runtime-rs: fix the issue of hot-unplug memory smaller

It should do nothing instead of return an error when hot-unplug the memory to the size smaller than static plugged memory size. Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
tests: fix the issue of missing teardown pods
2026-02-22 14:54:23 +00:00 · 2025-11-10 14:17:44 +08:00 · 2025-11-10 10:30:17 +08:00 · 2025-11-07 11:29:57 +08:00 · 2025-11-06 16:28:33 +01:00 · 2025-11-06 16:28:33 +01:00
1660 changed files with 105299 additions and 56098 deletions
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -7,19 +7,28 @@
 self-hosted-runner:
  # Labels of self-hosted runner that linter should ignore
  labels:
+    - amd64-nvidia-a100
+    - amd64-nvidia-h100-snp
    - arm64-k8s
-    - ubuntu-22.04-arm
+    - containerd-v1.7-overlayfs
+    - containerd-v2.0-overlayfs
+    - containerd-v2.1-overlayfs
+    - containerd-v2.2
+    - containerd-v2.2-overlayfs
    - garm-ubuntu-2004
    - garm-ubuntu-2004-smaller
    - garm-ubuntu-2204
    - garm-ubuntu-2304
    - garm-ubuntu-2304-smaller
    - garm-ubuntu-2204-smaller
-    - k8s-ppc64le
-    - metrics
    - ppc64le
+    - ppc64le-k8s
+    - ppc64le-small
+    - ubuntu-24.04-ppc64le
+    - metrics
    - riscv-builder
    - sev-snp
    - s390x
    - s390x-large
    - tdx
+    - ubuntu-22.04-arm
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -66,6 +66,9 @@ updates:
      rustix:
        patterns:
          - rustix
+      slab:
+        patterns:
+          - slab
      time:
        patterns:
          - time
--- a/.github/workflows/PR-wip-checks.yaml
+++ b/.github/workflows/PR-wip-checks.yaml
@@ -9,8 +9,7 @@ on:
      - labeled
      - unlabeled

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -3,16 +3,8 @@ name: Lint GHA workflows
 on:
  workflow_dispatch:
  pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
-    paths:
-      - '.github/workflows/**'

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -20,6 +12,7 @@ concurrency:

 jobs:
  run-actionlint:
+    name: run-actionlint
    env:
      GH_TOKEN: ${{ github.token }}
    runs-on: ubuntu-24.04
--- a/.github/workflows/basic-ci-amd64.yaml
+++ b/.github/workflows/basic-ci-amd64.yaml
@@ -13,11 +13,11 @@ on:
        type: string
        default: ""

-permissions:
-  contents: read
+permissions: {}

 jobs:
  run-containerd-sandboxapi:
+    name: run-containerd-sandboxapi
    strategy:
      # We can set this to true whenever we're 100% sure that
      # the all the tests are not flaky, otherwise we'll fail
@@ -49,6 +49,8 @@ jobs:

      - name: Install dependencies
        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
+        env:
+          GH_TOKEN: ${{ github.token }}

      - name: get-kata-tarball
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -64,11 +66,12 @@ jobs:
        run: bash tests/integration/cri-containerd/gha-run.sh run

  run-containerd-stability:
+    name: run-containerd-stability
    strategy:
      fail-fast: false
      matrix:
        containerd_version: ['lts', 'active']
-        vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu', 'stratovirt']
+        vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu']
    runs-on: ubuntu-22.04
    env:
      CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -89,6 +92,8 @@ jobs:

      - name: Install dependencies
        run: bash tests/stability/gha-run.sh install-dependencies
+        env:
+          GH_TOKEN: ${{ github.token }}

      - name: get-kata-tarball
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -104,6 +109,7 @@ jobs:
        run: bash tests/stability/gha-run.sh run

  run-nydus:
+    name: run-nydus
    strategy:
      # We can set this to true whenever we're 100% sure that
      # the all the tests are not flaky, otherwise we'll fail
@@ -111,7 +117,7 @@ jobs:
      fail-fast: false
      matrix:
        containerd_version: ['lts', 'active']
-        vmm: ['clh', 'qemu', 'dragonball', 'stratovirt']
+        vmm: ['clh', 'qemu', 'dragonball']
    runs-on: ubuntu-22.04
    env:
      CONTAINERD_VERSION: ${{ matrix.containerd_version }}
@@ -132,6 +138,8 @@ jobs:

      - name: Install dependencies
        run: bash tests/integration/nydus/gha-run.sh install-dependencies
+        env:
+          GH_TOKEN: ${{ github.token }}

      - name: get-kata-tarball
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -147,6 +155,7 @@ jobs:
        run: bash tests/integration/nydus/gha-run.sh run

  run-runk:
+    name: run-runk
    # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether
    if: false
    runs-on: ubuntu-22.04
@@ -182,6 +191,7 @@ jobs:
        run: bash tests/integration/runk/gha-run.sh run

  run-tracing:
+    name: run-tracing
    strategy:
      fail-fast: false
      matrix:
@@ -209,6 +219,8 @@ jobs:

      - name: Install dependencies
        run: bash tests/functional/tracing/gha-run.sh install-dependencies
+        env:
+          GH_TOKEN: ${{ github.token }}

      - name: get-kata-tarball
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -224,6 +236,7 @@ jobs:
        run: bash tests/functional/tracing/gha-run.sh run

  run-vfio:
+    name: run-vfio
    strategy:
      fail-fast: false
      matrix:
@@ -253,6 +266,8 @@ jobs:

      - name: Install dependencies
        run: bash tests/functional/vfio/gha-run.sh install-dependencies
+        env:
+          GH_TOKEN: ${{ github.token }}

      - name: get-kata-tarball
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -265,6 +280,7 @@ jobs:
        run: bash tests/functional/vfio/gha-run.sh run

  run-docker-tests:
+    name: run-docker-tests
    strategy:
      # We can set this to true whenever we're 100% sure that
      # all the tests are not flaky, otherwise we'll fail them
@@ -272,10 +288,7 @@ jobs:
      fail-fast: false
      matrix:
        vmm:
-          - clh
          - qemu
-          - dragonball
-          - cloud-hypervisor
    runs-on: ubuntu-22.04
    env:
      KATA_HYPERVISOR: ${{ matrix.vmm }}
@@ -294,6 +307,8 @@ jobs:

      - name: Install dependencies
        run: bash tests/integration/docker/gha-run.sh install-dependencies
+        env:
+          GH_TOKEN: ${{ github.token }}

      - name: get-kata-tarball
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -309,6 +324,7 @@ jobs:
        run: bash tests/integration/docker/gha-run.sh run

  run-nerdctl-tests:
+    name: run-nerdctl-tests
    strategy:
      # We can set this to true whenever we're 100% sure that
      # all the tests are not flaky, otherwise we'll fail them
@@ -339,6 +355,7 @@ jobs:
      - name: Install dependencies
        env:
          GITHUB_API_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ github.token }}
        run: bash tests/integration/nerdctl/gha-run.sh install-dependencies

      - name: get-kata-tarball
@@ -367,6 +384,7 @@ jobs:
          retention-days: 1

  run-kata-agent-apis:
+    name: run-kata-agent-apis
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -383,6 +401,8 @@ jobs:

      - name: Install dependencies
        run: bash tests/functional/kata-agent-apis/gha-run.sh install-dependencies
+        env:
+          GH_TOKEN: ${{ github.token }}

      - name: get-kata-tarball
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
--- a/.github/workflows/basic-ci-s390x.yaml
+++ b/.github/workflows/basic-ci-s390x.yaml
@@ -13,11 +13,11 @@ on:
        type: string
        default: ""

-permissions:
-  contents: read
+permissions: {}

 jobs:
  run-containerd-sandboxapi:
+    name: run-containerd-sandboxapi
    strategy:
      # We can set this to true whenever we're 100% sure that
      # the all the tests are not flaky, otherwise we'll fail
@@ -48,7 +48,9 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: Install dependencies
-        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
+        run: bash tests/integration/cri-containerd/gha-run.sh
+        env:
+          GH_TOKEN: ${{ github.token }}

      - name: get-kata-tarball
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -64,6 +66,7 @@ jobs:
        run: bash tests/integration/cri-containerd/gha-run.sh run

  run-containerd-stability:
+    name: run-containerd-stability
    strategy:
      fail-fast: false
      matrix:
@@ -105,6 +108,7 @@ jobs:
        run: bash tests/stability/gha-run.sh run

  run-docker-tests:
+    name: run-docker-tests
    strategy:
      # We can set this to true whenever we're 100% sure that
      # all the tests are not flaky, otherwise we'll fail them
--- a/.github/workflows/build-checks-preview-riscv64.yaml
+++ b/.github/workflows/build-checks-preview-riscv64.yaml
@@ -12,12 +12,12 @@ on:
        required: true
        type: string

-permissions:
-  contents: read
+permissions: {}

 name: Build checks preview riscv64
 jobs:
  check:
+    name: check
    runs-on: ${{ inputs.instance }}
    strategy:
      fail-fast: false
@@ -124,9 +124,11 @@ jobs:
          echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
      - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
        run: |
-          cd ${{ matrix.component.path }}
-          ${{ matrix.command }}
+          cd "${COMPONENT_PATH}"
+          ${COMMAND}
        env:
+          COMMAND: ${{ matrix.command }}
+          COMPONENT_PATH: ${{ matrix.component.path }}
          RUST_BACKTRACE: "1"
          RUST_LIB_BACKTRACE: "0"
          SKIP_GO_VERSION_CHECK: "1"
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
@@ -5,13 +5,14 @@ on:
        required: true
        type: string

-permissions:
-  contents: read
+permissions: {}
+

 name: Build checks
 jobs:
  check:
-    runs-on: ${{ inputs.instance }}
+    name: check
+    runs-on: ${{ matrix.component.name == 'runtime' && inputs.instance == 'ubuntu-24.04-s390x' && 's390x' || matrix.component.name == 'runtime' && inputs.instance == 'ubuntu-24.04-ppc64le' && 'ppc64le' || inputs.instance }}
    strategy:
      fail-fast: false
      matrix:
@@ -42,6 +43,11 @@ jobs:
            path: src/runtime-rs
            needs:
              - rust
+          - name: libs
+            path: src/libs
+            needs:
+              - rust
+              - protobuf-compiler
          - name: agent-ctl
            path: src/tools/agent-ctl
            needs:
@@ -52,6 +58,7 @@ jobs:
            path: src/tools/kata-ctl
            needs:
              - rust
+              - protobuf-compiler
          - name: trace-forwarder
            path: src/tools/trace-forwarder
            needs:
@@ -122,9 +129,11 @@ jobs:
          echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
      - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
        run: |
-          cd ${{ matrix.component.path }}
-          ${{ matrix.command }}
+          cd "${COMPONENT_PATH}"
+          eval "${COMMAND}"
        env:
+          COMMAND: ${{ matrix.command }}
+          COMPONENT_PATH: ${{ matrix.component.path }}
          RUST_BACKTRACE: "1"
          RUST_LIB_BACKTRACE: "0"
          SKIP_GO_VERSION_CHECK: "1"
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -23,12 +23,14 @@ on:
    secrets:
      QUAY_DEPLOYER_PASSWORD:
        required: false
+      KBUILD_SIGN_PIN:
+        required: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  build-asset:
+    name: build-asset
    runs-on: ubuntu-22.04
    permissions:
      contents: read
@@ -61,7 +63,6 @@ jobs:
          - qemu
          - qemu-snp-experimental
          - qemu-tdx-experimental
-          - stratovirt
          - trace-forwarder
          - virtiofsd
        stage:
@@ -108,12 +109,15 @@ jobs:
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}

      - name: Parse OCI image name and digest
        id: parse-oci-segments
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
        run: |
-          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+          oci_image="$(<"build/${KATA_ASSET}-oci-image")"
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

@@ -141,7 +145,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error

@@ -150,11 +154,12 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.zst
          retention-days: 15
          if-no-files-found: error

  build-asset-rootfs:
+    name: build-asset-rootfs
    runs-on: ubuntu-22.04
    needs: build-asset
    permissions:
@@ -215,17 +220,19 @@ jobs:
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts:
+    name: remove-rootfs-binary-artifacts
    runs-on: ubuntu-22.04
    needs: build-asset-rootfs
    strategy:
@@ -243,6 +250,7 @@ jobs:

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts-for-release:
+    name: remove-rootfs-binary-artifacts-for-release
    runs-on: ubuntu-22.04
    needs: build-asset-rootfs
    strategy:
@@ -256,6 +264,7 @@ jobs:
          name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }}

  build-asset-shim-v2:
+    name: build-asset-shim-v2
    runs-on: ubuntu-22.04
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
    permissions:
@@ -312,11 +321,12 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-shim-v2${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-shim-v2.tar.xz
+          path: kata-build/kata-static-shim-v2.tar.zst
          retention-days: 15
          if-no-files-found: error

  create-kata-tarball:
+    name: create-kata-tarball
    runs-on: ubuntu-22.04
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
    permissions:
@@ -349,6 +359,6 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-static.tar.xz
+          path: kata-static.tar.zst
          retention-days: 15
          if-no-files-found: error
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -23,12 +23,14 @@ on:
    secrets:
      QUAY_DEPLOYER_PASSWORD:
        required: false
+      KBUILD_SIGN_PIN:
+        required: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  build-asset:
+    name: build-asset
    runs-on: ubuntu-22.04-arm
    permissions:
      contents: read
@@ -45,10 +47,10 @@ jobs:
          - kernel
          - kernel-dragonball-experimental
          - kernel-nvidia-gpu
+          - kernel-cca-confidential
          - nydus
          - ovmf
          - qemu
-          - stratovirt
          - virtiofsd
    env:
      PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
@@ -88,12 +90,15 @@ jobs:
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}

      - name: Parse OCI image name and digest
        id: parse-oci-segments
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
        run: |
-          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+          oci_image="$(<"build/${KATA_ASSET}-oci-image")"
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

@@ -121,7 +126,7 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error

@@ -130,11 +135,12 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.zst
          retention-days: 15
          if-no-files-found: error

  build-asset-rootfs:
+    name: build-asset-rootfs
    runs-on: ubuntu-22.04-arm
    needs: build-asset
    permissions:
@@ -190,17 +196,19 @@ jobs:
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts:
+    name: remove-rootfs-binary-artifacts
    runs-on: ubuntu-22.04-arm
    needs: build-asset-rootfs
    strategy:
@@ -215,6 +223,7 @@ jobs:

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts-for-release:
+    name: remove-rootfs-binary-artifacts-for-release
    runs-on: ubuntu-22.04-arm
    needs: build-asset-rootfs
    strategy:
@@ -228,6 +237,7 @@ jobs:
          name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}

  build-asset-shim-v2:
+    name: build-asset-shim-v2
    runs-on: ubuntu-22.04-arm
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
    permissions:
@@ -282,11 +292,12 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-arm64-shim-v2${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-shim-v2.tar.xz
+          path: kata-build/kata-static-shim-v2.tar.zst
          retention-days: 15
          if-no-files-found: error

  create-kata-tarball:
+    name: create-kata-tarball
    runs-on: ubuntu-22.04-arm
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
    permissions:
@@ -319,6 +330,6 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-static-tarball-arm64${{ inputs.tarball-suffix }}
-          path: kata-static.tar.xz
+          path: kata-static.tar.zst
          retention-days: 15
          if-no-files-found: error
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -24,15 +24,15 @@ on:
      QUAY_DEPLOYER_PASSWORD:
        required: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  build-asset:
+    name: build-asset
    permissions:
      contents: read
      packages: write
-    runs-on: ppc64le
+    runs-on: ppc64le-small
    strategy:
      matrix:
        asset:
@@ -83,12 +83,13 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 1
          if-no-files-found: error

  build-asset-rootfs:
-    runs-on: ppc64le
+    name: build-asset-rootfs
+    runs-on: ppc64le-small
    needs: build-asset
    permissions:
      contents: read
@@ -148,12 +149,13 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 1
          if-no-files-found: error

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts:
+    name: remove-rootfs-binary-artifacts
    runs-on: ubuntu-22.04
    needs: build-asset-rootfs
    strategy:
@@ -167,7 +169,8 @@ jobs:
          name: kata-artifacts-ppc64le-${{ matrix.asset}}${{ inputs.tarball-suffix }}

  build-asset-shim-v2:
-    runs-on: ppc64le
+    name: build-asset-shim-v2
+    runs-on: ppc64le-small
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
    permissions:
      contents: read
@@ -221,12 +224,13 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-ppc64le-shim-v2${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-shim-v2.tar.xz
+          path: kata-build/kata-static-shim-v2.tar.zst
          retention-days: 1
          if-no-files-found: error

  create-kata-tarball:
-    runs-on: ppc64le
+    name: create-kata-tarball
+    runs-on: ppc64le-small
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
    permissions:
      contents: read
@@ -262,6 +266,6 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-static-tarball-ppc64le${{ inputs.tarball-suffix }}
-          path: kata-static.tar.xz
+          path: kata-static.tar.zst
          retention-days: 1
          if-no-files-found: error
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@@ -24,11 +24,11 @@ on:
      QUAY_DEPLOYER_PASSWORD:
        required: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  build-asset:
+    name: build-asset
    runs-on: riscv-builder
    permissions:
      contents: read
@@ -81,6 +81,6 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-riscv64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -27,11 +27,11 @@ on:
        required: true


-permissions:
-  contents: read
+permissions: {}

 jobs:
  build-asset:
+    name: build-asset
    runs-on: s390x
    permissions:
      contents: read
@@ -91,8 +91,10 @@ jobs:
      - name: Parse OCI image name and digest
        id: parse-oci-segments
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+        env:
+          ASSET: ${{ matrix.asset }}
        run: |
-          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+          oci_image="$(<"build/${ASSET}-oci-image")"
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

@@ -115,11 +117,12 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error

  build-asset-rootfs:
+    name: build-asset-rootfs
    runs-on: s390x
    needs: build-asset
    permissions:
@@ -182,11 +185,12 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
          retention-days: 15
          if-no-files-found: error

  build-asset-boot-image-se:
+    name: build-asset-boot-image-se
    runs-on: s390x
    needs: [build-asset, build-asset-rootfs]
    permissions:
@@ -230,12 +234,13 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-s390x${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-boot-image-se.tar.xz
+          path: kata-build/kata-static-boot-image-se.tar.zst
          retention-days: 1
          if-no-files-found: error

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts:
+    name: remove-rootfs-binary-artifacts
    runs-on: ubuntu-22.04
    needs: [build-asset-rootfs, build-asset-boot-image-se]
    strategy:
@@ -251,6 +256,7 @@ jobs:
          name: kata-artifacts-s390x-${{ matrix.asset}}${{ inputs.tarball-suffix }}

  build-asset-shim-v2:
+    name: build-asset-shim-v2
    runs-on: s390x
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
    permissions:
@@ -307,11 +313,12 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-s390x-shim-v2${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-shim-v2.tar.xz
+          path: kata-build/kata-static-shim-v2.tar.zst
          retention-days: 15
          if-no-files-found: error

  create-kata-tarball:
+    name: create-kata-tarball
    runs-on: s390x
    needs:
      - build-asset
@@ -348,6 +355,6 @@ jobs:
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
-          path: kata-static.tar.xz
+          path: kata-static.tar.zst
          retention-days: 15
          if-no-files-found: error
--- a/.github/workflows/cargo-deny-runner.yaml
+++ b/.github/workflows/cargo-deny-runner.yaml
@@ -11,11 +11,11 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  cargo-deny-runner:
+    name: cargo-deny-runner
    runs-on: ubuntu-22.04

    steps:
--- a/.github/workflows/ci-coco-stability.yaml
+++ b/.github/workflows/ci-coco-stability.yaml
@@ -9,8 +9,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  kata-containers-ci-on-push:
@@ -31,3 +30,4 @@ jobs:
      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@@ -2,8 +2,7 @@ name: Kata Containers CI (manually triggered)
 on:
  workflow_dispatch:

-permissions:
-  contents: read
+permissions: {}

 jobs:
  kata-containers-ci-on-push:
@@ -27,6 +26,8 @@ jobs:
      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
      ITA_KEY: ${{ secrets.ITA_KEY }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

  build-checks:
    uses: ./.github/workflows/build-checks.yaml
--- a/.github/workflows/ci-nightly-s390x.yaml
+++ b/.github/workflows/ci-nightly-s390x.yaml
@@ -4,11 +4,11 @@ on:

 name: Nightly CI for s390x

-permissions:
-  contents: read
+permissions: {}

 jobs:
  check-internal-test-result:
+    name: check-internal-test-result
    runs-on: s390x
    strategy:
      fail-fast: false
@@ -16,7 +16,8 @@ jobs:
        test_title:
          - kata-vfio-ap-e2e-tests
          - cc-vfio-ap-e2e-tests
-          - cc-se-e2e-tests
+          - cc-se-e2e-tests-go
+          - cc-se-e2e-tests-rs
    steps:
    - name: Fetch a test result for {{ matrix.test_title }}
      run: |
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -7,8 +7,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  kata-containers-ci-on-push:
@@ -31,3 +30,5 @@ jobs:
      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
      ITA_KEY: ${{ secrets.ITA_KEY }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -1,9 +1,8 @@
 name: Kata Containers CI
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
    branches:
      - 'main'
-      - 'stable-*'
    types:
      # Adding 'labeled' to the list of activity types that trigger this event
      # (default: opened, synchronize, reopened) so that we can run this
@@ -14,8 +13,7 @@ on:
      - reopened
      - labeled

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -52,3 +50,5 @@ jobs:
      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
      ITA_KEY: ${{ secrets.ITA_KEY }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -27,9 +27,10 @@ on:
        required: true
      QUAY_DEPLOYER_PASSWORD:
        required: true
+      KBUILD_SIGN_PIN:
+        required: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  build-kata-static-tarball-amd64:
@@ -43,6 +44,8 @@ jobs:
      tarball-suffix: -${{ inputs.tag }}
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}
+    secrets:
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

  publish-kata-deploy-payload-amd64:
    needs: build-kata-static-tarball-amd64
@@ -63,6 +66,7 @@ jobs:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-and-publish-tee-confidential-unencrypted-image:
+    name: build-and-publish-tee-confidential-unencrypted-image
    permissions:
      contents: read
      packages: write
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -35,10 +35,12 @@ on:
        required: true
      QUAY_DEPLOYER_PASSWORD:
        required: true
+      NGC_API_KEY:
+        required: true
+      KBUILD_SIGN_PIN:
+        required: true

-permissions:
-  contents: read
-  id-token: write
+permissions: {}

 jobs:
  build-kata-static-tarball-amd64:
@@ -52,6 +54,8 @@ jobs:
      tarball-suffix: -${{ inputs.tag }}
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}
+    secrets:
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

  publish-kata-deploy-payload-amd64:
    needs: build-kata-static-tarball-amd64
@@ -82,6 +86,8 @@ jobs:
      tarball-suffix: -${{ inputs.tag }}
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}
+    secrets:
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

  publish-kata-deploy-payload-arm64:
    needs: build-kata-static-tarball-arm64
@@ -173,12 +179,13 @@ jobs:
      tag: ${{ inputs.tag }}-ppc64le
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le
+      runner: ppc64le-small
      arch: ppc64le
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-and-publish-tee-confidential-unencrypted-image:
+    name: build-and-publish-tee-confidential-unencrypted-image
    permissions:
      contents: read
      packages: write
@@ -220,6 +227,7 @@ jobs:
          file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile

  publish-csi-driver-amd64:
+    name: publish-csi-driver-amd64
    needs: build-kata-static-tarball-amd64
    permissions:
      contents: read
@@ -286,6 +294,10 @@ jobs:
    if: ${{ inputs.skip-test != 'yes' }}
    needs: publish-kata-deploy-payload-amd64
    uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
+
+    permissions:
+      contents: read
+      id-token: write # Used for OIDC access to log into Azure
    with:
      tarball-suffix: -${{ inputs.tag }}
      registry: ghcr.io
@@ -299,18 +311,6 @@ jobs:
      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}

