mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-08-05 22:27:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat: bump Linux, Go and other packages

Browse Source 
Include all core packages into SBOM, make sure Talos is built with the
same Go versions as pkgs.

Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
This commit is contained in:
Dmitrii Sharshakov 2025-07-09 18:04:48 +02:00
parent 0b8c180b82
commit 2d89bcc71f
No known key found for this signature in database
GPG Key ID: 9866BBFAF691F3AF
11 changed files with 63 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
Dockerfile
View File

@ -231,6 +231,7 @@ COPY --from=pkg-cni-amd64 /opt/cni/bin/firewall /opt/cni/bin/firewall
COPY --from=pkg-cni-amd64 /opt/cni/bin/host-local /opt/cni/bin/host-local
COPY --from=pkg-cni-amd64 /opt/cni/bin/loopback /opt/cni/bin/loopback
COPY --from=pkg-cni-amd64 /opt/cni/bin/portmap /opt/cni/bin/portmap
COPY --from=pkg-cni-amd64 /usr/share/spdx/cni.spdx.json /usr/share/spdx/cni.spdx.json
FROM scratch AS pkg-cni-stripped-arm64
COPY --from=pkg-cni-arm64 /opt/cni/bin/bridge /opt/cni/bin/bridge
@ -238,6 +239,7 @@ COPY --from=pkg-cni-arm64 /opt/cni/bin/firewall /opt/cni/bin/firewall
COPY --from=pkg-cni-arm64 /opt/cni/bin/host-local /opt/cni/bin/host-local
COPY --from=pkg-cni-arm64 /opt/cni/bin/loopback /opt/cni/bin/loopback
COPY --from=pkg-cni-arm64 /opt/cni/bin/portmap /opt/cni/bin/portmap
COPY --from=pkg-cni-arm64 /usr/share/spdx/cni.spdx.json /usr/share/spdx/cni.spdx.json
FROM ${PKG_TALOSCTL_CNI_BUNDLE} AS pkgs-talosctl-cni-bundle
@ -311,6 +313,8 @@ ENV GOMODCACHE=/.cache/mod
ENV PROTOTOOL_CACHE_PATH=/.cache/prototool
ARG SOURCE_DATE_EPOCH
ENV SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH}
# Go standard library is shipped with Talos, thus it must be tracked in SBOM
COPY --link --from=tools /usr/share/spdx/golang.spdx.json /rootfs/usr/share/spdx/golang.spdx.json
WORKDIR /src
# The build-go target creates a container to build Go code with Go modules downloaded and verified.
@ -727,8 +731,10 @@ COPY --link --exclude=usr/bin/ctr --from=pkg-containerd-amd64 / /rootfs
COPY --link --from=pkg-dosfstools-amd64 / /rootfs
COPY --link --from=pkg-e2fsprogs-amd64 / /rootfs
COPY --link --exclude=usr/share --from=pkg-systemd-udevd-amd64 / /rootfs
COPY --link --from=pkg-systemd-udevd-amd64 /usr/share/spdx/systemd.spdx.json /rootfs/usr/share/spdx/systemd.spdx.json
COPY --link --from=pkg-libcap-amd64 / /rootfs
COPY --link --exclude=usr/share --from=pkg-iptables-amd64 / /rootfs
COPY --link --from=pkg-iptables-amd64 /usr/share/spdx/iptables.spdx.json /rootfs/usr/share/spdx/iptables.spdx.json
COPY --link --from=pkg-libattr-amd64 / /rootfs
COPY --link --from=pkg-libinih-amd64 / /rootfs
COPY --link --from=pkg-libjson-c-amd64 / /rootfs
