Merge pull request #6892 from fidencio/3.2.0-alpha1-branch-bump

# Kata Containers 3.2.0-alpha1
release: Kata Containers 3.2.0-alpha1
2026-03-17 10:12:24 +00:00 · 2023-05-19 12:31:33 +02:00 · 2023-05-19 09:26:36 +02:00 · 2023-05-18 22:38:31 +02:00 · 2023-05-18 20:35:16 +02:00 · 2023-05-18 09:36:06 +00:00
350 changed files with 16022 additions and 2778 deletions
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -1,10 +1,14 @@
-name: CI | Publish kata-deploy payload for amd64
+name: CI | Build kata-static tarball for amd64
 on:
  workflow_call:
    inputs:
-      target-arch:
-        required: true
+      tarball-suffix:
+        required: false
        type: string
+      push-to-registry:
+        required: false
+        type: string
+        default: no

 jobs:
  build-asset:
@@ -15,23 +19,28 @@ jobs:
          - cloud-hypervisor
          - firecracker
          - kernel
+          - kernel-sev
          - kernel-dragonball-experimental
+          - kernel-tdx-experimental
+          - kernel-nvidia-gpu
+          - kernel-nvidia-gpu-snp
+          - kernel-nvidia-gpu-tdx-experimental
          - nydus
+          - ovmf
+          - ovmf-sev
          - qemu
+          - qemu-snp-experimental
+          - qemu-tdx-experimental
          - rootfs-image
          - rootfs-initrd
+          - rootfs-initrd-sev
          - shim-v2
+          - tdvf
          - virtiofsd
    steps:
-      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@v2
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
      - uses: actions/checkout@v3
        with:
+          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
      - name: Build ${{ matrix.asset }}
        run: |
@@ -42,12 +51,12 @@ jobs:
        env:
          KATA_ASSET: ${{ matrix.asset }}
          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-          PUSH_TO_REGISTRY: yes
+          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@v3
        with:
-          name: kata-artifacts-amd64
+          name: kata-artifacts-amd64${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
          retention-days: 1
          if-no-files-found: error
@@ -57,10 +66,12 @@ jobs:
    needs: build-asset
    steps:
      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
      - name: get-artifacts
        uses: actions/download-artifact@v3
        with:
-          name: kata-artifacts-amd64
+          name: kata-artifacts-amd64${{ inputs.tarball-suffix }}
          path: kata-artifacts
      - name: merge-artifacts
        run: |
@@ -68,31 +79,7 @@ jobs:
      - name: store-artifacts
        uses: actions/upload-artifact@v3
        with:
-          name: kata-static-tarball-amd64
+          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-static.tar.xz
          retention-days: 1
          if-no-files-found: error
-
-  kata-payload:
-    needs: create-kata-tarball
-    runs-on: ubuntu-latest
-    steps:
-      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@v2
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@v3
-      - name: get-kata-tarball
-        uses: actions/download-artifact@v3
-        with:
-          name: kata-static-tarball-amd64
-
-      - name: build-and-push-kata-payload
-        id: build-and-push-kata-payload
-        run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-          $(pwd)/kata-static.tar.xz "quay.io/kata-containers/kata-deploy-ci" \
-          "kata-containers-${{ inputs.target-arch }}"
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -1,10 +1,14 @@
-name: CI | Publish kata-deploy payload for arm64
+name: CI | Build kata-static tarball for arm64
 on:
  workflow_call:
    inputs:
-      target-arch:
-        required: true
+      tarball-suffix:
+        required: false
        type: string
+      push-to-registry:
+        required: false
+        type: string
+        default: no

 jobs:
  build-asset:
@@ -23,19 +27,13 @@ jobs:
          - shim-v2
          - virtiofsd
    steps:
-      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@v2
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
      - name: Adjust a permission for repo
        run: |
          sudo chown -R $USER:$USER $GITHUB_WORKSPACE

      - uses: actions/checkout@v3
        with:
+          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
      - name: Build ${{ matrix.asset }}
        run: |
@@ -46,12 +44,12 @@ jobs:
        env:
          KATA_ASSET: ${{ matrix.asset }}
          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-          PUSH_TO_REGISTRY: yes
+          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@v3
        with:
-          name: kata-artifacts-arm64
+          name: kata-artifacts-arm64${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
          retention-days: 1
          if-no-files-found: error
@@ -65,10 +63,12 @@ jobs:
          sudo chown -R $USER:$USER $GITHUB_WORKSPACE

      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
      - name: get-artifacts
        uses: actions/download-artifact@v3
        with:
-          name: kata-artifacts-arm64
+          name: kata-artifacts-arm64${{ inputs.tarball-suffix }}
          path: kata-artifacts
      - name: merge-artifacts
        run: |
@@ -76,35 +76,7 @@ jobs:
      - name: store-artifacts
        uses: actions/upload-artifact@v3
        with:
-          name: kata-static-tarball-arm64
+          name: kata-static-tarball-arm64${{ inputs.tarball-suffix }}
          path: kata-static.tar.xz
          retention-days: 1
          if-no-files-found: error
-
-  kata-payload:
-    needs: create-kata-tarball
-    runs-on: arm64
-    steps:
-      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@v2
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - name: Adjust a permission for repo
-        run: |
-          sudo chown -R $USER:$USER $GITHUB_WORKSPACE
-
-      - uses: actions/checkout@v3
-      - name: get-kata-tarball
-        uses: actions/download-artifact@v3
-        with:
-          name: kata-static-tarball-arm64
-
-      - name: build-and-push-kata-payload
-        id: build-and-push-kata-payload
-        run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-          $(pwd)/kata-static.tar.xz "quay.io/kata-containers/kata-deploy-ci" \
-          "kata-containers-${{ inputs.target-arch }}"
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -1,10 +1,14 @@
-name: CI | Publish kata-deploy payload for s390x
+name: CI | Build kata-static tarball for s390x
 on:
  workflow_call:
    inputs:
-      target-arch:
-        required: true
+      tarball-suffix:
+        required: false
        type: string
+      push-to-registry:
+        required: false
+        type: string
+        default: no

 jobs:
  build-asset:
@@ -19,19 +23,13 @@ jobs:
          - shim-v2
          - virtiofsd
    steps:
-      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@v2
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
      - name: Adjust a permission for repo
        run: |
          sudo chown -R $USER:$USER $GITHUB_WORKSPACE

      - uses: actions/checkout@v3
        with:
+          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
      - name: Build ${{ matrix.asset }}
        run: |
@@ -43,12 +41,12 @@ jobs:
        env:
          KATA_ASSET: ${{ matrix.asset }}
          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-          PUSH_TO_REGISTRY: yes
+          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@v3
        with:
-          name: kata-artifacts-s390x
+          name: kata-artifacts-s390x${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
          retention-days: 1
          if-no-files-found: error
@@ -62,10 +60,12 @@ jobs:
          sudo chown -R $USER:$USER $GITHUB_WORKSPACE

      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
      - name: get-artifacts
        uses: actions/download-artifact@v3
        with:
-          name: kata-artifacts-s390x
+          name: kata-artifacts-s390x${{ inputs.tarball-suffix }}
          path: kata-artifacts
      - name: merge-artifacts
        run: |
@@ -73,35 +73,7 @@ jobs:
      - name: store-artifacts
        uses: actions/upload-artifact@v3
        with:
-          name: kata-static-tarball-s390x
+          name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
          path: kata-static.tar.xz
          retention-days: 1
          if-no-files-found: error
-
-  kata-payload:
-    needs: create-kata-tarball
-    runs-on: s390x
-    steps:
-      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@v2
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - name: Adjust a permission for repo
-        run: |
-          sudo chown -R $USER:$USER $GITHUB_WORKSPACE
-
-      - uses: actions/checkout@v3
-      - name: get-kata-tarball
-        uses: actions/download-artifact@v3
-        with:
-          name: kata-static-tarball-s390x
-
-      - name: build-and-push-kata-payload
-        id: build-and-push-kata-payload
-        run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-          $(pwd)/kata-static.tar.xz "quay.io/kata-containers/kata-deploy-ci" \
-          "kata-containers-${{ inputs.target-arch }}"
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -0,0 +1,54 @@
+name: Kata Containers CI
+on:
+  pull_request_target:
+    branches:
+      - 'main'
+
+jobs:
+  build-kata-static-tarball-amd64:
+    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
+    with:
+      tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.event.pull_request.head.sha }}
+
+  publish-kata-deploy-payload-amd64:
+    needs: build-kata-static-tarball-amd64
+    uses: ./.github/workflows/publish-kata-deploy-payload-amd64.yaml
+    with:
+      tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.event.pull_request.head.sha }}
+      registry: ghcr.io
+      repo: ${{ github.repository_owner }}/kata-deploy-ci
+      tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
+    secrets: inherit
+
+  run-k8s-tests-on-aks:
+    needs: publish-kata-deploy-payload-amd64
+    uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
+    with:
+      registry: ghcr.io
+      repo: ${{ github.repository_owner }}/kata-deploy-ci
+      tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
+    secrets: inherit
+
+  run-k8s-tests-on-sev:
+    needs: publish-kata-deploy-payload-amd64
+    uses: ./.github/workflows/run-k8s-tests-on-sev.yaml
+    with:
+      registry: ghcr.io
+      repo: ${{ github.repository_owner }}/kata-deploy-ci
+      tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
+
+  run-k8s-tests-on-snp:
+    needs: publish-kata-deploy-payload-amd64
+    uses: ./.github/workflows/run-k8s-tests-on-snp.yaml
+    with:
+      registry: ghcr.io
+      repo: ${{ github.repository_owner }}/kata-deploy-ci
+      tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
+
+  run-k8s-tests-on-tdx:
+    needs: publish-kata-deploy-payload-amd64
+    uses: ./.github/workflows/run-k8s-tests-on-tdx.yaml
+    with:
+      registry: ghcr.io
+      repo: ${{ github.repository_owner }}/kata-deploy-ci
+      tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
--- a/.github/workflows/commit-message-check.yaml
+++ b/.github/workflows/commit-message-check.yaml
@@ -62,6 +62,9 @@ jobs:
        #   to be specified at the start of the regex as the action is passed
        #   the entire commit message.
        #
+        # - This check will pass if the commit message only contains a subject
+        #   line, as other body message properties are enforced elsewhere.
+        #
        # - Body lines *can* be longer than the maximum if they start
        #   with a non-alphabetic character or if there is no whitespace in
        #   the line.
@@ -75,7 +78,7 @@ jobs:
        #
        # - A SoB comment can be any length (as it is unreasonable to penalise
        #   people with long names/email addresses :)
-        pattern: '^.+(\n([a-zA-Z].{0,150}|[^a-zA-Z\n].*|[^\s\n]*|Signed-off-by:.*|))+$'
+        pattern: '(^[^\n]+$|^.+(\n([a-zA-Z].{0,150}|[^a-zA-Z\n].*|[^\s\n]*|Signed-off-by:.*|))+$)'
        error: 'Body line too long (max 150)'
        post_error: ${{ env.error_msg }}

--- a/.github/workflows/kata-deploy-push.yaml
+++ b/.github/workflows/kata-deploy-push.yaml
@@ -1,80 +0,0 @@
-name: kata deploy build
-
-on: 
-  pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
-    paths:
-      - tools/**
-      - versions.yaml
-
-jobs:
-  build-asset:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        asset:
-          - kernel
-          - kernel-dragonball-experimental
-          - shim-v2
-          - qemu
-          - cloud-hypervisor
-          - firecracker
-          - rootfs-image
-          - rootfs-initrd
-          - virtiofsd
-          - nydus
-    steps:
-      - uses: actions/checkout@v2
-      - name: Build ${{ matrix.asset }}
-        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-        run: |
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          sudo cp -r --preserve=all "${build_dir}" "kata-build"
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-
-      - name: store-artifact ${{ matrix.asset }}
-        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-        uses: actions/upload-artifact@v2
-        with:
-          name: kata-artifacts
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
-          if-no-files-found: error
-
-  create-kata-tarball:
-    runs-on: ubuntu-latest
-    needs: build-asset
-    steps:
-      - uses: actions/checkout@v2
-      - name: get-artifacts
-        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-        uses: actions/download-artifact@v2
-        with:
-          name: kata-artifacts
-          path: build
-      - name: merge-artifacts
-        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-        run: |
-          make merge-builds
-      - name: store-artifacts
-        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-        uses: actions/upload-artifact@v2
-        with:
-          name: kata-static-tarball
-          path: kata-static.tar.xz
-
-  make-kata-tarball:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: make kata-tarball
-        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-        run: |
-          make kata-tarball
-          sudo make install-tarball
--- a/.github/workflows/kata-deploy-test.yaml
+++ b/.github/workflows/kata-deploy-test.yaml
@@ -1,164 +0,0 @@
-on:
-  workflow_dispatch: # this is used to trigger the workflow on non-main branches
-    inputs:
-      pr:
-        description: 'PR number from the selected branch to test'
-        type: string
-        required: true
-  issue_comment:
-    types: [created, edited]
-
-name: test-kata-deploy
-
-jobs:
-  check-comment-and-membership:
-    runs-on: ubuntu-latest
-    if: |
-      github.event.issue.pull_request
-      && github.event_name == 'issue_comment'
-      && github.event.action == 'created'
-      && startsWith(github.event.comment.body, '/test_kata_deploy')
-      || github.event_name == 'workflow_dispatch'
-    steps:
-      - name: Check membership on comment or dispatch
-        uses: kata-containers/is-organization-member@1.0.1
-        id: is_organization_member
-        with:
-          organization: kata-containers
-          username: ${{ github.event.comment.user.login || github.event.sender.login }}
-          token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Fail if not member
-        run: |
-          result=${{ steps.is_organization_member.outputs.result }}
-          if [ $result == false ]; then
-              user=${{ github.event.comment.user.login || github.event.sender.login }}
-              echo Either ${user} is not part of the kata-containers organization
-              echo or ${user} has its Organization Visibility set to Private at
-              echo https://github.com/orgs/kata-containers/people?query=${user}
-              echo 
-              echo Ensure you change your Organization Visibility to Public and
-              echo trigger the test again.
-              exit 1
-          fi
-
-  build-asset:
-    runs-on: ubuntu-latest
-    needs: check-comment-and-membership
-    strategy:
-      matrix:
-        asset:
-          - cloud-hypervisor
-          - firecracker
-          - kernel
-          - kernel-dragonball-experimental
-          - nydus
-          - qemu
-          - rootfs-image
-          - rootfs-initrd
-          - shim-v2
-          - virtiofsd
-    steps:
-      - name: get-PR-ref
-        id: get-PR-ref
-        run: |
-            if [ ${{ github.event_name }} == 'issue_comment' ]; then
-                ref=$(cat $GITHUB_EVENT_PATH | jq -r '.issue.pull_request.url' | sed  's#^.*\/pulls#refs\/pull#' | sed 's#$#\/merge#')
-            else # workflow_dispatch
-                ref="refs/pull/${{ github.event.inputs.pr }}/merge"
-            fi
-            echo "reference for PR: " ${ref} "event:" ${{ github.event_name }}
-            echo "pr-ref=${ref}" >> $GITHUB_OUTPUT
-      - uses: actions/checkout@v2
-        with:
-          ref: ${{ steps.get-PR-ref.outputs.pr-ref }}
-
-      - name: Build ${{ matrix.asset }}
-        run: |
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          sudo cp -r "${build_dir}" "kata-build"
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-
-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v2
-        with:
-          name: kata-artifacts
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
-          if-no-files-found: error
-
-  create-kata-tarball:
-    runs-on: ubuntu-latest
-    needs: build-asset
-    steps:
-      - name: get-PR-ref
-        id: get-PR-ref
-        run: |
-            if [ ${{ github.event_name }} == 'issue_comment' ]; then
-                ref=$(cat $GITHUB_EVENT_PATH | jq -r '.issue.pull_request.url' | sed  's#^.*\/pulls#refs\/pull#' | sed 's#$#\/merge#')
-            else # workflow_dispatch
-                ref="refs/pull/${{ github.event.inputs.pr }}/merge"
-            fi
-            echo "reference for PR: " ${ref} "event:" ${{ github.event_name }}
-            echo "pr-ref=${ref}" >> $GITHUB_OUTPUT
-      - uses: actions/checkout@v2
-        with:
-          ref: ${{ steps.get-PR-ref.outputs.pr-ref }}
-      - name: get-artifacts
-        uses: actions/download-artifact@v2
-        with:
-          name: kata-artifacts
-          path: kata-artifacts
-      - name: merge-artifacts
-        run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
-      - name: store-artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: kata-static-tarball
-          path: kata-static.tar.xz
-
-  kata-deploy:
-    needs: create-kata-tarball
-    runs-on: ubuntu-latest
-    steps:
-      - name: get-PR-ref
-        id: get-PR-ref
-        run: |
-            if [ ${{ github.event_name }} == 'issue_comment' ]; then
-                ref=$(cat $GITHUB_EVENT_PATH | jq -r '.issue.pull_request.url' | sed  's#^.*\/pulls#refs\/pull#' | sed 's#$#\/merge#')
-            else # workflow_dispatch
-                ref="refs/pull/${{ github.event.inputs.pr }}/merge"
-            fi
-            echo "reference for PR: " ${ref} "event:" ${{ github.event_name }}
-            echo "pr-ref=${ref}" >> $GITHUB_OUTPUT
-      - uses: actions/checkout@v2
-        with:
-          ref: ${{ steps.get-PR-ref.outputs.pr-ref }}
-      - name: get-kata-tarball
-        uses: actions/download-artifact@v2
-        with:
-          name: kata-static-tarball
-      - name: build-and-push-kata-deploy-ci
-        id: build-and-push-kata-deploy-ci
-        run: |
-          PR_SHA=$(git log --format=format:%H -n1)
-          mv kata-static.tar.xz $GITHUB_WORKSPACE/tools/packaging/kata-deploy/kata-static.tar.xz
-          docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t quay.io/kata-containers/kata-deploy-ci:$PR_SHA $GITHUB_WORKSPACE/tools/packaging/kata-deploy
-          docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io
-          docker push quay.io/kata-containers/kata-deploy-ci:$PR_SHA
-          mkdir -p packaging/kata-deploy
-          ln -s $GITHUB_WORKSPACE/tools/packaging/kata-deploy/action packaging/kata-deploy/action
-          echo "PKG_SHA=${PR_SHA}" >> $GITHUB_OUTPUT
-      - name: test-kata-deploy-ci-in-aks
-        uses: ./packaging/kata-deploy/action
-        with:
-          packaging-sha: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
-        env:
-          PKG_SHA: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
-          AZ_APPID: ${{ secrets.AZ_APPID }}
-          AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
-          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-          AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -7,26 +7,50 @@ on:

 jobs:
  build-assets-amd64:
-    uses: ./.github/workflows/payload-after-push-amd64.yaml
+    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
    with:
-      target-arch: amd64
-    secrets: inherit
+      push-to-registry: yes

  build-assets-arm64:
-    uses: ./.github/workflows/payload-after-push-arm64.yaml
+    uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
    with:
-      target-arch: arm64
-    secrets: inherit
+      push-to-registry: yes

  build-assets-s390x:
-    uses: ./.github/workflows/payload-after-push-s390x.yaml
+    uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
    with:
-      target-arch: s390x
+      push-to-registry: yes
+
+  publish-kata-deploy-payload-amd64:
+    needs: build-assets-amd64
+    uses: ./.github/workflows/publish-kata-deploy-payload-amd64.yaml
+    with:
+      registry: quay.io
+      repo: kata-containers/kata-deploy-ci
+      tag: kata-containers-amd64
    secrets: inherit

-  publish:
+  publish-kata-deploy-payload-arm64:
+    needs: build-assets-arm64
+    uses: ./.github/workflows/publish-kata-deploy-payload-arm64.yaml
+    with:
+      registry: quay.io
+      repo: kata-containers/kata-deploy-ci
+      tag: kata-containers-arm64
+    secrets: inherit
+
+  publish-kata-deploy-payload-s390x:
+    needs: build-assets-s390x
+    uses: ./.github/workflows/publish-kata-deploy-payload-s390x.yaml
+    with:
+      registry: quay.io
+      repo: kata-containers/kata-deploy-ci
+      tag: kata-containers-s390x
+    secrets: inherit
+
+  publish-manifest:
    runs-on: ubuntu-latest
-    needs: [build-assets-amd64, build-assets-arm64, build-assets-s390x]
+    needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
--- a/.github/workflows/publish-kata-deploy-payload-amd64.yaml
+++ b/.github/workflows/publish-kata-deploy-payload-amd64.yaml
@@ -0,0 +1,52 @@
+name: CI | Publish kata-deploy payload for amd64
+on:
+  workflow_call:
+    inputs:
+      tarball-suffix:
+        required: false
+        type: string
+      registry:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
+      tag:
+        required: true
+        type: string
+
+jobs:
+  kata-payload:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
+
+      - name: Login to Kata Containers quay.io
+        if: ${{ inputs.registry == 'quay.io' }}
+        uses: docker/login-action@v2
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - name: Login to Kata Containers ghcr.io
+        if: ${{ inputs.registry == 'ghcr.io' }}
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: build-and-push-kata-payload
+        id: build-and-push-kata-payload
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
+          $(pwd)/kata-static.tar.xz \
+          ${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }}
--- a/.github/workflows/publish-kata-deploy-payload-arm64.yaml
+++ b/.github/workflows/publish-kata-deploy-payload-arm64.yaml
@@ -0,0 +1,57 @@
+name: CI | Publish kata-deploy payload for arm64
+on:
+  workflow_call:
+    inputs:
+      tarball-suffix:
+        required: false
+        type: string
+      registry:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
+      tag:
+        required: true
+        type: string
+
+jobs:
+  kata-payload:
+    runs-on: arm64
+    steps:
+      - name: Adjust a permission for repo
+        run: |
+          sudo chown -R $USER:$USER $GITHUB_WORKSPACE
+
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-static-tarball-arm64${{ inputs.tarball-suffix }}
+
+      - name: Login to Kata Containers quay.io
+        if: ${{ inputs.registry == 'quay.io' }}
+        uses: docker/login-action@v2
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - name: Login to Kata Containers ghcr.io
+        if: ${{ inputs.registry == 'ghcr.io' }}
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: build-and-push-kata-payload
+        id: build-and-push-kata-payload
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
+          $(pwd)/kata-static.tar.xz \
+          ${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }}
+
--- a/.github/workflows/publish-kata-deploy-payload-s390x.yaml
+++ b/.github/workflows/publish-kata-deploy-payload-s390x.yaml
@@ -0,0 +1,56 @@
+name: CI | Publish kata-deploy payload for s390x
+on:
+  workflow_call:
+    inputs:
+      tarball-suffix:
+        required: false
+        type: string
+      registry:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
+      tag:
+        required: true
+        type: string
+
+jobs:
+  kata-payload:
+    runs-on: s390x
+    steps:
+      - name: Adjust a permission for repo
+        run: |
+          sudo chown -R $USER:$USER $GITHUB_WORKSPACE
+
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
+
+      - name: Login to Kata Containers quay.io
+        if: ${{ inputs.registry == 'quay.io' }}
+        uses: docker/login-action@v2
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - name: Login to Kata Containers ghcr.io
+        if: ${{ inputs.registry == 'ghcr.io' }}
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: build-and-push-kata-payload
+        id: build-and-push-kata-payload
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
+          $(pwd)/kata-static.tar.xz \
+          ${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }}
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -0,0 +1,63 @@
+name: Publish Kata release artifacts for amd64
+on:
+  workflow_call:
+    inputs:
+      target-arch:
+        required: true
+        type: string
+
+jobs:
+  build-kata-static-tarball-amd64:
+    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
+
+  kata-deploy:
+    needs: build-kata-static-tarball-amd64
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to Kata Containers docker.io
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Login to Kata Containers quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - uses: actions/checkout@v3
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-static-tarball-amd64
+
+      - name: build-and-push-kata-deploy-ci-amd64
+        id: build-and-push-kata-deploy-ci-amd64
+        run: |
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          pushd $GITHUB_WORKSPACE
+          git checkout $tag
+          pkg_sha=$(git rev-parse HEAD)
+          popd
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
+            $(pwd)/kata-static.tar.xz "docker.io/katadocker/kata-deploy-ci" \
+            "${pkg_sha}-${{ inputs.target-arch }}"
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
+            $(pwd)/kata-static.tar.xz "quay.io/kata-containers/kata-deploy-ci" \
+            "${pkg_sha}-${{ inputs.target-arch }}"
+
+      - name: push-tarball
+        run: |
+          # tag the container image we created and push to DockerHub
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          tags=($tag)
+          tags+=($([[ "$tag" =~ "alpha"|"rc" ]] && echo "latest" || echo "stable"))
+          for tag in ${tags[@]}; do
+            docker tag docker.io/katadocker/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci-amd64.outputs.PKG_SHA}}-${{ inputs.target-arch }} docker.io/katadocker/kata-deploy:${tag}-${{ inputs.target-arch }}
+            docker tag quay.io/kata-containers/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci-amd64.outputs.PKG_SHA}}-${{ inputs.target-arch }} quay.io/kata-containers/kata-deploy:${tag}-${{ inputs.target-arch }}
+            docker push docker.io/katadocker/kata-deploy:${tag}-${{ inputs.target-arch }}
+            docker push quay.io/kata-containers/kata-deploy:${tag}-${{ inputs.target-arch }}
+          done
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -0,0 +1,63 @@
+name: Publish Kata release artifacts for arm64
+on:
+  workflow_call:
+    inputs:
+      target-arch:
+        required: true
+        type: string
+
+jobs:
+  build-kata-static-tarball-arm64:
+    uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
+
+  kata-deploy:
+    needs: build-kata-static-tarball-arm64
+    runs-on: arm64
+    steps:
+      - name: Login to Kata Containers docker.io
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Login to Kata Containers quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - uses: actions/checkout@v3
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-static-tarball-arm64
+
+      - name: build-and-push-kata-deploy-ci-arm64
+        id: build-and-push-kata-deploy-ci-arm64
+        run: |
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          pushd $GITHUB_WORKSPACE
+          git checkout $tag
+          pkg_sha=$(git rev-parse HEAD)
+          popd
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
+            $(pwd)/kata-static.tar.xz "docker.io/katadocker/kata-deploy-ci" \
+            "${pkg_sha}-${{ inputs.target-arch }}"
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
+            $(pwd)/kata-static.tar.xz "quay.io/kata-containers/kata-deploy-ci" \
+            "${pkg_sha}-${{ inputs.target-arch }}"
+
+      - name: push-tarball
+        run: |
+          # tag the container image we created and push to DockerHub
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          tags=($tag)
+          tags+=($([[ "$tag" =~ "alpha"|"rc" ]] && echo "latest" || echo "stable"))
+          for tag in ${tags[@]}; do
+            docker tag docker.io/katadocker/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci-arm64.outputs.PKG_SHA}}-${{ inputs.target-arch }} docker.io/katadocker/kata-deploy:${tag}-${{ inputs.target-arch }}
+            docker tag quay.io/kata-containers/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci-arm64.outputs.PKG_SHA}}-${{ inputs.target-arch }} quay.io/kata-containers/kata-deploy:${tag}-${{ inputs.target-arch }}
+            docker push docker.io/katadocker/kata-deploy:${tag}-${{ inputs.target-arch }}
+            docker push quay.io/kata-containers/kata-deploy:${tag}-${{ inputs.target-arch }}
+          done
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -0,0 +1,63 @@
+name: Publish Kata release artifacts for s390x
+on:
+  workflow_call:
+    inputs:
+      target-arch:
+        required: true
+        type: string
+
+jobs:
+  build-kata-static-tarball-s390x:
+    uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
+
+  kata-deploy:
+    needs: create-kata-tarball
+    runs-on: s390x
+    steps:
+      - name: Login to Kata Containers docker.io
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Login to Kata Containers quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - uses: actions/checkout@v3
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-static-tarball-s390x
+
+      - name: build-and-push-kata-deploy-ci-s390x
+        id: build-and-push-kata-deploy-ci-s390x
+        run: |
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          pushd $GITHUB_WORKSPACE
+          git checkout $tag
+          pkg_sha=$(git rev-parse HEAD)
+          popd
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
+            $(pwd)/kata-static.tar.xz "docker.io/katadocker/kata-deploy-ci" \
+            "${pkg_sha}-${{ inputs.target-arch }}"
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
+            $(pwd)/kata-static.tar.xz "quay.io/kata-containers/kata-deploy-ci" \
+            "${pkg_sha}-${{ inputs.target-arch }}"
+
+      - name: push-tarball
+        run: |
+          # tag the container image we created and push to DockerHub
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          tags=($tag)
+          tags+=($([[ "$tag" =~ "alpha"|"rc" ]] && echo "latest" || echo "stable"))
+          for tag in ${tags[@]}; do
+            docker tag docker.io/katadocker/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci-s390x.outputs.PKG_SHA}}-${{ inputs.target-arch }} docker.io/katadocker/kata-deploy:${tag}-${{ inputs.target-arch }}
+            docker tag quay.io/kata-containers/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci-s390x.outputs.PKG_SHA}}-${{ inputs.target-arch }} quay.io/kata-containers/kata-deploy:${tag}-${{ inputs.target-arch }}
+            docker push docker.io/katadocker/kata-deploy:${tag}-${{ inputs.target-arch }}
+            docker push quay.io/kata-containers/kata-deploy:${tag}-${{ inputs.target-arch }}
+          done
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,124 +5,83 @@ on:
      - '[0-9]+.[0-9]+.[0-9]+*'

 jobs:
-  build-asset:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        asset:
-          - cloud-hypervisor
-          - firecracker
-          - kernel
-          - kernel-dragonball-experimental
-          - nydus
-          - qemu
-          - rootfs-image
-          - rootfs-initrd
-          - shim-v2
-          - virtiofsd
-    steps:
-      - uses: actions/checkout@v2
-      - name: Build ${{ matrix.asset }}
-        run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-copy-yq-installer.sh
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh --build="${KATA_ASSET}"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          sudo cp -r "${build_dir}" "kata-build"
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
+  build-and-push-assets-amd64:
+    uses: ./.github/workflows/release-amd64.yaml
+    with:
+      target-arch: amd64
+    secrets: inherit

-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v2
-        with:
-          name: kata-artifacts
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
-          if-no-files-found: error
+  build-and-push-assets-arm64:
+    uses: ./.github/workflows/release-arm64.yaml
+    with:
+      target-arch: arm64
+    secrets: inherit

-  create-kata-tarball:
-    runs-on: ubuntu-latest
-    needs: build-asset
-    steps:
-      - uses: actions/checkout@v2
-      - name: get-artifacts
-        uses: actions/download-artifact@v2
-        with:
-          name: kata-artifacts
-          path: kata-artifacts
-      - name: merge-artifacts
-        run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
-      - name: store-artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: kata-static-tarball
-          path: kata-static.tar.xz
+  build-and-push-assets-s390x:
+    uses: ./.github/workflows/release-s390x.yaml
+    with:
+      target-arch: s390x
+    secrets: inherit