-  run-k8s-tests-on-amd64:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-amd64
-    uses: ./.github/workflows/run-k8s-tests-on-amd64.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-
  run-k8s-tests-on-arm64:
    if: ${{ inputs.skip-test != 'yes' }}
    needs: publish-kata-deploy-payload-arm64
@@ -323,6 +323,21 @@ jobs:
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}

+  run-k8s-tests-on-nvidia-gpu:
+    if: ${{ inputs.skip-test != 'yes' }}
+    needs: publish-kata-deploy-payload-amd64
+    uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
+    with:
+      registry: ghcr.io
+      repo: ${{ github.repository_owner }}/kata-deploy-ci
+      tag: ${{ inputs.tag }}-amd64
+      commit-hash: ${{ inputs.commit-hash }}
+      pr-number: ${{ inputs.pr-number }}
+      target-branch: ${{ inputs.target-branch }}
+    secrets:
+      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+
+
  run-kata-coco-tests:
    if: ${{ inputs.skip-test != 'yes' }}
    needs:
@@ -330,6 +345,9 @@ jobs:
     - build-and-publish-tee-confidential-unencrypted-image
     - publish-csi-driver-amd64
    uses: ./.github/workflows/run-kata-coco-tests.yaml
+    permissions:
+      contents: read
+      id-token: write # Used for OIDC access to log into Azure
    with:
      tarball-suffix: -${{ inputs.tag }}
      registry: ghcr.io
@@ -383,20 +401,6 @@ jobs:
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}

-  run-metrics-tests:
-    # Skip metrics tests whilst runner is broken
-    if: false
-    # if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-amd64
-    uses: ./.github/workflows/run-metrics.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-
  run-basic-amd64-tests:
    if: ${{ inputs.skip-test != 'yes' }}
    needs: build-kata-static-tarball-amd64
@@ -425,13 +429,11 @@ jobs:
          { containerd_version: lts,    vmm: clh              },
          { containerd_version: lts,    vmm: dragonball       },
          { containerd_version: lts,    vmm: qemu             },
-          { containerd_version: lts,    vmm: stratovirt       },
          { containerd_version: lts,    vmm: cloud-hypervisor },
          { containerd_version: lts,    vmm: qemu-runtime-rs  },
          { containerd_version: active, vmm: clh              },
          { containerd_version: active, vmm: dragonball       },
          { containerd_version: active, vmm: qemu             },
-          { containerd_version: active, vmm: stratovirt       },
          { containerd_version: active, vmm: cloud-hypervisor },
          { containerd_version: active, vmm: qemu-runtime-rs  },
         ]
@@ -479,7 +481,7 @@ jobs:
      tarball-suffix: -${{ inputs.tag }}
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le
+      runner: ppc64le-small
      arch: ppc64le
      containerd_version: ${{ matrix.params.containerd_version }}
      vmm: ${{ matrix.params.vmm }}
--- a/.github/workflows/cleanup-resources.yaml
+++ b/.github/workflows/cleanup-resources.yaml
@@ -4,13 +4,14 @@ on:
    - cron: "0 0 * * *"
  workflow_dispatch:

-permissions:
-  contents: read
-  id-token: write
+permissions: {}

 jobs:
  cleanup-resources:
+    name: cleanup-resources
    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write # Used for OIDC access to log into Azure
    environment: ci
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,8 +19,8 @@ on:
  schedule:
    - cron: '45 0 * * 1'

-permissions:
-  contents: read
+permissions: {}
+

 jobs:
  analyze:
--- a/.github/workflows/commit-message-check.yaml
+++ b/.github/workflows/commit-message-check.yaml
@@ -6,8 +6,7 @@ on:
      - reopened
      - synchronize

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -42,7 +41,7 @@ jobs:
        filter_out_pattern: '^Revert "|^Reapply "'

    - name: DCO Check
-      uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20 # master (2020-04-28)
+      uses: tim-actions/dco@f2279e6e62d5a7d9115b0cb8e837b777b1b02e21 # v1.1.0
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}

--- a/.github/workflows/darwin-tests.yaml
+++ b/.github/workflows/darwin-tests.yaml
@@ -6,8 +6,7 @@ on:
      - reopened
      - synchronize

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -16,15 +15,29 @@ concurrency:
 name: Darwin tests
 jobs:
  test:
+    name: test
    runs-on: macos-latest
    steps:
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-      with:
-        go-version: 1.23.10
+    - name: Install Protoc
+      run: |
+        f=$(mktemp)
+        curl -sSLo "$f" https://github.com/protocolbuffers/protobuf/releases/download/v28.2/protoc-28.2-osx-aarch_64.zip
+        mkdir -p "$HOME/.local"
+        unzip -d "$HOME/.local" "$f"
+        echo "$HOME/.local/bin" >> "${GITHUB_PATH}"
+
    - name: Checkout code
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        persist-credentials: false
+
+    - name: Install golang
+      run: |
+        ./tests/install_go.sh -f -p
+        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
+
+    - name: Install Rust
+      run: ./tests/install_rust.sh
+
    - name: Build utils
      run: ./ci/darwin-test.sh
--- a/.github/workflows/docs-url-alive-check.yaml
+++ b/.github/workflows/docs-url-alive-check.yaml
@@ -1,36 +1,34 @@
 on:
  schedule:
    - cron:  '0 23 * * 0'
+  workflow_dispatch:

-permissions:
-  contents: read
+permissions: {}

 name: Docs URL Alive Check
 jobs:
  test:
+    name: test
    runs-on: ubuntu-22.04
    # don't run this action on forks
    if: github.repository_owner == 'kata-containers'
    env:
      target_branch: ${{ github.base_ref }}
    steps:
-    - name: Install Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
-      with:
-        go-version: 1.23.10
-      env:
-        GOPATH: ${{ github.workspace }}/kata-containers
    - name: Set env
      run: |
-        echo "GOPATH=${{ github.workspace }}" >> "$GITHUB_ENV"
-        echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+        echo "GOPATH=${GITHUB_WORKSPACE}" >> "$GITHUB_ENV"
    - name: Checkout code
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        fetch-depth: 0
        persist-credentials: false
-        path: ./src/github.com/${{ github.repository }}
-    # docs url alive check
+
+    - name: Install golang
+      run: |
+        ./tests/install_go.sh -f -p
+        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
+
    - name: Docs URL Alive Check
      run: |
-        cd "${GOPATH}/src/github.com/${{ github.repository }}" && make docs-url-alive-check
+        make docs-url-alive-check
--- a/.github/workflows/gatekeeper-skipper.yaml
+++ b/.github/workflows/gatekeeper-skipper.yaml
@@ -31,11 +31,11 @@ on:
      skip_static:
        value: ${{ jobs.skipper.outputs.skip_static }}

-permissions:
-  contents: read
+permissions: {}

 jobs:
  skipper:
+    name: skipper
    runs-on: ubuntu-22.04
    outputs:
      skip_build: ${{ steps.skipper.outputs.skip_build }}
--- a/.github/workflows/gatekeeper.yaml
+++ b/.github/workflows/gatekeeper.yaml
@@ -5,15 +5,14 @@ name: Gatekeeper
 # reporting the status.

 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
    types:
      - opened
      - synchronize
      - reopened
      - labeled

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -21,6 +20,7 @@ concurrency:

 jobs:
  gatekeeper:
+    name: gatekeeper
    runs-on: ubuntu-22.04
    permissions:
      actions: read
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -3,23 +3,23 @@ on:

 name: Govulncheck

-permissions:
-  contents: read
+permissions: {}

 jobs:
  govulncheck:
+    name: govulncheck
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        include:
          - binary: "kata-runtime"
            make_target: "runtime"
-          - binary: "containerd-shim-kata-v2" 
+          - binary: "containerd-shim-kata-v2"
            make_target: "containerd-shim-v2"
          - binary: "kata-monitor"
            make_target: "monitor"
      fail-fast: false
-    
+
    steps:
      - name: Checkout the code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
@@ -40,11 +40,14 @@ jobs:
      - name: Build runtime binaries
        run: |
          cd src/runtime
-          make ${{ matrix.make_target }}
+          make "${MAKE_TARGET}"
        env:
+          MAKE_TARGET: ${{ matrix.make_target }}
          SKIP_GO_VERSION_CHECK: "1"

      - name: Run govulncheck on ${{ matrix.binary }}
+        env:
+          BINARY: ${{ matrix.binary }}
        run: |
          cd src/runtime
-          bash ../../tests/govulncheck-runner.sh "./${{ matrix.binary }}"
+          bash ../../tests/govulncheck-runner.sh "./${BINARY}"
--- a/.github/workflows/kata-runtime-classes-sync.yaml
+++ b/.github/workflows/kata-runtime-classes-sync.yaml
@@ -1,3 +1,5 @@
+name: kata-runtime-classes-sync
+
 on:
  pull_request:
    types:
@@ -6,8 +8,7 @@ on:
      - reopened
      - synchronize

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -15,6 +16,7 @@ concurrency:

 jobs:
  kata-deploy-runtime-classes-check:
+    name: kata-deploy-runtime-classes-check
    runs-on: ubuntu-22.04
    steps:
    - name: Checkout code
--- a/.github/workflows/nydus-snapshotter-version-in-sync.yaml
+++ b/.github/workflows/nydus-snapshotter-version-in-sync.yaml
@@ -0,0 +1,35 @@
+name: nydus-snapshotter-version-sync
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  nydus-snapshotter-version-check:
+    name: nydus-snapshotter-version-check
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
+    - name: Ensure nydus-snapshotter-version is in sync inside our repo
+      run: |
+        dockerfile_version=$(grep "ARG NYDUS_SNAPSHOTTER_VERSION" tools/packaging/kata-deploy/Dockerfile | cut -f2 -d'=')
+        versions_version=$(yq ".externals.nydus-snapshotter.version | explode(.)" versions.yaml)
+        if [[ "${dockerfile_version}" != "${versions_version}" ]]; then
+          echo "nydus-snapshotter version must be the same in the following places: "
+          echo "- versions.yaml: ${versions_version}"
+          echo "- tools/packaging/kata-deploy/Dockerfile: ${dockerfile_version}"
+          exit 1
+        fi
--- a/.github/workflows/osv-scanner.yaml
+++ b/.github/workflows/osv-scanner.yaml
@@ -15,6 +15,8 @@ on:
  push:
    branches: [ "main" ]

+permissions: {}
+
 jobs:
  scan-scheduled:
    permissions:
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -5,8 +5,7 @@ on:
      - main
  workflow_dispatch:

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -25,6 +24,7 @@ jobs:
      target-branch: ${{ github.ref_name }}
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

  build-assets-arm64:
    permissions:
@@ -39,6 +39,7 @@ jobs:
      target-branch: ${{ github.ref_name }}
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

  build-assets-s390x:
    permissions:
@@ -130,12 +131,13 @@ jobs:
      repo: kata-containers/kata-deploy-ci
      tag: kata-containers-latest-ppc64le
      target-branch: ${{ github.ref_name }}
-      runner: ppc64le
+      runner: ppc64le-small
      arch: ppc64le
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  publish-manifest:
+    name: publish-manifest
    runs-on: ubuntu-22.04
    permissions:
      contents: read
@@ -160,3 +162,42 @@ jobs:
        env:
          KATA_DEPLOY_IMAGE_TAGS: "kata-containers-latest"
          KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy-ci"
+
+  upload-helm-chart-tarball:
+    name: upload-helm-chart-tarball
+    needs: publish-manifest
+    runs-on: ubuntu-22.04
+    permissions:
+      packages: write # needed to push the helm chart to ghcr.io
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Install helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        id: install
+
+      - name: Login to the OCI registries
+        env:
+          QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
+          QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
+          echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
+
+      - name: Push helm chart to the OCI registries
+        run: |
+          echo "Adjusting the Chart.yaml and values.yaml"
+          yq eval '.version = "0.0.0-dev" | .appVersion = "0.0.0-dev"' -i tools/packaging/kata-deploy/helm-chart/kata-deploy/Chart.yaml
+          yq eval '.image.reference = "quay.io/kata-containers/kata-deploy-ci" | .image.tag = "kata-containers-latest"' -i tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
+
+          echo "Generating the chart package"
+          helm dependencies update tools/packaging/kata-deploy/helm-chart/kata-deploy
+          helm package tools/packaging/kata-deploy/helm-chart/kata-deploy
+
+          echo "Pushing the chart to the OCI registries"
+          helm push "kata-deploy-0.0.0-dev.tgz" oci://quay.io/kata-containers/kata-deploy-charts
+          helm push "kata-deploy-0.0.0-dev.tgz" oci://ghcr.io/kata-containers/kata-deploy-charts
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -34,11 +34,11 @@ on:
      QUAY_DEPLOYER_PASSWORD:
        required: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  kata-payload:
+    name: kata-payload
    permissions:
      contents: read
      packages: write
@@ -85,6 +85,6 @@ jobs:
          TAG: ${{ inputs.tag }}
        run: |
          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-          "$(pwd)/kata-static.tar.xz" \
+          "$(pwd)/kata-static.tar.zst" \
          "${REGISTRY}/${REPO}" \
          "${TAG}"
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -8,9 +8,10 @@ on:
    secrets:
      QUAY_DEPLOYER_PASSWORD:
        required: true
+      KBUILD_SIGN_PIN:
+        required: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  build-kata-static-tarball-amd64:
@@ -20,6 +21,7 @@ jobs:
      stage: release
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
    permissions:
      contents: read
      packages: write
@@ -27,6 +29,7 @@ jobs:
      attestations: write

  kata-deploy:
+    name: kata-deploy
    needs: build-kata-static-tarball-amd64
    permissions:
      contents: read
@@ -71,9 +74,9 @@ jobs:
          fi
          for tag in "${tags[@]}"; do
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
          done
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -8,9 +8,10 @@ on:
    secrets:
      QUAY_DEPLOYER_PASSWORD:
        required: true
+      KBUILD_SIGN_PIN:
+        required: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  build-kata-static-tarball-arm64:
@@ -20,6 +21,7 @@ jobs:
      stage: release
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
    permissions:
      contents: read
      packages: write
@@ -27,6 +29,7 @@ jobs:
      attestations: write

  kata-deploy:
+    name: kata-deploy
    needs: build-kata-static-tarball-arm64
    permissions:
      contents: read
@@ -71,9 +74,9 @@ jobs:
          fi
          for tag in "${tags[@]}"; do
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
          done
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -9,8 +9,7 @@ on:
      QUAY_DEPLOYER_PASSWORD:
        required: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  build-kata-static-tarball-ppc64le:
@@ -27,11 +26,12 @@ jobs:
      attestations: write

  kata-deploy:
+    name: kata-deploy
    needs: build-kata-static-tarball-ppc64le
    permissions:
      contents: read
      packages: write
-    runs-on: ppc64le
+    runs-on: ppc64le-small
    steps:
      - name: Login to Kata Containers ghcr.io
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
@@ -71,9 +71,9 @@ jobs:
          fi
          for tag in "${tags[@]}"; do
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
          done
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -11,8 +11,7 @@ on:
      QUAY_DEPLOYER_PASSWORD:
        required: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  build-kata-static-tarball-s390x:
@@ -31,6 +30,7 @@ jobs:


  kata-deploy:
+    name: kata-deploy
    needs: build-kata-static-tarball-s390x
    permissions:
      contents: read
@@ -75,9 +75,9 @@ jobs:
          fi
          for tag in "${tags[@]}"; do
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
+                  "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
                  "${tag}-${TARGET_ARCH}"
          done
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,11 +2,11 @@ name: Release Kata Containers
 on:
  workflow_dispatch

-permissions:
-  contents: read
+permissions: {}

 jobs:
  release:
+    name: release
    runs-on: ubuntu-22.04
    permissions:
      contents: write # needed for the `gh release create` command
@@ -35,6 +35,7 @@ jobs:
      target-arch: amd64
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

  build-and-push-assets-arm64:
    needs: release
@@ -48,6 +49,7 @@ jobs:
      target-arch: arm64
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

  build-and-push-assets-s390x:
    needs: release
@@ -77,6 +79,7 @@ jobs:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  publish-multi-arch-images:
+    name: publish-multi-arch-images
    runs-on: ubuntu-22.04
    needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
    permissions:
@@ -114,6 +117,7 @@ jobs:
          KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy ghcr.io/kata-containers/kata-deploy"

  upload-multi-arch-static-tarball:
+    name: upload-multi-arch-static-tarball
    needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
    permissions:
      contents: write # needed for the `gh release` commands
@@ -126,7 +130,7 @@ jobs:

      - name: Set KATA_STATIC_TARBALL env var
        run: |
-          tarball=$(pwd)/kata-static.tar.xz
+          tarball=$(pwd)/kata-static.tar.zst
          echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"

      - name: Download amd64 artifacts
@@ -178,6 +182,7 @@ jobs:
          ARCHITECTURE: ppc64le

  upload-versions-yaml:
+    name: upload-versions-yaml
    needs: release
    runs-on: ubuntu-22.04
    permissions:
@@ -195,6 +200,7 @@ jobs:
          GH_TOKEN: ${{ github.token }}

  upload-cargo-vendored-tarball:
+    name: upload-cargo-vendored-tarball
    needs: release
    runs-on: ubuntu-22.04
    permissions:
@@ -212,6 +218,7 @@ jobs:
          GH_TOKEN: ${{ github.token }}

  upload-libseccomp-tarball:
+    name: upload-libseccomp-tarball
    needs: release
    runs-on: ubuntu-22.04
    permissions:
@@ -229,6 +236,7 @@ jobs:
          GH_TOKEN: ${{ github.token }}

  upload-helm-chart-tarball:
+    name: upload-helm-chart-tarball
    needs: release
    runs-on: ubuntu-22.04
    permissions:
@@ -253,10 +261,11 @@ jobs:
      - name: Login to the OCI registries
        env:
          QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          GITHUB_ACTOR: ${{ github.actor }}
+          QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+          GITHUB_TOKEN: ${{ github.token }}
        run: |
-          echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
-          echo "${{ github.token }}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
+          echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
+          echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin

      - name: Push helm chart to the OCI registries
        run: |
@@ -265,6 +274,7 @@ jobs:
          helm push "kata-deploy-${release_version}.tgz" oci://ghcr.io/kata-containers/kata-deploy-charts

  publish-release:
+    name: publish-release
    needs: [ build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le, publish-multi-arch-images, upload-multi-arch-static-tarball, upload-versions-yaml, upload-cargo-vendored-tarball, upload-libseccomp-tarball ]
    runs-on: ubuntu-22.04
    permissions:
--- a/.github/workflows/run-containerd-guest-pull-stability-tests.yaml
+++ b/.github/workflows/run-containerd-guest-pull-stability-tests.yaml
@@ -0,0 +1,167 @@
+name: CI | Run containerd guest pull stability tests
+on:
+  schedule:
+    - cron: "0 */1 * * *" #run every hour
+
+permissions: {}
+
+# This job relies on k8s pre-installed using kubeadm
+jobs:
+  run-containerd-guest-pull-stability-tests:
+    name: run-containerd-guest-pull-stability-tests-${{ matrix.environment.test-type }}-${{ matrix.environment.containerd }}
+    strategy:
+      fail-fast: false
+      matrix:
+        environment: [
+          { test-type: multi-snapshotter, containerd: v2.2 },
+          { test-type: force-guest-pull, containerd: v1.7 },
+          { test-type: force-guest-pull, containerd: v2.0 },
+          { test-type: force-guest-pull, containerd: v2.1 },
+          { test-type: force-guest-pull, containerd: v2.2 },
+        ]
+    env:
+      # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here.
+      IMAGES_LIST: quay.io/mongodb/mongodb-community-server@sha256:8b73733842da21b6bbb6df4d7b2449229bb3135d2ec8c6880314d88205772a11 ghcr.io/edgelesssys/redis@sha256:ecb0a964c259a166a1eb62f0eb19621d42bd1cce0bc9bb0c71c828911d4ba93d
+    runs-on: containerd-${{ matrix.environment.test-type }}-${{ matrix.environment.containerd }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Rotate the journal
+        run: sudo journalctl --rotate --vacuum-time 1s
+
+      - name: Pull the kata-deploy image to be used
+        run: sudo ctr -n k8s.io image pull quay.io/kata-containers/kata-deploy-ci:kata-containers-latest
+
+      - name: Deploy Kata Containers
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+        env:
+          KATA_HYPERVISOR: qemu-coco-dev
+          KUBERNETES: vanilla
+          SNAPSHOTTER: ${{ matrix.environment.test-type == 'multi-snapshotter' && 'nydus' || '' }}
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.test-type == 'multi-snapshotter' }}
+          EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.test-type == 'force-guest-pull' && 'qemu-coco-dev' || '' }}
+
+      # This is needed as we may hit the createContainerTimeout
+      - name: Adjust Kata Containers' create_container_timeout
+        run: |
+          sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+          grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+
+      # This is needed in order to have enough tmpfs space inside the guest to pull the image
+      - name: Adjust Kata Containers' default_memory
+        run: |
+          sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+          grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+
+      - name: Run a few containers using overlayfs
+        run: |
+          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
+          # shellcheck disable=SC2086
+          for img in ${IMAGES_LIST}; do
+            echo "overlayfs | Using on image: ${img}"
+            pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
+            kubectl run "${pod}" \
+              -it --rm \
+              --restart=Never \
+              --image="${img}" \
+              --image-pull-policy=Always \
+              --pod-running-timeout=10m \
+              -- uname -r
+          done
+          
+      - name: Run a the same few containers using a different snapshotter
+        run: |
+          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
+          # shellcheck disable=SC2086
+          for img in ${IMAGES_LIST}; do
+            echo "nydus | Using on image: ${img}"
+            pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
+            kubectl run "${pod}" \
+              -it --rm \
+              --restart=Never \
+              --image="${img}" \
+              --image-pull-policy=Always \
+              --pod-running-timeout=10m \
+              --overrides='{
+                "spec": {
+                  "runtimeClassName": "kata-qemu-coco-dev"
+                }
+              }' \
+              -- uname -r
+          done
+
+      - name: Uninstall Kata Containers
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup
+        env:
+          KATA_HYPERVISOR: qemu-coco-dev
+          KUBERNETES: vanilla
+          SNAPSHOTTER: nydus
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
+
+      - name: Run a few containers using overlayfs
+        run: |
+          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
+          # shellcheck disable=SC2086
+          for img in ${IMAGES_LIST}; do
+            echo "overlayfs | Using on image: ${img}"
+            pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
+            kubectl run "${pod}" \
+              -it --rm \
+              --restart=Never \
+              --image=${img} \
+              --image-pull-policy=Always \
+              --pod-running-timeout=10m \
+              -- uname -r
+          done
+          
+      - name: Deploy Kata Containers
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+        env:
+          KATA_HYPERVISOR: qemu-coco-dev
+          KUBERNETES: vanilla
+          SNAPSHOTTER: nydus
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
+
+      # This is needed as we may hit the createContainerTimeout
+      - name: Adjust Kata Containers' create_container_timeout
+        run: |
+          sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+          grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+
+      # This is needed in order to have enough tmpfs space inside the guest to pull the image
+      - name: Adjust Kata Containers' default_memory
+        run: |
+          sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+          grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+
+      - name: Run a the same few containers using a different snapshotter
+        run: |
+          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
+          # shellcheck disable=SC2086
+          for img in ${IMAGES_LIST}; do
+            echo "nydus | Using on image: ${img}"
+            pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
+            kubectl run "${pod}" \
+              -it --rm \
+              --restart=Never \
+              --image="${img}" \
+              --image-pull-policy=Always \
+              --pod-running-timeout=10m \
+              --overrides='{
+                "spec": {
+                  "runtimeClassName": "kata-qemu-coco-dev"
+                }
+              }' \
+              -- uname -r
+          done
+
+      - name: Uninstall Kata Containers
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup || true
+        if: always()
+        env:
+          KATA_HYPERVISOR: qemu-coco-dev
+          KUBERNETES: vanilla
+          SNAPSHOTTER: nydus
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
--- a/.github/workflows/run-cri-containerd-tests.yaml
+++ b/.github/workflows/run-cri-containerd-tests.yaml
@@ -1,7 +1,6 @@
 name: CI | Run cri-containerd tests

