kata-deploy: tools: tests: Use zstd instead of xz

Although the compress ratio is not as optimal as using xz, it's way faster to compress / uncompress, and it's "good enough". This change is not small, but it's still self-contained, and has to get in at once, in order to help bisects in the future. Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-08-22 17:59:31 +00:00 · 2025-08-21 00:01:09 +02:00 · 2025-08-21 00:01:09 +02:00 · ad240a39e6
commit ad240a39e6
parent 9cc97ad35c
28 changed files with 120 additions and 116 deletions
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@ -144,7 +144,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error
@ -153,7 +153,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.zst
          retention-days: 15
          if-no-files-found: error
@ -224,7 +224,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error
@ -316,7 +316,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-shim-v2${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-shim-v2.tar.xz
+          path: kata-build/kata-static-shim-v2.tar.zst
          retention-days: 15
          if-no-files-found: error
@ -353,6 +353,6 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-static.tar.xz
+          path: kata-static.tar.zst
          retention-days: 15
          if-no-files-found: error
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@ -121,7 +121,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error
@ -130,7 +130,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.zst
          retention-days: 15
          if-no-files-found: error
@ -195,7 +195,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error
@ -282,7 +282,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-arm64-shim-v2${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-shim-v2.tar.xz
+          path: kata-build/kata-static-shim-v2.tar.zst
          retention-days: 15
          if-no-files-found: error
@ -319,6 +319,6 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-static-tarball-arm64${{ inputs.tarball-suffix }}
-          path: kata-static.tar.xz
+          path: kata-static.tar.zst
          retention-days: 15
          if-no-files-found: error
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@ -83,7 +83,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 1
          if-no-files-found: error
@ -148,7 +148,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 1
          if-no-files-found: error
@ -221,7 +221,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-ppc64le-shim-v2${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-shim-v2.tar.xz
+          path: kata-build/kata-static-shim-v2.tar.zst
          retention-days: 1
          if-no-files-found: error
@ -262,6 +262,6 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-static-tarball-ppc64le${{ inputs.tarball-suffix }}
-          path: kata-static.tar.xz
+          path: kata-static.tar.zst
          retention-days: 1
          if-no-files-found: error
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@ -81,6 +81,6 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-riscv64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@ -115,7 +115,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error
@ -182,7 +182,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error
@ -230,7 +230,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-s390x${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-boot-image-se.tar.xz
+          path: kata-build/kata-static-boot-image-se.tar.zst
          retention-days: 1
          if-no-files-found: error
@ -307,7 +307,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-s390x-shim-v2${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-shim-v2.tar.xz
+          path: kata-build/kata-static-shim-v2.tar.zst
          retention-days: 15
          if-no-files-found: error
@ -348,6 +348,6 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
-          path: kata-static.tar.xz
+          path: kata-static.tar.zst
          retention-days: 15
          if-no-files-found: error
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@ -85,6 +85,6 @@ jobs:
          TAG: ${{ inputs.tag }}
        run: |
          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-          "$(pwd)/kata-static.tar.xz" \
+          "$(pwd)/kata-static.tar.zst" \
          "${REGISTRY}/${REPO}" \
          "${TAG}"
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@ -74,9 +74,9 @@ jobs:
          fi
          for tag in "${tags[@]}"; do
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
          done
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@ -71,9 +71,9 @@ jobs:
          fi
          for tag in "${tags[@]}"; do
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
          done
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@ -71,9 +71,9 @@ jobs:
          fi
          for tag in "${tags[@]}"; do
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
          done
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@ -75,9 +75,9 @@ jobs:
          fi
          for tag in "${tags[@]}"; do
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
          done
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -127,7 +127,7 @@ jobs:
      - name: Set KATA_STATIC_TARBALL env var
        run: |
-          tarball=$(pwd)/kata-static.tar.xz
+          tarball=$(pwd)/kata-static.tar.zst
          echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
      - name: Download amd64 artifacts
--- a/ci/README.md
+++ b/ci/README.md
@ -306,7 +306,7 @@ tarball to the newly created VM that will be used for debugging purposes.
 > [!NOTE]
 > Those artifacts are only available (for 15 days) when all jobs are finished.
