v1.12.0-beta.0

[smira]

Talos 1.12.0-beta.0 (2025-11-14)

Welcome to the v1.12.0-beta.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

New User Volume type - bind

New field in UserVolumeConfig - volumeType that defaults to partition, but can be set to directory.
When set to directory, provisioning and filesystem operations are skipped and a directory is created under /var/mnt/<name>.

The directory type enables lightweight storage volumes backed by a host directory, instead of requiring a full block device partition.

When volumeType = "directory":

• A directory is created at /var/mnt/<metadata.name>;
• provisioning, filesystem and encryption are prohibited.

Note: this mode does not provide filesystem-level isolation and inherits the EPHEMERAL partition capacity limits.
It should not be used for workloads requiring predictable storage quotas.

Disk Encryption

Talos versions prior to v1.12 used the state of PCR 7 and signed policies locked to PCR 11 for TPM based disk encryption.

Talos now supports configuring which PCRs states are to be used for TPM based disk encryption via the options.pcrs
field in the tpm section of the disk encryption configuration.

If user doesn't specify any options Talos defaults to using PCR 7 for backwards compatibility with existing installations.

This change was made to improve compatibility with systems that may have varying states in PCR 7 due to UEFI Secure Boot configurations
and users may wish to disable locking to PCR 7 state entirely.

Signed PCR policies will still be bound to PCR 11.

The currently used PCR's can be seen with talosctl get volumestatus <volume> -o yaml command.

New User Volume type - disk

volumeType in UserVolumeConfig can be set to disk.
When set to disk, a full block device is used for the volume.

When volumeType = "disk":

• Size specific settings are not allowed in the provisioning block (minSize, maxSize, grow).

Embedded Config

Talos Linux now supports embedding the machine configuration directly into the boot image.

etcd

etcd container image is now pulled from registry.k8s.io/etcd instead of gcr.io/etcd-development/etcd.

Ethernet Configuration

The Ethernet configuration now includes a wakeOnLAN field to enable Wake-on-LAN (WOL) support.
This field can be set to enable WOL and specify the desired WOL modes.

Extra Binaries

Talos Linux now ships with nft binary in the rootfs to support CNIs which shell out to nft command.

Feature Lock

Talos now ignores the following machine configuration fields:

• machine.features.rbac (locked to true)
• machine.features.apidCheckExtKeyUsage (locked to true)
• cluster.apiServer.disablePodSecurityPolicy (locked to false)

These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values above.

Talos force reboot

Talos now supports a "force" reboot mode, which allows skipping the graceful userland termination.
It can be used in situations where a userland service (e.g. the kubelet) gets stuck during graceful shutdown, causing the regular reboot flow to fail.

In addition, talosctl was updated to support this feature via talosctl reboot --mode force.

GRUB

Talos Linux introduces new machine configuration option .machine.install.grubUseUKICmdline to control whether GRUB should use the kernel command line
provided by the boot assets (UKI) or to use the command line constructed by Talos itself (legacy behavior).

This option defaults to true for new installations, which means that GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation.
For existing installations upgrading to v1.12, this option will default to false to preserve the legacy behavior.

Kernel Module

Talos now supports optionally disabling kernel module signature verification by setting module.sig_enforce=0 kernel parameter.
By default module signature verification is enabled (module.sig_enforce=1).
When using Factory or Imager supply as -module.sig_enfore module.sig_enforce=0 kernel parameters to disable module signature enforcement.

Kernel Security Posture Profile (KSPP)

Talos now enables a stricter set of KSPP sysctl settings by default.
The list of overridden settings is available with talosctl get kernelparamstatus command.

Encrypted Volumes

Talos Linux now consistently provides mapped names for encrypted volumes in the format /dev/mapper/luks2-<volume-id>.
This change should not affect system or user volumes, but might allow easier identification of encrypted volumes,
and specifically for raw encrypted volumes.

Network Configuration

The network configuration under .machine.network (with the exception of KubeSpan) has been deprecated, but it is still supported for backwards compatibility.
New configuration documents were created to replace it, they will be documented in the future.

CRI Registry Configuration

The CRI registry configuration in v1apha1 legacy machine configuration under .machine.registries is now deprecated, but still supported for backwards compatibility.
New configuration documents RegistryMirrorConfig, RegistryAuthConfig and RegistryTLSConfig should be used instead.

talosctl image cache-serve

talosctl includes new subcommand image cache-serve.
It allows serving the created OCI image registry over HTTP/HTTPS.
It is a read-only registry, meaning images cannot be pushed to it, but the backing storage can be updated by re-running the cache-create command;

Additionally talosctl image cache-create has some changes:

• new flag --layout: oci (default), flat:
  • oci preserves current behavior;
  • flat does not repack artifact layer, but moves it to a destination directory, allowing it to be served by talosctl image cache-serve;
• changed flag --platform: now can accept multiple os/arch combinations:
  • comma separated (--platform=linux/amd64,linux/arm64);
  • multiple instances (--platform=linux/amd64 --platform=linux/arm64);

UEFI Boot

When using UEFI boot with systemd-boot as bootloader (on new installs of Talos from 1.10+ onwards), Talos will now not touch the UEFI boot order.
Talos 1.11 made a fix to create UEFI boot entry and set the boot order as first entry, but this behavior caused issues on some systems.
To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist, but will not modify the boot order.

