v0.14.0-beta.1

[smira]

Talos 0.14.0-beta.1 (2021-12-13)

Welcome to the v0.14.0-beta.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/talos-systems/talos/issues.

Kexec and capabilities

When kexec support is disabled
Talos no longer drops Linux capabilities (CAP_SYS_BOOT and CAP_SYS_MODULES) for child processes.
That is helpful for advanced use-cases like Docker-in-Docker.

If you want to permanently disable kexec and capabilities dropping, pass kexec_load_disabled=1 argument to the kernel.

For example:

install:
  extraKernelArgs:
    - sysctl.kernel.kexec_load_disabled=1

Please note that capabilities are dropped before machine configuration is loaded,
so disabling kexec via machine.sysctls will not be enough.

Cluster Discovery

Cluster Discovery is enabled by default for Talos 0.14.
Cluster Discovery can be disabled with talosctl gen config --with-cluster-discovery=false.

installer and imager images

Talos supports two target architectures: amd64 and arm64, so all Talos images are built for both amd64 and arm64.

New image imager was added which contains Talos assets for both architectures which allows to generate Talos disk images
cross-arch: e.g. generate Talos Raspberry PI disk image on amd64 machine.

As installer image is used only to do initial install and upgrades, it now contains Talos assets for a specific architecture.
This reduces size of the installer image leading to faster upgrades and less memory usage.

There are no user-visible changes except that now imager container image should be used to produce Talos disk images.

Kubelet

Kubelet configuration can be updated without node restart (.machine.kubelet section of machine configuration) with commands
talosctl edit mc --immediate, talosctl apply-config --immediate, talosctl patch mc --immediate.

Kubelet service can now be restarted with talosctl service kubelet restart.

Kubelet node IP configuration (.machine.kubelet.nodeIP.validSubnets) can now include negative subnet matches (prefixed with !).

Log Shipping

Talos can now ship system logs
to the configured destination using either JSON-over-UDP or JSON-over-TCP:
see .machine.logging machine configuration option.

NTP Sync

Talos NTP sync process was improved to align better with kernel time adjustment periods and to filter out spikes.

SideroLink

A set of Talos ehancements is going to unlock a number of exciting features in the upcoming release of Sidero:

• SideroLink: a point-to-point Wireguard tunnel connecting Talos node back to the provisioning platform (Sidero).
• event sink (kernel arg talos.event.sink=http://10.0.0.1:4000) delivers Talos internal events to the specified destination.
• kmsg log delivery (kernel arg talos.logging.kernel=tcp://10.0.0.1:4001) sends kernel logs as JSON lines over TCP or UDP.

talosctl support

talosctl CLI tool now has a new subcommand called support, that can gather all
cluster information that could help with future debugging in a single run.

Output of the command is a zip archive with all talos service logs, kubernetes pod logs and manifests,
talos resources manifests and so on.
Generated archive does not contain any secret information so it is safe to send it for analysis to a third party.

Component Updates

• Linux: 5.15.6
• etcd: 3.5.1
• containerd: 1.5.8
• runc: 1.0.3
• Kubernetes: 1.23.0
• CoreDNS: 1.8.6
• Flannel (default CNI): 0.15.1

Talos is built with Go 1.17.5

Kubernetes Upgrade Enhancements

talosctl upgrade-k8s was improved to:

• sync all boostrap manifest resources in the Kubernetes cluster with versions bundled with current version Talos
• upgrade kubelet to the version of the control plane components (without node reboot)

So there is no need to update CoreDNS, Flannel container manually after running upgrade-k8s anymore.

VLAN Enhancements

Talos now supports setting MTU and Virtual IPs on VLAN interfaces.