-Once you have the `kata-static.tar.xz` in your VM, you can login to the VM with
+Once you have the `kata-static.tar.zst` in your VM, you can login to the VM with
 `kcli ssh debug-nerdctl-pr8070`, go ahead and then clone your development branch
 ```bash
@ -323,15 +323,15 @@ $ git config --global user.name "Your Name"
 $ git rebase upstream/main
 ```
-Now copy the `kata-static.tar.xz` into your `kata-containers/kata-artifacts` directory
+Now copy the `kata-static.tar.zst` into your `kata-containers/kata-artifacts` directory
 ```bash
 $ mkdir kata-artifacts
-$ cp ../kata-static.tar.xz kata-artifacts/
+$ cp ../kata-static.tar.zst kata-artifacts/
 ```
 > [!NOTE]
-> If you downloaded the .zip from GitHub you need to uncompress first to see `kata-static.tar.xz`
+> If you downloaded the .zip from GitHub you need to uncompress first to see `kata-static.tar.zst`
 And finally run the tests following what's in the yaml file for the test you're
 debugging.
@ -363,11 +363,11 @@ and have fun debugging and hacking!
 Steps for debugging the Kubernetes tests are very similar to the ones for
 debugging non-Kubernetes tests, with the caveat that what you'll need, this
-time, is not the `kata-static.tar.xz` tarball, but rather a payload to be used
+time, is not the `kata-static.tar.zst` tarball, but rather a payload to be used
 with kata-deploy.
 In order to generate your own kata-deploy image you can generate your own
-`kata-static.tar.xz` and then take advantage of the following script.  Be aware
+`kata-static.tar.zst` and then take advantage of the following script.  Be aware
 that the image generated and uploaded must be accessible by the VM where you'll
 be performing your tests.
--- a/docs/how-to/how-to-run-kata-containers-with-SE-VMs.md
+++ b/docs/how-to/how-to-run-kata-containers-with-SE-VMs.md
@ -89,16 +89,16 @@ However, if any of these components are absent, they must be built from the
 $ # Assume that the project is cloned at $GOPATH/src/github.com/kata-containers
 $ cd $GOPATH/src/github.com/kata-containers/kata-containers
 $ make rootfs-initrd-confidential-tarball
-$ tar -tf build/kata-static-kernel-confidential.tar.xz | grep vmlinuz
+$ tar --zstd -tf build/kata-static-kernel-confidential.tar.zst | grep vmlinuz
 ./opt/kata/share/kata-containers/vmlinuz-confidential.container
 ./opt/kata/share/kata-containers/vmlinuz-6.7-136-confidential
 $ kernel_version=6.7-136
-$ tar -tf build/kata-static-rootfs-initrd-confidential.tar.xz | grep initrd
+$ tar --zstd -tf build/kata-static-rootfs-initrd-confidential.tar.zst | grep initrd
 ./opt/kata/share/kata-containers/kata-containers-initrd-confidential.img
 ./opt/kata/share/kata-containers/kata-ubuntu-20.04-confidential.initrd
 $ mkdir artifacts
-$ tar -xvf build/kata-static-kernel-confidential.tar.xz -C artifacts ./opt/kata/share/kata-containers/vmlinuz-${kernel_version}-confidential
+$ tar --zstd -xvf build/kata-static-kernel-confidential.tar.zst -C artifacts ./opt/kata/share/kata-containers/vmlinuz-${kernel_version}-confidential
-$ tar -xvf build/kata-static-rootfs-initrd-confidential.tar.xz -C artifacts ./opt/kata/share/kata-containers/kata-ubuntu-20.04-confidential.initrd
+$ tar --zstd -xvf build/kata-static-rootfs-initrd-confidential.tar.zst -C artifacts ./opt/kata/share/kata-containers/kata-ubuntu-20.04-confidential.initrd
 $ ls artifacts/opt/kata/share/kata-containers/
 kata-ubuntu-20.04-confidential.initrd  vmlinuz-${kernel_version}-confidential
 ```
@ -190,8 +190,8 @@ can be easily accomplished by issuing the following make target:
 $ cd $GOPATH/src/github.com/kata-containers/kata-containers
 $ mkdir hkd_dir && cp $host_key_document hkd_dir
 $ HKD_PATH=hkd_dir SE_KERNEL_PARAMS="agent.log=debug" make boot-image-se-tarball
-$ ls build/kata-static-boot-image-se.tar.xz
+$ ls build/kata-static-boot-image-se.tar.zst
-build/kata-static-boot-image-se.tar.xz
+build/kata-static-boot-image-se.tar.zst
 ```
 `SE_KERNEL_PARAMS` could be used to add any extra kernel parameters. If no additional kernel configuration is required, this can be omitted.