Component Updates

Linux: 6.17.7
Kubernetes: 1.35.0-alpha.3
CNI Plugins: 1.8.0
cryptsetup: 2.8.1
LVM2: 2_03_34
systemd-udevd: 257.8
runc: 1.3.2
CoreDNS: 1.13.1
etcd: 3.6.5
Flannel: 0.27.4
Flannel CNI plugin: v1.8.0-flannel2
runc: 1.3.3
containerd: 2.1.5

Talos is built with Go 1.25.4.

Contributors

• Andrey Smirnov
• Noel Georgi
• Mateusz Urbanek
• Dmitrii Sharshakov
• Amarachi Iheanacho
• Orzelius
• Oguz Kilcan
• Laura Brehm
• Justin Garrison
• Artem Chernyshev
• Utku Ozdemir
• George Gaál
• Jorik Jonker
• Michael Smith
• Nicole Hubbard
• 459below
• Adrian L Lange
• Alp Celik
• Andrew Longwill
• Chris Sanders
• Dmitry
• Febrian
• Florian Grignon
• Fred Heinecke
• Giau. Tran Minh
• Grzegorz Rozniecki
• Guillaume LEGRAIN
• Hector Monsalve
• Markus Freitag
• Max Makarov
• Mike Beaumont
• Misha Aksenov
• MrMrRubic
• Olivier Doucet
• Pranav
• Sammy ETUR
• Serge Logvinov
• Skyler Mäntysaari
• SuitDeer
• Tom
• aurh1l
• frozenprocess
• frozensprocess
• kassad
• leppeK
• samoreno
• theschles
• winnie

Changes

291 commits

• 3d997d742 release(v1.12.0-beta.0): prepare release
• e62384ba3 fix: re-creating STATE after partition drop
• 6919d232a docs: update kernel args size
• 887b296dc test: randomize MAC addresses used in the unit-tests
• 6063fbf91 feat: update dependencies
• 542a67a06 feat: add riscv64 build of talosctl
• 68560b53a fix: split volume/disk locators
• 2c3d30e94 docs: fix image-cache-path flag description
• 93f2e87c2 feat: shorthand for generating secrets to stdout
• 5e1de0035 feat: implement time and resolvers multi-doc configuration
• 399240be3 feat: drop partitions on reset with system partitions wipe
• 5cca96655 feat: add new rockchip sbcs
• 00fe50d86 fix: uefi bootorder setting
• 3a881184b chore: improve error handling for system disk reset
• 859194e67 chore: extract system+user volume config transformers, test
• 308c6bc41 feat: add full disk volumes
• 82ac1119e feat: implement new registry configuration
• 106f45799 feat: update Linux kernel with userfaultfd/VDPA
• 721a1e0d7 chore: rename+improve client.ErrEventNotSupported
• 43f4e317f fix: race between VolumeConfigController and UserVolumeConfigController
• 66c01a706 chore: deprecate interactive installer mode
• 957770f65 feat(machined): add panic/force mode reboot
• 60be0daf8 feat: implement multi-doc Wireguard config
• cf014cb5d fix: only set default bootloader if none is set
• e9b016f80 fix: use strict platform match when pulling images
• fafab391b feat: update Kubernetes to 1.35.0-alpha.3
• 7bf3aaca9 feat: allow glibc aarch64 so files in extensions
• c8561ee2d feat: implement bridge multi-document config
• f4ad3077b feat: implement bond multi-doc configuration
• 75fe47582 fix: stop attaching to tearing down mount parents
• c93a9c6b4 fix: improve OOM controller stability and make test strict on false positives
• 021bbfefb feat: update Go 1.25.4, containerd 2.1.5
• e25db484f test: disable parallelism in Longhorn tests
• 54b93aff0 feat: update Linux 6.17.7, runc 1.3.3
• 2af69ff35 fix: provide minimal platform metadata always
• 92eeaa482 fix: update YAML library
• aa24da9aa fix: bump kubelet credendial provider config to v1
• 335f91761 feat: add short -c flag for --cluster
• 4c095281b fix: set a timeout for SideroLink provision API call
• 75e4c4a59 fix: log duplication on log senders
• e3cbc92c0 fix: add video kernel module to arm
• d69305a67 fix: userspace wireguard handling
• ee5fee7c8 fix: image-signer commands
• be028b67a feat: add support for multi-doc VLAN config
• f3df0f80b feat: add directory backed UserVolumes
• 0327e7790 feat: add support for dashboard custom console parameter
• fed948b8a release(v1.12.0-alpha.2): prepare release
• fb4bfe851 chore: fix LVM test
• f4ee0d112 chore: disable VIP operator test
• 288f63872 feat: bump deps
• b66482c52 feat: allow disabling injection of extra cmdline in cluster create
• 704b5f99e feat: update Kubernetes to 1.35.0-alpha.2
• 1dffa5d99 feat: implement virtual IP operator config
• 43b1d7537 fix: validate provisioner when destroying local clusters
• b494c54c8 fix: talos import on non-linux
• 61e95cb4b feat: support bootloader option for ISO
• d11072726 fix: provide offset for partitions in discovered volumes
• 39eeae963 feat: update dependencies
• 9890a9a31 test: fix OOM test
• c0772b8ed feat: add airgapped mode to QEMU backed talos
• ac60a9e27 fix: update test for PCI driver rebind/IOMMU
• 6c98f4cdb feat: implement new DHCP network configuration
• da92a756d fix: drop 'ro' falg from defaults
• 28fd2390c fix: imager build on arm64
• 4e12df8c5 test: integration test for OOM controller
• 7e498faba feat: use image signer
• eccb21dd3 feat: add presets to the 'cluster create qemu' command
• ec0a813fa feat: unify cmdline handling GRUB/systemd-boot
• 37e4c40c6 fix: skip module signature tests on docker provisioner only
• 8124efb42 fix: cache e2e
• 4adcda0f5 fix: reserve the apid and trustd ports from the ephemeral port range
• ced57b047 feat: support optionally disabling module sig verification
• 1e5c4ed64 fix: build talosctl image cache-serve non-linux
• dbdd2b237 feat: add static registry to talosctl
• 77d8cc7c5 chore: push latest tag only on main
• 59d9b1c75 feat: update dependencies
• bf6ad5171 feat: add back install script
• da451c5ba chore: drop documentation except for fresh reference
• 2f23fedeb fix: file leak in reading cgroups
• b412ffdbc docs: update README.md for docs link
• 8dc51bae7 feat: add drm_gpuvm and drm_gpusvm_helper modules
• 4ca58aeb8 fix: make Akamai platform usable
• 061f8e76f feat: bump pkgs
• a9fa852da feat: update uefi image to talos linux logo
• 04753ba69 feat: update go to 1.25.2
• 9a42b05bd feat: implement link aliasing
• d732bd0be chore(ci): run only nvidia tests for NVIDIA workflows
• 8d1468209 fix: stop populating apiserver cert SANs
• 02473244c fix: wait for mount status to be proper mode
• 825622d90 fix: resource proto definitions
• 2c6003e79 docs: add Project Calico installation in two mode
• 4fb4c8678 feat: add disk.EnableUUID to generated ova
• 33fb48f8f fix: add dashboard spinner
• 053fd0bd4 feat: update Linux to 6.17
• 34e107e1b docs: fix broken link
• dfbece56b docs: update the kubespan docs
• 8b041a72c docs: update scaleway.md
