fix: drop unused type from ExternalVolume schemae2df0f6cefix: always grow disks919d8c365chore: drop debug shell783a35851fix: add metal-agent mode to runtime capabilities37b2221ccdocs: add SECURITY-INSIGHTS.yml for OSPS Baseline QA-04.01bed2bd414feat: add graceful power off support to QEMU VM launcher3400059ccfix: incorrect route source for on-link routesb3dfbf743feat: bump musl to 1.2.64227921b3test: fix the PKI mismatch test flakef2bc2dcc6feat: update NVIDIA production drivers to 595.58.03aa5946dd3test: fix cron failures for provision-1 & provision-21dd701efafix: allow blockdevice wipe in maintenance mode786bf00abfeat: add --platform=all support to image cache-createe1f645e3cfeat: validate luks headers for tamperingad72c7300test: improve maintenance API provision tests70cefab6atest: fix the flakes in tests with trusted rootsaacff17f4test: bump memory for Flannel netpolicy tests9c3459114feat: update Linux to 6.18.19, CNI to 1.9.1038cb8735feat: enforce PID check on connections to services over file socketse2b2dd3eachore: update go-kubernetes library9597714f6fix: add symlinks nvidia-ctk and nvidia-cdi-hook in /usr/bin8ac47d677fix: unset rlimits for extension servicesb1a02f368feat: update Kubernetes to 1.36.0-beta.0362fdc9ecfeat: update etcd to 3.6.90a47f40b3fix(machined): clear stale bond ARP/NS targets on decode86344639ffix: update diff library to v1.0.1eff89d1edfix: panics in diff algorithms8e1c8a7a9test: fix the apid test against AWS/GCPChanges since v1.14.0-alpha.1
111 commits
917820cb3chore: sync pkgs/toolsb34be14e9fix: cli.md codeblock generation25abcc6b5docs: update kubespanconfig to match discoveryserviceconfig742589f50feat: support multiple discovery service configsfc3f27d79chore: enrich the SBOM with Go module licenses47d5c3351fix: handle image cache being disabled1a965aec3test: disable LongHorn ublk test and add more cores6d03b3f61fix: align documented image cache partition label6447d854ffix(talosctl): use aio threads on darwinf856d1808fix: image verification with referrers11a7fbe4cfeat: extract kube-apiserver config into multi-doc configs337654d2btest: fix rook-ceph testse33a86825feat: add AMD XGBE driver to initramfsbd2d6242afix: revert coredns to 1.14.27c4e644f8feat: update Linux to 6.18.366e23a5c2fchore: refactor bare opentree_clone into a mount helperdfbd30959fix(talosctl): prevent appending type 11 smbios values on restart5926dd70dtest: support running integration test against remote provisionerf146c6a18feat: refactor /etc mountsebe364117chore: bump containerd to 2.3.2bc30c61a1chore: bump deps (go, k8s, docker)00d739d0atest: skip fstrim default schedule on cloud testsd9c6edf01fix: bump number of open files for etcd990c5395cchore: update tools and pkgs 2026-06-17325be7cd8refactor: config generate uses multi-doc sysctlconfigd6930633bfix: clean up and overhaul mount opsa0219404dfix: cgroups cleanup58d8b71c4fix: stop the log persistence and close all files on shutdown4b32ebc17refactor: simplify trustd/apid rootfs setupdc98e3553feat: implement filesystem trim support897bef633feat: introduce KubeProxyConfig multi-docebde543cffeat: introduce BootID resourcecd178b9f3fix: ensure consistent manifest apply order19fac6151feat: remote provisionerb6412e031fix: drop one more reference to removed 'nodes'be7f7a7dbfeat: add human-readable size fields to LVM