@ -344,18 +344,18 @@ $ make virtiofsd-tarball
 $ make shim-v2-tarball
 $ mkdir kata-artifacts
 $ build_dir=$(readlink -f build)
-$ cp -r $build_dir/*.tar.xz kata-artifacts
+$ cp -r $build_dir/*.tar.zst kata-artifacts
 $ ls -1 kata-artifacts
-kata-static-agent.tar.xz
+kata-static-agent.tar.zst
-kata-static-boot-image-se.tar.xz
+kata-static-boot-image-se.tar.zst
-kata-static-coco-guest-components.tar.xz
+kata-static-coco-guest-components.tar.zst
-kata-static-kernel-confidential-modules.tar.xz
+kata-static-kernel-confidential-modules.tar.zst
-kata-static-kernel-confidential.tar.xz
+kata-static-kernel-confidential.tar.zst
-kata-static-pause-image.tar.xz
+kata-static-pause-image.tar.zst
-kata-static-qemu.tar.xz
+kata-static-qemu.tar.zst
-kata-static-rootfs-initrd-confidential.tar.xz
+kata-static-rootfs-initrd-confidential.tar.zst
-kata-static-shim-v2.tar.xz
+kata-static-shim-v2.tar.zst
-kata-static-virtiofsd.tar.xz
+kata-static-virtiofsd.tar.zst
 $ ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
 ```
@ -369,7 +369,7 @@ command before running `kata-deploy-merge-builds.sh`:
 $ make rootfs-image-tarball
 ```
-At this point, you should have an archive file named `kata-static.tar.xz` at the project root,
+At this point, you should have an archive file named `kata-static.tar.zst` at the project root,
 which will be used to build a payload image. If you are using a local container registry at
 `localhost:5000`, proceed with the following:
@ -381,7 +381,7 @@ Build and push a payload image with the name `localhost:5000/build-kata-deploy`
 `latest` using the following:
 ```
-$ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh kata-static.tar.xz localhost:5000/build-kata-deploy latest
+$ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh kata-static.tar.zst localhost:5000/build-kata-deploy latest
 ... logs ...
 Pushing the image localhost:5000/build-kata-deploy:latest to the registry
 The push refers to repository [localhost:5000/build-kata-deploy]
--- a/tests/common.bash
+++ b/tests/common.bash
@ -430,13 +430,13 @@ EOF
 function install_kata_core() {
 	declare -r katadir="$1"
 	declare -r destdir="/"
-	declare -r kata_tarball="kata-static.tar.xz"
+	declare -r kata_tarball="kata-static.tar.zst"
 	# Removing previous kata installation
 	sudo rm -rf "${katadir}"
 	pushd "${kata_tarball_dir}"
-	sudo tar -xvf "${kata_tarball}" -C "${destdir}"
+	sudo tar --zstd -xvf "${kata_tarball}" -C "${destdir}"
 	popd
 }
--- a/tools/osbuilder/rootfs-builder/alpine/Dockerfile.in
+++ b/tools/osbuilder/rootfs-builder/alpine/Dockerfile.in
@ -26,6 +26,7 @@ RUN apk update && apk add --no-cache \
    musl-dev \
    protoc \
    tar \
-    xz
+    xz \
    zstd
 # aarch64 requires this name -- link for all
 RUN ln -s /usr/bin/gcc "/usr/bin/$(uname -m)-linux-musl-gcc"
--- a/tools/osbuilder/rootfs-builder/cbl-mariner/Dockerfile.in
+++ b/tools/osbuilder/rootfs-builder/cbl-mariner/Dockerfile.in
@ -11,6 +11,7 @@ RUN tdnf -y install \
    dnf \
    git \
    tar \
-    xz
+    xz \
    zstd
@INSTALL_RUST@
--- a/tools/osbuilder/rootfs-builder/debian/Dockerfile.in
+++ b/tools/osbuilder/rootfs-builder/debian/Dockerfile.in
@ -33,7 +33,8 @@ RUN apt-get update && apt-get --no-install-recommends install -y \
    tar \
    vim \
    wget \
-    xz-utils
+    xz-utils \
    zstd
 # aarch64 requires this name -- link for all
 RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc"
--- a/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
@ -123,7 +123,7 @@ setup_nvidia_gpu_rootfs_stage_one() {
 	# We need the kernel packages for building the drivers cleanly will be
 	# deinstalled and removed from the roofs once the build finishes.
-	tar -xvf "${BUILD_DIR}"/kata-static-kernel-nvidia-gpu"${appendix}"-headers.tar.xz -C .