-permissions:
-  contents: read
+permissions: {}

 on:
  workflow_call:
@@ -59,6 +58,8 @@ jobs:
      - name: Install dependencies
        timeout-minutes: 15
        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
+        env:
+          GH_TOKEN: ${{ github.token }}

      - name: get-kata-tarball for ${{ inputs.arch }}
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -34,12 +34,11 @@ on:
        required: true


-permissions:
-  contents: read
-  id-token: write
+permissions: {}

 jobs:
  run-k8s-tests:
+    name: run-k8s-tests
    strategy:
      fail-fast: false
      matrix:
@@ -50,7 +49,6 @@ jobs:
          - dragonball
          - qemu
          - qemu-runtime-rs
-          - stratovirt
          - cloud-hypervisor
        instance-type:
          - small
@@ -60,17 +58,17 @@ jobs:
            vmm: clh
            instance-type: small
            genpolicy-pull-method: oci-distribution
-            auto-generate-policy: yes
          - host_os: cbl-mariner
            vmm: clh
            instance-type: small
            genpolicy-pull-method: containerd
-            auto-generate-policy: yes
          - host_os: cbl-mariner
            vmm: clh
            instance-type: normal
-            auto-generate-policy: yes
    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write # Used for OIDC access to log into Azure
    environment: ci
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
@@ -80,10 +78,8 @@ jobs:
      KATA_HOST_OS: ${{ matrix.host_os }}
      KATA_HYPERVISOR: ${{ matrix.vmm }}
      KUBERNETES: "vanilla"
-      USING_NFD: "false"
      K8S_TEST_HOST_TYPE: ${{ matrix.instance-type }}
      GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }}
-      AUTO_GENERATE_POLICY: ${{ matrix.auto-generate-policy }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@@ -139,13 +135,21 @@ jobs:
        run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials

      - name: Deploy Kata
-        timeout-minutes: 10
+        timeout-minutes: 20
        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks

      - name: Run tests
        timeout-minutes: 60
        run: bash tests/integration/kubernetes/gha-run.sh run-tests

+      - name: Refresh OIDC token in case access token expired
+        if: always()
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZ_APPID }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+
      - name: Delete AKS cluster
        if: always()
        run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
--- a/.github/workflows/run-k8s-tests-on-arm64.yaml
+++ b/.github/workflows/run-k8s-tests-on-arm64.yaml
@@ -22,11 +22,11 @@ on:
        type: string
        default: ""

-permissions:
-  contents: read
+permissions: {}

 jobs:
  run-k8s-tests-on-arm64:
+    name: run-k8s-tests-on-arm64
    strategy:
      fail-fast: false
      matrix:
@@ -42,7 +42,6 @@ jobs:
      GH_PR_NUMBER: ${{ inputs.pr-number }}
      KATA_HYPERVISOR: ${{ matrix.vmm }}
      KUBERNETES: ${{ matrix.k8s }}
-      USING_NFD: "false"
      K8S_TEST_HOST_TYPE: all
      TARGET_ARCH: "aarch64"
    steps:
@@ -59,7 +58,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: Deploy Kata
-        timeout-minutes: 10
+        timeout-minutes: 20
        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata

      - name: Install `bats`
@@ -83,5 +82,5 @@ jobs:

      - name: Delete kata-deploy
        if: always()
-        timeout-minutes: 5
+        timeout-minutes: 15
        run: bash tests/integration/kubernetes/gha-run.sh cleanup
--- a/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
+++ b/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
@@ -1,4 +1,4 @@
-name: CI | Run kubernetes tests on amd64
+name: CI | Run NVIDIA GPU kubernetes tests on arm64
 on:
  workflow_call:
    inputs:
@@ -21,45 +21,31 @@ on:
        required: false
        type: string
        default: ""
+    secrets:
+      NGC_API_KEY:
+        required: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
-  run-k8s-tests-amd64:
+  run-nvidia-gpu-tests-on-amd64:
+    name: run-${{ matrix.environment.name }}-tests-on-amd64
    strategy:
      fail-fast: false
      matrix:
-        vmm:
-          - clh #cloud-hypervisor
-          - dragonball
-          - fc #firecracker
-          - qemu
-          - cloud-hypervisor
-        container_runtime:
-          - containerd
-        snapshotter:
-          - devmapper
-        k8s:
-          - k3s
-        include:
-          - vmm: qemu
-            container_runtime: crio
-            snapshotter: ""
-            k8s: k0s
-    runs-on: ubuntu-22.04
+        environment: [
+          { name: nvidia-gpu,     vmm: qemu-nvidia-gpu,     runner: amd64-nvidia-a100 },
+          { name: nvidia-gpu-snp, vmm: qemu-nvidia-gpu-snp, runner: amd64-nvidia-h100-snp },
+        ]
+    runs-on: ${{ matrix.environment.runner }}
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
      DOCKER_REPO: ${{ inputs.repo }}
      DOCKER_TAG: ${{ inputs.tag }}
      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: ${{ matrix.k8s }}
-      KUBERNETES_EXTRA_PARAMS: ${{ matrix.container_runtime != 'crio' && '' || '--cri-socket remote:unix:///var/run/crio/crio.sock --kubelet-extra-args --cgroup-driver="systemd"' }}
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      USING_NFD: "false"
+      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
+      KUBERNETES: kubeadm
      K8S_TEST_HOST_TYPE: all
-      CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@@ -73,43 +59,31 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

-      - name: Configure CRI-O
-        if: matrix.container_runtime == 'crio'
-        run: bash tests/integration/kubernetes/gha-run.sh setup-crio
-
-      - name: Deploy ${{ matrix.k8s }}
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
-        env:
-          CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
-
-      - name: Configure the ${{ matrix.snapshotter }} snapshotter
-        if: matrix.snapshotter != ''
-        run: bash tests/integration/kubernetes/gha-run.sh configure-snapshotter
-
      - name: Deploy Kata
-        timeout-minutes: 10
+        timeout-minutes: 20
        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata

      - name: Install `bats`
        run: bash tests/integration/kubernetes/gha-run.sh install-bats

-      - name: Run tests
+      - name: Run tests ${{ matrix.environment.vmm }}
        timeout-minutes: 30
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Collect artifacts ${{ matrix.vmm }}
+        run: bash tests/integration/kubernetes/gha-run.sh run-nv-tests
+        env:
+          NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+      - name: Collect artifacts ${{ matrix.environment.vmm }}
        if: always()
        run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
        continue-on-error: true

-      - name: Archive artifacts ${{ matrix.vmm }}
+      - name: Archive artifacts ${{ matrix.environment.vmm }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
-          name: k8s-tests-${{ matrix.vmm }}-${{ matrix.snapshotter }}-${{ matrix.k8s }}-${{ inputs.tag }}
+          name: k8s-tests-${{ matrix.environment.vmm }}-kubeadm-${{ inputs.tag }}
          path: /tmp/artifacts
          retention-days: 1

      - name: Delete kata-deploy
        if: always()
-        timeout-minutes: 5
+        timeout-minutes: 15
        run: bash tests/integration/kubernetes/gha-run.sh cleanup
--- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml
+++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
@@ -22,11 +22,11 @@ on:
        type: string
        default: ""

-permissions:
-  contents: read
+permissions: {}

 jobs:
  run-k8s-tests:
+    name: run-k8s-tests
    strategy:
      fail-fast: false
      matrix:
@@ -34,7 +34,7 @@ jobs:
          - qemu
        k8s:
          - kubeadm
-    runs-on: k8s-ppc64le
+    runs-on: ppc64le-k8s
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
      DOCKER_REPO: ${{ inputs.repo }}
@@ -43,7 +43,6 @@ jobs:
      GOPATH: ${{ github.workspace }}
      KATA_HYPERVISOR: ${{ matrix.vmm }}
      KUBERNETES: ${{ matrix.k8s }}
-      USING_NFD: "false"
      TARGET_ARCH: "ppc64le"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -63,19 +62,16 @@ jobs:
          ./tests/install_go.sh -f -p
          echo "/usr/local/go/bin" >> "$GITHUB_PATH"

-      - name: Prepare the runner for k8s cluster creation
-        run: bash "${HOME}/scripts/k8s_cluster_cleanup.sh"
+      - name: Prepare the runner for k8s test suite
+        run: bash "${HOME}/scripts/k8s_cluster_prepare.sh"

-      - name: Create k8s cluster using kubeadm
-        run: bash "${HOME}/scripts/k8s_cluster_create.sh"
+      - name: Check if cluster is healthy to run the tests
+        run: bash "${HOME}/scripts/k8s_cluster_check.sh"

      - name: Deploy Kata
-        timeout-minutes: 10
+        timeout-minutes: 20
        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-kubeadm

      - name: Run tests
        timeout-minutes: 30
        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Delete cluster and post cleanup actions
-        run: bash "${HOME}/scripts/k8s_cluster_cleanup.sh"
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@@ -25,11 +25,11 @@ on:
      AUTHENTICATED_IMAGE_PASSWORD:
        required: true

-permissions:
-  contents: read
+permissions: {}

 jobs:
  run-k8s-tests:
+    name: run-k8s-tests
    strategy:
      fail-fast: false
      matrix:
@@ -46,11 +46,9 @@ jobs:
        include:
          - snapshotter: devmapper
            pull-type: default
-            using-nfd: true
            deploy-cmd: configure-snapshotter
          - snapshotter: nydus
            pull-type: guest-pull
-            using-nfd: false
            deploy-cmd: deploy-snapshotter
        exclude:
          - snapshotter: overlayfs
@@ -76,7 +74,6 @@ jobs:
      KUBERNETES: ${{ matrix.k8s }}
      PULL_TYPE: ${{ matrix.pull-type }}
      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      USING_NFD: ${{ matrix.using-nfd }}
      TARGET_ARCH: "s390x"
      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
@@ -106,11 +103,13 @@ jobs:
      # qemu-runtime-rs only works with overlayfs
      # See: https://github.com/kata-containers/kata-containers/issues/10066
      - name: Configure the ${{ matrix.snapshotter }} snapshotter
-        run: bash tests/integration/kubernetes/gha-run.sh ${{ matrix.deploy-cmd }}
+        env:
+          DEPLOY_CMD: ${{ matrix.deploy-cmd }}
+        run: bash tests/integration/kubernetes/gha-run.sh "${DEPLOY_CMD}"
        if: ${{ matrix.snapshotter != 'overlayfs' }}

      - name: Deploy Kata
-        timeout-minutes: 10
+        timeout-minutes: 20
        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-zvsi

      - name: Uninstall previous `kbs-client`
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@@ -35,13 +35,12 @@ on:
      AUTHENTICATED_IMAGE_PASSWORD:
        required: true

-permissions:
-  contents: read
-  id-token: write
+permissions: {}

 jobs:
  # Generate jobs for testing CoCo on non-TEE environments
  run-stability-k8s-tests-coco-nontee:
+    name: run-stability-k8s-tests-coco-nontee
    strategy:
      fail-fast: false
      matrix:
@@ -52,6 +51,9 @@ jobs:
        pull-type:
          - guest-pull
    runs-on: ubuntu-22.04
+    permissions:
+
+      id-token: write # Used for OIDC access to log into Azure
    environment: ci
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
@@ -68,7 +70,6 @@ jobs:
      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      USING_NFD: "false"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@@ -91,9 +92,6 @@ jobs:
      - name: Install kata
        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts

-      - name: Download Azure CLI
-        run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli
-
      - name: Log into the Azure account
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
@@ -141,6 +139,14 @@ jobs:
        timeout-minutes: 300
        run: bash tests/stability/gha-stability-run.sh run-tests

+      - name: Refresh OIDC token in case access token expired
+        if: always()
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZ_APPID }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+
      - name: Delete AKS cluster
        if: always()
        run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -36,22 +36,20 @@ on:
      ITA_KEY:
        required: true

-permissions:
-  contents: read
-  id-token: write
+permissions: {}

 jobs:
-  run-k8s-tests-on-tdx:
+  run-k8s-tests-on-tee:
+    name: run-k8s-tests-on-tee
    strategy:
      fail-fast: false
      matrix:
-        vmm:
-          - qemu-tdx
-        snapshotter:
-          - nydus
-        pull-type:
-          - guest-pull
-    runs-on: tdx
+        include:
+          - runner: tdx
+            vmm: qemu-tdx
+          - runner: sev-snp
+            vmm: qemu-snp
+    runs-on: ${{ matrix.runner }}
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
      DOCKER_REPO: ${{ inputs.repo }}
@@ -59,15 +57,14 @@ jobs:
      GH_PR_NUMBER: ${{ inputs.pr-number }}
      KATA_HYPERVISOR: ${{ matrix.vmm }}
      KUBERNETES: "vanilla"
-      USING_NFD: "true"
      KBS: "true"
      K8S_TEST_HOST_TYPE: "baremetal"
      KBS_INGRESS: "nodeport"
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      PULL_TYPE: ${{ matrix.pull-type }}
+      SNAPSHOTTER: "nydus"
+      PULL_TYPE: "guest-pull"
      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
+      GH_ITA_KEY: ${{ secrets.ITA_KEY }}
      AUTO_GENERATE_POLICY: "yes"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -82,13 +79,9 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

-      - name: Deploy Snapshotter
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
-
      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
+        timeout-minutes: 20
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata

      - name: Uninstall previous `kbs-client`
        timeout-minutes: 10
@@ -97,6 +90,8 @@ jobs:
      - name: Deploy CoCo KBS
        timeout-minutes: 10
        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+        env:
+          ITA_KEY: ${{ env.KATA_HYPERVISOR == 'qemu-tdx' && env.GH_ITA_KEY || '' }}

      - name: Install `kbs-client`
        timeout-minutes: 10
@@ -110,102 +105,19 @@ jobs:
        timeout-minutes: 100
        run: bash tests/integration/kubernetes/gha-run.sh run-tests

+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
      - name: Delete kata-deploy
        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-tdx
-
-      - name: Delete Snapshotter
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup

      - name: Delete CoCo KBS
        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
-
-      - name: Delete CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
-
-  run-k8s-tests-sev-snp:
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu-snp
-        snapshotter:
-          - nydus
-        pull-type:
-          - guest-pull
-    runs-on: sev-snp
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBECONFIG: /home/kata/.kube/config
-      KUBERNETES: "vanilla"
-      USING_NFD: "false"
-      KBS: "true"
-      KBS_INGRESS: "nodeport"
-      K8S_TEST_HOST_TYPE: "baremetal"
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      PULL_TYPE: ${{ matrix.pull-type }}
-      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AUTO_GENERATE_POLICY: "yes"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Deploy Snapshotter
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-snp
-
-      - name: Uninstall previous `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
-
-      - name: Deploy CoCo KBS
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
-
-      - name: Install `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
-
-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
-
-      - name: Run tests
-        timeout-minutes: 50
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Delete kata-deploy
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-snp
-
-      - name: Delete Snapshotter
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
-
-      - name: Delete CoCo KBS
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+          [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && echo "ITA_KEY=${GH_ITA_KEY}" >> "${GITHUB_ENV}"
+          bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs

      - name: Delete CSI driver
        timeout-minutes: 5
@@ -213,6 +125,7 @@ jobs:

  # Generate jobs for testing CoCo on non-TEE environments
  run-k8s-tests-coco-nontee:
+    name: run-k8s-tests-coco-nontee
    strategy:
      fail-fast: false
      matrix:
@@ -222,7 +135,12 @@ jobs:
          - nydus
        pull-type:
          - guest-pull
+        include:
+          - pull-type: experimental-force-guest-pull
+            snapshotter: ""
    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write # Used for OIDC access to log into Azure
    environment: ci
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
@@ -244,8 +162,6 @@ jobs:
      # host type chose it will result on the creation of a cluster with
      # insufficient resources.
      K8S_TEST_HOST_TYPE: "all"
-      USING_NFD: "false"
-      AUTO_GENERATE_POLICY: "yes"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@@ -268,9 +184,6 @@ jobs:
      - name: Install kata
        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts

-      - name: Download Azure CLI
-        run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli
-
      - name: Log into the Azure account
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
@@ -298,13 +211,13 @@ jobs:
      - name: Download credentials for the Kubernetes CLI to use them
        run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials

-      - name: Deploy Snapshotter
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
-
      - name: Deploy Kata
-        timeout-minutes: 10
+        timeout-minutes: 20
        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
+        env:
+          EXPERIMENTAL_FORCE_GUEST_PULL: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && env.KATA_HYPERVISOR || '' }}
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ env.SNAPSHOTTER == 'nydus' }}
+          AUTO_GENERATE_POLICY: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && 'no' || 'yes' }}

      - name: Deploy CoCo KBS
        timeout-minutes: 10
@@ -326,6 +239,105 @@ jobs:
        if: always()
        run: bash tests/integration/kubernetes/gha-run.sh report-tests

+      - name: Refresh OIDC token in case access token expired
+        if: always()
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZ_APPID }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+
      - name: Delete AKS cluster
        if: always()
        run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
+
+  # Generate jobs for testing CoCo on non-TEE environments with erofs-snapshotter
+  run-k8s-tests-coco-nontee-with-erofs-snapshotter:
+    name: run-k8s-tests-coco-nontee-with-erofs-snapshotter
+    strategy:
+      fail-fast: false
+      matrix:
+        vmm:
+          - qemu-coco-dev
+        snapshotter:
+          - erofs
+        pull-type:
+          - default
+    runs-on: ubuntu-24.04
+    environment: ci
+    env:
+      DOCKER_REGISTRY: ${{ inputs.registry }}
+      DOCKER_REPO: ${{ inputs.repo }}
+      DOCKER_TAG: ${{ inputs.tag }}
+      GH_PR_NUMBER: ${{ inputs.pr-number }}
+      KATA_HYPERVISOR: ${{ matrix.vmm }}
+      # Some tests rely on that variable to run (or not)
+      KBS: "false"
+      # Set the KBS ingress handler (empty string disables handling)
+      KBS_INGRESS: ""
+      KUBERNETES: "vanilla"
+      CONTAINER_ENGINE: "containerd"
+      CONTAINER_ENGINE_VERSION: "v2.2"
+      PULL_TYPE: ${{ matrix.pull-type }}
+      SNAPSHOTTER: ${{ matrix.snapshotter }}
+      USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: "true"
+      K8S_TEST_HOST_TYPE: "all"
+      # We are skipping the auto generated policy tests for now,
+      # but those should be enabled as soon as we work on that.
+      AUTO_GENERATE_POLICY: "no"
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: Remove unnecessary directories to free up space
+        run: |
+          sudo rm -rf /usr/local/.ghcup
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /usr/local/share/boost
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+          sudo rm -rf /usr/lib/jvm
+          sudo rm -rf /usr/share/swift
+          sudo rm -rf /usr/local/share/powershell
+          sudo rm -rf /usr/local/julia*
+          sudo rm -rf /opt/az
+          sudo rm -rf /usr/local/share/chromium
+          sudo rm -rf /opt/microsoft
+          sudo rm -rf /opt/google
+          sudo rm -rf /usr/lib/firefox
+
+      - name: Deploy kubernetes
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Install `bats`
+        run: bash tests/integration/kubernetes/gha-run.sh install-bats
+
+      - name: Deploy Kata
+        timeout-minutes: 20
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+
+      - name: Deploy CSI driver
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
+
+      - name: Run tests
+        timeout-minutes: 80
+        run: bash tests/integration/kubernetes/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -29,12 +29,11 @@ on:
      AZ_SUBSCRIPTION_ID:
        required: true

-permissions:
-  contents: read
-  id-token: write
+permissions: {}

 jobs:
  run-kata-deploy-tests:
+    name: run-kata-deploy-tests
    strategy:
      fail-fast: false
      matrix:
@@ -50,6 +49,8 @@ jobs:
            vmm: clh
    runs-on: ubuntu-22.04
    environment: ci
+    permissions:
+      id-token: write # Used for OIDC access to log into Azure
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
      DOCKER_REPO: ${{ inputs.repo }}
@@ -58,7 +59,6 @@ jobs:
      KATA_HOST_OS: ${{ matrix.host_os }}
      KATA_HYPERVISOR: ${{ matrix.vmm }}
      KUBERNETES: "vanilla"
-      USING_NFD: "false"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@@ -72,9 +72,6 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

-      - name: Download Azure CLI
-        run: bash tests/functional/kata-deploy/gha-run.sh install-azure-cli
-
      - name: Log into the Azure account
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
@@ -105,6 +102,14 @@ jobs:
      - name: Run tests
        run: bash tests/functional/kata-deploy/gha-run.sh run-tests

+      - name: Refresh OIDC token in case access token expired
+        if: always()
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZ_APPID }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+
      - name: Delete AKS cluster
        if: always()
        run: bash tests/functional/kata-deploy/gha-run.sh delete-cluster
--- a/.github/workflows/run-kata-deploy-tests.yaml
+++ b/.github/workflows/run-kata-deploy-tests.yaml
@@ -22,11 +22,11 @@ on:
        type: string
        default: ""

-permissions:
-  contents: read
+permissions: {}

 jobs:
  run-kata-deploy-tests:
+    name: run-kata-deploy-tests
    strategy:
      fail-fast: false
      matrix:
@@ -45,7 +45,6 @@ jobs:
      GH_PR_NUMBER: ${{ inputs.pr-number }}
      KATA_HYPERVISOR: ${{ matrix.vmm }}
      KUBERNETES: ${{ matrix.k8s }}
-      USING_NFD: "false"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@@ -59,6 +58,25 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

+      - name: Remove unnecessary directories to free up space
+        run: |
+          sudo rm -rf /usr/local/.ghcup
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /usr/local/share/boost
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+          sudo rm -rf /usr/lib/jvm
+          sudo rm -rf /usr/share/swift
+          sudo rm -rf /usr/local/share/powershell
+          sudo rm -rf /usr/local/julia*
+          sudo rm -rf /opt/az
+          sudo rm -rf /usr/local/share/chromium
+          sudo rm -rf /opt/microsoft
+          sudo rm -rf /opt/google
+          sudo rm -rf /usr/lib/firefox
+
      - name: Deploy ${{ matrix.k8s }}
        run:  bash tests/functional/kata-deploy/gha-run.sh deploy-k8s

--- a/.github/workflows/run-kata-monitor-tests.yaml
+++ b/.github/workflows/run-kata-monitor-tests.yaml
@@ -13,11 +13,11 @@ on:
        type: string
        default: ""

-permissions:
-  contents: read
+permissions: {}

 jobs:
  run-monitor:
+    name: run-monitor
    strategy:
      fail-fast: false
      matrix:
@@ -54,6 +54,8 @@ jobs:

      - name: Install dependencies
        run: bash tests/functional/kata-monitor/gha-run.sh install-dependencies
+        env:
+          GH_TOKEN: ${{ github.token }}

      - name: get-kata-tarball
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
--- a/.github/workflows/run-metrics.yaml
+++ b/.github/workflows/run-metrics.yaml
@@ -22,11 +22,11 @@ on:
        type: string
        default: ""

-permissions:
-  contents: read
+permissions: {}

 jobs:
  run-metrics:
+    name: run-metrics
    strategy:
      # We can set this to true whenever we're 100% sure that
      # the all the tests are not flaky, otherwise we'll fail
@@ -44,7 +44,6 @@ jobs:
      DOCKER_TAG: ${{ inputs.tag }}
      GH_PR_NUMBER: ${{ inputs.pr-number }}
      K8S_TEST_HOST_TYPE: "baremetal"
-      USING_NFD: "false"
      KUBERNETES: kubeadm
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/run-runk-tests.yaml
+++ b/.github/workflows/run-runk-tests.yaml
@@ -13,11 +13,11 @@ on:
        type: string
        default: ""

