Update dependency siderolabs/talos to v1.12.0

[renovate]

This PR contains the following updates:

Package	Update	Change
siderolabs/talos	minor	v1.11.6 → v1.12.0

---

Release Notes

siderolabs/talos (siderolabs/talos)

v1.12.0

Compare Source

Welcome to the v1.13.0-alpha.0 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

External Volumes

Talos now supports virtiofs-based external volumes via the new
ExternalVolumeConfig
document.

These virtiofs external volumes are not supported when SELinux is running
in enforcing mode.

Talos Imager Enhancements

Talos imager now supports running rootless. --privileged and -v /dev:/dev are no longer required.

Container Image Decompression

Talos now ships with igzip (amd64) and pigz (arm64) to speed up container image decompression.

/proc/PID/mem Access Hardening

A new kernel parameter proc_mem.force_override=never has been introduced by default to enhance system security
by preventing unwanted writes to protected process memory via /proc/PID/mem.
If the kernel parameter is removed, default behavior is restored, allowing access only if the process is traced.

Reproducible Disk Images

Talos disk images are now reproducible. Building the same version of Talos multiple times will yield
identical disk images.

Note: VHD and VMDK (Azure and VMware) images are not currently reproducible due to limitations in the underlying image creation tools.
Users verifying reproducible images should use raw images, verify checksums, and convert them to VHD/VMDK as needed.

Component Updates

Linux: 6.18.2
containerd: 2.2.1
etcd: 3.6.7
CoreDNS: 1.13.2
Kubernetes: 1.35.0
Flannel CNI plugin: v1.9.0-flannel1
LVM2: 2_03_38
runc: 1.4.0
systemd: 259
cryptsetup: 2.8.3

Talos is built with Go 1.25.5.

VM Hot-Add Support

Talos now includes udev rules to support hot-adding of CPUs in virtualized environments.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Laura Brehm
• Bryan Lee
• Edward Sammut Alessi
• Birger Johan Nordølum
• Christopher Puschmann
• Jaakko Sirén
• Jean-Francois Roy
• Joakim Nohlgård
• Justin Garrison
• Lennard Klein
• Michal Baumgartner
• Orzelius
• Serge van Ginderachter
• Skye Soss
• dataprolet
• eseiker
• pranav767