+	tar --zstd -xvf "${BUILD_DIR}"/kata-static-kernel-nvidia-gpu"${appendix}"-headers.tar.zst -C .
 	# If we find a local downloaded run file build the kernel modules
 	# with it, otherwise use the distribution packages. Run files may have
@ -237,7 +237,7 @@ chisseled_gpudirect() {
 chisseled_init() {
 	echo "nvidia: chisseling init"
-	tar xvf "${BUILD_DIR}"/kata-static-busybox.tar.xz -C .
+	tar --zstd -xvf "${BUILD_DIR}"/kata-static-busybox.tar.zst -C .
 	mkdir -p dev etc proc run/cdi sys tmp usr var lib/modules lib/firmware \
 		 usr/share/nvidia lib/"${machine_arch}"-linux-gnu lib64        \
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@ -190,7 +190,7 @@ AGENT_SOURCE_BIN    Path to the directory of agent binary.
                    AGENT_SOURCE_BIN and AGENT_TARBALL should never be used toghether.
                    Default value: <not set>
-AGENT_TARBALL       Path to the kata-agent.tar.xz tarball to be unpacked inside the
+AGENT_TARBALL       Path to the kata-agent.tar.zst tarball to be unpacked inside the
                    rootfs.
                    If set, this will take the priority and will be used instead of
                    building the agent.
@ -205,7 +205,7 @@ ARCH                Target architecture (according to \`uname -m\`).
                    and glibc agents.
                    Default value: $(uname -m)
-COCO_GUEST_COMPONENTS_TARBALL       Path to the kata-coco-guest-components.tar.xz tarball to be unpacked inside the
+COCO_GUEST_COMPONENTS_TARBALL       Path to the kata-coco-guest-components.tar.zst tarball to be unpacked inside the
                                    rootfs.
                                    If set, the tarball will be unpacked onto the rootfs.
                                    Default value: <not set>
@ -234,7 +234,7 @@ KERNEL_MODULES_DIR  Path to a directory containing kernel modules to include in
 LIBC                libc the agent is built against (gnu or musl).
                    Default value: ${LIBC} (varies with architecture)
-PAUSE_IMAGE_TARBALL Path to the kata-static-pause-image.tar.xz tarball to be unpacked inside the
+PAUSE_IMAGE_TARBALL Path to the kata-static-pause-image.tar.zst tarball to be unpacked inside the
                    rootfs.
                    If set, the tarball will be unpacked onto the rootfs.
                    Default value: <not set>
@ -756,7 +756,7 @@ EOF
 		cp ${AGENT_SOURCE_BIN} ${AGENT_DEST}
 		OK "cp ${AGENT_SOURCE_BIN} ${AGENT_DEST}"
 	else
-		tar xvJpf ${AGENT_TARBALL} -C ${ROOTFS_DIR}
+		tar  --zstd -xvf ${AGENT_TARBALL} -C ${ROOTFS_DIR}
 	fi
 	${stripping_tool} ${ROOTFS_DIR}/usr/bin/kata-agent
@ -803,7 +803,7 @@ EOF
 	if [[ -n "${GUEST_HOOKS_TARBALL}" ]]; then
 		info "Install the ${GUEST_HOOKS_TARBALL} guest hooks"
-		tar xvJpf "${GUEST_HOOKS_TARBALL}" -C "${ROOTFS_DIR}"
+		tar --zstd -xvf "${GUEST_HOOKS_TARBALL}" -C "${ROOTFS_DIR}"
 	fi
 	info "Check init is installed"
@ -812,12 +812,12 @@ EOF
 	if [ -n "${PAUSE_IMAGE_TARBALL}" ] ; then
 		info "Installing the pause image tarball"
-		tar xvJpf ${PAUSE_IMAGE_TARBALL} -C ${ROOTFS_DIR}
+		tar --zstd -xvf ${PAUSE_IMAGE_TARBALL} -C ${ROOTFS_DIR}
 	fi
 	if [ -n "${COCO_GUEST_COMPONENTS_TARBALL}" ] ; then
 		info "Installing the Confidential Containers guest components tarball"
-		tar xvJpf ${COCO_GUEST_COMPONENTS_TARBALL} -C ${ROOTFS_DIR}
+		tar --zstd -xvf ${COCO_GUEST_COMPONENTS_TARBALL} -C ${ROOTFS_DIR}
 	fi
 	# Create an empty /etc/resolv.conf, to allow agent to bind mount container resolv.conf to Kata VM
--- a/tools/packaging/guest-image/build_se_image.sh
+++ b/tools/packaging/guest-image/build_se_image.sh
@ -48,7 +48,7 @@ build_image() {
 	mkdir -p "${image_source_dir}"
 	pushd "${tarball_dir}"