resourcesd4e0ca1bafix: make LVM reconciliation robust and idempotent0dbc1e529chore(ci): fix flaky testb687a47abfeat: implement an option to allow discards on encrypted volumes3fc981c57fix: improve security of scheduler/controller-manager5d4af9f33fix: gracefully stop node containers before removalc1593d8a3fix: honor FailurePauseTimeout when pausing before reboot506dc1323feat: add imager flag to set the SecureBoot key enrollment mode5d4ba702erefactor: generate pod definitions in k8stemplates995bc30d5feat: drop apply config method reboot18f6cb4d0fix: increment time epoch on wall-clock jump when time sync is disabled755a8c8ebfeat: update etcd to 3.7.0-rc.0a0c76fad1feat(talosctl): implement cluster logsdb052165cfeat(talosctl): support rebooting cluster nodes0a04f463afeat(talosctl): use gateway dns for clustercf3eb1cadchore(talosctl): disable kexec for cluster create on arm64180182b0ffix: correct the link alias conditionac9014f05fix: introduce pull attempt stall detection for image pullf2286d616fix: move Flannel netpol patch to the controlplane9986c0b16feat: bump kernel to 6.18.35e8845fba6fix: route ProxyURL test via reachable endpoint44acedf30feat: add declarative LVM logical volume provisioningf6058a11bfeat: grab support bundle via client factorycdd719773feat: add CPUCores resource8e41eb1bdfeat: verify go.mod tidiness in generate targetb19e2ea42feat: add kube-apiserver probesa321a1dccfeat: support proxy-url in talosconfig contextbb2ac7546feat: parse schematic info out of extension status0c02a5a07fix: align flannel MTU with kubespan to avoid permanent fragmentation3d5fd822cfeat: expose disk firmware and BIOS version30115981cfix: relax LUKS header validation5923199fbrefactor: use ClientFactory for the action tracker72c0ced3crefactor: deprecate sysfs and sysctl in machineconfigee74a41fbfix: handle cluster-scoped resources with a namespace correctly9df5a647afeat: allow to disable access time for EPHEMERAL partition9b667dbdechore: fix lint error in test311378386test: increase resource inmem buffer to stabilize the tests6f85ce3d2docs: hack/release.toml explains kernelmodulestatus9bb0a5d01fix(talosctl): add scrolling to dashboard footer node list4c029c2d6fix: machine configuration schemasc3052e845feat: move CNI config out of v1alpha1 config1d2f1208cfeat: add declarative LVM volume group provisioning85f1d428fchore: refactor tests to use debug apic901d47a5refactor: talosctl streaming commands and more fixes166854959fix: mark more resources as sensitive58adf2e00fix: classify installer and imager exits9549930fffeat: update Flannel to v0.28.527362d18erefactor: replace the callback strategy for most commandscb42d9d9afeat: implement support bundle encryption9ae260b55feat: enable NRI by defaultd1d5847b0fix: flaky test0f2331586feat: support external secureboot and pcr signersb349d919dfeat: enforce strict QoS ordering in OOM victim selection76d9b49bdfix(ci): aws nvidia tests3131826cdfix: provide NTS sync with bad initial clock state89e307e58fix: etcd client leak in the (legacy) Upgrade API476c4d050fix: recreate dns server and listeners on host DNS runner restart9a283d9b1feat: bump Go to 1.26.44759dc246chore: bump dependencies26a25a073chore(ci): drop homebrew workflowfa8a55192feat: update etcd to v3.6.1241fcab476feat: update kernel to 6.18.348ba00612bfeat: update dependencies6e2dec1earefactor: update