Changes

95 commits

• f0d8a6851 test: skip the source bundle on exact tag
• c57701d65 fix: remove interactive installer
• 43937c1cd feat: update Linux and systemd
• 72a194df8 feat: add VM CPU hot-add rules
• f09ae1e0d fix: probe small images correctly
• 8f2b33799 feat: imager support rootless builds
• c7525a97e feat: support creating filesystems from folder
• e2bffb5ce chore: refactor imager code so it's more clear
• 0fb50dbd0 fix: invalid versions check in talos-bundle
• b5dd56032 test: upgrade versions in upgrade tests
• 3dfa4d6e4 fix: make upgrade work with SELinux enforcing=1
• 786c8e2ee feat: ship pigz/igzip in rootfs to speed up image decompression
• 48d242918 feat: update containerd to 2.2.1
• 536541afe fix: mount volume mount/unmount race
• 39117d457 feat: update dependencies
• f0f420725 fix: bond setting change detection
• 8d6a7a867 feat: update Kubernetes to 1.35.0
• 845a0d09c feat: update etcd 3.6.7, CoreDNS 1.13.2
• b95912e04 feat: enforce proc_mem.force_override=never by default
• 681f3e84c test: run virtiofs tests only when virtiofsd is running
• 0592ff0cd fix: drop the Omni API URL check on IP address
• a4879a5fa feat: update Linux to 6.18.1
• 43b43ff18 docs: split talosctl commands into groups
• 6d17c18bf feat: enable Powercap and Intel RAPL
• 884e76662 docs: fix the talosctl cluster create help output
• 6dc31be4f fix: exclude new Virtual IPs configured with new config
• 94905c73e feat(talosctl): support running qemu x86 on Mac
• f871ab241 fix: provide json support in nft binary
• 694f45413 feat: external volumes
• 39feb16d2 fix: update containerd 2.2.0 with cgroups patch
• 82027eb9b fix: bond configuration with new settings
• 121b13b8f fix: disable kexec on arm64
• 7eaa725d0 fix: selection of boot entry
• 949bdb90a feat: add Secure Boot to CloudStack platform config
• 798143a88 fix: discard better klog message from Kubernetes client
• 008cd0986 fix: disable kexec in talosctl cluster create on arm64
• bb62b29ed chore: prepare talos for 1.13
• c0935030a chore: fork reference docs for 1.13.x
• e387e48b3 fix: do not override DNS on MacOS
• 1e7e87fb1 fix: rework NFT rules for KubeSpan
• 51bcfb567 feat: rename image default and source bundle
• 585abe944 feat: update Kubernetes to v1.35.0-rc.1
• f301e3e9b fix: update KubeSpan MSS clamping
• 74c1df6f4 test: propagate MTU size to QEMU in talosctl cluster create
• d347ca1af fix: update CNI plugins to 1.9.0
• e3f8196b4 chore: update Grype and Syft
• e1b8ab323 docs: add misssing period
• cd04c3dde docs: update release notes
• fc8ae3249 docs: add omni join token example to create qemu command
• 9fa00773c chore: update go-blockdevice
• ba13b6786 fix: correct condition to use UKI cmdline in GRUB
• d2ce3f47f docs: drop machine.network example
• cf087c1e0 test: bird2 extension
• 13df94388 fix: adapt SELinuxSuite.TestNoPtrace to new strace version
• 861787c38 fix: mark secureboot as supported for metal
• 04e3e87ad fix: clean up kubelet mounts
• 21057903a fix: clear provisioning data on SideroLink config change
• 0f9f4c05f feat: update Kubernetes to 1.35.0-rc.0
• d4309d7b1 fix: add a timeout for DNS resolving for NTP
• dd6c1089c feat: update Linux to 6.18.0
• e9a30bf9a test: revert add direct connectivity CA rotation test
• cc95562bc fix: don't disable LACP by default
• c9fe4679b test: add platform acquire/not valid config unit-test
• 5a03a7a20 chore: fix longhorn test
• a0cfc3527 feat: implement logs persistence
• 51b732bea fix: selection of boot entry
• 18f8ac369 feat: update Kubernetes to 1.35.0-beta.0
• 92fa7c5e4 chore: update pkgs for NVIDIA 580.105.08
• f489299b6 chore: correct condition for running k8s integration tests
• ab149750d chore: update tools/pkgs to 1.13.0-alpha.0
• 87ff9f860 test: fix the image-factory test to pass IF endpoint
• 2ffe538e7 test: add direct connectivity CA rotation test
• 70f6b80e0 chore(ci): skip multipath extension tests
• 561cfb60c chore: update pkgs and tools version
• 2f42202a7 fix: simplify OOM expression
• 7b06ae8c2 test: fix flaky LinkSpec/Wireguard test
• e715f3871 feat: present kernel log as talosctl logs kernel
• e2ee39b8a fix: support specifying patch file without '@​' symbol
• e202b1f9e fix: trim trailing dots from certificate SANs
• 7f7079f9c fix: assign value of multicast setting properly
• eba96141e feat: update etcd to 3.6.6
• 9945ceef3 docs: add API Server Cipher Suites changelog
• 9ed488d09 feat: update TLS cipher suites for API server
• f1c04e4d6 feat: generate mirrors patch
• a89108995 fix: add CA subject to generated certificate
• 35dd612a5 fix: add more resilient move
• 83675838f feat: extend flags of cache-cert-gen
• 80ab7a064 chore: remove spammy 'clean up unused volumes' logs
• 74d35900a chore: disable k8s integration tests for 1GiB worker nodes
• 4f6218674 feat: support TALOS_HOME env var
• 0c59b3ea3 feat: add multicast to linkconfig
• 6db06f4d5 feat: implement multicast setting
• eeded98f5 fix: add riscv64 talosctl to release artifacts
• a6bbae91b fix: fix typos across the project
• 83f2bdb9c feat: support relative voume size

Changes from siderolabs/pkgs

33 commits

• 972f44d feat: update dependencies
• f8eb5b0 feat: update Linux to 6.18.2
• 3fb6291 feat: update systemd to 259
• 59241bd fix: add SBOMs for pigz/igzip
• 9377c78 feat: optimize decompression for containerd
• e8e61ce feat: update containerd to 2.2.1
• daa74ba feat: support xfs filesystem reproducibility
• 1f66513 feat: update OpenZFS to 2.4.0
• b209af5 chore: rekres with latest changes
• 2b806b9 feat: bump dependencies
• 65242fd feat: enable CONFIG_MISC_RP1 in ARM64 config
• 4daecd8 feat: update Linux to 6.18.1
• 9868a66 feat: enable Powercap and Intel RAPL
• 07883ee feat: build and package perf binary
• 47abca0 fix: add json support to nftables binary
• b961ff8 feat: patch containerd 2.2.0 with cgroups fix patch
• b7dd7f6 feat: add mstflint module
• ae53351 feat: update ZFS to 2.4.0-rc5
• b8edf01 feat: update CNI plugins to v1.9.0
• a57c1b0 feat: enable amd sev-snp
• 68562c1 feat: update Linux to 6.18
• 6f4ff8c feat: enable Amlogic Meson PCIe controller driver
• c41127b feat: enable Intel GPIO/Pinctrl kernel modules
• 4a31ff7 feat: update NVIDIA LTS to 580.105.08
• 3e858d3 chore: fork pkgs for Talos 1.13
• dcc5aa1 feat: update runc to 1.3.4
• 8b6ae5b fix: regenerate configs
• 2992598 fix: add missing kernel config entries
• c8ea18a feat: rekres to alow multiple commits
• 2ddef8b chore: update dependencies
• d1f28e0 chore: update dependencies
• ab253f5 feat: enable gpio-fan module
• 0b10666 chore: use ubuntu mirrors