 	for tarball_id in kernel-confidential rootfs-initrd-confidential; do
-		tar xvf kata-static-${tarball_id}.tar.xz -C "${image_source_dir}"
+		tar --zstd -xvf kata-static-${tarball_id}.tar.zst -C "${image_source_dir}"
 	done
 	popd
--- a/tools/packaging/kata-deploy/Dockerfile
+++ b/tools/packaging/kata-deploy/Dockerfile
@ -5,7 +5,7 @@
 ARG BASE_IMAGE_NAME=alpine
 ARG BASE_IMAGE_TAG=3.22
 FROM $BASE_IMAGE_NAME:$BASE_IMAGE_TAG
-ARG KATA_ARTIFACTS=./kata-static.tar.xz
+ARG KATA_ARTIFACTS=./kata-static.tar.zst
 ARG DESTINATION=/opt/kata-artifacts
 COPY ${KATA_ARTIFACTS} ${WORKDIR}
@ -19,7 +19,7 @@ COPY ${KATA_ARTIFACTS} ${WORKDIR}
 # word splitting, which can also be ignored for now.
 # hadolint ignore=DL3018,SC2086
 RUN \
-	apk --no-cache add bash curl && \
+	apk --no-cache add bash curl tar zstd && \
 	ARCH=$(uname -m) && \
 	if [ "${ARCH}" = "x86_64" ]; then ARCH=amd64; fi && \
 	if [ "${ARCH}" = "aarch64" ]; then ARCH=arm64; fi && \
@ -30,9 +30,9 @@ RUN \
 	curl -fL --progress-bar -o /usr/bin/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-${DEBIAN_ARCH} && \
 	chmod +x /usr/bin/jq && \
 	mkdir -p ${DESTINATION} && \
-	tar xvf ${WORKDIR}/${KATA_ARTIFACTS} -C ${DESTINATION} && \
+	tar --zstd -xvf ${WORKDIR}/${KATA_ARTIFACTS} -C ${DESTINATION} && \
 	rm -f ${WORKDIR}/${KATA_ARTIFACTS} && \
-	apk del curl && \
+	apk del curl tar zstd && \
 	apk --no-cache add py3-pip && \
 	pip install --no-cache-dir yq==3.2.3 --break-system-packages
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@ -57,7 +57,7 @@ endef
 define DUMMY
 	$(call BUILD,"dummy")
-	mv $(MK_DIR)/build/kata-static-dummy.tar.xz $(MK_DIR)/build/kata-static-$(patsubst %-tarball,%,$1).tar.xz
+	mv $(MK_DIR)/build/kata-static-dummy.tar.zst $(MK_DIR)/build/kata-static-$(patsubst %-tarball,%,$1).tar.zst
 endef
 kata-tarball: | all-parallel merge-builds
@ -201,4 +201,4 @@ merge-builds:
 	$(MK_DIR)/kata-deploy-merge-builds.sh build "$(MK_DIR)/../../../../versions.yaml"
 install-tarball:
-	tar -xf ./kata-static.tar.xz -C /
+	tar --zstd -xf ./kata-static.tar.zst -C /
--- a/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile
+++ b/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile
@ -57,7 +57,8 @@ RUN apt-get update && \
    git \
    make \
    wget \
-    xz-utils && \
+    xz-utils \
    zstd && \
    if [ "${ARCH}" != "$(uname -m)" ] && [ "${ARCH}" == "s390x" ]; then \
        apt-get install -y --no-install-recommends \
        gcc-s390x-linux-gnu \
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@ -215,11 +215,11 @@ install_cached_shim_v2_tarball_get_root_hash() {
 	fi
 	local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
-	local image_conf_tarball="kata-static-rootfs-image-confidential.tar.xz"
+	local image_conf_tarball="kata-static-rootfs-image-confidential.tar.zst"
 	local root_hash_basedir="./opt/kata/share/kata-containers/"
-	tar xvf "${tarball_dir}/${image_conf_tarball}" ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,
+	tar --zstd -xvf "${tarball_dir}/${image_conf_tarball}" ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,
 	mv root_hash.txt "${tarball_dir}/root_hash.txt"
 	return 0
@ -290,14 +290,14 @@ install_cached_tarball_component() {
 get_agent_tarball_path() {
 	agent_local_build_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
-	agent_tarball_name="kata-static-agent.tar.xz"
+	agent_tarball_name="kata-static-agent.tar.zst"
 	echo "${agent_local_build_dir}/${agent_tarball_name}"
 }
 get_coco_guest_components_tarball_path() {
 	coco_guest_components_local_build_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
-	coco_guest_components_tarball_name="kata-static-coco-guest-components.tar.xz"