talosctl commands to stop using WithNodesf9ad63a35feat: add custom logging convention linter30dbce03fchore: make oci images reproducible38244fd5bfeat: add sbom builder5177c50e2refactor: deprecate loadedkernelmodulec2eef3645fix: health request server-sided6eff8effrefactor: drop multi-nodes proxying for the dashboard2e547a964refactor: deprecate multi-node proxyingddcc519e1fix: add --fail to image-signer curl downloade5b0b1ddefix: normalize log fieldsd8e95c396fix: drop installer from bundle7aad9ec81feat: update pkgs, tools, Go dependenciesb50ee396ffix: fix trace fix to also lookup release branchesChanges from siderolabs/go-adv
2 commits
3818a65feat: initial implementation95e583cInitial commitChanges from siderolabs/go-kmsg
1 commit
65e97cbfix: boot time offset calculationChanges from siderolabs/go-kubeconfig
2 commits
d0b8f82chore: rekres and bump depsc356eebfix: fix context conflict detection add New() constructorChanges from siderolabs/go-kubernetes
4 commits
cc8c2c9fix: return the apply results in a consistent order131a2bdfix: handle cluster-scoped resources with a ns correctly38c182ffix: normalize the changeset to be keyed without apiVersionca35008feat: update k8s api to 0.36.0Changes from siderolabs/go-smbios
1 commit
063f5dcchore: rekres + new testdataChanges from siderolabs/go-talos-support
2 commits
59d47affeat: rewrite support bundle library around client provider8dd4326feat: support encryption of the support bundle using ageChanges from siderolabs/grpc-proxy
3 commits
d670c42chore: bump dependencies8614c71chore: bump deps80677e0fix: propagate the headers before the messageChanges from siderolabs/pkgs
90 commits
ea48e8bfix: patch Linux kernel for tunnel metadata buffer overflowff80d88feat: add support for AMD XGBE driver9f8ab22feat: enable NF_TABLES_ARP optionbedfbebfeat: update Linux to 6.18.36a9f2bb3chore: bump containerd to 2.3.273e76f8chore: upgrade runc to 1.5.0-rc.328db1cachore: update nvidia driver lts to 580.167.085df1a44chore: update zfs to 2.4.3cd77c4fchore: update dependencies 2026-06-160f27eccfeat: bump runcd213ff5feat: bump OpenSSL to 3.6.3cb713aefeat: bump kernel to 6.18.3509cb04efix: avoid page_table_check BUG on time namespace VVAR pagebfb88f6feat: add nvidia-fs kernel modulef2850d1feat: enable USB hiddev for apcupsd support55aa64ffeat: bump go to 1.26.4f27dbe1feat: bump kernel to 6.18.34aa9fe00feat: add DVB USB Modules0870a4bfeat: bump dependenciesf9134e5fix: enable CONFIG_BCM2712_MIP as built-in in arm64 kernel config285c6aefix: set usermode static helper to machinebd2a754feat: pre-generate drbd patches using spatch out of tree898844efeat: update Linux to 6.18.33a8dfbf7fix: disable kernel modprobe pathc542950fix: pull in tools with zstd sbomc0ec8f3feat: enable PPP and INFINIBAND_BNXT_REc62c4e1feat: update containerd to 2.3.1270f9f8chore: update deps4f7feb4feat: enable more options for CRI-U checkpoint/restore87994f7feat: move autoloadable stuff as modules80c27f3fix: drop legacy network protocolsfbb7360feat: drop legacy iptables/ebtables supporteac5f86feat: bump kernel 6.18.32d616f6cfeat: update Linux to 6.18.3102bcfcefix: macb silent TX stall on BCM2712/RP1 (v2 patches from netdev)12ca698feat: update ZFS & NVIDIA LTS9fff943feat: update Linux to 6.18.30c5a1685feat: move HWMON as modulesb2a45fbfeat: move CONFIG_INTEL_IOATDMA as a moduleea8d35ffeat: move ACPI device drivers as modules501ba58feat: move HID quirks as modulesb35312cfeat: move PS/2 mouse drivers as modules3a5d9d7feat: move IPMI driver to be a module792a69afeat: disable AGP drivers99990b4feat: move Hyper-V drivers as modulesfb697d6feat: move Xen frontend drivers as modules1df1713feat: move ATA / MMC controllers as modulesf7f9341feat: move USB class drivers as modulesba873e9feat: move USB host controllers as modules8f25baafeat: move virtio bus stuff as modulesd0c5480feat: bump kernel to 6.18.29dfb09f0feat: bump kernel 6.18.28c97bc24feat: update Go to 1.26.3dfe8926feat: add btrfsprogs06ff9dcfeat: update Linux to 6.18.272265fc9feat(kernel): backport two PCI bridge realloc fixes from v6.195a21d99feat: bump dependenciescb3f406feat: update containerd to 2.3.0e192574feat: update Linux to 6.18.26e5e6cb8feat: update DRBD to 9.3.277538b1feat: update NVIDIA driversadeaafcfeat: preserve System.map on kernel buildsc77f985fix: disable legacy framebuffer drivers8f3ef77fix: enable safesetid LSMf82d3affix: disable CONFIG_DEVPORTb189a96fix: disable crypto user API9a718f6docs: list net macb silent TX stall fixes in kernel/build/patches/README.mdca3599ffix: macb silent TX stall on BCM2712/RP1 (RFC patches from netdev)6a53a93feat: bump kernel to 6.18.25f567bcefeat: disable more stuff in Kconfigffd9790feat: bump kernel to 6.18.24b7c709afeat: bump depse5e5b3cfeat: update Linux to 6.18.231a4cd20fix: renovate configd0ed6edfeat: update dependencies6ea49c7fix: support disabling module signature verification6520ec4feat: update containerd to 2.2.337ce992feat: enable CONFIG_UHID and CONFIG_INPUT_JOYDEV as modulescddd934feat: update backportable dependencies32e4077feat: update OpenSSL2d241e7feat: update Go to 1.26.2 and small deps updates7f540cefeat: disable dynamic SCS3bef043feat: update runc to 1.4.2c6e6f10feat: update Linux to 6.18.21a9e8afafix: libarchive install prefixe4d0113feat: update for musl 1.2.69142603feat: update NVIDIA production to 595.58.0322fa669feat: update Linux to 6.18.1903680aefeat: update containerd patch verifier rolebdc239efeat: enable CHECKPOINT_RESTORE optionChanges from siderolabs/proto-codec
1 commit
9b8a14echore: bump dependenciesChanges from siderolabs/siderolink
1 commit
0a1933cchore: bump dependenciesChanges from siderolabs/tools
18 commits
0f1c859chore: make rekres5c0c9bechore: update dependencies 2026-06-16b88d99cfeat: bump OpenSSL to 3.6.342c59b9feat: bump toolchain to bring in Go 1.26.4206a4c0feat: update dependencies, rework LLVM buildf9f37dffix: add proper name for zlib-ng sbomaa45c41fix: add SBOM for zstd library808f34ffeat: update Go to 1.26.35dfe83dfeat: drop fakeroot and policycoreutils618fd20feat: add Python wheel packagedf3c1b7feat: bump dependencies44ad18cfeat: bump depsf3d0dd9fix: renovate configs4ac4449feat: update dependencies027744ffeat: bump OpenSSL to 3.6.27067f1ffeat: update util-linux to 2.41.46cb3e56feat: update Go to 1.26.29186c5ffeat: update musl to 1.2.6Dependency Changes
5adc3eb->11b94ed310581b->ab860166706a29->93566baba97887newPrevious release can be found at v1.13.0
v1.12.9Compare Source
Talos 1.12.9 (2026-06-19)
Welcome to the v1.12.9 release of Talos!
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Component Updates
Linux: 6.18.35
runc: 1.3.6
CoreDNS: 1.14.2
containerd: 2.2.5
Talos is built with Go 1.25.11.