-  kata-deploy:
-    needs: create-kata-tarball
+  publish-multi-arch-images:
    runs-on: ubuntu-latest
+    needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x]
    steps:
-      - uses: actions/checkout@v2
-      - name: get-kata-tarball
-        uses: actions/download-artifact@v2
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Login to Kata Containers docker.io
+        uses: docker/login-action@v3
        with:
-          name: kata-static-tarball
-      - name: build-and-push-kata-deploy-ci
-        id: build-and-push-kata-deploy-ci
-        run: |
-          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
-          pushd $GITHUB_WORKSPACE
-          git checkout $tag
-          pkg_sha=$(git rev-parse HEAD)
-          popd
-          mv kata-static.tar.xz $GITHUB_WORKSPACE/tools/packaging/kata-deploy/kata-static.tar.xz
-          docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t katadocker/kata-deploy-ci:$pkg_sha -t quay.io/kata-containers/kata-deploy-ci:$pkg_sha $GITHUB_WORKSPACE/tools/packaging/kata-deploy
-          docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
-          docker push katadocker/kata-deploy-ci:$pkg_sha
-          docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io
-          docker push quay.io/kata-containers/kata-deploy-ci:$pkg_sha
-          mkdir -p packaging/kata-deploy
-          ln -s $GITHUB_WORKSPACE/tools/packaging/kata-deploy/action packaging/kata-deploy/action
-          echo "PKG_SHA=${pkg_sha}" >> $GITHUB_OUTPUT
-      - name: test-kata-deploy-ci-in-aks
-        uses: ./packaging/kata-deploy/action
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Login to Kata Containers quay.io
+        uses: docker/login-action@v3
        with:
-          packaging-sha: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
-        env:
-          PKG_SHA: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
-          AZ_APPID: ${{ secrets.AZ_APPID }}
-          AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
-          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-          AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      - name: push-tarball
+          registry: quay.io
+          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - name: Push multi-arch manifest
        run: |
          # tag the container image we created and push to DockerHub
          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
          tags=($tag)
          tags+=($([[ "$tag" =~ "alpha"|"rc" ]] && echo "latest" || echo "stable"))
-          for tag in ${tags[@]}; do \
-            docker tag katadocker/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} katadocker/kata-deploy:${tag} && \
-            docker tag quay.io/kata-containers/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} quay.io/kata-containers/kata-deploy:${tag} && \
-            docker push katadocker/kata-deploy:${tag} && \
-            docker push quay.io/kata-containers/kata-deploy:${tag}; \
+          # push to quay.io and docker.io
+          for tag in ${tags[@]}; do
+            docker manifest create quay.io/kata-containers/kata-deploy:${tag} \
+              --amend quay.io/kata-containers/kata-deploy:${tag}-amd64 \
+              --amend quay.io/kata-containers/kata-deploy:${tag}-arm64 \
+              --amend quay.io/kata-containers/kata-deploy:${tag}-s390x
+
+            docker manifest create docker.io/katadocker/kata-deploy:${tag} \
+              --amend docker.io/katadocker/kata-deploy:${tag}-amd64 \
+              --amend docker.io/katadocker/kata-deploy:${tag}-arm64 \
+              --amend docker.io/katadocker/kata-deploy:${tag}-s390x
+
+            docker manifest push quay.io/kata-containers/kata-deploy:${tag}
+            docker manifest push docker.io/katadocker/kata-deploy:${tag}
          done

-  upload-static-tarball:
-    needs: kata-deploy
+  upload-multi-arch-static-tarball:
+    needs: publish-multi-arch-images
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - name: download-artifacts
-        uses: actions/download-artifact@v2
-        with:
-          name: kata-static-tarball
+      - uses: actions/checkout@v3
      - name: install hub
        run: |
          HUB_VER=$(curl -s "https://api.github.com/repos/github/hub/releases/latest" | jq -r .tag_name | sed 's/^v//')
          wget -q -O- https://github.com/github/hub/releases/download/v$HUB_VER/hub-linux-amd64-$HUB_VER.tgz | \
          tar xz --strip-components=2 --wildcards '*/bin/hub' && sudo mv hub /usr/local/bin/hub
-      - name: push static tarball to github
+
+      - name: download-artifacts-amd64
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-static-tarball-amd64
+      - name: push amd64 static tarball to github
        run: |
          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
          tarball="kata-static-$tag-x86_64.tar.xz"
@@ -132,11 +91,39 @@ jobs:
          GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} hub release edit -m "" -a "${tarball}" "${tag}"
          popd

+      - name: download-artifacts-arm64
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-static-tarball-arm64
+      - name: push arm64 static tarball to github
+        run: |
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          tarball="kata-static-$tag-aarch64.tar.xz"
+          mv kata-static.tar.xz "$GITHUB_WORKSPACE/${tarball}"
+          pushd $GITHUB_WORKSPACE
+          echo "uploading asset '${tarball}' for tag: ${tag}"
+          GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} hub release edit -m "" -a "${tarball}" "${tag}"
+          popd
+
+      - name: download-artifacts-s390x
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-static-tarball-s390x
+      - name: push s390x static tarball to github
+        run: |
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          tarball="kata-static-$tag-s390x.tar.xz"
+          mv kata-static.tar.xz "$GITHUB_WORKSPACE/${tarball}"
+          pushd $GITHUB_WORKSPACE
+          echo "uploading asset '${tarball}' for tag: ${tag}"
+          GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} hub release edit -m "" -a "${tarball}" "${tag}"
+          popd
+
  upload-cargo-vendored-tarball:
-    needs: upload-static-tarball
+    needs: upload-multi-arch-static-tarball
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: generate-and-upload-tarball
        run: |
          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
@@ -150,7 +137,7 @@ jobs:
    needs: upload-cargo-vendored-tarball
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: download-and-upload-tarball
        env:
          GITHUB_TOKEN: ${{ secrets.GIT_UPLOAD_TOKEN }}
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -0,0 +1,95 @@
+name: CI | Run kubernetes tests on AKS
+on:
+  workflow_call:
+    inputs:
+      registry:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
+      tag:
+        required: true
+        type: string
+
+jobs:
+  run-k8s-tests:
+    strategy:
+      fail-fast: false
+      matrix:
+        vmm:
+          - clh
+          - dragonball
+          - qemu
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Download Azure CLI
+        run: |
+          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+
+      - name: Log into the Azure account
+        run: |
+          az login \
+            --service-principal \
+            -u "${{ secrets.AZ_APPID }}" \
+            -p "${{ secrets.AZ_PASSWORD }}" \
+            --tenant "${{ secrets.AZ_TENANT_ID }}"
+
+      - name: Create AKS cluster
+        run: |
+          az aks create \
+            -g "kataCI" \
+            -n "${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-${{ matrix.vmm }}-amd64" \
+            -s "Standard_D4s_v5" \
+            --node-count 1 \
+            --generate-ssh-keys
+
+      - name: Install `bats`
+        run: |
+          sudo apt-get update
+          sudo apt-get -y install bats
+
+      - name: Install `kubectl`
+        run: |
+          sudo az aks install-cli
+
+      - name: Download credentials for the Kubernetes CLI to use them
+        run: |
+          az aks get-credentials -g "kataCI" -n ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-${{ matrix.vmm }}-amd64
+
+      - name: Run tests
+        timeout-minutes: 30
+        run: |
+          sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}|g" tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml | grep "${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}" || die "Failed to setup the tests image"
+
+          kubectl apply -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
+          kubectl apply -f tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          kubectl -n kube-system wait --timeout=10m --for=condition=Ready -l name=kata-deploy pod
+          kubectl apply -f tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
+
+          # This is needed as the kata-deploy pod will be set to "Ready" when it starts running,
+          # which may cause issues like not having the node properly labeled or the artefacts
+          # properly deployed when the tests actually start running.
+          sleep 60s
+
+          pushd tests/integration/kubernetes
+          sed -i -e 's|runtimeClassName: kata|runtimeClassName: kata-${{ matrix.vmm }}|' runtimeclass_workloads/*.yaml
+          bash run_kubernetes_tests.sh
+          popd
+        env:
+          KATA_HYPERVISOR: ${{ matrix.vmm }}
+
+      - name: Delete AKS cluster
+        if: always()
+        run: |
+          az aks delete \
+            -g "kataCI" \
+            -n "${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-${{ matrix.vmm }}-amd64" \
+            --yes \
+            --no-wait
--- a/.github/workflows/run-k8s-tests-on-sev.yaml
+++ b/.github/workflows/run-k8s-tests-on-sev.yaml
@@ -0,0 +1,68 @@
+name: CI | Run kubernetes tests on SEV
+on:
+  workflow_call:
+    inputs:
+      registry:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
+      tag:
+        required: true
+        type: string
+
+jobs:
+  run-k8s-tests:
+    strategy:
+      fail-fast: false
+      matrix:
+        vmm:
+          - qemu-sev
+    runs-on: sev
+    env:
+      KUBECONFIG: /home/kata/.kube/config
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Run tests
+        timeout-minutes: 30
+        run: |
+          sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}|g" tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml | grep "${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}" || die "Failed to setup the tests image"
+
+          kubectl apply -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
+          kubectl apply -f tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          kubectl -n kube-system wait --timeout=10m --for=condition=Ready -l name=kata-deploy pod
+          kubectl apply -f tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
+
+          # This is needed as the kata-deploy pod will be set to "Ready" when it starts running,
+          # which may cause issues like not having the node properly labeled or the artefacts
+          # properly deployed when the tests actually start running.
+          sleep 60s
+
+          pushd tests/integration/kubernetes
+          sed -i -e 's|runtimeClassName: kata|runtimeClassName: kata-${{ matrix.vmm }}|' runtimeclass_workloads/*.yaml
+          bash run_kubernetes_tests.sh
+          popd
+        env:
+          KATA_HYPERVISOR: ${{ matrix.vmm }}
+
+      - name: Delete kata-deploy
+        if: always()
+        run: |
+          kubectl delete -f tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          kubectl -n kube-system wait --timeout=10m --for=delete -l name=kata-deploy pod
+
+          sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}|g" tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+          cat tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+          cat tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml | grep "${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}" || die "Failed to setup the tests image"
+          kubectl apply -f tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+          sleep 180s
+
+          kubectl delete -f tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+          kubectl delete -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
+          kubectl delete -f tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
--- a/.github/workflows/run-k8s-tests-on-snp.yaml
+++ b/.github/workflows/run-k8s-tests-on-snp.yaml
@@ -0,0 +1,68 @@
+name: CI | Run kubernetes tests on SEV-SNP
+on:
+  workflow_call:
+    inputs:
+      registry:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
+      tag:
+        required: true
+        type: string
+
+jobs:
+  run-k8s-tests:
+    strategy:
+      fail-fast: false
+      matrix:
+        vmm:
+          - qemu-snp
+    runs-on: sev-snp
+    env:
+      KUBECONFIG: /home/kata/.kube/config
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Run tests
+        timeout-minutes: 30
+        run: |
+          sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}|g" tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml | grep "${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}" || die "Failed to setup the tests image"
+
+          kubectl apply -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
+          kubectl apply -f tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          kubectl -n kube-system wait --timeout=10m --for=condition=Ready -l name=kata-deploy pod
+          kubectl apply -f tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
+
+          # This is needed as the kata-deploy pod will be set to "Ready" when it starts running,
+          # which may cause issues like not having the node properly labeled or the artefacts
+          # properly deployed when the tests actually start running.
+          sleep 60s
+
+          pushd tests/integration/kubernetes
+          sed -i -e 's|runtimeClassName: kata|runtimeClassName: kata-${{ matrix.vmm }}|' runtimeclass_workloads/*.yaml
+          bash run_kubernetes_tests.sh
+          popd
+        env:
+          KATA_HYPERVISOR: ${{ matrix.vmm }}
+
+      - name: Delete kata-deploy
+        if: always()
+        run: |
+          kubectl delete -f tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          kubectl -n kube-system wait --timeout=10m --for=delete -l name=kata-deploy pod
+
+          sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}|g" tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+          cat tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+          cat tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml | grep "${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}" || die "Failed to setup the tests image"
+          kubectl apply -f tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+          sleep 180s
+
+          kubectl delete -f tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+          kubectl delete -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
+          kubectl delete -f tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
--- a/.github/workflows/run-k8s-tests-on-tdx.yaml
+++ b/.github/workflows/run-k8s-tests-on-tdx.yaml
@@ -0,0 +1,68 @@
+name: CI | Run kubernetes tests on TDX
+on:
+  workflow_call:
+    inputs:
+      registry:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
+      tag:
+        required: true
+        type: string
+
+jobs:
+  run-k8s-tests:
+    strategy:
+      fail-fast: false
+      matrix:
+        vmm:
+          - qemu-tdx
+    runs-on: tdx
+    env:
+      KUBECONFIG: /etc/rancher/k3s/k3s.yaml
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Run tests
+        timeout-minutes: 30
+        run: |
+          sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}|g" tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
+          cat tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml | grep "${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}" || die "Failed to setup the tests image"
+
+          kubectl apply -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
+          kubectl apply -k tools/packaging/kata-deploy/kata-deploy/overlays/k3s
+          kubectl -n kube-system wait --timeout=10m --for=condition=Ready -l name=kata-deploy pod
+          kubectl apply -f tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
+
+          # This is needed as the kata-deploy pod will be set to "Ready" when it starts running,
+          # which may cause issues like not having the node properly labeled or the artefacts
+          # properly deployed when the tests actually start running.
+          sleep 60s
+
+          pushd tests/integration/kubernetes
+          sed -i -e 's|runtimeClassName: kata|runtimeClassName: kata-${{ matrix.vmm }}|' runtimeclass_workloads/*.yaml
+          bash run_kubernetes_tests.sh
+          popd
+        env:
+          KATA_HYPERVISOR: ${{ matrix.vmm }}
+
+      - name: Delete kata-deploy
+        if: always()
+        run: |
+          kubectl delete -k tools/packaging/kata-deploy/kata-deploy/overlays/k3s
+          kubectl -n kube-system wait --timeout=10m --for=delete -l name=kata-deploy pod
+
+          sed -i -e "s|quay.io/kata-containers/kata-deploy:latest|${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}|g" tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+          cat tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml
+          cat tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml | grep "${{ inputs.registry }}/${{ inputs.repo }}:${{ inputs.tag }}" || die "Failed to setup the tests image"
+          kubectl apply -k tools/packaging/kata-deploy/kata-cleanup/overlays/k3s
+          sleep 180s
+
+          kubectl delete -k tools/packaging/kata-deploy/kata-cleanup/overlays/k3s
+          kubectl delete -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
+          kubectl delete -f tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
--- a/.github/workflows/snap-release.yaml
+++ b/.github/workflows/snap-release.yaml
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Check out Git repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0

@@ -32,6 +32,7 @@ jobs:
        run: |
          # Removing man-db, workflow kept failing, fixes: #4480
          sudo apt -y remove --purge man-db
+          sudo apt-get update
          sudo apt-get install -y git git-extras
          kata_url="https://github.com/kata-containers/kata-containers"
          latest_version=$(git ls-remote --tags ${kata_url}  | egrep -o "refs.*" | egrep -v "\-alpha|\-rc|{}" | egrep -o "[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+" | sort -V -r | head -1)
--- a/.github/workflows/snap.yaml
+++ b/.github/workflows/snap.yaml
@@ -14,7 +14,7 @@ jobs:
    steps:
      - name: Check out
        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0

--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,8 @@
 **/.vscode
 **/.idea
 **/.fleet
+**/*.swp
+**/*.swo
 pkg/logging/Cargo.lock
 src/agent/src/version.rs
 src/agent/kata-agent.service
--- a/1
+++ b/1
@@ -18,6 +18,7 @@ TOOLS =
 TOOLS += agent-ctl
 TOOLS += kata-ctl
 TOOLS += log-parser
+TOOLS += log-parser-rs
 TOOLS += runk
 TOOLS += trace-forwarder

--- a/README.md
+++ b/README.md
@@ -134,6 +134,7 @@ The table below lists the remaining parts of the project:
 | [osbuilder](tools/osbuilder) | infrastructure | Tool to create "mini O/S" rootfs and initrd images and kernel for the hypervisor. |
 | [`agent-ctl`](src/tools/agent-ctl) | utility | Tool that provides low-level access for testing the agent. |
 | [`kata-ctl`](src/tools/kata-ctl) | utility | Tool that provides advanced commands and debug facilities. |
+| [`log-parser-rs`](src/tools/log-parser-rs) | utility | Tool that aid in analyzing logs from the kata runtime. |
 | [`trace-forwarder`](src/tools/trace-forwarder) | utility | Agent tracing helper. |
 | [`runk`](src/tools/runk) | utility | Standard OCI container runtime based on the agent. |
 | [`ci`](https://github.com/kata-containers/ci) | CI | Continuous Integration configuration files and scripts. |
--- a/2
+++ b/2
@@ -1 +1 @@
-3.2.0-alpha0
+3.2.0-alpha1
--- a/docs/design/architecture/networking.md
+++ b/docs/design/architecture/networking.md
@@ -36,7 +36,7 @@ compatibility, and performance on par with MACVTAP.
 Kata Containers has deprecated support for bridge due to lacking performance relative to TC-filter and MACVTAP.

 Kata Containers supports both
-[CNM](https://github.com/docker/libnetwork/blob/master/docs/design.md#the-container-network-model)
+[CNM](https://github.com/moby/libnetwork/blob/master/docs/design.md#the-container-network-model)
 and [CNI](https://github.com/containernetworking/cni) for networking management.