+	coco_guest_components_tarball_name="kata-static-coco-guest-components.tar.zst"
 	echo "${coco_guest_components_local_build_dir}/${coco_guest_components_tarball_name}"
 }
@ -313,7 +313,7 @@ get_latest_coco_guest_components_artefact_and_builder_image_version() {
 get_pause_image_tarball_path() {
 	pause_image_local_build_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
-	pause_image_tarball_name="kata-static-pause-image.tar.xz"
+	pause_image_tarball_name="kata-static-pause-image.tar.zst"
 	echo "${pause_image_local_build_dir}/${pause_image_tarball_name}"
 }
@ -635,12 +635,12 @@ install_cached_kernel_tarball_component() {
 		"kernel-nvidia-gpu"*"")
 			local kernel_headers_dir=$(get_kernel_headers_dir "${kernel_name}")
 			mkdir -p ${kernel_headers_dir} || true
-			tar xvf ${workdir}/${kernel_name}/builddir/kata-static-${kernel_name}-headers.tar.xz -C "${kernel_headers_dir}" || return 1
+			tar --zstd -xvf ${workdir}/${kernel_name}/builddir/kata-static-${kernel_name}-headers.tar.zst -C "${kernel_headers_dir}" || return 1
-			;;& # fallthrough in the confidential case we need the modules.tar.xz and for every kernel-nvidia-gpu we need the headers
+			;;& # fallthrough in the confidential case we need the modules.tar.zst and for every kernel-nvidia-gpu we need the headers
 		"kernel"*"-confidential")
 			local modules_dir=$(get_kernel_modules_dir ${kernel_version} ${kernel_kata_config_version} ${build_target})
 			mkdir -p "${modules_dir}" || true
-			tar xvf "${workdir}/kata-static-${kernel_name}-modules.tar.xz" -C "${modules_dir}" || return 1
+			tar --zstd -xvf "${workdir}/kata-static-${kernel_name}-modules.tar.zst" -C "${modules_dir}" || return 1
 			;;
 	esac
@ -664,13 +664,13 @@ install_kernel_helper() {
 	fi
 	if [[ "${kernel_name}" == "kernel"*"-confidential" ]]; then
-		local kernel_modules_tarball_name="kata-static-${kernel_name}-modules.tar.xz"
+		local kernel_modules_tarball_name="kata-static-${kernel_name}-modules.tar.zst"
 		local kernel_modules_tarball_path="${workdir}/${kernel_modules_tarball_name}"
 		extra_tarballs="${kernel_modules_tarball_name}:${kernel_modules_tarball_path}"
 	fi
 	if [[ "${kernel_name}" == "kernel-nvidia-gpu*" ]]; then
-		local kernel_headers_tarball_name="kata-static-${kernel_name}-headers.tar.xz"
+		local kernel_headers_tarball_name="kata-static-${kernel_name}-headers.tar.zst"
 		local kernel_headers_tarball_path="${workdir}/${kernel_headers_tarball_name}"
 		extra_tarballs+=" ${kernel_headers_tarball_name}:${kernel_headers_tarball_path}"
 	fi
@ -758,7 +758,7 @@ install_qemu_helper() {
 	info "build static ${qemu_name}"
 	"${builder}"
-	tar xvf "${qemu_tarball_name}" -C "${destdir}"
+	tar --zstd -xvf "${qemu_tarball_name}" -C "${destdir}"
 }
 # Install static qemu asset
@ -976,7 +976,7 @@ install_ovmf() {
 		&& return 0
 	DESTDIR="${destdir}" PREFIX="${prefix}" ovmf_build="${ovmf_type}" "${ovmf_builder}"
-	tar xvf "${builddir}/${tarball_name}" -C "${destdir}"
+	tar --zstd -xvf "${builddir}/${tarball_name}" -C "${destdir}"
 }
 # Install OVMF SEV
@ -1196,7 +1196,7 @@ handle_build() {
 	local build_target
 	build_target="$1"
-	export final_tarball_path="${workdir}/kata-static-${build_target}.tar.xz"
+	export final_tarball_path="${workdir}/kata-static-${build_target}.tar.zst"
 	export final_tarball_name="$(basename ${final_tarball_path})"
 	rm -f ${final_tarball_name}
@ -1308,7 +1308,7 @@ handle_build() {
 	virtiofsd) install_virtiofsd ;;
 	dummy)
-		tar cvfJ ${final_tarball_path} --files-from /dev/null
+		tar --zstd -cvf ${final_tarball_path} --files-from /dev/null
 	       	;;
 	*)
@ -1318,54 +1318,54 @@ handle_build() {
 	if [ ! -f "${final_tarball_path}" ]; then
 		cd "${destdir}"
-		tar cvfJ "${final_tarball_path}" "."
