feat(deps): update dependency aqua:siderolabs/talos ( 1.11.6 ➔ 1.12.2 )

[parsec-renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
aqua:siderolabs/talos	minor	1.11.6 → 1.12.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

siderolabs/talos (aqua:siderolabs/talos)

v1.12.2

Compare Source

Talos 1.12.2 (2026-01-22)

Welcome to the v1.12.2 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

talosctl images talos-bundle can ignore reaching to the registry

The talosctl images talos-bundle command now accepts optional --ovelays and --extensions flags.
If those are set to false, the command will not attempt to reach out to the container registry to fetch the latest versions and digests of the overlays and extensions.

Component Updates

Linux: 6.18.5

Talos is built with Go 1.25.6.

Contributors

• Andrey Smirnov
• Dmitrii Sharshakov
• Andras BALI
• Artem Chernyshev
• Jonas Lammler
• Mateusz Urbanek
• Max Makarov
• Noel Georgi

Changes

21 commits

• @​54e5b43 release(v1.12.2): prepare release
• @​30da0bc fix: oracle platform file format
• @​7ddb37b fix: make OOM expression a bit less sensitive
• @​e438ec2 fix: marshal of FailOverMac property
• @​717ed72 fix: check if the device is not mounted when wiping
• @​c95c9fd fix: wipe the first/last 1MiB in addition to wiping by signatures
• @​52bed35 fix: add talos version to Hetzner Cloud client user agent
• @​0e447a4 fix: make OOM controller more precise by considering separate cgroup PSI
• @​3b974b9 fix: sort mirrors and tls configs when generating the machine config
• @​8b16fe5 feat: add VLAN support to OpenStack platform
• @​eb8480c fix: panic in configpatcher when the whole section is missing
• @​4d44306 fix: wipe disk by signatures
• @​cca4cd2 feat: add it87 hwmon module
• @​d9480ee fix: resolve SideroLink Wireguard endpoint on reconnect
• @​e16c2d5 fix: handle correctly incomplete RegistryTLSConfig
• @​dedd273 fix: bond config via platform
• @​f527cff fix: allow HostnameConfig to be used with incomplete machine config
• @​1091813 fix: lock down etcd listen address to IPv4 localhost
• @​9f8d938 fix: print talosctl images to release notes
• @​95433c1 fix: update VIP config example
• @​919394f feat: update Go to 1.25.6

Changes from siderolabs/pkgs

7 commits

• siderolabs/pkgs@4f8efaf fix: enable pinctrl for Raspberry Pi 5
• siderolabs/pkgs@3a36a01 feat: update NVIDIA LTS and production driver versions
• siderolabs/pkgs@d364d04 feat: update Linux to 6.18.5
• siderolabs/pkgs@a3d6cc4 feat: update Linux firmware to 2026011
• siderolabs/pkgs@40fa324 feat: enable IT87 hwmon module
• siderolabs/pkgs@8b8f314 feat: enable IPV6_MROUTE
• siderolabs/pkgs@3571127 feat: update Go to 1.25.6

Changes from siderolabs/tools

1 commit

• siderolabs/tools@31959f4 feat: update Go to 1.25.6

Dependency Changes

• github.com/klauspost/compress v1.18.2 -> v1.18.3
• github.com/siderolabs/go-blockdevice/v2 v2.0.22 -> v2.0.23
• github.com/siderolabs/pkgs v1.12.0-25-g90ff196 -> v1.12.0-32-g4f8efaf
• github.com/siderolabs/talos/pkg/machinery v1.12.1 -> v1.12.2
• github.com/siderolabs/tools v1.12.0-3-g5df8bae -> v1.12.0-4-g31959f4
• go.uber.org/zap v1.27.0 -> v1.27.1
• golang.org/x/net v0.47.0 -> v0.48.0
• golang.org/x/oauth2 v0.33.0 -> v0.34.0
• golang.org/x/sync v0.18.0 -> v0.19.0
• golang.org/x/sys v0.38.0 -> v0.40.0
• golang.org/x/term v0.37.0 -> v0.38.0
• golang.org/x/text v0.31.0 -> v0.33.0