Contributors

• Andrey Smirnov
• Alexey Palazhchenko
• Artem Chernyshev
• Noel Georgi
• Serge Logvinov
• Nico Berlee
• Spencer Smith
• Alex Zero
• Andrew Rynhard
• Branden Cash
• David Haines
• Gerard de Leeuw
• Michael Fornaro
• Rohit Dandamudi
• Rui Lopes
• Seán C McCord

Changes

173 commits

• bc8983b93 release(v0.14.0-beta.1): prepare release
• 02796f889 fix: allow kubelet to be started via the API
• e69eacae1 fix: use default time servers in time API if none are configured
• c60e153a1 fix: cleanup affiliates
• 301f9e4e0 feat: update Kubernetes to 1.23.0
• fe2e953af feat: upgrade kubelet version in talosctl upgrade-k8s
• 4daff7895 chore: update Go to 1.17.5
• 35cb34bd5 release(v0.14.0-beta.0): prepare release
• 1d6f140d7 fix: make apply-config work reliably in any Talos state
• a5a6c720e chore: remove boot-{arch}.tar.gz artifact
• fc5ec5007 fix: relax validation for wireguard endpoints
• cdbd5cff4 docs: vlan VIP
• 149ffa977 fix: increase boot and etcd join timeouts
• dc9db2141 feat: autocomplete nodes, context and resource definitions
• b4b3e2133 chore: bump tools/pkgs/extra to final released versions
• d225cf91e fix: tmpfs default permissions
• 8f3e1a4ad fix: drop unpacked layers from containerd image store
• 1fc43619d docs: improve clarity for users
• 36c9a65ac feat: update deps and Kubernetes to 1.23.0-rc.1
• 64a4f6e77 test: bump Talos versions in upgrade tests
• d2ebda78c feat: update runc to 1.0.3
• adf05072a chore: drop unused package
• 961d1567d chore: update Go to 1.17.4
• d2fd7c217 feat: make kubelet service apply changes immediately
• 4f5d9da92 feat: allow overriding KSPP kernel parameters
• 6377f3df7 test: uplift capi versions and templates
• 2a0da0624 feat: split installer and imager images
• 1a13aaa23 feat: update Linux to 5.15.6
• 73293bc2a feat: can disable controlmanager and scheduler
• 7f9922296 feat: add powercycle mode in reboot
• bc69f6ec8 feat: vip for VLANs
• 99338e5ff feat: update Flannel to 0.15.1
• 8370dde1f docs: fix typos
• a5646db29 feat: support MTU for VLAN's
• 4aad0ebf9 docs: expand logging documentation
• 400225c88 docs: fix GCP docs
• f7c87d1d9 release(v0.14.0-alpha.2): prepare release
• e9f4b7b20 feat: update Linux to 5.15.5
• 4d0a75a3f docs: add documentation about logging
• 8d1cbeef9 chore: add API breaking changes detector
• ed7fb9db1 feat: move kubelet proccesses to /podruntime cgroup
• 2cd3f9be1 feat: filter out SideroLink addresses by default
• 0f169bf9b chore: add API deprecations mechanism
• eaf6d4720 refactor: use random port listener in kernel log delivery tests
• bf4c81e7d feat: kernel log (kmsg) delivery controller
• f3149780e feat: update Kubernetes to 1.23.0-rc.0
• b824909d6 fix: disable kexec on RPi4
• 3257751bc fix: initialize Drainer properly
• e4bc68bf0 fix: leave only a single IPv4/IPv6 address as kubelet's node IP
• e6d007418 feat: update pkgs - Linux 5.15.4, LibreSSL 3.2.7
• d5cbc3640 feat: add GCP ccm
• 7433150fd feat: implement events sink controller
• b4a406ae7 test: pin cluster API templates version to tag v1alpha4
• 9427e78dc fix: catch panics in network operator runs
• d1f55f901 fix: update blockdevice library to properly handle absent GPT
• 5ac64b2d9 chore: set version in unit-tests
• 20d39c0b4 chore: format .proto files
• 852bf4a7d feat: talosctl fish completion support
• 6bb75150a fix: allow add_key and request_key in kubelet seccomp profile
• 6487b21fe feat: update pkgs for u-boot, containerd, etc
• f7d1e7776 feat: provide SideroLink client implementation
• 58892cd69 fix: unblock events watch on context cancel
• caa76be2c fix: containerd failed to load plugin
• 1ffa8e048 feat: add ULA prefix for SideroLink
• c6a67b866 fix: ignore not existing nodes on cordoning
• f73025257 feat: add new event types
• 7c9b082f7 feat: update Kubernetes to 1.23.0-beta.0
• 750e31c4a fix: ignore EBUSY from kexec_file_load
• 2d11b5955 fix: ignore virtual IP as kubelet node IPs
• 030fd349b fix: don't run kexec prepare on shutdown and reset
• 6dcce20e6 test: set proper pod CIDR for Cilium tests
• 695300dac release(v0.14.0-alpha.1): prepare release
• 753a82188 refactor: move pkg/resources to machinery
• 0102a64a5 refactor: remove pkg/resources dependencies on wgtypes, netx
• 7462733bc chore: update golangci-lint
• 032c99a03 refactor: remove pkg/resources dependencies on k8s and base62
• 4a5cff45f perf: raspberry PIs clockspeed as fast as firmware allows
• a76f6d69d feat: allow kubelet to be restarted and provide negative nodeIP subnets
• 189221d58 chore: update dependencies
• 41f0aecc1 docs: update partition info
• 95105071d chore: fix simple issues found by golangci-lint
• d4b0ca21a test: retry upgrade mutex lock failures
• 4357e9a84 docs: add Talos partions info
• 8e8687d75 fix: use temporary sonobuoy version
• e4e8e8737 test: disable e2e-misc test with Canal CNI
