diff --git a/content/en/docs/next/install/kubernetes/talos-bootstrap.md b/content/en/docs/next/install/kubernetes/talos-bootstrap.md index 1678b79e..a7a40aa8 100644 --- a/content/en/docs/next/install/kubernetes/talos-bootstrap.md +++ b/content/en/docs/next/install/kubernetes/talos-bootstrap.md @@ -102,6 +102,10 @@ talos-bootstrap --help - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is disabled by default" color="warning" %}} + The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes. + {{% /alert %}} + {{% alert title="Do not change op: on these entries" color="warning" %}} Talos rejects `op: create` for any file outside `/var`, returning the error `create operation not allowed outside of /var` — the only exception is the special-cased `/etc/cri/conf.d/20-customization.part`. Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`. Changing the op (or pointing `create` at another `/etc` path) fails the `WriteUserFiles` boot step: the node pauses and enters a reboot loop, and `talosctl bootstrap` reports only `bootstrap is not available yet` with no obvious cause. {{% /alert %}} diff --git a/content/en/docs/next/install/kubernetes/talosctl.md b/content/en/docs/next/install/kubernetes/talosctl.md index 7e9adc94..e2fdaff6 100644 --- a/content/en/docs/next/install/kubernetes/talosctl.md +++ b/content/en/docs/next/install/kubernetes/talosctl.md @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13 - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is disabled by default" color="warning" %}} + The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes. + {{% /alert %}} + {{% alert title="Do not change op: on these entries" color="warning" %}} Talos rejects `op: create` for any file outside `/var`, returning the error `create operation not allowed outside of /var` — the only exception is the special-cased `/etc/cri/conf.d/20-customization.part`. Because `/etc/lvm/lvm.conf` already exists on the node, it must use `op: overwrite`. Changing the op (or pointing `create` at another `/etc` path) fails the `WriteUserFiles` boot step: the node pauses and enters a reboot loop, and `talosctl bootstrap` reports only `bootstrap is not available yet` with no obvious cause. {{% /alert %}} diff --git a/content/en/docs/v0/install/kubernetes/talos-bootstrap.md b/content/en/docs/v0/install/kubernetes/talos-bootstrap.md index 267e61b4..a11b654c 100644 --- a/content/en/docs/v0/install/kubernetes/talos-bootstrap.md +++ b/content/en/docs/v0/install/kubernetes/talos-bootstrap.md @@ -106,6 +106,10 @@ talos-bootstrap --help - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}} + The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: ```yaml diff --git a/content/en/docs/v0/install/kubernetes/talosctl.md b/content/en/docs/v0/install/kubernetes/talosctl.md index 32a6dbf8..66618af8 100644 --- a/content/en/docs/v0/install/kubernetes/talosctl.md +++ b/content/en/docs/v0/install/kubernetes/talosctl.md @@ -130,6 +130,10 @@ Discovered open port 50000/tcp on 192.168.123.13 - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}} + The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: Note that VIP address is used for `machine.network.interfaces[0].vip.ip`: diff --git a/content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md b/content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md index 479fe9bc..3a76627f 100644 --- a/content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md +++ b/content/en/docs/v1.0/install/kubernetes/talos-bootstrap.md @@ -102,6 +102,10 @@ talos-bootstrap --help - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}} + The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: ```yaml diff --git a/content/en/docs/v1.0/install/kubernetes/talosctl.md b/content/en/docs/v1.0/install/kubernetes/talosctl.md index 4675df1e..6171f662 100644 --- a/content/en/docs/v1.0/install/kubernetes/talosctl.md +++ b/content/en/docs/v1.0/install/kubernetes/talosctl.md @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13 - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}} + The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: Note that VIP address is used for `machine.network.interfaces[0].vip.ip`: diff --git a/content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md b/content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md index b380163f..db310a88 100644 --- a/content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md +++ b/content/en/docs/v1.1/install/kubernetes/talos-bootstrap.md @@ -102,6 +102,10 @@ talos-bootstrap --help - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}} + The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: ```yaml diff --git a/content/en/docs/v1.1/install/kubernetes/talosctl.md b/content/en/docs/v1.1/install/kubernetes/talosctl.md index 3cf1b41a..4c0f4ef8 100644 --- a/content/en/docs/v1.1/install/kubernetes/talosctl.md +++ b/content/en/docs/v1.1/install/kubernetes/talosctl.md @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13 - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}} + The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: Note that VIP address is used for `machine.network.interfaces[0].vip.ip`: diff --git a/content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md b/content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md