+		tar --zstd -cvf "${final_tarball_path}" "."
 	fi
-	tar tvf "${final_tarball_path}"
+	tar --zstd -tvf "${final_tarball_path}"
 	case ${build_target} in
 		kernel-nvidia-gpu*)
-			local kernel_headers_final_tarball_path="${workdir}/kata-static-${build_target}-headers.tar.xz"
+			local kernel_headers_final_tarball_path="${workdir}/kata-static-${build_target}-headers.tar.zst"
 			if [ ! -f "${kernel_headers_final_tarball_path}" ]; then
 				local kernel_headers_dir
 				kernel_headers_dir=$(get_kernel_headers_dir "${build_target}")
 				pushd "${kernel_headers_dir}"
-				find . -type f -name "*.${KERNEL_HEADERS_PKG_TYPE}" -exec tar rvf kernel-headers.tar {} +
+				find . -type f -name "*.${KERNEL_HEADERS_PKG_TYPE}" -exec tar -rvf kernel-headers.tar {} +
 				if [ -n "${KBUILD_SIGN_PIN}" ]; then
 					head -n1 kata-linux-*/certs/signing_key.pem | grep -q "ENCRYPTED PRIVATE KEY" || die "signing_key.pem is not encrypted"
 					mv kata-linux-*/certs/signing_key.pem .
 					mv kata-linux-*/certs/signing_key.x509 .
 					tar -rvf kernel-headers.tar signing_key.pem signing_key.x509 --remove-files
 				fi
-				xz -T0 kernel-headers.tar
+				zstd -T0 kernel-headers.tar -o kernel-headers.tar.zst
-				mv kernel-headers.tar.xz "${kernel_headers_final_tarball_path}"
+				mv kernel-headers.tar.zst "${kernel_headers_final_tarball_path}"
 				popd
 			fi
-			tar tvf "${kernel_headers_final_tarball_path}"
+			tar --zstd -tvf "${kernel_headers_final_tarball_path}"
-			;;& # fallthrough in the confidential case we need the modules.tar.xz and for every kernel-nvidia-gpu we need the headers
+			;;& # fallthrough in the confidential case we need the modules.tar.zst and for every kernel-nvidia-gpu we need the headers
 		kernel*-confidential)
-			local modules_final_tarball_path="${workdir}/kata-static-${build_target}-modules.tar.xz"
+			local modules_final_tarball_path="${workdir}/kata-static-${build_target}-modules.tar.zst"
 			if [ ! -f "${modules_final_tarball_path}" ]; then
 				local modules_dir=$(get_kernel_modules_dir ${kernel_version} ${kernel_kata_config_version} ${build_target})
 				pushd "${modules_dir}"
 				rm -f build
-				tar cvfJ "${modules_final_tarball_path}" "."
+				tar --zstd -cvf "${modules_final_tarball_path}" "."