Previous release can be found at v1.12.1

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.13.2
registry.k8s.io/etcd:v3.6.7
registry.k8s.io/kube-apiserver:v1.35.0
registry.k8s.io/kube-controller-manager:v1.35.0
registry.k8s.io/kube-scheduler:v1.35.0
registry.k8s.io/kube-proxy:v1.35.0
ghcr.io/siderolabs/kubelet:v1.35.0
registry.k8s.io/pause:3.10
ghcr.io/siderolabs/installer:v1.12.2
ghcr.io/siderolabs/installer-base:v1.12.2
ghcr.io/siderolabs/imager:v1.12.2
ghcr.io/siderolabs/talos:v1.12.2
ghcr.io/siderolabs/talosctl-all:v1.12.2
ghcr.io/siderolabs/overlays:v1.12.2
ghcr.io/siderolabs/extensions:v1.12.2

v1.12.1

Compare Source

Welcome to the v1.11.0-alpha.3 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Azure

Talos on Azure now defaults to MTU of 1400 bytes for the eth0 interface to avoid packet fragmentation issues.
The default MTU can be overriden with machine configuration.

IMA support removed

Talos now drops the IMA (Integrity Measurement Architecture) support. This feature was not used in Talos for any meaningful security purpose
and has historically caused performance issues. See #​11133 for more details.

Kubernetes Version Validation

Talos now validates Kubernetes version in the image submitted in the machine configuration.
Previously this check was performed only on upgrade, but now it is consistently applied to upgrade, initial provisioning, and machine configuration updates.

This implies that all image references should contain the tag, even if the image is pinned by digest.

Qemu provisioner on MacOS

On MacOS talosctl cluster create command now supports the Qemu provisioner in addition to the Docker provisioner.

Swap Suport

Talos now supports swap on block devices.
This feature can be enable by using SwapVolumeConfig document in the machine configuration.

Component Updates

Linux: 6.12.35
Kubernetes: 1.34.0-alpha.2
runc: 1.3.0
containerd: 2.1.3
Flannel CNI plugin: 1.7.1-flannel1
Flannel: 0.27.0
CoreDNS: 1.12.2

Talos is built with Go 1.24.4.

VMware

Talos VMWare platform now supports arm64 architecture in addition to amd64.

Zswap Support

Talos now supports zswap, a compressed cache for swap pages.
This feature can be enabled by using ZswapConfig document in the machine configuration.

Contributors

• Andrey Smirnov
• Noel Georgi
• Orzelius
• Orzelius
• Justin Garrison
• Spencer Smith
• Till Hoffmann
• Utku Ozdemir
• Artem Chernyshev
• Dmitrii Sharshakov
• Michael Robbins
• Steve Francis
• Andrew Longwill
• Marat Bakeev
• Olav Thoresen
• Thibault VINCENT
• Alvaro "Chamo" Linares Cabre
• Brian Brookman
• Bryan Mora
• Clément Nussbaumer
• Damien
• David R
• Dennis Marttinen
• Dmitriy Matrenichev
• Joakim Nohlgård
• Jorik Jonker
• Justin Seely
• Luke Cousins
• Marco Mihai Condrache
• Markus Reiter
• Martyn Ranyard
• Michael Moerz
• Mike
• Tan Siewert
• Tom Keur
• jvanthienen-gluo
• killcity
• yashutanu