Changes from siderolabs/proto-codec

1 commit

• bd9c491 chore: bump and update dependencies

Changes from siderolabs/tools

7 commits

• 896f8b9 fix: add sbom for zlib-ng
• 543a16f feat: replace zlib -> zlib-ng, add nasm
• b67c1a1 chore: rekres with latest changes
• 5e087cb feat: bump dependencies
• da96a27 chore: rekres to fix reproducibility
• e283ec8 feat: update Go to 1.25.5
• c38ff0c chore: update to 1.13.0-alpha.0 toolchain

Dependency Changes

• github.com/aws/aws-sdk-go-v2/config v1.31.20 -> v1.32.6
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 -> v1.18.16
• github.com/aws/aws-sdk-go-v2/service/kms v1.46.0 -> v1.49.4
• github.com/aws/smithy-go v1.23.2 -> v1.24.0
• github.com/containerd/cgroups/v3 v3.0.5 -> v3.1.0
• github.com/containerd/containerd/api v1.9.0 -> v1.10.0
• github.com/containerd/containerd/v2 v2.1.5 -> v2.2.0
• github.com/containerd/platforms v1.0.0-rc.1 -> v1.0.0-rc.2
• github.com/cosi-project/runtime v1.12.0 -> v1.13.0
• github.com/diskfs/go-diskfs fc569a0 new
• github.com/docker/cli v29.0.0 -> v29.1.3
• github.com/gdamore/tcell/v2 v2.9.0 -> v2.13.4
• github.com/godbus/dbus/v5 v5.1.0 -> v5.2.0
• github.com/google/cadvisor v0.53.0 -> v0.54.1
• github.com/google/go-containerregistry v0.20.6 -> v0.20.7
• github.com/hetznercloud/hcloud-go/v2 v2.30.0 -> v2.32.0
• github.com/klauspost/compress v1.18.1 -> v1.18.2
• github.com/linode/go-metadata v0.2.2 -> v0.2.3
• github.com/mdlayher/ethtool v0.4.0 -> v0.5.0
• github.com/miekg/dns v1.1.68 -> v1.1.69
• github.com/moby/moby/client v0.1.0 -> v0.2.1
• github.com/siderolabs/go-blockdevice/v2 v2.0.20 -> v2.0.22
• github.com/siderolabs/pkgs v1.12.0-23-ge0b78b8 -> v1.13.0-alpha.0-24-g972f44d
• github.com/siderolabs/proto-codec v0.1.2 -> v0.1.3
• github.com/siderolabs/talos/pkg/machinery v1.12.0 -> v1.12.0-alpha.2
• github.com/siderolabs/tools v1.12.0-2-g7d57df0 -> v1.13.0-alpha.0-6-g896f8b9
• github.com/sirupsen/logrus v1.9.3 -> dd1b4c2
• go.etcd.io/etcd/api/v3 v3.6.6 -> v3.6.7
• go.etcd.io/etcd/client/pkg/v3 v3.6.6 -> v3.6.7
• go.etcd.io/etcd/client/v3 v3.6.6 -> v3.6.7
• go.etcd.io/etcd/etcdutl/v3 v3.6.6 -> v3.6.7
• go.uber.org/zap v1.27.0 -> v1.27.1
• golang.org/x/net v0.47.0 -> v0.48.0
• golang.org/x/oauth2 v0.33.0 -> v0.34.0
• golang.org/x/sync v0.18.0 -> v0.19.0
• golang.org/x/sys v0.38.0 -> v0.39.0
• golang.org/x/term v0.37.0 -> v0.38.0
• golang.org/x/text v0.31.0 -> v0.32.0
• google.golang.org/grpc v1.76.0 -> v1.77.0
• google.golang.org/protobuf v1.36.10 -> v1.36.11

Previous release can be found at v1.12.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.