 ## Network Hotplug
--- a/docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md
+++ b/docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md
@@ -44,12 +44,11 @@ $ popd
 - Build a custom QEMU
 ```bash
 $ source kata-containers/tools/packaging/scripts/lib.sh
-$ qemu_url="$(get_from_kata_deps "assets.hypervisor.qemu.snp.url")"
-$ qemu_branch="$(get_from_kata_deps "assets.hypervisor.qemu.snp.branch")"
-$ qemu_commit="$(get_from_kata_deps "assets.hypervisor.qemu.snp.commit")"
-$ git clone -b "${qemu_branch}" "${qemu_url}"
+$ qemu_url="$(get_from_kata_deps "assets.hypervisor.qemu-snp-experimental.url")"
+$ qemu_tag="$(get_from_kata_deps "assets.hypervisor.qemu-snp-experimental.tag")"
+$ git clone "${qemu_url}"
 $ pushd qemu
-$ git checkout "${qemu_commit}"
+$ git checkout "${qemu_tag}"
 $ ./configure --enable-virtfs --target-list=x86_64-softmmu --enable-debug
 $ make -j "$(nproc)"
 $ popd
--- a/docs/how-to/how-to-run-rootless-vmm.md
+++ b/docs/how-to/how-to-run-rootless-vmm.md
@@ -1,5 +1,5 @@
 ## Introduction
-To improve security, Kata Container supports running the VMM process (currently only QEMU) as a non-`root` user.
+To improve security, Kata Container supports running the VMM process (QEMU and cloud-hypervisor) as a non-`root` user. 
 This document describes how to enable the rootless VMM mode and its limitations.

 ## Pre-requisites
@@ -27,7 +27,7 @@ Another necessary change is to move the hypervisor runtime files (e.g. `vhost-fs
 ## Limitations

 1. Only the VMM process is running as a non-root user. Other processes such as Kata Container shimv2 and `virtiofsd` still run as the root user.
-2. Currently, this feature is only supported in QEMU. Still need to bring it to Firecracker and Cloud Hypervisor (see https://github.com/kata-containers/kata-containers/issues/2567).
+2. Currently, this feature is only supported in QEMU and cloud-hypervisor. For firecracker, you can use jailer to run the VMM process with a non-root user.
 3. Certain features will not work when rootless VMM is enabled, including:
   1. Passing devices to the guest (`virtio-blk`, `virtio-scsi`) will not work if the non-privileged user does not have permission to access it (leading to a permission denied error). A more permissive permission (e.g. 666) may overcome this issue. However, you need to be aware of the potential security implications of reducing the security on such devices.
   2. `vfio` device will also not work because of permission denied error.
--- a/docs/install/README.md
+++ b/docs/install/README.md
@@ -19,7 +19,7 @@ Packaged installation methods uses your distribution's native package format (su
 |------------------------------------------------------|----------------------------------------------------------------------------------------------|-------------------|-----------------------------------------------------------------------------------------------|
 | [Using kata-deploy](#kata-deploy-installation)       | The preferred way to deploy the Kata Containers distributed binaries on a Kubernetes cluster | **No!**           | Best way to give it a try on kata-containers on an already up and running Kubernetes cluster. | 
 | [Using official distro packages](#official-packages) | Kata packages provided by Linux distributions official repositories                          | yes               | Recommended for most users.                                                                   |
-| [Using snap](#snap-installation)                     | Easy to install                                                                              | yes               | Good alternative to official distro packages.                                                 |
+| ~~[Using snap](#snap-installation)~~                     | ~~Easy to install~~                                                                              | ~~yes~~               | **Snap is unmaintained!** ~~Good alternative to official distro packages.~~                                                 |
 | [Automatic](#automatic-installation)                 | Run a single command to install a full system                                                | **No!**           | For those wanting the latest release quickly.                                                 |
 | [Manual](#manual-installation)                       | Follow a guide step-by-step to install a working system                                      | **No!**           | For those who want the latest release with more control.                                      |
 | [Build from source](#build-from-source-installation) | Build the software components manually                                                       | **No!**           | Power users and developers only.                                                              |
@@ -44,9 +44,24 @@ Kata packages are provided by official distribution repositories for:

 ### Snap Installation

-The snap installation is available for all distributions which support `snapd`.
+> **WARNING:**
+>
+> The Snap package method is **unmaintained** and only provides an old
+> version of Kata Containers:
+> The [latest Kata Containers snap](https://snapcraft.io/kata-containers)
+> provides Kata Containers
+> [version 2.4.2](https://github.com/kata-containers/kata-containers/releases/tag/2.4.2)
+> but the latest stable Kata Containers release at the time of writing is
+> [version 3.1.0](https://github.com/kata-containers/kata-containers/releases/tag/3.1.0).
+>
+> We recommend strongly that you switch to an alternative Kata Containers installation method.
+>
+> See: https://github.com/kata-containers/kata-containers/issues/6769
+> for further details.

-[Use snap](snap-installation-guide.md) to install Kata Containers from https://snapcraft.io.
+~~The snap installation is available for all distributions which support `snapd`.~~
+
+~~[Use snap](snap-installation-guide.md) to install Kata Containers from https://snapcraft.io. ~~

 ### Automatic Installation

--- a/docs/install/kata-containers-3.0-rust-runtime-installation-guide.md
+++ b/docs/install/kata-containers-3.0-rust-runtime-installation-guide.md
@@ -49,14 +49,14 @@ Follow the [`kata-deploy`](../../tools/packaging/kata-deploy/README.md).

 * Download `Rustup` and install  `Rust`
    > **Notes:**
-    > Rust version 1.62.0 is needed
+    > For Rust version, please set `RUST_VERSION` to the value of `languages.rust.meta.newest-version key` in [`versions.yaml`](../../versions.yaml) or, if `yq` is available on your system, run `export RUST_VERSION=$(yq read versions.yaml languages.rust.meta.newest-version)`.

    Example for `x86_64`
    ```
    $ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
    $ source $HOME/.cargo/env
-    $ rustup install 1.62.0
-    $ rustup default 1.62.0-x86_64-unknown-linux-gnu
+    $ rustup install ${RUST_VERSION}
+    $ rustup default ${RUST_VERSION}-x86_64-unknown-linux-gnu
    ```

 * Musl support for fully static binary
--- a/docs/install/snap-installation-guide.md
+++ b/docs/install/snap-installation-guide.md
@@ -1,5 +1,20 @@
 # Kata Containers snap package

+> **WARNING:**
+>
+> The Snap package method is **unmaintained** and only provides an old
+> version of Kata Containers:
+> The [latest Kata Containers snap](https://snapcraft.io/kata-containers)
+> provides Kata Containers
+> [version 2.4.2](https://github.com/kata-containers/kata-containers/releases/tag/2.4.2)
+> but the latest stable Kata Containers release at the time of writing is
+> [version 3.1.0](https://github.com/kata-containers/kata-containers/releases/tag/3.1.0).
+>
+> We recommend strongly that you switch to an alternative Kata Containers installation method.
+>
+> See: https://github.com/kata-containers/kata-containers/issues/6769
+> for further details.
+
 ## Install Kata Containers

 Kata Containers can be installed in any Linux distribution that supports
@@ -7,6 +22,21 @@ Kata Containers can be installed in any Linux distribution that supports

 Run the following command to install **Kata Containers**:

+> **WARNING:**
+>
+> The Snap package method is **unmaintained** and only provides an old
+> version of Kata Containers:
+> The [latest Kata Containers snap](https://snapcraft.io/kata-containers)
+> provides Kata Containers
+> [version 2.4.2](https://github.com/kata-containers/kata-containers/releases/tag/2.4.2)
+> but the latest stable Kata Containers release at the time of writing is
+> [version 3.1.0](https://github.com/kata-containers/kata-containers/releases/tag/3.1.0).
+>
+> We recommend strongly that you switch to an alternative Kata Containers installation method.
+>
+> See: https://github.com/kata-containers/kata-containers/issues/6769
+> for further details.
+
 ```sh
 $ sudo snap install kata-containers --stable --classic
 ```
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -63,6 +63,9 @@ parts:
      echo "Adding $USER into docker group"
      sudo -E gpasswd -a $USER docker
      echo "Starting docker"
+      # docker may fail to start using "fd://" in docker.service
+      sudo sed -i 's/fd:\/\//unix:\/\//g' /lib/systemd/system/docker.service
+      sudo systemctl daemon-reload
      sudo -E systemctl start docker || true

  image:
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@@ -120,7 +120,7 @@ checksum = "d7d78656ba01f1b93024b7c3a0467f1608e4be67d725749fdcd7d2c7678fd7a2"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -137,7 +137,7 @@ checksum = "96cf8829f67d2eab0b2dfa42c5d0ef737e0724e4a82b01b3e292456202b19716"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -191,7 +191,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fd9e32d7420c85055e8107e5b2463c4eeefeaac18b52359fe9f9c08a18f342b2"
 dependencies = [
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -329,7 +329,7 @@ dependencies = [
 "proc-macro-error",
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -399,7 +399,7 @@ checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -410,7 +410,7 @@ checksum = "3418329ca0ad70234b9735dc4ceed10af4df60eff9c8e7b06cb5e520d92c3535"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -457,7 +457,7 @@ checksum = "f58dc3c5e468259f19f2d46304a6b28f1c3d034442e14b322d2b850e36f6d5ae"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -600,7 +600,7 @@ checksum = "33c1e13800337f4d4d7a316bf45a567dbcb6ffe087f16424852d97e97a91f512"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -819,7 +819,7 @@ dependencies = [
 "opentelemetry",
 "procfs",
 "prometheus",
- "protobuf",
+ "protobuf 3.2.0",
 "protocols",
 "regex",
 "rtnetlink",
@@ -992,7 +992,7 @@ dependencies = [
 "libc",
 "log",
 "wasi 0.11.0+wasi-snapshot-preview1",
- "windows-sys",
+ "windows-sys 0.36.1",
 ]

 [[package]]
@@ -1257,7 +1257,7 @@ dependencies = [
 "libc",
 "redox_syscall",
 "smallvec",
- "windows-sys",
+ "windows-sys 0.36.1",
 ]

 [[package]]
@@ -1318,7 +1318,7 @@ checksum = "744b6f092ba29c3650faf274db506afd39944f48420f6c86b17cfe0ee1cb36bb"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -1379,7 +1379,7 @@ dependencies = [
 "proc-macro-error-attr",
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 "version_check",
 ]

@@ -1396,9 +1396,9 @@ dependencies = [

 [[package]]
 name = "proc-macro2"
-version = "1.0.40"
+version = "1.0.58"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dd96a1e8ed2596c337f8eae5f24924ec83f5ad5ab21ea8e455d3566c69fbcaf7"
+checksum = "fa1fb82fc0c281dd9671101b66b771ebbe1eaf967b96ac8740dcba4b70005ca8"
 dependencies = [
 "unicode-ident",
 ]
@@ -1431,7 +1431,7 @@ dependencies = [
 "memchr",
 "parking_lot 0.12.1",
 "procfs",
- "protobuf",
+ "protobuf 2.27.1",
 "thiserror",
 ]

@@ -1473,7 +1473,7 @@ dependencies = [
 "itertools",
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -1491,9 +1491,16 @@ name = "protobuf"
 version = "2.27.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cf7e6d18738ecd0902d30d1ad232c9125985a3422929b16c65517b38adc14f96"
+
+[[package]]
+name = "protobuf"
+version = "3.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b55bad9126f378a853655831eb7363b7b01b81d19f8cb1218861086ca4a1a61e"
 dependencies = [
- "serde",
- "serde_derive",
+ "once_cell",
+ "protobuf-support",
+ "thiserror",
 ]

 [[package]]
@@ -1502,17 +1509,47 @@ version = "2.27.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "aec1632b7c8f2e620343439a7dfd1f3c47b18906c4be58982079911482b5d707"
 dependencies = [
- "protobuf",
+ "protobuf 2.27.1",
 ]

 [[package]]
-name = "protobuf-codegen-pure"
-version = "2.27.1"
+name = "protobuf-codegen"
+version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f8122fdb18e55190c796b088a16bdb70cd7acdcd48f7a8b796b58c62e532cc6"
+checksum = "0dd418ac3c91caa4032d37cb80ff0d44e2ebe637b2fb243b6234bf89cdac4901"
 dependencies = [
- "protobuf",
- "protobuf-codegen",
+ "anyhow",
+ "once_cell",
+ "protobuf 3.2.0",
+ "protobuf-parse",
+ "regex",
+ "tempfile",
+ "thiserror",
+]
+
+[[package]]
+name = "protobuf-parse"
+version = "3.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d39b14605eaa1f6a340aec7f320b34064feb26c93aec35d6a9a2272a8ddfa49"
+dependencies = [
+ "anyhow",
+ "indexmap",
+ "log",
+ "protobuf 3.2.0",
+ "protobuf-support",
+ "tempfile",
+ "thiserror",
+ "which",
+]
+
+[[package]]
+name = "protobuf-support"
+version = "3.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5d4d7b8601c814cfb36bcebb79f0e61e45e1e93640cf778837833bbed05c372"
+dependencies = [
+ "thiserror",
 ]

 [[package]]
@@ -1521,16 +1558,16 @@ version = "0.1.0"
 dependencies = [
 "async-trait",
 "oci",
- "protobuf",
+ "protobuf 3.2.0",
 "ttrpc",
 "ttrpc-codegen",
 ]

 [[package]]
 name = "quote"
-version = "1.0.20"
+version = "1.0.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3bcdf212e9776fbcb2d23ab029360416bb1706b1aea2d1a5ba002727cbcab804"
+checksum = "8f4f29d145265ec1c483c7c654450edde0bfe043d3938d6972630663356d9500"
 dependencies = [
 "proc-macro2",
 ]
@@ -1705,7 +1742,7 @@ dependencies = [
 "nix 0.24.2",
 "oci",
 "path-absolutize",
- "protobuf",
+ "protobuf 3.2.0",
 "protocols",
 "regex",
 "rlimit",
@@ -1762,7 +1799,7 @@ checksum = "1f26faba0c3959972377d3b2d306ee9f71faee9714294e41bb777f83f88578be"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -1784,7 +1821,7 @@ checksum = "1fe39d9fbb0ebf5eb2c7cb7e2a47e4f462fad1379f1166b8ae49ad9eae89a7ca"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -1806,7 +1843,7 @@ checksum = "b2acd6defeddb41eb60bb468f8825d0cfd0c2a76bc03bfd235b6a1dc4f6a1ad5"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -1914,9 +1951,9 @@ checksum = "f2dd574626839106c320a323308629dcb1acfc96e32a8cba364ddc61ac23ee83"

 [[package]]
 name = "socket2"
-version = "0.4.4"
+version = "0.4.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "66d72b759436ae32898a2af0a14218dbf55efde3feeb170eb623637db85ee1e0"
+checksum = "64a4a911eed85daf18834cfaa86a79b7d266ff93ff5ba14005426219480ed662"
 dependencies = [
 "libc",
 "winapi",
@@ -1955,6 +1992,17 @@ dependencies = [
 "unicode-ident",
 ]

+[[package]]
+name = "syn"
+version = "2.0.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6f671d4b5ffdb8eadec19c0ae67fe2639df8684bd7bc4b83d986b8db549cf01"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
 [[package]]
 name = "take_mut"
 version = "0.2.2"
@@ -2014,7 +2062,7 @@ checksum = "0396bc89e626244658bef819e22d0cc459e795a5ebe878e6ec336d1674a8d79a"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -2050,33 +2098,32 @@ dependencies = [

 [[package]]
 name = "tokio"
-version = "1.19.2"
+version = "1.28.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c51a52ed6686dd62c320f9b89299e9dfb46f730c7a48e635c19f21d116cb1439"
+checksum = "0aa32867d44e6f2ce3385e89dceb990188b8bb0fb25b0cf576647a6f98ac5105"
 dependencies = [
+ "autocfg",
 "bytes 1.1.0",
 "libc",
- "memchr",
 "mio",
 "num_cpus",
- "once_cell",
 "parking_lot 0.12.1",
 "pin-project-lite",
 "signal-hook-registry",
 "socket2",
 "tokio-macros",
- "winapi",
+ "windows-sys 0.48.0",
 ]

 [[package]]
 name = "tokio-macros"
-version = "1.8.0"
+version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9724f9a975fb987ef7a3cd9be0350edcbe130698af5b8f7a631e23d42d052484"
+checksum = "630bdcf245f78637c13ec01ffae6187cca34625e8c63150d424b59e55af2675e"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 2.0.16",
 ]

 [[package]]
@@ -2146,7 +2193,7 @@ checksum = "cc6b8ad3567499f98a1db7a752b07a7c8c7c7c34c332ec00effb2b0027974b7c"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -2217,9 +2264,9 @@ dependencies = [

 [[package]]
 name = "ttrpc"
-version = "0.6.1"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ecfff459a859c6ba6668ff72b34c2f1d94d9d58f7088414c2674ad0f31cc7d8"
+checksum = "a35f22a2964bea14afee161665bb260b83cb48e665e0260ca06ec0e775c8b06c"
 dependencies = [
 "async-trait",
 "byteorder",
@@ -2227,8 +2274,8 @@ dependencies = [
 "libc",
 "log",
 "nix 0.23.1",
- "protobuf",
- "protobuf-codegen-pure",
+ "protobuf 3.2.0",
+ "protobuf-codegen 3.2.0",
 "thiserror",
 "tokio",
 "tokio-vsock",
@@ -2236,28 +2283,28 @@ dependencies = [

 [[package]]
 name = "ttrpc-codegen"
-version = "0.2.0"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "809eda4e459820237104e4b61d6b41bbe6c9e1ce6adf4057955e6e6722a90408"
+checksum = "94d7f7631d7a9ebed715a47cd4cb6072cbc7ae1d4ec01598971bbec0024340c2"
 dependencies = [
- "protobuf",
- "protobuf-codegen",
- "protobuf-codegen-pure",
+ "protobuf 2.27.1",
+ "protobuf-codegen 3.2.0",
+ "protobuf-support",
 "ttrpc-compiler",
 ]

 [[package]]
 name = "ttrpc-compiler"
-version = "0.4.1"
+version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2978ed3fa047d8fd55cbeb4d4a61d461fb3021a90c9618519c73ce7e5bb66c15"
+checksum = "ec3cb5dbf1f0865a34fe3f722290fe776cacb16f50428610b779467b76ddf647"
 dependencies = [
 "derive-new",
 "prost",
 "prost-build",
 "prost-types",
- "protobuf",
- "protobuf-codegen",
+ "protobuf 2.27.1",
+ "protobuf-codegen 2.27.1",
 "tempfile",
 ]

@@ -2367,7 +2414,7 @@ dependencies = [
 "log",
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 "wasm-bindgen-shared",
 ]

@@ -2389,7 +2436,7 @@ checksum = "7d94ac45fcf608c1f45ef53e748d35660f168490c10b23704c7779ab8f5c3048"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 "wasm-bindgen-backend",
 "wasm-bindgen-shared",
 ]
@@ -2457,43 +2504,109 @@ version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ea04155a16a59f9eab786fe12a4a450e75cdb175f9e0d80da1e17db09f55b8d2"
 dependencies = [
- "windows_aarch64_msvc",
- "windows_i686_gnu",
- "windows_i686_msvc",
- "windows_x86_64_gnu",
- "windows_x86_64_msvc",
+ "windows_aarch64_msvc 0.36.1",
+ "windows_i686_gnu 0.36.1",
+ "windows_i686_msvc 0.36.1",
+ "windows_x86_64_gnu 0.36.1",
+ "windows_x86_64_msvc 0.36.1",
 ]

+[[package]]
+name = "windows-sys"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b1eb6f0cd7c80c79759c929114ef071b87354ce476d9d94271031c0497adfd5"
+dependencies = [
+ "windows_aarch64_gnullvm",
+ "windows_aarch64_msvc 0.48.0",
+ "windows_i686_gnu 0.48.0",
+ "windows_i686_msvc 0.48.0",
+ "windows_x86_64_gnu 0.48.0",
+ "windows_x86_64_gnullvm",
+ "windows_x86_64_msvc 0.48.0",
+]
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91ae572e1b79dba883e0d315474df7305d12f569b400fcf90581b06062f7e1bc"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9bb8c3fd39ade2d67e9874ac4f3db21f0d710bee00fe7cab16949ec184eeaa47"

+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2ef27e0d7bdfcfc7b868b317c1d32c641a6fe4629c171b8928c7b08d98d7cf3"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "180e6ccf01daf4c426b846dfc66db1fc518f074baa793aa7d9b9aaeffad6a3b6"

+[[package]]
+name = "windows_i686_gnu"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "622a1962a7db830d6fd0a69683c80a18fda201879f0f447f065a3b7467daa241"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e2e7917148b2812d1eeafaeb22a97e4813dfa60a3f8f78ebe204bcc88f12f024"

+[[package]]
+name = "windows_i686_msvc"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4542c6e364ce21bf45d69fdd2a8e455fa38d316158cfd43b3ac1c5b1b19f8e00"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4dcd171b8776c41b97521e5da127a2d86ad280114807d0b2ab1e462bc764d9e1"

+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ca2b8a661f7628cbd23440e50b05d705db3686f894fc9580820623656af974b1"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7896dbc1f41e08872e9d5e8f8baa8fdd2677f29468c4e156210174edc7f7b953"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"

+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a515f5799fe4961cb532f983ce2b23082366b898e52ffbce459c86f67c8378a"
+
 [[package]]
 name = "xattr"
 version = "0.2.3"
@@ -2553,7 +2666,7 @@ dependencies = [
 "proc-macro2",
 "quote",
 "regex",
- "syn",
+ "syn 1.0.98",
 ]

 [[package]]
@@ -2590,5 +2703,5 @@ dependencies = [
 "proc-macro-crate",
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.98",
 ]
--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@@ -10,8 +10,8 @@ oci = { path = "../libs/oci" }
 rustjail = { path = "rustjail" }
 protocols = { path = "../libs/protocols", features = ["async"] }
 lazy_static = "1.3.0"
-ttrpc = { version = "0.6.0", features = ["async"], default-features = false }
-protobuf = "2.27.0"
+ttrpc = { version = "0.7.1", features = ["async"], default-features = false }
+protobuf = "3.2.0"
 libc = "0.2.58"
 nix = "0.24.2"
 capctl = "0.2.0"
@@ -30,7 +30,7 @@ async-recursion = "0.3.2"
 futures = "0.3.17"

 # Async runtime
-tokio = { version = "1.14.0", features = ["full"] }
+tokio = { version = "1.28.1", features = ["full"] }
 tokio-vsock = "0.3.1"

 netlink-sys = { version = "0.7.0", features = ["tokio_socket",]}
--- a/src/agent/Makefile
+++ b/src/agent/Makefile
@@ -33,6 +33,12 @@ ifeq ($(SECCOMP),yes)
    override EXTRA_RUSTFEATURES += seccomp
 endif

+include ../../utils.mk
+
+ifeq ($(ARCH), ppc64le)
+    override ARCH = powerpc64le
+endif
+
 ##VAR STANDARD_OCI_RUNTIME=yes|no define if agent enables standard oci runtime feature
 STANDARD_OCI_RUNTIME := no

@@ -45,8 +51,6 @@ ifneq ($(EXTRA_RUSTFEATURES),)
    override EXTRA_RUSTFEATURES := --features "$(EXTRA_RUSTFEATURES)"
 endif

-include ../../utils.mk
-
 TARGET_PATH = target/$(TRIPLE)/$(BUILD_TYPE)/$(TARGET)

 ##VAR DESTDIR=<path> is a directory prepended to each installed target file
--- a/src/agent/rustjail/Cargo.toml
+++ b/src/agent/rustjail/Cargo.toml
@@ -18,7 +18,7 @@ scopeguard = "1.0.0"
 capctl = "0.2.0"
 lazy_static = "1.3.0"
 libc = "0.2.58"
-protobuf = "2.27.0"
+protobuf = "3.2.0"
 slog = "2.5.2"
 slog-scope = "4.1.2"
 scan_fmt = "0.2.6"
@@ -29,7 +29,7 @@ cgroups = { package = "cgroups-rs", version = "0.3.2" }
 rlimit = "0.5.3"
 cfg-if = "0.1.0"

-tokio = { version = "1.2.0", features = ["sync", "io-util", "process", "time", "macros", "rt"] }
+tokio = { version = "1.28.1", features = ["sync", "io-util", "process", "time", "macros", "rt"] }
 futures = "0.3.17"
 async-trait = "0.1.31"
 inotify = "0.9.2"
--- a/src/agent/rustjail/src/cgroups/fs/mod.rs
+++ b/src/agent/rustjail/src/cgroups/fs/mod.rs
@@ -27,7 +27,7 @@ use oci::{
    LinuxNetwork, LinuxPids, LinuxResources,
 };

-use protobuf::{CachedSize, RepeatedField, SingularPtrField, UnknownFields};
+use protobuf::MessageField;
 use protocols::agent::{
    BlkioStats, BlkioStatsEntry, CgroupStats, CpuStats, CpuUsage, HugetlbStats, MemoryData,
    MemoryStats, PidsStats, ThrottlingData,
@@ -50,7 +50,7 @@ macro_rules! get_controller_or_return_singular_none {
    ($cg:ident) => {
        match $cg.controller_of() {
            Some(c) => c,
-            None => return SingularPtrField::none(),
+            None => return MessageField::none(),
        }
    };
 }
@@ -134,11 +134,10 @@ impl CgroupManager for Manager {

        let throttling_data = get_cpu_stats(&self.cgroup);

-        let cpu_stats = SingularPtrField::some(CpuStats {
+        let cpu_stats = MessageField::some(CpuStats {
            cpu_usage,
            throttling_data,
-            unknown_fields: UnknownFields::default(),
-            cached_size: CachedSize::default(),
+            ..Default::default()
        });

        // Memorystats
@@ -160,8 +159,7 @@ impl CgroupManager for Manager {
            pids_stats,
            blkio_stats,
            hugetlb_stats,
-            unknown_fields: UnknownFields::default(),
-            cached_size: CachedSize::default(),
+            ..Default::default()
        })
    }

@@ -446,14 +444,14 @@ fn set_memory_resources(cg: &cgroups::Cgroup, memory: &LinuxMemory, update: bool
        let memstat = get_memory_stats(cg)
            .into_option()
            .ok_or_else(|| anyhow!("failed to get the cgroup memory stats"))?;
-        let memusage = memstat.get_usage();
+        let memusage = memstat.usage();

        // When update memory limit, the kernel would check the current memory limit
        // set against the new swap setting, if the current memory limit is large than
        // the new swap, then set limit first, otherwise the kernel would complain and
        // refused to set; on the other hand, if the current memory limit is smaller than
        // the new swap, then we should set the swap first and then set the memor limit.
-        if swap == -1 || memusage.get_limit() < swap as u64 {
+        if swap == -1 || memusage.limit() < swap as u64 {
            mem_controller.set_memswap_limit(swap)?;
            set_resource!(mem_controller, set_limit, memory, limit);
        } else {
@@ -657,21 +655,20 @@ lazy_static! {
    };
 }

-fn get_cpu_stats(cg: &cgroups::Cgroup) -> SingularPtrField<ThrottlingData> {
+fn get_cpu_stats(cg: &cgroups::Cgroup) -> MessageField<ThrottlingData> {
    let cpu_controller: &CpuController = get_controller_or_return_singular_none!(cg);
    let stat = cpu_controller.cpu().stat;
    let h = lines_to_map(&stat);

-    SingularPtrField::some(ThrottlingData {
+    MessageField::some(ThrottlingData {
        periods: *h.get("nr_periods").unwrap_or(&0),
        throttled_periods: *h.get("nr_throttled").unwrap_or(&0),
        throttled_time: *h.get("throttled_time").unwrap_or(&0),
-        unknown_fields: UnknownFields::default(),
-        cached_size: CachedSize::default(),
+        ..Default::default()
    })
 }

-fn get_cpuacct_stats(cg: &cgroups::Cgroup) -> SingularPtrField<CpuUsage> {
+fn get_cpuacct_stats(cg: &cgroups::Cgroup) -> MessageField<CpuUsage> {
    if let Some(cpuacct_controller) = cg.controller_of::<CpuAcctController>() {
        let cpuacct = cpuacct_controller.cpuacct();

@@ -685,13 +682,12 @@ fn get_cpuacct_stats(cg: &cgroups::Cgroup) -> SingularPtrField<CpuUsage> {

        let percpu_usage = line_to_vec(&cpuacct.usage_percpu);

-        return SingularPtrField::some(CpuUsage {
+        return MessageField::some(CpuUsage {
            total_usage,
            percpu_usage,
            usage_in_kernelmode,
            usage_in_usermode,
-            unknown_fields: UnknownFields::default(),
-            cached_size: CachedSize::default(),
+            ..Default::default()
        });
    }

@@ -704,17 +700,16 @@ fn get_cpuacct_stats(cg: &cgroups::Cgroup) -> SingularPtrField<CpuUsage> {
    let total_usage = *h.get("usage_usec").unwrap_or(&0);
    let percpu_usage = vec![];

-    SingularPtrField::some(CpuUsage {
+    MessageField::some(CpuUsage {
        total_usage,
        percpu_usage,
        usage_in_kernelmode,
        usage_in_usermode,
-        unknown_fields: UnknownFields::default(),
-        cached_size: CachedSize::default(),
+        ..Default::default()
    })
 }

-fn get_memory_stats(cg: &cgroups::Cgroup) -> SingularPtrField<MemoryStats> {
+fn get_memory_stats(cg: &cgroups::Cgroup) -> MessageField<MemoryStats> {
    let memory_controller: &MemController = get_controller_or_return_singular_none!(cg);

    // cache from memory stat
@@ -726,52 +721,48 @@ fn get_memory_stats(cg: &cgroups::Cgroup) -> SingularPtrField<MemoryStats> {
    let use_hierarchy = value == 1;

    // get memory data
-    let usage = SingularPtrField::some(MemoryData {
+    let usage = MessageField::some(MemoryData {
        usage: memory.usage_in_bytes,
        max_usage: memory.max_usage_in_bytes,
        failcnt: memory.fail_cnt,
        limit: memory.limit_in_bytes as u64,
-        unknown_fields: UnknownFields::default(),
-        cached_size: CachedSize::default(),
+        ..Default::default()
    });

    // get swap usage
    let memswap = memory_controller.memswap();

-    let swap_usage = SingularPtrField::some(MemoryData {
+    let swap_usage = MessageField::some(MemoryData {
        usage: memswap.usage_in_bytes,
        max_usage: memswap.max_usage_in_bytes,
        failcnt: memswap.fail_cnt,
        limit: memswap.limit_in_bytes as u64,
-        unknown_fields: UnknownFields::default(),
-        cached_size: CachedSize::default(),
+        ..Default::default()
    });

    // get kernel usage
    let kmem_stat = memory_controller.kmem_stat();

-    let kernel_usage = SingularPtrField::some(MemoryData {
+    let kernel_usage = MessageField::some(MemoryData {
        usage: kmem_stat.usage_in_bytes,
        max_usage: kmem_stat.max_usage_in_bytes,
        failcnt: kmem_stat.fail_cnt,
        limit: kmem_stat.limit_in_bytes as u64,
-        unknown_fields: UnknownFields::default(),
-        cached_size: CachedSize::default(),
+        ..Default::default()
    });

-    SingularPtrField::some(MemoryStats {
+    MessageField::some(MemoryStats {
        cache,
        usage,
        swap_usage,
        kernel_usage,
        use_hierarchy,
        stats: memory.stat.raw,
-        unknown_fields: UnknownFields::default(),
-        cached_size: CachedSize::default(),
+        ..Default::default()
    })
 }

-fn get_pids_stats(cg: &cgroups::Cgroup) -> SingularPtrField<PidsStats> {
+fn get_pids_stats(cg: &cgroups::Cgroup) -> MessageField<PidsStats> {
    let pid_controller: &PidController = get_controller_or_return_singular_none!(cg);

    let current = pid_controller.get_pid_current().unwrap_or(0);
@@ -785,11 +776,10 @@ fn get_pids_stats(cg: &cgroups::Cgroup) -> SingularPtrField<PidsStats> {
        },
    } as u64;

-    SingularPtrField::some(PidsStats {
+    MessageField::some(PidsStats {
        current,
        limit,
-        unknown_fields: UnknownFields::default(),
-        cached_size: CachedSize::default(),
+        ..Default::default()
    })
 }

@@ -825,8 +815,8 @@ https://github.com/opencontainers/runc/blob/a5847db387ae28c0ca4ebe4beee1a76900c8
    Total 0
 */

-fn get_blkio_stat_blkiodata(blkiodata: &[BlkIoData]) -> RepeatedField<BlkioStatsEntry> {
-    let mut m = RepeatedField::new();
+fn get_blkio_stat_blkiodata(blkiodata: &[BlkIoData]) -> Vec<BlkioStatsEntry> {
+    let mut m = Vec::new();
    if blkiodata.is_empty() {
        return m;
    }
@@ -839,16 +829,15 @@ fn get_blkio_stat_blkiodata(blkiodata: &[BlkIoData]) -> RepeatedField<BlkioStats
            minor: d.minor as u64,
            op: op.clone(),
            value: d.data,
-            unknown_fields: UnknownFields::default(),
-            cached_size: CachedSize::default(),
+            ..Default::default()
        });
    }

    m
 }

-fn get_blkio_stat_ioservice(services: &[IoService]) -> RepeatedField<BlkioStatsEntry> {
-    let mut m = RepeatedField::new();
+fn get_blkio_stat_ioservice(services: &[IoService]) -> Vec<BlkioStatsEntry> {
+    let mut m = Vec::new();

    if services.is_empty() {
        return m;
@@ -872,17 +861,16 @@ fn build_blkio_stats_entry(major: i16, minor: i16, op: &str, value: u64) -> Blki
        minor: minor as u64,
        op: op.to_string(),
        value,
-        unknown_fields: UnknownFields::default(),
-        cached_size: CachedSize::default(),
+        ..Default::default()
    }
 }

-fn get_blkio_stats_v2(cg: &cgroups::Cgroup) -> SingularPtrField<BlkioStats> {
+fn get_blkio_stats_v2(cg: &cgroups::Cgroup) -> MessageField<BlkioStats> {
    let blkio_controller: &BlkIoController = get_controller_or_return_singular_none!(cg);
    let blkio = blkio_controller.blkio();

    let mut resp = BlkioStats::new();
-    let mut blkio_stats = RepeatedField::new();
+    let mut blkio_stats = Vec::new();

    let stat = blkio.io_stat;
    for s in stat {
@@ -898,10 +886,10 @@ fn get_blkio_stats_v2(cg: &cgroups::Cgroup) -> SingularPtrField<BlkioStats> {

    resp.io_service_bytes_recursive = blkio_stats;

-    SingularPtrField::some(resp)
+    MessageField::some(resp)
 }

-fn get_blkio_stats(cg: &cgroups::Cgroup) -> SingularPtrField<BlkioStats> {
+fn get_blkio_stats(cg: &cgroups::Cgroup) -> MessageField<BlkioStats> {
    if cg.v2() {
        return get_blkio_stats_v2(cg);
    }
@@ -934,7 +922,7 @@ fn get_blkio_stats(cg: &cgroups::Cgroup) -> SingularPtrField<BlkioStats> {
        m.sectors_recursive = get_blkio_stat_blkiodata(&blkio.sectors_recursive);
    }

-    SingularPtrField::some(m)
+    MessageField::some(m)
 }

 fn get_hugetlb_stats(cg: &cgroups::Cgroup) -> HashMap<String, HugetlbStats> {
@@ -958,8 +946,7 @@ fn get_hugetlb_stats(cg: &cgroups::Cgroup) -> HashMap<String, HugetlbStats> {
                usage,
                max_usage,
                failcnt,
-                unknown_fields: UnknownFields::default(),
-                cached_size: CachedSize::default(),
+                ..Default::default()
            },
        );
    }
--- a/src/agent/rustjail/src/cgroups/mock.rs
+++ b/src/agent/rustjail/src/cgroups/mock.rs
@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //

-use protobuf::{CachedSize, SingularPtrField, UnknownFields};
+use protobuf::MessageField;

 use crate::cgroups::Manager as CgroupManager;
 use crate::protocols::agent::{BlkioStats, CgroupStats, CpuStats, MemoryStats, PidsStats};
@@ -33,13 +33,12 @@ impl CgroupManager for Manager {

    fn get_stats(&self) -> Result<CgroupStats> {
        Ok(CgroupStats {
-            cpu_stats: SingularPtrField::some(CpuStats::default()),
-            memory_stats: SingularPtrField::some(MemoryStats::new()),
-            pids_stats: SingularPtrField::some(PidsStats::new()),
-            blkio_stats: SingularPtrField::some(BlkioStats::new()),
+            cpu_stats: MessageField::some(CpuStats::default()),
+            memory_stats: MessageField::some(MemoryStats::new()),
+            pids_stats: MessageField::some(PidsStats::new()),
+            blkio_stats: MessageField::some(BlkioStats::new()),
            hugetlb_stats: HashMap::new(),
-            unknown_fields: UnknownFields::default(),
-            cached_size: CachedSize::default(),