Changes

170 commits

• 777335f23 chore: improve cloud image uploader resilience
• 14e5eee7d release(v1.11.0-alpha.2): prepare release
• 1e5a008f5 fix: hold user volume mount point across kubelet restarts
• cdad50590 docs: user volumes and kubernetes upgrade updates
• c880835c8 feat: implement zswap support
• 7f0300f10 feat: update dependencies, Kubernetes 1.34.0-alpha.2
• 61afbe3d2 docs: add vc4 documentation
• b9dbdc8e7 fix: etcd recover with multiple advertised addresses
• 19d94c357 feat: update Linux to 6.12.35, containerd to 2.1.3
• 44a1fc3b7 fix: treat context canceled as expected error on image pull
• 4da2dd537 feat: enforce Kubernetes version compatibility
• 6c7f8201a fix: set default MTU on Azure to 1400
• 091cd6989 docs: small yaml typo fix
• 66ecbd48f docs: update support matrix with omni version
• c948d7617 docs: minor fixes for creating kernel modules
• cc14c4a25 docs: add docs for creating kernel modules
• 93bcd3b56 docs: create SBOM for Go dependencies
• 38c4ce415 feat: add user-space InfiniBand modules
• 251dc934f feat: arm64 support for platform vmware
• 09b3ad577 feat: update containerd to 2.1.2
• 0767dd07b chore: enable --with-siderolink-agent on Darwin
• 9642198d7 fix: userspace wireguard library overrides
• 208f0763e chore: fix talosctl build on non-Linux hosts
• 87421af87 docs: expand documentation description
• d32ccfa59 feat: implement swap support
• 8f5cf81db docs: update kvm documentation
• 8e84c8b0f fix: nil pointer deref in quirk
• 6e74a3676 docs: aad ery basic details on how to run on scaleway
• 260d1bc9a fix: correctl close encrypted volumes
• 034ef42af fix: update siderolink library for wgtunnel panic fix
• 3035744a8 fix: correctly predict interface name on darwin
• cfcfad3c4 chore: move checkUnknownKeys function to github.com/siderolabs/gen
• 5ecc53c69 docs: add macos section to developing-talos.md
• b5b35307f chore: update Go to 1.24.4
• fde772d8d feat: update Flannel to 0.27.0
• 81ca27949 release(v1.11.0-alpha.1): prepare release
• 58a868e68 chore: fix renovate config, add release-gate label
• a59aaee84 feat: bump dependencies, Linux 6.12.31
• e954ee30a docs: typo correction: LongHorn -> Longhorn
• aab053394 fix: mashal resource byte slices as strings in YAML
• c7d4191e7 fix: rework the way CRI config generation is waited for
• 0114183de docs: update lastRelease to 1.10.3
• 938b0760a docs: update issue template
• 2a7b735b2 feat: drop IMA support
• 2d5a805b0 fix: typo in DiscoverdVolume spec
• 60c12bad9 feat: support nocloud include url userdata directive
• 0fd622c82 fix(talosctl): correct --help output for dashboard command
• a90c936a1 feat: support qemu provisioner on darwin
• 5322ca0d3 docs: update overlay docs
• a60b6322d fix(ci): drop nebula from extensions test
• dbbb59a67 docs: add note for default dataDirHostPath for Rook
• e26054378 docs: macos qemu provider
• 5d0224093 docs: use the cilium-cli image repo in the job installation manifest
• ff80e4cca docs: fix CIDR name
• a5fd15e8b fix(ci): reproducibility test
• 8f8963e50 docs: update Nexxen brand
• c6b86872d fix(ci): iso reproducibility file permissions
• 995a1dec4 chore: add a check for unsupported darwin flags
• 9db5d0c97 fix: nocloud metadata for hostname
• 3cf325654 feat: modularize more arm64 kernel
• 3524745cc fix: allow any PKI in Talos API
• f438cdb09 chore: use custom dhcpd server on macos qemu
• 11c17fb9a fix: metal-iso reproducibility
• 7fcb89ee3 chore: add darwin vmnet qemu support
• fc1237343 chore: clean up /usr/bin
• b551f32ce feat: update containerd to v2.1.1
• 67f4154f9 docs: update disk-management.md
• 0cb137ad7 fix: make disk size check work on old Talos
• 7c057edd5 fix: use vmdk-convert istead of qemu-img to create VMDK for OVA files
• cd618dad0 chore: update the go-blockdevice package
• 0b99631a0 fix: bump apid memory limit
• 5451f35b1 docs: update virtualbox
• bd4d202a5 refactor: bring owned.State from COSI to simplify tests
• 0b96df574 feat: update containerd to 2.1.0
• e1a939144 docs: fix formatting in disk encryption
• 7a817df1c docs: fix typo
• f35b213b2 test: fix DHCP unicast failures in QEMU environment
• 7064bbf05 docs: fix vmware factory URL
• 78c33bcdb feat: update default Kubernetes to v1.33.1
• da6795266 fix: disable automatic MAC assignment to bridge interfaces
• ca34adf58 chore(ci): drop azure keys
• ea5de19fa fix: selinux detection
• 52c76ea3a fix: consistently apply dynamic grpc proxy dialer
• aa9569e5d chore: refactor cluster create cmd flags
• 1161faa05 docs: fix typo in Cilium docs
• 164745e44 docs: remove preserve flag mention in upgrade notes
• 9a2ecbaaf fix: makefile operating system param
• 118aa69d6 chore: update cloud-image-uploader dependencies
• acdd721cf chore: dump qemu pachine ipam records on darwin
• bb9094534 chore: rotate aws iam credentials
• 0bfa4ae1b chore: update deps for cloud-image-uploader
• 956d7c71b chore: update sops keys
• e2f819d88 test: fix the process runner log collection
• fdac4cfb9 fix: upgrade go-kubernetes for DRA flag bug
• 09d88e1e8 test: fix some flaky tests
• ec1f41a94 chore: make qemu config server bind work on darwin
• 980f4d2b9 feat: bump dependencies
• 95259337e fix: k8s 1.32->1.33 upgrade check
• c3c326b40 fix: improve volume mounter automaton
• 918b94d9a refactor: rewrite disk size check
• ab7e693d7 chore: make qemu lb address bind work on darwin
• 97ceab001 fix: multiple logic issues in platform network config controller
• 46349a9df docs: remove azure image gallery instructions
• 0cfcdd3de docs: fix search on base talos.dev
• 78646b4e0 docs: add registryd debug command
• c6824c211 fix: deny apply config requests without v1alpha1 in "normal" mode
• 7df0408e4 fix: interactive installer config gen
• 881c5d62b fix: suppress duplicate platform config updates
• 66d77888e fix: replace downloaded asset paths correctly in cluster create cmd
• 6bd6c9b5a fix: generate iso greater than 4 gig
• ac140324e fix: skip PCR extension if TPM1.2 is found
• 09ef1f8a4 fix: ignore http proxy on grpc socket dial
• 22a72dc80 chore: split options between three structs
• 22c34a50f fix(ci): provision cron jobs
• b3b20eff3 fix: containerd crashing with sigsegv
• f7891c301 chore: calculate vmnet interface name preemptively
• ae87edffb fix: drop libseccomp from rootfs
• f74a805bb fix: do correct backoff for nocloud reconcile
• 01bb294af fix(ci): provision tests
• e4945be3b docs: add registryd debug command
• d8c670ad3 release(v1.11.0-alpha.0): prepare release
• ace44ea61 test: update hydrophone to 0.7.0
• 3a1163692 chore: cross platform qemu preflight checks
• 7914fb104 chore: move the create command to it's own package
• c8e619608 chore: prepare for release 1.11
• 1299aaa45 chore(ci): add extensions test for Youki runtime
• e50ceb221 docs: activate Talos 1.10 docs
• 9d12aaeb1 test: improve config patch test
• 106a656b6 chore: make qemu provider build on darwin
• 8013aa06c test: replace platform metadata test
• 2b89c2810 fix: relax etcd APIs RBAC requirements
• 1e677587c fix: preserve kubelet image suffix
• 62ab8af45 fix: disk image generation with image cache
• d60626f01 fix: handle encryption type mismatch
• a9109ebd0 feat: allow SideroLink unique token in machine config
• 2ff3a6e40 feat(kernel): add bcache kernel module to core talos
• fa95a2146 fix(ci): bios provision test
• f7c5b86be fix: sync PCR extension with volume provisioning lifecycle
• f90c79474 chore: show bound driver in pcidevices info
• 8db34624c fix: handle correctly changing platform network config
• 77c7a075b feat: update Kubernetes to 1.33.0
• 74f0c48c7 feat: add version compatibility for Talos 1.11
• c4fb7dad0 fix: force DNS runner shutdown on timeout
• c49b4836e docs: hetzner: add note about public iso
• 16ea2b113 docs: add what is new for 1.10
• be3f0c018 fix: fix Gvisor tests with containerd patch
• 37db132b3 chore(ci): add provision test with bios
• ec60b70e7 fix: set media type to OCI for image cache layer
• a471eb31b feat: update Linux 6.12.24, containerd 2.0.5
• 54ad5b872 fix: extension services logging to console
• 601f036ba docs: correct flannel extra args example
• ae94377d1 feat: support encryption config for user volumes
• 9616f6e8d docs: add caveat for kubespan and host ports
• a1d08a362 docs: fixes typo at OpenEBS Mayastor worker patches
• a91e8726e docs: add a dark theme
• c76189c58 fix: grub EFI mount point
• 4ca985c65 fix: grub efi platform install
• b31260281 docs: update storage.md
• 396a29040 feat: add new SBCs
• a902f6580 feat: update Flannel to v0.26.7
• 2bbefec1a docs: use cache in preview
• 6028a8d2d docs: update kubeprism.md
• e51a8ef8c fix: prefer new MountStatus resource
• d9c7e7946 docs: fix search
• b32fa029b feat: update Kubernetes to 1.33.0-rc.1
• f0ea478cb feat: support address priority
• 8cd3c8dc7 test: fix NVIDIA OSS tests
• 62f2d27cd docs: update virtualbox.md
• 141326ea3 docs: fix tabpane styling
• 134aa53cc feat: update base CoreDNS code in host DNS to 1.12.1