• 435dcbf82 fix: provide nocloud metadata with missing network config
• ec3bd878f refactor: remove the go-blockdevice v1 completely
• 33544bde9 fix: minor improvements to fs
• fd2eebf7f feat: create merge patch from diff of two machine configs
• eadbdda94 fix: uefi boot order setting
• cd9fb2743 fix: support secure HTTP proxy with gRPC dial
• adf87b4b9 feat: update Flannel to v0.27.4
• 5dfb7e1fe feat: serve etcd image from registry.k8s.io
• 5ca841804 fix: nftables flaky test
• a940e45a7 feat: generate list of images required to build talos
• 3472d6e79 fix: revert "chore: use new mount/v3 package in efivarfs"
• 42c0bdbf3 feat: add provisioner flag to images default command
• 6bc0b1bcf feat: drop and lock deprecated features
• 362a8e63b fix: change the compression format
• 6e58f58aa fix: mkdir artifacts path
• 3165a2b84 release(v1.12.0-alpha.1): prepare release
• e455c7ea9 chore: use testing/synctest in tests
• 7f048e962 feat: update dependencies
• fe36b3d32 fix: stop returning EINVAL on remount of detached mounts
• c6279e04c chore: use new mount/v3 package in efivarfs
• d5197effb feat: update etcd 3.6.5, CoreDNS 1.12.4
• 33714b715 feat: release cloud image using factory
• d10a2747e docs: deprecate JSON6902 patches and interactive installer
• 1e604cbf5 fix: don't set broadcast for /31 and /32 addresses
• 65a66097a refactor: split cluster create logic into smaller parts
• ab847310e fix: provide refreshing CA pool (resolvers)
• d63c3ed7d docs: update secureboot docs
• 493f7ed9d feat: support embedded config
• 251df70f6 feat: add a userspace OOM controller
• 7bae5b40b feat: implement link configuration
• 724857dec fix(ci): skip netbird extension for tests
• e06a08698 fix: default gateway as string
• 7ed07412e fix: uefi boot entry handling logic
• ea4ed165a refactor: efivarfs mock and tests
• 1fca111e2 feat: support setting wake-on-lan for Ethernet
• 94f78dbe7 docs: add a documentation for running Talos in KVM
• 46902f8fd docs: add TrueFullstaq to adopters
• a28e5cbd5 chore: update pkgs and tools
• 7cf403db8 docs: step-by-step scaleway documentation to get an image
• 687285fa2 docs: remove 'curl' in wget command
• 9db6dc06c feat: stop mounting state partition
• 53ce93aae test: try to clear connection refused more aggressively
• 51db5279c fix: bump trustd memory limit
• 25204dc8a fix(machined): change constants.MinimumGOAMD64Level using build tag
• 9cd2d794d feat: ship nft binary with Talos rootfs
• b1416c9fe feat: record last log the failed service
• 0b129f9ef feat: enforce more KSPP and hardening sysctls
• 11872643c chore: drop docs folder
• d30fdcd88 chore: pass in github token to imager
• b88f27d80 chore: make reset test code a bit better
• 1cde53d01 test: fix several issues with tests
• 16cd127a0 docs: add docs on updating image cache
• c3ae92b14 fix: build kernel checks only on linux
• 2120904ec feat: create detached tmpfs
• 6bbee6de5 docs: remove 'ceph-data' from volume examples/docs
• 07acb3bd2 fix: use correct order to determine SideroV1 keys directory path
• 2d57fa002 fix: trim zero bytes in the DHCP host & domain response
• 451cb5f78 docs: clarify disk partition confusion
• a2122ee5c feat: implement HostConfig multi-doc
• 69ab076b4 fix: re-create cgroups when restarting runners
• 297b5cc28 docs: add docs on node labels
• e168512dd fix: apply 'ro' flag to iso9660 filesystems
• 7f7acfbb9 docs: fix typo in doc
• d57882b18 feat: update Kubernetes to 1.34.1
• f85f82f32 test: fix flakiness in RawVolumes test
• 82569e319 feat: update Linux 6.16.6
• 2fd2ab4e4 fix: remove CoreDNS cpu limit
• ce9bc32a0 chore(ci): rekres to use new runner groups
• 8b64f68f6 test: improve test stability
• 272cb860d chore: drop the --input-dir flag from the cluster create command
• 1b6533675 docs: add note about ca-signed certs for secureboot
• d3f88f50c docs: document talos vip failover behavior
• 005fc8bd5 docs: add docs on syncing configs after a kube upgrade
• 4d876d9af feat: update Go to 1.25.1
• 2b556cd22 feat: implement multi-doc StaticHostConfig
• a7b776842 docs: replace Raspberry Pi 5 links with Talos builder
• a349b20ed docs: clarify that talos does not support intermediate ca
• 895133de9 feat: support configuring PCR states to bind disk encryption
• c1360103b docs: fix command for uploading image on Hetzner
• 43b5b9d89 fix: correctly handle status-code 204
• feeb0d312 feat: update runc to 1.3.1
• 421634a14 docs: add docs on multihoming
• 41af2d230 refactor: clean up internal cluster creation code
• 3000d9e43 fix: don't bootstrap talos cluster if there's no config present
• 79cb871d0 feat: use the id of the volume in the mapped luks2 name
• 6c322710d chore: refactor mount package
• ced7186e2 refactor: update COSI to 1.11.0
• de2e24fcd docs: clarify that install-cni image is deprecated
• bef8ef509 docs: add docs on cilium's compatibility with kubespan
• e5acb10fc feat: update pkgs
• c4c1daf0e docs: add info about br_netfilter
• 5c52ecac3 docs: clarify interactive dashboard resolution control
• 15ecb02a4 feat: update Linux kernel (memcg_v1, ublk)
• 53f18c2f6 fix: enable support for VMWare arm64
• 3bbe1c0da docs: add docs on grow flag
• b9fb09dcd release(v1.12.0-alpha.0): prepare release
• 6a389cad3 chore: update dependencies
• 9d98c2e89 feat: add a cgroup preset for PSI and --skip-cri-resolve
