This repo serves as a central place for publishing extensions to Talos Linux. Extensions enable additional functionality beyond the default Talos Linux capabilities. Things like gVisor, GPU support, etc. are good candidates for extensions.
Extensions in this repo are published as container images.
These images can be added to Talos Linux boot asset to produce a final boot asset containing a base Talos initramfs and
a set of system extensions appended to it.
The extension image is composed of a manifest.yaml file that provides information and compatibility information, as well as a rootfs that contains things like compiled binaries that are bind-mounted into the system.
In order to find a container reference for a system extension compatible with your Talos Linux version, you can use the following command:
crane export ghcr.io/siderolabs/extensions:v<talos-version> | tar x -O image-digests | grep <extension-name>For example, to find a compatible version of the gasket-driver extension for Talos v1.5.3, you can run:
$ crane export ghcr.io/siderolabs/extensions:v1.5.3 | tar x -O image-digests | grep gasket-driver
ghcr.io/siderolabs/gasket-driver:97aeba58-v1.5.3@sha256:c786edb356edae3b451cb82d5322f94e54ea0710195181b93ae37ccc8e7ba908Please always use the pinned digest when referencing an extension image.
All extensions are signed with Google Accounts OIDC issuer matching @siderolabs.com domain, so the image signatures can be verified, for example:
cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oidc-issuer https://accounts.google.com ghcr.io/siderolabs/extensions:v1.5.3
cosign verify --certificate-identity-regexp '@siderolabs\.com$' --certificate-oidc-issuer https://accounts.google.com ghcr.io/siderolabs/gasket-driver:97aeba58-v1.5.3@sha256:c786edb356edae3b451cb82d5322f94e54ea0710195181b93ae37ccc8e7ba908Talos Linux provides several official system extensions, which are split into the following tiers based on support level:
| Tier | 🟩 core | 🟨 extra | ⬜ contrib |
|---|---|---|---|
| Description | Extensions fully supported by Sidero Labs | Some level of support, might vary per extension | Supported by the community |
| Supported by Sidero Labs | 🟢 | ✔️ (best effort) | ❌ |
| Support Channel | GitHub Issues, Discussions, Sidero Labs commercial support | GitHub Issues and Discussions | GitHub Discussions in “contrib” section |
| Updates managed by Sidero Labs | 🟢 | 🟢 | ✔️ (best effort) |
| Documentation | 🟢 | ✔️ (best effort) | ❌ |
| Automated tests | 🟢 (or no automated tests required, e.g. firmware) | ✔️ (best effort) | ❌ |
| SBOMs | 🟢 (or not required, e.g. firmware) | ✔️ (best effort) | ❌ (community might provide some, but not required) |
| CVE Scan | 🟢 | ✔️ (scan is done, but CVEs don’t block the release) | ❌ |
| Compatibility/Build issues | 🟢 | ✔️ (best effort) | ❌ (extension will be disabled if it fails to build) |
| Name | Tier | Image | Version | Description |
|---|---|---|---|---|
| crun | 🟨 extra | ghcr.io/siderolabs/crun | 1.22 |
This system extension provides crun using containerd's runtime handler. |
| ecr-credential-provider | 🟨 extra | ghcr.io/siderolabs/ecr-credential-provider | v1.33.1 |
This system extension provides a binary which implements Kubelet's CredentialProvider API to authenticate against AWS' Elastic Container Registry and pull images. |
| gvisor | 🟩 core | ghcr.io/siderolabs/gvisor | 20250707.0 |
This system extension provides gVisor using containerd's runtime handler. |
| gvisor-debug | 🟨 extra | ghcr.io/siderolabs/gvisor-debug | v1.0.0 |
This system extension enables gVisor debug logging. |
| kata-containers | 🟨 extra | ghcr.io/siderolabs/kata-containers | 3.18.0 |