Changes since v1.11.0-alpha.2

1 commit

• 777335f23 chore: improve cloud image uploader resilience

Changes from siderolabs/crypto

2 commits

• 17107ae fix: add generic CSR generator and OpenSSL interop
• 53659fc refactor: split into files

Changes from siderolabs/gen

4 commits

• dcb2b74 feat: add panicsafe package
• b36ee43 feat: make xyaml.CheckUnknownKeys public
• 3e319e7 feat: implement xyaml.UnmarshalStrict
• 7c0324f chore: future-proof HashTrieMap

Changes from siderolabs/go-circular

1 commit

• 5b39ef8 fix: do not log error if chunk zero was never written

Changes from siderolabs/go-kubernetes

3 commits

• 657a74b feat: prepare for Kubernetes 1.34
• 9070be4 fix: remove DynamicResourceAllocation feature gate
• 8cb588b fix: k8s 1.32->1.33 upgrade check

Changes from siderolabs/pkgs

41 commits

• 03bb94c feat: update dependencies
• c613abd fix: iptables url
• fae59df fix: download and copy hailo8 firmware
• fadf1e2 feat: update containerd to 2.1.2
• a0b0da1 feat: enable io.latency cgroup controller
• 0aaa07a feat: add hailort package
• 8555e94 chore: use ftpmirror for GNU sources
• 9fbe2b4 feat: update Go to 1.24.4
• 79bfa9e feat: update NVIDIA drivers to 570.148.08
• c8b8bd8 feat: bump dependencies
• 54bf03e feat: update Linux to 6.12.31
• 93b3aaa feat: add patch for CephFS IMA performance regression
• ebd6627 feat: disable IMA support
• 8aad53b feat: add CONFIG_NFT_CONNLIMIT to kernel
• 7a299fa feat: update Linux to 6.12.30
• 8c4603e feat: move more configs to modules on arm64
• 7b1183b feat(kernel): enable IB user-space management and RDMA
• 1b1430e fix: drop pcre2 binaries
• 487610c fix: drop broken symlinks
• f31d518 fix: clean up some binaries
• 0f74b9b feat: update containerd to v2.1.1
• 89b4037 fix: tenstorrent pkg name
• a14b544 chore: drop qemu-tools vmdk support
• 2563e47 feat: add tenstorrent package
• 2a1c42f fix(renovate): flannel config
• bfa69a8 feat: add open-vmdk package
• 9f1ba1f fix: bring back updated containerd gvisor patch
• 1567cb6 feat: update Linux 6.12.28, firmware
• 9bc66e6 feat: update containerd to 2.1.0
• c6b54e0 feat: enable zswap
• 4cd7084 feat: update dependencies
• a3fcbf8 feat(kernel): enable panthor driver
• 74d1665 feat: update ZFS to 2.3.2
• ddc866b feat: update Linux to 6.12.27
• a347857 fix: build containerd with Go 1.23
• 74da85c fix: containerd build doesn't need seccomp
• 4effa05 fix: downgrade libseccomp to 2.5.5
• 9cea00b feat: update Linux to 6.12.25
• cb108a5 feat(kernel): enable bcache module
• d042432 fix: backport sandbox fix for Gvisor
• fa625dc feat: update Linux 6.12.24, containerd 2.0.5