• 072f77b16 chore: prepare for future Talos 1.12-alpha.0 release
• 96f41ce88 docs: update qemu and docker docs
• a751cd6b7 docs: activate Talos v1.11 docs by default
• e8f1ec1c5 docs: fix broken create qemu command v1.11 docs
• 639f0dfdd feat: update Linux to 6.16.4
• 8aa7b3933 fix: bring back linux/armv7 build and update xz
• 9cae7ba6b feat: update CoreDNS to 1.12.3
• cfef3ad45 fix: drop linux/armv7 build
• 42ea2ac50 fix: update xz module (security)
• 4fcfd35b9 docs: fix module name example
• 50824599a chore: update some tools
• bcd297490 feat: allow Ed25119 in FIPS mode
• 5992138bb test: ignore one leaking goroutine
• d155326c1 docs: add sbc unofficial ports docs
• 285fa7d22 docs: add the deploy application docs
• 527791f09 feat: update Kubernetes to 1.34.0
• a1c0e237d feat: update Linux to 6.15.11, Go to 1.25
• 4d7fc25f8 docs: switch order of wipe disk command
• 7368a994d feat: add SOCKS5 proxy support to dynamic proxy dialer
• d63591069 chore: silence linter warnings
• 07eb4d7ec fix: set default ram unit to MiB instead of MB
• 6b732adc4 feat: update Linux to 6.12.43
• b6410914f feat: add human readable byte size cli flags
• ec70cef99 feat: update NVIDIA drivers and kernel
• 0879efa69 feat: update Kubernetes default to v1.34.0-rc.2
• f504639df feat: add a user-facing create qemu command
• 558e0b09a test: fix the Image Factory PXE boot test
• d73f0a2e5 docs: make readme badges consistent
• f1369af98 chore: use new filesystem api on STATE partition
• 366cedbe7 docs: link to kubernetes linux swap tuning
• 2f5a16f5e fix: make --with-uuid-hostnames functionality available to qemu provider
• 70612c1f9 refactor: split the PlatformConfigController
• 511748339 docs: add system extension tier documentation
• 009fb1540 test: don't run nvidia tests on integration/aws
• 99674ef20 docs: apply fixes for what is new
• 92db677b5 fix: image cache lockup on a missing volume
• 9c97ed886 fix: version contract parsing in encryption keys handling
• 1fc670a08 fix: dial with proxy
• 18447d0af feat: update Linux to 6.12.41
• f65f39b78 fix: provide mitigation CVE-1999-0524
• 8817cc60c fix: actually use SIDEROV1_KEYS_DIR env var if it's provided
• b08b20a10 feat: use key provider with fallback option for auth type SideroV1
• 7a52d7489 fix: kubernetes upgrade options for kubelet
• ea8289f55 feat: add a user facing docker command
• 54ad64765 chore: re-enable vulncheck
• 26bbddea9 fix: darwin build
• b5d5ef79e fix: set secs field in DHCPv4 packets
• c07911933 chore: refactor how tools are being installed
• 34f25815c docs: fork docs for v1.12
• b66b995d3 feat: update default Kubernetes to v1.34.0-rc.1
• b967c587d docs: fix clone URL to include .git
• b72c68398 docs: edit the insecure, etcd-metrics, inline and extramanifests
• e5b9c1fff docs: remov RAS Syndrome
• 701fe774b docs: fix cilium links and bump to 1.18.0
• d306713a1 feat: update Go to 1.24.6
• 721595a00 chore: add deadcode elimination linter
• dc4865915 refactor: stop using text/template in machined code paths
• 545be55ed feat: add a pause function to dashboard
• 06a6c0fe3 refactor: fix deadcode elimination with godbus
• 2dce8f8d4 refactor: replace containerd/containerd/v2 module for proper DCE
• 9b11d8608 chore: rekres to configure slack notify workflow for CI failures
• 5ce6a660f docs: augment the pod security docs
• ada51ff69 fix: unmarshal encryption STATE from META
• b9e9b2e07 docs: add what is new notes for 1.11
• 53055bdf4 docs: fix typo in kubevirt page
• 8d12db480 fix: one more attempt to fix volume mount race on restart
• 34d37a268 chore: rekres to use correct slack channel for slack-notify
• 326a00538 feat: implement talos.config.early command line arg
• a5f3000f2 feat: implement encryption locking to STATE
• c1e65a342 docs: remove talos API flags from mgmt commands
• 181d0bbf5 feat: bootedentry resource
• 7ad439ac3 fix: enforce minimum size on user volumes if not set explicitly
• 50e37aefd fix: live reload of TLS client config for discovery client
• 87efd75ef feat: update containerd to 2.1.4
• 724b9de6d feat: add F71808E watchdog driver
• 8af96f7af docs: add ETCD downgrade documentation
• 44edd205d docs: add remark about 'exclude-from-external-load-balancers' label
• 727101926 fix(ci): use a random suffix for ami names
• d621ce372 fix: grype scan
• d62e255c2 fix: issues with reading GPT
• 5d0883e14 feat: update PCI DB module to v0.3.2
• 3751c8ccf test: wait for service account test job longer
• a592eb9f9 feat: update Linux to 6.12.40
• 4c40e6d3f feat: update etcd to 3.6.4
• 2bc37bd2c docs: fix error in kernel module guide
• bfc57fb86 chore: tag aws snapshots created via ci with the image name
• 06ef7108a fix: issue with volume remount on service restart
• 03efbff18 docs: add SBOM documentation
• af8a2869d fix: do not download artifacts for cron Grype scan
• 5f442159b feat: unify disk encryption configuration
• 38e176e59 chore(ci): fix datasource versioning
• 85d6b9198 feat: update etcd to v3.5.22
• dd7bd2dab docs: rewrite the getting started and prod docs for v1.10 and v1.11
• 136a899aa chore: regenerate release step with signing fixes
• 450b30d5a chore(ci): add more nvidia test matrix
• 451c2c4c3 test: add talosctl:latest to the image cache