+            ..Default::default()
        })
    }

--- a/src/agent/rustjail/src/cgroups/systemd/dbus_client.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/dbus_client.rs
@@ -26,7 +26,7 @@ pub trait SystemdInterface {

    fn get_version(&self) -> Result<String>;

-    fn unit_exist(&self, unit_name: &str) -> Result<bool>;
+    fn unit_exists(&self, unit_name: &str) -> Result<bool>;

    fn add_process(&self, pid: i32, unit_name: &str) -> Result<()>;
 }
@@ -36,8 +36,9 @@ pub struct DBusClient {}

 impl DBusClient {
    fn build_proxy(&self) -> Result<SystemManager<'static>> {
-        let connection = zbus::blocking::Connection::system()?;
-        let proxy = SystemManager::new(&connection)?;
+        let connection =
+            zbus::blocking::Connection::system().context("Establishing a D-Bus connection")?;
+        let proxy = SystemManager::new(&connection).context("Building a D-Bus proxy manager")?;
        Ok(proxy)
    }
 }
@@ -108,8 +109,10 @@ impl SystemdInterface for DBusClient {
        Ok(systemd_version)
    }

-    fn unit_exist(&self, unit_name: &str) -> Result<bool> {
-        let proxy = self.build_proxy()?;
+    fn unit_exists(&self, unit_name: &str) -> Result<bool> {
+        let proxy = self
+            .build_proxy()
+            .with_context(|| format!("Checking if systemd unit {} exists", unit_name))?;

        Ok(proxy.get_unit(unit_name).is_ok())
    }
--- a/src/agent/rustjail/src/cgroups/systemd/manager.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/manager.rs
@@ -41,7 +41,7 @@ pub struct Manager {
 impl CgroupManager for Manager {
    fn apply(&self, pid: pid_t) -> Result<()> {
        let unit_name = self.unit_name.as_str();
-        if self.dbus_client.unit_exist(unit_name).unwrap() {
+        if self.dbus_client.unit_exists(unit_name)? {
            self.dbus_client.add_process(pid, self.unit_name.as_str())?;
        } else {
            self.dbus_client.start_unit(
--- a/src/agent/rustjail/src/cgroups/systemd/subsystem/cpu.rs
+++ b/src/agent/rustjail/src/cgroups/systemd/subsystem/cpu.rs
@@ -71,7 +71,7 @@ impl Cpu {
    }

    // v2:
-    // cpu.shares <-> CPUShares
+    // cpu.shares <-> CPUWeight
    // cpu.period <-> CPUQuotaPeriodUSec
    // cpu.period & cpu.quota <-> CPUQuotaPerSecUSec
    fn unified_apply(
@@ -80,8 +80,8 @@ impl Cpu {
        systemd_version: &str,
    ) -> Result<()> {
        if let Some(shares) = cpu_resources.shares {
-            let unified_shares = get_unified_cpushares(shares);
-            properties.push(("CPUShares", Value::U64(unified_shares)));
+            let weight = shares_to_weight(shares);
+            properties.push(("CPUWeight", Value::U64(weight)));
        }

        if let Some(period) = cpu_resources.period {
@@ -104,7 +104,7 @@ impl Cpu {

 // ref: https://github.com/containers/crun/blob/main/crun.1.md#cgroup-v2
 // [2-262144] to [1-10000]
-fn get_unified_cpushares(shares: u64) -> u64 {
+fn shares_to_weight(shares: u64) -> u64 {
    if shares == 0 {
        return 100;
    }
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@@ -48,7 +48,7 @@ use nix::unistd::{self, fork, ForkResult, Gid, Pid, Uid, User};
 use std::os::unix::fs::MetadataExt;
 use std::os::unix::io::AsRawFd;

-use protobuf::SingularPtrField;
+use protobuf::MessageField;

 use oci::State as OCIState;
 use regex::Regex;
@@ -875,7 +875,7 @@ impl BaseContainer for LinuxContainer {
        // what about network interface stats?

        Ok(StatsContainerResponse {
-            cgroup_stats: SingularPtrField::some(self.cgroup_manager.as_ref().get_stats()?),
+            cgroup_stats: MessageField::some(self.cgroup_manager.as_ref().get_stats()?),
            ..Default::default()
        })
    }
--- a/src/agent/rustjail/src/lib.rs
+++ b/src/agent/rustjail/src/lib.rs
@@ -82,11 +82,11 @@ pub fn process_grpc_to_oci(p: &grpc::Process) -> oci::Process {
        let cap = p.Capabilities.as_ref().unwrap();

        Some(oci::LinuxCapabilities {
-            bounding: cap.Bounding.clone().into_vec(),
-            effective: cap.Effective.clone().into_vec(),
-            inheritable: cap.Inheritable.clone().into_vec(),
-            permitted: cap.Permitted.clone().into_vec(),
-            ambient: cap.Ambient.clone().into_vec(),
+            bounding: cap.Bounding.clone(),
+            effective: cap.Effective.clone(),
+            inheritable: cap.Inheritable.clone(),
+            permitted: cap.Permitted.clone(),
+            ambient: cap.Ambient.clone(),
        })
    } else {
        None
@@ -108,8 +108,8 @@ pub fn process_grpc_to_oci(p: &grpc::Process) -> oci::Process {
        terminal: p.Terminal,
        console_size,
        user,
-        args: p.Args.clone().into_vec(),
-        env: p.Env.clone().into_vec(),
+        args: p.Args.clone(),
+        env: p.Env.clone(),
        cwd: p.Cwd.clone(),
        capabilities,
        rlimits,
@@ -130,9 +130,9 @@ fn root_grpc_to_oci(root: &grpc::Root) -> oci::Root {
 fn mount_grpc_to_oci(m: &grpc::Mount) -> oci::Mount {
    oci::Mount {
        destination: m.destination.clone(),
-        r#type: m.field_type.clone(),
+        r#type: m.type_.clone(),
        source: m.source.clone(),
-        options: m.options.clone().into_vec(),
+        options: m.options.clone(),
    }
 }

@@ -143,8 +143,8 @@ fn hook_grpc_to_oci(h: &[grpcHook]) -> Vec<oci::Hook> {
    for e in h.iter() {
        r.push(oci::Hook {
            path: e.Path.clone(),
-            args: e.Args.clone().into_vec(),
-            env: e.Env.clone().into_vec(),
+            args: e.Args.clone(),
+            env: e.Env.clone(),
            timeout: Some(e.Timeout as i32),
        });
    }
@@ -359,7 +359,7 @@ fn seccomp_grpc_to_oci(sec: &grpc::LinuxSeccomp) -> oci::LinuxSeccomp {
            let mut args = Vec::new();

            let errno_ret: u32 = if sys.has_errnoret() {
-                sys.get_errnoret()
+                sys.errnoret()
            } else {
                libc::EPERM as u32
            };
@@ -374,7 +374,7 @@ fn seccomp_grpc_to_oci(sec: &grpc::LinuxSeccomp) -> oci::LinuxSeccomp {
            }

            r.push(oci::LinuxSyscall {
-                names: sys.Names.clone().into_vec(),
+                names: sys.Names.clone(),
                action: sys.Action.clone(),
                errno_ret,
                args,
@@ -385,8 +385,8 @@ fn seccomp_grpc_to_oci(sec: &grpc::LinuxSeccomp) -> oci::LinuxSeccomp {

    oci::LinuxSeccomp {
        default_action: sec.DefaultAction.clone(),
-        architectures: sec.Architectures.clone().into_vec(),
-        flags: sec.Flags.clone().into_vec(),
+        architectures: sec.Architectures.clone(),
+        flags: sec.Flags.clone(),
        syscalls,
    }
 }
@@ -456,8 +456,8 @@ fn linux_grpc_to_oci(l: &grpc::Linux) -> oci::Linux {
        devices,
        seccomp,
        rootfs_propagation: l.RootfsPropagation.clone(),
-        masked_paths: l.MaskedPaths.clone().into_vec(),
-        readonly_paths: l.ReadonlyPaths.clone().into_vec(),
+        masked_paths: l.MaskedPaths.clone(),
+        readonly_paths: l.ReadonlyPaths.clone(),
        mount_label: l.MountLabel.clone(),
        intel_rdt,
    }
@@ -558,35 +558,30 @@ mod tests {
                // All fields specified
                grpcproc: grpc::Process {
                    Terminal: true,
-                    ConsoleSize: protobuf::SingularPtrField::<grpc::Box>::some(grpc::Box {
+                    ConsoleSize: protobuf::MessageField::<grpc::Box>::some(grpc::Box {
                        Height: 123,
                        Width: 456,
                        ..Default::default()
                    }),
-                    User: protobuf::SingularPtrField::<grpc::User>::some(grpc::User {
+                    User: protobuf::MessageField::<grpc::User>::some(grpc::User {
                        UID: 1234,
                        GID: 5678,
                        AdditionalGids: Vec::from([910, 1112]),
                        Username: String::from("username"),
                        ..Default::default()
                    }),
-                    Args: protobuf::RepeatedField::from(Vec::from([
-                        String::from("arg1"),
-                        String::from("arg2"),
-                    ])),
-                    Env: protobuf::RepeatedField::from(Vec::from([String::from("env")])),
+                    Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                    Env: Vec::from([String::from("env")]),
                    Cwd: String::from("cwd"),
-                    Capabilities: protobuf::SingularPtrField::some(grpc::LinuxCapabilities {
-                        Bounding: protobuf::RepeatedField::from(Vec::from([String::from("bnd")])),
-                        Effective: protobuf::RepeatedField::from(Vec::from([String::from("eff")])),
-                        Inheritable: protobuf::RepeatedField::from(Vec::from([String::from(
-                            "inher",
-                        )])),
-                        Permitted: protobuf::RepeatedField::from(Vec::from([String::from("perm")])),
-                        Ambient: protobuf::RepeatedField::from(Vec::from([String::from("amb")])),
+                    Capabilities: protobuf::MessageField::some(grpc::LinuxCapabilities {
+                        Bounding: Vec::from([String::from("bnd")]),
+                        Effective: Vec::from([String::from("eff")]),
+                        Inheritable: Vec::from([String::from("inher")]),
+                        Permitted: Vec::from([String::from("perm")]),
+                        Ambient: Vec::from([String::from("amb")]),
                        ..Default::default()
                    }),
-                    Rlimits: protobuf::RepeatedField::from(Vec::from([
+                    Rlimits: Vec::from([
                        grpc::POSIXRlimit {
                            Type: String::from("r#type"),
                            Hard: 123,
@@ -599,7 +594,7 @@ mod tests {
                            Soft: 1011,
                            ..Default::default()
                        },
-                    ])),
+                    ]),
                    NoNewPrivileges: true,
                    ApparmorProfile: String::from("apparmor profile"),
                    OOMScoreAdj: 123456,
@@ -649,7 +644,7 @@ mod tests {
            TestData {
                // None ConsoleSize
                grpcproc: grpc::Process {
-                    ConsoleSize: protobuf::SingularPtrField::<grpc::Box>::none(),
+                    ConsoleSize: protobuf::MessageField::<grpc::Box>::none(),
                    OOMScoreAdj: 0,
                    ..Default::default()
                },
@@ -662,7 +657,7 @@ mod tests {
            TestData {
                // None User
                grpcproc: grpc::Process {
-                    User: protobuf::SingularPtrField::<grpc::User>::none(),
+                    User: protobuf::MessageField::<grpc::User>::none(),
                    OOMScoreAdj: 0,
                    ..Default::default()
                },
@@ -680,7 +675,7 @@ mod tests {
            TestData {
                // None Capabilities
                grpcproc: grpc::Process {
-                    Capabilities: protobuf::SingularPtrField::none(),
+                    Capabilities: protobuf::MessageField::none(),
                    OOMScoreAdj: 0,
                    ..Default::default()
                },
@@ -781,99 +776,57 @@ mod tests {
            TestData {
                // All specified
                grpchooks: grpc::Hooks {
-                    Prestart: protobuf::RepeatedField::from(Vec::from([
+                    Prestart: Vec::from([
                        grpc::Hook {
                            Path: String::from("prestartpath"),
-                            Args: protobuf::RepeatedField::from(Vec::from([
-                                String::from("arg1"),
-                                String::from("arg2"),
-                            ])),
-                            Env: protobuf::RepeatedField::from(Vec::from([
-                                String::from("env1"),
-                                String::from("env2"),
-                            ])),
+                            Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                            Env: Vec::from([String::from("env1"), String::from("env2")]),
                            Timeout: 10,
                            ..Default::default()
                        },
                        grpc::Hook {
                            Path: String::from("prestartpath2"),
-                            Args: protobuf::RepeatedField::from(Vec::from([
-                                String::from("arg3"),
-                                String::from("arg4"),
-                            ])),
-                            Env: protobuf::RepeatedField::from(Vec::from([
-                                String::from("env3"),
-                                String::from("env4"),
-                            ])),
+                            Args: Vec::from([String::from("arg3"), String::from("arg4")]),
+                            Env: Vec::from([String::from("env3"), String::from("env4")]),
                            Timeout: 25,
                            ..Default::default()
                        },
-                    ])),
-                    Poststart: protobuf::RepeatedField::from(Vec::from([grpc::Hook {
+                    ]),
+                    Poststart: Vec::from([grpc::Hook {
                        Path: String::from("poststartpath"),
-                        Args: protobuf::RepeatedField::from(Vec::from([
-                            String::from("arg1"),
-                            String::from("arg2"),
-                        ])),
-                        Env: protobuf::RepeatedField::from(Vec::from([
-                            String::from("env1"),
-                            String::from("env2"),
-                        ])),
+                        Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                        Env: Vec::from([String::from("env1"), String::from("env2")]),
                        Timeout: 10,
                        ..Default::default()
-                    }])),
-                    Poststop: protobuf::RepeatedField::from(Vec::from([grpc::Hook {
+                    }]),
+                    Poststop: Vec::from([grpc::Hook {
                        Path: String::from("poststoppath"),
-                        Args: protobuf::RepeatedField::from(Vec::from([
-                            String::from("arg1"),
-                            String::from("arg2"),
-                        ])),
-                        Env: protobuf::RepeatedField::from(Vec::from([
-                            String::from("env1"),
-                            String::from("env2"),
-                        ])),
+                        Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                        Env: Vec::from([String::from("env1"), String::from("env2")]),
                        Timeout: 10,
                        ..Default::default()
-                    }])),
-                    CreateRuntime: protobuf::RepeatedField::from(Vec::from([grpc::Hook {
+                    }]),
+                    CreateRuntime: Vec::from([grpc::Hook {
                        Path: String::from("createruntimepath"),
-                        Args: protobuf::RepeatedField::from(Vec::from([
-                            String::from("arg1"),
-                            String::from("arg2"),
-                        ])),
-                        Env: protobuf::RepeatedField::from(Vec::from([
-                            String::from("env1"),
-                            String::from("env2"),
-                        ])),
+                        Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                        Env: Vec::from([String::from("env1"), String::from("env2")]),
                        Timeout: 10,
                        ..Default::default()
-                    }])),
-                    CreateContainer: protobuf::RepeatedField::from(Vec::from([grpc::Hook {
+                    }]),
+                    CreateContainer: Vec::from([grpc::Hook {
                        Path: String::from("createcontainerpath"),
-                        Args: protobuf::RepeatedField::from(Vec::from([
-                            String::from("arg1"),
-                            String::from("arg2"),
-                        ])),
-                        Env: protobuf::RepeatedField::from(Vec::from([
-                            String::from("env1"),
-                            String::from("env2"),
-                        ])),
+                        Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                        Env: Vec::from([String::from("env1"), String::from("env2")]),
                        Timeout: 10,
                        ..Default::default()
-                    }])),
-                    StartContainer: protobuf::RepeatedField::from(Vec::from([grpc::Hook {
+                    }]),
+                    StartContainer: Vec::from([grpc::Hook {
                        Path: String::from("startcontainerpath"),
-                        Args: protobuf::RepeatedField::from(Vec::from([
-                            String::from("arg1"),
-                            String::from("arg2"),
-                        ])),
-                        Env: protobuf::RepeatedField::from(Vec::from([
-                            String::from("env1"),
-                            String::from("env2"),
-                        ])),
+                        Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                        Env: Vec::from([String::from("env1"), String::from("env2")]),
                        Timeout: 10,
                        ..Default::default()
-                    }])),
+                    }]),
                    ..Default::default()
                },
                result: oci::Hooks {
@@ -926,72 +879,42 @@ mod tests {
            TestData {
                // Prestart empty
                grpchooks: grpc::Hooks {
-                    Prestart: protobuf::RepeatedField::from(Vec::from([])),
-                    Poststart: protobuf::RepeatedField::from(Vec::from([grpc::Hook {
+                    Prestart: Vec::from([]),
+                    Poststart: Vec::from([grpc::Hook {
                        Path: String::from("poststartpath"),
-                        Args: protobuf::RepeatedField::from(Vec::from([
-                            String::from("arg1"),
-                            String::from("arg2"),
-                        ])),
-                        Env: protobuf::RepeatedField::from(Vec::from([
-                            String::from("env1"),
-                            String::from("env2"),
-                        ])),
+                        Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                        Env: Vec::from([String::from("env1"), String::from("env2")]),
                        Timeout: 10,
                        ..Default::default()
-                    }])),
-                    Poststop: protobuf::RepeatedField::from(Vec::from([grpc::Hook {
+                    }]),
+                    Poststop: Vec::from([grpc::Hook {
                        Path: String::from("poststoppath"),
-                        Args: protobuf::RepeatedField::from(Vec::from([
-                            String::from("arg1"),
-                            String::from("arg2"),
-                        ])),
-                        Env: protobuf::RepeatedField::from(Vec::from([
-                            String::from("env1"),
-                            String::from("env2"),
-                        ])),
+                        Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                        Env: Vec::from([String::from("env1"), String::from("env2")]),
                        Timeout: 10,
                        ..Default::default()
-                    }])),
-                    CreateRuntime: protobuf::RepeatedField::from(Vec::from([grpc::Hook {
+                    }]),
+                    CreateRuntime: Vec::from([grpc::Hook {
                        Path: String::from("createruntimepath"),
-                        Args: protobuf::RepeatedField::from(Vec::from([
-                            String::from("arg1"),
-                            String::from("arg2"),
-                        ])),
-                        Env: protobuf::RepeatedField::from(Vec::from([
-                            String::from("env1"),
-                            String::from("env2"),
-                        ])),
+                        Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                        Env: Vec::from([String::from("env1"), String::from("env2")]),
                        Timeout: 10,
                        ..Default::default()
-                    }])),
-                    CreateContainer: protobuf::RepeatedField::from(Vec::from([grpc::Hook {
+                    }]),
+                    CreateContainer: Vec::from([grpc::Hook {
                        Path: String::from("createcontainerpath"),
-                        Args: protobuf::RepeatedField::from(Vec::from([
-                            String::from("arg1"),
-                            String::from("arg2"),
-                        ])),
-                        Env: protobuf::RepeatedField::from(Vec::from([
-                            String::from("env1"),
-                            String::from("env2"),
-                        ])),
+                        Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                        Env: Vec::from([String::from("env1"), String::from("env2")]),
                        Timeout: 10,
                        ..Default::default()
-                    }])),
-                    StartContainer: protobuf::RepeatedField::from(Vec::from([grpc::Hook {
+                    }]),
+                    StartContainer: Vec::from([grpc::Hook {
                        Path: String::from("startcontainerpath"),
-                        Args: protobuf::RepeatedField::from(Vec::from([
-                            String::from("arg1"),
-                            String::from("arg2"),
-                        ])),
-                        Env: protobuf::RepeatedField::from(Vec::from([
-                            String::from("env1"),
-                            String::from("env2"),
-                        ])),
+                        Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                        Env: Vec::from([String::from("env1"), String::from("env2")]),
                        Timeout: 10,
                        ..Default::default()
-                    }])),
+                    }]),
                    ..Default::default()
                },
                result: oci::Hooks {
@@ -1063,11 +986,8 @@ mod tests {
                grpcmount: grpc::Mount {
                    destination: String::from("destination"),
                    source: String::from("source"),
-                    field_type: String::from("fieldtype"),
-                    options: protobuf::RepeatedField::from(Vec::from([
-                        String::from("option1"),
-                        String::from("option2"),
-                    ])),
+                    type_: String::from("fieldtype"),
+                    options: Vec::from([String::from("option1"), String::from("option2")]),
                    ..Default::default()
                },
                result: oci::Mount {
@@ -1081,8 +1001,8 @@ mod tests {
                grpcmount: grpc::Mount {
                    destination: String::from("destination"),
                    source: String::from("source"),
-                    field_type: String::from("fieldtype"),
-                    options: protobuf::RepeatedField::from(Vec::new()),
+                    type_: String::from("fieldtype"),
+                    options: Vec::new(),
                    ..Default::default()
                },
                result: oci::Mount {
@@ -1096,8 +1016,8 @@ mod tests {
                grpcmount: grpc::Mount {
                    destination: String::new(),
                    source: String::from("source"),
-                    field_type: String::from("fieldtype"),
-                    options: protobuf::RepeatedField::from(Vec::from([String::from("option1")])),
+                    type_: String::from("fieldtype"),
+                    options: Vec::from([String::from("option1")]),
                    ..Default::default()
                },
                result: oci::Mount {
@@ -1111,8 +1031,8 @@ mod tests {
                grpcmount: grpc::Mount {
                    destination: String::from("destination"),
                    source: String::from("source"),
-                    field_type: String::new(),
-                    options: protobuf::RepeatedField::from(Vec::from([String::from("option1")])),
+                    type_: String::new(),
+                    options: Vec::from([String::from("option1")]),
                    ..Default::default()
                },
                result: oci::Mount {
@@ -1172,27 +1092,15 @@ mod tests {
                grpchook: &[
                    grpc::Hook {
                        Path: String::from("path"),
-                        Args: protobuf::RepeatedField::from(Vec::from([
-                            String::from("arg1"),
-                            String::from("arg2"),
-                        ])),
-                        Env: protobuf::RepeatedField::from(Vec::from([
-                            String::from("env1"),
-                            String::from("env2"),
-                        ])),
+                        Args: Vec::from([String::from("arg1"), String::from("arg2")]),
+                        Env: Vec::from([String::from("env1"), String::from("env2")]),
                        Timeout: 10,
                        ..Default::default()
                    },
                    grpc::Hook {
                        Path: String::from("path2"),
-                        Args: protobuf::RepeatedField::from(Vec::from([
-                            String::from("arg3"),
-                            String::from("arg4"),
-                        ])),
-                        Env: protobuf::RepeatedField::from(Vec::from([
-                            String::from("env3"),
-                            String::from("env4"),
-                        ])),
+                        Args: Vec::from([String::from("arg3"), String::from("arg4")]),
+                        Env: Vec::from([String::from("env3"), String::from("env4")]),
                        Timeout: 20,
                        ..Default::default()
                    },
--- a/src/agent/rustjail/src/mount.rs
+++ b/src/agent/rustjail/src/mount.rs
@@ -35,7 +35,7 @@ use crate::log_child;
 // struct is populated from the content in the /proc/<pid>/mountinfo file.
 #[derive(std::fmt::Debug, PartialEq)]
 pub struct Info {
-    mount_point: String,
+    pub mount_point: String,
    optional: String,
    fstype: String,
 }
@@ -553,7 +553,7 @@ fn rootfs_parent_mount_private(path: &str) -> Result<()> {

 // Parse /proc/self/mountinfo because comparing Dev and ino does not work from
 // bind mounts
-fn parse_mount_table(mountinfo_path: &str) -> Result<Vec<Info>> {
+pub fn parse_mount_table(mountinfo_path: &str) -> Result<Vec<Info>> {
    let file = File::open(mountinfo_path)?;
    let reader = BufReader::new(file);
    let mut infos = Vec::new();
--- a/src/agent/src/config.rs
+++ b/src/agent/src/config.rs
@@ -200,7 +200,7 @@ impl AgentConfig {
        let config_position = args.iter().position(|a| a == "--config" || a == "-c");
        if let Some(config_position) = config_position {
            if let Some(config_file) = args.get(config_position + 1) {
-                return AgentConfig::from_config_file(config_file);
+                return AgentConfig::from_config_file(config_file).context("AgentConfig from args");
            } else {
                panic!("The config argument wasn't formed properly: {:?}", args);
            }
@@ -216,7 +216,8 @@ impl AgentConfig {
            // or if it can't be parsed properly.
            if param.starts_with(format!("{}=", CONFIG_FILE).as_str()) {
                let config_file = get_string_value(param)?;
-                return AgentConfig::from_config_file(&config_file);
+                return AgentConfig::from_config_file(&config_file)
+                    .context("AgentConfig from kernel cmdline");
            }

            // parse cmdline flags
@@ -304,7 +305,8 @@ impl AgentConfig {

    #[instrument]
    pub fn from_config_file(file: &str) -> Result<AgentConfig> {
-        let config = fs::read_to_string(file)?;
+        let config = fs::read_to_string(file)
+            .with_context(|| format!("Failed to read config file {}", file))?;
        AgentConfig::from_str(&config)
    }

--- a/src/agent/src/device.rs
+++ b/src/agent/src/device.rs
@@ -759,7 +759,7 @@ async fn vfio_pci_device_handler(
    device: &Device,
    sandbox: &Arc<Mutex<Sandbox>>,
 ) -> Result<SpecUpdate> {
-    let vfio_in_guest = device.field_type != DRIVER_VFIO_PCI_GK_TYPE;
+    let vfio_in_guest = device.type_ != DRIVER_VFIO_PCI_GK_TYPE;
    let mut pci_fixups = Vec::<(pci::Address, pci::Address)>::new();
    let mut group = None;

@@ -874,9 +874,9 @@ pub async fn add_devices(
 async fn add_device(device: &Device, sandbox: &Arc<Mutex<Sandbox>>) -> Result<SpecUpdate> {
    // log before validation to help with debugging gRPC protocol version differences.
    info!(sl!(), "device-id: {}, device-type: {}, device-vm-path: {}, device-container-path: {}, device-options: {:?}",
-          device.id, device.field_type, device.vm_path, device.container_path, device.options);
+          device.id, device.type_, device.vm_path, device.container_path, device.options);

-    if device.field_type.is_empty() {
+    if device.type_.is_empty() {
        return Err(anyhow!("invalid type for device {:?}", device));
    }

@@ -888,7 +888,7 @@ async fn add_device(device: &Device, sandbox: &Arc<Mutex<Sandbox>>) -> Result<Sp
        return Err(anyhow!("invalid container path for device {:?}", device));
    }

-    match device.field_type.as_str() {
+    match device.type_.as_str() {
        DRIVER_BLK_TYPE => virtio_blk_device_handler(device, sandbox).await,
        DRIVER_BLK_CCW_TYPE => virtio_blk_ccw_device_handler(device, sandbox).await,
        DRIVER_MMIO_BLK_TYPE => virtiommio_blk_device_handler(device, sandbox).await,
@@ -898,7 +898,7 @@ async fn add_device(device: &Device, sandbox: &Arc<Mutex<Sandbox>>) -> Result<Sp
            vfio_pci_device_handler(device, sandbox).await
        }
        DRIVER_VFIO_AP_TYPE => vfio_ap_device_handler(device, sandbox).await,
-        _ => Err(anyhow!("Unknown device type {}", device.field_type)),
+        _ => Err(anyhow!("Unknown device type {}", device.type_)),
    }
 }

--- a/src/agent/src/main.rs
+++ b/src/agent/src/main.rs
@@ -442,9 +442,8 @@ mod tests {
            let msg = format!("test[{}]: {:?}", i, d);
            let (rfd, wfd) = unistd::pipe2(OFlag::O_CLOEXEC).unwrap();
            defer!({
-                // rfd is closed by the use of PipeStream in the crate_logger_task function,
-                // but we will attempt to close in case of a failure
-                let _ = unistd::close(rfd);
+                // XXX: Never try to close rfd, because it will be closed by PipeStream in
+                // create_logger_task() and it's not safe to close the same fd twice time.
                unistd::close(wfd).unwrap();
            });

--- a/src/agent/src/mount.rs
+++ b/src/agent/src/mount.rs
@@ -211,10 +211,10 @@ async fn ephemeral_storage_handler(
    // By now we only support one option field: "fsGroup" which
    // isn't an valid mount option, thus we should remove it when
    // do mount.
-    if storage.options.len() > 0 {
+    if !storage.options.is_empty() {
        // ephemeral_storage didn't support mount options except fsGroup.
        let mut new_storage = storage.clone();
-        new_storage.options = protobuf::RepeatedField::default();
+        new_storage.options = Default::default();
        common_storage_handler(logger, &new_storage)?;

        let opts_vec: Vec<String> = storage.options.to_vec();
@@ -654,7 +654,7 @@ pub fn set_ownership(logger: &Logger, storage: &Storage) -> Result<()> {
    if storage.fs_group.is_none() {
        return Ok(());
    }
-    let fs_group = storage.get_fs_group();
+    let fs_group = storage.fs_group();

    let mut read_only = false;
    let opts_vec: Vec<String> = storage.options.to_vec();
@@ -671,7 +671,7 @@ pub fn set_ownership(logger: &Logger, storage: &Storage) -> Result<()> {
        err
    })?;

-    if fs_group.group_change_policy == FSGroupChangePolicy::OnRootMismatch
+    if fs_group.group_change_policy == FSGroupChangePolicy::OnRootMismatch.into()
        && metadata.gid() == fs_group.group_id
    {
        let mut mask = if read_only { RO_MASK } else { RW_MASK };
@@ -1094,7 +1094,6 @@ fn parse_options(option_list: Vec<String>) -> HashMap<String, String> {
 #[cfg(test)]
 mod tests {
    use super::*;
-    use protobuf::RepeatedField;
    use protocols::agent::FSGroup;
    use std::fs::File;
    use std::fs::OpenOptions;
@@ -2015,9 +2014,8 @@ mod tests {
                mount_path: "rw_mount",
                fs_group: Some(FSGroup {
                    group_id: 3000,
-                    group_change_policy: FSGroupChangePolicy::Always,
-                    unknown_fields: Default::default(),
-                    cached_size: Default::default(),
+                    group_change_policy: FSGroupChangePolicy::Always.into(),
+                    ..Default::default()
                }),
                read_only: false,
                expected_group_id: 3000,
@@ -2027,9 +2025,8 @@ mod tests {
                mount_path: "ro_mount",
                fs_group: Some(FSGroup {
                    group_id: 3000,