-permissions:
-  contents: read
+permissions: {}

 jobs:
  run-runk:
+    name: run-runk
    # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether
    if: false
    runs-on: ubuntu-22.04
@@ -38,6 +38,8 @@ jobs:

      - name: Install dependencies
        run: bash tests/integration/runk/gha-run.sh install-dependencies
+        env:
+          GH_TOKEN: ${{ github.token }}

      - name: get-kata-tarball
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
--- a/.github/workflows/shellcheck.yaml
+++ b/.github/workflows/shellcheck.yaml
@@ -10,8 +10,7 @@ on:
      - reopened
      - synchronize

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -19,6 +18,7 @@ concurrency:

 jobs:
  shellcheck:
+    name: shellcheck
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout the code
@@ -27,6 +27,6 @@ jobs:
          fetch-depth: 0
          persist-credentials: false
      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master (2024-06-20)
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
        with:
          ignore_paths: "**/vendor/**"
--- a/.github/workflows/shellcheck_required.yaml
+++ b/.github/workflows/shellcheck_required.yaml
@@ -11,8 +11,7 @@ on:
      - reopened
      - synchronize

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -20,6 +19,7 @@ concurrency:

 jobs:
  shellcheck-required:
+    name: shellcheck-required
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout the code
@@ -29,7 +29,7 @@ jobs:
          persist-credentials: false

      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master (2024-06-20)
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
        with:
          severity: error
          ignore_paths: "**/vendor/**"
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -4,11 +4,11 @@ on:
    - cron: '0 0 * * *'
  workflow_dispatch:

-permissions:
-  contents: read
+permissions: {}

 jobs:
  stale:
+    name: stale
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
--- a/.github/workflows/static-checks-self-hosted.yaml
+++ b/.github/workflows/static-checks-self-hosted.yaml
@@ -6,8 +6,7 @@ on:
      - reopened
      - labeled # a workflow runs only when the 'ok-to-test' label is added

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -31,7 +30,7 @@ jobs:
        instance:
          - "ubuntu-22.04-arm"
          - "s390x"
-          - "ppc64le"
+          - "ubuntu-24.04-ppc64le"
    uses: ./.github/workflows/build-checks.yaml
    with:
      instance: ${{ matrix.instance }}
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -7,8 +7,7 @@ on:
      - synchronize
  workflow_dispatch:

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -23,6 +22,7 @@ jobs:
      target-branch: ${{ github.event.pull_request.base.ref }}

  check-kernel-config-version:
+    name: check-kernel-config-version
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    runs-on: ubuntu-22.04
@@ -55,6 +55,7 @@ jobs:
      instance: ubuntu-22.04

  build-checks-depending-on-kvm:
+    name: build-checks-depending-on-kvm
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
@@ -89,13 +90,16 @@ jobs:
      - name: Running `${{ matrix.command }}` for ${{ matrix.component }}
        run: |
          export PATH="$PATH:${HOME}/.cargo/bin"
-          cd ${{ matrix.component-path }}
-          ${{ matrix.command }}
+          cd "${COMPONENT_PATH}"
+          eval "${COMMAND}"
        env:
+          COMMAND: ${{ matrix.command }}
+          COMPONENT_PATH: ${{ matrix.component-path }}
          RUST_BACKTRACE: "1"
          RUST_LIB_BACKTRACE: "0"

  static-checks:
+    name: static-checks
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
@@ -118,13 +122,13 @@ jobs:
          path: ./src/github.com/${{ github.repository }}
      - name: Install yq
        run: |
-          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false
      - name: Install golang
        run: |
-          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./tests/install_go.sh -f -p
          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
      - name: Install system dependencies
@@ -132,7 +136,7 @@ jobs:
          sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc
      - name: Install open-policy-agent
        run: |
-          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./tests/install_opa.sh
      - name: Install regorus
        env:
@@ -140,13 +144,49 @@ jobs:
          ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}"
          ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
        run: |
-          "${GOPATH}/src/github.com/${{ github.repository }}/tests/install_regorus.sh"
+          "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}/tests/install_regorus.sh"
      - name: Run check
+        env:
+          CMD: ${{ matrix.cmd }}
        run: |
          export PATH="${PATH}:${GOPATH}/bin"
-          cd "${GOPATH}/src/github.com/${{ github.repository }}" && ${{ matrix.cmd }}
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" && ${CMD}

  govulncheck:
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    uses: ./.github/workflows/govulncheck.yaml
+
+  codegen:
+    name: codegen
+    runs-on: ubuntu-22.04
+    needs: skipper
+    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
+    permissions:
+      contents: read  # for checkout
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: generate
+        run: make -C src/agent generate-protocols
+      - name: check for diff
+        run: |
+          diff=$(git diff)
+          if [[ -z "${diff}" ]]; then
+            echo "No diff detected."
+            exit 0
+          fi
+
+          cat << EOF >> "${GITHUB_STEP_SUMMARY}"
+          Run \`make -C src/agent generate-protocols\` to update protobuf bindings.
+
+          \`\`\`diff
+          ${diff}
+          \`\`\`
+          EOF
+
+          echo "::error::Golang protobuf bindings need to be regenerated (see Github step summary for diff)."
+          exit 1
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -1,12 +1,9 @@
 name: GHA security analysis

 on:
-  push:
-    branches: ["main"]
  pull_request:

-permissions:
-  contents: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -14,10 +11,8 @@ concurrency:

 jobs:
  zizmor:
+    name: zizmor
    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -26,4 +21,9 @@ jobs:
          persist-credentials: false

      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+        with:
+          advanced-security: false
+          annotations: true
+          persona: auditor
+          version: v1.13.0
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+  undocumented-permissions:
+    disable: true
--- a/2
+++ b/2
@@ -42,7 +42,7 @@ generate-protocols:

 # Some static checks rely on generated source files of components.
 static-checks: static-checks-build
-	bash tests/static-checks.sh github.com/kata-containers/kata-containers
+	bash tests/static-checks.sh

 docs-url-alive-check:
 	bash ci/docs-url-alive-check.sh
--- a/2
+++ b/2
@@ -1 +1 @@
-3.19.0
+3.22.0
--- a/ci/README.md
+++ b/ci/README.md
@@ -306,7 +306,7 @@ tarball to the newly created VM that will be used for debugging purposes.
 > [!NOTE]
 > Those artifacts are only available (for 15 days) when all jobs are finished.

-Once you have the `kata-static.tar.xz` in your VM, you can login to the VM with
+Once you have the `kata-static.tar.zst` in your VM, you can login to the VM with
 `kcli ssh debug-nerdctl-pr8070`, go ahead and then clone your development branch

 ```bash
@@ -323,15 +323,15 @@ $ git config --global user.name "Your Name"
 $ git rebase upstream/main
 ```

-Now copy the `kata-static.tar.xz` into your `kata-containers/kata-artifacts` directory
+Now copy the `kata-static.tar.zst` into your `kata-containers/kata-artifacts` directory

 ```bash
 $ mkdir kata-artifacts
-$ cp ../kata-static.tar.xz kata-artifacts/
+$ cp ../kata-static.tar.zst kata-artifacts/
 ```

 > [!NOTE]
-> If you downloaded the .zip from GitHub you need to uncompress first to see `kata-static.tar.xz`
+> If you downloaded the .zip from GitHub you need to uncompress first to see `kata-static.tar.zst`

 And finally run the tests following what's in the yaml file for the test you're
 debugging.
@@ -363,11 +363,11 @@ and have fun debugging and hacking!

 Steps for debugging the Kubernetes tests are very similar to the ones for
 debugging non-Kubernetes tests, with the caveat that what you'll need, this
-time, is not the `kata-static.tar.xz` tarball, but rather a payload to be used
+time, is not the `kata-static.tar.zst` tarball, but rather a payload to be used
 with kata-deploy.

 In order to generate your own kata-deploy image you can generate your own
-`kata-static.tar.xz` and then take advantage of the following script.  Be aware
+`kata-static.tar.zst` and then take advantage of the following script.  Be aware
 that the image generated and uploaded must be accessible by the VM where you'll
 be performing your tests.

--- a/ci/darwin-test.sh
+++ b/ci/darwin-test.sh
@@ -8,6 +8,7 @@ set -e

 cidir=$(dirname "$0")
 runtimedir=${cidir}/../src/runtime
+genpolicydir=${cidir}/../src/tools/genpolicy

 build_working_packages() {
 	# working packages:
@@ -40,3 +41,11 @@ build_working_packages() {
 }

 build_working_packages
+
+build_genpolicy() {
+	echo "building genpolicy"
+	pushd "${genpolicydir}" &>/dev/null
+	make TRIPLE=aarch64-apple-darwin build
+}
+
+build_genpolicy
--- a/ci/openshift-ci/cluster/install_kata.sh
+++ b/ci/openshift-ci/cluster/install_kata.sh
@@ -43,19 +43,22 @@ WORKAROUND_9206_CRIO=${WORKAROUND_9206_CRIO:-no}
 # Leverage kata-deploy to install Kata Containers in the cluster.
 #
 apply_kata_deploy() {
-	local deploy_file="tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml"
-	pushd "${katacontainers_repo_dir}" || die
-	sed -ri "s#(\s+image:) .*#\1 ${KATA_DEPLOY_IMAGE}#" "${deploy_file}"
+	if ! command -v helm &>/dev/null; then
+		echo "Helm not installed, installing in current location..."
+		PATH=".:${PATH}"
+		curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | HELM_INSTALL_DIR='.' bash -s -- --no-sudo
+	fi

-	info "Applying kata-deploy"
-	oc apply -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
 	oc label --overwrite ns kube-system pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/audit=baseline
-	oc apply -f "${deploy_file}"
-	oc -n kube-system wait --timeout=10m --for=condition=Ready -l name=kata-deploy pod
+	local version chart
+	version=$(curl -sSL https://api.github.com/repos/kata-containers/kata-containers/releases/latest | jq .tag_name | tr -d '"')
+	chart="oci://ghcr.io/kata-containers/kata-deploy-charts/kata-deploy"

-	info "Adding the kata runtime classes"
-	oc apply -f tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
-	popd || die
+	# Ensure any potential leftover is cleaned up ... and this secret usually is not in case of previous failures
+	oc delete secret sh.helm.release.v1.kata-deploy.v1 -n kube-system || true
+
+	echo "Installing kata using helm ${chart} ${version}"
+	helm install kata-deploy --wait --namespace kube-system --set "image.reference=${KATA_DEPLOY_IMAGE%%:*},image.tag=${KATA_DEPLOY_IMAGE##*:}" "${chart}" --version "${version}"
 }


@@ -174,13 +177,13 @@ wait_for_app_pods_message() {
 	local namespace="$5"
 	[[ -z "${pod_count}" ]] && pod_count=1
 	[[ -z "${timeout}" ]] && timeout=60
-	[[ -n "${namespace}" ]] && namespace=" -n ${namespace} "
+	[[ -n "${namespace}" ]] && namespace=("-n" "${namespace}")
 	local pod
 	local pods
 	local i
 	SECONDS=0
 	while :; do
-		mapfile -t pods < <(oc get pods -l app="${app}" --no-headers=true "${namespace}" | awk '{print $1}')
+		mapfile -t pods < <(oc get pods -l app="${app}" --no-headers=true "${namespace[@]}" | awk '{print $1}')
 		[[ "${#pods}" -ge "${pod_count}" ]] && break
 		if [[ "${SECONDS}" -gt "${timeout}" ]]; then
 			printf "Unable to find ${pod_count} pods for '-l app=\"${app}\"' in ${SECONDS}s (%s)" "${pods[@]}"
@@ -190,7 +193,7 @@ wait_for_app_pods_message() {
 	local log
 	for pod in "${pods[@]}"; do
 		while :; do
-			log=$(oc logs "${namespace}" "${pod}")
+			log=$(oc logs "${namespace[@]}" "${pod}")
 			echo "${log}" | grep "${message}" -q && echo "Found $(echo "${log}" | grep "${message}") in ${pod}'s log (${SECONDS})" && break;
 			if [[ "${SECONDS}" -gt "${timeout}" ]]; then
 				echo -n "Message '${message}' not present in '${pod}' pod of the '-l app=\"${app}\"' "
--- a/ci/openshift-ci/peer-pods-azure.sh
+++ b/ci/openshift-ci/peer-pods-azure.sh
@@ -12,6 +12,33 @@

 SCRIPT_DIR=$(dirname "$0")

+##################
+# Helper functions
+##################
+
+# Sparse "git clone" supporting old git version
+# $1  - origin
+# $2  - revision
+# $3- - sparse checkout paths
+# Note: uses pushd to change into the clonned directory!
+git_sparse_clone() {
+  local origin="$1"
+  local revision="$2"
+  shift 2
+  local sparse_paths=("$@")
+
+  local repo
+  repo=$(basename -s .git "${origin}")
+
+  git init "${repo}"
+  pushd "${repo}" || exit 1
+  git remote add origin "${origin}"
+  git fetch --depth 1 origin "${revision}"
+  git sparse-checkout init --cone
+  git sparse-checkout set "${sparse_paths[@]}"
+  git checkout FETCH_HEAD
+}
+
 ###############################
 # Disable security to allow e2e
 ###############################
@@ -116,33 +143,40 @@ az network vnet subnet update \
 for NODE_NAME in $(kubectl get nodes -o jsonpath='{.items[*].metadata.name}'); do [[ "${NODE_NAME}" =~ 'worker' ]] && kubectl label node "${NODE_NAME}" node.kubernetes.io/worker=; done

 # CAA artifacts
-CAA_IMAGE="quay.io/confidential-containers/cloud-api-adaptor"
-TAGS="$(curl https://quay.io/api/v1/repository/confidential-containers/cloud-api-adaptor/tag/?onlyActiveTags=true)"
-DIGEST=$(echo "${TAGS}" | jq -r '.tags[] | select(.name | contains("latest-amd64")) | .manifest_digest')
-CAA_TAG="$(echo "${TAGS}" | jq -r '.tags[] | select(.manifest_digest | contains("'"${DIGEST}"'")) | .name' | grep -v "latest")"
+if [[ -z "${CAA_TAG}" ]]; then
+	if [[ -n "${CAA_IMAGE}" ]]; then
+		echo "CAA_IMAGE (${CAA_IMAGE}) is set but CAA_TAG isn't, which is not supported. Please specify both or none"
+		exit 1
+	fi
+	TAGS="$(curl https://quay.io/api/v1/repository/confidential-containers/cloud-api-adaptor/tag/?onlyActiveTags=true)"
+	DIGEST=$(echo "${TAGS}" | jq -r '.tags[] | select(.name | contains("latest-amd64")) | .manifest_digest')
+	CAA_TAG="$(echo "${TAGS}" | jq -r '.tags[] | select(.manifest_digest | contains("'"${DIGEST}"'")) | .name' | grep -v "latest")"
+fi
+if [[ -z "${CAA_IMAGE}" ]]; then
+	CAA_IMAGE="quay.io/confidential-containers/cloud-api-adaptor"
+fi

 # Get latest PP image
-SUCCESS_TIME=$(curl -s \
-  -H "Accept: application/vnd.github+json" \
-  "https://api.github.com/repos/confidential-containers/cloud-api-adaptor/actions/workflows/azure-nightly-build.yml/runs?status=success" \
-  | jq -r '.workflow_runs[0].updated_at')
-PP_IMAGE_ID="/CommunityGalleries/cocopodvm-d0e4f35f-5530-4b9c-8596-112487cdea85/Images/podvm_image0/Versions/$(date -u -jf "%Y-%m-%dT%H:%M:%SZ" "${SUCCESS_TIME}" "+%Y.%m.%d" 2>/dev/null || date -d "${SUCCESS_TIME}" +%Y.%m.%d)"
+if [[ -z "${PP_IMAGE_ID}" ]]; then
+	SUCCESS_TIME=$(curl -s \
+	  -H "Accept: application/vnd.github+json" \
+	  "https://api.github.com/repos/confidential-containers/cloud-api-adaptor/actions/workflows/azure-nightly-build.yml/runs?status=success" \
+	  | jq -r '.workflow_runs[0].updated_at')
+	PP_IMAGE_ID="/CommunityGalleries/cocopodvm-d0e4f35f-5530-4b9c-8596-112487cdea85/Images/podvm_image0/Versions/$(date -u -jf "%Y-%m-%dT%H:%M:%SZ" "${SUCCESS_TIME}" "+%Y.%m.%d" 2>/dev/null || date -d "${SUCCESS_TIME}" +%Y.%m.%d)"
+fi

-echo "AZURE_REGION: \"${AZURE_REGION}\""
-echo "PP_REGION: \"${PP_REGION}\""
-echo "AZURE_RESOURCE_GROUP: \"${AZURE_RESOURCE_GROUP}\""
-echo "PP_RESOURCE_GROUP: \"${PP_RESOURCE_GROUP}\""
-echo "PP_SUBNET_ID: \"${PP_SUBNET_ID}\""
-echo "CAA_TAG: \"${CAA_TAG}\""
-echo "PP_IMAGE_ID: \"${PP_IMAGE_ID}\""
+echo "AZURE_REGION=\"${AZURE_REGION}\""
+echo "PP_REGION=\"${PP_REGION}\""
+echo "AZURE_RESOURCE_GROUP=\"${AZURE_RESOURCE_GROUP}\""
+echo "PP_RESOURCE_GROUP=\"${PP_RESOURCE_GROUP}\""
+echo "PP_SUBNET_ID=\"${PP_SUBNET_ID}\""
+echo "CAA_IMAGE=\"${CAA_IMAGE}\""
+echo "CAA_TAG=\"${CAA_TAG}\""
+echo "PP_IMAGE_ID=\"${PP_IMAGE_ID}\""

 # Clone and configure caa
-git clone --depth 1 --no-checkout https://github.com/confidential-containers/cloud-api-adaptor.git
-pushd cloud-api-adaptor
-git sparse-checkout init --cone
-git sparse-checkout set src/cloud-api-adaptor/install/
-git checkout
-echo "CAA_GIT_SHA: \"$(git rev-parse HEAD)\""
+git_sparse_clone "https://github.com/confidential-containers/cloud-api-adaptor.git" "${CAA_GIT_SHA:-main}" "src/cloud-api-adaptor/install/"
+echo "CAA_GIT_SHA=\"$(git rev-parse HEAD)\""
 pushd src/cloud-api-adaptor
 cat <<EOF > install/overlays/azure/workload-identity.yaml
 apiVersion: apps/v1
@@ -208,12 +242,8 @@ echo "AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}" >> install/overlays/azure/serv
 echo "AZURE_TENANT_ID=${AZURE_TENANT_ID}" >> install/overlays/azure/service-principal.env

 # Deploy Operator
-git clone --depth 1 --no-checkout https://github.com/confidential-containers/operator
-pushd operator
-git sparse-checkout init --cone
-git sparse-checkout set "config/"
-git checkout
-echo "OPERATOR_SHA: \"$(git rev-parse HEAD)\""
+git_sparse_clone "https://github.com/confidential-containers/operator" "${OPERATOR_SHA:-main}" "config/"
+echo "OPERATOR_SHA=\"$(git rev-parse HEAD)\""
 oc apply -k "config/release"
 oc apply -k "config/samples/ccruntime/peer-pods"
 popd
@@ -227,7 +257,7 @@ popd
 SECONDS=0
 ( while [[ "${SECONDS}" -lt 360 ]]; do
    kubectl get runtimeclass | grep -q kata-remote && exit 0
-done; exit 1 ) || { echo "kata-remote runtimeclass not initialized in 60s"; kubectl -n confidential-containers-system get all; echo; echo CAA; kubectl -n confidential-containers-system logs daemonset.apps/cloud-api-adaptor-daemonset; echo pre-install; kubectl -n confidential-containers-system logs daemonset.apps/cc-operator-pre-install-daemon; echo install; kubectl -n confidential-containers-system logs daemonset.apps/cc-operator-daemon-install; exit 1; }
+done; exit 1 ) || { echo "kata-remote runtimeclass not initialized in 60s"; kubectl -n confidential-containers-system get all; echo; echo "kubectl -n confidential-containers-system describe all"; kubectl -n confidential-containers-system describe all; echo; echo CAA; kubectl -n confidential-containers-system logs daemonset.apps/cloud-api-adaptor-daemonset; echo pre-install; kubectl -n confidential-containers-system logs daemonset.apps/cc-operator-pre-install-daemon; echo install; kubectl -n confidential-containers-system logs daemonset.apps/cc-operator-daemon-install; exit 1; }


 ################
--- a/docs/Developer-Guide.md
+++ b/docs/Developer-Guide.md
@@ -450,7 +450,7 @@ You can build and install the guest kernel image as shown [here](../tools/packag
 # Install a hypervisor

 When setting up Kata using a [packaged installation method](install/README.md#installing-on-a-linux-system), the
-`QEMU` VMM is installed automatically. Cloud-Hypervisor, Firecracker and StratoVirt VMMs are available from the [release tarballs](https://github.com/kata-containers/kata-containers/releases), as well as through [`kata-deploy`](../tools/packaging/kata-deploy/README.md).
+`QEMU` VMM is installed automatically. Cloud-Hypervisor, Firecracker and StratoVirt VMMs are available from the [release tarballs](https://github.com/kata-containers/kata-containers/releases), as well as through [`kata-deploy`](../tools/packaging/kata-deploy/helm-chart/README.md).
 You may choose to manually build your VMM/hypervisor.

 ## Build a custom QEMU
--- a/docs/Limitations.md
+++ b/docs/Limitations.md
@@ -166,19 +166,65 @@ moment.
 See [this issue](https://github.com/kata-containers/runtime/issues/2812) for more details.
 [Another issue](https://github.com/kata-containers/kata-containers/issues/1728) focuses on the case of `emptyDir`.

-## Host resource sharing
+### Kubernetes [hostPath][k8s-hostpath] volumes

-### Privileged containers
+In Kata, Kubernetes hostPath volumes can mount host directories and
+regular files into the guest VM via filesystem sharing, if it is enabled
+through the `shared_fs` [configuration][runtime-config] flag.
+
+By default:
+
+ - Non-TEE environment: Filesystem sharing is used to mount host files.
+ - TEE environment: Filesystem sharing is disabled. Instead, host files
+   are copied into the guest VM when the container starts, and file
+   changes are *not* synchronized between the host and the guest.
+
+In some cases, the behavior of hostPath volumes in Kata is further
+different compared to `runc` containers:
+
+**Mounting host block devices**: When a hostPath volume is of type
+[`BlockDevice`][k8s-blockdevice], Kata hotplugs the host block device
+into the guest and exposes it directly to the container.
+
+**Mounting guest devices**: When the source path of a hostPath volume is
+under `/dev`, and the path either corresponds to a host device or is not
+accessible by the Kata shim, the Kata agent bind mounts the source path
+directly from the *guest* filesystem into the container.
+
+[runtime-config]: /src/runtime/README.md#configuration
+[k8s-hostpath]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
+[k8s-blockdevice]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath-volume-types
+
+### Mounting `procfs` and `sysfs`
+
+For security reasons, the following mounts are disallowed:
+
+| Type              | Source    | Destination                      | Rationale      |
+|-------------------|-----------|----------------------------------|----------------|
+| `bind`            | `!= proc` | `/proc`                          | CVE-2019-16884 |
+| `bind`            | `*`       | `/proc/*` (see exceptions below) | CVE-2019-16884 |
+| `proc \|\| sysfs` | `*`       | not a directory (e.g. symlink)   | CVE-2019-19921 |
+
+For bind mounts under /proc, these destinations are allowed:
+	
+ * `/proc/cpuinfo`
+ * `/proc/diskstats`
+ * `/proc/meminfo`
+ * `/proc/stat`
+ * `/proc/swaps`
+ * `/proc/uptime`
+ * `/proc/loadavg`
+ * `/proc/net/dev`
+
+## Privileged containers

 Privileged support in Kata is essentially different from `runc` containers.
-The container runs with elevated capabilities within the guest and is granted
-access to guest devices instead of the host devices.
+The container runs with elevated capabilities within the guest.
 This is also true with using `securityContext privileged=true` with Kubernetes.