• 897da2f6e docs: common typos
• a50483ddd feat: update Linux to 5.15.1
• a2233bfe4 fix: improve NTP sync process
• 7efc1238e fix: parse partition size correctly
• d6147eb17 chore: update sonobuoy
• efbae7857 fix: use etc folder for du cli tests
• 198eea51a fix: wait for follow reader to start before writing to the file
• e7f715eb0 chore: log KubeSpan IPs overlaps
• 82a1ad168 chore: bump dependencies
• e8fccbf53 fix: clear time adjustment error when setting time to specific value
• e6f90bb41 chore: remove unused parameters
• 785161d19 feat: update k8s to 1.23.0-alpha.4
• fe228d7c8 fix: do not use yaml.v2 in the support cmd
• 9b48ca217 fix: endpoints and nodes in generated talosconfig
• 6e16fd2fe chore: update tools, pkgs, and extras
• 261c497c7 feat: implement talosctl support command
• fc7dc4548 chore: check our API idiosyncrasies
• b15844298 feat: use GCP deployment manager
• 3e7d4df99 chore: bump dependencies
• 88f242295 refactor: get rid of prometheus/procfs dependency in pkg/resources
• dd196d300 refactor: prepare for move of pkg/resources to machinery
• f6110f803 fix: remove listening socket to fix Talos in a container restart
• 53bbb13ed docs: update docs with emmc boot guide
• 8329d2111 chore: split polymorphic RootSecret resource into specific types
• c97becdd9 chore: remove interfaces and routes APIs
• d798635d9 feat: automatically limit kubelet node IP family based on service CIDRs
• 205a8d6dc chore: make nethelpers build on all OSes
• 5b5dd49f6 feat: extract JSON fields from more log messages
• eb4f11822 docs: create cluster in hetzner cloud
• 728164e25 docs: fix kexec_load_disabled param name in release notes
• f6328f09a fix: fix filename typo
• 01b0f0abb release(v0.14.0-alpha.0): prepare release
• 8b6206537 fix: skip generating empty .machine.logging
• 60ad00636 fix: don't drop ability to use ambient capabilities
• b6b78e7fe test: add cluster discovery integration tests
• 97d64d160 fix: hcloud network config changes
• 4c76865d0 feat: multiple logging improvements
• 1d1e1df64 fix: handle skipped mounts correctly
• 0a964d921 test: fix openstack unit-test stability
• 72f62ac27 chore: bump Go and Docker dependencies
• 9c48ebe8f fix: gcp fetching externalIP
• 6c297268c test: fix e2e k8s version
• ae5af9d3f feat: update Kubernetes to 1.23.0-alpha.3
• 28d3a69e9 feat: openstack config-drive support
• 2258bc491 test: update GCP e2e script to work with new templates
• 36b6ace25 feat: update Linux to 5.10.75
• 38516a549 test: update Talos versions in upgrade tests
• cff20ec78 fix: change services OOM score
• 666a2b620 feat: azure platform ipv6 support
• d32814e30 feat: extract JSON fields from log lines
• e77d81fff fix: treat literal 'unknown' as a valid machine type
• c8e404e35 test: update vars for AWS cluster
• ad23891b1 feat: update CoreDNS version 1.8.6
• 41299cae9 feat: udev rules support
• 5237fdc95 feat: send JSON logs over UDP
• 6d44587a4 feat: coredns service dualstack
• 12f7888b7 feat: feed control plane endpoints on workers from cluster discovery
• 431e4fb4b chore: bump Go and Docker dependencies
• 89f3b9f8d feat: update etcd to 3.5.1
• e60469a38 feat: initial support for JSON logging
• 68c420e3c feat: enable cluster discovery by default
• 3e100aa97 test: workaround EventsWatch test flakiness
• 9bd4838ac chore: stop using sonobuoy CLI
• 6ad459519 docs: fix field names for bonding configuration
• d7a3b7b5b chore: use discovery-client and discovery-api modules
• d6309eed6 docs: create docs for Talos 0.14
• c0fda6436 fix: attempt to clean up tasks in containerd runner
• 8cf442daa chore: bump tools, pkgs, extras
• 0dad5f4d7 chore: small cleanup
• e3e2113ad feat: upgrade CoreDNS during upgrade-k8s call
• d92c98e19 docs: fix discovery service documentation link
• e44b11c59 feat: update containerd to 1.5.7, bump Go dependencies
• 24129307a docs: make Talos 0.13 docs latest, update documentation
• 31b6e39e5 fix: delete expired affiliates from the discovery service
• 877a2b6fc test: bump CAPI components to v1alpha4
• 2ba0e0ac4 docs: add KubeSpan documentation
• 997873b6d fix: use ECDSA-SHA512 when generating certs for Talos < 0.13
• 7137166d1 fix: allow overriding audit-policy-file in kube-apiserver static pod
• 8fcd42196 chore: fix integration-qemu-race
• 91a858b53 fix: sort output of the argument builder
• 657f7a56b fix: use ECDSA-SHA256 signature algorithm for Kubernetes certs
• 983d2459e feat: suppress logging NTP sync to the console
• 022c7335f fix: add interface route if DHCP4 router is not directly routeable
• 66a1579ea fix: don't enable 'no new privs' on the system level
• 423861cf9 feat: don't drop capabilities if kexec is disabled
• facc8c38a docs: fix documentation for cluster discovery
• ce65ca4e4 chore: build using only amd64 builders
• e9b0f010d chore: update docker image in the pipeline