-                    group_change_policy: FSGroupChangePolicy::OnRootMismatch,
-                    unknown_fields: Default::default(),
-                    cached_size: Default::default(),
+                    group_change_policy: FSGroupChangePolicy::OnRootMismatch.into(),
+                    ..Default::default()
                }),
                read_only: true,
                expected_group_id: 3000,
@@ -2049,10 +2046,7 @@ mod tests {
            let directory_mode = mount_dir.as_path().metadata().unwrap().permissions().mode();
            let mut storage_data = Storage::new();
            if d.read_only {
-                storage_data.set_options(RepeatedField::from_slice(&[
-                    "foo".to_string(),
-                    "ro".to_string(),
-                ]));
+                storage_data.set_options(vec!["foo".to_string(), "ro".to_string()]);
            }
            if let Some(fs_group) = d.fs_group.clone() {
                storage_data.set_fs_group(fs_group);
--- a/src/agent/src/netlink.rs
+++ b/src/agent/src/netlink.rs
@@ -7,7 +7,6 @@ use anyhow::{anyhow, Context, Result};
 use futures::{future, StreamExt, TryStreamExt};
 use ipnetwork::{IpNetwork, Ipv4Network, Ipv6Network};
 use nix::errno::Errno;
-use protobuf::RepeatedField;
 use protocols::types::{ARPNeighbor, IPAddress, IPFamily, Interface, Route};
 use rtnetlink::{new_connection, packet, IpVersion};
 use std::convert::{TryFrom, TryInto};
@@ -83,8 +82,8 @@ impl Handle {

        // Add new ip addresses from request
        for ip_address in &iface.IPAddresses {
-            let ip = IpAddr::from_str(ip_address.get_address())?;
-            let mask = ip_address.get_mask().parse::<u8>()?;
+            let ip = IpAddr::from_str(ip_address.address())?;
+            let mask = ip_address.mask().parse::<u8>()?;

            self.add_addresses(link.index(), std::iter::once(IpNetwork::new(ip, mask)?))
                .await?;
@@ -152,7 +151,7 @@ impl Handle {
                .map(|p| p.try_into())
                .collect::<Result<Vec<IPAddress>>>()?;

-            iface.IPAddresses = RepeatedField::from_vec(ips);
+            iface.IPAddresses = ips;

            list.push(iface);
        }
@@ -334,7 +333,7 @@ impl Handle {

            // `rtnetlink` offers a separate request builders for different IP versions (IP v4 and v6).
            // This if branch is a bit clumsy because it does almost the same.
-            if route.get_family() == IPFamily::v6 {
+            if route.family() == IPFamily::v6 {
                let dest_addr = if !route.dest.is_empty() {
                    Ipv6Network::from_str(&route.dest)?
                } else {
@@ -368,9 +367,9 @@ impl Handle {
                    if Errno::from_i32(message.code.abs()) != Errno::EEXIST {
                        return Err(anyhow!(
                            "Failed to add IP v6 route (src: {}, dst: {}, gtw: {},Err: {})",
-                            route.get_source(),
-                            route.get_dest(),
-                            route.get_gateway(),
+                            route.source(),
+                            route.dest(),
+                            route.gateway(),
                            message
                        ));
                    }
@@ -409,9 +408,9 @@ impl Handle {
                    if Errno::from_i32(message.code.abs()) != Errno::EEXIST {
                        return Err(anyhow!(
                            "Failed to add IP v4 route (src: {}, dst: {}, gtw: {},Err: {})",
-                            route.get_source(),
-                            route.get_dest(),
-                            route.get_gateway(),
+                            route.source(),
+                            route.dest(),
+                            route.gateway(),
                            message
                        ));
                    }
@@ -506,7 +505,7 @@ impl Handle {
            self.add_arp_neighbor(&neigh).await.map_err(|err| {
                anyhow!(
                    "Failed to add ARP neighbor {}: {:?}",
-                    neigh.get_toIPAddress().get_address(),
+                    neigh.toIPAddress().address(),
                    err
                )
            })?;
@@ -725,7 +724,7 @@ impl TryFrom<Address> for IPAddress {
        let mask = format!("{}", value.0.header.prefix_len);

        Ok(IPAddress {
-            family,
+            family: family.into(),
            address,
            mask,
            ..Default::default()
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -21,22 +21,26 @@ use ttrpc::{
 use anyhow::{anyhow, Context, Result};
 use cgroups::freezer::FreezerState;
 use oci::{LinuxNamespace, Root, Spec};
-use protobuf::{Message, RepeatedField, SingularPtrField};
+use protobuf::{MessageDyn, MessageField};
 use protocols::agent::{
    AddSwapRequest, AgentDetails, CopyFileRequest, GetIPTablesRequest, GetIPTablesResponse,
    GuestDetailsResponse, Interfaces, Metrics, OOMEvent, ReadStreamResponse, Routes,
    SetIPTablesRequest, SetIPTablesResponse, StatsContainerResponse, VolumeStatsRequest,
    WaitProcessResponse, WriteStreamResponse,
 };
-use protocols::csi::{VolumeCondition, VolumeStatsResponse, VolumeUsage, VolumeUsage_Unit};
+use protocols::csi::{
+    volume_usage::Unit as VolumeUsage_Unit, VolumeCondition, VolumeStatsResponse, VolumeUsage,
+};
 use protocols::empty::Empty;
 use protocols::health::{
-    HealthCheckResponse, HealthCheckResponse_ServingStatus, VersionCheckResponse,
+    health_check_response::ServingStatus as HealthCheckResponse_ServingStatus, HealthCheckResponse,
+    VersionCheckResponse,
 };
 use protocols::types::Interface;
 use protocols::{agent_ttrpc_async as agent_ttrpc, health_ttrpc_async as health_ttrpc};
 use rustjail::cgroups::notifier;
 use rustjail::container::{BaseContainer, Container, LinuxContainer, SYSTEMD_CGROUP_PATH_FORMAT};
+use rustjail::mount::parse_mount_table;
 use rustjail::process::Process;
 use rustjail::specconv::CreateOpts;

@@ -93,6 +97,7 @@ const USR_IP6TABLES_SAVE: &str = "/usr/sbin/ip6tables-save";
 const IP6TABLES_SAVE: &str = "/sbin/ip6tables-save";
 const USR_IP6TABLES_RESTORE: &str = "/usr/sbin/ip6tables-save";
 const IP6TABLES_RESTORE: &str = "/sbin/ip6tables-restore";
+const KATA_GUEST_SHARE_DIR: &str = "/run/kata-containers/shared/containers/";

 const ERR_CANNOT_GET_WRITER: &str = "Cannot get writer";
 const ERR_INVALID_BLOCK_SIZE: &str = "Invalid block size";
@@ -124,11 +129,11 @@ macro_rules! is_allowed {
        if !AGENT_CONFIG
            .read()
            .await
-            .is_allowed_endpoint($req.descriptor().name())
+            .is_allowed_endpoint($req.descriptor_dyn().name())
        {
            return Err(ttrpc_error!(
                ttrpc::Code::UNIMPLEMENTED,
-                format!("{} is blocked", $req.descriptor().name()),
+                format!("{} is blocked", $req.descriptor_dyn().name()),
            ));
        }
    };
@@ -151,7 +156,7 @@ impl AgentService {
        kata_sys_util::validate::verify_id(&cid)?;

        let mut oci_spec = req.OCI.clone();
-        let use_sandbox_pidns = req.get_sandbox_pidns();
+        let use_sandbox_pidns = req.sandbox_pidns();

        let sandbox;
        let mut s;
@@ -785,7 +790,7 @@ impl agent_ttrpc::AgentService for AgentService {
    ) -> ttrpc::Result<protocols::empty::Empty> {
        trace_rpc_call!(ctx, "pause_container", req);
        is_allowed!(req);
-        let cid = req.get_container_id();
+        let cid = req.container_id();
        let s = Arc::clone(&self.sandbox);
        let mut sandbox = s.lock().await;

@@ -809,7 +814,7 @@ impl agent_ttrpc::AgentService for AgentService {
    ) -> ttrpc::Result<protocols::empty::Empty> {
        trace_rpc_call!(ctx, "resume_container", req);
        is_allowed!(req);
-        let cid = req.get_container_id();
+        let cid = req.container_id();
        let s = Arc::clone(&self.sandbox);
        let mut sandbox = s.lock().await;

@@ -826,6 +831,29 @@ impl agent_ttrpc::AgentService for AgentService {
        Ok(Empty::new())
    }

+    async fn remove_stale_virtiofs_share_mounts(
+        &self,
+        ctx: &TtrpcContext,
+        req: protocols::agent::RemoveStaleVirtiofsShareMountsRequest,
+    ) -> ttrpc::Result<Empty> {
+        trace_rpc_call!(ctx, "remove_stale_virtiofs_share_mounts", req);
+        is_allowed!(req);
+        let mount_infos = parse_mount_table("/proc/self/mountinfo")
+            .map_err(|e| ttrpc_error!(ttrpc::Code::INTERNAL, e))?;
+        for m in &mount_infos {
+            if m.mount_point.starts_with(KATA_GUEST_SHARE_DIR) {
+                // stat the mount point, virtiofs daemon will remove the stale cache and release the fds if the mount point doesn't exist any more.
+                // More details in https://github.com/kata-containers/kata-containers/issues/6455#issuecomment-1477137277
+                match stat::stat(Path::new(&m.mount_point)) {
+                    Ok(_) => info!(sl!(), "stat {} success", m.mount_point),
+                    Err(e) => info!(sl!(), "stat {} failed: {}", m.mount_point, e),
+                }
+            }
+        }
+
+        Ok(Empty::new())
+    }
+
    async fn write_stdin(
        &self,
        _ctx: &TtrpcContext,
@@ -964,16 +992,12 @@ impl agent_ttrpc::AgentService for AgentService {
        trace_rpc_call!(ctx, "update_routes", req);
        is_allowed!(req);

-        let new_routes = req
-            .routes
-            .into_option()
-            .map(|r| r.Routes.into_vec())
-            .ok_or_else(|| {
-                ttrpc_error!(
-                    ttrpc::Code::INVALID_ARGUMENT,
-                    "empty update routes request".to_string(),
-                )
-            })?;
+        let new_routes = req.routes.into_option().map(|r| r.Routes).ok_or_else(|| {
+            ttrpc_error!(
+                ttrpc::Code::INVALID_ARGUMENT,
+                "empty update routes request".to_string(),
+            )
+        })?;

        let mut sandbox = self.sandbox.lock().await;

@@ -992,7 +1016,7 @@ impl agent_ttrpc::AgentService for AgentService {
        })?;

        Ok(protocols::agent::Routes {
-            Routes: RepeatedField::from_vec(list),
+            Routes: list,
            ..Default::default()
        })
    }
@@ -1191,7 +1215,7 @@ impl agent_ttrpc::AgentService for AgentService {
            })?;

        Ok(protocols::agent::Interfaces {
-            Interfaces: RepeatedField::from_vec(list),
+            Interfaces: list,
            ..Default::default()
        })
    }
@@ -1214,7 +1238,7 @@ impl agent_ttrpc::AgentService for AgentService {
            .map_err(|e| ttrpc_error!(ttrpc::Code::INTERNAL, format!("list routes: {:?}", e)))?;

        Ok(protocols::agent::Routes {
-            Routes: RepeatedField::from_vec(list),
+            Routes: list,
            ..Default::default()
        })
    }
@@ -1330,7 +1354,7 @@ impl agent_ttrpc::AgentService for AgentService {
        let neighs = req
            .neighbors
            .into_option()
-            .map(|n| n.ARPNeighbors.into_vec())
+            .map(|n| n.ARPNeighbors)
            .ok_or_else(|| {
                ttrpc_error!(
                    ttrpc::Code::INVALID_ARGUMENT,
@@ -1414,7 +1438,7 @@ impl agent_ttrpc::AgentService for AgentService {

        // to get agent details
        let detail = get_agent_details();
-        resp.agent_details = SingularPtrField::some(detail);
+        resp.agent_details = MessageField::some(detail);

        Ok(resp)
    }
@@ -1539,8 +1563,8 @@ impl agent_ttrpc::AgentService for AgentService {
            .map(|u| usage_vec.push(u))
            .map_err(|e| ttrpc_error!(ttrpc::Code::INTERNAL, e))?;

-        resp.usage = RepeatedField::from_vec(usage_vec);
-        resp.volume_condition = SingularPtrField::some(condition);
+        resp.usage = usage_vec;
+        resp.volume_condition = MessageField::some(condition);
        Ok(resp)
    }

@@ -1644,7 +1668,7 @@ fn get_volume_capacity_stats(path: &str) -> Result<VolumeUsage> {
    usage.total = stat.blocks() * block_size;
    usage.available = stat.blocks_free() * block_size;
    usage.used = usage.total - usage.available;
-    usage.unit = VolumeUsage_Unit::BYTES;
+    usage.unit = VolumeUsage_Unit::BYTES.into();

    Ok(usage)
 }
@@ -1656,7 +1680,7 @@ fn get_volume_inode_stats(path: &str) -> Result<VolumeUsage> {
    usage.total = stat.files();
    usage.available = stat.files_free();
    usage.used = usage.total - usage.available;
-    usage.unit = VolumeUsage_Unit::INODES;
+    usage.unit = VolumeUsage_Unit::INODES.into();

    Ok(usage)
 }
@@ -1676,14 +1700,12 @@ fn get_agent_details() -> AgentDetails {
    detail.set_supports_seccomp(have_seccomp());
    detail.init_daemon = unistd::getpid() == Pid::from_raw(1);

-    detail.device_handlers = RepeatedField::new();
-    detail.storage_handlers = RepeatedField::from_vec(
-        STORAGE_HANDLER_LIST
-            .to_vec()
-            .iter()
-            .map(|x| x.to_string())
-            .collect(),
-    );
+    detail.device_handlers = Vec::new();
+    detail.storage_handlers = STORAGE_HANDLER_LIST
+        .to_vec()
+        .iter()
+        .map(|x| x.to_string())
+        .collect();

    detail
 }
@@ -2037,7 +2059,7 @@ fn load_kernel_module(module: &protocols::agent::KernelModule) -> Result<()> {

    let mut args = vec!["-v".to_string(), module.name.clone()];

-    if module.parameters.len() > 0 {
+    if !module.parameters.is_empty() {
        args.extend(module.parameters.to_vec())
    }

--- a/src/agent/src/signal.rs
+++ b/src/agent/src/signal.rs
@@ -24,7 +24,7 @@ async fn handle_sigchild(logger: Logger, sandbox: Arc<Mutex<Sandbox>>) -> Result
    loop {
        // Avoid reaping the undesirable child's signal, e.g., execute_hook's
        // The lock should be released immediately.
-        rustjail::container::WAIT_PID_LOCKER.lock().await;
+        let _locker = rustjail::container::WAIT_PID_LOCKER.lock().await;
        let result = wait::waitpid(
            Some(Pid::from_raw(-1)),
            Some(WaitPidFlag::WNOHANG | WaitPidFlag::__WALL),
--- a/src/agent/vsock-exporter/Cargo.toml
+++ b/src/agent/vsock-exporter/Cargo.toml
@@ -18,4 +18,4 @@ bincode = "1.3.3"
 byteorder = "1.4.3"
 slog = { version = "2.5.2", features = ["dynamic-keys", "max_level_trace", "release_max_level_debug"] }
 async-trait = "0.1.50"
-tokio = "1.2.0"
+tokio = "1.28.1"
--- a/src/dragonball/src/vm/x86_64.rs
+++ b/src/dragonball/src/vm/x86_64.rs
@@ -7,7 +7,6 @@
 // found in the THIRD-PARTY file.

 use std::convert::TryInto;
-use std::mem;
 use std::ops::Deref;

 use dbs_address_space::AddressSpace;
@@ -16,8 +15,9 @@ use dbs_utils::epoll_manager::EpollManager;
 use dbs_utils::time::TimestampUs;
 use kvm_bindings::{kvm_irqchip, kvm_pit_config, kvm_pit_state2, KVM_PIT_SPEAKER_DUMMY};
 use linux_loader::cmdline::Cmdline;
+use linux_loader::configurator::{linux::LinuxBootConfigurator, BootConfigurator, BootParams};
 use slog::info;
-use vm_memory::{Address, Bytes, GuestAddress, GuestAddressSpace, GuestMemory};
+use vm_memory::{Address, GuestAddress, GuestAddressSpace, GuestMemory};

 use crate::address_space_manager::{GuestAddressSpaceImpl, GuestMemoryImpl};
 use crate::error::{Error, Result, StartMicroVmError};
@@ -110,15 +110,11 @@ fn configure_system<M: GuestMemory>(
        }
    }

-    let zero_page_addr = GuestAddress(layout::ZERO_PAGE_START);
-    guest_mem
-        .checked_offset(zero_page_addr, mem::size_of::<bootparam::boot_params>())
-        .ok_or(Error::ZeroPagePastRamEnd)?;
-    guest_mem
-        .write_obj(params, zero_page_addr)
-        .map_err(|_| Error::ZeroPageSetup)?;
-
-    Ok(())
+    LinuxBootConfigurator::write_bootparams(
+        &BootParams::new(&params, GuestAddress(layout::ZERO_PAGE_START)),
+        guest_mem,
+    )
+    .map_err(|_| Error::ZeroPageSetup)
 }

 impl Vm {
--- a/src/libs/Cargo.lock
+++ b/src/libs/Cargo.lock
@@ -703,9 +703,9 @@ dependencies = [

 [[package]]
 name = "once_cell"
-version = "1.9.0"
+version = "1.17.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da32515d9f6e6e489d7bc9d84c71b060db7247dc035bbe44eac88cf87486d8d5"
+checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3"

 [[package]]
 name = "parking_lot"
@@ -845,9 +845,16 @@ name = "protobuf"
 version = "2.27.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cf7e6d18738ecd0902d30d1ad232c9125985a3422929b16c65517b38adc14f96"
+
+[[package]]
+name = "protobuf"
+version = "3.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b55bad9126f378a853655831eb7363b7b01b81d19f8cb1218861086ca4a1a61e"
 dependencies = [
- "serde",
- "serde_derive",
+ "once_cell",
+ "protobuf-support",
+ "thiserror",
 ]

 [[package]]
@@ -856,17 +863,47 @@ version = "2.27.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "aec1632b7c8f2e620343439a7dfd1f3c47b18906c4be58982079911482b5d707"
 dependencies = [
- "protobuf",
+ "protobuf 2.27.1",
 ]

 [[package]]
-name = "protobuf-codegen-pure"
-version = "2.27.1"
+name = "protobuf-codegen"
+version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f8122fdb18e55190c796b088a16bdb70cd7acdcd48f7a8b796b58c62e532cc6"
+checksum = "0dd418ac3c91caa4032d37cb80ff0d44e2ebe637b2fb243b6234bf89cdac4901"
 dependencies = [
- "protobuf",
- "protobuf-codegen",
+ "anyhow",
+ "once_cell",
+ "protobuf 3.2.0",
+ "protobuf-parse",
+ "regex",
+ "tempfile",
+ "thiserror",
+]
+
+[[package]]
+name = "protobuf-parse"
+version = "3.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d39b14605eaa1f6a340aec7f320b34064feb26c93aec35d6a9a2272a8ddfa49"
+dependencies = [
+ "anyhow",
+ "indexmap",
+ "log",
+ "protobuf 3.2.0",
+ "protobuf-support",
+ "tempfile",
+ "thiserror",
+ "which",
+]
+
+[[package]]
+name = "protobuf-support"
+version = "3.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5d4d7b8601c814cfb36bcebb79f0e61e45e1e93640cf778837833bbed05c372"
+dependencies = [
+ "thiserror",
 ]

 [[package]]
@@ -875,7 +912,7 @@ version = "0.1.0"
 dependencies = [
 "async-trait",
 "oci",
- "protobuf",
+ "protobuf 3.2.0",
 "serde",
 "serde_json",
 "ttrpc",
@@ -1314,9 +1351,9 @@ checksum = "59547bce71d9c38b83d9c0e92b6066c4253371f15005def0c30d9657f50c7642"

 [[package]]
 name = "ttrpc"
-version = "0.6.1"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ecfff459a859c6ba6668ff72b34c2f1d94d9d58f7088414c2674ad0f31cc7d8"
+checksum = "a35f22a2964bea14afee161665bb260b83cb48e665e0260ca06ec0e775c8b06c"
 dependencies = [
 "async-trait",
 "byteorder",
@@ -1324,8 +1361,8 @@ dependencies = [
 "libc",
 "log",
 "nix 0.23.1",
- "protobuf",
- "protobuf-codegen-pure",
+ "protobuf 3.2.0",
+ "protobuf-codegen 3.2.0",
 "thiserror",
 "tokio",
 "tokio-vsock",
@@ -1333,28 +1370,28 @@ dependencies = [

 [[package]]
 name = "ttrpc-codegen"
-version = "0.2.0"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "809eda4e459820237104e4b61d6b41bbe6c9e1ce6adf4057955e6e6722a90408"
+checksum = "94d7f7631d7a9ebed715a47cd4cb6072cbc7ae1d4ec01598971bbec0024340c2"
 dependencies = [
- "protobuf",
- "protobuf-codegen",
- "protobuf-codegen-pure",
+ "protobuf 2.27.1",
+ "protobuf-codegen 3.2.0",
+ "protobuf-support",
 "ttrpc-compiler",
 ]

 [[package]]
 name = "ttrpc-compiler"
-version = "0.4.1"
+version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2978ed3fa047d8fd55cbeb4d4a61d461fb3021a90c9618519c73ce7e5bb66c15"
+checksum = "ec3cb5dbf1f0865a34fe3f722290fe776cacb16f50428610b779467b76ddf647"
 dependencies = [
 "derive-new",
 "prost",
 "prost-build",
 "prost-types",
- "protobuf",
- "protobuf-codegen",
+ "protobuf 2.27.1",
+ "protobuf-codegen 2.27.1",
 "tempfile",
 ]

--- a/src/libs/kata-types/src/annotations/mod.rs
+++ b/src/libs/kata-types/src/annotations/mod.rs
@@ -308,6 +308,14 @@ pub const KATA_ANNO_CFG_DISABLE_NEW_NETNS: &str =
 /// A sandbox annotation to specify how attached VFIO devices should be treated.
 pub const KATA_ANNO_CFG_VFIO_MODE: &str = "io.katacontainers.config.runtime.vfio_mode";

+/// A sandbox annotation used to specify prefetch_files.list host path container image
+/// being used,
+/// and runtime will pass it to Hypervisor to  search for corresponding prefetch list file.
+/// "io.katacontainers.config.hypervisor.prefetch_files.list"
+///                                = "/path/to/<uid>/xyz.com/fedora:36/prefetch_file.list"
+pub const KATA_ANNO_CFG_HYPERVISOR_PREFETCH_FILES_LIST: &str =
+    "io.katacontainers.config.hypervisor.prefetch_files.list";
+
 /// A helper structure to query configuration information by check annotations.
 #[derive(Debug, Default, Deserialize)]
 pub struct Annotation {
@@ -409,10 +417,10 @@ impl Annotation {
        match self.get_value::<u32>(KATA_ANNO_CONTAINER_RES_SWAPPINESS) {
            Ok(r) => {
                if r.unwrap_or_default() > 100 {
-                    return Err(io::Error::new(
+                    Err(io::Error::new(
                        io::ErrorKind::InvalidData,
                        format!("{} greater than 100", r.unwrap_or_default()),
-                    ));
+                    ))
                } else {
                    Ok(r)
                }
@@ -673,6 +681,9 @@ impl Annotation {
                        hv.machine_info.validate_entropy_source(value)?;
                        hv.machine_info.entropy_source = value.to_string();
                    }
+                    KATA_ANNO_CFG_HYPERVISOR_PREFETCH_FILES_LIST => {
+                        hv.prefetch_list_path = value.to_string();
+                    }
                    // Hypervisor Memory related annotations
                    KATA_ANNO_CFG_HYPERVISOR_DEFAULT_MEMORY => {
                        match byte_unit::Byte::from_str(value) {
--- a/src/libs/kata-types/src/config/agent.rs
+++ b/src/libs/kata-types/src/config/agent.rs
@@ -80,6 +80,7 @@ pub struct Agent {
    pub kernel_modules: Vec<String>,

    /// container pipe size
+    #[serde(default)]
    pub container_pipe_size: u32,
 }

--- a/src/libs/kata-types/src/config/default.rs
+++ b/src/libs/kata-types/src/config/default.rs
@@ -16,6 +16,7 @@ lazy_static! {
    pub static ref DEFAULT_RUNTIME_CONFIGURATIONS: Vec::<&'static str> = vec![
        "/etc/kata-containers/configuration.toml",
        "/usr/share/defaults/kata-containers/configuration.toml",
+        "/opt/kata/share/defaults/kata-containers/configuration.toml",
    ];
 }

--- a/src/libs/kata-types/src/config/hypervisor/mod.rs
+++ b/src/libs/kata-types/src/config/hypervisor/mod.rs
@@ -979,6 +979,13 @@ pub struct Hypervisor {
    #[serde(default, flatten)]
    pub shared_fs: SharedFsInfo,

+    /// A sandbox annotation used to specify prefetch_files.list host path container image
+    /// being used, and runtime will pass it to Hypervisor to  search for corresponding
+    /// prefetch list file:
+    ///   prefetch_list_path = /path/to/<uid>/xyz.com/fedora:36/prefetch_file.list
+    #[serde(default)]
+    pub prefetch_list_path: String,
+
    /// Vendor customized runtime configuration.
    #[serde(default, flatten)]
    pub vendor: HypervisorVendor,
@@ -1022,6 +1029,10 @@ impl ConfigOps for Hypervisor {
                hv.network_info.adjust_config()?;
                hv.security_info.adjust_config()?;
                hv.shared_fs.adjust_config()?;
+                resolve_path!(
+                    hv.prefetch_list_path,
+                    "prefetch_list_path `{}` is invalid: {}"
+                )?;
            } else {
                return Err(eother!("Can not find plugin for hypervisor {}", hypervisor));
            }
@@ -1056,6 +1067,10 @@ impl ConfigOps for Hypervisor {
                    "Hypervisor control executable `{}` is invalid: {}"
                )?;
                validate_path!(hv.jailer_path, "Hypervisor jailer path `{}` is invalid: {}")?;
+                validate_path!(
+                    hv.prefetch_list_path,
+                    "prefetch_files.list path `{}` is invalid: {}"
+                )?;
            } else {
                return Err(eother!("Can not find plugin for hypervisor {}", hypervisor));
            }
--- a/src/libs/kata-types/src/config/mod.rs
+++ b/src/libs/kata-types/src/config/mod.rs
@@ -127,6 +127,14 @@ impl TomlConfig {
        result
    }

+    /// Load raw Kata configuration information from default configuration file.
+    ///
+    /// Configuration file is probed according to the default configuration file list
+    /// default::DEFAULT_RUNTIME_CONFIGURATIONS.
+    pub fn load_from_default() -> Result<(TomlConfig, PathBuf)> {
+        Self::load_raw_from_file("")
+    }
+
    /// Load raw Kata configuration information from configuration files.
    ///
    /// If `config_file` is valid, it will used, otherwise a built-in default path list will be
@@ -196,7 +204,7 @@ impl TomlConfig {
    }

    /// Probe configuration file according to the default configuration file list.
-    fn get_default_config_file() -> Result<PathBuf> {
+    pub fn get_default_config_file() -> Result<PathBuf> {
        for f in default::DEFAULT_RUNTIME_CONFIGURATIONS.iter() {
            if let Ok(path) = fs::canonicalize(f) {
                return Ok(path);
--- a/src/libs/kata-types/src/config/runtime.rs
+++ b/src/libs/kata-types/src/config/runtime.rs
@@ -130,6 +130,12 @@ pub struct Runtime {
    /// Vendor customized runtime configuration.
    #[serde(default, flatten)]
    pub vendor: RuntimeVendor,
+
+    /// If keep_abnormal is enabled, it means that 1) if the runtime exits abnormally, the cleanup process
+    /// will be skipped, and 2) the runtime will not exit even if the health check fails.
+    /// This option is typically used to retain abnormal information for debugging.
+    #[serde(default)]
+    pub keep_abnormal: bool,
 }

 impl ConfigOps for Runtime {
--- a/src/libs/oci/src/lib.rs
+++ b/src/libs/oci/src/lib.rs
@@ -192,11 +192,23 @@ pub struct Hook {
 pub struct Hooks {
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub prestart: Vec<Hook>,
-    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    #[serde(
+        rename = "createRuntime",
+        default,
+        skip_serializing_if = "Vec::is_empty"
+    )]
    pub create_runtime: Vec<Hook>,
-    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    #[serde(
+        rename = "createContainer",
+        default,
+        skip_serializing_if = "Vec::is_empty"
+    )]
    pub create_container: Vec<Hook>,
-    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    #[serde(
+        rename = "startContainer",
+        default,
+        skip_serializing_if = "Vec::is_empty"
+    )]
    pub start_container: Vec<Hook>,
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub poststart: Vec<Hook>,
@@ -837,6 +849,8 @@ pub struct State {

 #[cfg(test)]
 mod tests {
+    use std::vec;
+
    use super::*;

    #[test]
@@ -1027,6 +1041,11 @@ mod tests {
                        "path": "/usr/bin/setup-network"
                    }
                ],
+                "createRuntime": [
+                    {
+                        "path": "/usr/local/bin/nerdctl"
+                    }
+                ],
                "poststart": [
                    {
                        "path": "/usr/bin/notify-start",
@@ -1395,6 +1414,12 @@ mod tests {
                        timeout: None,
                    },
                ],
+                create_runtime: vec![crate::Hook {
+                    path: "/usr/local/bin/nerdctl".to_string(),
+                    args: vec![],
+                    env: vec![],
+                    timeout: None,
+                }],
                poststart: vec![crate::Hook {
                    path: "/usr/bin/notify-start".to_string(),
                    args: vec![],
--- a/src/libs/protocols/.gitignore
+++ b/src/libs/protocols/.gitignore
@@ -1,11 +1,6 @@
 Cargo.lock
-src/agent.rs
-src/agent_ttrpc.rs
-src/agent_ttrpc_async.rs
-src/csi.rs
-src/empty.rs
-src/health.rs
-src/health_ttrpc.rs
-src/health_ttrpc_async.rs
-src/oci.rs
-src/types.rs
+
+src/*.rs
+!src/lib.rs
+!src/trans.rs
+!src/serde_config.rs
--- a/src/libs/protocols/Cargo.toml
+++ b/src/libs/protocols/Cargo.toml
@@ -11,12 +11,13 @@ with-serde = [ "serde", "serde_json" ]
 async = ["ttrpc/async", "async-trait"]

 [dependencies]
-ttrpc = { version = "0.6.0" }
+ttrpc = { version = "0.7.1" }
 async-trait = { version = "0.1.42", optional = true }
-protobuf = { version = "2.27.0", features = ["with-serde"] }
+protobuf = { version = "3.2.0" }
 serde = { version = "1.0.130", features = ["derive"], optional = true }
 serde_json = { version = "1.0.68", optional = true }
 oci = { path = "../oci" }

 [build-dependencies]
-ttrpc-codegen = "0.2.0"
+ttrpc-codegen = "0.4.2"
+protobuf = { version = "3.2.0" }
--- a/src/libs/protocols/build.rs
+++ b/src/libs/protocols/build.rs
@@ -7,7 +7,46 @@ use std::fs::{self, File};
 use std::io::{BufRead, BufReader, Read, Write};
 use std::path::Path;
 use std::process::exit;
-use ttrpc_codegen::{Codegen, Customize, ProtobufCustomize};
+
+use protobuf::{
+    descriptor::field_descriptor_proto::Type,
+    reflect::{EnumDescriptor, FieldDescriptor, MessageDescriptor, OneofDescriptor},
+};
+use ttrpc_codegen::{Codegen, Customize, ProtobufCustomize, ProtobufCustomizeCallback};
+
+struct GenSerde;
+
+impl ProtobufCustomizeCallback for GenSerde {
+    fn message(&self, _message: &MessageDescriptor) -> ProtobufCustomize {
+        ProtobufCustomize::default().before("#[cfg_attr(feature = \"with-serde\", derive(::serde::Serialize, ::serde::Deserialize))]")
+    }
+
+    fn enumeration(&self, _enum_type: &EnumDescriptor) -> ProtobufCustomize {
+        ProtobufCustomize::default().before("#[cfg_attr(feature = \"with-serde\", derive(::serde::Serialize, ::serde::Deserialize))]")
+    }
+
+    fn oneof(&self, _oneof: &OneofDescriptor) -> ProtobufCustomize {
+        ProtobufCustomize::default().before("#[cfg_attr(feature = \"with-serde\", derive(::serde::Serialize, ::serde::Deserialize))]")
+    }
+
+    fn field(&self, field: &FieldDescriptor) -> ProtobufCustomize {
+        if field.proto().type_() == Type::TYPE_ENUM {
+            ProtobufCustomize::default().before(
+                    "#[cfg_attr(feature = \"with-serde\", serde(serialize_with = \"crate::serialize_enum_or_unknown\", deserialize_with = \"crate::deserialize_enum_or_unknown\"))]",
+                )
+        } else if field.proto().type_() == Type::TYPE_MESSAGE && field.is_singular() {
+            ProtobufCustomize::default().before(
+                "#[cfg_attr(feature = \"with-serde\", serde(serialize_with = \"crate::serialize_message_field\", deserialize_with = \"crate::deserialize_message_field\"))]",
+            )
+        } else {
+            ProtobufCustomize::default()
+        }
+    }
+
+    fn special_field(&self, _message: &MessageDescriptor, _field: &str) -> ProtobufCustomize {
+        ProtobufCustomize::default().before("#[cfg_attr(feature = \"with-serde\", serde(skip))]")
+    }
+}

 fn replace_text_in_file(file_name: &str, from: &str, to: &str) -> Result<(), std::io::Error> {
    let mut src = File::open(file_name)?;
@@ -103,10 +142,10 @@ fn codegen(path: &str, protos: &[&str], async_all: bool) -> Result<(), std::io::
        ..Default::default()
    };

-    let protobuf_options = ProtobufCustomize {
-        serde_derive: Some(true),
-        ..Default::default()
-    };
+    let protobuf_options = ProtobufCustomize::default()
+        .gen_mod_rs(false)
+        .generate_getter(true)
+        .generate_accessors(true);

    let out_dir = Path::new("src");

@@ -117,6 +156,7 @@ fn codegen(path: &str, protos: &[&str], async_all: bool) -> Result<(), std::io::
        .customize(ttrpc_options)
        .rust_protobuf()
        .rust_protobuf_customize(protobuf_options)
+        .rust_protobuf_customize_callback(GenSerde)
        .run()?;

    let autogen_comment = format!("\n//! Generated by {:?} ({:?})", file!(), module_path!());
@@ -147,6 +187,7 @@ fn real_main() -> Result<(), std::io::Error> {
        "src",
        &[
            "protos/google/protobuf/empty.proto",
+            "protos/gogo/protobuf/gogoproto/gogo.proto",
            "protos/oci.proto",
            "protos/types.proto",
            "protos/csi.proto",
--- a/src/libs/protocols/protos/agent.proto
+++ b/src/libs/protocols/protos/agent.proto
@@ -38,6 +38,7 @@ service AgentService {
 	rpc StatsContainer(StatsContainerRequest) returns (StatsContainerResponse);
 	rpc PauseContainer(PauseContainerRequest) returns (google.protobuf.Empty);
 	rpc ResumeContainer(ResumeContainerRequest) returns (google.protobuf.Empty);
+	rpc RemoveStaleVirtiofsShareMounts(RemoveStaleVirtiofsShareMountsRequest) returns (google.protobuf.Empty);

 	// stdio
 	rpc WriteStdin(WriteStreamRequest) returns (WriteStreamResponse);
@@ -301,6 +302,8 @@ message CreateSandboxRequest {
 message DestroySandboxRequest {
 }

+message RemoveStaleVirtiofsShareMountsRequest {}
+
 message Interfaces {
 	repeated types.Interface Interfaces = 1;
 }
--- a/src/libs/protocols/src/lib.rs
+++ b/src/libs/protocols/src/lib.rs
@@ -11,10 +11,19 @@ pub mod agent_ttrpc;
 pub mod agent_ttrpc_async;
 pub mod csi;
 pub mod empty;
+mod gogo;
 pub mod health;
 pub mod health_ttrpc;
 #[cfg(feature = "async")]
 pub mod health_ttrpc_async;
 pub mod oci;
+#[cfg(feature = "with-serde")]
+mod serde_config;
 pub mod trans;
 pub mod types;
+
+#[cfg(feature = "with-serde")]
+pub use serde_config::{
+    deserialize_enum_or_unknown, deserialize_message_field, serialize_enum_or_unknown,
+    serialize_message_field,
+};
--- a/src/libs/protocols/src/serde_config.rs
+++ b/src/libs/protocols/src/serde_config.rs
@@ -0,0 +1,68 @@
+// Copyright (c) 2023 Ant Group
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use protobuf::{EnumOrUnknown, MessageField};
+use serde::{Deserialize, Serialize};
+
+#[cfg(feature = "with-serde")]
+pub fn serialize_enum_or_unknown<E: protobuf::EnumFull, S: serde::Serializer>(
+    e: &protobuf::EnumOrUnknown<E>,
+    s: S,
+) -> Result<S::Ok, S::Error> {
+    e.value().serialize(s)
+}
+
+pub fn serialize_message_field<E: Serialize, S: serde::Serializer>(
+    e: &protobuf::MessageField<E>,
+    s: S,
+) -> Result<S::Ok, S::Error> {
+    if e.is_some() {
+        e.as_ref().unwrap().serialize(s)
+    } else {
+        s.serialize_unit()
+    }
+}
+