 				popd
 			fi
-			tar tvf "${modules_final_tarball_path}"
+			tar --zstd -tvf "${modules_final_tarball_path}"
 			;;
 		shim-v2)
 			if [ "${MEASURED_ROOTFS}" = "yes" ]; then
-				local image_conf_tarball="${workdir}/kata-static-rootfs-image-confidential.tar.xz"
+				local image_conf_tarball="${workdir}/kata-static-rootfs-image-confidential.tar.zst"
 				if [ ! -f "${image_conf_tarball}" ]; then
 					die "Building the shim-v2 with MEASURED_ROOTFS support requires a rootfs confidential image tarball"
 				fi
 				local root_hash_basedir="./opt/kata/share/kata-containers/"
-				if ! tar xvf ${image_conf_tarball} ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,; then
+				if ! tar --zstd -xvf ${image_conf_tarball} --transform s,${root_hash_basedir},, ${root_hash_basedir}root_hash.txt; then
-					die "Building the shim-v2 with MEASURED_ROOTFS support requres a rootfs confidential image tarball built with MEASURED_ROOTFS support"
+					die "Building the shim-v2 with MEASURED_ROOTFS support requires a rootfs confidential image tarball built with MEASURED_ROOTFS support"
 				fi
 				mv root_hash.txt ${workdir}/shim-v2-root_hash.txt
@ -1422,18 +1422,18 @@ handle_build() {
 		case ${build_target} in
 			kernel-nvidia-gpu)
 				files_to_push+=(
-					"kata-static-${build_target}-headers.tar.xz"
+					"kata-static-${build_target}-headers.tar.zst"
 				)
 				;;
 			kernel-nvidia-gpu-confidential)
 				files_to_push+=(
-					"kata-static-${build_target}-modules.tar.xz"
+					"kata-static-${build_target}-modules.tar.zst"
-					"kata-static-${build_target}-headers.tar.xz"
+					"kata-static-${build_target}-headers.tar.zst"
 				)
 				;;
 			kernel*-confidential)
 				files_to_push+=(
-					"kata-static-${build_target}-modules.tar.xz"
+					"kata-static-${build_target}-modules.tar.zst"
 				)
 				;;
 			shim-v2)
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
@ -12,7 +12,7 @@ set -o pipefail
 set -o errtrace
 KATA_DEPLOY_DIR="`dirname ${0}`/../../kata-deploy"
-KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.xz"}"
+KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.zst"}"
 REGISTRY="${2:-"quay.io/kata-containers/kata-deploy"}"
 TAG="${3:-}"
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh
@ -16,7 +16,7 @@ repo_root_dir="$(cd "${this_script_dir}/../../../../" && pwd)"
 kata_build_dir=${1:-build}
 kata_versions_yaml_file=${2:-""}
-tar_path="${PWD}/kata-static.tar.xz"
+tar_path="${PWD}/kata-static.tar.zst"
 kata_versions_yaml_file_path="${PWD}/${kata_versions_yaml_file}"
 pushd "${kata_build_dir}"
@ -24,10 +24,10 @@ tarball_content_dir="${PWD}/kata-tarball-content"
 rm -rf "${tarball_content_dir}"
 mkdir "${tarball_content_dir}"
-for c in kata-static-*.tar.xz
+for c in kata-static-*.tar.zst
 do
 	echo "untarring tarball \"${c}\" into ${tarball_content_dir}"
-	tar -xvf "${c}" -C "${tarball_content_dir}"
+	tar --zstd -xvf "${c}" -C "${tarball_content_dir}"
 done
 pushd "${tarball_content_dir}"
@ -46,5 +46,5 @@ pushd "${tarball_content_dir}"
 popd
 echo "create ${tar_path}"
-(cd "${tarball_content_dir}"; tar cvfJ "${tar_path}" --owner=0 --group=0 .)
+(cd "${tarball_content_dir}"; tar --zstd -cvf "${tar_path}" --owner=0 --group=0 .)
 popd
--- a/tools/packaging/release/release.sh
+++ b/tools/packaging/release/release.sh
@ -164,7 +164,7 @@ function _upload_kata_static_tarball()
 	RELEASE_VERSION="$(_release_version)"
-	new_tarball_name="kata-static-${RELEASE_VERSION}-${ARCHITECTURE}.tar.xz"
+	new_tarball_name="kata-static-${RELEASE_VERSION}-${ARCHITECTURE}.tar.zst"
 	mv ${KATA_STATIC_TARBALL} "${new_tarball_name}"
 	echo "uploading asset '${new_tarball_name}' (${ARCHITECTURE}) for tag: ${RELEASE_VERSION}"
 	gh release upload "${RELEASE_VERSION}" "${new_tarball_name}"
--- a/utils/kata-manager.sh
+++ b/utils/kata-manager.sh
@ -219,7 +219,7 @@ github_get_release_file_url()
 	case "$url" in
 		*kata*)
-			regex="kata-static-${version}-${arch_regex}.tar.xz" ;;
+			regex="kata-static-${version}-${arch_regex}.tar.zst" ;;
 		*nerdctl*)
 			# Keep this *always* before the containerd check, as it comes from
 			# the very same containerd organisation on GitHub.