siderolabs
diff --git a/‎.conform.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.conform.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/renovate.json‎
Lines changed: 6 additions & 0 deletions b/‎.github/renovate.json‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.kres.yaml‎
Lines changed: 6 additions & 2 deletions b/‎.kres.yaml‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎Makefile‎
Lines changed: 4 additions & 3 deletions b/‎Makefile‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎Pkgfile‎
Lines changed: 1 addition & 1 deletion b/‎Pkgfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 18 additions & 17 deletions b/‎README.md‎
Lines changed: 18 additions & 17 deletions
diff --git a/‎container-runtime/soci-snapshotter/10-soci-snapshotter.part‎
Lines changed: 8 additions & 0 deletions b/‎container-runtime/soci-snapshotter/10-soci-snapshotter.part‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎container-runtime/soci-snapshotter/README.md‎
Lines changed: 16 additions & 0 deletions b/‎container-runtime/soci-snapshotter/README.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎container-runtime/soci-snapshotter/config.toml‎
Lines changed: 7 additions & 0 deletions b/‎container-runtime/soci-snapshotter/config.toml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎container-runtime/soci-snapshotter/manifest.yaml.tmpl‎
Lines changed: 10 additions & 0 deletions b/‎container-runtime/soci-snapshotter/manifest.yaml.tmpl‎
Lines changed: 10 additions & 0 deletions
@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2024-08-01T17:25:51Z by kres faf91e3.
+# Generated on 2025-11-13T15:52:54Z by kres e1d6dac.
 
 policies:
   - type: commit
@@ -12,7 +12,7 @@ policies:
           gitHubOrganization: siderolabs
       spellcheck:
         locale: US
-      maximumOfOneCommit: true
+      maximumOfOneCommit: false
       header:
         length: 89
         imperative: true
 
@@ -97,6 +97,12 @@
             "matchPackageNames": [
                 "git://linux-nfs.org/~steved/libtirpc"
             ]
+        },
+        {
+            "versioning": "regex:^(?<major>\\d+)\\.?(?<minor>\\d+)?\\.?(?<patch>\\d+)?$",
+            "matchPackageNames": [
+                "systemd/systemd"
+            ]
         }
     ],
     "separateMajorMinor": false
 
@@ -49,6 +49,7 @@ spec:
     - nvidia-open-gpu-kernel-modules-lts
     - nvidia-open-gpu-kernel-modules-production
     - nvme-cli
+    - soci-snapshotter
     - panfrost
     - qemu-guest-agent
     - qlogic-firmware
@@ -90,11 +91,11 @@ spec:
       - name: EXTENSIONS_IMAGE_REF
         defaultValue: $(REGISTRY_AND_USERNAME)/extensions:$(TAG)
       - name: PKGS
-        defaultValue: v1.12.0-alpha.0-50-g4ae050a
+        defaultValue: v1.12.0
       - name: PKGS_PREFIX
         defaultValue: ghcr.io/siderolabs
       - name: TOOLS
-        defaultValue: v1.12.0-alpha.0-18-g44932c0
+        defaultValue: v1.12.0
       - name: TOOLS_PREFIX
         defaultValue: ghcr.io/siderolabs
   useBldrPkgTagResolver: true
@@ -295,3 +296,6 @@ spec:
     - matchPackageNames:
         - git://linux-nfs.org/~steved/libtirpc
       versioning: 'regex:^(?<major>\d+)-(?<minor>\d+)-?(?<patch>\d+)?$'
+    - matchPackageNames:
+        - systemd/systemd
+      versioning: 'regex:^(?<major>\d+)\.?(?<minor>\d+)?\.?(?<patch>\d+)?$'
@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2025-11-21T09:49:36Z by kres e1d6dac.
+# Generated on 2025-11-15T05:31:19Z by kres e1d6dac.
 
 # common variables
 
@@ -51,9 +51,9 @@ COMMON_ARGS += $(BUILD_ARGS)
 # extra variables
 
 EXTENSIONS_IMAGE_REF ?= $(REGISTRY_AND_USERNAME)/extensions:$(TAG)
-PKGS ?= v1.12.0-alpha.0-50-g4ae050a
+PKGS ?= v1.12.0
 PKGS_PREFIX ?= ghcr.io/siderolabs
-TOOLS ?= v1.12.0-alpha.0-18-g44932c0
+TOOLS ?= v1.12.0
 TOOLS_PREFIX ?= ghcr.io/siderolabs
 IMAGE_SIGNER_RELEASE ?= v0.1.1
 