@ -748,8 +754,10 @@ COPY --link --from=pkg-xfsprogs-amd64 / /rootfs
COPY --link --from=pkg-util-linux-amd64 /usr/lib/libblkid.* /rootfs/usr/lib/
COPY --link --from=pkg-util-linux-amd64 /usr/lib/libuuid.* /rootfs/usr/lib/
COPY --link --from=pkg-util-linux-amd64 /usr/lib/libmount.* /rootfs/usr/lib/
COPY --link --from=pkg-util-linux-amd64 /usr/share/spdx/util-linux.spdx.json /rootfs/usr/share/spdx/util-linux.spdx.json
COPY --link --from=pkg-kmod-amd64 /usr/lib/libkmod.* /rootfs/usr/lib/
COPY --link --from=pkg-kmod-amd64 /usr/bin/kmod /rootfs/usr/bin/modprobe
COPY --link --from=pkg-kmod-amd64 usr/share/spdx/kmod.spdx.json /rootfs/usr/share/spdx/kmod.spdx.json
COPY --link --from=modules-amd64 /usr/lib/modules /rootfs/usr/lib/modules
COPY --link --from=machined-build-amd64 /machined /rootfs/usr/bin/init
@ -804,8 +812,10 @@ COPY --link --exclude=usr/bin/ctr --from=pkg-containerd-arm64 / /rootfs
COPY --link --from=pkg-dosfstools-arm64 / /rootfs
COPY --link --from=pkg-e2fsprogs-arm64 / /rootfs
COPY --link --exclude=usr/share --from=pkg-systemd-udevd-arm64 / /rootfs
COPY --link --from=pkg-systemd-udevd-arm64 /usr/share/spdx/systemd.spdx.json /rootfs/usr/share/spdx/systemd.spdx.json
COPY --link --from=pkg-libcap-arm64 / /rootfs
COPY --link --exclude=usr/share --from=pkg-iptables-arm64 / /rootfs
COPY --link --from=pkg-iptables-arm64 /usr/share/spdx/iptables.spdx.json /rootfs/usr/share/spdx/iptables.spdx.json
COPY --link --from=pkg-libattr-arm64 / /rootfs
COPY --link --from=pkg-libinih-arm64 / /rootfs
COPY --link --from=pkg-libjson-c-arm64 / /rootfs
@ -825,8 +835,10 @@ COPY --link --from=pkg-xfsprogs-arm64 / /rootfs
COPY --link --from=pkg-util-linux-arm64 /usr/lib/libblkid.* /rootfs/usr/lib/
COPY --link --from=pkg-util-linux-arm64 /usr/lib/libuuid.* /rootfs/usr/lib/
COPY --link --from=pkg-util-linux-arm64 /usr/lib/libmount.* /rootfs/usr/lib/
COPY --link --from=pkg-util-linux-arm64 /usr/share/spdx/util-linux.spdx.json /rootfs/usr/share/spdx/util-linux.spdx.json
COPY --link --from=pkg-kmod-arm64 /usr/lib/libkmod.* /rootfs/usr/lib/
COPY --link --from=pkg-kmod-arm64 /usr/bin/kmod /rootfs/usr/bin/modprobe
COPY --link --from=pkg-kmod-arm64 /usr/share/spdx/kmod.spdx.json /rootfs/usr/share/spdx/kmod.spdx.json
COPY --link --from=modules-arm64 /usr/lib/modules /rootfs/usr/lib/modules
COPY --link --from=machined-build-arm64 /machined /rootfs/usr/bin/init
@ -885,14 +897,14 @@ RUN cp go.mod go.sum /tmp/sbom-src/
FROM build-sbom AS sbom-container-arm64-generate
COPY --from=rootfs-base-arm64 /rootfs/usr/share/spdx /tmp/sbom-src/
RUN --mount=type=cache,target=/.cache,id=talos/.cache sbom.sh /tmp/sbom-src/ "$NAME (arm64 container)" talos-container-arm64.spdx.json
RUN --mount=type=cache,target=/.cache,id=talos/.cache sbom.sh /tmp/sbom-src/ talos-container-arm64.spdx.json