+pub fn deserialize_enum_or_unknown<'de, E: Deserialize<'de>, D: serde::Deserializer<'de>>(
+    d: D,
+) -> Result<protobuf::EnumOrUnknown<E>, D::Error> {
+    i32::deserialize(d).map(EnumOrUnknown::from_i32)
+}
+
+pub fn deserialize_message_field<'de, E: Deserialize<'de>, D: serde::Deserializer<'de>>(
+    d: D,
+) -> Result<protobuf::MessageField<E>, D::Error> {
+    Option::deserialize(d).map(MessageField::from_option)
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::agent::{ExecProcessRequest, StringUser};
+    use crate::health::{health_check_response::ServingStatus, HealthCheckResponse};
+
+    #[test]
+    fn test_serde_for_enum_or_unknown() {
+        let mut hc = HealthCheckResponse::new();
+        hc.set_status(ServingStatus::SERVING);
+
+        let json = serde_json::to_string(&hc).unwrap();
+        let from_json: HealthCheckResponse = serde_json::from_str(&json).unwrap();
+
+        assert_eq!(from_json, hc);
+    }
+
+    #[test]
+    fn test_serde_for_message_field() {
+        let mut epr = ExecProcessRequest::new();
+        let mut str_user = StringUser::new();
+        str_user.uid = "Someone's id".to_string();
+        epr.set_string_user(str_user);
+
+        let json = serde_json::to_string(&epr).unwrap();
+        let from_json: ExecProcessRequest = serde_json::from_str(&json).unwrap();
+
+        assert_eq!(from_json, epr);
+    }
+}
--- a/src/libs/protocols/src/trans.rs
+++ b/src/libs/protocols/src/trans.rs
@@ -15,19 +15,19 @@ use oci::{
 };

 // translate from interface to ttprc tools
-fn from_option<F: Sized, T: From<F>>(from: Option<F>) -> ::protobuf::SingularPtrField<T> {
+fn from_option<F: Sized, T: From<F>>(from: Option<F>) -> protobuf::MessageField<T> {
    match from {
-        Some(f) => ::protobuf::SingularPtrField::from_option(Some(T::from(f))),
-        None => ::protobuf::SingularPtrField::none(),
+        Some(f) => protobuf::MessageField::from_option(Some(f.into())),
+        None => protobuf::MessageField::none(),
    }
 }

-fn from_vec<F: Sized, T: From<F>>(from: Vec<F>) -> ::protobuf::RepeatedField<T> {
+fn from_vec<F: Sized, T: From<F>>(from: Vec<F>) -> Vec<T> {
    let mut to: Vec<T> = vec![];
    for data in from {
-        to.push(T::from(data));
+        to.push(data.into());
    }
-    ::protobuf::RepeatedField::from_vec(to)
+    to
 }

 impl From<oci::Box> for crate::oci::Box {
@@ -35,8 +35,7 @@ impl From<oci::Box> for crate::oci::Box {
        crate::oci::Box {
            Height: from.height,
            Width: from.width,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -48,8 +47,7 @@ impl From<oci::User> for crate::oci::User {
            GID: from.gid,
            AdditionalGids: from.additional_gids,
            Username: from.username,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -57,13 +55,12 @@ impl From<oci::User> for crate::oci::User {
 impl From<oci::LinuxCapabilities> for crate::oci::LinuxCapabilities {
    fn from(from: LinuxCapabilities) -> Self {
        crate::oci::LinuxCapabilities {
-            Bounding: from_vec(from.bounding),
-            Effective: from_vec(from.effective),
-            Inheritable: from_vec(from.inheritable),
-            Permitted: from_vec(from.permitted),
-            Ambient: from_vec(from.ambient),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            Bounding: from.bounding,
+            Effective: from.effective,
+            Inheritable: from.inheritable,
+            Permitted: from.permitted,
+            Ambient: from.ambient,
+            ..Default::default()
        }
    }
 }
@@ -74,8 +71,7 @@ impl From<oci::PosixRlimit> for crate::oci::POSIXRlimit {
            Type: from.r#type,
            Hard: from.hard,
            Soft: from.soft,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -86,8 +82,8 @@ impl From<oci::Process> for crate::oci::Process {
            Terminal: from.terminal,
            ConsoleSize: from_option(from.console_size),
            User: from_option(Some(from.user)),
-            Args: from_vec(from.args),
-            Env: from_vec(from.env),
+            Args: from.args,
+            Env: from.env,
            Cwd: from.cwd,
            Capabilities: from_option(from.capabilities),
            Rlimits: from_vec(from.rlimits),
@@ -95,8 +91,7 @@ impl From<oci::Process> for crate::oci::Process {
            ApparmorProfile: from.apparmor_profile,
            OOMScoreAdj: from.oom_score_adj.map_or(0, |t| t as i64),
            SelinuxLabel: from.selinux_label,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -109,8 +104,7 @@ impl From<oci::LinuxDeviceCgroup> for crate::oci::LinuxDeviceCgroup {
            Major: from.major.map_or(0, |t| t),
            Minor: from.minor.map_or(0, |t| t),
            Access: from.access,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -125,8 +119,7 @@ impl From<oci::LinuxMemory> for crate::oci::LinuxMemory {
            KernelTCP: from.kernel_tcp.map_or(0, |t| t),
            Swappiness: from.swappiness.map_or(0, |t| t),
            DisableOOMKiller: from.disable_oom_killer.map_or(false, |t| t),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -141,8 +134,7 @@ impl From<oci::LinuxCpu> for crate::oci::LinuxCPU {
            RealtimePeriod: from.realtime_period.map_or(0, |t| t),
            Cpus: from.cpus,
            Mems: from.mems,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -151,8 +143,7 @@ impl From<oci::LinuxPids> for crate::oci::LinuxPids {
    fn from(from: LinuxPids) -> Self {
        crate::oci::LinuxPids {
            Limit: from.limit,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -165,8 +156,7 @@ impl From<oci::LinuxWeightDevice> for crate::oci::LinuxWeightDevice {
            Minor: 0,
            Weight: from.weight.map_or(0, |t| t as u32),
            LeafWeight: from.leaf_weight.map_or(0, |t| t as u32),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -178,8 +168,7 @@ impl From<oci::LinuxThrottleDevice> for crate::oci::LinuxThrottleDevice {
            Major: 0,
            Minor: 0,
            Rate: from.rate,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -194,8 +183,7 @@ impl From<oci::LinuxBlockIo> for crate::oci::LinuxBlockIO {
            ThrottleWriteBpsDevice: from_vec(from.throttle_write_bps_device),
            ThrottleReadIOPSDevice: from_vec(from.throttle_read_iops_device),
            ThrottleWriteIOPSDevice: from_vec(from.throttle_write_iops_device),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -205,8 +193,7 @@ impl From<oci::LinuxHugepageLimit> for crate::oci::LinuxHugepageLimit {
        crate::oci::LinuxHugepageLimit {
            Pagesize: from.page_size,
            Limit: from.limit,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -216,8 +203,7 @@ impl From<oci::LinuxInterfacePriority> for crate::oci::LinuxInterfacePriority {
        crate::oci::LinuxInterfacePriority {
            Name: from.name,
            Priority: from.priority,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -227,8 +213,7 @@ impl From<oci::LinuxNetwork> for crate::oci::LinuxNetwork {
        crate::oci::LinuxNetwork {
            ClassID: from.class_id.map_or(0, |t| t),
            Priorities: from_vec(from.priorities),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -243,8 +228,7 @@ impl From<oci::LinuxResources> for crate::oci::LinuxResources {
            BlockIO: from_option(from.block_io),
            HugepageLimits: from_vec(from.hugepage_limits),
            Network: from_option(from.network),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -254,8 +238,7 @@ impl From<oci::Root> for crate::oci::Root {
        crate::oci::Root {
            Path: from.path,
            Readonly: from.readonly,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -265,10 +248,9 @@ impl From<oci::Mount> for crate::oci::Mount {
        crate::oci::Mount {
            destination: from.destination,
            source: from.source,
-            field_type: from.r#type,
-            options: from_vec(from.options),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            type_: from.r#type,
+            options: from.options,
+            ..Default::default()
        }
    }
 }
@@ -281,11 +263,10 @@ impl From<oci::Hook> for crate::oci::Hook {
        }
        crate::oci::Hook {
            Path: from.path,
-            Args: from_vec(from.args),
-            Env: from_vec(from.env),
+            Args: from.args,
+            Env: from.env,
            Timeout: timeout,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -299,8 +280,7 @@ impl From<oci::Hooks> for crate::oci::Hooks {
            StartContainer: from_vec(from.start_container),
            Poststart: from_vec(from.poststart),
            Poststop: from_vec(from.poststop),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -311,8 +291,7 @@ impl From<oci::LinuxIdMapping> for crate::oci::LinuxIDMapping {
            HostID: from.host_id,
            ContainerID: from.container_id,
            Size: from.size,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -322,8 +301,7 @@ impl From<oci::LinuxNamespace> for crate::oci::LinuxNamespace {
        crate::oci::LinuxNamespace {
            Type: from.r#type,
            Path: from.path,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -338,8 +316,7 @@ impl From<oci::LinuxDevice> for crate::oci::LinuxDevice {
            FileMode: from.file_mode.map_or(0, |v| v),
            UID: from.uid.map_or(0, |v| v),
            GID: from.gid.map_or(0, |v| v),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -351,8 +328,7 @@ impl From<oci::LinuxSeccompArg> for crate::oci::LinuxSeccompArg {
            Value: from.value,
            ValueTwo: from.value_two,
            Op: from.op,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -360,14 +336,13 @@ impl From<oci::LinuxSeccompArg> for crate::oci::LinuxSeccompArg {
 impl From<oci::LinuxSyscall> for crate::oci::LinuxSyscall {
    fn from(from: LinuxSyscall) -> Self {
        crate::oci::LinuxSyscall {
-            Names: from_vec(from.names),
+            Names: from.names,
            Action: from.action,
            Args: from_vec(from.args),
-            ErrnoRet: Some(crate::oci::LinuxSyscall_oneof_ErrnoRet::errnoret(
+            ErrnoRet: Some(crate::oci::linux_syscall::ErrnoRet::Errnoret(
                from.errno_ret,
            )),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -376,11 +351,10 @@ impl From<oci::LinuxSeccomp> for crate::oci::LinuxSeccomp {
    fn from(from: LinuxSeccomp) -> Self {
        crate::oci::LinuxSeccomp {
            DefaultAction: from.default_action,
-            Architectures: from_vec(from.architectures),
+            Architectures: from.architectures,
            Syscalls: from_vec(from.syscalls),
-            Flags: from_vec(from.flags),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            Flags: from.flags,
+            ..Default::default()
        }
    }
 }
@@ -389,8 +363,7 @@ impl From<oci::LinuxIntelRdt> for crate::oci::LinuxIntelRdt {
    fn from(from: LinuxIntelRdt) -> Self {
        crate::oci::LinuxIntelRdt {
            L3CacheSchema: from.l3_cache_schema,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -407,12 +380,11 @@ impl From<oci::Linux> for crate::oci::Linux {
            Devices: from_vec(from.devices),
            Seccomp: from_option(from.seccomp),
            RootfsPropagation: from.rootfs_propagation,
-            MaskedPaths: from_vec(from.masked_paths),
-            ReadonlyPaths: from_vec(from.readonly_paths),
+            MaskedPaths: from.masked_paths,
+            ReadonlyPaths: from.readonly_paths,
            MountLabel: from.mount_label,
            IntelRdt: from_option(from.intel_rdt),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -430,8 +402,7 @@ impl From<oci::Spec> for crate::oci::Spec {
            Linux: from_option(from.linux),
            Solaris: Default::default(),
            Windows: Default::default(),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -449,7 +420,7 @@ impl From<crate::oci::Mount> for oci::Mount {
    fn from(mut from: crate::oci::Mount) -> Self {
        let options = from.take_options().to_vec();
        Self {
-            r#type: from.take_field_type(),
+            r#type: from.take_type_(),
            destination: from.take_destination(),
            source: from.take_source(),
            options,
@@ -460,9 +431,9 @@ impl From<crate::oci::Mount> for oci::Mount {
 impl From<crate::oci::LinuxIDMapping> for oci::LinuxIdMapping {
    fn from(from: crate::oci::LinuxIDMapping) -> Self {
        LinuxIdMapping {
-            container_id: from.get_ContainerID(),
-            host_id: from.get_HostID(),
-            size: from.get_Size(),
+            container_id: from.ContainerID(),
+            host_id: from.HostID(),
+            size: from.Size(),
        }
    }
 }
@@ -470,17 +441,17 @@ impl From<crate::oci::LinuxIDMapping> for oci::LinuxIdMapping {
 impl From<crate::oci::LinuxDeviceCgroup> for oci::LinuxDeviceCgroup {
    fn from(mut from: crate::oci::LinuxDeviceCgroup) -> Self {
        let mut major = None;
-        if from.get_Major() > 0 {
-            major = Some(from.get_Major());
+        if from.Major() > 0 {
+            major = Some(from.Major());
        }

        let mut minor = None;
-        if from.get_Minor() > 0 {
-            minor = Some(from.get_Minor())
+        if from.Minor() > 0 {
+            minor = Some(from.Minor())
        }

        oci::LinuxDeviceCgroup {
-            allow: from.get_Allow(),
+            allow: from.Allow(),
            r#type: from.take_Type(),
            major,
            minor,
@@ -492,36 +463,36 @@ impl From<crate::oci::LinuxDeviceCgroup> for oci::LinuxDeviceCgroup {
 impl From<crate::oci::LinuxMemory> for oci::LinuxMemory {
    fn from(from: crate::oci::LinuxMemory) -> Self {
        let mut limit = None;
-        if from.get_Limit() > 0 {
-            limit = Some(from.get_Limit());
+        if from.Limit() > 0 {
+            limit = Some(from.Limit());
        }

        let mut reservation = None;
-        if from.get_Reservation() > 0 {
-            reservation = Some(from.get_Reservation());
+        if from.Reservation() > 0 {
+            reservation = Some(from.Reservation());
        }

        let mut swap = None;
-        if from.get_Swap() > 0 {
-            swap = Some(from.get_Swap());
+        if from.Swap() > 0 {
+            swap = Some(from.Swap());
        }

        let mut kernel = None;
-        if from.get_Kernel() > 0 {
-            kernel = Some(from.get_Kernel());
+        if from.Kernel() > 0 {
+            kernel = Some(from.Kernel());
        }

        let mut kernel_tcp = None;
-        if from.get_KernelTCP() > 0 {
-            kernel_tcp = Some(from.get_KernelTCP());
+        if from.KernelTCP() > 0 {
+            kernel_tcp = Some(from.KernelTCP());
        }

        let mut swappiness = None;
-        if from.get_Swappiness() > 0 {
-            swappiness = Some(from.get_Swappiness());
+        if from.Swappiness() > 0 {
+            swappiness = Some(from.Swappiness());
        }

-        let disable_oom_killer = Some(from.get_DisableOOMKiller());
+        let disable_oom_killer = Some(from.DisableOOMKiller());

        oci::LinuxMemory {
            limit,
@@ -538,28 +509,28 @@ impl From<crate::oci::LinuxMemory> for oci::LinuxMemory {
 impl From<crate::oci::LinuxCPU> for oci::LinuxCpu {
    fn from(mut from: crate::oci::LinuxCPU) -> Self {
        let mut shares = None;
-        if from.get_Shares() > 0 {
-            shares = Some(from.get_Shares());
+        if from.Shares() > 0 {
+            shares = Some(from.Shares());
        }

        let mut quota = None;
-        if from.get_Quota() > 0 {
-            quota = Some(from.get_Quota());
+        if from.Quota() > 0 {
+            quota = Some(from.Quota());
        }

        let mut period = None;
-        if from.get_Period() > 0 {
-            period = Some(from.get_Period());
+        if from.Period() > 0 {
+            period = Some(from.Period());
        }

        let mut realtime_runtime = None;
-        if from.get_RealtimeRuntime() > 0 {
-            realtime_runtime = Some(from.get_RealtimeRuntime());
+        if from.RealtimeRuntime() > 0 {
+            realtime_runtime = Some(from.RealtimeRuntime());
        }

        let mut realtime_period = None;
-        if from.get_RealtimePeriod() > 0 {
-            realtime_period = Some(from.get_RealtimePeriod());
+        if from.RealtimePeriod() > 0 {
+            realtime_period = Some(from.RealtimePeriod());
        }

        let cpus = from.take_Cpus();
@@ -580,7 +551,7 @@ impl From<crate::oci::LinuxCPU> for oci::LinuxCpu {
 impl From<crate::oci::LinuxPids> for oci::LinuxPids {
    fn from(from: crate::oci::LinuxPids) -> Self {
        oci::LinuxPids {
-            limit: from.get_Limit(),
+            limit: from.Limit(),
        }
    }
 }
@@ -588,35 +559,35 @@ impl From<crate::oci::LinuxPids> for oci::LinuxPids {
 impl From<crate::oci::LinuxBlockIO> for oci::LinuxBlockIo {
    fn from(from: crate::oci::LinuxBlockIO) -> Self {
        let mut weight = None;
-        if from.get_Weight() > 0 {
-            weight = Some(from.get_Weight() as u16);
+        if from.Weight() > 0 {
+            weight = Some(from.Weight() as u16);
        }
        let mut leaf_weight = None;
-        if from.get_LeafWeight() > 0 {
-            leaf_weight = Some(from.get_LeafWeight() as u16);
+        if from.LeafWeight() > 0 {
+            leaf_weight = Some(from.LeafWeight() as u16);
        }
        let mut weight_device = Vec::new();
-        for wd in from.get_WeightDevice() {
+        for wd in from.WeightDevice() {
            weight_device.push(wd.clone().into());
        }

        let mut throttle_read_bps_device = Vec::new();
-        for td in from.get_ThrottleReadBpsDevice() {
+        for td in from.ThrottleReadBpsDevice() {
            throttle_read_bps_device.push(td.clone().into());
        }

        let mut throttle_write_bps_device = Vec::new();
-        for td in from.get_ThrottleWriteBpsDevice() {
+        for td in from.ThrottleWriteBpsDevice() {
            throttle_write_bps_device.push(td.clone().into());
        }

        let mut throttle_read_iops_device = Vec::new();
-        for td in from.get_ThrottleReadIOPSDevice() {
+        for td in from.ThrottleReadIOPSDevice() {
            throttle_read_iops_device.push(td.clone().into());
        }

        let mut throttle_write_iops_device = Vec::new();
-        for td in from.get_ThrottleWriteIOPSDevice() {
+        for td in from.ThrottleWriteIOPSDevice() {
            throttle_write_iops_device.push(td.clone().into());
        }

@@ -661,7 +632,7 @@ impl From<crate::oci::LinuxInterfacePriority> for oci::LinuxInterfacePriority {
    fn from(mut from: crate::oci::LinuxInterfacePriority) -> Self {
        oci::LinuxInterfacePriority {
            name: from.take_Name(),
-            priority: from.get_Priority(),
+            priority: from.Priority(),
        }
    }
 }
@@ -669,11 +640,11 @@ impl From<crate::oci::LinuxInterfacePriority> for oci::LinuxInterfacePriority {
 impl From<crate::oci::LinuxNetwork> for oci::LinuxNetwork {
    fn from(mut from: crate::oci::LinuxNetwork) -> Self {
        let mut class_id = None;
-        if from.get_ClassID() > 0 {
-            class_id = Some(from.get_ClassID());
+        if from.ClassID() > 0 {
+            class_id = Some(from.ClassID());
        }
        let mut priorities = Vec::new();
-        for p in from.take_Priorities().to_vec() {
+        for p in from.take_Priorities() {
            priorities.push(p.into())
        }

@@ -688,7 +659,7 @@ impl From<crate::oci::LinuxHugepageLimit> for oci::LinuxHugepageLimit {
    fn from(mut from: crate::oci::LinuxHugepageLimit) -> Self {
        oci::LinuxHugepageLimit {
            page_size: from.take_Pagesize(),
-            limit: from.get_Limit(),
+            limit: from.Limit(),
        }
    }
 }
@@ -696,7 +667,7 @@ impl From<crate::oci::LinuxHugepageLimit> for oci::LinuxHugepageLimit {
 impl From<crate::oci::LinuxResources> for oci::LinuxResources {
    fn from(mut from: crate::oci::LinuxResources) -> Self {
        let mut devices = Vec::new();
-        for d in from.take_Devices().to_vec() {
+        for d in from.take_Devices() {
            devices.push(d.into());
        }

@@ -712,16 +683,16 @@ impl From<crate::oci::LinuxResources> for oci::LinuxResources {

        let mut pids = None;
        if from.has_Pids() {
-            pids = Some(from.get_Pids().clone().into())
+            pids = Some(from.Pids().clone().into())
        }

        let mut block_io = None;
        if from.has_BlockIO() {
-            block_io = Some(from.get_BlockIO().clone().into());
+            block_io = Some(from.BlockIO().clone().into());
        }

        let mut hugepage_limits = Vec::new();
-        for hl in from.get_HugepageLimits() {
+        for hl in from.HugepageLimits() {
            hugepage_limits.push(hl.clone().into());
        }

@@ -750,11 +721,11 @@ impl From<crate::oci::LinuxDevice> for oci::LinuxDevice {
        oci::LinuxDevice {
            path: from.take_Path(),
            r#type: from.take_Type(),
-            major: from.get_Major(),
-            minor: from.get_Minor(),
-            file_mode: Some(from.get_FileMode()),
-            uid: Some(from.get_UID()),
-            gid: Some(from.get_GID()),
+            major: from.Major(),
+            minor: from.Minor(),
+            file_mode: Some(from.FileMode()),
+            uid: Some(from.UID()),
+            gid: Some(from.GID()),
        }
    }
 }
@@ -762,9 +733,9 @@ impl From<crate::oci::LinuxDevice> for oci::LinuxDevice {
 impl From<crate::oci::LinuxSeccompArg> for oci::LinuxSeccompArg {
    fn from(mut from: crate::oci::LinuxSeccompArg) -> Self {
        oci::LinuxSeccompArg {
-            index: from.get_Index() as u32,
-            value: from.get_Value(),
-            value_two: from.get_ValueTwo(),
+            index: from.Index() as u32,
+            value: from.Value(),
+            value_two: from.ValueTwo(),
            op: from.take_Op(),
        }
    }
@@ -773,14 +744,14 @@ impl From<crate::oci::LinuxSeccompArg> for oci::LinuxSeccompArg {
 impl From<crate::oci::LinuxSyscall> for oci::LinuxSyscall {
    fn from(mut from: crate::oci::LinuxSyscall) -> Self {
        let mut args = Vec::new();
-        for ag in from.take_Args().to_vec() {
+        for ag in from.take_Args() {
            args.push(ag.into());
        }
        oci::LinuxSyscall {
            names: from.take_Names().to_vec(),
            action: from.take_Action(),
            args,
-            errno_ret: from.get_errnoret(),
+            errno_ret: from.errnoret(),
        }
    }
 }
@@ -788,7 +759,7 @@ impl From<crate::oci::LinuxSyscall> for oci::LinuxSyscall {
 impl From<crate::oci::LinuxSeccomp> for oci::LinuxSeccomp {
    fn from(mut from: crate::oci::LinuxSeccomp) -> Self {
        let mut syscalls = Vec::new();
-        for s in from.take_Syscalls().to_vec() {
+        for s in from.take_Syscalls() {
            syscalls.push(s.into());
        }

@@ -813,16 +784,16 @@ impl From<crate::oci::LinuxNamespace> for oci::LinuxNamespace {
 impl From<crate::oci::Linux> for oci::Linux {
    fn from(mut from: crate::oci::Linux) -> Self {
        let mut uid_mappings = Vec::new();
-        for id_map in from.take_UIDMappings().to_vec() {
+        for id_map in from.take_UIDMappings() {
            uid_mappings.push(id_map.into())
        }

        let mut gid_mappings = Vec::new();
-        for id_map in from.take_GIDMappings().to_vec() {
+        for id_map in from.take_GIDMappings() {
            gid_mappings.push(id_map.into())
        }

-        let sysctl = from.get_Sysctl().clone();
+        let sysctl = from.Sysctl().clone();
        let mut resources = None;
        if from.has_Resources() {
            resources = Some(from.take_Resources().into());
@@ -830,12 +801,12 @@ impl From<crate::oci::Linux> for oci::Linux {

        let cgroups_path = from.take_CgroupsPath();
        let mut namespaces = Vec::new();
-        for ns in from.take_Namespaces().to_vec() {
+        for ns in from.take_Namespaces() {
            namespaces.push(ns.into())
        }

        let mut devices = Vec::new();
-        for d in from.take_Devices().to_vec() {
+        for d in from.take_Devices() {
            devices.push(d.into());
        }

@@ -874,8 +845,8 @@ impl From<crate::oci::POSIXRlimit> for oci::PosixRlimit {
    fn from(mut from: crate::oci::POSIXRlimit) -> Self {
        oci::PosixRlimit {
            r#type: from.take_Type(),
-            hard: from.get_Hard(),
-            soft: from.get_Soft(),
+            hard: from.Hard(),
+            soft: from.Soft(),
        }
    }
 }
@@ -895,8 +866,8 @@ impl From<crate::oci::LinuxCapabilities> for oci::LinuxCapabilities {
 impl From<crate::oci::User> for oci::User {
    fn from(mut from: crate::oci::User) -> Self {
        oci::User {
-            uid: from.get_UID(),
-            gid: from.get_GID(),
+            uid: from.UID(),
+            gid: from.GID(),
            additional_gids: from.take_AdditionalGids().to_vec(),
            username: from.take_Username(),
        }
@@ -906,8 +877,8 @@ impl From<crate::oci::User> for oci::User {
 impl From<crate::oci::Box> for oci::Box {
    fn from(from: crate::oci::Box) -> Self {
        oci::Box {
-            height: from.get_Height(),
-            width: from.get_Width(),
+            height: from.Height(),
+            width: from.Width(),
        }
    }
 }
@@ -920,22 +891,22 @@ impl From<crate::oci::Process> for oci::Process {
        }

        let user = from.take_User().into();
-        let args = from.take_Args().into_vec();
-        let env = from.take_Env().into_vec();
+        let args = from.take_Args();
+        let env = from.take_Env();
        let cwd = from.take_Cwd();
        let mut capabilities = None;
        if from.has_Capabilities() {
            capabilities = Some(from.take_Capabilities().into());
        }
        let mut rlimits = Vec::new();
-        for rl in from.take_Rlimits().to_vec() {
+        for rl in from.take_Rlimits() {
            rlimits.push(rl.into());
        }
-        let no_new_privileges = from.get_NoNewPrivileges();
+        let no_new_privileges = from.NoNewPrivileges();
        let apparmor_profile = from.take_ApparmorProfile();
        let mut oom_score_adj = None;
-        if from.get_OOMScoreAdj() != 0 {
-            oom_score_adj = Some(from.get_OOMScoreAdj() as i32);
+        if from.OOMScoreAdj() != 0 {
+            oom_score_adj = Some(from.OOMScoreAdj() as i32);
        }
        let selinux_label = from.take_SelinuxLabel();

@@ -959,8 +930,8 @@ impl From<crate::oci::Process> for oci::Process {
 impl From<crate::oci::Hook> for oci::Hook {
    fn from(mut from: crate::oci::Hook) -> Self {
        let mut timeout = None;
-        if from.get_Timeout() > 0 {
-            timeout = Some(from.get_Timeout() as i32);
+        if from.Timeout() > 0 {
+            timeout = Some(from.Timeout() as i32);
        }
        oci::Hook {
            path: from.take_Path(),
@@ -1020,7 +991,7 @@ impl From<crate::oci::Spec> for oci::Spec {
        }

        let mut mounts = Vec::new();
-        for m in from.take_Mounts().into_vec() {
+        for m in from.take_Mounts() {
            mounts.push(m.into())
        }

@@ -1085,7 +1056,7 @@ mod tests {
    #[test]
    fn test_from_vec_len_0() {
        let from: Vec<TestA> = vec![];
-        let to: ::protobuf::RepeatedField<TestB> = from_vec(from.clone());
+        let to: Vec<TestB> = from_vec(from.clone());
        assert_eq!(from.len(), to.len());
    }

@@ -1094,7 +1065,7 @@ mod tests {
        let from: Vec<TestA> = vec![TestA {
            from: "a".to_string(),
        }];
-        let to: ::protobuf::RepeatedField<TestB> = from_vec(from.clone());
+        let to: Vec<TestB> = from_vec(from.clone());

        assert_eq!(from.len(), to.len());
        assert_eq!(from[0].from, to[0].to);
--- a/src/runtime-rs/Cargo.lock
+++ b/src/runtime-rs/Cargo.lock
@@ -9,7 +9,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "465a6172cf69b960917811022d8f29bc0b7fa1398bc4f78b3c466673db1213b6"
 dependencies = [
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -50,7 +50,7 @@ dependencies = [
 "logging",
 "nix 0.24.3",
 "oci",
- "protobuf",
+ "protobuf 3.2.0",
 "protocols",
 "serde",
 "serde_json",
@@ -221,7 +221,7 @@ checksum = "1cd7fce9ba8c3c042128ce72d8b2ddbf3a05747efb67ea0313c635e10bda47a2"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -276,7 +276,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fd9e32d7420c85055e8107e5b2463c4eeefeaac18b52359fe9f9c08a18f342b2"
 dependencies = [
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -475,7 +475,7 @@ dependencies = [
 "nix 0.24.3",
 "oci",
 "persist",
- "protobuf",
+ "protobuf 3.2.0",
 "serde_json",
 "slog",
 "slog-scope",
@@ -508,13 +508,14 @@ checksum = "f3ad85c1f65dc7b37604eb0e89748faf0b9653065f2a8ef69f96a687ec1e9279"

 [[package]]
 name = "containerd-shim-protos"
-version = "0.2.0"
+version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "077ec778a0835d9d85502e8535362130187759b69eddabe2bdb3a68ffb575bd0"
+checksum = "ef45f1c71aa587d8f657c546d8da38ea04f113dd05da0ef993c4515fa25fbdd1"
 dependencies = [
 "async-trait",
- "protobuf",
+ "protobuf 3.2.0",
 "ttrpc",
+ "ttrpc-codegen",
 ]

 [[package]]
@@ -583,7 +584,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6d2301688392eb071b0bf1a37be05c469d3cc4dbbd95df672fe28ab021e6a096"
 dependencies = [
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -610,7 +611,7 @@ dependencies = [
 "proc-macro2",
 "quote",
 "scratch",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -627,7 +628,7 @@ checksum = "086c685979a698443656e5cf7856c95c642295a38599f12fb1ff76fb28d19892"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -792,7 +793,7 @@ checksum = "3418329ca0ad70234b9735dc4ceed10af4df60eff9c8e7b06cb5e520d92c3535"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -1072,7 +1073,7 @@ checksum = "95a73af87da33b5acf53acfebdc339fe592ecf5357ac7c0a7734ab9d8c876a70"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -1734,6 +1735,16 @@ dependencies = [
 "tokio",
 ]

+[[package]]
+name = "netns-rs"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23541694f1d7d18cd1a0da3a1352a6ea48b01cbb4a8e7a6e547963823fd5276e"
+dependencies = [
+ "nix 0.23.2",
+ "thiserror",
+]
+
 [[package]]
 name = "nix"
 version = "0.23.2"
@@ -2076,7 +2087,7 @@ checksum = "069bdb1e05adc7a8990dce9cc75370895fbe4e3d58b9b73bf1aee56359344a55"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -2119,9 +2130,9 @@ checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"

 [[package]]
 name = "proc-macro2"
-version = "1.0.51"
+version = "1.0.58"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5d727cae5b39d21da60fa540906919ad737832fe0b1c165da3a34d6548c849d6"
+checksum = "fa1fb82fc0c281dd9671101b66b771ebbe1eaf967b96ac8740dcba4b70005ca8"
 dependencies = [
 "unicode-ident",
 ]
@@ -2164,7 +2175,7 @@ dependencies = [
 "itertools",
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -2182,9 +2193,16 @@ name = "protobuf"
 version = "2.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94"
+
+[[package]]
+name = "protobuf"
+version = "3.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b55bad9126f378a853655831eb7363b7b01b81d19f8cb1218861086ca4a1a61e"
 dependencies = [
- "serde",
- "serde_derive",
+ "once_cell",
+ "protobuf-support",
+ "thiserror",
 ]

 [[package]]
@@ -2193,36 +2211,47 @@ version = "2.28.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "033460afb75cf755fcfc16dfaed20b86468082a2ea24e05ac35ab4a099a017d6"
 dependencies = [
- "protobuf",
+ "protobuf 2.28.0",
 ]

 [[package]]
-name = "protobuf-codegen-pure"
-version = "2.28.0"
+name = "protobuf-codegen"
+version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95a29399fc94bcd3eeaa951c715f7bea69409b2445356b00519740bcd6ddd865"
+checksum = "0dd418ac3c91caa4032d37cb80ff0d44e2ebe637b2fb243b6234bf89cdac4901"
 dependencies = [
- "protobuf",
- "protobuf-codegen",
+ "anyhow",
+ "once_cell",
+ "protobuf 3.2.0",
+ "protobuf-parse",
+ "regex",
+ "tempfile",
+ "thiserror",
 ]

 [[package]]
-name = "protobuf-codegen-pure3"
-version = "2.28.2"
+name = "protobuf-parse"
+version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b351add14db0721ad0842f4858aec11a5088684112ef163fc50f113c63e69b2e"
+checksum = "9d39b14605eaa1f6a340aec7f320b34064feb26c93aec35d6a9a2272a8ddfa49"
 dependencies = [
- "protobuf",
- "protobuf-codegen3",
+ "anyhow",
+ "indexmap",
+ "log",
+ "protobuf 3.2.0",
+ "protobuf-support",
+ "tempfile",
+ "thiserror",
+ "which",
 ]

 [[package]]
-name = "protobuf-codegen3"
-version = "2.28.2"
+name = "protobuf-support"
+version = "3.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "73c5878d0fa872bd7d61782c6aa2d2d56761ba4ed4514eb6992f5f83162f1d2f"
+checksum = "a5d4d7b8601c814cfb36bcebb79f0e61e45e1e93640cf778837833bbed05c372"
 dependencies = [
- "protobuf",
+ "thiserror",
 ]

 [[package]]
@@ -2231,16 +2260,16 @@ version = "0.1.0"
 dependencies = [
 "async-trait",
 "oci",
- "protobuf",
+ "protobuf 3.2.0",
 "ttrpc",
 "ttrpc-codegen",
 ]

 [[package]]
 name = "quote"
-version = "1.0.23"
+version = "1.0.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8856d8364d252a14d474036ea1358d63c9e6965c8e5c1885c18f73d70bff9c7b"
+checksum = "8f4f29d145265ec1c483c7c654450edde0bfe043d3938d6972630663356d9500"
 dependencies = [
 "proc-macro2",
 ]
@@ -2401,6 +2430,7 @@ dependencies = [
 "byte-unit 4.0.18",
 "cgroups-rs",
 "futures 0.3.26",
+ "hex",
 "hypervisor",
 "kata-sys-util",
 "kata-types",
@@ -2409,6 +2439,7 @@ dependencies = [
 "logging",
 "netlink-packet-route",
 "netlink-sys",
+ "netns-rs",
 "nix 0.24.3",
 "oci",
 "persist",
@@ -2464,9 +2495,11 @@ dependencies = [
 "lazy_static",
 "linux_container",
 "logging",
+ "netns-rs",
 "nix 0.25.1",
 "oci",
 "persist",
+ "resource",
 "serde_json",
 "shim-interface",
 "slog",
@@ -2569,7 +2602,7 @@ checksum = "af487d118eecd09402d70a5d72551860e788df87b464af30e5ea6a38c75c541e"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -2602,7 +2635,7 @@ checksum = "b2acd6defeddb41eb60bb468f8825d0cfd0c2a76bc03bfd235b6a1dc4f6a1ad5"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -2662,7 +2695,7 @@ dependencies = [