Changes since v1.12.0-alpha.2

46 commits

• 3d997d742 release(v1.12.0-beta.0): prepare release
• e62384ba3 fix: re-creating STATE after partition drop
• 6919d232a docs: update kernel args size
• 887b296dc test: randomize MAC addresses used in the unit-tests
• 6063fbf91 feat: update dependencies
• 542a67a06 feat: add riscv64 build of talosctl
• 68560b53a fix: split volume/disk locators
• 2c3d30e94 docs: fix image-cache-path flag description
• 93f2e87c2 feat: shorthand for generating secrets to stdout
• 5e1de0035 feat: implement time and resolvers multi-doc configuration
• 399240be3 feat: drop partitions on reset with system partitions wipe
• 5cca96655 feat: add new rockchip sbcs
• 00fe50d86 fix: uefi bootorder setting
• 3a881184b chore: improve error handling for system disk reset
• 859194e67 chore: extract system+user volume config transformers, test
• 308c6bc41 feat: add full disk volumes
• 82ac1119e feat: implement new registry configuration
• 106f45799 feat: update Linux kernel with userfaultfd/VDPA
• 721a1e0d7 chore: rename+improve client.ErrEventNotSupported
• 43f4e317f fix: race between VolumeConfigController and UserVolumeConfigController
• 66c01a706 chore: deprecate interactive installer mode
• 957770f65 feat(machined): add panic/force mode reboot
• 60be0daf8 feat: implement multi-doc Wireguard config
• cf014cb5d fix: only set default bootloader if none is set
• e9b016f80 fix: use strict platform match when pulling images
• fafab391b feat: update Kubernetes to 1.35.0-alpha.3
• 7bf3aaca9 feat: allow glibc aarch64 so files in extensions
• c8561ee2d feat: implement bridge multi-document config
• f4ad3077b feat: implement bond multi-doc configuration
• 75fe47582 fix: stop attaching to tearing down mount parents
• c93a9c6b4 fix: improve OOM controller stability and make test strict on false positives
• 021bbfefb feat: update Go 1.25.4, containerd 2.1.5
• e25db484f test: disable parallelism in Longhorn tests
• 54b93aff0 feat: update Linux 6.17.7, runc 1.3.3
• 2af69ff35 fix: provide minimal platform metadata always
• 92eeaa482 fix: update YAML library
• aa24da9aa fix: bump kubelet credendial provider config to v1
• 335f91761 feat: add short -c flag for --cluster
• 4c095281b fix: set a timeout for SideroLink provision API call
• 75e4c4a59 fix: log duplication on log senders
• e3cbc92c0 fix: add video kernel module to arm
• d69305a67 fix: userspace wireguard handling
• ee5fee7c8 fix: image-signer commands
• be028b67a feat: add support for multi-doc VLAN config
• f3df0f80b feat: add directory backed UserVolumes
• 0327e7790 feat: add support for dashboard custom console parameter

Changes from siderolabs/crypto

2 commits

• siderolabs/crypto@4154a77 feat: implement dynamic certificate reloader
• siderolabs/crypto@dae07fa chore: update to Go 1.25

Changes from siderolabs/gen

1 commit

• siderolabs/gen@4c7388b chore: update Go modules, replace YAML library

Changes from siderolabs/go-api-signature

5 commits

• siderolabs/go-api-signature@8b046e5 fix: do not decode the signature in the plain key from base64
• siderolabs/go-api-signature@7e98556 feat: support verifying payload using plain ecdsa keys
• siderolabs/go-api-signature@876da9a feat: add method for revoking public key
• siderolabs/go-api-signature@184f94d chore: rekres and bump go to 1.25.2
• siderolabs/go-api-signature@68478e2 fix: return invalid signature error when a signature is required

Changes from siderolabs/go-debug

2 commits

• siderolabs/go-debug@d51e25a chore: rekres, bump deps and go
• siderolabs/go-debug@e21721b chore: add support for Go 1.25

Changes from siderolabs/go-kubernetes

1 commit

• siderolabs/go-kubernetes@8454fe9 feat: add upgrade path for 1.35

Changes from siderolabs/go-loadbalancer

1 commit

• siderolabs/go-loadbalancer@5e7a8b2 feat: add jitter and initial health check wait support to upstreams

Changes from siderolabs/go-talos-support

2 commits

• siderolabs/go-talos-support@abfc570 chore: update dependencies, replace YAML library
• siderolabs/go-talos-support@e0738a9 fix: set pod name in k8s kube-system log filenames

