# Talos Linux — Immutable, API-Managed OS for Kubernetes

> A minimal, immutable, SSH-less Linux distribution where every node is configured entirely over a gRPC API — designed only to run Kubernetes.

## Quick Use

Save as a script file and run:

```bash
# Install talosctl (macOS / Linux)
brew install siderolabs/tap/talosctl
# Generate a cluster config (cluster name, Kubernetes API endpoint); writes controlplane.yaml, worker.yaml and talosconfig
talosctl gen config my-cluster https://192.168.1.10:6443
# Apply the config to a booted Talos node (PXE, ISO, or bare-metal installer).
# --insecure is only accepted while the node is in maintenance mode (no CA yet); every later call is mTLS-authenticated via talosconfig
talosctl apply-config --insecure --nodes 192.168.1.10 --file controlplane.yaml
# Use the generated client credentials, then bootstrap etcd (run once, on a single control-plane node)
export TALOSCONFIG=./talosconfig
talosctl bootstrap --endpoints 192.168.1.10 --nodes 192.168.1.10
# Fetch the admin kubeconfig into the current directory and use it
talosctl kubeconfig --endpoints 192.168.1.10 --nodes 192.168.1.10 .
export KUBECONFIG=./kubeconfig
kubectl get nodes
```

## Introduction

Talos Linux is a purpose-built operating system for Kubernetes: no shell, no systemd, no SSH, no package manager. A single `machined` process running as PID 1, written in Go, exposes a gRPC API authenticated with mutual TLS; every configuration change — kernel args, CNI, disks, upgrades — happens through `talosctl`. The surface area exposed to compromise is roughly 10% of that of a general-purpose Linux distribution.

## What Talos Linux Does

- Boots from ISO / PXE / cloud image into a stateless root filesystem
- Configures Kubernetes control plane and workers via declarative YAML
- Exposes only `machined` (gRPC, mTLS) — no SSH, no shell, no package manager
- Upgrades atomically by writing a new system image to the B partition and rebooting
- Supports AWS, Azure, GCP, Hetzner, Equinix, vSphere, bare metal, Raspberry Pi

## Architecture Overview

Talos is built with a minimal musl-libc + Go userspace. `machined` is PID 1 and supervises a handful of services (`etcd`, `kubelet`, `containerd`, `apid`, `trustd`). All state that needs to persist lives on the `STATE` and `EPHEMERAL` partitions; the root is a read-only SquashFS. The gRPC API is mTLS-authenticated via a per-cluster CA bundle; `talosctl` is the only operator-facing tool.
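The Quick Use flow above, wrapped as a script that treats the generated client credentials as secrets and restricts `--insecure` to the one step where it is legitimate. This is an added example, not Sidero Labs' tooling; it assumes `talosctl` and `kubectl` are on `PATH` and that `NODE` is a freshly booted node in maintenance mode. The helper functions are plain shell and run without a cluster.

```bash
#!/usr/bin/env bash
# Added example (not part of the Talos project). Assumes talosctl/kubectl on PATH
# and that NODE is a fresh node in maintenance mode (no PKI yet), the only state
# in which --insecure is acceptable.
set -euo pipefail

CLUSTER="${CLUSTER:-my-cluster}"   # constructed sample values
NODE="${NODE:-192.168.1.10}"
OUT="${OUT:-./_out}"

# talosconfig and kubeconfig both embed private keys: make them owner-only
# and verify the result (ls-based check is portable across Linux and macOS).
harden_secret_file() {
  chmod 600 "$1"
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Only accept installer images pinned to a release tag, so that
# `talosctl upgrade --image ...` is reproducible and never floats on a moving tag.
installer_ref_ok() {
  case "$1" in
    ghcr.io/siderolabs/installer:v[0-9]*.[0-9]*.[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

bootstrap_cluster() {
  mkdir -p "$OUT"
  talosctl gen config "$CLUSTER" "https://${NODE}:6443" -o "$OUT"
  harden_secret_file "$OUT/talosconfig"
  # The single unauthenticated step: the node has no CA until this config lands.
  talosctl apply-config --insecure --nodes "$NODE" --file "$OUT/controlplane.yaml"
  # From here on every call is mTLS-authenticated with the generated talosconfig.
  export TALOSCONFIG="$OUT/talosconfig"
  talosctl config endpoint "$NODE"
  talosctl config node "$NODE"
  talosctl bootstrap
  talosctl kubeconfig "$OUT/kubeconfig"
  harden_secret_file "$OUT/kubeconfig"
  KUBECONFIG="$OUT/kubeconfig" kubectl get nodes
}

if [ "${1:-}" = "run" ]; then
  bootstrap_cluster
fi
```

Invoke as `./bootstrap.sh run`; without the argument only the helper functions are defined, which is what the checks below exercise.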
## Self-Hosting & Configuration

- Use the Image Factory to build custom installer images with extensions
- `controlplane.yaml` / `worker.yaml` define every node's config declaratively
- Omni, available as SaaS or self-hosted, provides a cluster-lifecycle UI and KubeSpan VPN
- Upgrades: `talosctl upgrade --image ghcr.io/siderolabs/installer:v1.8.2`
- Backups: `talosctl etcd snapshot` stores an encrypted etcd snapshot

## Key Features

- No SSH, no shell — drastically reduced attack surface
- Immutable A/B root partitions; atomic upgrades and instant rollback
- Declarative machine config versioned in Git
- KubeSpan mesh (WireGuard) links nodes across clouds without a VPN appliance
- CNCF Sandbox project with active commercial backing (Sidero Labs)

## Comparison with Similar Tools

- **Flatcar / CoreOS** — immutable too, but still include SSH and Ignition; broader distro
- **Bottlerocket (AWS)** — similar philosophy, tightly coupled to EKS/ECS on AWS
- **k0s / k3s on Ubuntu** — easier onboarding, but relies on a general-purpose OS
- **RancherOS** — an older project in the same direction, now discontinued
- **Photon OS** — VMware-centric minimal OS; less Kubernetes-focused

## FAQ

**Q:** How do I debug a node without SSH?
**A:** `talosctl logs machined`, `talosctl dmesg`, `talosctl shell` (ephemeral debug pod). Everything goes through the API.

**Q:** Does it run arbitrary workloads?
**A:** Only Kubernetes workloads. Talos only supports containerd-managed pods.

**Q:** Can I run on bare metal?
**A:** Yes — it is the original target. Use PXE, iPXE, or USB installer images.

**Q:** What about persistent storage?
**A:** `STATE` + `EPHEMERAL` partitions are auto-provisioned; use Rook/Longhorn/Ceph for PVs.

## Sources

- https://github.com/siderolabs/talos
- https://www.talos.dev

---

Source: https://tokrepo.com/en/workflows/2cc9525d-38f0-11f1-9bc6-00163e2b0d79
Author: Script Depot