This system extension provides kata-container using containerd's runtime handler. |
| spin | 🟨 extra | ghcr.io/siderolabs/spin | v0.20.0 |
This system extension provides support for spin runtime (WebAssembly) containers. |
| stargz-snapshotter | 🟩 core | ghcr.io/siderolabs/stargz-snapshotter | v0.16.3 |
This system extension provides Stargz Snapshotter using containerd's runtime handler. |
| wasmedge | 🟨 extra | ghcr.io/siderolabs/wasmedge | v0.6.0 |
This system extension provides support for WasmEdge runtime (WebAssembly) containers. |
| youki | ⬜ contrib | ghcr.io/siderolabs/youki | 0.5.3 |
This system extension provides youki using containerd's runtime handler. |
| Name | Tier | Image | Version | Description |
|---|---|---|---|---|
| amd-ucode | 🟩 core | ghcr.io/siderolabs/amd-ucode | 20250808 |
This system extension provides AMD microcode binaries. |
| bnx2-bnx2x | 🟩 core | ghcr.io/siderolabs/bnx2-bnx2x | 20250808 |
This system extension provides bnx2 and bnx2x binaries. |
| chelsio-firmware | ⬜ contrib | ghcr.io/siderolabs/chelsio-firmware | 20250808 |
This system extension provides Chelsio NIC firmware binaries. |
| intel-ice-firmware | 🟩 core | ghcr.io/siderolabs/intel-ice-firmware | 20250808 |
This system extension provides Intel Ice firmware binaries. |
| intel-ucode | 🟩 core | ghcr.io/siderolabs/intel-ucode | 20250812 |
This system extension provides Intel microcode binaries. |
| qlogic-firmware | 🟩 core | ghcr.io/siderolabs/qlogic-firmware | 20250808 |
This system extension provides firmware for QLogic devices. |
| realtek-firmware | 🟩 core | ghcr.io/siderolabs/realtek-firmware | 20250808 |
This system extension provides realtek firmware binaries. |
| revpi-firmware | ⬜ contrib | ghcr.io/siderolabs/revpi-firmware | v1.0.0 |
This system extension provides tools e.g. udev rules for the RevolutionPi platform. |
| Name | Tier | Image | Version | Description |
|---|---|---|---|---|
| amdgpu | 🟩 core | ghcr.io/siderolabs/amdgpu | 20250808-VERSION |
This system extension provides AMDGPU firmware binaries and kernel modules. |
| i915 | 🟩 core | ghcr.io/siderolabs/i915 | 20250808-VERSION |
This system extension provides Intel GPU microcode binaries and kernel modules. |
| panfrost | ⬜ contrib | ghcr.io/siderolabs/panfrost | 20250808-VERSION |
This system extension provides ARM Mali Midgard, Bifrost, and Valhall firmware binaries and kernel modules. |
| vc4 | 🟨 extra | ghcr.io/siderolabs/vc4 | VERSION |
This system extension provides kernel modules for Broadcom VideoCore GPU. |
| Name | Tier | Image | Version | Description |
|---|---|---|---|---|
| amazon-ena | 🟩 core | ghcr.io/siderolabs/amazon-ena | 2.15.0-VERSION |
This system extension provides Amazon ENA kernel modules built against a specific Talos version. ENA is a networking interface designed to make good use of modern CPU features and system architectures. |
| chelsio-drivers | 🟨 extra | ghcr.io/siderolabs/chelsio-drivers | VERSION |
This system extension provides Chelsio network drivers. |
| gasket-driver | 🟨 extra | ghcr.io/siderolabs/gasket-driver | 5815ee3-VERSION |
This system extension provides google gasket driver kernel modules built against a specific Talos version. This driver is required for PCIe and M.2 Google Coral accelerators. There are 2 kernel modules ("gasket" and "apex") required to enable this driver. |
| hailort | 🟨 extra | ghcr.io/siderolabs/hailort | 4.21.0 |
Driver for HailoRT family of AI hardware (eg. Hailo-8L) and is required for PCIe and M.2 Hailo accelerators. |
| mei | 🟩 core | ghcr.io/siderolabs/mei | VERSION |
This system extension provides Intel Management Engine drivers kernel modules built against a specific Talos version. This driver enables the Intel Management Engine, a prerequisite for Intel Arc discrete GPUs. |