Changes from siderolabs/pkgs

55 commits

• siderolabs/pkgs@22a9943 feat: update dependencies
• siderolabs/pkgs@1768ccf feat: enable VDPA settings
• siderolabs/pkgs@3913216 feat: enable USERFAULTFD in the kernel
• siderolabs/pkgs@4ae050a feat: update Go to 1.25.4
• siderolabs/pkgs@0abcf01 feat: update containerd to 2.1.5
• siderolabs/pkgs@70404aa feat: bump dependencies
• siderolabs/pkgs@f70250f feat: add nvidia gdrcopy gdrdrv kernel module
• siderolabs/pkgs@a7d7c1a feat: enable CONFIG_PCI_P2PDMA for GPUDirect RDMA
• siderolabs/pkgs@da97c36 feat: update linux-firmware
• siderolabs/pkgs@6d58d7f feat: bump deps
• siderolabs/pkgs@b535af8 feat: update dependencies
• siderolabs/pkgs@a098092 feat: update Linux to 6.17.3, tt-kmd to 2.4.1
• siderolabs/pkgs@661e578 feat: add xe extension
• siderolabs/pkgs@8ddac2d feat: bump go
• siderolabs/pkgs@332303e fix: rollback libseccomp version
• siderolabs/pkgs@f62ebca chore: update dependencies
• siderolabs/pkgs@56f8ae3 feat: update Linux to 6.17.1, NVIDIA LTS to 580.95.05
• siderolabs/pkgs@20b1849 fix: revert "feat" support adding extra trusted certificates in the kernel"
• siderolabs/pkgs@1e3d375 feat: bump go
• siderolabs/pkgs@ddfd7af feat: bump dependencies
• siderolabs/pkgs@4dc7709 feat: update runc to 1.3.2
• siderolabs/pkgs@61d8b44 chore: fix renovate config for urcu & hailort
• siderolabs/pkgs@5bda512 feat: upgrade Linux to 6.17
• siderolabs/pkgs@202a8e6 feat: update Linux to 6.16.9
• siderolabs/pkgs@3a0900f feat: enable SRv6 LWTUNNEL and BPF support
• siderolabs/pkgs@628efc8 chore: update linuxfirmware and rekres
• siderolabs/pkgs@9d1fb02 feat: support adding extra trusted certificates in the kernel
• siderolabs/pkgs@7fe686d fix: build nftables with embedded gmp
• siderolabs/pkgs@fede0a7 feat: add nft binary
• siderolabs/pkgs@0dae01a feat: update NVIDIA to 580.82.07
• siderolabs/pkgs@9ac2392 feat: enable Kernel config options for IPVS Maglev hashing scheduler support
• siderolabs/pkgs@3c5315c feat: update dependencies
• siderolabs/pkgs@122fa66 feat: update Linux to 6.16.6
• siderolabs/pkgs@ab1e866 feat: update Go to 1.25.1
• siderolabs/pkgs@7d6ef1b feat: update runc to 1.3.1
• siderolabs/pkgs@e067c20 feat: enable USB audio support
• siderolabs/pkgs@c4faa38 feat: bump dependencies
• siderolabs/pkgs@453cdfc feat: enable ublk support
• siderolabs/pkgs@9824684 fix: enable memcg v1
• siderolabs/pkgs@2447e11 feat: update Linux to 6.16, GCC to 15
• siderolabs/pkgs@2cfb920 feat: update Linux to 6.15.11, update tools, rekres
• siderolabs/pkgs@ab4e975 feat: update Linux to 6.12.43
• siderolabs/pkgs@cd67e36 chore: update kernel config to support max SMP CPUs
• siderolabs/pkgs@e3b2094 fix: fix build for new NVIDIA drivers
• siderolabs/pkgs@fd5fdfd feat: update Nvidia LTS to 580.65.06 and production to 570.172.08
• siderolabs/pkgs@0edf426 fix: backport CVE kernel patches to 6.12
• siderolabs/pkgs@26d8fef feat: enable Infiniband IRDMA support
• siderolabs/pkgs@16b5fac fix: re-enable CPUSETS_V1 cgroups controller
• siderolabs/pkgs@fd53886 feat: update backportable dependencies
• siderolabs/pkgs@d5f7467 feat: update Go to 1.24.6
• siderolabs/pkgs@0bd019f feat: update containerd to 2.1.4
• siderolabs/pkgs@0ba8b5b feat: enable F71808E watchdog driver
• siderolabs/pkgs@895a86b fix: enable ISCSI IBFT
• siderolabs/pkgs@a76a67c feat: update Linux to 6.12.40
• siderolabs/pkgs@8b0a561 feat: enable bootloader control on amd64

Changes from siderolabs/tools

20 commits

• siderolabs/tools@b82e375 feat: update dependencies
• siderolabs/tools@44932c0 feat: update Go to 1.25.4
• siderolabs/tools@b39bb09 feat: update dependencies
• siderolabs/tools@a08cc1f feat: update git to 2.51.1
• siderolabs/tools@e62d613 feat: bump go
• siderolabs/tools@916b464 fix: add pkgconf for ncurses, fix Renovate configs, bump deps
• siderolabs/tools@11f0337 feat: update Go
• siderolabs/tools@2c56d7a feat: update OpenSSL to 3.5.4
• siderolabs/tools@8f27cfa feat: update dependencies
• siderolabs/tools@1c1420e feat: add tinfo to ncurses
• siderolabs/tools@7c7328b fix: set regex in renovate config directly
• siderolabs/tools@3ab353b fix: modify renovate regex on ca_certificates
• siderolabs/tools@4f90801 chore: update openssl, curl, libexpat and rekres
• siderolabs/tools@c37ac80 feat: update Go to 1.25.1
• siderolabs/tools@7c659e9 feat: update to GCC 15
• siderolabs/tools@83fd7b7 feat: migrate from pkg-config to pkgconf
• siderolabs/tools@edafd5f feat: update toolchain for new Go and Linux headers
• siderolabs/tools@65789c7 chore: drop unused vars from Pkgfile
• siderolabs/tools@52db66e chore: drop protobuf-related stuff from tools
• siderolabs/tools@e3c3ef2 feat: update Go to 1.24.6