@@ -106,6 +106,7 @@ TARGETS += nvidia-gdrdrv-device
 TARGETS += nvidia-open-gpu-kernel-modules-lts
 TARGETS += nvidia-open-gpu-kernel-modules-production
 TARGETS += nvme-cli
+TARGETS += soci-snapshotter
 TARGETS += panfrost
 TARGETS += qemu-guest-agent
 TARGETS += qlogic-firmware
 
@@ -4,7 +4,7 @@ format: v1alpha2
 
 vars:
   CONTAINERD_VERSION: v2.1.5 # update this when updating PKGS_VERSION in Makefile
-  LINUX_FIRMWARE_VERSION: "20251021" # update this when updating PKGS_VERSION in Makefile
+  LINUX_FIRMWARE_VERSION: "20251111" # update this when updating PKGS_VERSION in Makefile
   DRBD_DRIVER_VERSION: 9.2.15 # update this when updating PKGS_VERSION in Makefile
   ZFS_DRIVER_VERSION: 2.4.0-rc2 # update this when updating PKGS_VERSION in Makefile
   ZFS_TOOLS_SHA256: 6b5b821e03520034b49f965acb198ff4f37661195689326a1c05a4782389987f
 
@@ -60,38 +60,39 @@ tiers based on support level:
 
 | Name | Tier | Image | Version | Description |
 | ---- | ---- | ----- | ------- | ----------- |
-| [crun](container-runtime/crun) | :yellow_square: extra | [ghcr.io/siderolabs/crun](https://github.com/siderolabs/extensions/pkgs/container/crun) | `1.24` |  This system extension provides crun using containerd's runtime handler. |
+| [crun](container-runtime/crun) | :yellow_square: extra | [ghcr.io/siderolabs/crun](https://github.com/siderolabs/extensions/pkgs/container/crun) | `1.25` |  This system extension provides crun using containerd's runtime handler. |
 | [ecr-credential-provider](container-runtime/ecr-credential-provider) | :yellow_square: extra | [ghcr.io/siderolabs/ecr-credential-provider](https://github.com/siderolabs/extensions/pkgs/container/ecr-credential-provider) | `v1.34.1` |  This system extension provides a binary which implements Kubelet's CredentialProvider API to authenticate against AWS' Elastic Container Registry and pull images. |
-| [gvisor](container-runtime/gvisor) | :green_square: core | [ghcr.io/siderolabs/gvisor](https://github.com/siderolabs/extensions/pkgs/container/gvisor) | `20251020.0` |  This system extension provides gVisor using containerd's runtime handler. |
+| [gvisor](container-runtime/gvisor) | :green_square: core | [ghcr.io/siderolabs/gvisor](https://github.com/siderolabs/extensions/pkgs/container/gvisor) | `20251103.0` |  This system extension provides gVisor using containerd's runtime handler. |
 | [gvisor-debug](container-runtime/gvisor-debug) | :yellow_square: extra | [ghcr.io/siderolabs/gvisor-debug](https://github.com/siderolabs/extensions/pkgs/container/gvisor-debug) | `v1.0.0` |  This system extension enables gVisor debug logging. |
 | [kata-containers](container-runtime/kata-containers) | :yellow_square: extra | [ghcr.io/siderolabs/kata-containers](https://github.com/siderolabs/extensions/pkgs/container/kata-containers) | `3.22.0` |  This system extension provides kata-container using containerd's runtime handler. |
+| [soci-snapshotter](container-runtime/soci-snapshotter) | :yellow_square: extra | [ghcr.io/siderolabs/soci-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/soci-snapshotter) | `v0.11.1` |  This system extension provides AWS SOCI Snapshotter using containerd's runtime handler. |
 | [spin](container-runtime/spin) | :yellow_square: extra | [ghcr.io/siderolabs/spin](https://github.com/siderolabs/extensions/pkgs/container/spin) | `v0.22.0` |  This system extension provides support for spin runtime (WebAssembly) containers. |
-| [stargz-snapshotter](container-runtime/stargz-snapshotter) | :green_square: core | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter) | `v0.18.0` |  This system extension provides Stargz Snapshotter using containerd's runtime handler. |
+| [stargz-snapshotter](container-runtime/stargz-snapshotter) | :green_square: core | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter) | `v0.18.1` |  This system extension provides Stargz Snapshotter using containerd's runtime handler. |
 | [wasmedge](container-runtime/wasmedge) | :yellow_square: extra | [ghcr.io/siderolabs/wasmedge](https://github.com/siderolabs/extensions/pkgs/container/wasmedge) | `v0.6.0` |  This system extension provides support for WasmEdge runtime (WebAssembly) containers. |
-| [youki](container-runtime/youki) | :white_large_square: contrib | [ghcr.io/siderolabs/youki](https://github.com/siderolabs/extensions/pkgs/container/youki) | `0.5.6` |  This system extension provides youki using containerd's runtime handler. |
+| [youki](container-runtime/youki) | :white_large_square: contrib | [ghcr.io/siderolabs/youki](https://github.com/siderolabs/extensions/pkgs/container/youki) | `0.5.7` |  This system extension provides youki using containerd's runtime handler. |
 