FROM scratch AS sbom-container-arm64
COPY --from=sbom-container-arm64-generate /rootfs/usr/share/spdx/talos-container-arm64.spdx.json /
FROM build-sbom AS sbom-container-amd64-generate
COPY --from=rootfs-base-amd64 /rootfs/usr/share/spdx /tmp/sbom-src/
RUN --mount=type=cache,target=/.cache,id=talos/.cache sbom.sh /tmp/sbom-src/ "$NAME (amd64 container)" talos-container-amd64.spdx.json
RUN --mount=type=cache,target=/.cache,id=talos/.cache sbom.sh /tmp/sbom-src/ talos-container-amd64.spdx.json
FROM scratch AS sbom-container-amd64
COPY --from=sbom-container-amd64-generate /rootfs/usr/share/spdx/talos-container-amd64.spdx.json /
@ -900,7 +912,7 @@ COPY --from=sbom-container-amd64-generate /rootfs/usr/share/spdx/talos-container
FROM build-sbom AS sbom-arm64-generate
COPY --from=rootfs-base-arm64 /rootfs/usr/share/spdx /tmp/sbom-src/
COPY --from=pkg-kernel-arm64 /usr/share/spdx/kernel.spdx.json /tmp/sbom-src/
RUN --mount=type=cache,target=/.cache,id=talos/.cache sbom.sh /tmp/sbom-src/ "$NAME (arm64)" talos-arm64.spdx.json
RUN --mount=type=cache,target=/.cache,id=talos/.cache sbom.sh /tmp/sbom-src/ talos-arm64.spdx.json
FROM scratch AS sbom-arm64
COPY --from=sbom-arm64-generate /rootfs/usr/share/spdx/talos-arm64.spdx.json /
@ -908,7 +920,7 @@ COPY --from=sbom-arm64-generate /rootfs/usr/share/spdx/talos-arm64.spdx.json /
FROM build-sbom AS sbom-amd64-generate
COPY --from=rootfs-base-amd64 /rootfs/usr/share/spdx /tmp/sbom-src/
COPY --from=pkg-kernel-amd64 /usr/share/spdx/kernel.spdx.json /tmp/sbom-src/
RUN --mount=type=cache,target=/.cache,id=talos/.cache sbom.sh /tmp/sbom-src/ "$NAME (amd64)" talos-amd64.spdx.json
RUN --mount=type=cache,target=/.cache,id=talos/.cache sbom.sh /tmp/sbom-src/ talos-amd64.spdx.json
FROM scratch AS sbom-amd64
COPY --from=sbom-amd64-generate /rootfs/usr/share/spdx/talos-amd64.spdx.json /
@ -933,8 +945,6 @@ FROM rootfs-base-arm64 AS rootfs-squashfs-arm64
RUN rm -rf /rootfs/usr/share/spdx/*
COPY --from=sbom-arm64 / /rootfs/usr/share/spdx/
ARG ZSTD_COMPRESSION_LEVEL
RUN find /rootfs -print0 \
| xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
COPY --from=selinux-generate /policy/file_contexts /file_contexts
COPY ./hack/labeled-squashfs.sh /
RUN fakeroot /labeled-squashfs.sh /rootfs /rootfs.sqsh /file_contexts ${ZSTD_COMPRESSION_LEVEL}
@ -943,8 +953,6 @@ FROM rootfs-base-amd64 AS rootfs-squashfs-amd64
RUN rm -rf /rootfs/usr/share/spdx/*
COPY --from=sbom-amd64 / /rootfs/usr/share/spdx/
ARG ZSTD_COMPRESSION_LEVEL
RUN find /rootfs -print0 \
| xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}"
COPY --from=selinux-generate /policy/file_contexts /file_contexts
COPY ./hack/labeled-squashfs.sh /
RUN fakeroot /labeled-squashfs.sh /rootfs /rootfs.sqsh /file_contexts ${ZSTD_COMPRESSION_LEVEL}

