siderolabs · talos-bot · Nov 14, 2025 · Nov 6, 2025
diff --git a/.kres.yaml b/.kres.yaml
@@ -53,6 +53,7 @@ spec:
     - qlogic-firmware
     - realtek-firmware
     - revpi-firmware
+    - soci-snapshotter
     - spin
     - stargz-snapshotter
     - tailscale

diff --git a/Makefile b/Makefile
@@ -110,6 +110,7 @@ TARGETS += qemu-guest-agent
 TARGETS += qlogic-firmware
 TARGETS += realtek-firmware
 TARGETS += revpi-firmware
+TARGETS += soci-snapshotter
 TARGETS += spin
 TARGETS += stargz-snapshotter
 TARGETS += tailscale

diff --git a/README.md b/README.md
@@ -65,6 +65,7 @@ tiers based on support level:
 | [gvisor](container-runtime/gvisor) | :green_square: core | [ghcr.io/siderolabs/gvisor](https://github.com/siderolabs/extensions/pkgs/container/gvisor) | `20251103.0` |  This system extension provides gVisor using containerd's runtime handler. |
 | [gvisor-debug](container-runtime/gvisor-debug) | :yellow_square: extra | [ghcr.io/siderolabs/gvisor-debug](https://github.com/siderolabs/extensions/pkgs/container/gvisor-debug) | `v1.0.0` |  This system extension enables gVisor debug logging. |
 | [kata-containers](container-runtime/kata-containers) | :yellow_square: extra | [ghcr.io/siderolabs/kata-containers](https://github.com/siderolabs/extensions/pkgs/container/kata-containers) | `3.22.0` |  This system extension provides kata-container using containerd's runtime handler. |
+| [soci-snapshotter](container-runtime/soci-snapshotter) | :yellow_square: extra | [ghcr.io/siderolabs/soci-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/soci-snapshotter) | `v0.11.1` |  This system extension provides AWS SOCI Snapshotter using containerd's runtime handler. |
 | [spin](container-runtime/spin) | :yellow_square: extra | [ghcr.io/siderolabs/spin](https://github.com/siderolabs/extensions/pkgs/container/spin) | `v0.22.0` |  This system extension provides support for spin runtime (WebAssembly) containers. |
 | [stargz-snapshotter](container-runtime/stargz-snapshotter) | :green_square: core | [ghcr.io/siderolabs/stargz-snapshotter](https://github.com/siderolabs/extensions/pkgs/container/stargz-snapshotter) | `v0.18.1` |  This system extension provides Stargz Snapshotter using containerd's runtime handler. |
 | [wasmedge](container-runtime/wasmedge) | :yellow_square: extra | [ghcr.io/siderolabs/wasmedge](https://github.com/siderolabs/extensions/pkgs/container/wasmedge) | `v0.6.0` |  This system extension provides support for WasmEdge runtime (WebAssembly) containers. |

diff --git a/container-runtime/soci-snapshotter/10-soci-snapshotter.part b/container-runtime/soci-snapshotter/10-soci-snapshotter.part
@@ -0,0 +1,8 @@
+[proxy_plugins]
+  [proxy_plugins.soci]
+    type = "snapshot"
+    address = "/var/run/soci-snapshotter/soci-snapshotter-grpc.sock"
+
+[plugins."io.containerd.cri.v1.images"]
+  snapshotter = "soci"
+  disable_snapshot_annotations = false
diff --git a/container-runtime/soci-snapshotter/README.md b/container-runtime/soci-snapshotter/README.md
@@ -0,0 +1,16 @@
+# AWS SOCI Snapshotter extension
+
+## Installation
+
+See [Installing Extensions](https://github.com/siderolabs/extensions#installing-extensions).