| tenstorrent | 🟨 extra | ghcr.io/siderolabs/tenstorrent | 1.34 |
Driver for Tenstorrent AI processing hardware |
| thunderbolt | 🟨 extra | ghcr.io/siderolabs/thunderbolt | VERSION |
This system extension provides Thunderbolt/USB4 drivers kernel modules built against a specific Talos version. It enables support for Thunderbolt/USB4 devices, including those used for networking. WARNING: This extension automatically authorizes all Thunderbolt devices during system boot, which poses potential security risks. Use at your own discretion. |
| uinput | 🟨 extra | ghcr.io/siderolabs/uinput | VERSION |
This system extension provides the uinput kernel module built against a specific Talos version. This kernel module makes it possible to emulate input devices from userspace. By writing to /dev/uinput (or /dev/input/uinput) device, a process can create a virtual input device with specific capabilities. Once this virtual device is created, the process can send events through it, that will be delivered to userspace and in-kernel consumers. |
| usb-modem-drivers | 🟨 extra | ghcr.io/siderolabs/usb-modem-drivers | VERSION |
This system extension provides USB modem drivers kernel modules built against a specific Talos version. This driver is required for USB modems to function. This extension includes all the drivers needed to operate any USB modem under Linux, but your device might not require all of them. Read your device's docs to learn which drivers you need, or just enable them all as a starting point. |
| v4l-uvc-drivers | 🟨 extra | ghcr.io/siderolabs/v4l-uvc-drivers | VERSION |
This system extension provides the Video4Linux kernel modules required for USB Video Class devices built against a specific Talos version. This driver enables Video4Linux devices such as webcams. |
| xdma-driver | 🟨 extra | ghcr.io/siderolabs/xdma-driver | aefa9a1-VERSION |
Xilinx DMA Driver |
| Name | Tier | Image | Version | Description |
|---|---|---|---|---|
| dvb-cx23885 | ⬜ contrib | ghcr.io/siderolabs/dvb-cx23885 | VERSION |
This system extension provides the dvb kernel modules required for Hauppage WinTV-quadHD PCIe tuner built against a specific Talos version. Includes the firmware required. |
| dvb-m88ds3103 | ⬜ contrib | ghcr.io/siderolabs/dvb-m88ds3103 | VERSION |
This system extension provides the dvb-demod-m88ds3103.fw firmware for DVB-S/S2 PCIe cards like DVBSky S952. It is intended to be used as a dependency on existing DVB driver extension dvb-cx23885 that provides the necessary kernel modules. |
| Name | Tier | Image | Version | Description |
|---|---|---|---|---|
| binfmt-misc | 🟨 extra | ghcr.io/siderolabs/binfmt-misc | VERSION |
This system extension provides kernel module driver for binfmt-misc built against a specific Talos version. |
| glibc | 🟩 core | ghcr.io/siderolabs/glibc | 2.41 |
This system extension provides glibc. |
| Name | Tier | Image | Version | Description |
|---|---|---|---|---|
| cloudflared | ⬜ contrib | ghcr.io/siderolabs/cloudflared | 2024.12.1 |
Cloudflare Tunnel securely connects resources to Cloudflare without a public IP. A lightweight daemon (cloudflared) creates outbound-only connections to Cloudflare, allowing safe access to services like HTTP, SSH, remote desktops, and other protocols. More info: https://github.com/cloudflare/cloudflared/ |
| lldpd | 🟨 extra | ghcr.io/siderolabs/lldpd | 1.0.19 |
LLDP adds a LLDP discovery service to Talos. LLDP cli can be used to interface with the daemon. |
| nebula | ⬜ contrib | ghcr.io/siderolabs/nebula | 1.9.5 |
A scalable overlay networking tool with a focus on performance, simplicity and security |