-The container may also be granted full access to a subset of host devices
-(https://github.com/kata-containers/runtime/issues/1568).
-
-See [Privileged Kata Containers](how-to/privileged.md) for how to configure some of this behavior.
+Importantly, the default behavior to pass the host devices to a
+privileged container is not supported in Kata Containers and needs to be
+disabled, see [Privileged Kata Containers](how-to/privileged.md).

 # Appendices

--- a/docs/how-to/README.md
+++ b/docs/how-to/README.md
@@ -31,6 +31,7 @@
 - [Setting Sysctls with Kata](how-to-use-sysctls-with-kata.md)
 - [What Is VMCache and How To Enable It](what-is-vm-cache-and-how-do-I-use-it.md)
 - [What Is VM Templating and How To Enable It](what-is-vm-templating-and-how-do-I-use-it.md)
+- [How to Use Template in runtime-rs](how-to-use-template-in-runtime-rs.md)
 - [Privileged Kata Containers](privileged.md)
 - [How to load kernel modules in Kata Containers](how-to-load-kernel-modules-with-kata.md)
 - [How to use Kata Containers with `virtio-mem`](how-to-use-virtio-mem-with-kata.md)
@@ -48,3 +49,4 @@
 - [How to use the Kata Agent Policy](how-to-use-the-kata-agent-policy.md)
 - [How to pull images in the guest](how-to-pull-images-in-guest-with-kata.md)
 - [How to use mem-agent to decrease the memory usage of Kata container](how-to-use-memory-agent.md)
+- [How to use seccomp with runtime-rs](how-to-use-seccomp-with-runtime-rs.md)
--- a/docs/how-to/how-to-run-kata-containers-with-SE-VMs.md
+++ b/docs/how-to/how-to-run-kata-containers-with-SE-VMs.md
@@ -89,16 +89,16 @@ However, if any of these components are absent, they must be built from the
 $ # Assume that the project is cloned at $GOPATH/src/github.com/kata-containers
 $ cd $GOPATH/src/github.com/kata-containers/kata-containers
 $ make rootfs-initrd-confidential-tarball
-$ tar -tf build/kata-static-kernel-confidential.tar.xz | grep vmlinuz
+$ tar --zstd -tf build/kata-static-kernel-confidential.tar.zst | grep vmlinuz
 ./opt/kata/share/kata-containers/vmlinuz-confidential.container
 ./opt/kata/share/kata-containers/vmlinuz-6.7-136-confidential
 $ kernel_version=6.7-136
-$ tar -tf build/kata-static-rootfs-initrd-confidential.tar.xz | grep initrd
+$ tar --zstd -tf build/kata-static-rootfs-initrd-confidential.tar.zst | grep initrd
 ./opt/kata/share/kata-containers/kata-containers-initrd-confidential.img
 ./opt/kata/share/kata-containers/kata-ubuntu-20.04-confidential.initrd
 $ mkdir artifacts
-$ tar -xvf build/kata-static-kernel-confidential.tar.xz -C artifacts ./opt/kata/share/kata-containers/vmlinuz-${kernel_version}-confidential
-$ tar -xvf build/kata-static-rootfs-initrd-confidential.tar.xz -C artifacts ./opt/kata/share/kata-containers/kata-ubuntu-20.04-confidential.initrd
+$ tar --zstd -xvf build/kata-static-kernel-confidential.tar.zst -C artifacts ./opt/kata/share/kata-containers/vmlinuz-${kernel_version}-confidential
+$ tar --zstd -xvf build/kata-static-rootfs-initrd-confidential.tar.zst -C artifacts ./opt/kata/share/kata-containers/kata-ubuntu-20.04-confidential.initrd
 $ ls artifacts/opt/kata/share/kata-containers/
 kata-ubuntu-20.04-confidential.initrd  vmlinuz-${kernel_version}-confidential
 ```
@@ -190,8 +190,8 @@ can be easily accomplished by issuing the following make target:
 $ cd $GOPATH/src/github.com/kata-containers/kata-containers
 $ mkdir hkd_dir && cp $host_key_document hkd_dir
 $ HKD_PATH=hkd_dir SE_KERNEL_PARAMS="agent.log=debug" make boot-image-se-tarball
-$ ls build/kata-static-boot-image-se.tar.xz
-build/kata-static-boot-image-se.tar.xz
+$ ls build/kata-static-boot-image-se.tar.zst
+build/kata-static-boot-image-se.tar.zst
 ```

 `SE_KERNEL_PARAMS` could be used to add any extra kernel parameters. If no additional kernel configuration is required, this can be omitted.
@@ -318,7 +318,7 @@ Finally, an operational kata container with IBM Secure Execution is now running.

 It is reasonable to expect that the manual steps mentioned above can be easily executed.
 Typically, you can use
-[kata-deploy](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/README.md)
+[kata-deploy](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/helm-chart/README.md)
 to install Kata Containers on a Kubernetes cluster. However, when leveraging IBM Secure Execution,
 you need to employ the confidential container's
 [operator](https://github.com/confidential-containers/operator).
@@ -344,18 +344,18 @@ $ make virtiofsd-tarball
 $ make shim-v2-tarball
 $ mkdir kata-artifacts
 $ build_dir=$(readlink -f build)
-$ cp -r $build_dir/*.tar.xz kata-artifacts
+$ cp -r $build_dir/*.tar.zst kata-artifacts
 $ ls -1 kata-artifacts
-kata-static-agent.tar.xz
-kata-static-boot-image-se.tar.xz
-kata-static-coco-guest-components.tar.xz
-kata-static-kernel-confidential-modules.tar.xz
-kata-static-kernel-confidential.tar.xz
-kata-static-pause-image.tar.xz
-kata-static-qemu.tar.xz
-kata-static-rootfs-initrd-confidential.tar.xz
-kata-static-shim-v2.tar.xz
-kata-static-virtiofsd.tar.xz
+kata-static-agent.tar.zst
+kata-static-boot-image-se.tar.zst
+kata-static-coco-guest-components.tar.zst
+kata-static-kernel-confidential-modules.tar.zst
+kata-static-kernel-confidential.tar.zst
+kata-static-pause-image.tar.zst
+kata-static-qemu.tar.zst
+kata-static-rootfs-initrd-confidential.tar.zst
+kata-static-shim-v2.tar.zst
+kata-static-virtiofsd.tar.zst
 $ ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
 ```

@@ -369,7 +369,7 @@ command before running `kata-deploy-merge-builds.sh`:
 $ make rootfs-image-tarball
 ```

-At this point, you should have an archive file named `kata-static.tar.xz` at the project root,
+At this point, you should have an archive file named `kata-static.tar.zst` at the project root,
 which will be used to build a payload image. If you are using a local container registry at
 `localhost:5000`, proceed with the following:

@@ -381,7 +381,7 @@ Build and push a payload image with the name `localhost:5000/build-kata-deploy`
 `latest` using the following:

 ```
-$ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh kata-static.tar.xz localhost:5000/build-kata-deploy latest
+$ ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh kata-static.tar.zst localhost:5000/build-kata-deploy latest
 ... logs ...
 Pushing the image localhost:5000/build-kata-deploy:latest to the registry
 The push refers to repository [localhost:5000/build-kata-deploy]
--- a/docs/how-to/how-to-use-kata-containers-with-firecracker.md
+++ b/docs/how-to/how-to-use-kata-containers-with-firecracker.md
@@ -104,12 +104,20 @@ LOW_WATER_MARK=32768
 sudo dmsetup create "${POOL_NAME}" \
    --table "0 ${LENGTH_IN_SECTORS} thin-pool ${META_DEV} ${DATA_DEV} ${DATA_BLOCK_SIZE} ${LOW_WATER_MARK}"

+# Determine plugin name based on containerd config version
+CONFIG_VERSION=$(containerd config dump | awk '/^version/ {print $3}')
+if [ "$CONFIG_VERSION" -ge 2 ]; then
+    PLUGIN="io.containerd.snapshotter.v1.devmapper"
+else
+    PLUGIN="devmapper"
+fi
+
 cat << EOF
 #
 # Add this to your config.toml configuration file and restart containerd daemon
 #
 [plugins]
-  [plugins.devmapper]
+  [plugins."${PLUGIN}"]
    pool_name = "${POOL_NAME}"
    root_path = "${DATA_DIR}"
    base_image_size = "10GB"
--- a/docs/how-to/how-to-use-seccomp-with-runtime-rs.md
+++ b/docs/how-to/how-to-use-seccomp-with-runtime-rs.md
@@ -0,0 +1,44 @@
+## Introduction
+
+To enhance security, Kata Containers supports using seccomp to restrict the hypervisor's system calls. Previously, this was only supported for a subset of hypervisors in runtime-go. Now, the runtime-rs also supports seccomp. This document describes how to enable/disable the seccomp feature for the corresponding hypervisor in runtime-rs.
+
+## Pre-requisites
+
+1. Ensure your system's kernel supports **seccomp**.
+2. Confirm that each of the following virtual machines can run correctly on your system.
+
+## Configure seccomp
+
+With the exception of `qemu`, seccomp is enabled by default for all other supported hypervisors. Their corresponding built-in functionalities are also enabled by default.
+
+### QEMU
+
+As with runtime-go, you need to modify the following in your **configuration file**. These parameters will be passed directly to the `qemu` startup command line. For more details on the parameters, you can refer to: [https://www.qemu.org/docs/master/system/qemu-manpage.html](https://www.qemu.org/docs/master/system/qemu-manpage.html)
+
+``` toml
+# Qemu seccomp sandbox feature
+# comma-separated list of seccomp sandbox features to control the syscall access.
+# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
+# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
+# Another note: enabling this feature may reduce performance, you may enable
+# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
+seccompsandbox="on,obsolete=deny,spawn=deny,resourcecontrol=deny"
+```
+### Cloud Hypervisor, Firecracker and Dragonball
+
+The **seccomp** functionality is enabled by default for the following three hypervisors: `cloud hypervisor`, `firecracker`, and `dragonball`.
+
+The seccomp rules for `cloud hypervisor` and `firecracker` are built directly into their executable files. For `dragonball`, the relevant configuration is currently located at `src/runtime-rs/crates/hypervisor/src/dragonball/seccomp.rs`.
+
+To disable this functionality for these hypervisors, you can modify the following configuration options in your **configuration file**.
+
+``` toml
+# Disable the 'seccomp' feature from Cloud Hypervisor, firecracker or dragonball, default false
+disable_seccomp = true
+```
+
+## Implementation details
+
+For `qemu`, `cloud hypervisor`, and `firecracker`, their **seccomp** functionality is built into the respective executable files you are using. **runtime-rs** simply provides command-line arguments for their launch based on the configuration file.
+
+For `dragonball`, a set of allowed system calls is currently provided for the entire **runtime-rs** process, and the process is prevented from using any system calls outside of this whitelist. As mentioned above, this set is located at `src/runtime-rs/crates/hypervisor/src/dragonball/seccomp.rs`.
--- a/docs/how-to/how-to-use-template-in-runtime-rs.md
+++ b/docs/how-to/how-to-use-template-in-runtime-rs.md
@@ -0,0 +1,119 @@
+# How to Use Template in runtime-rs
+
+## What is VM Templating
+
+VM templating is a Kata Containers feature that enables new VM creation using a cloning technique. When enabled, new VMs are created by cloning from a pre-created template VM, and they will share the same initramfs, kernel and agent memory in readonly mode. It is very much like a process fork done by the kernel but here we *fork* VMs.
+
+For more details on VM templating, refer to the [What is VM templating and how do I use it](./what-is-vm-templating-and-how-do-I-use-it.md) article.
+
+## How to Enable VM Templating
+
+VM templating can be enabled by changing your Kata Containers config file (`/opt/kata/share/defaults/kata-containers/runtime-rs/configuration.toml`, overridden by `/etc/kata-containers/configuration.toml` if provided) such that:
+
+- `qemu` version `v4.1.0` or above is specified in `hypervisor.qemu`->`path` section
+- `enable_template = true`
+- `template_path = "/run/vc/vm/template"` (default value, can be customized as needed)
+- `initrd =` is set
+- `image =` option is commented out or removed
+- `shared_fs =` option is commented out or removed
+- `default_memory =` should be set to more than 256MB
+
+Then you can create a VM template for later usage by calling:
+
+### Initialize and create the VM template
+The `factory init` command creates a VM template by launching a new VM, initializing the Kata Agent, then pausing and saving its state (memory and device snapshots) to the template directory. This saved template is used to rapidly clone new VMs using QEMU's memory sharing capabilities.
+
+```bash
+sudo kata-ctl factory init
+```
+
+### Check the status of the VM template
+
+The `factory status` command checks whether a VM template currently exists by verifying the presence of template files (memory snapshot and device state). It will output "VM factory is on" if the template exists, or "VM factory is off" otherwise.
+
+```bash
+sudo kata-ctl factory status
+```
+
+### Destroy and clean up the VM template
+
+The `factory destroy` command removes the VM template by remove the `tmpfs` filesystem and deleting the template directory along with all its contents.
+
+```bash
+sudo kata-ctl factory destroy
+```
+
+## How to Create a New VM from VM Template
+In the Go version of Kata Containers, the VM templating mechanism is implemented using virtio-9p (9pfs). However, 9pfs is not supported in runtime-rs due to its poor performance, limited cache coherence, and security risks. Instead, runtime-rs adopts `VirtioFS` as the default mechanism to provide rootfs for containers and VMs.
+
+Yet, when enabling the VM template mechanism, `VirtioFS` introduces conflicts in memory sharing because its DAX-based shared memory mapping overlaps with the template's page-sharing design. To resolve these conflicts and ensure strict isolation between cloned VMs, runtime-rs replaces `VirtioFS` with the snapshotter approach — specifically, the `blockfile` snapshotter.
+
+The `blockfile` snapshotter is used in runtime-rs because it provides each VM with an independent block-based root filesystem, ensuring strong isolation and full compatibility with the VM templating mechanism.
+
+### Configure Snapshotter
+
+#### Check if `Blockfile` Snapshotter is Available
+```bash
+ctr plugins ls | grep blockfile
+```
+
+If not available, continue with the following steps:
+
+#### Create Scratch File
+```bash
+dd if=/dev/zero of=/opt/containerd/blockfile bs=1M count=500
+sudo mkfs.ext4 /opt/containerd/blockfile
+```
+
+#### Configure containerd
+Edit the containerd configuration file:
+```bash
+sudo vim /etc/containerd/config.toml
+```
+Add or modify the following configuration for the `blockfile` snapshotter:
+```toml
+[plugins."io.containerd.snapshotter.v1.blockfile"]
+  scratch_file = "/opt/containerd/blockfile"
+  root_path = ""
+  fs_type = "ext4"
+  mount_options = []
+  recreate_scratch = true
+```
+
+#### Restart containerd
+After modifying the configuration, restart containerd to apply changes:
+
+```bash
+sudo systemctl restart containerd
+```
+
+### Run Container with `blockfile` Snapshotter
+After the VM template is created, you can pull an image and run a container using the `blockfile` snapshotter:
+
+```bash
+ctr run --rm -t --snapshotter blockfile docker.io/library/busybox:latest template sh
+```
+
+We can verify whether a VM was launched from a template or started normally by checking the launch parameters — if the parameters contain `incoming`, it indicates that the VM was started from a template rather than created directly.
+
+## Performance Test
+
+The comparative experiment between **template-based VM** creation and **direct VM** creation showed that the template-based approach achieved a ≈ **73.2%** reduction in startup latency (average launch time of **0.6s** vs. **0.82s**) and a ≈ **79.8%** reduction in memory usage (average memory usage of **178.2 MiB** vs. **223.2 MiB**), demonstrating significant improvements in VM startup efficiency and resource utilization.
+
+The test script is as follows:
+
+```bash
+# Clear the page cache, dentries, and inodes to free up memory
+echo 3 | sudo tee /proc/sys/vm/drop_caches
+
+# Display the current memory usage
+free -h
+
+# Create 100 normal VMs and template-based VMs, and track the time
+time for I in $(seq 100); do
+  echo -n " ${I}th"  # Display the iteration number
+  ctr run -d --runtime io.containerd.kata.v2 --snapshotter blockfile docker.io/library/busybox:latest normal/template${I}
+done
+
+# Display the memory usage again after running the test
+free -h
--- a/docs/how-to/how-to-use-the-kata-agent-policy.md
+++ b/docs/how-to/how-to-use-the-kata-agent-policy.md
@@ -32,11 +32,24 @@ Kubernetes users can encode in `base64` format their Policy documents, and add t

 ### Encode a Policy file

-For example, the [`allow-all-except-exec-process.rego`](../../src/kata-opa/allow-all-except-exec-process.rego) sample policy file is different from the [default Policy](../../src/kata-opa/allow-all.rego) because it rejects any `ExecProcess` requests. You can encode this policy file:
+For example, the [`allow-all-except-exec-process.rego`](../../src/kata-opa/allow-all-except-exec-process.rego) sample policy file is different from the [default Policy](../../src/kata-opa/allow-all.rego) because it rejects any `ExecProcess` requests. To encode this policy file, you need to:
+- Embed the policy inside an init data struct
+- Compress
+- Base64 encode 
+For example:

 ```bash
-$ base64 -w 0 allow-all-except-exec-process.rego
-cGFja2FnZSBhZ2VudF9wb2xpY3kKCmRlZmF1bHQgQWRkQVJQTmVpZ2hib3JzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgQWRkU3dhcFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IENsb3NlU3RkaW5SZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBDb3B5RmlsZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IENyZWF0ZUNvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IENyZWF0ZVNhbmRib3hSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBEZXN0cm95U2FuZGJveFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IEdldE1ldHJpY3NSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBHZXRPT01FdmVudFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IEd1ZXN0RGV0YWlsc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IExpc3RJbnRlcmZhY2VzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgTGlzdFJvdXRlc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IE1lbUhvdHBsdWdCeVByb2JlUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgT25saW5lQ1BVTWVtUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUGF1c2VDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBQdWxsSW1hZ2VSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZWFkU3RyZWFtUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUmVtb3ZlQ29udGFpbmVyUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUmVtb3ZlU3RhbGVWaXJ0aW9mc1NoYXJlTW91bnRzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUmVzZWVkUmFuZG9tRGV2UmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUmVzdW1lQ29udGFpbmVyUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU2V0R3Vlc3REYXRlVGltZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFNldFBvbGljeVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFNpZ25hbFByb2Nlc3NSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBTdGFydENvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFN0YXJ0VHJhY2luZ1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFN0YXRzQ29udGFpbmVyUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU3RvcFRyYWNpbmdSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBUdHlXaW5SZXNpemVSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBVcGRhdGVDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBVcGRhdGVFcGhlbWVyYWxNb3VudHNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBVcGRhdGVJbnRlcmZhY2VSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBVcGRhdGVSb3V0ZXNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBXYWl0UHJvY2Vzc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFdyaXRlU3RyZWFtUmVxdWVzdCA6PSB0cnVlCgpkZWZhdWx0IEV4ZWNQcm9jZXNzUmVxdWVzdCA6PSBmYWxzZQo=
+$ STRING="$(< allow-all-except-exec-process.rego)"
+$ cat <<EOF | gzip -c | base64 -w0
+version = "0.1.0"
+algorithm = "sha256"
+
+[data]
+"policy.rego" = '''
+$STRING
+'''
+EOF
+H4sIAAAAAAAAA42UTW/TQBCG7/4Vq/QQOCQKQXCo1ENIAkRqiGWnpBJCaGKP7RXrXTM7DnV/PRMiVUh07R582J3H8/XO7AnJa2fVjRrNpm+ms1EEpnSkuarPd76C+bv3oyj6lgPD92jUOKOzbkpYupEA4/E4ulJL13Sky4rVq+y1ms/mb9VWZ+S8K1iM1DgClijRlcBpvLqf3OoMrcfJJkfLutBI12rRQFbhZD6dCRfJ4SeUqOSz/OMSNopyLKA1rBZ5vkjiLyhBj458gr9a9KyubxRTi/9i6W9oQualcR5TzrUNElLZR20waCcExqWzDNoi9WMp2PzoHkLQSi7JdQPUJ+QtMuksWLQQu912fZK+BZHz7QolaRN0c6s9bywjFZBhL5W4lsPEFuvPjhvTlh+6mNwx2MudNdLDZXwnf4SYGFo/3O64NWZTy+SEgAQhT1lECQZKsHan4UgXLGUw+FWTzHjh0woIt661HGxJgh4xT0RoV6/w1IO19XAOKfJFTxmxva6DRQsX/12jIKBLC0Y0Er2DuUutxMM5nak9QaZt2cOwf4En1ww42nN3OK+w14/B4u+a/CWLesHWTYU1Eph+GS/w0470Y/1LcgDNA40/yKOMzw/tE7N+wOx/NwUYj9H5qf4DsX93tO4FAAA=
 ```

 ### Attach the Policy to a pod
@@ -49,7 +62,7 @@ kind: Pod
 metadata:
  name: policy-exec-rejected
  annotations:
-    io.katacontainers.config.agent.policy: cGFja2FnZSBhZ2VudF9wb2xpY3kKCmRlZmF1bHQgQWRkQVJQTmVpZ2hib3JzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgQWRkU3dhcFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IENsb3NlU3RkaW5SZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBDb3B5RmlsZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IENyZWF0ZUNvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IENyZWF0ZVNhbmRib3hSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBEZXN0cm95U2FuZGJveFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IEdldE1ldHJpY3NSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBHZXRPT01FdmVudFJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IEd1ZXN0RGV0YWlsc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IExpc3RJbnRlcmZhY2VzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgTGlzdFJvdXRlc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IE1lbUhvdHBsdWdCeVByb2JlUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgT25saW5lQ1BVTWVtUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUGF1c2VDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBQdWxsSW1hZ2VSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBSZWFkU3RyZWFtUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUmVtb3ZlQ29udGFpbmVyUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUmVtb3ZlU3RhbGVWaXJ0aW9mc1NoYXJlTW91bnRzUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUmVzZWVkUmFuZG9tRGV2UmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgUmVzdW1lQ29udGFpbmVyUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU2V0R3Vlc3REYXRlVGltZVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFNldFBvbGljeVJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFNpZ25hbFByb2Nlc3NSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBTdGFydENvbnRhaW5lclJlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFN0YXJ0VHJhY2luZ1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFN0YXRzQ29udGFpbmVyUmVxdWVzdCA6PSB0cnVlCmRlZmF1bHQgU3RvcFRyYWNpbmdSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBUdHlXaW5SZXNpemVSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBVcGRhdGVDb250YWluZXJSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBVcGRhdGVFcGhlbWVyYWxNb3VudHNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBVcGRhdGVJbnRlcmZhY2VSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBVcGRhdGVSb3V0ZXNSZXF1ZXN0IDo9IHRydWUKZGVmYXVsdCBXYWl0UHJvY2Vzc1JlcXVlc3QgOj0gdHJ1ZQpkZWZhdWx0IFdyaXRlU3RyZWFtUmVxdWVzdCA6PSB0cnVlCgpkZWZhdWx0IEV4ZWNQcm9jZXNzUmVxdWVzdCA6PSBmYWxzZQo=
+    io.katacontainers.config.hypervisor.cc_init_data: H4sIAAAAAAAAA42UTW/TQBCG7/4Vq/QQOCQKQXCo1ENIAkRqiGWnpBJCaGKP7RXrXTM7DnV/PRMiVUh07R582J3H8/XO7AnJa2fVjRrNpm+ms1EEpnSkuarPd76C+bv3oyj6lgPD92jUOKOzbkpYupEA4/E4ulJL13Sky4rVq+y1ms/mb9VWZ+S8K1iM1DgClijRlcBpvLqf3OoMrcfJJkfLutBI12rRQFbhZD6dCRfJ4SeUqOSz/OMSNopyLKA1rBZ5vkjiLyhBj458gr9a9KyubxRTi/9i6W9oQualcR5TzrUNElLZR20waCcExqWzDNoi9WMp2PzoHkLQSi7JdQPUJ+QtMuksWLQQu912fZK+BZHz7QolaRN0c6s9bywjFZBhL5W4lsPEFuvPjhvTlh+6mNwx2MudNdLDZXwnf4SYGFo/3O64NWZTy+SEgAQhT1lECQZKsHan4UgXLGUw+FWTzHjh0woIt661HGxJgh4xT0RoV6/w1IO19XAOKfJFTxmxva6DRQsX/12jIKBLC0Y0Er2DuUutxMM5nak9QaZt2cOwf4En1ww42nN3OK+w14/B4u+a/CWLesHWTYU1Eph+GS/w0470Y/1LcgDNA40/yKOMzw/tE7N+wOx/NwUYj9H5qf4DsX93tO4FAAA=
 spec:
  runtimeClassName: kata
  containers:
@@ -66,7 +79,7 @@ Create the pod:
 $ kubectl apply -f pod1.yaml
 ```

-While creating the Pod sandbox, the Kata Shim will notice the `io.katacontainers.config.agent.policy` annotation and will send the Policy document to the Kata Agent - by sending a `SetPolicy` request. Note that this request will fail if the default Policy, included in the Guest image, doesn't allow this `SetPolicy` request. If the `SetPolicy` request is rejected by the Guest, the Kata Shim will fail to start the Pod sandbox.
+While creating the Pod sandbox, the Kata Shim will notice the `io.katacontainers.config.hypervisor.cc_init_data` annotation and will create the init data device on the host and mount it on the guest as a block device. The agent then reads the init data struct from this device and sets the policy if present.