+
+## Pulling from Privte Registries
+
+To pull from private registries an additional step is required. You must configure the Kubelet to use the SOCI snapshotter as an image service proxy. This is explained in more detail in the [SOCI docs](https://github.com/awslabs/soci-snapshotter/blob/main/docs/registry-authentication.md#kubernetes-cri-credentials). An example config patch:
+
+```yaml
+machine:
+  kubelet:
+    extraConfig:
+      imageServiceEndpoint: unix:///var/run/soci-snapshotter/soci-snapshotter-grpc.sock
+```
diff --git a/container-runtime/soci-snapshotter/config.toml b/container-runtime/soci-snapshotter/config.toml
@@ -0,0 +1,7 @@
+# SOCI Snapshotter configuration
+
+# Enable use of the SOCI snapshotter as a proxy ImageService so it can pull
+# images from private registries.
+[cri_keychain]
+enable_keychain = true
+image_service_path = "/var/run/containerd/containerd.sock"
diff --git a/container-runtime/soci-snapshotter/manifest.yaml.tmpl b/container-runtime/soci-snapshotter/manifest.yaml.tmpl
@@ -0,0 +1,10 @@
+version: v1alpha1
+metadata:
+  name: soci-snapshotter
+  version: "{{ .VERSION }}"
+  author: Sidero Labs
+  description: |
+    [{{ .TIER }}] This system extension provides AWS SOCI Snapshotter using containerd's runtime handler.
+  compatibility:
+    talos:
+      version: ">= v1.8.0"
diff --git a/container-runtime/soci-snapshotter/pkg.yaml b/container-runtime/soci-snapshotter/pkg.yaml
@@ -0,0 +1,71 @@
+name: soci-snapshotter
+variant: scratch
+shell: /bin/bash
+dependencies:
+  - stage: base
+steps:
+  - sources:
+      - url: https://github.com/awslabs/soci-snapshotter/archive/refs/tags/{{ .SOCI_SNAPSHOTTER_VERSION }}.tar.gz
+        destination: soci-snapshotter.tar.gz
+        sha256: {{ .SOCI_SNAPSHOTTER_SHA256 }}
+        sha512: {{ .SOCI_SNAPSHOTTER_SHA512 }}
+    env:
+      GOPATH: /tmp/go
+      VERSION: {{ .SOCI_SNAPSHOTTER_VERSION }}
+      REVISION: {{ .SOCI_SNAPSHOTTER_REV }}
+    cachePaths:
+      - /.cache/go-build
+      - /tmp/go/pkg
+  - network: default
+    prepare:
+      - |
+        mkdir -p ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+
+        tar -xzf soci-snapshotter.tar.gz --strip-components=1 -C ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+      - |
+        cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter/cmd
+        go mod download
+  - network: none
+    build:
+      - |
+        cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+
+        make soci-snapshotter-grpc
+        make soci
+    install:
+      - |
+        mkdir -p /rootfs/usr/local/bin
+        mkdir -p /rootfs/usr/local/lib/containers/soci-snapshotter
+
+        cd ${GOPATH}/src/github.com/awslabs/soci-snapshotter
+
+        cp ./out/soci-snapshotter-grpc /rootfs/usr/local/lib/containers/soci-snapshotter/soci-snapshotter-grpc
+        chmod +x /rootfs/usr/local/lib/containers/soci-snapshotter/soci-snapshotter-grpc
+
+        cp ./out/soci /rootfs/usr/local/lib/containers/soci-snapshotter/soci
+        chmod +x /rootfs/usr/local/lib/containers/soci-snapshotter/soci
+
+        mkdir -p /rootfs/usr/local/lib/containers/soci-snapshotter/etc/soci-snapshotter-grpc/ 