| newt | ⬜ contrib | ghcr.io/siderolabs/newt | 1.3.2 |
Newt is a fully user space WireGuard tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. By using Newt, you don't need to manage complex WireGuard tunnels and NATing. More info: https://github.com/fosrl/newt |
| tailscale | 🟨 extra | ghcr.io/siderolabs/tailscale | 1.84.2 |
Tailscale connects your team's devices and development environments for easy access to remote resources. |
| zerotier | ⬜ contrib | ghcr.io/siderolabs/zerotier | 1.14.2 |
Connect your Talos cluster into a zerotier network |
| Name | Tier | Image | Version | Description |
|---|---|---|---|---|
| btrfs | 🟨 extra | ghcr.io/siderolabs/btrfs | VERSION |
This system extension provides kernel module driver for BTRFS built against a specific Talos version. |
| drbd | 🟨 extra | ghcr.io/siderolabs/drbd | 9.2.14-VERSION |
This system extension provides kernel module driver for DRBD built against a specific Talos version. |
| fuse3 | 🟩 core | ghcr.io/siderolabs/fuse3 | 3.17.2 |
This system extension provides fuse3 functionality. |
| iscsi-tools | 🟩 core | ghcr.io/siderolabs/iscsi-tools | v0.2.0 |
This system extension provides iscsi-tools. |
| mdadm | ⬜ contrib | ghcr.io/siderolabs/mdadm | v4.3 |
This system extension provides mdadm binary. |
| nfsd | 🟨 extra | ghcr.io/siderolabs/nfsd | VERSION |
This system extension provides kernel module driver for NFSD built against a specific Talos version. |
| nfsrahead | ⬜ contrib | ghcr.io/siderolabs/nfsrahead | 2.8.3 |
This system extension provides nfsrahead, a tool to configure the readahead for NFS mounts. |
| zfs | 🟨 extra | ghcr.io/siderolabs/zfs | 2.3.3-VERSION |
This system extension provides the ZFS kernel module, the ZFS utilities, and a service to import all ZFS pools on start and unmount all pools on stop. |
| Name | Tier | Image | Version | Description |
|---|---|---|---|---|
| nut-client | ⬜ contrib | ghcr.io/siderolabs/nut-client | 2.8.3 |
This system extension provides the network-ups-tools upsmon service. |
| Name | Tier | Image | Version | Description |
|---|---|---|---|---|
| metal-agent | 🟩 core | ghcr.io/siderolabs/metal-agent | v0.1.3 |
This system extension provides talos-metal-agent |
| qemu-guest-agent | 🟨 extra | ghcr.io/siderolabs/qemu-guest-agent | 10.1.0 |
This system extension provides the QEMU Guest Agent service. |
| vmtoolsd-guest-agent | 🟨 extra | ghcr.io/siderolabs/vmtoolsd-guest-agent | v1.3.0 |
This system extension provides talos-vmtoolsd |
| xen-guest-agent | 🟨 extra | ghcr.io/siderolabs/xen-guest-agent | 0.4.0-g5c274e6 |
xen-guest-agent communicates information and metrics with the Xen host. |
| Name | Tier | Image | Version | Description |
|---|---|---|---|---|
| nonfree-kmod-nvidia-lts | 🟩 core | ghcr.io/siderolabs/nonfree-kmod-nvidia-lts | 580.65.06-VERSION |
This system extension provides nvidia proprietary kernel modules built against a specific Talos version. |
| nonfree-kmod-nvidia-production | 🟩 core | ghcr.io/siderolabs/nonfree-kmod-nvidia-production | 570.172.08-VERSION |
This system extension provides nvidia proprietary kernel modules built against a specific Talos version. |
| nvidia-container-toolkit-lts | 🟩 core | ghcr.io/siderolabs/nvidia-container-toolkit-lts | 580.65.06-v1.17.8 |
This system extension provides nvidia runtime and it's dependencies using NVIDIA's runtime handler. |
| nvidia-container-toolkit-production | 🟩 core | ghcr.io/siderolabs/nvidia-container-toolkit-production | 570.172.08-v1.17.8 |
This system extension provides nvidia runtime and it's dependencies using NVIDIA's runtime handler. |
| nvidia-fabricmanager-lts | 🟩 core | ghcr.io/siderolabs/nvidia-fabricmanager-lts | 580.65.06 |