Dependency Changes

• cloud.google.com/go/compute/metadata v0.7.0 -> v0.9.0
• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.1 -> v1.20.0
• github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 -> v1.13.1
• github.com/aws/aws-sdk-go-v2/config v1.29.17 -> v1.31.20
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 -> v1.18.13
• github.com/aws/aws-sdk-go-v2/service/kms v1.41.2 -> v1.46.0
• github.com/aws/smithy-go v1.22.4 -> v1.23.2
• github.com/beevik/ntp v1.4.3 -> v1.5.0
• github.com/containerd/containerd/v2 v2.1.4 -> v2.1.5
• github.com/containernetworking/plugins v1.7.1 -> v1.8.0
• github.com/cosi-project/runtime v1.10.7 -> v1.12.0
• github.com/docker/cli v28.3.3 -> v29.0.0
• github.com/equinix-ms/go-vmw-guestrpc v0.1.1 -> v1.0.0
• github.com/florianl/go-tc v0.4.5 -> v0.4.7
• github.com/foxboron/go-uefi a3183a1bfc84 -> d29549a44f29
• github.com/gdamore/tcell/v2 v2.8.1 -> v2.9.0
• github.com/golang/mock v1.6.0 -> v1.7.0-rc.1
• github.com/google/cel-go v0.26.0 -> v0.26.1
• github.com/google/go-tpm v0.9.5 -> v0.9.7
• github.com/gopacket/gopacket v1.3.1 -> v1.5.0
• github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 -> v2.3.3
• github.com/hetznercloud/hcloud-go/v2 v2.22.0 -> v2.30.0
• github.com/insomniacslk/dhcp 8abf58130905 -> 175e84fbb167
• github.com/jsimonetti/rtnetlink/v2 v2.0.5 -> v2.1.0
• github.com/klauspost/compress v1.18.0 -> v1.18.1
• github.com/mdlayher/netlink fbb4dce95f42 -> v1.8.0
• github.com/miekg/dns v1.1.67 -> v1.1.68
• github.com/moby/moby/api v1.52.0 new
• github.com/moby/moby/client v0.1.0 new
• github.com/prometheus/procfs v0.17.0 -> v0.19.2
• github.com/rivo/tview a4a78f1e05cb -> v0.42.0
• github.com/safchain/ethtool v0.6.1 -> v0.7.0
• github.com/scaleway/scaleway-sdk-go v1.0.0-beta.34 -> v1.0.0-beta.35
• github.com/siderolabs/crypto v0.6.3 -> v0.6.4
• github.com/siderolabs/gen v0.8.5 -> v0.8.6
• github.com/siderolabs/go-api-signature v0.3.7 -> v0.3.12
• github.com/siderolabs/go-blockdevice/v2 v2.0.19 -> v2.0.20
• github.com/siderolabs/go-debug v0.5.0 -> v0.6.1
• github.com/siderolabs/go-kubernetes v0.2.26 -> v0.2.27
• github.com/siderolabs/go-loadbalancer v0.4.0 -> v0.5.0
• github.com/siderolabs/go-talos-support v0.1.2 -> v0.1.4
• github.com/siderolabs/pkgs v1.11.0-15-g2ac857a -> v1.12.0
• github.com/siderolabs/talos/pkg/machinery v1.11.0 -> v1.12.0-beta.0
• github.com/siderolabs/tools v1.11.0-2-g8556c73 -> v1.12.0
• github.com/spf13/cobra v1.9.1 -> v1.10.1
• github.com/spf13/pflag v1.0.7 -> v1.0.10
• github.com/stretchr/testify v1.10.0 -> v1.11.1
• github.com/u-root/u-root v0.14.0 -> v0.15.0
• go.etcd.io/etcd/api/v3 v3.6.4 -> v3.6.6
• go.etcd.io/etcd/client/pkg/v3 v3.6.4 -> v3.6.6
• go.etcd.io/etcd/client/v3 v3.6.4 -> v3.6.6
• go.etcd.io/etcd/etcdutl/v3 v3.6.4 -> v3.6.6
• go.yaml.in/yaml/v4 v4.0.0-rc.3 new
• golang.org/x/net v0.42.0 -> v0.47.0
• golang.org/x/oauth2 v0.30.0 -> v0.33.0
• golang.org/x/sync v0.16.0 -> v0.18.0
• golang.org/x/sys v0.34.0 -> v0.38.0
• golang.org/x/term v0.33.0 -> v0.37.0
• golang.org/x/text v0.27.0 -> v0.31.0
• golang.org/x/time v0.12.0 -> v0.14.0
• google.golang.org/grpc v1.73.0 -> v1.76.0
• google.golang.org/protobuf v1.36.6 -> v1.36.10
• gopkg.in/typ.v4 v4.4.0 new
• k8s.io/api v0.34.0 -> v0.35.0-alpha.3
• k8s.io/apiextensions-apiserver v0.34.0 -> v0.35.0-alpha.3
• k8s.io/apimachinery v0.34.0 -> v0.35.0-alpha.3
• k8s.io/apiserver v0.34.0 -> v0.35.0-alpha.3
• k8s.io/client-go v0.34.0 -> v0.35.0-alpha.3
• k8s.io/component-base v0.34.0 -> v0.35.0-alpha.3
• k8s.io/cri-api v0.34.0 -> v0.35.0-alpha.3
• k8s.io/kube-scheduler v0.34.0 -> v0.35.0-alpha.3
• k8s.io/kubectl v0.34.0 -> v0.35.0-alpha.3
• k8s.io/kubelet v0.34.0 -> v0.35.0-alpha.3
• k8s.io/pod-security-admission v0.34.0 -> v0.35.0-alpha.3
• k8s.io/utils 4c0f3b243397 -> bc988d571ff4
• kernel.org/pub/linux/libs/security/libcap/cap v1.2.76 -> v1.2.77

Previous release can be found at v1.11.0

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.1
registry.k8s.io/etcd:v3.6.5
registry.k8s.io/kube-apiserver:v1.35.0-alpha.3
registry.k8s.io/kube-controller-manager:v1.35.0-alpha.3
registry.k8s.io/kube-scheduler:v1.35.0-alpha.3
registry.k8s.io/kube-proxy:v1.35.0-alpha.3
ghcr.io/siderolabs/kubelet:v1.35.0-alpha.3
ghcr.io/siderolabs/installer:v1.12.0-beta.0
registry.k8s.io/pause:3.10

---

This discussion was created from the release v1.12.0-beta.0.