Contributors
Changes
18 commits
150ee5brelease(v1.12.9): prepare releasecba53b4fix: revert coredns to 1.14.270a9d61fix: bump number of open files for etcd045146cfix: guard apply config API call6593d3bfix: honor FailurePauseTimeout when pausing before reboote7eeb32feat: verify go.mod tidiness in generate targetcd429e9fix: relax LUKS header validation4c288cafix: mark more resources as sensitive3c57602fix: etcd client leak in the (legacy) Upgrade APIe002e47fix: recreate dns server and listeners on host DNS runner restart9b12c51fix: bring in a change to BCM2712_MIPdd4926ffix: touch rootfs files with SOURCE_DATE_EPOCH0e9ef3dfeat: enforce strict QoS ordering in OOM victim selectiond040a7dfix: relax hostname config validationb63a69bfix: memorymodules resource reporting0263a99chore: bump containerd to 2.2.5 (cve patches)26a2889chore: bump vuln go pkgs, go mod tidy19daa72chore: bump pkgs and toolsChanges from siderolabs/pkgs
11 commits
0516a46chore: bump containerd to 2.2.5 (cve patches)8ce6127chore: bump toolsbecfefafeat: bump OpenSSL to 3.6.3298b394feat: bump kernel to 6.18.35435044bfix: avoid page_table_check BUG on time namespace VVAR pagea909a84fix: disable PAGE_TABLE_CHECK_ENFORCED in kernel configaf985d6fix: enable CONFIG_BCM2712_MIP as built-in in arm64 kernel configde0e5b9feat: bump kernel to 6.18.341e6b222feat: pre-generate drbd patches using spatch out of tree283a3e6feat: update Linux to 6.18.3356397e0feat: bump runc to 1.3.6Changes from siderolabs/tools
3 commits
3841297chore: bump openssl, libcap, fakeroot; fix texinfo4ff7ad2chore: make rekres2cc5cacchore: bump Go to 1.25.11Dependency Changes
Previous release can be found at v1.12.8
Images
v1.12.8Compare Source
Talos 1.12.8 (2026-05-22)
Welcome to the v1.12.8 release of Talos!
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Containerd Update
This release includes an update to containerd v2.2.4 due to v2.1.x releases being EOL and affected by CVE-2026-46680.
Component Updates
Linux: 6.18.32
etcd: 3.6.11
CoreDNS: 1.14.3
containerd: 2.2.4
Talos is built with Go 1.25.10.
Contributors
Changes
17 commits
aef64carelease(v1.12.8): prepare releasefaff617fix: update containerd to 2.2.4ea3cc69chore: update dependencies7a96c02feat(ci): rotate credentials99a1aabtest: fix flaky tests3f8572dfeat: update CoreDNS to 1.14.3d4a83c8fix: provide proper AWS platform metadata1ab16c0feat: update etcd to 3.6.11ad7bfb6fix: add missing kernel modules in rootfsff0fe19feat: run depmod with verification on rootfs build55cd11afix: stale discovered volume children555bc84fix(ci): zfs testfbfe83ffix: do not pick up a system disk from a loop device7e035bcfix: bump go-kmsg to fix the timestamp drift0f23c2cfix: make lacp active nilablec00250ffix: reset the ticker when the KubeSpan is disabled/enabled07a0e93fix: replace Canal manifest with a more recent oneChanges from siderolabs/go-kmsg
1 commit
65e97cbfix: boot time offset calculationChanges from siderolabs/pkgs
17 commits
153574bchore: update containerd to v2.2.4a9a3868chore: update depsfe604f9feat: preserve System.map on kernel buildsb00971echore: bump toolchain and tools3b9b487feat: bump kernel 6.18.3287acdb5feat: update Linux to 6.18.31ea936f1chore: run rekresb2c955efeat: update Linux to 6.18.309a77690fix: macb silent TX stall on BCM2712/RP1 (v2 patches from netdev)d73927efeat: bump kernel to 6.18.2957ab006feat: bump kernel 6.18.28a3d2b15feat: update Linux to 6.18.27dc3a7c1feat(kernel): backport two PCI bridge realloc fixes from v6.19cd6601ffeat: update Linux to 6.18.26dd845d1docs: list net macb silent TX stall fixes in kernel/build/patches/README.mddf2aee2fix: macb silent TX stall on BCM2712/RP1 (RFC patches from netdev)c0ef955feat: bump kernel to 6.18.25Changes from siderolabs/tools
2 commits
cbb843dchore: update dependencies for 1.12.82584442fix: renovate configsDependency Changes
Previous release can be found at v1.12.7
Images
v1.12.7Compare Source
Talos 1.12.7 (2026-04-24)
Welcome to the v1.12.7 release of Talos!