 "logging",
 "nix 0.24.3",
 "oci",
- "protobuf",
+ "protobuf 3.2.0",
 "rand 0.8.5",
 "serial_test",
 "service",
@@ -2777,9 +2810,9 @@ checksum = "a507befe795404456341dfab10cef66ead4c041f62b8b11bbb92bffe5d0953e0"

 [[package]]
 name = "socket2"
-version = "0.4.7"
+version = "0.4.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "02e2d2db9033d13a1567121ddd7a095ee144db4e1ca1b1bda3419bc0da294ebd"
+checksum = "64a4a911eed85daf18834cfaa86a79b7d266ff93ff5ba14005426219480ed662"
 dependencies = [
 "libc",
 "winapi",
@@ -2816,7 +2849,7 @@ dependencies = [
 "proc-macro2",
 "quote",
 "rustversion",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -2846,6 +2879,17 @@ dependencies = [
 "unicode-ident",
 ]

+[[package]]
+name = "syn"
+version = "2.0.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6f671d4b5ffdb8eadec19c0ae67fe2639df8684bd7bc4b83d986b8db549cf01"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
 [[package]]
 name = "take_mut"
 version = "0.2.2"
@@ -2916,7 +2960,7 @@ checksum = "1fb327af4685e4d03fa8cbcf1716380da910eeb2bb8be417e7f9fd3fb164f36f"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -3002,14 +3046,13 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"

 [[package]]
 name = "tokio"
-version = "1.26.0"
+version = "1.28.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03201d01c3c27a29c8a5cee5b55a93ddae1ccf6f08f65365c2c918f8c1b76f64"
+checksum = "0aa32867d44e6f2ce3385e89dceb990188b8bb0fb25b0cf576647a6f98ac5105"
 dependencies = [
 "autocfg",
 "bytes 1.4.0",
 "libc",
- "memchr",
 "mio",
 "num_cpus",
 "parking_lot 0.12.1",
@@ -3017,18 +3060,18 @@ dependencies = [
 "signal-hook-registry",
 "socket2",
 "tokio-macros",
- "windows-sys 0.45.0",
+ "windows-sys 0.48.0",
 ]

 [[package]]
 name = "tokio-macros"
-version = "1.8.2"
+version = "2.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d266c00fde287f55d3f1c3e96c500c362a2b8c695076ec180f27918820bc6df8"
+checksum = "630bdcf245f78637c13ec01ffae6187cca34625e8c63150d424b59e55af2675e"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 2.0.16",
 ]

 [[package]]
@@ -3102,7 +3145,7 @@ checksum = "4017f8f45139870ca7e672686113917c71c7a6e02d4924eda67186083c03081a"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.109",
 ]

 [[package]]
@@ -3122,9 +3165,9 @@ checksum = "3528ecfd12c466c6f163363caf2d02a71161dd5e1cc6ae7b34207ea2d42d81ed"

 [[package]]
 name = "ttrpc"
-version = "0.6.1"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ecfff459a859c6ba6668ff72b34c2f1d94d9d58f7088414c2674ad0f31cc7d8"
+checksum = "a35f22a2964bea14afee161665bb260b83cb48e665e0260ca06ec0e775c8b06c"
 dependencies = [
 "async-trait",
 "byteorder",
@@ -3132,8 +3175,8 @@ dependencies = [
 "libc",
 "log",
 "nix 0.23.2",
- "protobuf",
- "protobuf-codegen-pure",
+ "protobuf 3.2.0",
+ "protobuf-codegen 3.2.0",
 "thiserror",
 "tokio",
 "tokio-vsock",
@@ -3141,28 +3184,28 @@ dependencies = [

 [[package]]
 name = "ttrpc-codegen"
-version = "0.2.3"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2365c9179ad82b29bda1b0162c7542ab5861a7844abfedd8cfdf8bd7e12358f9"
+checksum = "94d7f7631d7a9ebed715a47cd4cb6072cbc7ae1d4ec01598971bbec0024340c2"
 dependencies = [
- "protobuf",
- "protobuf-codegen-pure3",
- "protobuf-codegen3",
+ "protobuf 2.28.0",
+ "protobuf-codegen 3.2.0",
+ "protobuf-support",
 "ttrpc-compiler",
 ]

 [[package]]
 name = "ttrpc-compiler"
-version = "0.4.3"
+version = "0.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed57c2d6669099791507b8b491b2940f2e8975b52a73fe82efad24257d10e9bc"
+checksum = "ec3cb5dbf1f0865a34fe3f722290fe776cacb16f50428610b779467b76ddf647"
 dependencies = [
 "derive-new",
 "prost",
 "prost-build",
 "prost-types",
- "protobuf",
- "protobuf-codegen3",
+ "protobuf 2.28.0",
+ "protobuf-codegen 2.28.0",
 "tempfile",
 ]

@@ -3283,7 +3326,7 @@ dependencies = [
 "nix 0.24.3",
 "oci",
 "persist",
- "protobuf",
+ "protobuf 3.2.0",
 "resource",
 "serde",
 "serde_derive",
@@ -3421,7 +3464,7 @@ dependencies = [
 "once_cell",
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.109",
 "wasm-bindgen-shared",
 ]

@@ -3455,7 +3498,7 @@ checksum = "2aff81306fcac3c7515ad4e177f521b5c9a15f2b08f4e32d823066102f35a5f6"
 dependencies = [
 "proc-macro2",
 "quote",
- "syn",
+ "syn 1.0.109",
 "wasm-bindgen-backend",
 "wasm-bindgen-shared",
 ]
@@ -3544,13 +3587,13 @@ version = "0.42.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5a3e1820f08b8513f676f7ab6c1f99ff312fb97b553d30ff4dd86f9f15728aa7"
 dependencies = [
- "windows_aarch64_gnullvm",
- "windows_aarch64_msvc",
- "windows_i686_gnu",
- "windows_i686_msvc",
- "windows_x86_64_gnu",
- "windows_x86_64_gnullvm",
- "windows_x86_64_msvc",
+ "windows_aarch64_gnullvm 0.42.1",
+ "windows_aarch64_msvc 0.42.1",
+ "windows_i686_gnu 0.42.1",
+ "windows_i686_msvc 0.42.1",
+ "windows_x86_64_gnu 0.42.1",
+ "windows_x86_64_gnullvm 0.42.1",
+ "windows_x86_64_msvc 0.42.1",
 ]

 [[package]]
@@ -3559,7 +3602,16 @@ version = "0.45.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0"
 dependencies = [
- "windows-targets",
+ "windows-targets 0.42.1",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9"
+dependencies = [
+ "windows-targets 0.48.0",
 ]

 [[package]]
@@ -3568,13 +3620,28 @@ version = "0.42.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8e2522491fbfcd58cc84d47aeb2958948c4b8982e9a2d8a2a35bbaed431390e7"
 dependencies = [
- "windows_aarch64_gnullvm",
- "windows_aarch64_msvc",
- "windows_i686_gnu",
- "windows_i686_msvc",
- "windows_x86_64_gnu",
- "windows_x86_64_gnullvm",
- "windows_x86_64_msvc",
+ "windows_aarch64_gnullvm 0.42.1",
+ "windows_aarch64_msvc 0.42.1",
+ "windows_i686_gnu 0.42.1",
+ "windows_i686_msvc 0.42.1",
+ "windows_x86_64_gnu 0.42.1",
+ "windows_x86_64_gnullvm 0.42.1",
+ "windows_x86_64_msvc 0.42.1",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b1eb6f0cd7c80c79759c929114ef071b87354ce476d9d94271031c0497adfd5"
+dependencies = [
+ "windows_aarch64_gnullvm 0.48.0",
+ "windows_aarch64_msvc 0.48.0",
+ "windows_i686_gnu 0.48.0",
+ "windows_i686_msvc 0.48.0",
+ "windows_x86_64_gnu 0.48.0",
+ "windows_x86_64_gnullvm 0.48.0",
+ "windows_x86_64_msvc 0.48.0",
 ]

 [[package]]
@@ -3583,42 +3650,84 @@ version = "0.42.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8c9864e83243fdec7fc9c5444389dcbbfd258f745e7853198f365e3c4968a608"

+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91ae572e1b79dba883e0d315474df7305d12f569b400fcf90581b06062f7e1bc"
+
 [[package]]
 name = "windows_aarch64_msvc"
 version = "0.42.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4c8b1b673ffc16c47a9ff48570a9d85e25d265735c503681332589af6253c6c7"

+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2ef27e0d7bdfcfc7b868b317c1d32c641a6fe4629c171b8928c7b08d98d7cf3"
+
 [[package]]
 name = "windows_i686_gnu"
 version = "0.42.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "de3887528ad530ba7bdbb1faa8275ec7a1155a45ffa57c37993960277145d640"

+[[package]]
+name = "windows_i686_gnu"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "622a1962a7db830d6fd0a69683c80a18fda201879f0f447f065a3b7467daa241"
+
 [[package]]
 name = "windows_i686_msvc"
 version = "0.42.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bf4d1122317eddd6ff351aa852118a2418ad4214e6613a50e0191f7004372605"

+[[package]]
+name = "windows_i686_msvc"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4542c6e364ce21bf45d69fdd2a8e455fa38d316158cfd43b3ac1c5b1b19f8e00"
+
 [[package]]
 name = "windows_x86_64_gnu"
 version = "0.42.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c1040f221285e17ebccbc2591ffdc2d44ee1f9186324dd3e84e99ac68d699c45"

+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ca2b8a661f7628cbd23440e50b05d705db3686f894fc9580820623656af974b1"
+
 [[package]]
 name = "windows_x86_64_gnullvm"
 version = "0.42.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "628bfdf232daa22b0d64fdb62b09fcc36bb01f05a3939e20ab73aaf9470d0463"

+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7896dbc1f41e08872e9d5e8f8baa8fdd2677f29468c4e156210174edc7f7b953"
+
 [[package]]
 name = "windows_x86_64_msvc"
 version = "0.42.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "447660ad36a13288b1db4d4248e857b510e8c3a225c822ba4fb748c0aafecffd"

+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.48.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1a515f5799fe4961cb532f983ce2b23082366b898e52ffbce459c86f67c8378a"
+
 [[package]]
 name = "xattr"
 version = "0.2.3"
--- a/src/runtime-rs/Makefile
+++ b/src/runtime-rs/Makefile
@@ -17,6 +17,10 @@ CONTAINERD_RUNTIME_NAME = io.containerd.kata.v2

 include ../../utils.mk

+ifeq ($(ARCH), ppc64le)
+    override ARCH = powerpc64le
+endif
+
 ARCH_DIR = arch
 ARCH_FILE_SUFFIX = -options.mk
 ARCH_FILE = $(ARCH_DIR)/$(ARCH)$(ARCH_FILE_SUFFIX)
--- a/src/runtime-rs/config/configuration-dragonball.toml.in
+++ b/src/runtime-rs/config/configuration-dragonball.toml.in
@@ -206,15 +206,22 @@ container_pipe_size=@PIPESIZE@
 #debug_console_enabled = true

 # Agent connection dialing timeout value in seconds
-# (default: 30)
-#dial_timeout = 30
+# (default: 45)
+dial_timeout = 45

 [runtime]
 # If enabled, the runtime will log additional debug messages to the
 # system log
 # (default: disabled)
 #enable_debug = true
-#
+
+# If enabled, enabled, it means that 1) if the runtime exits abnormally,
+# the cleanup process will be skipped, and 2) the runtime will not exit
+# even if the health check fails.
+# This option is typically used to retain abnormal information for debugging.
+# (default: false)
+#keep_abnormal = true
+
 # Internetworking model
 # Determines how the VM should be connected to the
 # the container network interface
--- a/src/runtime-rs/crates/agent/Cargo.toml
+++ b/src/runtime-rs/crates/agent/Cargo.toml
@@ -12,13 +12,13 @@ futures = "0.1.27"
 anyhow = "1.0.26"
 async-trait = "0.1.48"
 log = "0.4.14"
-protobuf = "2.27.0"
+protobuf = "3.2.0"
 serde = { version = "^1.0", features = ["derive"] }
 serde_json = ">=1.0.9"
 slog = "2.5.2"
 slog-scope = "4.4.0"
-ttrpc = { version = "0.6.1" }
-tokio = { version = "1.8.0", features = ["fs", "rt"] }
+ttrpc = { version = "0.7.1" }
+tokio = { version = "1.28.1", features = ["fs", "rt"] }
 url = "2.2.2"
 nix = "0.24.2"

--- a/src/runtime-rs/crates/agent/src/kata/agent.rs
+++ b/src/runtime-rs/crates/agent/src/kata/agent.rs
@@ -56,7 +56,7 @@ macro_rules! impl_health_service {
        impl HealthService for KataAgent {
            $(async fn $name(&self, req: $req) -> Result<$resp> {
                let r = req.into();
-                let (mut client, timeout, _) = self.get_health_client().await.context("get health client")?;
+                let (client, timeout, _) = self.get_health_client().await.context("get health client")?;
                let resp = client.$name(new_ttrpc_ctx(timeout * MILLISECOND_TO_NANOSECOND), &r).await?;
                Ok(resp.into())
            })*
@@ -75,7 +75,7 @@ macro_rules! impl_agent {
        impl Agent for KataAgent {
            $(async fn $name(&self, req: $req) -> Result<$resp> {
                let r = req.into();
-                let (mut client, mut timeout, _) = self.get_agent_client().await.context("get client")?;
+                let (client, mut timeout, _) = self.get_agent_client().await.context("get client")?;

                // update new timeout
                if let Some(v) = $new_timeout {
--- a/src/runtime-rs/crates/agent/src/kata/trans.rs
+++ b/src/runtime-rs/crates/agent/src/kata/trans.rs
@@ -30,30 +30,18 @@ use crate::{
    OomEventResponse, WaitProcessResponse, WriteStreamResponse,
 };

-fn from_vec<F: Into<T>, T: Sized>(from: Vec<F>) -> ::protobuf::RepeatedField<T> {
-    let mut to: Vec<T> = vec![];
-    for data in from {
-        to.push(data.into());
-    }
-    ::protobuf::RepeatedField::from_vec(to)
+fn trans_vec<F: Sized + Clone, T: From<F>>(from: Vec<F>) -> Vec<T> {
+    from.into_iter().map(|f| f.into()).collect()
 }

-fn into_vec<F: Sized + Clone, T: From<F>>(from: ::protobuf::RepeatedField<F>) -> Vec<T> {
-    let mut to: Vec<T> = vec![];
-    for data in from.to_vec() {
-        to.push(data.into());
-    }
-    to
-}
-
-fn from_option<F: Sized, T: From<F>>(from: Option<F>) -> ::protobuf::SingularPtrField<T> {
+fn from_option<F: Sized, T: From<F>>(from: Option<F>) -> protobuf::MessageField<T> {
    match from {
-        Some(f) => ::protobuf::SingularPtrField::from_option(Some(T::from(f))),
-        None => ::protobuf::SingularPtrField::none(),
+        Some(f) => protobuf::MessageField::from_option(Some(T::from(f))),
+        None => protobuf::MessageField::none(),
    }
 }

-fn into_option<F: Into<T>, T: Sized>(from: ::protobuf::SingularPtrField<F>) -> Option<T> {
+fn into_option<F: Into<T>, T: Sized>(from: protobuf::MessageField<F>) -> Option<T> {
    from.into_option().map(|f| f.into())
 }

@@ -84,9 +72,8 @@ impl From<FSGroup> for agent::FSGroup {

        Self {
            group_id: from.group_id,
-            group_change_policy: policy,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            group_change_policy: policy.into(),
+            ..Default::default()
        }
    }
 }
@@ -96,9 +83,8 @@ impl From<StringUser> for agent::StringUser {
        Self {
            uid: from.uid,
            gid: from.gid,
-            additionalGids: ::protobuf::RepeatedField::from_vec(from.additional_gids),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            additionalGids: from.additional_gids,
+            ..Default::default()
        }
    }
 }
@@ -107,12 +93,11 @@ impl From<Device> for agent::Device {
    fn from(from: Device) -> Self {
        Self {
            id: from.id,
-            field_type: from.field_type,
+            type_: from.field_type,
            vm_path: from.vm_path,
            container_path: from.container_path,
-            options: from_vec(from.options),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            options: trans_vec(from.options),
+            ..Default::default()
        }
    }
 }
@@ -121,14 +106,13 @@ impl From<Storage> for agent::Storage {
    fn from(from: Storage) -> Self {
        Self {
            driver: from.driver,
-            driver_options: from_vec(from.driver_options),
+            driver_options: trans_vec(from.driver_options),
            source: from.source,
            fstype: from.fs_type,
            fs_group: from_option(from.fs_group),
-            options: from_vec(from.options),
+            options: trans_vec(from.options),
            mount_point: from.mount_point,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -137,9 +121,8 @@ impl From<KernelModule> for agent::KernelModule {
    fn from(from: KernelModule) -> Self {
        Self {
            name: from.name,
-            parameters: from_vec(from.parameters),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            parameters: trans_vec(from.parameters),
+            ..Default::default()
        }
    }
 }
@@ -166,11 +149,10 @@ impl From<types::IPFamily> for IPFamily {
 impl From<IPAddress> for types::IPAddress {
    fn from(from: IPAddress) -> Self {
        Self {
-            family: from.family.into(),
+            family: protobuf::EnumOrUnknown::new(from.family.into()),
            address: from.address,
            mask: from.mask,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -178,7 +160,7 @@ impl From<IPAddress> for types::IPAddress {
 impl From<types::IPAddress> for IPAddress {
    fn from(src: types::IPAddress) -> Self {
        Self {
-            family: src.family.into(),
+            family: src.family.unwrap().into(),
            address: "".to_string(),
            mask: "".to_string(),
        }
@@ -190,14 +172,13 @@ impl From<Interface> for types::Interface {
        Self {
            device: from.device,
            name: from.name,
-            IPAddresses: from_vec(from.ip_addresses),
+            IPAddresses: trans_vec(from.ip_addresses),
            mtu: from.mtu,
            hwAddr: from.hw_addr,
            pciPath: from.pci_addr,
-            field_type: from.field_type,
+            type_: from.field_type,
            raw_flags: from.raw_flags,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -207,11 +188,11 @@ impl From<types::Interface> for Interface {
        Self {
            device: src.device,
            name: src.name,
-            ip_addresses: into_vec(src.IPAddresses),
+            ip_addresses: trans_vec(src.IPAddresses),
            mtu: src.mtu,
            hw_addr: src.hwAddr,
            pci_addr: src.pciPath,
-            field_type: src.field_type,
+            field_type: src.type_,
            raw_flags: src.raw_flags,
        }
    }
@@ -220,7 +201,7 @@ impl From<types::Interface> for Interface {
 impl From<agent::Interfaces> for Interfaces {
    fn from(src: agent::Interfaces) -> Self {
        Self {
-            interfaces: into_vec(src.Interfaces),
+            interfaces: trans_vec(src.Interfaces),
        }
    }
 }
@@ -233,9 +214,8 @@ impl From<Route> for types::Route {
            device: from.device,
            source: from.source,
            scope: from.scope,
-            family: from.family.into(),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            family: protobuf::EnumOrUnknown::new(from.family.into()),
+            ..Default::default()
        }
    }
 }
@@ -248,7 +228,7 @@ impl From<types::Route> for Route {
            device: src.device,
            source: src.source,
            scope: src.scope,
-            family: src.family.into(),
+            family: src.family.unwrap().into(),
        }
    }
 }
@@ -256,9 +236,8 @@ impl From<types::Route> for Route {
 impl From<Routes> for agent::Routes {
    fn from(from: Routes) -> Self {
        Self {
-            Routes: from_vec(from.routes),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            Routes: trans_vec(from.routes),
+            ..Default::default()
        }
    }
 }
@@ -266,7 +245,7 @@ impl From<Routes> for agent::Routes {
 impl From<agent::Routes> for Routes {
    fn from(src: agent::Routes) -> Self {
        Self {
-            routes: into_vec(src.Routes),
+            routes: trans_vec(src.Routes),
        }
    }
 }
@@ -277,12 +256,11 @@ impl From<CreateContainerRequest> for agent::CreateContainerRequest {
            container_id: from.process_id.container_id(),
            exec_id: from.process_id.exec_id(),
            string_user: from_option(from.string_user),
-            devices: from_vec(from.devices),
-            storages: from_vec(from.storages),
+            devices: trans_vec(from.devices),
+            storages: trans_vec(from.storages),
            OCI: from_option(from.oci),
            sandbox_pidns: from.sandbox_pidns,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -292,8 +270,7 @@ impl From<RemoveContainerRequest> for agent::RemoveContainerRequest {
        Self {
            container_id: from.container_id,
            timeout: from.timeout,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -302,8 +279,7 @@ impl From<ContainerID> for agent::StartContainerRequest {
    fn from(from: ContainerID) -> Self {
        Self {
            container_id: from.container_id,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -312,8 +288,7 @@ impl From<ContainerID> for agent::StatsContainerRequest {
    fn from(from: ContainerID) -> Self {
        Self {
            container_id: from.container_id,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -322,8 +297,7 @@ impl From<ContainerID> for agent::PauseContainerRequest {
    fn from(from: ContainerID) -> Self {
        Self {
            container_id: from.container_id,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -332,8 +306,7 @@ impl From<ContainerID> for agent::ResumeContainerRequest {
    fn from(from: ContainerID) -> Self {
        Self {
            container_id: from.container_id,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -344,8 +317,7 @@ impl From<SignalProcessRequest> for agent::SignalProcessRequest {
            container_id: from.process_id.container_id(),
            exec_id: from.process_id.exec_id(),
            signal: from.signal,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -355,8 +327,7 @@ impl From<WaitProcessRequest> for agent::WaitProcessRequest {
        Self {
            container_id: from.process_id.container_id(),
            exec_id: from.process_id.exec_id(),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -366,8 +337,7 @@ impl From<UpdateContainerRequest> for agent::UpdateContainerRequest {
        Self {
            container_id: from.container_id,
            resources: from_option(Some(from.resources)),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -378,8 +348,7 @@ impl From<WriteStreamRequest> for agent::WriteStreamRequest {
            container_id: from.process_id.container_id(),
            exec_id: from.process_id.exec_id(),
            data: from.data,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -402,7 +371,7 @@ impl From<GetIPTablesRequest> for agent::GetIPTablesRequest {
 impl From<agent::GetIPTablesResponse> for GetIPTablesResponse {
    fn from(from: agent::GetIPTablesResponse) -> Self {
        Self {
-            data: from.get_data().to_vec(),
+            data: from.data().to_vec(),
        }
    }
 }
@@ -420,7 +389,7 @@ impl From<SetIPTablesRequest> for agent::SetIPTablesRequest {
 impl From<agent::SetIPTablesResponse> for SetIPTablesResponse {
    fn from(from: agent::SetIPTablesResponse) -> Self {
        Self {
-            data: from.get_data().to_vec(),
+            data: from.data().to_vec(),
        }
    }
 }
@@ -432,8 +401,7 @@ impl From<ExecProcessRequest> for agent::ExecProcessRequest {
            exec_id: from.process_id.exec_id(),
            string_user: from_option(from.string_user),
            process: from_option(from.process),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -515,14 +483,14 @@ impl From<agent::BlkioStatsEntry> for BlkioStatsEntry {
 impl From<agent::BlkioStats> for BlkioStats {
    fn from(src: agent::BlkioStats) -> Self {
        Self {
-            io_service_bytes_recursive: into_vec(src.io_service_bytes_recursive),
-            io_serviced_recursive: into_vec(src.io_serviced_recursive),
-            io_queued_recursive: into_vec(src.io_queued_recursive),
-            io_service_time_recursive: into_vec(src.io_service_time_recursive),
-            io_wait_time_recursive: into_vec(src.io_wait_time_recursive),
-            io_merged_recursive: into_vec(src.io_merged_recursive),
-            io_time_recursive: into_vec(src.io_time_recursive),
-            sectors_recursive: into_vec(src.sectors_recursive),
+            io_service_bytes_recursive: trans_vec(src.io_service_bytes_recursive),
+            io_serviced_recursive: trans_vec(src.io_serviced_recursive),
+            io_queued_recursive: trans_vec(src.io_queued_recursive),
+            io_service_time_recursive: trans_vec(src.io_service_time_recursive),
+            io_wait_time_recursive: trans_vec(src.io_wait_time_recursive),
+            io_merged_recursive: trans_vec(src.io_merged_recursive),
+            io_time_recursive: trans_vec(src.io_time_recursive),
+            sectors_recursive: trans_vec(src.sectors_recursive),
        }
    }
 }
@@ -570,7 +538,7 @@ impl From<agent::StatsContainerResponse> for StatsContainerResponse {
    fn from(src: agent::StatsContainerResponse) -> Self {
        Self {
            cgroup_stats: into_option(src.cgroup_stats),
-            network_stats: into_vec(src.network_stats),
+            network_stats: trans_vec(src.network_stats),
        }
    }
 }
@@ -581,8 +549,7 @@ impl From<ReadStreamRequest> for agent::ReadStreamRequest {
            container_id: from.process_id.container_id(),
            exec_id: from.process_id.exec_id(),
            len: from.len,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -598,8 +565,7 @@ impl From<CloseStdinRequest> for agent::CloseStdinRequest {
        Self {
            container_id: from.process_id.container_id(),
            exec_id: from.process_id.exec_id(),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -611,8 +577,7 @@ impl From<TtyWinResizeRequest> for agent::TtyWinResizeRequest {
            exec_id: from.process_id.exec_id(),
            row: from.row,
            column: from.column,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -621,8 +586,7 @@ impl From<UpdateInterfaceRequest> for agent::UpdateInterfaceRequest {
    fn from(from: UpdateInterfaceRequest) -> Self {
        Self {
            interface: from_option(from.interface),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -630,8 +594,7 @@ impl From<UpdateInterfaceRequest> for agent::UpdateInterfaceRequest {
 impl From<Empty> for agent::ListInterfacesRequest {
    fn from(_: Empty) -> Self {
        Self {
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -640,8 +603,7 @@ impl From<UpdateRoutesRequest> for agent::UpdateRoutesRequest {
    fn from(from: UpdateRoutesRequest) -> Self {
        Self {
            routes: from_option(from.route),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -649,8 +611,7 @@ impl From<UpdateRoutesRequest> for agent::UpdateRoutesRequest {
 impl From<Empty> for agent::ListRoutesRequest {
    fn from(_: Empty) -> Self {
        Self {
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -663,8 +624,7 @@ impl From<ARPNeighbor> for types::ARPNeighbor {
            lladdr: from.ll_addr,
            state: from.state,
            flags: from.flags,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -672,9 +632,8 @@ impl From<ARPNeighbor> for types::ARPNeighbor {
 impl From<ARPNeighbors> for agent::ARPNeighbors {
    fn from(from: ARPNeighbors) -> Self {
        Self {
-            ARPNeighbors: from_vec(from.neighbors),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ARPNeighbors: trans_vec(from.neighbors),
+            ..Default::default()
        }
    }
 }
@@ -683,8 +642,7 @@ impl From<AddArpNeighborRequest> for agent::AddARPNeighborsRequest {
    fn from(from: AddArpNeighborRequest) -> Self {
        Self {
            neighbors: from_option(from.neighbors),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -693,14 +651,13 @@ impl From<CreateSandboxRequest> for agent::CreateSandboxRequest {
    fn from(from: CreateSandboxRequest) -> Self {
        Self {
            hostname: from.hostname,
-            dns: from_vec(from.dns),
-            storages: from_vec(from.storages),
+            dns: trans_vec(from.dns),
+            storages: trans_vec(from.storages),
            sandbox_pidns: from.sandbox_pidns,
            sandbox_id: from.sandbox_id,
            guest_hook_path: from.guest_hook_path,
-            kernel_modules: from_vec(from.kernel_modules),
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            kernel_modules: trans_vec(from.kernel_modules),
+            ..Default::default()
        }
    }
 }
@@ -708,8 +665,7 @@ impl From<CreateSandboxRequest> for agent::CreateSandboxRequest {
 impl From<Empty> for agent::DestroySandboxRequest {
    fn from(_: Empty) -> Self {
        Self {
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -720,8 +676,7 @@ impl From<OnlineCPUMemRequest> for agent::OnlineCPUMemRequest {
            wait: from.wait,
            nb_cpus: from.nb_cpus,
            cpu_only: from.cpu_only,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -730,8 +685,7 @@ impl From<ReseedRandomDevRequest> for agent::ReseedRandomDevRequest {
    fn from(from: ReseedRandomDevRequest) -> Self {
        Self {
            data: from.data,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -740,8 +694,7 @@ impl From<MemHotplugByProbeRequest> for agent::MemHotplugByProbeRequest {
    fn from(from: MemHotplugByProbeRequest) -> Self {
        Self {
            memHotplugProbeAddr: from.mem_hotplug_probe_addr,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -751,8 +704,7 @@ impl From<SetGuestDateTimeRequest> for agent::SetGuestDateTimeRequest {
        Self {
            Sec: from.sec,
            Usec: from.usec,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -762,8 +714,8 @@ impl From<agent::AgentDetails> for AgentDetails {
        Self {
            version: src.version,
            init_daemon: src.init_daemon,
-            device_handlers: into_vec(src.device_handlers),
-            storage_handlers: into_vec(src.storage_handlers),
+            device_handlers: trans_vec(src.device_handlers),
+            storage_handlers: trans_vec(src.storage_handlers),
            supports_seccomp: src.supports_seccomp,
        }
    }
@@ -790,8 +742,7 @@ impl From<CopyFileRequest> for agent::CopyFileRequest {
            gid: from.gid,
            offset: from.offset,
            data: from.data,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -807,8 +758,7 @@ impl From<agent::WaitProcessResponse> for WaitProcessResponse {
 impl From<Empty> for agent::GetOOMEventRequest {
    fn from(_: Empty) -> Self {
        Self {
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -817,8 +767,7 @@ impl From<CheckRequest> for health::CheckRequest {
    fn from(from: CheckRequest) -> Self {
        Self {
            service: from.service,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -826,7 +775,7 @@ impl From<CheckRequest> for health::CheckRequest {
 impl From<health::HealthCheckResponse> for HealthCheckResponse {
    fn from(from: health::HealthCheckResponse) -> Self {
        Self {
-            status: from.status as u32,
+            status: from.status.value() as u32,
        }
    }
 }
@@ -852,8 +801,7 @@ impl From<VolumeStatsRequest> for agent::VolumeStatsRequest {
    fn from(from: VolumeStatsRequest) -> Self {
        Self {
            volume_guest_path: from.volume_guest_path,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
@@ -862,8 +810,8 @@ impl From<csi::VolumeStatsResponse> for VolumeStatsResponse {
    fn from(from: csi::VolumeStatsResponse) -> Self {
        let result: String = format!(
            "Usage: {:?} Volume Condition: {:?}",
-            from.get_usage(),
-            from.get_volume_condition()
+            from.usage(),
+            from.volume_condition()
        );
        Self { data: result }
    }
@@ -874,8 +822,7 @@ impl From<ResizeVolumeRequest> for agent::ResizeVolumeRequest {
        Self {
            volume_guest_path: from.volume_guest_path,
            size: from.size,
-            unknown_fields: Default::default(),
-            cached_size: Default::default(),
+            ..Default::default()
        }
    }
 }
--- a/src/runtime-rs/crates/agent/src/types.rs
+++ b/src/runtime-rs/crates/agent/src/types.rs
@@ -20,14 +20,9 @@ impl Empty {
    }
 }

-impl Default for FSGroupChangePolicy {
-    fn default() -> Self {
-        FSGroupChangePolicy::Always
-    }
-}
-
-#[derive(Debug, Clone, PartialEq)]
+#[derive(Default, Debug, Clone, PartialEq)]
 pub enum FSGroupChangePolicy {
+    #[default]
    Always = 0,
    OnRootMismatch = 1,
 }
@@ -65,18 +60,13 @@ pub struct Storage {
    pub mount_point: String,
 }

-#[derive(Deserialize, Clone, PartialEq, Eq, Debug, Hash)]
+#[derive(Deserialize, Default, Clone, PartialEq, Eq, Debug, Hash)]
 pub enum IPFamily {
+    #[default]
    V4 = 0,
    V6 = 1,
 }

-impl ::std::default::Default for IPFamily {
-    fn default() -> Self {
-        IPFamily::V4
-    }
-}
-
 #[derive(Deserialize, Debug, PartialEq, Clone, Default)]
 pub struct IPAddress {
    pub family: IPFamily,
--- a/src/runtime-rs/crates/hypervisor/Cargo.toml
+++ b/src/runtime-rs/crates/hypervisor/Cargo.toml
@@ -21,7 +21,7 @@ serde_json = ">=1.0.9"
 slog = "2.5.2"
 slog-scope = "4.4.0"
 thiserror = "1.0"
-tokio = { version = "1.8.0", features = ["sync", "fs"] }
+tokio = { version = "1.28.1", features = ["sync", "fs"] }
 vmm-sys-util = "0.11.0"
 rand = "0.8.4"

--- a/src/runtime-rs/crates/hypervisor/ch-config/Cargo.toml
+++ b/src/runtime-rs/crates/hypervisor/ch-config/Cargo.toml
@@ -13,7 +13,7 @@ edition = "2021"
 anyhow = "1.0.68"
 serde = { version = "1.0.145", features = ["rc", "derive"] }
 serde_json = "1.0.91"
-tokio = { version = "1.25.0", features = ["sync", "rt"] }
+tokio = { version = "1.28.1", features = ["sync", "rt"] }

 # Cloud Hypervisor public HTTP API functions
 # Note that the version specified is not necessarily the version of CH
--- a/src/runtime-rs/crates/hypervisor/src/ch/inner_device.rs
+++ b/src/runtime-rs/crates/hypervisor/src/ch/inner_device.rs
@@ -42,7 +42,7 @@ impl CloudHypervisorInner {
        match device {
            Device::ShareFsDevice(cfg) => self.handle_share_fs_device(cfg).await,
            Device::HybridVsock(cfg) => self.handle_hvsock_device(&cfg).await,
-            _ => return Err(anyhow!("unhandled device: {:?}", device)),
+            _ => Err(anyhow!("unhandled device: {:?}", device)),
        }
    }

--- a/src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs
+++ b/src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs
@@ -228,11 +228,9 @@ impl CloudHypervisorInner {

        let join_handle = self.cloud_hypervisor_ping_until_ready(CH_POLL_TIME_MS);

-        let result = tokio::time::timeout(Duration::new(timeout_secs as u64, 0), join_handle)
+        tokio::time::timeout(Duration::new(timeout_secs as u64, 0), join_handle)
            .await
-            .context(timeout_msg)?;
-
-        result
+            .context(timeout_msg)?
    }

    async fn cloud_hypervisor_ensure_not_launched(&self) -> Result<()> {
--- a/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs
+++ b/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs
@@ -188,6 +188,9 @@ impl DragonballInner {
            let args: Vec<&str> = opt_list.split(',').collect();
            for arg in args {
                match arg {
+                    "cache=none" => fs_cfg.cache_policy = String::from("none"),
+                    "cache=auto" => fs_cfg.cache_policy = String::from("auto"),
+                    "cache=always" => fs_cfg.cache_policy = String::from("always"),
                    "no_open" => fs_cfg.no_open = true,
                    "open" => fs_cfg.no_open = false,
                    "writeback_cache" => fs_cfg.writeback_cache = true,
--- a/src/runtime-rs/crates/resource/Cargo.toml
+++ b/src/runtime-rs/crates/resource/Cargo.toml