Changes since v0.14.0-beta.0

7 commits

• bc8983b93 release(v0.14.0-beta.1): prepare release
• 02796f889 fix: allow kubelet to be started via the API
• e69eacae1 fix: use default time servers in time API if none are configured
• c60e153a1 fix: cleanup affiliates
• 301f9e4e0 feat: update Kubernetes to 1.23.0
• fe2e953af feat: upgrade kubelet version in talosctl upgrade-k8s
• 4daff7895 chore: update Go to 1.17.5

Changes from talos-systems/discovery-api

2 commits

• siderolabs/discovery-api@db279ef feat: initial set of APIs and generated files
• siderolabs/discovery-api@ac52a37 chore: initial commit

Changes from talos-systems/discovery-client

2 commits

• siderolabs/discovery-client@a9a5e9b feat: initial client code
• siderolabs/discovery-client@98eb999 chore: initial commit

Changes from talos-systems/extras

6 commits

• siderolabs/extras@d6b73a7 feat: update Go to 1.17.5
• siderolabs/extras@bc66403 chore: update pkgs and tools to 0.9.0
• siderolabs/extras@d5ffdd8 feat: update Go to 1.17.4
• siderolabs/extras@50fc401 feat: include flannel CNI plugin into install-cni package
• siderolabs/extras@2bb2efc chore: update pkgs and tools
• siderolabs/extras@d6e8b3a chore: update pkgs and tools

Changes from talos-systems/go-blockdevice

2 commits

• siderolabs/go-blockdevice@15b182d fix: return partition table not exist when trying to read an empty dev
• siderolabs/go-blockdevice@b9517d5 fix: resize partition

Changes from talos-systems/go-smbios

1 commit

• siderolabs/go-smbios@fd5ec8c fix: remove useless (?) goroutines leading to data race error

Changes from talos-systems/net

2 commits

• siderolabs/net@b4b7181 feat: add a way to filter list of IPs for the machine
• siderolabs/net@0abe5bd feat: implement FilterIPs function