 ### Firmware
 
 | Name | Tier | Image | Version | Description |
 | ---- | ---- | ----- | ------- | ----------- |
-| [amd-ucode](firmware/amd-ucode) | :green_square: core | [ghcr.io/siderolabs/amd-ucode](https://github.com/siderolabs/extensions/pkgs/container/amd-ucode) | `20251021` |  This system extension provides AMD microcode binaries. |
-| [bnx2-bnx2x](firmware/bnx2-bnx2x) | :green_square: core | [ghcr.io/siderolabs/bnx2-bnx2x](https://github.com/siderolabs/extensions/pkgs/container/bnx2-bnx2x) | `20251021` | This system extension provides bnx2 and bnx2x binaries. |
-| [chelsio-firmware](firmware/chelsio) | :white_large_square: contrib | [ghcr.io/siderolabs/chelsio-firmware](https://github.com/siderolabs/extensions/pkgs/container/chelsio-firmware) | `20251021` |  This system extension provides Chelsio NIC firmware binaries. |
-| [intel-ice-firmware](firmware/intel-ice-firmware) | :green_square: core | [ghcr.io/siderolabs/intel-ice-firmware](https://github.com/siderolabs/extensions/pkgs/container/intel-ice-firmware) | `20251021` |  This system extension provides Intel Ice firmware binaries. |
-| [intel-ucode](firmware/intel-ucode) | :green_square: core | [ghcr.io/siderolabs/intel-ucode](https://github.com/siderolabs/extensions/pkgs/container/intel-ucode) | `20250812` |  This system extension provides Intel microcode binaries. |
-| [qlogic-firmware](firmware/qlogic-firmware) | :green_square: core | [ghcr.io/siderolabs/qlogic-firmware](https://github.com/siderolabs/extensions/pkgs/container/qlogic-firmware) | `20251021` |  This system extension provides firmware for QLogic devices. |
-| [realtek-firmware](firmware/realtek-firmware) | :green_square: core | [ghcr.io/siderolabs/realtek-firmware](https://github.com/siderolabs/extensions/pkgs/container/realtek-firmware) | `20251021` |  This system extension provides realtek firmware binaries. |
+| [amd-ucode](firmware/amd-ucode) | :green_square: core | [ghcr.io/siderolabs/amd-ucode](https://github.com/siderolabs/extensions/pkgs/container/amd-ucode) | `20251111` |  This system extension provides AMD microcode binaries. |
+| [bnx2-bnx2x](firmware/bnx2-bnx2x) | :green_square: core | [ghcr.io/siderolabs/bnx2-bnx2x](https://github.com/siderolabs/extensions/pkgs/container/bnx2-bnx2x) | `20251111` | This system extension provides bnx2 and bnx2x binaries. |
+| [chelsio-firmware](firmware/chelsio) | :white_large_square: contrib | [ghcr.io/siderolabs/chelsio-firmware](https://github.com/siderolabs/extensions/pkgs/container/chelsio-firmware) | `20251111` |  This system extension provides Chelsio NIC firmware binaries. |
+| [intel-ice-firmware](firmware/intel-ice-firmware) | :green_square: core | [ghcr.io/siderolabs/intel-ice-firmware](https://github.com/siderolabs/extensions/pkgs/container/intel-ice-firmware) | `20251111` |  This system extension provides Intel Ice firmware binaries. |
+| [intel-ucode](firmware/intel-ucode) | :green_square: core | [ghcr.io/siderolabs/intel-ucode](https://github.com/siderolabs/extensions/pkgs/container/intel-ucode) | `20251111` |  This system extension provides Intel microcode binaries. |
+| [qlogic-firmware](firmware/qlogic-firmware) | :green_square: core | [ghcr.io/siderolabs/qlogic-firmware](https://github.com/siderolabs/extensions/pkgs/container/qlogic-firmware) | `20251111` |  This system extension provides firmware for QLogic devices. |
+| [realtek-firmware](firmware/realtek-firmware) | :green_square: core | [ghcr.io/siderolabs/realtek-firmware](https://github.com/siderolabs/extensions/pkgs/container/realtek-firmware) | `20251111` |  This system extension provides realtek firmware binaries. |
 | [revpi-firmware](firmware/revpi-firmware) | :white_large_square: contrib | [ghcr.io/siderolabs/revpi-firmware](https://github.com/siderolabs/extensions/pkgs/container/revpi-firmware) | `v1.0.0` |  This system extension provides tools e.g. udev rules for the RevolutionPi platform. |
 