Changes from siderolabs/siderolink

3 commits

• 5f46f65 feat: handle panics in goroutines
• d09ff45 fix: race in wait value
• d2a79e0 fix: clean up device on failure

Changes from siderolabs/tools

4 commits

• 1dfd14b feat: update Go to 1.24.4
• af3fd64 feat: update dependencies
• e35234b feat: update dependencies
• c96a4e6 chore: update toolchain to the latest version

Dependency Changes

• cloud.google.com/go/compute/metadata v0.6.0 -> v0.7.0
• github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 -> v1.10.1
• github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v1.3.1 -> v1.4.0
• github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 -> v1.4.0
• github.com/aws/aws-sdk-go-v2/config v1.29.14 -> v1.29.17
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 -> v1.16.32
• github.com/aws/aws-sdk-go-v2/service/kms v1.38.3 -> v1.41.2
• github.com/aws/smithy-go v1.22.3 -> v1.22.4
• github.com/containerd/containerd/api v1.8.0 -> v1.9.0
• github.com/containerd/containerd/v2 v2.0.5 -> v2.1.3
• github.com/containernetworking/plugins v1.6.2 -> v1.7.1
• github.com/cosi-project/runtime v0.10.2 -> v0.10.6
• github.com/detailyang/go-fallocate 432fa64 new
• github.com/docker/cli v28.0.4 -> v28.3.0
• github.com/docker/docker v28.0.4 -> v28.3.0
• github.com/equinix-ms/go-vmw-guestrpc v0.1.1 new
• github.com/foxboron/go-uefi 69fb7db -> a3183a1
• github.com/google/cadvisor v0.52.1 -> v0.53.0
• github.com/google/cel-go v0.24.1 -> v0.25.0
• github.com/google/go-containerregistry v0.20.3 -> v0.20.6
• github.com/google/go-tpm v0.9.3 -> v0.9.5
• github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.1 -> v2.3.2
• github.com/hetznercloud/hcloud-go/v2 v2.21.0 -> v2.21.1
• github.com/jsimonetti/rtnetlink/v2 v2.0.3 -> v2.0.5
• github.com/klauspost/cpuid/v2 v2.2.10 -> v2.2.11
• github.com/linode/go-metadata v0.2.1 -> v0.2.2
• github.com/miekg/dns v1.1.65 -> v1.1.66
• github.com/pkg/xattr v0.4.10 -> v0.4.11
• github.com/prometheus/procfs v0.16.0 -> v0.16.1
• github.com/rivo/tview 949945f -> a4a78f1
• github.com/safchain/ethtool v0.5.10 -> v0.6.1
• github.com/siderolabs/crypto v0.5.1 -> v0.6.0
• github.com/siderolabs/gen v0.8.0 -> v0.8.4
• github.com/siderolabs/go-blockdevice/v2 v2.0.16 -> v2.0.18
• github.com/siderolabs/go-circular v0.2.2 -> v0.2.3
• github.com/siderolabs/go-kubernetes v0.2.21 -> v0.2.24
• github.com/siderolabs/pkgs v1.10.0-5-g48dba3e -> v1.11.0-alpha.0-40-g03bb94c
• github.com/siderolabs/siderolink v0.3.13 -> v0.3.15
• github.com/siderolabs/talos/pkg/machinery v1.10.0 -> v1.11.0-alpha.2
• github.com/siderolabs/tools v1.10.0 -> v1.11.0-alpha.0-3-g1dfd14b
• go.etcd.io/etcd/api/v3 v3.5.21 -> v3.6.1
• go.etcd.io/etcd/client/pkg/v3 v3.5.21 -> v3.6.1
• go.etcd.io/etcd/client/v3 v3.5.21 -> v3.6.1
• go.etcd.io/etcd/etcdutl/v3 v3.5.21 -> v3.6.1
• golang.org/x/net v0.39.0 -> v0.41.0
• golang.org/x/oauth2 v0.29.0 -> v0.30.0
• golang.org/x/sync v0.13.0 -> v0.15.0
• golang.org/x/sys v0.32.0 -> v0.33.0
• golang.org/x/term v0.31.0 -> v0.32.0
• golang.org/x/text v0.24.0 -> v0.26.0
• golang.org/x/time v0.11.0 -> v0.12.0
• google.golang.org/grpc v1.71.1 -> v1.73.0
• k8s.io/api v0.33.0 -> v0.34.0-alpha.2
• k8s.io/apimachinery v0.33.0 -> v0.34.0-alpha.2
• k8s.io/apiserver v0.33.0 -> v0.34.0-alpha.2
• k8s.io/client-go v0.33.0 -> v0.34.0-alpha.2
• k8s.io/component-base v0.33.0 -> v0.34.0-alpha.2
• k8s.io/cri-api v0.33.0 -> v0.34.0-alpha.2
• k8s.io/kube-scheduler v0.33.0 -> v0.34.0-alpha.2
• k8s.io/kubectl v0.33.0 -> v0.34.0-alpha.2
• k8s.io/kubelet v0.33.0 -> v0.34.0-alpha.2
• k8s.io/pod-security-admission v0.33.0 -> v0.34.0-alpha.2
• sigs.k8s.io/hydrophone b92baf7 -> v0.7.0
• sigs.k8s.io/yaml v1.4.0 -> v1.5.0