 # How is the Policy being enforced?

--- a/docs/how-to/how-to-use-virtio-fs-with-kata.md
+++ b/docs/how-to/how-to-use-virtio-fs-with-kata.md
@@ -6,4 +6,4 @@ Container deployments utilize explicit or implicit file sharing between host fil

 As of the 2.0 release of Kata Containers, [virtio-fs](https://virtio-fs.gitlab.io/) is the default filesystem sharing mechanism.

-virtio-fs support works out of the box for `cloud-hypervisor` and `qemu`, when Kata Containers is deployed using `kata-deploy`. Learn more about `kata-deploy` and how to use `kata-deploy` in Kubernetes [here](../../tools/packaging/kata-deploy/README.md#kubernetes-quick-start).
+virtio-fs support works out of the box for `cloud-hypervisor` and `qemu`, when Kata Containers is deployed using `kata-deploy`. Learn more about `kata-deploy` and how to use `kata-deploy` in Kubernetes [here](../../tools/packaging/kata-deploy/helm-chart/README.md).
--- a/docs/how-to/privileged.md
+++ b/docs/how-to/privileged.md
@@ -1,22 +1,25 @@
 # Privileged Kata Containers

+> [!WARNING]
+> Whilst this functionality is supported, it can decrease the security of Kata Containers if not configured correctly.
+
 Kata Containers supports creation of containers that are "privileged" (i.e. have additional capabilities and access
 that is not normally granted).

-## Warnings
+## Enabling privileged containers without host devices

-**Warning:** Whilst this functionality is supported, it can decrease the security of Kata Containers if not configured 
-correctly.
+> [!TIP]
+> When Kata Containers is installed through
+> [kata-deploy](/tools/packaging/kata-deploy/helm-chart/README.md#kata-deploy-helm-chart), this mitigation is configured
+> out of the box, hence there is no action required in that case.

-### Host Devices
+By default, a privileged container attempts to expose all devices from the host. This is generally not supported in Kata
+Containers as the container is running a different kernel than the host.

-By default, when privileged is enabled for a container, all the `/dev/*` block devices from the host are mounted
-into the guest. This will allow the privileged container inside the Kata guest to gain access to mount any block device 
-from the host, a potentially undesirable side-effect that decreases the security of Kata.
+Instead, the following sections document how to disable this behavior in different container runtimes. Note that this
+mitigation does not affect a container's ability to mount *guest* devices.

-The following sections document how to configure this behavior in different container runtimes.
-
-#### Containerd
+## Containerd

 The Containerd allows configuring the privileged host devices behavior for each runtime in the containerd config. This is
 done with the `privileged_without_host_devices` option. Setting this to `true` will disable hot plugging of the host 
@@ -43,7 +46,7 @@ See below example config:
 - [How to use Kata Containers and containerd with Kubernetes](how-to-use-k8s-with-containerd-and-kata.md)
 - [Containerd CRI config documentation](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)

-#### CRI-O
+## CRI-O

 Similar to containerd, CRI-O allows configuring the privileged host devices
 behavior for each runtime in the CRI config. This is done with the 
--- a/docs/install/README.md
+++ b/docs/install/README.md
@@ -8,50 +8,11 @@ Kata Containers requires nested virtualization or bare metal. Check
 [hardware requirements](./../../README.md#hardware-requirements) to see if your system is capable of running Kata 
 Containers.

-## Packaged installation methods
-
-The packaged installation method uses your distribution's native package format (such as RPM or DEB).
-
-> **Note:**
->
-> We encourage you to select an installation method that provides
-> automatic updates, to ensure you get the latest security updates and
-> bug fixes.
-
-| Installation method                                  | Description                                                                                  | Automatic updates | Use case                                                                                      |
-|------------------------------------------------------|----------------------------------------------------------------------------------------------|-------------------|-----------------------------------------------------------------------------------------------|
-| [Using official distro packages](#official-packages) | Kata packages provided by Linux distributions official repositories                          | yes               | Recommended for most users.                                                                   |
-| [Automatic](#automatic-installation)                 | Run a single command to install a full system                                                | **No!**           | For those wanting the latest release quickly.                                                 |
-| [Using kata-deploy Helm chart](#kata-deploy-helm-chart)       | The preferred way to deploy the Kata Containers distributed binaries on a Kubernetes cluster | **No!**           | Best way to give it a try on kata-containers on an already up and running Kubernetes cluster. |
-
-### Kata Deploy Helm Chart
-
-The Kata Deploy Helm chart is a convenient way to install all of the binaries and
+The Kata Deploy Helm chart is the preferred  way to install all of the binaries and
 artifacts required to run Kata Containers on Kubernetes.

 [Use Kata Deploy Helm Chart](/tools/packaging/kata-deploy/helm-chart/README.md) to install Kata Containers on a Kubernetes Cluster.

-### Official packages
-
-Kata packages are provided by official distribution repositories for:
-
-| Distribution (link to installation guide)                | Minimum versions                                                               |
-|----------------------------------------------------------|--------------------------------------------------------------------------------|
-| [CentOS](centos-installation-guide.md)                   | 8                                                                              |
-| [Fedora](fedora-installation-guide.md)                   | 34                                                                             |
-
-### Automatic Installation
-
-[Use `kata-manager`](/utils/README.md) to automatically install a working Kata Containers system.
-
-## Installing on a Cloud Service Platform
-
-* [Amazon Web Services (AWS)](aws-installation-guide.md)
-* [Google Compute Engine (GCE)](gce-installation-guide.md)
-* [Microsoft Azure](azure-installation-guide.md)
-* [Minikube](minikube-installation-guide.md)
-* [VEXXHOST OpenStack Cloud](vexxhost-installation-guide.md)
-
 ## Further information

 * [upgrading document](../Upgrading.md)
--- a/docs/install/aws-installation-guide.md
+++ b/docs/install/aws-installation-guide.md
@@ -1,135 +0,0 @@
-# Install Kata Containers on Amazon Web Services
-
-Kata Containers on Amazon Web Services (AWS) makes use of [i3.metal](https://aws.amazon.com/ec2/instance-types/i3/) instances. Most of the installation procedure is identical to that for Kata on your preferred distribution, except that you have to run it on bare metal instances since AWS doesn't support nested virtualization yet. This guide walks you through creating an i3.metal instance.
-
-## Install and Configure AWS CLI
-
-### Requirements
-
-* Python:
-  * Python 2 version 2.6.5+
-  * Python 3 version 3.3+
-
-### Install
-
-Install with this command:
-
-```bash
-$ pip install awscli --upgrade --user
-```
-
-### Configure
-
-First, verify it:
-
-```bash
-$ aws --version
-```
-
-Then configure it:
-
-```bash
-$ aws configure
-```
-
-Specify the required parameters:
-
-```
-AWS Access Key ID []: <your-key-id-from-iam>
-AWS Secret Access Key []: <your-secret-access-key-from-iam>
-Default region name []: <your-aws-region-for-your-i3-metal-instance>
-Default output format [None]: <yaml-or-json-or-empty>
-```
-
-Alternatively, you can create the files: `~/.aws/credentials` and `~/.aws/config`:
-
-```bash
-$ cat <<EOF > ~/.aws/credentials
-[default]
-aws_access_key_id = <your-key-id-from-iam>
-aws_secret_access_key = <your-secret-access-key-from-iam>
-EOF
-$ cat <<EOF > ~/.aws/config
-[default]
-region = <your-aws-region-for-your-i3-metal-instance>
-EOF
-```
-
-For more information on how to get AWS credentials please refer to [this guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html). Alternatively, you can ask the administrator of your AWS account to issue one with the AWS CLI:
-
-```sh
-$ aws_username="myusername"
-$ aws iam create-access-key --user-name="$aws_username"
-```
-
-More general AWS CLI guidelines can be found [here](https://docs.aws.amazon.com/cli/latest/userguide/installing.html).
-
-## Create or Import an EC2 SSH key pair
-
-You will need this to access your instance.
-
-To create:
-
-```bash
-$ aws ec2 create-key-pair --key-name MyKeyPair | grep KeyMaterial | cut -d: -f2- | tr -d ' \n\"\,' > MyKeyPair.pem
-$ chmod 400 MyKeyPair.pem
-```
-
-Alternatively to import using your public SSH key:
-
-```bash
-$ aws ec2 import-key-pair --key-name "MyKeyPair" --public-key-material file://MyKeyPair.pub
-```
-
-## Launch i3.metal instance
-
-Get the latest Bionic Ubuntu AMI (Amazon Image) or the latest AMI for the Linux distribution you would like to use. For example:
-
-```bash
-$ aws ec2 describe-images --owners 099720109477 --filters "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server*" --query 'sort_by(Images, &CreationDate)[].ImageId '
-```
-
-This command will produce output similar to the following:
-
-```
-[
-    ...
-    "ami-063aa838bd7631e0b",
-    "ami-03d5270fcb641f79b"
-]
-```
-
-Launch the EC2 instance and pick IP the `INSTANCEID`:
-
-```bash
-$ aws ec2 run-instances --image-id ami-03d5270fcb641f79b --count 1 --instance-type i3.metal --key-name MyKeyPair --associate-public-ip-address > /tmp/aws.json
-$ export INSTANCEID=$(grep InstanceId /tmp/aws.json | cut -d: -f2- | tr -d ' \n\"\,')
-```
-
-Wait for the instance to come up, the output of the following command should be `running`:
-
-```bash
-$ aws ec2 describe-instances --instance-id=${INSTANCEID} | grep running | cut -d: -f2- | tr -d ' \"\,'
-```
-
-Get the public IP address for the instances:
-
-```bash
-$ export IP=$(aws ec2 describe-instances --instance-id=${INSTANCEID} | grep PublicIpAddress | cut -d: -f2- | tr -d ' \n\"\,')
-```
-
-Refer to [this guide](https://docs.aws.amazon.com/cli/latest/userguide/cli-ec2-launch.html) for more details on how to launch instances with the AWS CLI.
-
-SSH into the machine
-
-```bash
-$ ssh -i MyKeyPair.pem ubuntu@${IP}
-```
-
-Go onto the next step.
-
-## Install Kata
-
-The process for installing Kata itself on bare metal is identical to that of a virtualization-enabled VM.
-
-For detailed information to install Kata on your distribution of choice, see the [Kata Containers installation user guides](../install/README.md).
--- a/docs/install/azure-installation-guide.md
+++ b/docs/install/azure-installation-guide.md
@@ -1,18 +0,0 @@
-# Install Kata Containers on Microsoft Azure
-
-Kata Containers on Azure use nested virtualization to provide an identical installation
-experience to Kata on your preferred Linux distribution.
-
-This guide assumes you have an Azure account set up and tools to remotely login to your virtual
-machine (SSH). Instructions will use the Azure Portal to avoid
-local dependencies and setup.
-
-## Create a new virtual machine with nesting support
-
-Create a new virtual machine with:
-* Nesting support (v3 series)
-* your distro of choice
-
-## Set up with distribution specific quick start
-
-Follow distribution specific [install guides](../install/README.md#packaged-installation-methods).
--- a/docs/install/centos-installation-guide.md
+++ b/docs/install/centos-installation-guide.md
@@ -1,21 +0,0 @@
-# Install Kata Containers on CentOS
-
-1. Install the Kata Containers components with the following commands:
-
-   ```bash
-   $ sudo -E dnf install -y centos-release-advanced-virtualization
-   $ sudo -E dnf module disable -y virt:rhel
-   $ source /etc/os-release
-   $ cat <<EOF | sudo -E tee /etc/yum.repos.d/kata-containers.repo
-     [kata-containers]
-     name=Kata Containers
-     baseurl=http://mirror.centos.org/\$contentdir/\$releasever/virt/\$basearch/kata-containers
-     enabled=1
-     gpgcheck=1
-     skip_if_unavailable=1
-     EOF
-   $ sudo -E dnf install -y kata-containers
-   ```
-
-2. Decide which container manager to use and select the corresponding link that follows:
-   - [Kubernetes](../Developer-Guide.md#run-kata-containers-with-kubernetes)
--- a/docs/install/fedora-installation-guide.md
+++ b/docs/install/fedora-installation-guide.md
@@ -1,10 +0,0 @@
-# Install Kata Containers on Fedora
-
-1. Install the Kata Containers components with the following commands:
-
-   ```bash
-   $ sudo -E dnf -y install kata-containers
-   ```
-
-2. Decide which container manager to use and select the corresponding link that follows:
-   - [Kubernetes](../Developer-Guide.md#run-kata-containers-with-kubernetes)
--- a/docs/install/gce-installation-guide.md
+++ b/docs/install/gce-installation-guide.md
@@ -1,127 +0,0 @@
-# Install Kata Containers on Google Compute Engine
-
-Kata Containers on Google Compute Engine (GCE) makes use of [nested virtualization](https://cloud.google.com/compute/docs/instances/enable-nested-virtualization-vm-instances). Most of the installation procedure is identical to that for Kata on your preferred distribution, but enabling nested virtualization currently requires extra steps on GCE. This guide walks you through creating an image and instance with nested virtualization enabled. Note that `kata-runtime check` checks for nested virtualization, but does not fail if support is not found.
-
-As a pre-requisite this guide assumes an installed and configured instance of the [Google Cloud SDK](https://cloud.google.com/sdk/downloads). For a zero-configuration option, all of the commands below were been tested under [Google Cloud Shell](https://cloud.google.com/shell/) (as of Jun 2018). Verify your `gcloud` installation and configuration:
-
-```bash
-$ gcloud info || { echo "ERROR: no Google Cloud SDK"; exit 1; }
-```
-
-## Create an Image with Nested Virtualization Enabled
-
-VM images on GCE are grouped into families under projects. Officially supported images are automatically discoverable with `gcloud compute images list`. That command produces a list similar to the following (likely with different image names):
-
-```bash
-$ gcloud compute images list
-NAME                                                  PROJECT            FAMILY                            DEPRECATED  STATUS
-centos-7-v20180523                                    centos-cloud       centos-7                                      READY
-coreos-stable-1745-5-0-v20180531                      coreos-cloud       coreos-stable                                 READY
-cos-beta-67-10575-45-0                                cos-cloud          cos-beta                                      READY
-cos-stable-66-10452-89-0                              cos-cloud          cos-stable                                    READY
-debian-9-stretch-v20180510                            debian-cloud       debian-9                                      READY
-rhel-7-v20180522                                      rhel-cloud         rhel-7                                        READY
-sles-11-sp4-v20180523                                 suse-cloud         sles-11                                       READY
-ubuntu-1604-xenial-v20180522                          ubuntu-os-cloud    ubuntu-1604-lts                               READY
-ubuntu-1804-bionic-v20180522                          ubuntu-os-cloud    ubuntu-1804-lts                               READY
-```
-
-Each distribution has its own project, and each project can host images for multiple versions of the distribution, typically grouped into families. We recommend you select images by project and family, rather than by name. This ensures any scripts or other automation always works with a non-deprecated image, including security updates, updates to GCE-specific scripts, etc.
-
-### Create the Image
-
-The following example (substitute your preferred distribution project and image family) produces an image with nested virtualization enabled in your currently active GCE project:
-
-```bash
-$ SOURCE_IMAGE_PROJECT=ubuntu-os-cloud
-$ SOURCE_IMAGE_FAMILY=ubuntu-1804-lts
-$ IMAGE_NAME=${SOURCE_IMAGE_FAMILY}-nested
-
-$ gcloud compute images create \
-    --source-image-project $SOURCE_IMAGE_PROJECT \
-    --source-image-family $SOURCE_IMAGE_FAMILY \
-    --licenses=https://www.googleapis.com/compute/v1/projects/vm-options/global/licenses/enable-vmx \
-    $IMAGE_NAME
-```
-
-If successful, `gcloud` reports that the image was created. Verify that the image has the nested virtualization license with `gcloud compute images describe $IMAGE_NAME`. This produces output like the following (some fields have been removed for clarity and to redact personal info):
-
-```yaml
-diskSizeGb: '10'
-kind: compute#image
-licenseCodes:
-  - '1002001'
-  - '5926592092274602096'
-licenses:
-  - https://www.googleapis.com/compute/v1/projects/vm-options/global/licenses/enable-vmx
-  - https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/licenses/ubuntu-1804-lts
-name: ubuntu-1804-lts-nested
-sourceImage: https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/images/ubuntu-1804-bionic-v20180522
-sourceImageId: '3280575157699667619'
-sourceType: RAW
-status: READY
-```
-
-The primary criterion of interest here is the presence of the `enable-vmx` license. Without that licence Kata will not work. Without that license Kata does not work. The presence of that license instructs the Google Compute Engine hypervisor to enable Intel's VT-x instructions in virtual machines created from the image. Note that nested virtualization is only available in VMs running on Intel Haswell or later CPU micro-architectures.
-
-### Verify VMX is Available
-
-Assuming you created a nested-enabled image using the previous instructions, verify that VMs created from this image are VMX-enabled with the following:
-
-1. Create a VM from the image created previously:
-
-    ```bash
-    $ gcloud compute instances create \
-        --image $IMAGE_NAME \
-        --machine-type n1-standard-2 \
-        --min-cpu-platform "Intel Broadwell" \
-        kata-testing
-    ```
-
-> **NOTE**: In most zones the `--min-cpu-platform` argument can be omitted. It is only necessary in GCE Zones that include hosts based on Intel's Ivybridge platform.
-
-2. Verify that the VMX CPUID flag is set:
-
-    ```bash
-    $ gcloud compute ssh kata-testing
-    
-    # While ssh'd into the VM:
-    $ [ -z "$(lscpu|grep GenuineIntel)" ] && { echo "ERROR: Need an Intel CPU"; exit 1; }
-    ```
-
-If this fails, ensure you created your instance from the correct image and that the previously listed `enable-vmx` license is included.
-
-## Install Kata
-
-The process for installing Kata itself on a virtualization-enabled VM is identical to that for bare metal.
-
-For detailed information to install Kata on your distribution of choice, see the [Kata Containers installation user guides](../install/README.md).
-
-## Create a Kata-enabled Image
-
-Optionally, after installing Kata, create an image to preserve the fruits of your labor:
-
-```bash
-$ gcloud compute instances stop kata-testing
-$ gcloud compute images create \
-    --source-disk kata-testing \
-    kata-base
-```
-
-The result is an image that includes any changes made to the `kata-testing` instance as well as the `enable-vmx` flag. Verify this with `gcloud compute images describe kata-base`. The result, which omits some fields for clarity, should be similar to the following:
-
-```yaml
-diskSizeGb: '10'
-kind: compute#image
-licenseCodes:
-  - '1002001'
-  - '5926592092274602096'
-licenses:
-  - https://www.googleapis.com/compute/v1/projects/vm-options/global/licenses/enable-vmx
-  - https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/licenses/ubuntu-1804-lts
-name: kata-base
-selfLink: https://www.googleapis.com/compute/v1/projects/my-kata-project/global/images/kata-base
-sourceDisk: https://www.googleapis.com/compute/v1/projects/my-kata-project/zones/us-west1-a/disks/kata-testing
-sourceType: RAW
-status: READY
-```
--- a/docs/install/kata-containers-3.0-rust-runtime-installation-guide.md
+++ b/docs/install/kata-containers-3.0-rust-runtime-installation-guide.md
@@ -32,7 +32,7 @@ architectures:

 ### Kata Deploy Installation

-Follow the [`kata-deploy`](../../tools/packaging/kata-deploy/README.md).
+Follow the [`kata-deploy`](../../tools/packaging/kata-deploy/helm-chart/README.md).
 ### Official packages
 `ToDo`
 ### Automatic Installation
--- a/docs/install/vexxhost-installation-guide.md
+++ b/docs/install/vexxhost-installation-guide.md
@@ -1,16 +0,0 @@
-# Install Kata Containers on VEXXHOST
-
-Kata Containers on VEXXHOST use nested virtualization to provide an identical
-installation experience to Kata on your preferred Linux distribution.
-
-This guide assumes you have an OpenStack public cloud account set up and tools
-to remotely connect to your virtual machine (SSH).
-
-## Create a new virtual machine with nesting support
-
-All regions support nested virtualization using the V2 flavors (those prefixed
-with v2).  The recommended machine type for container workloads is `v2-highcpu` range.
-
-## Set up with distribution specific quick start
-
-Follow distribution specific [install guides](../install/README.md#packaged-installation-methods).
--- a/docs/use-cases/using-Intel-QAT-and-kata.md
+++ b/docs/use-cases/using-Intel-QAT-and-kata.md
@@ -419,7 +419,7 @@ You might need to disable Docker before initializing Kubernetes. Be aware
 that the OpenSSL container image built above will need to be exported from
 Docker and imported into containerd.