 ### Direct Rendering Manager (DRM)
 
 | Name | Tier | Image | Version | Description |
 | ---- | ---- | ----- | ------- | ----------- |
-| [amdgpu](drm/amdgpu) | :green_square: core | [ghcr.io/siderolabs/amdgpu](https://github.com/siderolabs/extensions/pkgs/container/amdgpu) | `20251021-VERSION` |  This system extension provides AMDGPU firmware binaries and kernel modules. |
-| [i915](drm/i915) | :green_square: core | [ghcr.io/siderolabs/i915](https://github.com/siderolabs/extensions/pkgs/container/i915) | `20251021-VERSION` |  This system extension provides Intel GPU microcode binaries and kernel modules. |
-| [panfrost](drm/panfrost) | :white_large_square: contrib | [ghcr.io/siderolabs/panfrost](https://github.com/siderolabs/extensions/pkgs/container/panfrost) | `20251021-VERSION` |  This system extension provides ARM Mali Midgard, Bifrost, and Valhall firmware binaries and kernel modules. |
+| [amdgpu](drm/amdgpu) | :green_square: core | [ghcr.io/siderolabs/amdgpu](https://github.com/siderolabs/extensions/pkgs/container/amdgpu) | `20251111-VERSION` |  This system extension provides AMDGPU firmware binaries and kernel modules. |
+| [i915](drm/i915) | :green_square: core | [ghcr.io/siderolabs/i915](https://github.com/siderolabs/extensions/pkgs/container/i915) | `20251111-VERSION` |  This system extension provides Intel GPU microcode binaries and kernel modules. |
+| [panfrost](drm/panfrost) | :white_large_square: contrib | [ghcr.io/siderolabs/panfrost](https://github.com/siderolabs/extensions/pkgs/container/panfrost) | `20251111-VERSION` |  This system extension provides ARM Mali Midgard, Bifrost, and Valhall firmware binaries and kernel modules. |
 | [vc4](drm/vc4) | :yellow_square: extra | [ghcr.io/siderolabs/vc4](https://github.com/siderolabs/extensions/pkgs/container/vc4) | `VERSION` |  This system extension provides kernel modules for Broadcom VideoCore GPU. |
-| [xe](drm/xe) | :green_square: core | [ghcr.io/siderolabs/xe](https://github.com/siderolabs/extensions/pkgs/container/xe) | `20251021-VERSION` |  This system extension provides Intel GPU microcode binaries and kernel modules. |
+| [xe](drm/xe) | :green_square: core | [ghcr.io/siderolabs/xe](https://github.com/siderolabs/extensions/pkgs/container/xe) | `20251111-VERSION` |  This system extension provides Intel GPU microcode binaries and kernel modules. |
 
 ### Drivers
 
@@ -128,10 +129,10 @@ tiers based on support level:
 