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Component Updates
Linux: 6.18.24
containerd: 2.1.7
etcd: 3.6.9
Kubernetes: v1.35.4
Talos is built with Go 1.25.9.
Contributors
Changes
19 commits
91c6399release(v1.12.7): prepare release3b228cafeat: bring in apparmor profile files1a05b4afeat: update kubernetes to v1.35.4b796be0feat: bump pkgs, spdystreama75ce6ffeat: bump pkgs, toolsc1ea8dbtest: fix OOM test flaked5b691bfix: watch kubelet's kubeconfig and time out for cache sync27655c5fix: propagate route table down to the resourcefcda84bfix: boot entry detection330561cfix: do not flip machine stage to rebooting during shutdown8ef4488fix: zfs extensions test8bc593dfix: wrong slot of encryption key was logged89f5615fix: panic in reading PCR values317deedfeat: add dis-vulncheck tool0654a7ffix: handle ISOs with zeroes in volume labelse16007bfix: unseal with "slow" TPM388a56bfix: incorrect route source for on-link routes7e42474test: fix the flakes in tests with trusted rootsd52ebe2feat: update etcd to 3.6.9Changes from siderolabs/pkgs
8 commits
86d6af1fix: install apparmor parser require config filesd6b125ffeat: bump systemd191632cfeat: bump kernel to 6.18.2413cbc68feat: bump tools, toolchain and containerd709678dfeat: update Linux to 6.18.2334de6dbfix: support disabling module signature verificatione30789afeat: update backportable dependencies830d895feat: update Linux to 6.18.21Changes from siderolabs/tools
3 commits
bbd753dfeat: bump toolchain61955e9feat: bump OpenSSL to 3.6.223de89ffeat: update util-linux to 2.41.4Dependency Changes
Previous release can be found at v1.12.6
Images
v1.12.6Compare Source
Talos 1.12.6 (2026-03-19)
Welcome to the v1.12.6 release of Talos!
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Component Updates
Linux: 6.18.18
runc: 1.3.5
Talos is built with Go 1.25.8.
Contributors
Changes
21 commits
a1b8bd6release(v1.12.6): prepare release72bd570feat: update Linux to 6.18.189d5638ffix: accept image cache volume encryption config0f018bffix: panic in hardware.SystemInfoControllerc46b898fix: validate missing apiVersion in config document decoderc47cad9fix: pull in a fix for dmesg timestamps190336afix: prevent stale discovered volumes reads217e9bbfix: bring in new version of go-cmd and go-blockdeviced7779a5fix: stop pulling wrong platform for imageseb6eb66fix(machined): support USERDATA legacy fallback in OpenNebula driverba20c7cfeat(machined): add ONEGATE proxy route and deterministic interface iteration for OpenNebula739f664feat(machined): inherit IP6_METHOD from METHOD in OpenNebula driver93878c0fix(machined): align OpenNebula hostname precedence with reference9718d73feat(machined): add IPv6 alias address support for OpenNebula (ETH_ALIAS_IP6)b649fb4feat(machined): support ETH*_IP6_METHOD (static/dhcp/auto/disable) for OpenNebulac81df6frefactor(machined): extract per-interface IPv4 helper in OpenNebula driver501924efix(machined): use ParseFQDN for hostname parsing in OpenNebulae9331b2feat(machined): support per-interface route metric for OpenNebula (ETH*_METRIC)6e78afbfeat(machined): add network alias support for OpenNebula (ETH_ALIAS)9f648b4feat(machined): merge global and per-interface DNS for OpenNebula04fba03feat(machined): add static routes support via ETH*_ROUTES for OpenNebulaChanges from siderolabs/go-cmd
2 commits
5f31ba9chore: rekres and updatefff5698feat: allow capturing full output to stdout, modernize APIChanges from siderolabs/go-kmsg
3 commits
b53b36dchore: rekres and update6f7d20bfeat: calculate boot time correctly if the time jumps47655eefeat: support PRINTK_CALLER kmsg logsChanges from siderolabs/pkgs
4 commits
a92bed5feat: enable AMD GPU peer-to-peer DMA09e87a9feat: backportable deps updateeb965e2feat(kernel): enable CONFIG_USB_UHCI_HCD on amd646804ebdfeat: update Linux 6.18.16, NVIDIA, ZFSDependency Changes
Previous release can be found at v1.12.5
Images
v1.12.5Compare Source
Talos 1.12.5 (2026-03-09)
Welcome to the v1.12.5 release of Talos!
Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.
Component Updates
Linux: 6.18.15
Kubernetes: 1.35.2
etcd: 3.6.8
Talos is built with Go 1.25.8.
Contributors
Changes
19 commits
da6c6e4release(v1.12.5): prepare release4f978a7fix: correctly calculate end ranges for nftables sets8d52e2dfeat: add trusted roots generation to stdpatches6284877fix: use correct dhcp option for unicast dhcp renewaldcf23befix: ignore image digest when doing upgrade-k8sf8a2a9bfix(machined): opennebula: process ETH*_ vars regardless of NETWORK context flagdb9ff23fix: patch with delete for LinkConfigse0c38e2fix: update path handling on talosctl cgroupsca2d4c1fix: stop Kubernetes client from dynamically reloading the certs70ae2f2refactor: split locate and provisionc3b0484fix: hold user volumes root mountpointd935420fix: handle raw encryption keys with\nproperly7fe1a47fix: remove stale endpoints3ea0888fix: allow static hosts in/etc/hostswithout hostname5ebb00ffix: switch to better Myers algorithm implementation2b40379feat: update etcd to v3.6.81ce9328fix: disks flag parsing and handling in create qemu command1f989dffix: read multi-doc machine config with newer talosctl40ba6e3feat: update Linux 6.18.15, Go 1.25.8Changes from siderolabs/go-debug
1 commit
47fce68feat: support Go 1.26, rekresChanges from siderolabs/pkgs
7 commits
e695c74feat: update Linux to 6.18.157d4ef68feat: update Linux to 6.18.14300cd60feat: update Linux firmware to202602265f9fd3feat: update Linux to 6.18.1396fc8e3feat: enable MLX5 Scalable Functions and TC offload in kernelf31edf1feat: add patch for Cilium BPF verifier rejection by the kernel8b4b129feat: update Go to 1.25.8Changes from siderolabs/tools
1 commit
57916cbfeat: update Go to 1.25.8Dependency Changes
Previous release can be found at v1.12.4
Images
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
d1acac562cto500e7ba557chore(deps): update dependency siderolabs/talos to v1.12.5to chore(deps): update dependency siderolabs/talos to v1.12.6500e7ba557to6fa94f633cchore(deps): update dependency siderolabs/talos to v1.12.6to chore(deps): update dependency siderolabs/talos to v1.12.76fa94f633cto184f53d8d0chore(deps): update dependency siderolabs/talos to v1.12.7to chore(deps): update dependency siderolabs/talos to v1.13.0184f53d8d0to7b1dba1f56chore(deps): update dependency siderolabs/talos to v1.13.0to chore(deps): update dependency siderolabs/talos to v1.13.27b1dba1f56to54ff7f2daachore(deps): update dependency siderolabs/talos to v1.13.2to chore(deps): update dependency siderolabs/talos to v1.13.354ff7f2daato1e0608edffchore(deps): update dependency siderolabs/talos to v1.13.3to chore(deps): update dependency siderolabs/talos to v1.13.41e0608edffto709f35540cchore(deps): update dependency siderolabs/talos to v1.13.4to chore(deps): update dependency siderolabs/talos to v1.13.5709f35540cto80d0c58f5achore(deps): update dependency siderolabs/talos to v1.13.5to chore(deps): update dependency siderolabs/talos to v1.13.6View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.Merge
Merge the changes and update on Forgejo.Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.