4
Makefile
View File

@ -25,9 +25,9 @@ DEBUG_TOOLS_SOURCE := scratch
EMBED_TARGET ?= embed
TOOLS_PREFIX ?= ghcr.io/siderolabs/tools
TOOLS ?= v1.11.0-alpha.0-3-g1dfd14b
TOOLS ?= v1.11.0-alpha.0-6-g4818702
PKGS_PREFIX ?= ghcr.io/siderolabs
PKGS ?= v1.11.0-alpha.0-43-g2537e61
PKGS ?= v1.11.0-alpha.0-48-g8ed84c5
KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest
CONFORMANCE_IMAGE ?= ghcr.io/siderolabs/conform:latest

2
go.mod
View File

@ -1,6 +1,6 @@
module github.com/siderolabs/talos
go 1.24.4
go 1.24.5
replace (
// see e.g. https://github.com/grpc/grpc-go/issues/6696

2
go.work
View File

@ -1,4 +1,4 @@
go 1.24.4
go 1.24.5
use (
.

8
hack/release.toml
View File

@ -18,15 +18,19 @@ preface = """
[notes.updates]
title = "Component Updates"
description = """\
Linux: 6.12.35
Linux: 6.12.36
Kubernetes: 1.34.0-alpha.2
runc: 1.3.0
containerd: 2.1.3
Flannel CNI plugin: 1.7.1-flannel1
Flannel: 0.27.0
CoreDNS: 1.12.2
xfsprogs: 6.15.0
systemd-udevd and systemd-boot: 257.7
lvm2: 2.03.33
cryptsetup: 2.8.0
Talos is built with Go 1.24.4.
Talos is built with Go 1.24.5.
"""
[notes.macos-qemu]

4
hack/sbom.sh
View File

@ -6,5 +6,5 @@ SYFT_FORMAT_PRETTY=1 SYFT_FORMAT_SPDX_JSON_DETERMINISTIC_UUID=1 \
github.com/anchore/syft/cmd/syft \
scan --from dir "$1" \
--select-catalogers "+sbom-cataloger,go" \
--source-name "$2" --source-version "$TAG" \
-o spdx-json > "/rootfs/usr/share/spdx/$3"
--source-name "$NAME" --source-version "$TAG" \
-o spdx-json > "/rootfs/usr/share/spdx/$2"

30
internal/pkg/rootfs/rootfs_test.go Normal file
View File

@ -0,0 +1,30 @@
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
package rootfs_test
import (
"debug/buildinfo"
"runtime"
"testing"
"github.com/stretchr/testify/assert"
"github.com/siderolabs/talos/pkg/machinery/constants"
)
func TestPkgxGoVersionMatchesTalos(t *testing.T) {
const sampleBinaryPath = "/usr/bin/containerd"
info, err := buildinfo.ReadFile(sampleBinaryPath)
if err != nil {
t.Fatalf("failed to read build info from %s: %v", sampleBinaryPath, err)
}
binaryGoVersion := info.GoVersion
runtimeGoVersion := runtime.Version()
assert.Equal(t, runtimeGoVersion, binaryGoVersion)
assert.Equal(t, runtimeGoVersion, constants.GoVersion)
}

4
pkg/machinery/constants/constants.go
View File

@ -14,7 +14,7 @@ import (
const (
// DefaultKernelVersion is the default Linux kernel version.
DefaultKernelVersion = "6.12.35-talos"
DefaultKernelVersion = "6.12.36-talos"
// KernelParamConfig is the kernel parameter name for specifying the URL.
// to the config.
@ -1103,7 +1103,7 @@ const (
DBusClientSocketLabel = "system_u:object_r:dbus_client_socket_t:s0"
// GoVersion is the version of Go compiler this release was built with.
GoVersion = "go1.24.4"
GoVersion = "go1.24.5"
// KubernetesTalosAPIServiceName is the name of the Kubernetes service to access Talos API.
KubernetesTalosAPIServiceName = "talos"

2
pkg/machinery/gendata/data/pkgs
View File

@ -1 +1 @@
v1.11.0-alpha.0-43-g2537e61
v1.11.0-alpha.0-48-g8ed84c5

2
pkg/machinery/gendata/data/tools
View File

@ -1 +1 @@
v1.11.0-alpha.0-3-g1dfd14b
v1.11.0-alpha.0-6-g4818702

2
tools/go.mod
View File

@ -1,6 +1,6 @@
module github.com/siderolabs/talos/tools
go 1.24.3
go 1.24.5
tool github.com/anchore/syft/cmd/syft