 | Name | Tier | Image | Version | Description |
 | ---- | ---- | ----- | ------- | ----------- |
-| [cloudflared](network/cloudflared) | :white_large_square: contrib | [ghcr.io/siderolabs/cloudflared](https://github.com/siderolabs/extensions/pkgs/container/cloudflared) | `2025.10.1` |  Cloudflare Tunnel securely connects resources to Cloudflare without a public IP. A lightweight daemon (cloudflared) creates outbound-only connections to Cloudflare, allowing safe access to services like HTTP, SSH, remote desktops, and other protocols. More info: https://github.com/cloudflare/cloudflared/ |
+| [cloudflared](network/cloudflared) | :white_large_square: contrib | [ghcr.io/siderolabs/cloudflared](https://github.com/siderolabs/extensions/pkgs/container/cloudflared) | `2025.11.1` |  Cloudflare Tunnel securely connects resources to Cloudflare without a public IP. A lightweight daemon (cloudflared) creates outbound-only connections to Cloudflare, allowing safe access to services like HTTP, SSH, remote desktops, and other protocols. More info: https://github.com/cloudflare/cloudflared/ |
 | [lldpd](network/lldpd) | :yellow_square: extra | [ghcr.io/siderolabs/lldpd](https://github.com/siderolabs/extensions/pkgs/container/lldpd) | `1.0.20` |  LLDP adds a LLDP discovery service to Talos. LLDP cli can be used to interface with the daemon. |
 | [nebula](network/nebula) | :white_large_square: contrib | [ghcr.io/siderolabs/nebula](https://github.com/siderolabs/extensions/pkgs/container/nebula) | `1.9.7` |  A scalable overlay networking tool with a focus on performance, simplicity and security |
-| [netbird](network/netbird) | :white_large_square: contrib | [ghcr.io/siderolabs/netbird](https://github.com/siderolabs/extensions/pkgs/container/netbird) | `0.59.11` |  NetBird combines a WireGuard®-based overlay network with Zero Trust Network Access, providing a unified open source platform for reliable and secure connectivity. |
+| [netbird](network/netbird) | :white_large_square: contrib | [ghcr.io/siderolabs/netbird](https://github.com/siderolabs/extensions/pkgs/container/netbird) | `0.59.12` |  NetBird combines a WireGuard®-based overlay network with Zero Trust Network Access, providing a unified open source platform for reliable and secure connectivity. |
 | [newt](network/newt) | :white_large_square: contrib | [ghcr.io/siderolabs/newt](https://github.com/siderolabs/extensions/pkgs/container/newt) | `1.6.0` |  Newt is a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. By using Newt, you don't need to manage complex WireGuard tunnels and NATing. More info: https://github.com/fosrl/newt |
 | [tailscale](network/tailscale) | :yellow_square: extra | [ghcr.io/siderolabs/tailscale](https://github.com/siderolabs/extensions/pkgs/container/tailscale) | `1.90.6` |  Tailscale connects your team's devices and development environments for easy access to remote resources. |
 | [zerotier](network/zerotier) | :white_large_square: contrib | [ghcr.io/siderolabs/zerotier](https://github.com/siderolabs/extensions/pkgs/container/zerotier) | `1.16.0` |  Connect your Talos cluster into a zerotier network |
 
@@ -0,0 +1,8 @@
+[proxy_plugins]
+  [proxy_plugins.soci]
+    type = "snapshot"
+    address = "/var/run/soci-snapshotter/soci-snapshotter-grpc.sock"
+
+[plugins."io.containerd.cri.v1.images"]
+  snapshotter = "soci"
+  disable_snapshot_annotations = false
@@ -0,0 +1,16 @@
+# AWS SOCI Snapshotter extension
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Pulling from Privte Registries
+
+To pull from private registries an additional step is required. You must configure the Kubelet to use the SOCI snapshotter as an image service proxy. This is explained in more detail in the [SOCI docs](https://github.com/awslabs/soci-snapshotter/blob/main/docs/registry-authentication.md#kubernetes-cri-credentials). An example config patch:
+
+```yaml
+machine:
+  kubelet:
+    extraConfig:
+      imageServiceEndpoint: unix:///var/run/soci-snapshotter/soci-snapshotter-grpc.sock
+```
@@ -0,0 +1,7 @@
+# SOCI Snapshotter configuration
+
+# Enable use of the SOCI snapshotter as a proxy ImageService so it can pull
+# images from private registries.
+[cri_keychain]
+enable_keychain = true
+image_service_path = "/var/run/containerd/containerd.sock"
@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+  name: soci-snapshotter
+  version: "{{ .VERSION }}"
+  author: Sidero Labs
+  description: |
+    [{{ .TIER }}] This system extension provides AWS SOCI Snapshotter using containerd's runtime handler.
+  compatibility:
+    talos:
+      version: ">= v1.8.0"
Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,12 @@`
`97`	`97`	`"matchPackageNames": [`
`98`	`98`	`"git://linux-nfs.org/~steved/libtirpc"`
`99`	`99`	`]`
	`100`	`+ },`
	`101`	`+ {`
	`102`	`+ "versioning": "regex:^(?<major>\\d+)\\.?(?<minor>\\d+)?\\.?(?<patch>\\d+)?$",`
	`103`	`+ "matchPackageNames": [`
	`104`	`+ "systemd/systemd"`
	`105`	`+ ]`
`100`	`106`	`}`
`101`	`107`	`],`
`102`	`108`	`"separateMajorMinor": false`