-If Kata is installed through [`kata-deploy`](../../tools/packaging/kata-deploy/README.md)
+If Kata is installed through [`kata-deploy`](../../tools/packaging/kata-deploy/helm-chart/README.md)
 there will be multiple `configuration.toml` files associated with different
 hypervisors. Rather than add in the custom Kata kernel, Kata rootfs, and
 kernel modules to each `configuration.toml` as the default, instead use
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@@ -508,6 +508,15 @@ dependencies = [
 "wyz",
 ]

+[[package]]
+name = "block-buffer"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "block-buffer"
 version = "0.10.4"
@@ -656,30 +665,6 @@ dependencies = [
 "shlex",
 ]

-[[package]]
-name = "cdi"
-version = "0.1.0"
-source = "git+https://github.com/cncf-tags/container-device-interface-rs?rev=3b1e83dda5efcc83c7a4f134466ec006b37109c9#3b1e83dda5efcc83c7a4f134466ec006b37109c9"
-dependencies = [
- "anyhow",
- "clap",
- "const_format",
- "jsonschema",
- "lazy_static",
- "libc",
- "nix 0.24.3",
- "notify",
- "oci-spec",
- "once_cell",
- "path-clean",
- "regex",
- "semver",
- "serde",
- "serde_derive",
- "serde_json",
- "serde_yaml",
-]
-
 [[package]]
 name = "cfg-if"
 version = "1.0.0"
@@ -799,6 +784,31 @@ dependencies = [
 "unicode-xid",
 ]

+[[package]]
+name = "container-device-interface"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "653849f0c250f73d9afab4b2a9a6b07adaee1f34c44ffa6f2d2c3f9392002c1a"
+dependencies = [
+ "anyhow",
+ "clap",
+ "const_format",
+ "jsonschema",
+ "lazy_static",
+ "libc",
+ "nix 0.24.3",
+ "notify",
+ "oci-spec",
+ "once_cell",
+ "path-clean",
+ "regex",
+ "semver",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "serde_yaml",
+]
+
 [[package]]
 name = "core-foundation-sys"
 version = "0.8.7"
@@ -889,6 +899,16 @@ dependencies = [
 "typenum",
 ]

+[[package]]
+name = "crypto-mac"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b1d1a86f49236c215f271d40892d5fc950490551400b02ef360692c29815c714"
+dependencies = [
+ "generic-array",
+ "subtle",
+]
+
 [[package]]
 name = "darling"
 version = "0.14.4"
@@ -1033,13 +1053,22 @@ dependencies = [
 "syn 2.0.101",
 ]

+[[package]]
+name = "digest"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "digest"
 version = "0.10.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
 dependencies = [
- "block-buffer",
+ "block-buffer 0.10.4",
 "crypto-common",
 ]

@@ -1543,6 +1572,16 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"

+[[package]]
+name = "hmac"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a2a2320eb7ec0ebe8da8f744d7812d9fc4cb4d09344ac01898dbcb6a20ae69b"
+dependencies = [
+ "crypto-mac",
+ "digest 0.9.0",
+]
+
 [[package]]
 name = "home"
 version = "0.5.9"
@@ -2011,11 +2050,11 @@ dependencies = [
 "async-trait",
 "base64 0.22.1",
 "capctl",
- "cdi",
 "cfg-if",
 "cgroups-rs",
 "clap",
 "const_format",
+ "container-device-interface",
 "derivative",
 "futures",
 "ipnetwork",
@@ -2026,7 +2065,7 @@ dependencies = [
 "libc",
 "log",
 "logging",
- "mem-agent-lib",
+ "mem-agent",
 "netlink-packet-core",
 "netlink-packet-route",
 "netlink-sys 0.7.0",
@@ -2035,7 +2074,7 @@ dependencies = [
 "opentelemetry",
 "procfs 0.12.0",
 "prometheus",
- "protobuf 3.7.2",
+ "protobuf",
 "protocols",
 "regex",
 "rstest",
@@ -2049,7 +2088,7 @@ dependencies = [
 "serde",
 "serde_json",
 "serial_test",
- "sha2",
+ "sha2 0.10.9",
 "slog",
 "slog-scope",
 "slog-stdlog",
@@ -2133,7 +2172,7 @@ dependencies = [
 "serde",
 "serde-enum-str",
 "serde_json",
- "sha2",
+ "sha2 0.10.9",
 "slog",
 "slog-scope",
 "sysinfo",
@@ -2210,6 +2249,23 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9a7cbbd4ad467251987c6e5b47d53b11a5a05add08f2447a9e2d70aef1e0d138"

+[[package]]
+name = "libsystemd"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f4f0b5b062ba67aa075e331de778082c09e66b5ef32970ea5a1e9c37c9555d1"
+dependencies = [
+ "hmac",
+ "libc",
+ "log",
+ "nix 0.23.2",
+ "once_cell",
+ "serde",
+ "sha2 0.9.9",
+ "thiserror 1.0.69",
+ "uuid 0.8.2",
+]
+
 [[package]]
 name = "libz-sys"
 version = "1.1.22"
@@ -2273,6 +2329,7 @@ dependencies = [
 "serde_json",
 "slog",
 "slog-async",
+ "slog-journald",
 "slog-json",
 "slog-scope",
 "slog-term",
@@ -2294,7 +2351,7 @@ dependencies = [
 ]

 [[package]]
-name = "mem-agent-lib"
+name = "mem-agent"
 version = "0.2.0"
 dependencies = [
 "anyhow",
@@ -2734,6 +2791,12 @@ version = "1.21.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"

+[[package]]
+name = "opaque-debug"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
+
 [[package]]
 name = "opentelemetry"
 version = "0.14.0"
@@ -3095,22 +3158,21 @@ dependencies = [

 [[package]]
 name = "procfs"
-version = "0.16.0"
+version = "0.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "731e0d9356b0c25f16f33b5be79b1c57b562f141ebfcdb0ad8ac2c13a24293b4"
+checksum = "cc5b72d8145275d844d4b5f6d4e1eef00c8cd889edb6035c21675d1bb1f45c9f"
 dependencies = [
 "bitflags 2.9.0",
 "hex",
- "lazy_static",
 "procfs-core",
 "rustix 0.38.44",
 ]

 [[package]]
 name = "procfs-core"
-version = "0.16.0"
+version = "0.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d3554923a69f4ce04c4a754260c338f505ce22642d3830e049a399fc2059a29"
+checksum = "239df02d8349b06fc07398a3a1697b06418223b1c7725085e801e7c0fc6a12ec"
 dependencies = [
 "bitflags 2.9.0",
 "hex",
@@ -3118,9 +3180,9 @@ dependencies = [

 [[package]]
 name = "prometheus"
-version = "0.13.4"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3d33c28a30771f7f96db69893f78b857f7450d7e0237e9c8fc6427a81bae7ed1"
+checksum = "3ca5326d8d0b950a9acd87e6a3f94745394f62e4dae1b1ee22b2bc0c394af43a"
 dependencies = [
 "cfg-if",
 "fnv",
@@ -3128,9 +3190,9 @@ dependencies = [
 "libc",
 "memchr",
 "parking_lot",
- "procfs 0.16.0",
- "protobuf 2.28.0",
- "thiserror 1.0.69",
+ "procfs 0.17.0",
+ "protobuf",
+ "thiserror 2.0.12",
 ]

 [[package]]
@@ -3184,12 +3246,6 @@ dependencies = [
 "prost",
 ]

-[[package]]
-name = "protobuf"
-version = "2.28.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94"
-
 [[package]]
 name = "protobuf"
 version = "3.7.2"
@@ -3209,7 +3265,7 @@ checksum = "5d3976825c0014bbd2f3b34f0001876604fe87e0c86cd8fa54251530f1544ace"
 dependencies = [
 "anyhow",
 "once_cell",
- "protobuf 3.7.2",
+ "protobuf",
 "protobuf-parse",
 "regex",
 "tempfile",
@@ -3225,7 +3281,7 @@ dependencies = [
 "anyhow",
 "indexmap 2.9.0",
 "log",
- "protobuf 3.7.2",
+ "protobuf",
 "protobuf-support",
 "tempfile",
 "thiserror 1.0.69",
@@ -3247,7 +3303,7 @@ version = "0.1.0"
 dependencies = [
 "async-trait",
 "oci-spec",
- "protobuf 3.7.2",
+ "protobuf",
 "serde",
 "serde_json",
 "ttrpc",
@@ -3505,7 +3561,7 @@ dependencies = [
 "rkyv_derive",
 "seahash",
 "tinyvec",
- "uuid",
+ "uuid 1.16.0",
 ]

 [[package]]
@@ -3677,7 +3733,7 @@ dependencies = [
 "nix 0.26.4",
 "oci-spec",
 "path-absolutize",
- "protobuf 3.7.2",
+ "protobuf",
 "protocols",
 "regex",
 "rlimit",
@@ -3918,7 +3974,20 @@ checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
 dependencies = [
 "cfg-if",
 "cpufeatures",
- "digest",
+ "digest 0.10.7",
+]
+
+[[package]]
+name = "sha2"
+version = "0.9.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800"
+dependencies = [
+ "block-buffer 0.9.0",
+ "cfg-if",
+ "cpufeatures",
+ "digest 0.9.0",
+ "opaque-debug",
 ]

 [[package]]
@@ -3929,7 +3998,7 @@ checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
 dependencies = [
 "cfg-if",
 "cpufeatures",
- "digest",
+ "digest 0.10.7",
 ]

 [[package]]
@@ -3970,12 +4039,9 @@ checksum = "56199f7ddabf13fe5074ce809e7d3f42b42ae711800501b5b16ea82ad029c39d"

 [[package]]
 name = "slab"
-version = "0.4.9"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67"
-dependencies = [
- "autocfg",
-]
+checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589"

 [[package]]
 name = "slash-formatter"
@@ -4001,6 +4067,16 @@ dependencies = [
 "thread_local",
 ]

+[[package]]
+name = "slog-journald"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "83e14eb8c2f5d0c8fc9fbac40e6391095e4dc5cb334f7dce99c75cb1919eb39c"
+dependencies = [
+ "libsystemd",
+ "slog",
+]
+
 [[package]]
 name = "slog-json"
 version = "2.6.1"
@@ -4140,6 +4216,12 @@ dependencies = [
 "winapi",
 ]

+[[package]]
+name = "subtle"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
+
 [[package]]
 name = "syn"
 version = "1.0.109"
@@ -4590,7 +4672,7 @@ dependencies = [
 "libc",
 "log",
 "nix 0.26.4",
- "protobuf 3.7.2",
+ "protobuf",
 "protobuf-codegen",
 "thiserror 1.0.69",
 "tokio",
@@ -4604,7 +4686,7 @@ version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0e5c657ef5cea6f6c6073c1be0787ba4482f42a569d4821e467daec795271f86"
 dependencies = [
- "protobuf 3.7.2",
+ "protobuf",
 "protobuf-codegen",
 "protobuf-support",
 "ttrpc-compiler",
@@ -4620,7 +4702,7 @@ dependencies = [
 "prost",
 "prost-build",
 "prost-types",
- "protobuf 3.7.2",
+ "protobuf",
 "protobuf-codegen",
 "tempfile",
 ]
@@ -4701,6 +4783,15 @@ version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"

+[[package]]
+name = "uuid"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7"
+dependencies = [
+ "serde",
+]
+
 [[package]]
 name = "uuid"
 version = "1.16.0"
@@ -4714,7 +4805,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "23b082222b4f6619906941c17eb2297fff4c2fb96cb60164170522942a200bd8"
 dependencies = [
 "outref",
- "uuid",
+ "uuid 1.16.0",
 "vsimd",
 ]

--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@@ -13,8 +13,12 @@ lazy_static = "1.3.0"
 ttrpc = { version = "0.8.4", features = ["async"], default-features = false }
 protobuf = "3.7.2"
 libc = "0.2.94"
-# Notes: nix needs to stay in sync with libs
+
+# Notes:
+# - Needs to stay in sync with libs
+# - Upgrading to 0.27+ will require code changes (see #11842)
 nix = "0.26.4"
+
 capctl = "0.2.0"
 scan_fmt = "0.2.6"
 scopeguard = "1.0.0"
@@ -50,7 +54,7 @@ slog-stdlog = "4.0.0"
 log = "0.4.11"

 cfg-if = "1.0.0"
-prometheus = { version = "0.13.0", features = ["process"] }
+prometheus = { version = "0.14.0", features = ["process"] }
 procfs = "0.12.0"

 anyhow = "1"
@@ -81,10 +85,10 @@ kata-agent-policy = { path = "policy" }
 rustjail = { path = "rustjail" }
 vsock-exporter = { path = "vsock-exporter" }

-mem-agent = { path = "../mem-agent", package = "mem-agent-lib" }
+mem-agent = { path = "../libs/mem-agent" }

 kata-sys-util = { path = "../libs/kata-sys-util" }
-kata-types = { path = "../libs/kata-types" }
+kata-types = { path = "../libs/kata-types", features = ["safe-path"] }
 # Note: this crate sets the slog 'max_*' features which allows the log level
 # to be modified at runtime.
 logging = { path = "../libs/logging" }
@@ -163,9 +167,6 @@ clap.workspace = true
 strum.workspace = true
 strum_macros.workspace = true

-# Agent Policy
-cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "3b1e83dda5efcc83c7a4f134466ec006b37109c9" }
-
 # Local dependencies
 kata-agent-policy = { workspace = true, optional = true }
 mem-agent.workspace = true
@@ -185,6 +186,8 @@ base64 = "0.22"
 sha2 = "0.10.8"
 async-compression = { version = "0.4.22", features = ["tokio", "gzip"] }

+container-device-interface = "0.1.0"
+
 [target.'cfg(target_arch = "s390x")'.dependencies]
 pv_core = { git = "https://github.com/ibm-s390-linux/s390-tools", rev = "4942504a9a2977d49989a5e5b7c1c8e07dc0fa41", package = "s390_pv_core" }

--- a/src/agent/Makefile
+++ b/src/agent/Makefile
@@ -217,4 +217,11 @@ codecov-html: check_tarpaulin

 ##TARGET generate-protocols: generate/update grpc agent protocols
 generate-protocols:
+	image=$$(docker build -q \
+	  --build-arg GO_VERSION=$$(yq '.languages.golang.version' $(CURDIR)/../../versions.yaml) \
+	  --build-arg PROTOC_VERSION=$$(yq '.externals.protoc.version' $(CURDIR)/../../versions.yaml | grep -oE "[0-9.]+") \
+	  --build-arg PROTOC_GEN_GO_VERSION=$$(yq '.externals.protoc-gen-go.version' $(CURDIR)/../../versions.yaml) \
+	  --build-arg TTRPC_VERSION=$$(yq '.externals.ttrpc.version' $(CURDIR)/../../versions.yaml) \
+	  $(CURDIR)/../../tools/packaging/static-build/codegen) && \
+	docker run --rm --workdir /kata/src/agent -v $(CURDIR)/../..:/kata --user $(shell id -u) $$image \
 	../libs/protocols/hack/update-generated-proto.sh all
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@@ -1037,6 +1037,12 @@ impl BaseContainer for LinuxContainer {
        let child_stderr: std::process::Stdio;

        if tty {
+            // NOTE(#11842): This code will require changes if we upgrade to nix 0.27+:
+            // - `pseudo` will contain OwnedFds instead of RawFds.
+            // - We'll have to use `OwnedFd::into_raw_fd()` which will
+            //   transfer the ownership to the caller.
+            // - The duplication strategy will not change.
+
            let pseudo = pty::openpty(None, None)?;
            p.term_master = Some(pseudo.master);
            let _ = fcntl::fcntl(pseudo.master, FcntlArg::F_SETFD(FdFlag::FD_CLOEXEC))
@@ -1045,8 +1051,8 @@ impl BaseContainer for LinuxContainer {
                .map_err(|e| warn!(logger, "fcntl pseudo.slave {:?}", e));

            child_stdin = unsafe { std::process::Stdio::from_raw_fd(pseudo.slave) };
-            child_stdout = unsafe { std::process::Stdio::from_raw_fd(pseudo.slave) };
-            child_stderr = unsafe { std::process::Stdio::from_raw_fd(pseudo.slave) };
+            child_stdout = unsafe { std::process::Stdio::from_raw_fd(unistd::dup(pseudo.slave)?) };
+            child_stderr = unsafe { std::process::Stdio::from_raw_fd(unistd::dup(pseudo.slave)?) };

            if let Some(proc_io) = &mut p.proc_io {
                // A reference count used to clean up the term master fd.
@@ -1914,7 +1920,7 @@ mod tests {
        let cgroups_path = format!(
            "/{}/dummycontainer{}",
            CGROUP_PARENT,
-            since_the_epoch.as_millis()
+            since_the_epoch.as_micros()
        );

        let mut spec = SpecBuilder::default()
--- a/src/agent/rustjail/src/mount.rs
+++ b/src/agent/rustjail/src/mount.rs
@@ -5,6 +5,7 @@

 use anyhow::{anyhow, Context, Result};
 use libc::uid_t;
+use nix::errno::Errno;
 use nix::fcntl::{self, OFlag};
 #[cfg(not(test))]
 use nix::mount;
@@ -336,25 +337,19 @@ fn check_proc_mount(m: &Mount) -> Result<()> {

    if mount_dest == PROC_PATH {
        // only allow a mount on-top of proc if it's source is "proc"
-        unsafe {
-            let mut stats = MaybeUninit::<libc::statfs>::uninit();
-            let mount_source = m.source().as_ref().unwrap().display().to_string();
-            if mount_source
-                .with_nix_path(|path| libc::statfs(path.as_ptr(), stats.as_mut_ptr()))
-                .is_ok()
-            {
-                if stats.assume_init().f_type == PROC_SUPER_MAGIC {
-                    return Ok(());
-                }
-            } else {
-                return Ok(());
-            }
+        let mount_source = m.source().as_ref().unwrap().display().to_string();

-            return Err(anyhow!(format!(
+        let mut stats = MaybeUninit::<libc::statfs>::uninit();
+        let statfs_ret = mount_source
+            .with_nix_path(|path| unsafe { libc::statfs(path.as_ptr(), stats.as_mut_ptr()) })?;
+
+        return match Errno::result(statfs_ret) {
+            Ok(_) if unsafe { stats.assume_init().f_type } == PROC_SUPER_MAGIC => Ok(()),
+            Ok(_) | Err(_) => Err(anyhow!(format!(
                "{} cannot be mounted to {} because it is not of type proc",
                &mount_source, &mount_dest
-            )));
-        }
+            ))),
+        };
    }

    if mount_dest.starts_with(PROC_PATH) {
--- a/src/agent/src/confidential_data_hub/mod.rs
+++ b/src/agent/src/confidential_data_hub/mod.rs
@@ -22,6 +22,8 @@ use protocols::{
 };
 use safe_path::scoped_join;
 use std::fs;
+use std::fs::File;
+use std::io::{self, Read};
 use std::path::Path;
 use std::{os::unix::fs::symlink, path::PathBuf};
 use tokio::sync::OnceCell;
@@ -235,8 +237,8 @@ pub async fn unseal_file(path: &str) -> Result<()> {
        }

        let secret_name = entry.file_name();
-        let contents = fs::read_to_string(&target_path)?;
-        if contents.starts_with(SEALED_SECRET_PREFIX) {
+        if content_starts_with_prefix(&target_path, SEALED_SECRET_PREFIX).await? {
+            let contents = fs::read_to_string(&target_path)?;
            // Get the directory name of the sealed secret file
            let dir_name = target_path
                .parent()
@@ -262,6 +264,17 @@ pub async fn unseal_file(path: &str) -> Result<()> {
    Ok(())
 }

+pub async fn content_starts_with_prefix(path: &Path, prefix: &str) -> io::Result<bool> {
+    let mut file = File::open(path)?;
+    let mut buffer = vec![0u8; prefix.len()];
+
+    match file.read_exact(&mut buffer) {
+        Ok(()) => Ok(buffer == prefix.as_bytes()),
+        Err(ref e) if e.kind() == io::ErrorKind::UnexpectedEof => Ok(false),
+        Err(e) => Err(e),
+    }
+}
+
 pub async fn secure_mount(
    volume_type: &str,
    options: &std::collections::HashMap<String, String>,
@@ -294,7 +307,7 @@ mod tests {
    use std::fs::File;
    use std::io::{Read, Write};
    use std::sync::Arc;
-    use tempfile::tempdir;
+    use tempfile::{tempdir, NamedTempFile};
    use test_utils::skip_if_not_root;
    use tokio::signal::unix::{signal, SignalKind};
    struct TestService;
@@ -416,4 +429,34 @@ mod tests {
        rt.shutdown_background();
        std::thread::sleep(std::time::Duration::from_secs(2));
    }
+
+    #[tokio::test]
+    async fn test_content_starts_with_prefix() {
+        // Normal case: content matches the prefix
+        let mut f = NamedTempFile::new().unwrap();
+        write!(f, "sealed.hello_world").unwrap();
+        assert!(content_starts_with_prefix(f.path(), "sealed.")
+            .await
+            .unwrap());
+
+        // Does not match the prefix
+        let mut f2 = NamedTempFile::new().unwrap();
+        write!(f2, "notsealed.hello_world").unwrap();
+        assert!(!content_starts_with_prefix(f2.path(), "sealed.")
+            .await
+            .unwrap());
+
+        // File length < prefix.len()
+        let mut f3 = NamedTempFile::new().unwrap();
+        write!(f3, "seal").unwrap();
+        assert!(!content_starts_with_prefix(f3.path(), "sealed.")
+            .await
+            .unwrap());
+
+        // Empty file
+        let f4 = NamedTempFile::new().unwrap();
+        assert!(!content_starts_with_prefix(f4.path(), "sealed.")
+            .await
+            .unwrap());
+    }
 }
--- a/src/agent/src/config.rs
+++ b/src/agent/src/config.rs
@@ -202,7 +202,7 @@ macro_rules! config_override {
        }
    };

-    ($builder:ident, $config:ident, $field:ident, $func: ident) => {
+    ($builder:ident, $config:ident, $field:ident, $func:ident) => {
        if let Some(v) = $builder.$field {
            $config.$field = $func(&v)?;
        }
@@ -661,8 +661,8 @@ impl AgentConfig {
            self.server_addr = addr;
        }

-        if let Ok(addr) = env::var(LOG_LEVEL_ENV_VAR) {
-            if let Ok(level) = logrus_to_slog_level(&addr) {
+        if let Ok(level) = env::var(LOG_LEVEL_ENV_VAR) {
+            if let Ok(level) = logrus_to_slog_level(&level) {
                self.log_level = level;
            }
        }
--- a/src/agent/src/device/mod.rs
+++ b/src/agent/src/device/mod.rs
@@ -15,6 +15,7 @@ use anyhow::{anyhow, Context, Result};
 use cdi::annotations::parse_annotations;
 use cdi::cache::{new_cache, with_auto_refresh, CdiOption};
 use cdi::spec_dirs::with_spec_dirs;
+use container_device_interface as cdi;
 use kata_types::device::DeviceHandlerManager;
 use nix::sys::stat;
 use oci::{LinuxDeviceCgroup, Spec};
--- a/src/agent/src/main.rs
+++ b/src/agent/src/main.rs
@@ -30,6 +30,7 @@ use nix::unistd::{self, dup, sync, Pid};
 use std::env;
 use std::ffi::OsStr;
 use std::fs::{self, File};
+use std::io::ErrorKind;
 use std::os::unix::fs::{self as unixfs, FileTypeExt};
 use std::os::unix::io::AsRawFd;
 use std::path::Path;
@@ -465,8 +466,17 @@ fn attestation_binaries_available(logger: &Logger, procs: &GuestComponentsProcs)
        _ => vec![],
    };
    for binary in binaries.iter() {
-        if !Path::new(binary).exists() {
-            warn!(logger, "{} not found", binary);
+        let exists = Path::new(binary)
+            .try_exists()
+            .unwrap_or_else(|error| match error.kind() {
+                ErrorKind::NotFound => {
+                    warn!(logger, "{} not found", binary);
+                    false
+                }
+                _ => panic!("Path existence check failed for '{}': {}", binary, error),
+            });
+
+        if !exists {
            return false;
        }
    }
--- a/src/agent/src/mount.rs
+++ b/src/agent/src/mount.rs
@@ -336,11 +336,17 @@ mod tests {
        let plain = slog_term::PlainSyncDecorator::new(std::io::stdout());
        let logger = Logger::root(slog_term::FullFormat::new(plain).build().fuse(), o!());

+        // Detect actual filesystem types mounted in this environment
+        // Z runners mount /dev as tmpfs, while normal systems use devtmpfs
+        let dev_fs_type = get_mount_fs_type("/dev").unwrap_or_else(|_| String::from("devtmpfs"));
+        let proc_fs_type = get_mount_fs_type("/proc").unwrap_or_else(|_| String::from("proc"));
+        let sys_fs_type = get_mount_fs_type("/sys").unwrap_or_else(|_| String::from("sysfs"));
+
        let test_cases = [
-            ("dev", "/dev", "devtmpfs"),
-            ("udev", "/dev", "devtmpfs"),
-            ("proc", "/proc", "proc"),
-            ("sysfs", "/sys", "sysfs"),
+            ("dev", "/dev", dev_fs_type.as_str()),
+            ("udev", "/dev", dev_fs_type.as_str()),
+            ("proc", "/proc", proc_fs_type.as_str()),
+            ("sysfs", "/sys", sys_fs_type.as_str()),
        ];

        for &(source, destination, fs_type) in &test_cases {
@@ -381,6 +387,22 @@ mod tests {
        let drain = slog::Discard;
        let logger = slog::Logger::root(drain, o!());