+        cp /pkg/config.toml /rootfs/usr/local/lib/containers/soci-snapshotter/etc/soci-snapshotter-grpc/config.toml
+      - |
+        mkdir -p /rootfs/etc/cri/conf.d
+        cp /pkg/10-soci-snapshotter.part /rootfs/etc/cri/conf.d/10-soci-snapshotter.part
+
+        mkdir -p /rootfs/usr/local/etc/containers
+        cp /pkg/soci-snapshotter.yaml /rootfs/usr/local/etc/containers/
+    test:
+      - |
+        mkdir -p /extensions-validator-rootfs
+        cp -r /rootfs/ /extensions-validator-rootfs/rootfs
+        cp /pkg/manifest.yaml /extensions-validator-rootfs/manifest.yaml
+        /extensions-validator validate --rootfs=/extensions-validator-rootfs --pkg-name="${PKG_NAME}"
+    sbom:
+      outputPath: /rootfs/usr/local/share/spdx/soci-snapshotter.spdx.json
+      version: {{ .SOCI_SNAPSHOTTER_VERSION }}
+      licenses:
+        - Apache-2.0
+finalize:
+  - from: /rootfs
+    to: /rootfs
+  - from: /pkg/manifest.yaml
+    to: /
diff --git a/container-runtime/soci-snapshotter/soci-snapshotter.yaml b/container-runtime/soci-snapshotter/soci-snapshotter.yaml
@@ -0,0 +1,33 @@
+name: soci-snapshotter
+depends:
+  - service: cri
+restart: always
+container:
+  entrypoint: ./soci-snapshotter-grpc
+  args:
+    - -log-level=debug
+    - -address=/var/run/soci-snapshotter/soci-snapshotter-grpc.sock
+    - -root=/var/lib/containerd/io.containerd.snapshotter.v1.soci
+  security:
+    rootfsPropagation: shared
+  mounts:
+    - source: /var
+      destination: /var
+      type: bind
+      options:
+        - rshared
+        - rbind
+        - rw
+    - source: /run
+      destination: /run
+      type: bind
+      options:
+        - rshared
+        - rbind
+        - rw
+    - source: /etc/ssl/certs
+      destination: /etc/ssl/certs
+      type: bind
+      options:
+        - rbind
+        - ro
diff --git a/container-runtime/soci-snapshotter/vars.yaml b/container-runtime/soci-snapshotter/vars.yaml
@@ -0,0 +1,2 @@
+VERSION: "{{ .SOCI_SNAPSHOTTER_VERSION }}"
+TIER: "extra"
diff --git a/container-runtime/vars.yaml b/container-runtime/vars.yaml
@@ -9,6 +9,11 @@ GVISOR_SHA512: 038631f7b6e03ca14b2a038b51756b0ce8e3f9b490deebe4938419e82f98c9e81
 STARGZ_SNAPSHOTTER_VERSION: v0.18.1
 STARGZ_SNAPSHOTTER_SHA256: 42e9bf7536a3c1eca2160b58fc865de47f6a338f30bb88a25fe50ed8b0d130e3
 STARGZ_SNAPSHOTTER_SHA512: 076943cd8488bf58b0fd54b41471f99d0289b4fc63f66549fb946c82fdb7e68794c215b8b9ed0e858cf12227db59bf7a360004d5232b6c090decdbb36a1bd323
+# renovate: datasource=github-releases depName=awslabs/soci-snapshotter
+SOCI_SNAPSHOTTER_VERSION: v0.11.1
+SOCI_SNAPSHOTTER_REV: 28781de6731978b2e2f0f43573a345e9fa14dbd1
+SOCI_SNAPSHOTTER_SHA256: cabeac915c9bd31c5ab16dd11ef3fb46ce9f9b707428b88319aa8940b9de3b5a
+SOCI_SNAPSHOTTER_SHA512: f42bf8bf1121cce918ed9cfab542d81e2ee5562fe42ef2d4806b7cf78da2e3e15f830eb86fc1dbc17fc0f1f2566723a4db3feadb473e66c06f2f5bbf21f69588
 # renovate: datasource=github-releases depName=kubernetes/cloud-provider-aws
 CLOUD_PROVIDER_AWS_VERSION: v1.34.1
 CLOUD_PROVIDER_AWS_SHA256: 41acb02dcbf3357d2f2f910a9dcc2a115b1f8eecc9d02c3df089e116a0a63905
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		VERSION: "{{ .SOCI_SNAPSHOTTER_VERSION }}"
		TIER: "extra"