Changes from talos-systems/pkgs

29 commits

• siderolabs/pkgs@7a3419a feat: update Go to 1.17.5
• siderolabs/pkgs@4534074 feat: update tools to 0.9.0
• siderolabs/pkgs@4112eed feat: update runc to 1.0.3
• siderolabs/pkgs@49f3c17 feat: enable additional support for RPi hardware
• siderolabs/pkgs@7c066d0 feat: update Go to 1.17.4
• siderolabs/pkgs@4b55a29 feat: update Linux to 5.15.6
• siderolabs/pkgs@80a5f97 feat: update CNI to 1.0.1, separate package for flannel
• siderolabs/pkgs@422276d feat: update Linux to 5.15.5
• siderolabs/pkgs@d385e24 chore: update LibreSSL to 3.2.7
• siderolabs/pkgs@39a3b76 feat: update Linux to 5.15.4
• siderolabs/pkgs@ca30b50 feat: update u-boot to 2021.10
• siderolabs/pkgs@cea93f1 chore: add conformance
• siderolabs/pkgs@79d16b8 feat: update containerd to 1.5.8
• siderolabs/pkgs@1c76107 feat: add mdraid 1/0/10
• siderolabs/pkgs@740da24 feat: bump raspberrypi-firmware to 1.20211029
• siderolabs/pkgs@832dae4 fix: enable CONFIG_DM_SNAPSHOT
• siderolabs/pkgs@f307e64 feat: update Linux to 5.15.1
• siderolabs/pkgs@4f0f238 chore: update tools
• siderolabs/pkgs@932c3cf feat: update libseccomp to 2.5.3
• siderolabs/pkgs@7f3311e feat: update cpu governor to schedutil
• siderolabs/pkgs@b4cdb99 fix: update containerd shas
• siderolabs/pkgs@80a63d4 feat: update Linux to 5.10.75
• siderolabs/pkgs@5c98efd feat: add QLogic QED 25/40/100Gb Ethernet NIC driver
• siderolabs/pkgs@bfb2365 feat: enable driver for SuperMicro raid controller
• siderolabs/pkgs@657e16b feat: enable Intel VMD driver
• siderolabs/pkgs@f7d9d72 feat: enable smarpqi driver and related options
• siderolabs/pkgs@bca3be0 feat: enable aqtion device driver
• siderolabs/pkgs@b88127a chore: update tools
• siderolabs/pkgs@971735f feat: update containerd to 1.5.7

Changes from talos-systems/siderolink

6 commits

• siderolabs/siderolink@d0612a7 refactor: pass in listener to the log receiver
• siderolabs/siderolink@d86cdd5 feat: implement logreceiver for kernel logs
• siderolabs/siderolink@f7cadbc fix: handle duplicate peer updates
• siderolabs/siderolink@0755b24 feat: initial implementation of SideroLink
• siderolabs/siderolink@ee73ea9 feat: add Talos events sink proto files and the reference implementation
• siderolabs/siderolink@1e2cd9d Initial commit

Changes from talos-systems/tools

10 commits

• siderolabs/tools@b1146f9 feat: update Go to 1.17.5
• siderolabs/tools@86ce921 chore: bump toolchain to the final 0.4.0 version
• siderolabs/tools@cc8426b feat: update Go to 1.17.4
• siderolabs/tools@aacbc5b feat: update toolchain with Linux headers 5.15
• siderolabs/tools@96e0231 feat: update squashfs-tools to 4.5
• siderolabs/tools@2c9c826 feat: update libseccomp to 2.5.3
• siderolabs/tools@f713a7c feat: update protobuf to 3.19.1, grpc-go to 1.42.0
• siderolabs/tools@972c5ef feat: update Go to 1.17.3
• siderolabs/tools@f63848c feat: update PCRE version and source host
• siderolabs/tools@fab7532 feat: update Go to 1.17.2

Dependency Changes

• github.com/AlekSi/pointer v1.1.0 -> v1.2.0
• github.com/cenkalti/backoff/v4 v4.1.2 new
• github.com/containerd/cgroups v1.0.1 -> v1.0.2
• github.com/containerd/containerd v1.5.5 -> v1.5.8
• github.com/docker/docker v20.10.8 -> v20.10.11
• github.com/evanphx/json-patch v4.11.0 -> v5.6.0
• github.com/gosuri/uiprogress v0.0.1 new
• github.com/hashicorp/go-getter v1.5.8 -> v1.5.9
• github.com/hetznercloud/hcloud-go v1.32.0 -> v1.33.1
• github.com/insomniacslk/dhcp b95caade3eac -> ad197bcd36fd
• github.com/jsimonetti/rtnetlink 435639c8e6a8 -> fd9a11f42291
• github.com/jxskiss/base62 4f11678b909b -> v1.0.0
• github.com/mdlayher/ethtool 2b88debcdd43 -> 288d040e9d60
• github.com/mdlayher/netlink v1.4.1 -> v1.4.2
• github.com/packethost/packngo v0.19.1 -> v0.20.0
• github.com/rivo/tview ee97a7ab3975 -> 2a6de950f73b
• github.com/talos-systems/discovery-api v0.1.0 new
• github.com/talos-systems/discovery-client v0.1.0 new
• github.com/talos-systems/extras v0.6.0 -> v0.7.0-1-gd6b73a7
• github.com/talos-systems/go-blockdevice v0.2.4 -> v0.2.5
• github.com/talos-systems/go-smbios v0.1.0 -> v0.1.1
• github.com/talos-systems/net v0.3.0 -> v0.3.1
• github.com/talos-systems/pkgs v0.8.0 -> v0.9.0-1-g7a3419a
• github.com/talos-systems/siderolink v0.1.0 new
• github.com/talos-systems/tools v0.8.0 -> v0.9.0-1-gb1146f9
• github.com/vmware-tanzu/sonobuoy v0.53.2 -> v0.55.1
• github.com/vmware/govmomi v0.26.1 -> v0.27.2
• github.com/vmware/vmw-guestinfo 687661b8bd8e -> cc1fd90d572c
• go.etcd.io/etcd/api/v3 v3.5.0 -> v3.5.1
• go.etcd.io/etcd/client/pkg/v3 v3.5.0 -> v3.5.1
• go.etcd.io/etcd/client/v3 v3.5.0 -> v3.5.1
• go.etcd.io/etcd/etcdutl/v3 v3.5.0 -> v3.5.1
• go.uber.org/atomic v1.9.0 new
• golang.org/x/net 3ad01bbaa167 -> 012df41ee64c
• golang.org/x/sys 39ccf1dd6fa6 -> 97ca703d548d
• golang.org/x/term 140adaaadfaf -> 03fcf44c2211
• golang.org/x/time 1f47c861a9ac -> f0f3c7e86c11
• golang.zx2c4.com/wireguard/wgctrl 0a2f4901cba6 -> dd7407c86d22
• google.golang.org/grpc v1.41.0 -> v1.42.0
• inet.af/netaddr 85fa6c94624e -> c74959edd3b6
• k8s.io/api v0.22.2 -> v0.23.0
• k8s.io/apimachinery v0.22.2 -> v0.23.0
• k8s.io/client-go v0.22.2 -> v0.23.0
• k8s.io/component-base v0.23.0 new
• k8s.io/cri-api v0.22.2 -> v0.23.0
• k8s.io/kubectl v0.22.2 -> v0.23.0
• k8s.io/kubelet v0.22.2 -> v0.23.0
• kernel.org/pub/linux/libs/security/libcap/cap v1.2.59 -> v1.2.61
• sigs.k8s.io/yaml v1.3.0 new

Previous release can be found at v0.13.0

Images

quay.io/coreos/flannel:v0.15.1
ghcr.io/talos-systems/install-cni:v0.7.0-1-gd6b73a7
docker.io/coredns/coredns:1.8.6
gcr.io/etcd-development/etcd:v3.5.1
k8s.gcr.io/kube-apiserver:v1.23.0
k8s.gcr.io/kube-controller-manager:v1.23.0
k8s.gcr.io/kube-scheduler:v1.23.0
k8s.gcr.io/kube-proxy:v1.23.0
ghcr.io/talos-systems/kubelet:v1.23.0
ghcr.io/talos-systems/installer:v0.14.0-beta.1
k8s.gcr.io/pause:3.2

---

This discussion was created from the release v0.14.0-beta.1.