+        // Detect filesystem type of root directory
+        let tmp_fs_type = get_mount_fs_type("/").unwrap_or_else(|_| String::from("unknown"));
+
+        // Error messages that vary based on filesystem type
+        const DEFAULT_ERROR_EPERM: &str = "Operation not permitted";
+        const BTRFS_ERROR_ENODEV: &str = "No such device";
+
+        // Helper to select error message based on filesystem type (e.g. btrfs for s390x runners)
+        let get_error_msg = |default: &'static str, btrfs_specific: &'static str| -> &'static str {
+            if tmp_fs_type == "btrfs" && !btrfs_specific.is_empty() {
+                btrfs_specific
+            } else {
+                default
+            }
+        };
+
        let tests = &[
            TestData {
                test_user: TestUserType::Any,
@@ -416,7 +438,7 @@ mod tests {
                fs_type: "bind",
                flags: MsFlags::empty(),
                options: "bind",
-                error_contains: "Operation not permitted",
+                error_contains: get_error_msg(DEFAULT_ERROR_EPERM, BTRFS_ERROR_ENODEV),
            },
            TestData {
                test_user: TestUserType::NonRootOnly,
@@ -496,7 +518,14 @@ mod tests {

            let err = result.unwrap_err();
            let error_msg = format!("{}", err);
-            assert!(error_msg.contains(d.error_contains), "{}", msg);
+
+            assert!(
+                error_msg.contains(d.error_contains),
+                "{}: expected error containing '{}', got '{}'",
+                msg,
+                d.error_contains,
+                error_msg
+            );
        }
    }

--- a/src/agent/src/netlink.rs
+++ b/src/agent/src/netlink.rs
@@ -401,7 +401,11 @@ impl Handle {
                }

                if let RouteAttribute::Oif(index) = attribute {
-                    route.device = self.find_link(LinkFilter::Index(*index)).await?.name();
+                    route.device = self
+                        .find_link(LinkFilter::Index(*index))
+                        .await
+                        .context(format!("error looking up device {index}"))?
+                        .name();
                }
            }

@@ -909,10 +913,27 @@ mod tests {
    use super::*;
    use netlink_packet_route::address::AddressHeader;
    use netlink_packet_route::link::LinkHeader;
+    use serial_test::serial;
    use std::iter;
    use std::process::Command;
    use test_utils::skip_if_not_root;

+    // Constants for ARP neighbor tests
+    const TEST_DUMMY_INTERFACE: &str = "dummy_for_arp";
+    const TEST_ARP_IP: &str = "192.0.2.127";
+
+    /// Helper function to check if the result is a netlink EACCES error
+    fn is_netlink_permission_error<T>(result: &Result<T>) -> bool {
+        if let Err(e) = result {
+            let error_string = format!("{:?}", e);
+            if error_string.contains("code: Some(-13)") {
+                println!("INFO: skipping test - netlink operations are restricted in this environment (EACCES)");
+                return true;
+            }
+        }
+        false
+    }
+
    #[tokio::test]
    async fn find_link_by_name() {
        let message = Handle::new()
@@ -972,11 +993,15 @@ mod tests {
    }

    #[tokio::test]
+    #[serial(arp_neighbor_tests)]
    async fn list_routes() {
+        clean_env_for_test_add_one_arp_neighbor(TEST_DUMMY_INTERFACE, TEST_ARP_IP);
+        let devices: Vec<Interface> = Handle::new().unwrap().list_interfaces().await.unwrap();
        let all = Handle::new()
            .unwrap()
            .list_routes()
            .await
+            .context(format!("available devices: {:?}", devices))
            .expect("Failed to list routes");

        assert_ne!(all.len(), 0);
@@ -1032,10 +1057,14 @@ mod tests {
        let lo = handle.find_link(LinkFilter::Name("lo")).await.unwrap();

        for network in list {
-            handle
-                .add_addresses(lo.index(), iter::once(network))
-                .await
-                .expect("Failed to add IP");
+            let result = handle.add_addresses(lo.index(), iter::once(network)).await;
+
+            // Skip test if netlink operations are restricted (EACCES = -13)
+            if is_netlink_permission_error(&result) {
+                return;
+            }
+
+            result.expect("Failed to add IP");

            // Make sure the address is there
            let result = handle
@@ -1050,10 +1079,14 @@ mod tests {
            assert!(result.is_some());

            // Update it
-            handle
-                .add_addresses(lo.index(), iter::once(network))
-                .await
-                .expect("Failed to delete address");
+            let result = handle.add_addresses(lo.index(), iter::once(network)).await;
+
+            // Skip test if netlink operations are restricted (EACCES = -13)
+            if is_netlink_permission_error(&result) {
+                return;
+            }
+
+            result.expect("Failed to delete address");
        }
    }

@@ -1088,7 +1121,7 @@ mod tests {
            .expect("prepare: failed to delete neigh");
    }

-    fn prepare_env_for_test_add_one_arp_neighbor(dummy_name: &str, ip: &str) {
+    async fn prepare_env_for_test_add_one_arp_neighbor(dummy_name: &str, ip: &str) {
        clean_env_for_test_add_one_arp_neighbor(dummy_name, ip);
        // modprobe dummy
        Command::new("modprobe")
@@ -1102,9 +1135,9 @@ mod tests {
            .output()
            .expect("failed to add dummy interface");

-        // ip addr add 192.168.0.2/16 dev dummy
+        // ip addr add 192.0.2.2/24 dev dummy
        Command::new("ip")
-            .args(["addr", "add", "192.168.0.2/16", "dev", dummy_name])
+            .args(["addr", "add", "192.0.2.2/24", "dev", dummy_name])
            .output()
            .expect("failed to add ip for dummy");

@@ -1113,24 +1146,26 @@ mod tests {
            .args(["link", "set", dummy_name, "up"])
            .output()
            .expect("failed to up dummy");
+
+        // Wait briefly to ensure the IP address addition is fully complete
+        tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
    }

    #[tokio::test]
+    #[serial(arp_neighbor_tests)]
    async fn test_add_one_arp_neighbor() {
        skip_if_not_root!();

        let mac = "6a:92:3a:59:70:aa";
-        let to_ip = "169.254.1.1";
-        let dummy_name = "dummy_for_arp";

-        prepare_env_for_test_add_one_arp_neighbor(dummy_name, to_ip);
+        prepare_env_for_test_add_one_arp_neighbor(TEST_DUMMY_INTERFACE, TEST_ARP_IP).await;

        let mut ip_address = IPAddress::new();
-        ip_address.set_address(to_ip.to_string());
+        ip_address.set_address(TEST_ARP_IP.to_string());

        let mut neigh = ARPNeighbor::new();
        neigh.set_toIPAddress(ip_address);
-        neigh.set_device(dummy_name.to_string());
+        neigh.set_device(TEST_DUMMY_INTERFACE.to_string());
        neigh.set_lladdr(mac.to_string());
        neigh.set_state(0x80);

@@ -1141,15 +1176,24 @@ mod tests {
            .expect("Failed to add ARP neighbor");

        // ip neigh show dev dummy ip
-        let stdout = Command::new("ip")
-            .args(["neigh", "show", "dev", dummy_name, to_ip])
+        let output = Command::new("ip")
+            .args(["neigh", "show", "dev", TEST_DUMMY_INTERFACE, TEST_ARP_IP])
            .output()
-            .expect("failed to show neigh")
-            .stdout;
+            .expect("failed to show neigh");

-        let stdout = std::str::from_utf8(&stdout).expect("failed to convert stdout");
-        assert_eq!(stdout.trim(), format!("{} lladdr {} PERMANENT", to_ip, mac));
+        let stdout = std::str::from_utf8(&output.stdout).expect("failed to convert stdout");
+        let stderr = std::str::from_utf8(&output.stderr).expect("failed to convert stderr");
+        assert!(
+            output.status.success(),
+            "`ip neigh show` returned exit code {:?}. stderr: {:?}",
+            output.status.code(),
+            stderr
+        );
+        assert_eq!(
+            stdout.trim(),
+            format!("{} lladdr {} PERMANENT", TEST_ARP_IP, mac)
+        );

-        clean_env_for_test_add_one_arp_neighbor(dummy_name, to_ip);
+        clean_env_for_test_add_one_arp_neighbor(TEST_DUMMY_INTERFACE, TEST_ARP_IP);
    }
 }
--- a/src/agent/src/random.rs
+++ b/src/agent/src/random.rs
@@ -59,10 +59,26 @@ pub fn reseed_rng(data: &[u8]) -> Result<()> {
 #[cfg(test)]
 mod tests {
    use super::*;
+    use nix::errno::Errno;
    use std::fs::File;
    use std::io::prelude::*;
    use test_utils::skip_if_not_root;

+    /// Helper function to check if the result is an EPERM error
+    fn is_permission_error(result: &Result<()>) -> bool {
+        if let Err(e) = result {
+            if let Some(errno) = e.downcast_ref::<Errno>() {
+                if *errno == Errno::EPERM {
+                    println!(
+                        "EPERM: skipping test - reseeding RNG is not permitted in this environment"
+                    );
+                    return true;
+                }
+            }
+        }
+        false
+    }
+
    #[test]
    fn test_reseed_rng() {
        skip_if_not_root!();
@@ -73,6 +89,9 @@ mod tests {
        // Ensure the buffer was filled.
        assert!(n == POOL_SIZE);
        let ret = reseed_rng(&seed);
+        if is_permission_error(&ret) {
+            return;
+        }
        assert!(ret.is_ok());
    }

@@ -85,6 +104,9 @@ mod tests {
        // Ensure the buffer was filled.
        assert!(n == POOL_SIZE);
        let ret = reseed_rng(&seed);
+        if is_permission_error(&ret) {
+            return;
+        }
        if nix::unistd::Uid::effective().is_root() {
            assert!(ret.is_ok());
        } else {
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -2417,7 +2417,7 @@ mod tests {
        let cgroups_path = format!(
            "/{}/dummycontainer{}",
            CGROUP_PARENT,
-            since_the_epoch.as_millis()
+            since_the_epoch.as_micros()
        );

        let spec = SpecBuilder::default()
@@ -2481,6 +2481,26 @@ mod tests {
        // normally this module should eixsts...
        m.name = "bridge".to_string();
        let result = load_kernel_module(&m);
+
+        // Skip test if loading kernel modules is not permitted
+        // or kernel module is not found
+        if let Err(e) = &result {
+            let error_string = format!("{:?}", e);
+            // Let's print out the error message first
+            println!("DEBUG: error: {}", error_string);
+            if error_string.contains("Operation not permitted")
+                || error_string.contains("EPERM")
+                || error_string.contains("Permission denied")
+            {
+                println!("INFO: skipping test - loading kernel modules is not permitted in this environment");
+                return;
+            }
+            if error_string.contains("not found") {
+                println!("INFO: skipping test - kernel module is not found in this environment");
+                return;
+            }
+        }
+
        assert!(result.is_ok(), "load module should success");
    }

--- a/src/agent/src/sandbox.rs
+++ b/src/agent/src/sandbox.rs
@@ -858,7 +858,7 @@ mod tests {
        let cgroups_path = format!(
            "/{}/dummycontainer{}",
            CGROUP_PARENT,
-            since_the_epoch.as_millis()
+            since_the_epoch.as_micros()
        );

        let spec = SpecBuilder::default()
--- a/src/dragonball/Cargo.lock
+++ b/src/dragonball/Cargo.lock
@@ -285,7 +285,7 @@ dependencies = [
 "kvm-bindings",
 "kvm-ioctls",
 "libc",
- "memoffset",
+ "memoffset 0.6.5",
 "thiserror 1.0.48",
 "vm-memory",
 "vmm-sys-util",
@@ -344,20 +344,26 @@ name = "dbs-pci"
 version = "0.1.0"
 dependencies = [
 "byteorder",
+ "dbs-address-space",
 "dbs-allocator",
 "dbs-arch",
 "dbs-boot",
 "dbs-device",
 "dbs-interrupt",
+ "dbs-utils",
+ "dbs-virtio-devices",
 "downcast-rs",
 "kvm-bindings",
 "kvm-ioctls",
 "libc",
 "log",
+ "serde",
 "thiserror 1.0.48",
 "vfio-bindings",
 "vfio-ioctls",
+ "virtio-queue",
 "vm-memory",
+ "vmm-sys-util",
 ]

 [[package]]
@@ -491,6 +497,17 @@ dependencies = [
 "winapi",
 ]

+[[package]]
+name = "displaydoc"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
 [[package]]
 name = "downcast-rs"
 version = "1.2.0"
@@ -653,9 +670,9 @@ checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"

 [[package]]
 name = "form_urlencoded"
-version = "1.2.0"
+version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a62bc1cf6f830c2ec14a513a9fb124d0a213a629668a4186f329db21fe045652"
+checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456"
 dependencies = [
 "percent-encoding",
 ]
@@ -914,13 +931,110 @@ dependencies = [
 ]

 [[package]]
-name = "idna"
-version = "0.4.0"
+name = "icu_collections"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7d20d6b07bfbc108882d88ed8e37d39636dcc260e15e30c45e6ba089610b917c"
+checksum = "200072f5d0e3614556f94a9930d5dc3e0662a652823904c3a75dc3b0af7fee47"
 dependencies = [
- "unicode-bidi",
- "unicode-normalization",
+ "displaydoc",
+ "potential_utf",
+ "yoke",
+ "zerofrom",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_locale_core"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0cde2700ccaed3872079a65fb1a78f6c0a36c91570f28755dda67bc8f7d9f00a"
+dependencies = [
+ "displaydoc",
+ "litemap",
+ "tinystr",
+ "writeable",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "436880e8e18df4d7bbc06d58432329d6458cc84531f7ac5f024e93deadb37979"
+dependencies = [
+ "displaydoc",
+ "icu_collections",
+ "icu_normalizer_data",
+ "icu_properties",
+ "icu_provider",
+ "smallvec",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_normalizer_data"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3"
+
+[[package]]
+name = "icu_properties"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "016c619c1eeb94efb86809b015c58f479963de65bdb6253345c1a1276f22e32b"
+dependencies = [
+ "displaydoc",
+ "icu_collections",
+ "icu_locale_core",
+ "icu_properties_data",
+ "icu_provider",
+ "potential_utf",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "icu_properties_data"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "298459143998310acd25ffe6810ed544932242d3f07083eee1084d83a71bd632"
+
+[[package]]
+name = "icu_provider"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "03c80da27b5f4187909049ee2d72f276f0d9f99a42c306bd0131ecfe04d8e5af"
+dependencies = [
+ "displaydoc",
+ "icu_locale_core",
+ "stable_deref_trait",
+ "tinystr",
+ "writeable",
+ "yoke",
+ "zerofrom",
+ "zerotrie",
+ "zerovec",
+]
+
+[[package]]
+name = "idna"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e"
+dependencies = [
+ "idna_adapter",
+ "smallvec",
+ "utf8_iter",
+]
+
+[[package]]
+name = "idna_adapter"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+dependencies = [
+ "icu_normalizer",
+ "icu_properties",
 ]

 [[package]]
@@ -1007,9 +1121,9 @@ dependencies = [

 [[package]]
 name = "kvm-ioctls"
-version = "0.12.0"
+version = "0.12.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3a321cabd827642499c77e27314f388dd83a717a5ca716b86476fb947f73ae4"
+checksum = "3d592c9b0da14bacab1fe89c78e7ed873b20cf7f502d0fc26f628d733215b1e5"
 dependencies = [
 "kvm-bindings",
 "libc",
@@ -1062,6 +1176,12 @@ version = "0.4.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d26c52dbd32dccf2d10cac7725f8eae5296885fb5703b261f7d0a0739ec807ab"

+[[package]]
+name = "litemap"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
+
 [[package]]
 name = "lock_api"
 version = "0.4.10"
@@ -1113,6 +1233,15 @@ dependencies = [
 "autocfg",
 ]

+[[package]]
+name = "memoffset"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5de893c32cde5f383baa4c04c5d6dbdd735cfd4a794b0debdb2bb1b421da5ff4"
+dependencies = [
+ "autocfg",
+]
+
 [[package]]
 name = "mime"
 version = "0.3.17"
@@ -1179,7 +1308,7 @@ dependencies = [
 "cc",
 "cfg-if",
 "libc",
- "memoffset",
+ "memoffset 0.6.5",
 ]

 [[package]]
@@ -1191,7 +1320,20 @@ dependencies = [
 "bitflags 1.3.2",
 "cfg-if",
 "libc",
- "memoffset",
+ "memoffset 0.6.5",
+]
+
+[[package]]
+name = "nix"
+version = "0.26.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "598beaf3cc6fdd9a5dfb1630c2800c7acd31df7aaf0f565796fba2b53ca1af1b"
+dependencies = [
+ "bitflags 1.3.2",
+ "cfg-if",
+ "libc",
+ "memoffset 0.7.1",
+ "pin-utils",
 ]

 [[package]]
@@ -1325,9 +1467,9 @@ checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d"

 [[package]]
 name = "openssl"
-version = "0.10.72"
+version = "0.10.73"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fedfea7d58a1f73118430a55da6a286e7b044961736ce96a16a17068ea25e5da"
+checksum = "8505734d46c8ab1e19a1dce3aef597ad87dcb4c37e7188231769bd6bd51cebf8"
 dependencies = [
 "bitflags 2.4.0",
 "cfg-if",
@@ -1366,9 +1508,9 @@ dependencies = [

 [[package]]
 name = "openssl-sys"
-version = "0.9.108"
+version = "0.9.109"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e145e1651e858e820e4860f7b9c5e169bc1d8ce1c86043be79fa7b7634821847"
+checksum = "90096e2e47630d78b7d1c20952dc621f957103f8bc2c8359ec81290d75238571"
 dependencies = [
 "cc",
 "libc",
@@ -1402,9 +1544,9 @@ dependencies = [

 [[package]]
 name = "percent-encoding"
-version = "2.3.0"
+version = "2.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9b2a4787296e9989611394c33f193f676704af1686e70b8f8033ab5ba9a35a94"
+checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"

 [[package]]
 name = "pin-project-lite"
@@ -1424,6 +1566,15 @@ version = "0.3.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964"

+[[package]]
+name = "potential_utf"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5a7c30837279ca13e7c867e9e40053bc68740f988cb07f7ca6df43cc734b585"
+dependencies = [
+ "zerovec",
+]
+
 [[package]]
 name = "powerfmt"
 version = "0.2.0"
@@ -1665,9 +1816,9 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"

 [[package]]
 name = "seccompiler"
-version = "0.2.0"
+version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e01d1292a1131b22ccea49f30bd106f1238b5ddeec1a98d39268dcc31d540e68"
+checksum = "a4ae55de56877481d112a559bbc12667635fdaf5e005712fd4e2b2fa50ffc884"
 dependencies = [
 "libc",
 ]
@@ -1777,12 +1928,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"

 [[package]]
 name = "slab"
-version = "0.4.9"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67"
-dependencies = [
- "autocfg",
-]
+checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589"

 [[package]]
 name = "slog"
@@ -1828,9 +1976,9 @@ dependencies = [

 [[package]]
 name = "smallvec"
-version = "1.11.0"
+version = "1.15.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62bb4feee49fdd9f707ef802e22365a35de4b7b299de4763d44bfea899442ff9"
+checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"

 [[package]]
 name = "socket2"
@@ -1842,6 +1990,12 @@ dependencies = [
 "windows-sys 0.52.0",
 ]

+[[package]]
+name = "stable_deref_trait"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
+
 [[package]]
 name = "subtle"
 version = "2.5.0"
@@ -1870,6 +2024,17 @@ dependencies = [
 "unicode-ident",
 ]

+[[package]]
+name = "synstructure"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
 [[package]]
 name = "take_mut"
 version = "0.2.2"
@@ -1915,7 +2080,7 @@ dependencies = [
 name = "test-utils"
 version = "0.1.0"
 dependencies = [
- "nix 0.24.3",
+ "nix 0.26.4",
 ]

 [[package]]
@@ -2018,20 +2183,15 @@ dependencies = [
 ]

 [[package]]
-name = "tinyvec"
-version = "1.6.0"
+name = "tinystr"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
+checksum = "5d4f6d1145dcb577acf783d4e601bc1d76a13337bb54e6233add580b07344c8b"
 dependencies = [
- "tinyvec_macros",
+ "displaydoc",
+ "zerovec",
 ]

-[[package]]
-name = "tinyvec_macros"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
-
 [[package]]
 name = "tokio"
 version = "1.44.2"
@@ -2141,38 +2301,29 @@ version = "1.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba"

-[[package]]
-name = "unicode-bidi"
-version = "0.3.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460"
-
 [[package]]
 name = "unicode-ident"
 version = "1.0.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "301abaae475aa91687eb82514b328ab47a211a533026cb25fc3e519b86adfc3c"

-[[package]]
-name = "unicode-normalization"
-version = "0.1.22"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921"
-dependencies = [
- "tinyvec",
-]
-
 [[package]]
 name = "url"
-version = "2.4.1"
+version = "2.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "143b538f18257fac9cad154828a57c6bf5157e1aa604d4816b5995bf6de87ae5"
+checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60"
 dependencies = [
 "form_urlencoded",
 "idna",
 "percent-encoding",
 ]

+[[package]]
+name = "utf8_iter"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
+
 [[package]]
 name = "vcpkg"
 version = "0.2.15"
@@ -2202,7 +2353,7 @@ dependencies = [
 "kvm-ioctls",
 "libc",
 "log",
- "thiserror 1.0.48",
+ "thiserror 2.0.12",
 "vfio-bindings",
 "vm-memory",
 "vmm-sys-util",
@@ -2560,6 +2711,12 @@ dependencies = [
 "bitflags 2.4.0",
 ]

+[[package]]
+name = "writeable"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
+
 [[package]]
 name = "xattr"
 version = "1.0.1"
@@ -2569,6 +2726,84 @@ dependencies = [
 "libc",
 ]

+[[package]]
+name = "yoke"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5f41bb01b8226ef4bfd589436a297c53d118f65921786300e427be8d487695cc"
+dependencies = [
+ "serde",
+ "stable_deref_trait",
+ "yoke-derive",
+ "zerofrom",
+]
+
+[[package]]
+name = "yoke-derive"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38da3c9736e16c5d3c8c597a9aaa5d1fa565d0532ae05e27c24aa62fb32c0ab6"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+ "synstructure",
+]
+
+[[package]]
+name = "zerofrom"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5"
+dependencies = [
+ "zerofrom-derive",
+]
+
+[[package]]
+name = "zerofrom-derive"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+ "synstructure",
+]
+
+[[package]]
+name = "zerotrie"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "36f0bbd478583f79edad978b407914f61b2972f5af6fa089686016be8f9af595"
+dependencies = [
+ "displaydoc",
+ "yoke",
+ "zerofrom",
+]
+
+[[package]]
+name = "zerovec"
+version = "0.11.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a05eb080e015ba39cc9e23bbe5e7fb04d5fb040350f99f34e338d5fdd294428"
+dependencies = [
+ "yoke",
+ "zerofrom",
+ "zerovec-derive",
+]
+
+[[package]]
+name = "zerovec-derive"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b96237efa0c878c64bd89c436f661be4e46b2f3eff1ebb976f7ef2321d2f58f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
 [[package]]
 name = "zstd"
 version = "0.11.2+zstd.1.5.2"
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .19.0
 .22.0