@@ -16,8 +16,10 @@ bitflags = "1.2.1"
 byte-unit = "4.0.14"
 cgroups-rs = "0.3.2"
 futures = "0.3.11"
+hex = "0.4.3"
 lazy_static = "1.4.0"
 libc = ">=0.2.39"
+netns-rs = "0.1.0"
 netlink-sys = "0.8.3"
 netlink-packet-route = "0.13.0"
 nix = "0.24.2"
@@ -28,7 +30,7 @@ serde = { version = "1.0.138", features = ["derive"] }
 serde_json = "1.0.82"
 slog = "2.5.2"
 slog-scope = "4.4.0"
-tokio = { version = "1.8.0", features = ["process"] }
+tokio = { version = "1.28.1", features = ["process"] }
 uuid = { version = "0.4", features = ["v4"] }

 agent = { path = "../agent" }
--- a/src/runtime-rs/crates/resource/src/manager.rs
+++ b/src/runtime-rs/crates/resource/src/manager.rs
@@ -4,6 +4,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //

+use crate::network::NetworkConfig;
 use crate::resource_persist::ResourceState;
 use crate::{manager_inner::ResourceManagerInner, rootfs::Rootfs, volume::Volume, ResourceConfig};
 use agent::{Agent, Storage};
@@ -55,6 +56,11 @@ impl ResourceManager {
        inner.prepare_before_start_vm(device_configs).await
    }

+    pub async fn handle_network(&self, network_config: NetworkConfig) -> Result<()> {
+        let mut inner = self.inner.write().await;
+        inner.handle_network(network_config).await
+    }
+
    pub async fn setup_after_start_vm(&self) -> Result<()> {
        let mut inner = self.inner.write().await;
        inner.setup_after_start_vm().await
--- a/src/runtime-rs/crates/resource/src/manager_inner.rs
+++ b/src/runtime-rs/crates/resource/src/manager_inner.rs
@@ -6,7 +6,7 @@

 use std::{sync::Arc, thread};

-use crate::resource_persist::ResourceState;
+use crate::{network::NetworkConfig, resource_persist::ResourceState};
 use agent::{Agent, Storage};
 use anyhow::{anyhow, Context, Ok, Result};
 use async_trait::async_trait;
@@ -89,32 +89,9 @@ impl ResourceManagerInner {
                    };
                }
                ResourceConfig::Network(c) => {
-                    // 1. When using Rust asynchronous programming, we use .await to
-                    //    allow other task to run instead of waiting for the completion of the current task.
-                    // 2. Also, when handling the pod network, we need to set the shim threads
-                    //    into the network namespace to perform those operations.
-                    // However, as the increase of the I/O intensive tasks, two issues could be caused by the two points above:
-                    // a. When the future is blocked, the current thread (which is in the pod netns)
-                    //    might be take over by other tasks. After the future is finished, the thread take over
-                    //    the current task might not be in the pod netns. But the current task still need to run in pod netns
-                    // b. When finish setting up the network, the current thread will be set back to the host namespace.
-                    //    In Rust Async, if the current thread is taken over by other task, the netns is dropped on another thread,
-                    //    but it is not in netns. So, the previous thread would still remain in the pod netns.
-                    // The solution is to block the future on the current thread, it is enabled by spawn an os thread, create a
-                    // tokio runtime, and block the task on it.
-                    let hypervisor = self.hypervisor.clone();
-                    let network = thread::spawn(move || -> Result<Arc<dyn Network>> {
-                        let rt = runtime::Builder::new_current_thread().enable_io().build()?;
-                        let d = rt.block_on(network::new(&c)).context("new network")?;
-                        rt.block_on(d.setup(hypervisor.as_ref()))
-                            .context("setup network")?;
-                        Ok(d)
-                    })
-                    .join()
-                    .map_err(|e| anyhow!("{:?}", e))
-                    .context("Couldn't join on the associated thread")?
-                    .context("failed to set up network")?;
-                    self.network = Some(network);
+                    self.handle_network(c)
+                        .await
+                        .context("failed to handle network")?;
                }
            };
        }
@@ -122,6 +99,38 @@ impl ResourceManagerInner {
        Ok(())
    }

+    pub async fn handle_network(&mut self, network_config: NetworkConfig) -> Result<()> {
+        // 1. When using Rust asynchronous programming, we use .await to
+        //    allow other task to run instead of waiting for the completion of the current task.
+        // 2. Also, when handling the pod network, we need to set the shim threads
+        //    into the network namespace to perform those operations.
+        // However, as the increase of the I/O intensive tasks, two issues could be caused by the two points above:
+        // a. When the future is blocked, the current thread (which is in the pod netns)
+        //    might be take over by other tasks. After the future is finished, the thread take over
+        //    the current task might not be in the pod netns. But the current task still need to run in pod netns
+        // b. When finish setting up the network, the current thread will be set back to the host namespace.
+        //    In Rust Async, if the current thread is taken over by other task, the netns is dropped on another thread,
+        //    but it is not in netns. So, the previous thread would still remain in the pod netns.
+        // The solution is to block the future on the current thread, it is enabled by spawn an os thread, create a
+        // tokio runtime, and block the task on it.
+        let hypervisor = self.hypervisor.clone();
+        let network = thread::spawn(move || -> Result<Arc<dyn Network>> {
+            let rt = runtime::Builder::new_current_thread().enable_io().build()?;
+            let d = rt
+                .block_on(network::new(&network_config))
+                .context("new network")?;
+            rt.block_on(d.setup(hypervisor.as_ref()))
+                .context("setup network")?;
+            Ok(d)
+        })
+        .join()
+        .map_err(|e| anyhow!("{:?}", e))
+        .context("Couldn't join on the associated thread")?
+        .context("failed to set up network")?;
+        self.network = Some(network);
+        Ok(())
+    }
+
    async fn handle_interfaces(&self, network: &dyn Network) -> Result<()> {
        for i in network.interfaces().await.context("get interfaces")? {
            // update interface
--- a/src/runtime-rs/crates/resource/src/network/mod.rs
+++ b/src/runtime-rs/crates/resource/src/network/mod.rs
@@ -18,7 +18,7 @@ use network_with_netns::NetworkWithNetns;
 mod network_pair;
 use network_pair::NetworkPair;
 mod utils;
-pub use utils::netns::NetnsGuard;
+pub use utils::netns::{generate_netns_name, NetnsGuard};

 use std::sync::Arc;

@@ -38,6 +38,7 @@ pub trait Network: Send + Sync {
    async fn routes(&self) -> Result<Vec<agent::Route>>;
    async fn neighs(&self) -> Result<Vec<agent::ARPNeighbor>>;
    async fn save(&self) -> Option<Vec<EndpointState>>;
+    async fn remove(&self, h: &dyn Hypervisor) -> Result<()>;
 }

 pub async fn new(config: &NetworkConfig) -> Result<Arc<dyn Network>> {
--- a/src/runtime-rs/crates/resource/src/network/network_with_netns.rs
+++ b/src/runtime-rs/crates/resource/src/network/network_with_netns.rs
@@ -4,9 +4,12 @@
 // SPDX-License-Identifier: Apache-2.0
 //

-use std::sync::{
-    atomic::{AtomicU32, Ordering},
-    Arc,
+use std::{
+    fs,
+    sync::{
+        atomic::{AtomicU32, Ordering},
+        Arc,
+    },
 };

 use super::endpoint::endpoint_persist::EndpointState;
@@ -14,6 +17,7 @@ use anyhow::{anyhow, Context, Result};
 use async_trait::async_trait;
 use futures::stream::TryStreamExt;
 use hypervisor::Hypervisor;
+use netns_rs::get_from_path;
 use scopeguard::defer;
 use tokio::sync::RwLock;

@@ -33,11 +37,13 @@ pub struct NetworkWithNetNsConfig {
    pub network_model: String,
    pub netns_path: String,
    pub queues: usize,
+    pub network_created: bool,
 }

 struct NetworkWithNetnsInner {
    netns_path: String,
    entity_list: Vec<NetworkEntity>,
+    network_created: bool,
 }

 impl NetworkWithNetnsInner {
@@ -54,6 +60,7 @@ impl NetworkWithNetnsInner {
        Ok(Self {
            netns_path: config.netns_path.to_string(),
            entity_list,
+            network_created: config.network_created,
        })
    }
 }
@@ -120,6 +127,26 @@ impl Network for NetworkWithNetns {
        }
        Some(endpoint)
    }
+
+    async fn remove(&self, h: &dyn Hypervisor) -> Result<()> {
+        let inner = self.inner.read().await;
+        // The network namespace would have been deleted at this point
+        // if it has not been created by virtcontainers.
+        if !inner.network_created {
+            return Ok(());
+        }
+        {
+            let _netns_guard =
+                netns::NetnsGuard::new(&inner.netns_path).context("net netns guard")?;
+            for e in &inner.entity_list {
+                e.endpoint.detach(h).await.context("detach")?;
+            }
+        }
+        let netns = get_from_path(inner.netns_path.clone())?;
+        netns.remove()?;
+        fs::remove_dir_all(inner.netns_path.clone()).context("failed to remove netns path")?;
+        Ok(())
+    }
 }

 async fn get_entity_from_netns(config: &NetworkWithNetNsConfig) -> Result<Vec<NetworkEntity>> {
--- a/src/runtime-rs/crates/resource/src/network/utils/address.rs
+++ b/src/runtime-rs/crates/resource/src/network/utils/address.rs
@@ -80,9 +80,7 @@ pub(crate) fn parse_ip(ip: &[u8], family: u8) -> Result<IpAddr> {
            octets.copy_from_slice(&ip[..16]);
            Ok(IpAddr::V6(Ipv6Addr::from(octets)))
        }
-        _ => {
-            return Err(anyhow!("unknown IP network family {}", family));
-        }
+        _ => Err(anyhow!("unknown IP network family {}", family)),
    }
 }

--- a/src/runtime-rs/crates/resource/src/network/utils/mod.rs
+++ b/src/runtime-rs/crates/resource/src/network/utils/mod.rs
@@ -25,7 +25,7 @@ pub(crate) fn parse_mac(s: &str) -> Option<hypervisor::Address> {

 pub(crate) fn get_mac_addr(b: &[u8]) -> Result<String> {
    if b.len() != 6 {
-        return Err(anyhow!("invalid mac address {:?}", b));
+        Err(anyhow!("invalid mac address {:?}", b))
    } else {
        Ok(format!(
            "{:02x}:{:02x}:{:02x}:{:02x}:{:02x}:{:02x}",
--- a/src/runtime-rs/crates/resource/src/network/utils/netns.rs
+++ b/src/runtime-rs/crates/resource/src/network/utils/netns.rs
@@ -9,6 +9,7 @@ use std::{fs::File, os::unix::io::AsRawFd};
 use anyhow::{Context, Result};
 use nix::sched::{setns, CloneFlags};
 use nix::unistd::{getpid, gettid};
+use rand::Rng;

 pub struct NetnsGuard {
    old_netns: Option<File>,
@@ -50,6 +51,20 @@ impl Drop for NetnsGuard {
    }
 }

+// generate the network namespace name
+pub fn generate_netns_name() -> String {
+    let mut rng = rand::thread_rng();
+    let random_bytes: [u8; 16] = rng.gen();
+    format!(
+        "cnitest-{}-{}-{}-{}-{}",
+        hex::encode(&random_bytes[..4]),
+        hex::encode(&random_bytes[4..6]),
+        hex::encode(&random_bytes[6..8]),
+        hex::encode(&random_bytes[8..10]),
+        hex::encode(&random_bytes[10..])
+    )
+}
+
 #[cfg(test)]
 mod tests {
    use super::*;
@@ -67,4 +82,14 @@ mod tests {
        let empty_path = "";
        assert!(NetnsGuard::new(empty_path).unwrap().old_netns.is_none());
    }
+
+    #[test]
+    fn test_generate_netns_name() {
+        let name1 = generate_netns_name();
+        let name2 = generate_netns_name();
+        let name3 = generate_netns_name();
+        assert_ne!(name1, name2);
+        assert_ne!(name2, name3);
+        assert_ne!(name1, name3);
+    }
 }
--- a/src/runtime-rs/crates/resource/src/rootfs/mod.rs
+++ b/src/runtime-rs/crates/resource/src/rootfs/mod.rs
@@ -79,7 +79,7 @@ impl RootFsResource {
                        .context("new share fs rootfs")?,
                    ))
                } else {
-                    return Err(anyhow!("share fs is unavailable"));
+                    Err(anyhow!("share fs is unavailable"))
                }
            }
            mounts_vec if is_single_layer_rootfs(mounts_vec) => {
@@ -114,12 +114,10 @@ impl RootFsResource {
                inner.rootfs.push(Arc::clone(&rootfs));
                Ok(rootfs)
            }
-            _ => {
-                return Err(anyhow!(
-                    "unsupported rootfs mounts count {}",
-                    rootfs_mounts.len()
-                ))
-            }
+            _ => Err(anyhow!(
+                "unsupported rootfs mounts count {}",
+                rootfs_mounts.len()
+            )),
        }
    }

--- a/src/runtime-rs/crates/resource/src/rootfs/nydus_rootfs.rs
+++ b/src/runtime-rs/crates/resource/src/rootfs/nydus_rootfs.rs
@@ -3,7 +3,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 //
-use std::{fs, sync::Arc};
+use std::{fs, path::Path, sync::Arc};

 use super::{Rootfs, TYPE_OVERLAY_FS};
 use crate::{
@@ -28,6 +28,8 @@ const NYDUS_ROOTFS_V6: &str = "v6";

 const SNAPSHOT_DIR: &str = "snapshotdir";
 const KATA_OVERLAY_DEV_TYPE: &str = "overlayfs";
+// nydus prefetch file list name
+const NYDUS_PREFETCH_FILE_LIST: &str = "prefetch_file.list";

 pub(crate) struct NydusRootfs {
    guest_path: String,
@@ -42,6 +44,9 @@ impl NydusRootfs {
        cid: &str,
        rootfs: &Mount,
    ) -> Result<Self> {
+        let prefetch_list_path =
+            get_nydus_prefetch_files(h.hypervisor_config().await.prefetch_list_path).await;
+
        let share_fs_mount = share_fs.get_share_fs_mount();
        let extra_options =
            NydusExtraOptions::new(rootfs).context("failed to parse nydus extra options")?;
@@ -59,7 +64,7 @@ impl NydusRootfs {
                    rafs_meta.to_string(),
                    rafs_mnt,
                    extra_options.config.clone(),
-                    None,
+                    prefetch_list_path,
                )
                .await
                .context("failed to do rafs mount")?;
@@ -151,3 +156,67 @@ impl Rootfs for NydusRootfs {
        Ok(())
    }
 }
+
+// Check prefetch files list path, and if invalid, discard it directly.
+// As the result of caller `rafs_mount`, it returns `Option<String>`.
+async fn get_nydus_prefetch_files(nydus_prefetch_path: String) -> Option<String> {
+    // nydus_prefetch_path is an annotation and pod with it will indicate
+    // that prefetch_files will be included.
+    if nydus_prefetch_path.is_empty() {
+        info!(sl!(), "nydus prefetch files path not set, just skip it.");
+
+        return None;
+    }
+
+    // Ensure the string ends with "/prefetch_files.list"
+    if !nydus_prefetch_path.ends_with(format!("/{}", NYDUS_PREFETCH_FILE_LIST).as_str()) {
+        info!(
+            sl!(),
+            "nydus prefetch file path no {:?} file exist.", NYDUS_PREFETCH_FILE_LIST
+        );
+
+        return None;
+    }
+
+    // ensure the prefetch_list_path is a regular file.
+    let prefetch_list_path = Path::new(nydus_prefetch_path.as_str());
+    if !prefetch_list_path.is_file() {
+        info!(
+            sl!(),
+            "nydus prefetch list file {:?} not a regular file", &prefetch_list_path
+        );
+
+        return None;
+    }
+
+    return Some(prefetch_list_path.display().to_string());
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::{fs::File, path::PathBuf};
+    use tempfile::tempdir;
+
+    #[tokio::test]
+    async fn test_get_nydus_prefetch_files() {
+        let temp_dir = tempdir().unwrap();
+        let prefetch_list_path01 = temp_dir.path().join("nydus_prefetch_files");
+        // /tmp_dir/nydus_prefetch_files/
+        std::fs::create_dir_all(prefetch_list_path01.clone()).unwrap();
+        // /tmp_dir/nydus_prefetch_files/prefetch_file.list
+        let prefetch_list_path02 = prefetch_list_path01
+            .as_path()
+            .join(NYDUS_PREFETCH_FILE_LIST);
+        let file = File::create(prefetch_list_path02.clone());
+        assert!(file.is_ok());
+
+        let prefetch_file =
+            get_nydus_prefetch_files(prefetch_list_path02.as_path().display().to_string()).await;
+        assert!(prefetch_file.is_some());
+        assert_eq!(PathBuf::from(prefetch_file.unwrap()), prefetch_list_path02);
+
+        drop(file);
+        temp_dir.close().unwrap_or_default();
+    }
+}
--- a/src/runtime-rs/crates/runtimes/Cargo.toml
+++ b/src/runtime-rs/crates/runtimes/Cargo.toml
@@ -8,9 +8,10 @@ license = "Apache-2.0"
 [dependencies]
 anyhow = "^1.0"
 lazy_static = "1.4.0"
+netns-rs = "0.1.0"
 slog = "2.5.2"
 slog-scope = "4.4.0"
-tokio = { version = "1.8.0", features = ["rt-multi-thread"] }
+tokio = { version = "1.28.1", features = ["rt-multi-thread"] }
 hyper = { version = "0.14.20", features = ["stream", "server", "http1"] }
 hyperlocal = "0.8"
 serde_json = "1.0.88"
@@ -26,6 +27,8 @@ oci = { path = "../../../libs/oci" }
 shim-interface = { path = "../../../libs/shim-interface" }
 persist = { path = "../persist" }
 hypervisor = { path = "../hypervisor" }
+resource = { path = "../resource" }
+
 # runtime handler
 linux_container = { path = "./linux_container", optional = true }
 virt_container = { path = "./virt_container", optional = true }
--- a/src/runtime-rs/crates/runtimes/common/Cargo.toml
+++ b/src/runtime-rs/crates/runtimes/common/Cargo.toml
@@ -10,17 +10,17 @@ license = "Apache-2.0"
 [dependencies]
 anyhow = "^1.0"
 async-trait = "0.1.48"
-containerd-shim-protos = { version = "0.2.0", features = ["async"]}
+containerd-shim-protos = { version = "0.3.0", features = ["async"]}
 lazy_static = "1.4.0"
 nix = "0.24.2"
-protobuf = "2.27.0"
+protobuf = "3.2.0"
 serde_json = "1.0.39"
 slog = "2.5.2"
 slog-scope = "4.4.0"
 strum = { version = "0.24.0", features = ["derive"] }
 thiserror = "^1.0"
-tokio = { version = "1.8.0", features = ["rt-multi-thread", "process", "fs"] }
-ttrpc = { version = "0.6.1" }
+tokio = { version = "1.28.1", features = ["rt-multi-thread", "process", "fs"] }
+ttrpc = { version = "0.7.1" }
 persist = {path = "../../persist"}
 agent = { path = "../../agent" }
 kata-sys-util = { path = "../../../../libs/kata-sys-util" }
--- a/src/runtime-rs/crates/runtimes/common/src/lib.rs
+++ b/src/runtime-rs/crates/runtimes/common/src/lib.rs
@@ -11,5 +11,5 @@ pub mod message;
 mod runtime_handler;
 pub use runtime_handler::{RuntimeHandler, RuntimeInstance};
 mod sandbox;
-pub use sandbox::Sandbox;
+pub use sandbox::{Sandbox, SandboxNetworkEnv};
 pub mod types;
--- a/src/runtime-rs/crates/runtimes/common/src/sandbox.rs
+++ b/src/runtime-rs/crates/runtimes/common/src/sandbox.rs
@@ -7,14 +7,20 @@
 use anyhow::Result;
 use async_trait::async_trait;

+#[derive(Clone)]
+pub struct SandboxNetworkEnv {
+    pub netns: Option<String>,
+    pub network_created: bool,
+}
+
 #[async_trait]
 pub trait Sandbox: Send + Sync {
    async fn start(
        &self,
-        netns: Option<String>,
        dns: Vec<String>,
        spec: &oci::Spec,
        state: &oci::State,
+        network_env: SandboxNetworkEnv,
    ) -> Result<()>;
    async fn stop(&self) -> Result<()>;
    async fn cleanup(&self) -> Result<()>;
--- a/src/runtime-rs/crates/runtimes/common/src/types/trans_from_agent.rs
+++ b/src/runtime-rs/crates/runtimes/common/src/types/trans_from_agent.rs
@@ -151,7 +151,7 @@ impl From<Option<agent::StatsContainerResponse>> for StatsInfo {
            }

            if !cg_stats.hugetlb_stats.is_empty() {
-                let mut p_huge = ::protobuf::RepeatedField::new();
+                let mut p_huge = Vec::new();
                for (k, v) in cg_stats.hugetlb_stats {
                    let mut h = metrics::HugetlbStat::new();
                    h.set_pagesize(k);
@@ -166,7 +166,7 @@ impl From<Option<agent::StatsContainerResponse>> for StatsInfo {

        let net_stats = stats.network_stats;
        if !net_stats.is_empty() {
-            let mut p_net = ::protobuf::RepeatedField::new();
+            let mut p_net = Vec::new();
            for v in net_stats.iter() {
                let mut h = metrics::NetworkStat::new();
                h.set_name(v.name.clone());
@@ -195,10 +195,8 @@ impl From<Option<agent::StatsContainerResponse>> for StatsInfo {
    }
 }

-fn copy_blkio_entry(
-    entry: &[agent::BlkioStatsEntry],
-) -> ::protobuf::RepeatedField<metrics::BlkIOEntry> {
-    let mut p_entry = ::protobuf::RepeatedField::new();
+fn copy_blkio_entry(entry: &[agent::BlkioStatsEntry]) -> Vec<metrics::BlkIOEntry> {
+    let mut p_entry = Vec::new();

    for e in entry.iter() {
        let mut blk = metrics::BlkIOEntry::new();
--- a/src/runtime-rs/crates/runtimes/common/src/types/trans_from_shim.rs
+++ b/src/runtime-rs/crates/runtimes/common/src/types/trans_from_shim.rs
@@ -16,7 +16,7 @@ use std::{
    path::PathBuf,
 };

-fn trans_from_shim_mount(from: api::Mount) -> Mount {
+fn trans_from_shim_mount(from: &api::Mount) -> Mount {
    let options = from.options.to_vec();
    let mut read_only = false;
    for o in &options {
@@ -29,7 +29,7 @@ fn trans_from_shim_mount(from: api::Mount) -> Mount {
    Mount {
        source: from.source.clone(),
        destination: PathBuf::from(&from.target),
-        fs_type: from.field_type,
+        fs_type: from.type_.clone(),
        options,
        device_id: None,
        host_shared_fs_path: None,
@@ -41,19 +41,14 @@ impl TryFrom<api::CreateTaskRequest> for Request {
    type Error = anyhow::Error;
    fn try_from(from: api::CreateTaskRequest) -> Result<Self> {
        let options = if from.has_options() {
-            Some(from.get_options().get_value().to_vec())
+            Some(from.options().value.to_vec())
        } else {
            None
        };
        Ok(Request::CreateContainer(ContainerConfig {
            container_id: from.id.clone(),
            bundle: from.bundle.clone(),
-            rootfs_mounts: from
-                .rootfs
-                .to_vec()
-                .into_iter()
-                .map(trans_from_shim_mount)
-                .collect(),
+            rootfs_mounts: from.rootfs.iter().map(trans_from_shim_mount).collect(),
            terminal: from.terminal,
            options,
            stdin: (!from.stdin.is_empty()).then(|| from.stdin.clone()),
@@ -84,15 +79,15 @@ impl TryFrom<api::DeleteRequest> for Request {
 impl TryFrom<api::ExecProcessRequest> for Request {
    type Error = anyhow::Error;
    fn try_from(from: api::ExecProcessRequest) -> Result<Self> {
-        let spec = from.get_spec();
+        let spec = from.spec();
        Ok(Request::ExecProcess(ExecProcessRequest {
            process: ContainerProcess::new(&from.id, &from.exec_id).context("new process id")?,
            terminal: from.terminal,
            stdin: (!from.stdin.is_empty()).then(|| from.stdin.clone()),
            stdout: (!from.stdout.is_empty()).then(|| from.stdout.clone()),
            stderr: (!from.stderr.is_empty()).then(|| from.stderr.clone()),
-            spec_type_url: spec.get_type_url().to_string(),
-            spec_value: spec.get_value().to_vec(),
+            spec_type_url: spec.type_url.to_string(),
+            spec_value: spec.value.to_vec(),
        }))
    }
 }
@@ -182,7 +177,7 @@ impl TryFrom<api::UpdateTaskRequest> for Request {
    fn try_from(from: api::UpdateTaskRequest) -> Result<Self> {
        Ok(Request::UpdateContainer(UpdateRequest {
            container_id: from.id.to_string(),
-            value: from.get_resources().get_value().to_vec(),
+            value: from.resources().value.to_vec(),
        }))
    }
 }
--- a/src/runtime-rs/crates/runtimes/common/src/types/trans_into_shim.rs
+++ b/src/runtime-rs/crates/runtimes/common/src/types/trans_into_shim.rs
@@ -16,24 +16,24 @@ use containerd_shim_protos::api;
 use super::{ProcessExitStatus, ProcessStateInfo, ProcessStatus, Response};
 use crate::error::Error;

-fn system_time_into(time: time::SystemTime) -> ::protobuf::well_known_types::Timestamp {
-    let mut proto_time = ::protobuf::well_known_types::Timestamp::new();
-    proto_time.set_seconds(
-        time.duration_since(time::UNIX_EPOCH)
-            .unwrap_or_default()
-            .as_secs()
-            .try_into()
-            .unwrap_or_default(),
-    );
+fn system_time_into(time: time::SystemTime) -> ::protobuf::well_known_types::timestamp::Timestamp {
+    let mut proto_time = ::protobuf::well_known_types::timestamp::Timestamp::new();
+    proto_time.seconds = time
+        .duration_since(time::UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs()
+        .try_into()
+        .unwrap_or_default();
+
    proto_time
 }

 fn option_system_time_into(
    time: Option<time::SystemTime>,
-) -> ::protobuf::SingularPtrField<::protobuf::well_known_types::Timestamp> {
+) -> protobuf::MessageField<protobuf::well_known_types::timestamp::Timestamp> {
    match time {
-        Some(v) => ::protobuf::SingularPtrField::some(system_time_into(v)),
-        None => ::protobuf::SingularPtrField::none(),
+        Some(v) => ::protobuf::MessageField::some(system_time_into(v)),
+        None => ::protobuf::MessageField::none(),
    }
 }

@@ -66,7 +66,7 @@ impl From<ProcessStateInfo> for api::StateResponse {
            id: from.container_id.clone(),
            bundle: from.bundle.clone(),
            pid: from.pid.pid,
-            status: from.status.into(),
+            status: protobuf::EnumOrUnknown::new(from.status.into()),
            stdin: from.stdin.unwrap_or_default(),
            stdout: from.stdout.unwrap_or_default(),
            stderr: from.stderr.unwrap_or_default(),
@@ -164,13 +164,13 @@ impl TryFrom<Response> for api::StateResponse {
 impl TryFrom<Response> for api::StatsResponse {
    type Error = anyhow::Error;
    fn try_from(from: Response) -> Result<Self> {
-        let mut any = ::protobuf::well_known_types::Any::new();
+        let mut any = ::protobuf::well_known_types::any::Any::new();
        let mut response = api::StatsResponse::new();
        match from {
            Response::StatsContainer(resp) => {
                if let Some(value) = resp.value {
-                    any.set_type_url(value.type_url);
-                    any.set_value(value.value);
+                    any.type_url = value.type_url;
+                    any.value = value.value;
                    response.set_stats(any);
                }
                Ok(response)
@@ -193,8 +193,7 @@ impl TryFrom<Response> for api::PidsResponse {
                let mut res = api::PidsResponse::new();
                p_info.set_pid(resp.pid);
                processes.push(p_info);
-                let v = protobuf::RepeatedField::<api::ProcessInfo>::from_vec(processes);
-                res.set_processes(v);
+                res.set_processes(processes);
                Ok(res)
            }
            _ => Err(anyhow!(Error::UnexpectedResponse(
--- a/src/runtime-rs/crates/runtimes/linux_container/Cargo.toml
+++ b/src/runtime-rs/crates/runtimes/linux_container/Cargo.toml
@@ -7,7 +7,7 @@ edition = "2018"
 [dependencies]
 anyhow = "^1.0"
 async-trait = "0.1.48"
-tokio = { version = "1.8.0" }
+tokio = { version = "1.28.1" }

 common = { path = "../common" }
-kata-types = { path = "../../../../libs/kata-types" }
+kata-types = { path = "../../../../libs/kata-types" }
--- a/src/runtime-rs/crates/runtimes/src/manager.rs
+++ b/src/runtime-rs/crates/runtimes/src/manager.rs
@@ -4,20 +4,22 @@
 // SPDX-License-Identifier: Apache-2.0
 //

-use std::{str::from_utf8, sync::Arc};
-
-use anyhow::{anyhow, Context, Result};
+use std::{path::PathBuf, str::from_utf8, sync::Arc};

 use crate::{shim_mgmt::server::MgmtServer, static_resource::StaticResourceManager};
+use anyhow::{anyhow, Context, Result};
 use common::{
    message::Message,
    types::{Request, Response},
-    RuntimeHandler, RuntimeInstance, Sandbox,
+    RuntimeHandler, RuntimeInstance, Sandbox, SandboxNetworkEnv,
 };
 use hypervisor::Param;
+use kata_sys_util::spec::load_oci_spec;
 use kata_types::{
    annotations::Annotation, config::default::DEFAULT_GUEST_DNS_FILE, config::TomlConfig,
 };
+use netns_rs::NetNs;
+use resource::network::generate_netns_name;

 #[cfg(feature = "linux")]
 use linux_container::LinuxContainer;
@@ -53,7 +55,7 @@ impl RuntimeHandlerManagerInner {
        &mut self,
        spec: &oci::Spec,
        state: &oci::State,
-        netns: Option<String>,
+        network_env: SandboxNetworkEnv,
        dns: Vec<String>,
        config: Arc<TomlConfig>,
    ) -> Result<()> {
@@ -77,7 +79,7 @@ impl RuntimeHandlerManagerInner {
        // start sandbox
        runtime_instance
            .sandbox
-            .start(netns, dns, spec, state)
+            .start(dns, spec, state, network_env)
            .await
            .context("start sandbox")?;
        self.runtime_instance = Some(Arc::new(runtime_instance));
@@ -104,23 +106,6 @@ impl RuntimeHandlerManagerInner {
        #[cfg(feature = "virt")]
        VirtContainer::init().context("init virt container")?;

-        let netns = if let Some(linux) = &spec.linux {
-            let mut netns = None;
-            for ns in &linux.namespaces {
-                if ns.r#type.as_str() != oci::NETWORKNAMESPACE {
-                    continue;
-                }
-
-                if !ns.path.is_empty() {
-                    netns = Some(ns.path.clone());
-                    break;
-                }
-            }
-            netns
-        } else {
-            None
-        };
-
        for m in &spec.mounts {
            if m.destination == DEFAULT_GUEST_DNS_FILE {
                let contents = fs::read_to_string(&m.source).await?;
@@ -129,7 +114,42 @@ impl RuntimeHandlerManagerInner {
        }

        let config = load_config(spec, options).context("load config")?;
-        self.init_runtime_handler(spec, state, netns, dns, Arc::new(config))
+
+        let mut network_created = false;
+        // set netns to None if we want no network for the VM
+        let netns = if config.runtime.disable_new_netns {
+            None
+        } else {
+            let mut netns_path = None;
+            if let Some(linux) = &spec.linux {
+                for ns in &linux.namespaces {
+                    if ns.r#type.as_str() != oci::NETWORKNAMESPACE {
+                        continue;
+                    }
+                    // get netns path from oci spec
+                    if !ns.path.is_empty() {
+                        netns_path = Some(ns.path.clone());
+                    }
+                    // if we get empty netns from oci spec, we need to create netns for the VM
+                    else {
+                        let ns_name = generate_netns_name();
+                        let netns = NetNs::new(ns_name)?;
+                        let path = PathBuf::from(netns.path()).to_str().map(|s| s.to_string());
+                        info!(sl!(), "the netns path is {:?}", path);
+                        netns_path = path;
+                        network_created = true;
+                    }
+                    break;
+                }
+            }
+            netns_path
+        };
+
+        let network_env = SandboxNetworkEnv {
+            netns,
+            network_created,
+        };
+        self.init_runtime_handler(spec, state, network_env, dns, Arc::new(config))
            .await
            .context("init runtime handler")?;

@@ -171,9 +191,16 @@ impl RuntimeHandlerManager {
        let sender = inner.msg_sender.clone();
        let sandbox_state = persist::from_disk::<SandboxState>(&inner.id)
            .context("failed to load the sandbox state")?;
+
+        let config = if let Ok(spec) = load_oci_spec() {
+            load_config(&spec, &None).context("load config")?
+        } else {
+            TomlConfig::default()
+        };
+
        let sandbox_args = SandboxRestoreArgs {
            sid: inner.id.clone(),
-            toml_config: TomlConfig::default(),
+            toml_config: config,
            sender,
        };
        match sandbox_state.sandbox_type.clone() {
@@ -189,6 +216,10 @@ impl RuntimeHandlerManager {
            }
            #[cfg(feature = "virt")]
            name if name == VirtContainer::name() => {
+                if sandbox_args.toml_config.runtime.keep_abnormal {
+                    info!(sl!(), "skip cleanup for keep_abnormal");
+                    return Ok(());
+                }
                let sandbox = VirtSandbox::restore(sandbox_args, sandbox_state)
                    .await
                    .context("failed to restore the sandbox")?;
@@ -236,7 +267,7 @@ impl RuntimeHandlerManager {
                id: container_config.container_id.to_string(),
                status: oci::ContainerState::Creating,
                pid: 0,
-                bundle: bundler_path,
+                bundle: container_config.bundle.clone(),
                annotations: spec.annotations.clone(),
            };

@@ -366,12 +397,11 @@ fn load_config(spec: &oci::Spec, option: &Option<Vec<u8>>) -> Result<TomlConfig>
        path
    } else if let Some(option) = option {
        // get rid of the special characters in options to get the config path
-        let path = if option.len() > 2 {
+        if option.len() > 2 {
            from_utf8(&option[2..])?.to_string()
        } else {
            String::from("")
-        };
-        path
+        }
    } else {
        String::from("")
    };
--- a/src/runtime-rs/crates/runtimes/virt_container/Cargo.toml
+++ b/src/runtime-rs/crates/runtimes/virt_container/Cargo.toml
@@ -9,18 +9,18 @@ license = "Apache-2.0"
 anyhow = "^1.0"
 async-trait = "0.1.48"
 awaitgroup = "0.6.0"
-containerd-shim-protos = { version = "0.2.0", features = ["async"]}
+containerd-shim-protos = { version = "0.3.0", features = ["async"]}
 futures = "0.3.19"
 lazy_static = "1.4.0"
 libc = ">=0.2.39"
 nix = "0.24.2"
-protobuf = "2.27.0"
+protobuf = "3.2.0"
 serde = { version = "1.0.100", features = ["derive"] }
 serde_derive = "1.0.27"
 serde_json = "1.0.82"
 slog = "2.5.2"
 slog-scope = "4.4.0"
-tokio = { version = "1.8.0" }
+tokio = { version = "1.28.1" }
 toml = "0.4.2"
 url = "2.1.1"
 async-std = "1.12.0"
--- a/Show More
+++ b/Show More