Previous release can be found at v1.10.0

v1.12.0

Compare Source

Welcome to the v1.13.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

Component Updates

Linux: 6.18.2
containerd: 2.2.1
etcd: 3.6.7
CoreDNS: 1.13.2
Kubernetes: 1.35.0
Flannel CNI plugin: v1.9.0-flannel1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259
cryptsetup: 2.8.3

Talos is built with Go 1.25.5.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Laura Brehm
• Bryan Lee
• Edward Sammut Alessi
• Birger Johan Nordølum
• Christopher Puschmann
• Jaakko Sirén
• Jean-Francois Roy
• Joakim Nohlgård
• Justin Garrison
• Lennard Klein
• Michal Baumgartner
• Orzelius
• Serge van Ginderachter
• Skye Soss
• dataprolet
• eseiker
• pranav767

Changes

95 commits

• f0d8a6851 test: skip the source bundle on exact tag
• c57701d65 fix: remove interactive installer
• 43937c1cd feat: update Linux and systemd
• 72a194df8 feat: add VM CPU hot-add rules
• f09ae1e0d fix: probe small images correctly
• 8f2b33799 feat: imager support rootless builds
• c7525a97e feat: support creating filesystems from folder
• e2bffb5ce chore: refactor imager code so it's more clear
• 0fb50dbd0 fix: invalid versions check in talos-bundle
• b5dd56032 test: upgrade versions in upgrade tests
• 3dfa4d6e4 fix: make upgrade work with SELinux enforcing=1
• 786c8e2ee feat: ship pigz/igzip in rootfs to speed up image decompression
• 48d242918 feat: update containerd to 2.2.1
• 536541afe fix: mount volume mount/unmount race
• 39117d457 feat: update dependencies
• f0f420725 fix: bond setting change detection
• 8d6a7a867 feat: update Kubernetes to 1.35.0
• 845a0d09c feat: update etcd 3.6.7, CoreDNS 1.13.2
• b95912e04 feat: enforce proc_mem.force_override=never by default
• 681f3e84c test: run virtiofs tests only when virtiofsd is running
• [0592ff0cd](https://red

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.