This system extension provides the Nvidia fabricmanager for GPU's that need NVLink support. |
| nvidia-fabricmanager-production | 🟩 core | ghcr.io/siderolabs/nvidia-fabricmanager-production | 570.172.08 |
This system extension provides the Nvidia fabricmanager for GPU's that need NVLink support. |
| nvidia-open-gpu-kernel-modules-lts | 🟩 core | ghcr.io/siderolabs/nvidia-open-gpu-kernel-modules-lts | 580.65.06-VERSION |
This system extension provides nvidia open source driver kernel modules built against a specific Talos version. |
| nvidia-open-gpu-kernel-modules-production | 🟩 core | ghcr.io/siderolabs/nvidia-open-gpu-kernel-modules-production | 570.172.08-VERSION |
This system extension provides nvidia open source driver kernel modules built against a specific Talos version. |
| Name | Tier | Image | Version | Description |
|---|---|---|---|---|
| ctr | 🟩 core | ghcr.io/siderolabs/ctr | v2.1.4 |
This extension provides ctr containerd helper binary |
| nvme-cli | ⬜ contrib | ghcr.io/siderolabs/nvme-cli | v2.14 |
This system extension provides the NVMe command line interface. |
| util-linux-tools | ⬜ contrib | ghcr.io/siderolabs/util-linux-tools | 2.41.1 |
This system extension provides a minimal util-linux package. |
In the current form, building extensions requires the use of our bldr tool. It is highly recommended to take a look at an existing extension as a template for building your own. The rough flow should look like the following:
- Create a
manifest.yamlfile that contains information about your system extension. See instructions below for this file. - Create a
pkg.yamlfile that details the full flow of downloading, building, and installing your application. - Once you have these, add your extension to the
TARGETSlist in theMakefile. - You can now build your extension using make like
make <extension-name> PLATFORM=linux/amd64 - If you wish to output the contents of the image and validate your install, you can issue
make local-<extension-name> PLATFORM=linux/amd64 DEST=_out. The contents will then be present in the_outdirectory.
The manifest.yaml file should match the following format:
version: v1alpha1
metadata:
name: <extension name>
version: <version of the package the extension installs>-<version of the extensions repo (tracks with talos version)>
author: Andrew Rynhard
description: |
<detailed description of the extension/package>
## The compatibility section is "optional" but highly recommended to specify a Talos version that
## has been tested and known working for this extension.
compatibility:
talos:
version: ">= v1.0.0"Creating a pkg.yaml file is the normal process from bldr.
See instructions here for details and examples on this format.
Using other existing extensions in this repo for tips is also highly recommended.
One important note is that the final directory tree of the generated package should look like this example from the gvisor package:
├── manifest.yaml
└── rootfs
├── etc
│ └── cri
│ └── conf.d
│ └── gvisor.part
└── usr
└── local
└── bin
├── containerd-shim-runsc-v1
└── runsc
Note that the manifest.yaml file lives at the root, while all installed files live under /rootfs with the full tree of where they should live on the eventual Talos Linux install.
The following restrictions are applied to the contents of the rootfs of the system extension:
- no special files (FIFOs, devices, etc.)
- no world-writeable files or directories
Any paths in the rootfs should be contained within the following hierarchies:
/etc/cri/conf.d//usr/lib/firmware//usr/lib/modules//usr/lib/ld-linux-x86-64.so.2/usr/bin/ldconfig(used by NVIDIA Container Toolkit)/usr/lib/udev/rules.d//usr/local//usr/share/glvnd//usr/share/egl//etc/vulkan/
