Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions content/en/docs/next/install/kubernetes/talos-bootstrap.md
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,10 @@ talos-bootstrap --help
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is disabled by default" color="warning" %}}
The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes.
{{% /alert %}}

{{% alert title="Do not change op: on these entries" color="warning" %}}
Talos rejects `op: create` for any file outside `/var`, returning the error `create operation not allowed outside of /var` — the only exception is the special-cased `/etc/cri/conf.d/20-customization.part`. Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`. Changing the op (or pointing `create` at another `/etc` path) fails the `WriteUserFiles` boot step: the node pauses and enters a reboot loop, and `talosctl bootstrap` reports only `bootstrap is not available yet` with no obvious cause.
{{% /alert %}}
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/next/install/kubernetes/talosctl.md
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is disabled by default" color="warning" %}}
The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes.
{{% /alert %}}

{{% alert title="Do not change op: on these entries" color="warning" %}}
Talos rejects `op: create` for any file outside `/var`, returning the error `create operation not allowed outside of /var` — the only exception is the special-cased `/etc/cri/conf.d/20-customization.part`. Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`. Changing the op (or pointing `create` at another `/etc` path) fails the `WriteUserFiles` boot step: the node pauses and enters a reboot loop, and `talosctl bootstrap` reports only `bootstrap is not available yet` with no obvious cause.
{{% /alert %}}
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v0/install/kubernetes/talos-bootstrap.md
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,10 @@ talos-bootstrap --help
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}}
The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

```yaml
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v0/install/kubernetes/talosctl.md
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,10 @@ Discovered open port 50000/tcp on 192.168.123.13
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}}
The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

Note that VIP address is used for `machine.network.interfaces[0].vip.ip`:
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,10 @@ talos-bootstrap --help
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}}
The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

```yaml
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v1.0/install/kubernetes/talosctl.md
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}}
The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

Note that VIP address is used for `machine.network.interfaces[0].vip.ip`:
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,10 @@ talos-bootstrap --help
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}}
The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

```yaml
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v1.1/install/kubernetes/talosctl.md
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}}
The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

Note that VIP address is used for `machine.network.interfaces[0].vip.ip`:
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,10 @@ talos-bootstrap --help
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}}
The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

```yaml
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v1.2/install/kubernetes/talosctl.md
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}}
The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

Note that VIP address is used for `machine.network.interfaces[0].vip.ip`:
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,10 @@ talos-bootstrap --help
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is disabled by default" color="warning" %}}
The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

```yaml
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v1.3/install/kubernetes/talosctl.md
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is disabled by default" color="warning" %}}
The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

Note that VIP address is used for `machine.network.interfaces[0].vip.ip`:
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,10 @@ talos-bootstrap --help
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is disabled by default" color="warning" %}}
The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

```yaml
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v1.4/install/kubernetes/talosctl.md
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is disabled by default" color="warning" %}}
The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

Note that VIP address is used for `machine.network.interfaces[0].vip.ip`:
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,10 @@ talos-bootstrap --help
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is disabled by default" color="warning" %}}
The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

```yaml
Expand Down
4 changes: 4 additions & 0 deletions content/en/docs/v1.5/install/kubernetes/talosctl.md
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13
- 10.96.0.0/16
```

{{% alert title="KVM nested virtualization is disabled by default" color="warning" %}}
The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes.
{{% /alert %}}

1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes:

Note that VIP address is used for `machine.network.interfaces[0].vip.ip`:
Expand Down