index 19272544..68742cab 100644 --- a/content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md +++ b/content/en/docs/v1.2/install/kubernetes/talos-bootstrap.md @@ -102,6 +102,10 @@ talos-bootstrap --help - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}} + The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: ```yaml diff --git a/content/en/docs/v1.2/install/kubernetes/talosctl.md b/content/en/docs/v1.2/install/kubernetes/talosctl.md index 0f451543..05207761 100644 --- a/content/en/docs/v1.2/install/kubernetes/talosctl.md +++ b/content/en/docs/v1.2/install/kubernetes/talosctl.md @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13 - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is not disabled in this image" color="warning" %}} + The Talos image pinned above predates the KVM nested-virtualization mitigation for [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Adding `kvm_intel.nested=0` / `kvm_amd.nested=0` to `machine.install.extraKernelArgs` takes effect only on BIOS/GRUB nodes; on UEFI/systemd-boot the kernel command line is baked into the UKI and the override is silently ignored. To mitigate reliably, follow the linked advisory or upgrade to a current Cozystack release whose Talos image disables nested virtualization by default. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: Note that VIP address is used for `machine.network.interfaces[0].vip.ip`: diff --git a/content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md b/content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md index bc7b4743..ff145f43 100644 --- a/content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md +++ b/content/en/docs/v1.3/install/kubernetes/talos-bootstrap.md @@ -102,6 +102,10 @@ talos-bootstrap --help - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is disabled by default" color="warning" %}} + The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: ```yaml diff --git a/content/en/docs/v1.3/install/kubernetes/talosctl.md b/content/en/docs/v1.3/install/kubernetes/talosctl.md index c3782f42..77270a35 100644 --- a/content/en/docs/v1.3/install/kubernetes/talosctl.md +++ b/content/en/docs/v1.3/install/kubernetes/talosctl.md @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13 - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is disabled by default" color="warning" %}} + The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: Note that VIP address is used for `machine.network.interfaces[0].vip.ip`: diff --git a/content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md b/content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md index 297d6974..321c701a 100644 --- a/content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md +++ b/content/en/docs/v1.4/install/kubernetes/talos-bootstrap.md @@ -102,6 +102,10 @@ talos-bootstrap --help - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is disabled by default" color="warning" %}} + The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: ```yaml diff --git a/content/en/docs/v1.4/install/kubernetes/talosctl.md b/content/en/docs/v1.4/install/kubernetes/talosctl.md index 1461d23b..965ac502 100644 --- a/content/en/docs/v1.4/install/kubernetes/talosctl.md +++ b/content/en/docs/v1.4/install/kubernetes/talosctl.md @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13 - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is disabled by default" color="warning" %}} + The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: Note that VIP address is used for `machine.network.interfaces[0].vip.ip`: diff --git a/content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md b/content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md index da3ae158..5b5a0737 100644 --- a/content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md +++ b/content/en/docs/v1.5/install/kubernetes/talos-bootstrap.md @@ -102,6 +102,10 @@ talos-bootstrap --help - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is disabled by default" color="warning" %}} + The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: ```yaml diff --git a/content/en/docs/v1.5/install/kubernetes/talosctl.md b/content/en/docs/v1.5/install/kubernetes/talosctl.md index 046bd12b..1a7fb593 100644 --- a/content/en/docs/v1.5/install/kubernetes/talosctl.md +++ b/content/en/docs/v1.5/install/kubernetes/talosctl.md @@ -126,6 +126,10 @@ Discovered open port 50000/tcp on 192.168.123.13 - 10.96.0.0/16 ``` + {{% alert title="KVM nested virtualization is disabled by default" color="warning" %}} + The Cozystack Talos image disables KVM nested virtualization (`kvm_intel.nested=0`, `kvm_amd.nested=0`) to mitigate [CVE-2026-53359](/blog/2026/07/security-advisory-cve-2026-53359-januscape-kvm-guest-to-host-escape/) ("Januscape"), a KVM guest-to-host escape. Cozystack VMs do not need nested virtualization, so no machine-config change is required. If a workload genuinely needs it, build a custom Talos image without these arguments — the setting is baked into the boot assets, so a `machine.install.extraKernelArgs` override is silently ignored on UEFI/systemd-boot nodes. + {{% /alert %}} + 1. Make another configuration patch file `patch-controlplane.yaml` with settings exclusive to control plane nodes: Note that VIP address is used for `machine.network.interfaces[0].vip.ip`: