# What's New in Talos 1.12.0

> Discover the latest features and updates in Talos Linux 1.12.

For critical changes, refer to the [upgrade notes](../configure-your-talos-cluster/lifecycle-management/upgrading-talos).

## Important changes

### Network configuration

Talos v1.12 introduces new [network configuration documents](../networking/configuration/overview).
These changes follow the new ["multi-doc" configuration](https://github.com/siderolabs/talos/issues/10925) concept, and allow more granular machine configuration.

Aside from being more granular and flexible, the new "multi-doc" configuration documents can be applied at any time, including in maintenance mode, and can also be embedded into the boot image
or supplied via the `talos.config.early` kernel command line argument.

The new documents replace the previous network configuration under [.machine.network](../../v1.11/reference/configuration/v1alpha1/config#network), including:

* `hostname`: replaced by [HostnameConfig](../reference/configuration/network/hostnameconfig)
* `interfaces`: replaced by:
  * [LinkConfig](../reference/configuration/network/linkconfig)
  * [LinkAliasConfig](../reference/configuration/network/linkaliasconfig)
  * [EthernetConfig](../reference/configuration/network/ethernetconfig)
  * [BondConfig](../reference/configuration/network/bondconfig)
  * [BridgeConfig](../reference/configuration/network/bridgeconfig)
  * [DHCPv4Config](../reference/configuration/network/dhcpv4config)
  * [DHCPv6Config](../reference/configuration/network/dhcpv6config)
  * [VLANConfig](../reference/configuration/network/vlanconfig)
  * [WireGuardConfig](../reference/configuration/network/wireguardconfig)
  * [DummyLinkConfig](../reference/configuration/network/dummylinkconfig)
  * [Layer2VIPConfig](../reference/configuration/network/layer2vipconfig)
* `nameservers`, `searchDomains`, `disableSearchDomain`: replaced by [ResolverConfig](../reference/configuration/network/resolverconfig)
* `extraHostEntries`: replaced by [StaticHostConfig](../reference/configuration/network/statichostconfig)

This change **does not** affect KubeSpan configuration, which still resides under [`.machine.network`](../reference/configuration/v1alpha1/config#network).

The previous configuration ([machine.network](../../v1.11/reference/configuration/v1alpha1/config.mdx#network)) (with the exception of KubeSpan configuration) is now deprecated, but supported for backwards compatibility.

### New user volume types

The [UserVolumeConfig](../reference/configuration/block/uservolumeconfig) document has been extended with a new `volumeType` field to specify the type of user volume.

#### `directory`

When `volumeType` is set to `directory`, provisioning and filesystem operations are skipped, and a directory is created under `/var/mnt/<name>`.
The `directory` type enables lightweight storage volumes backed by a host directory, eliminating the need for a full block device partition.

When `volumeType` is set to `directory`:

* A directory is created at `/var/mnt/<name>`
* `provisioning`, `filesystem`, and `encryption` are not allowed

> Note: This mode does not provide filesystem-level isolation and inherits the `EPHEMERAL` partition capacity limits.
> It should not be used for workloads requiring predictable storage quotas.

#### `disk`

When `volumeType` is set to `disk`, Talos provisions a user volume on the disk that matches the `diskSelector` criteria.

When `volumeType` is set to `disk`:

* Size-specific settings are not allowed in the provisioning block (`minSize`, `maxSize`, `grow`)

### Disk encryption

#### TPM encryption

Talos versions prior to v1.12 used PCR 7 state and signed policies locked to PCR 11 for TPM-based disk encryption.

Talos now supports configuring which PCR states are used for TPM-based disk encryption via the `options.pcrs` field in the `tpm` section of the disk encryption configuration.
If no options are specified, Talos defaults to using PCR 7 for backward compatibility with existing installations.
This change improves compatibility with systems that may have varying PCR 7 states due to UEFI Secure Boot configurations, and allows users to disable locking to PCR 7 state entirely if desired.

Signed PCR policies remain bound to PCR 11.
You can view the currently used PCRs with the `talosctl get volumestatus <volume> -o yaml` command.

#### Device mapper names

Talos Linux now consistently provides mapped names for encrypted volumes in the format `/dev/mapper/luks2-<volume-id>`.
This change should not affect system or user volumes but allows for easier identification of encrypted volumes, particularly raw encrypted volumes.

### Logging

The kernel log (`dmesg`) is now also available as the service log named `kernel` (accessible via `talosctl logs kernel`).

Talos now stores system component logs in `/var/log` with automatic log rotation, keeping the two most recent log files. This change enables collecting logs from Talos just like any other Linux system.

### GRUB kernel command line

Talos Linux introduces a new machine configuration option, `.machine.install.grubUseUKICmdline`, to control whether GRUB should use the kernel command line provided by the boot assets (UKI) or the command line constructed by Talos itself (legacy behavior).

This option defaults to `true` for new installations, meaning GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation.
For existing installations upgrading to v1.12, this option defaults to `false` to preserve the legacy behavior.

This change unifies the kernel command line across UEFI (`systemd-boot`) and BIOS (GRUB) boot modes.

### CRI registry configuration

The CRI registry configuration in v1alpha1 legacy machine configuration under `.machine.registries` is now deprecated but remains supported for backward compatibility.
The new configuration documents [RegistryMirrorConfig](../reference/configuration/cri/registrymirrorconfig), [RegistryAuthConfig](../reference/configuration/cri/registryauthconfig), and [RegistryTLSConfig](../reference/configuration/cri/registrytlsconfig) should be used instead.

### Out of memory (OOM) handling

Talos now includes a [userspace OOM handler](../configure-your-talos-cluster/system-configuration/oom),
which automatically evicts workloads based on memory pressure.

The OOM handler can be configured via the [OOMConfig](../reference/configuration/runtime/oomconfig) document.

## Kubernetes

### API server cipher suites

The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default.
This aligns with the best practices documented in the CIS 1.12 benchmark.

You can still expand the list of supported cipher suites via the `cluster.apiServer.extraArgs."tls-cipher-suites"` machine configuration field if needed.
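Before expanding the list, it helps to check each name you plan to add. The following is an added example, not part of Talos or its documentation: it classifies the names in a `tls-cipher-suites` value using the tables in Go's `crypto/tls` package. The function name `AuditCipherSuites` and the sample value are assumptions made for illustration, and the result reflects the Go version this program is built with, which may differ from the one used to build the API server.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// AuditCipherSuites (hypothetical helper) splits a comma-separated
// tls-cipher-suites value and sorts each name into one of three groups:
// suites crypto/tls lists as secure, suites it lists as insecure, and
// names it does not know at all.
func AuditCipherSuites(value string) (ok, insecure, unknown []string) {
	secure := map[string]bool{}
	for _, s := range tls.CipherSuites() {
		secure[s.Name] = true
	}
	weak := map[string]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		weak[s.Name] = true
	}
	for _, name := range strings.Split(value, ",") {
		name = strings.TrimSpace(name)
		switch {
		case name == "":
			continue // tolerate stray commas
		case weak[name]:
			insecure = append(insecure, name)
		case secure[name]:
			ok = append(ok, name)
		default:
			unknown = append(unknown, name)
		}
	}
	return ok, insecure, unknown
}

func main() {
	// Constructed sample value, not the Talos default list.
	sample := "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_RC4_128_SHA,TLS_MADE_UP_SUITE"
	ok, insecure, unknown := AuditCipherSuites(sample)
	fmt.Println("accepted:", ok)
	fmt.Println("insecure:", insecure)
	fmt.Println("unknown: ", unknown)
}
```

Any name reported as insecure or unknown should be removed or corrected before the value goes into the machine configuration.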

### etcd

The etcd container image is now pulled from `registry.k8s.io/etcd` instead of `gcr.io/etcd-development/etcd`.

## Machine configuration

### Ethernet configuration

The [Ethernet configuration](../reference/configuration/network/ethernetconfig) now includes a `wakeOnLAN` field to enable Wake-on-LAN (WOL) support.
This field allows you to enable WOL and specify the desired WOL modes.

### Deprecations

Talos now ignores the following machine configuration fields:

* `machine.features.rbac` (locked to `true`)
* `machine.features.apidCheckExtKeyUsage` (locked to `true`)
* `cluster.apiServer.disablePodSecurityPolicy` (locked to `true`)

These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values listed above.

### Embedding machine configuration

Talos Linux now supports [embedding machine configuration](../configure-your-talos-cluster/system-configuration/acquire) directly into the boot image.

## Miscellaneous

### Extra binaries

Talos Linux now includes the `nft` binary in the rootfs to support CNIs that invoke the `nft` command.

### Talos force reboot

Talos now supports a "force" reboot mode, which allows you to skip graceful userland termination.
This is useful when a userland service (e.g., the kubelet) becomes stuck during graceful shutdown, preventing the regular reboot flow from completing.

Additionally, `talosctl` has been updated to support this feature via the `talosctl reboot --mode force` command.

### Kernel module signature verification

Talos now supports optionally disabling kernel module signature verification by setting the `module.sig_enforce=0` kernel parameter.
By default, kernel module signature verification is enabled (`module.sig_enforce=1`).
When using Factory or Imager, supply the `-module.sig_enforce module.sig_enforce=0` kernel parameters to disable module signature enforcement.

This change provides an easier way to load custom kernel modules, though it does reduce system security.
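Because this setting lowers the node's security, it is worth auditing which machines boot with it. The following is an added example, not part of Talos: it inspects a kernel command line (for instance the contents of `/proc/cmdline`, readable with `talosctl read /proc/cmdline`) and reports how `module.sig_enforce` is set. The function name `SigEnforceState`, its four result strings and the sample command lines are assumptions made for illustration; only the values `0` and `1` shown on this page are interpreted, and anything else is reported for manual review.

```go
package main

import (
	"fmt"
	"strings"
)

// SigEnforceState (hypothetical helper) summarises the module.sig_enforce
// tokens on a kernel command line as "enforced", "disabled", "conflicting"
// or "absent".
func SigEnforceState(cmdline string) string {
	on, off, odd := false, false, false
	for _, tok := range strings.Fields(cmdline) {
		key, val, hasVal := strings.Cut(tok, "=")
		// The kernel treats '-' and '_' in parameter names as equivalent.
		if strings.ReplaceAll(key, "-", "_") != "module.sig_enforce" {
			continue
		}
		switch {
		case !hasVal || val == "1": // a bare boolean parameter means true
			on = true
		case val == "0":
			off = true
		default: // other spellings are left for manual review
			odd = true
		}
	}
	switch {
	case odd || (on && off):
		return "conflicting"
	case off:
		return "disabled"
	case on:
		return "enforced"
	}
	return "absent"
}

func main() {
	// Constructed sample command lines, not captured from a real node.
	samples := []string{
		"console=tty0 module.sig_enforce=1 talos.platform=metal",
		"console=tty0 module.sig-enforce=0 talos.platform=metal",
		"module.sig_enforce=1 console=tty0 module.sig_enforce=0",
		"console=tty0 talos.platform=metal",
	}
	for _, s := range samples {
		fmt.Printf("%-12s %s\n", SigEnforceState(s), s)
	}
}
```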

### Kernel security posture profile (KSPP)

Talos now enables a stricter set of KSPP sysctl settings by default.
You can view the list of overridden settings using the `talosctl get kernelparamstatus` command.

### `talosctl image cache-serve`

`talosctl` includes a new `image cache-serve` subcommand.
It allows you to serve the created OCI image registry over HTTP/HTTPS.
It is a read-only registry, meaning images cannot be pushed to it; however, the backing storage can be updated by re-running the `cache-create` command.

Additionally, `talosctl image cache-create` has some changes:

* New flag `--layout`: accepts `oci` (*default*) or `flat`:
  * `oci` preserves the current behavior
  * `flat` does not repack the artifact layer but moves it to a destination directory, allowing it to be served by `talosctl image cache-serve`
* Modified flag `--platform`: now accepts multiple OS/architecture combinations:
  * comma-separated (`--platform=linux/amd64,linux/arm64`)
  * multiple instances (`--platform=linux/amd64 --platform=linux/arm64`)

### UEFI boot

When using UEFI boot with systemd-boot as the bootloader (on new Talos installations from version 1.10 onwards), Talos will no longer modify the UEFI boot order.
Talos 1.11 introduced a fix to create a UEFI boot entry and set it as the first boot entry; however, this behavior caused issues on some systems.
To avoid further issues, Talos will now only create the UEFI boot entry if it does not exist and will not modify the boot order.

## Component updates

* Linux: 6.18.0
* Kubernetes: 1.35.0
* CNI Plugins: 1.8.0
* cryptsetup: 2.8.1
* LVM2: 2\_03\_37
* systemd-udevd: 257.8
* runc: 1.3.4
* CoreDNS: 1.13.1
* etcd: 3.6.6
* Flannel: 0.27.4
* Flannel CNI plugin: v1.8.0-flannel2
* containerd: 2.1.5

Talos is built with Go 1.25.5.

## Contributors

* Andrey Smirnov
* Mateusz Urbanek
* Noel Georgi
* Dmitrii Sharshakov
* Amarachi Iheanacho
* Orzelius
* Laura Brehm
* Oguz Kilcan
* Justin Garrison
* Artem Chernyshev
* Utku Ozdemir
* Bryan Lee
* Edward Sammut Alessi
* George Gaál
* Jorik Jonker
* Michael Smith
* Nicole Hubbard
* 459below
* Adrian L Lange
* Alp Celik
* Andrew Longwill
* Birger Johan Nordølum
* Chris Sanders
* Dmitry
* Febrian
* Florian Grignon
* Fred Heinecke
* Giau. Tran Minh
* Grzegorz Rozniecki
* Guillaume LEGRAIN
* Hector Monsalve
* Joakim Nohlgård
* Lennard Klein
* Markus Freitag
* Max Makarov
* Mike Beaumont
* Misha Aksenov
* MrMrRubic
* Olivier Doucet
* Pranav
* Sammy ETUR
* Serge Logvinov
* Serge van Ginderachter
* Skye Soss
* Skyler Mäntysaari
* SuitDeer
* Tom
* aurh1l
* frozenprocess
* frozensprocess
* kassad
* leppeK
* samoreno
* theschles
* winnie
