release: Bump version to 3.22.0

Bump VERSION and helm-chart versions Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Merge pull request #11989 from Amulyam24/actionpz-ppc64le
2026-03-01 02:02:11 +00:00 · 2025-10-28 16:28:18 +01:00 · 2025-10-28 12:09:03 +00:00 · 2025-10-28 17:09:26 +05:30 · 2025-10-28 11:11:51 +01:00 · 2025-10-27 22:42:37 +01:00
327 changed files with 7184 additions and 2048 deletions
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -7,20 +7,26 @@
 self-hosted-runner:
  # Labels of self-hosted runner that linter should ignore
  labels:
+    - amd64-nvidia-a100
    - arm64-k8s
-    - ubuntu-22.04-arm
+    - containerd-v1.7
+    - containerd-v2.0
+    - containerd-v2.1
+    - containerd-v2.2
    - garm-ubuntu-2004
    - garm-ubuntu-2004-smaller
    - garm-ubuntu-2204
    - garm-ubuntu-2304
    - garm-ubuntu-2304-smaller
    - garm-ubuntu-2204-smaller
-    - k8s-ppc64le
-    - metrics
    - ppc64le
+    - ppc64le-k8s
+    - ppc64le-small
+    - ubuntu-24.04-ppc64le
+    - metrics
    - riscv-builder
    - sev-snp
    - s390x
    - s390x-large
    - tdx
-    - amd64-nvidia-a100
+    - ubuntu-22.04-arm
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -3,23 +3,16 @@ name: Lint GHA workflows
 on:
  workflow_dispatch:
  pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
-    paths:
-      - '.github/workflows/**'

 permissions: {}

-
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

 jobs:
  run-actionlint:
+    name: run-actionlint
    env:
      GH_TOKEN: ${{ github.token }}
    runs-on: ubuntu-24.04
--- a/.github/workflows/basic-ci-amd64.yaml
+++ b/.github/workflows/basic-ci-amd64.yaml
@@ -17,6 +17,7 @@ permissions: {}

 jobs:
  run-containerd-sandboxapi:
+    name: run-containerd-sandboxapi
    strategy:
      # We can set this to true whenever we're 100% sure that
      # the all the tests are not flaky, otherwise we'll fail
@@ -65,6 +66,7 @@ jobs:
        run: bash tests/integration/cri-containerd/gha-run.sh run

  run-containerd-stability:
+    name: run-containerd-stability
    strategy:
      fail-fast: false
      matrix:
@@ -107,6 +109,7 @@ jobs:
        run: bash tests/stability/gha-run.sh run

  run-nydus:
+    name: run-nydus
    strategy:
      # We can set this to true whenever we're 100% sure that
      # the all the tests are not flaky, otherwise we'll fail
@@ -152,6 +155,7 @@ jobs:
        run: bash tests/integration/nydus/gha-run.sh run

  run-runk:
+    name: run-runk
    # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether
    if: false
    runs-on: ubuntu-22.04
@@ -187,6 +191,7 @@ jobs:
        run: bash tests/integration/runk/gha-run.sh run

  run-tracing:
+    name: run-tracing
    strategy:
      fail-fast: false
      matrix:
@@ -231,6 +236,7 @@ jobs:
        run: bash tests/functional/tracing/gha-run.sh run

  run-vfio:
+    name: run-vfio
    strategy:
      fail-fast: false
      matrix:
@@ -274,6 +280,7 @@ jobs:
        run: bash tests/functional/vfio/gha-run.sh run

  run-docker-tests:
+    name: run-docker-tests
    strategy:
      # We can set this to true whenever we're 100% sure that
      # all the tests are not flaky, otherwise we'll fail them
@@ -317,6 +324,7 @@ jobs:
        run: bash tests/integration/docker/gha-run.sh run

  run-nerdctl-tests:
+    name: run-nerdctl-tests
    strategy:
      # We can set this to true whenever we're 100% sure that
      # all the tests are not flaky, otherwise we'll fail them
@@ -376,6 +384,7 @@ jobs:
          retention-days: 1

  run-kata-agent-apis:
+    name: run-kata-agent-apis
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/basic-ci-s390x.yaml
+++ b/.github/workflows/basic-ci-s390x.yaml
@@ -17,6 +17,7 @@ permissions: {}

 jobs:
  run-containerd-sandboxapi:
+    name: run-containerd-sandboxapi
    strategy:
      # We can set this to true whenever we're 100% sure that
      # the all the tests are not flaky, otherwise we'll fail
@@ -65,6 +66,7 @@ jobs:
        run: bash tests/integration/cri-containerd/gha-run.sh run

  run-containerd-stability:
+    name: run-containerd-stability
    strategy:
      fail-fast: false
      matrix:
@@ -106,6 +108,7 @@ jobs:
        run: bash tests/stability/gha-run.sh run

  run-docker-tests:
+    name: run-docker-tests
    strategy:
      # We can set this to true whenever we're 100% sure that
      # all the tests are not flaky, otherwise we'll fail them
--- a/.github/workflows/build-checks-preview-riscv64.yaml
+++ b/.github/workflows/build-checks-preview-riscv64.yaml
@@ -17,6 +17,7 @@ permissions: {}
 name: Build checks preview riscv64
 jobs:
  check:
+    name: check
    runs-on: ${{ inputs.instance }}
    strategy:
      fail-fast: false
@@ -123,9 +124,11 @@ jobs:
          echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
      - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
        run: |
-          cd ${{ matrix.component.path }}
-          ${{ matrix.command }}
+          cd "${COMPONENT_PATH}"
+          ${COMMAND}
        env:
+          COMMAND: ${{ matrix.command }}
+          COMPONENT_PATH: ${{ matrix.component.path }}
          RUST_BACKTRACE: "1"
          RUST_LIB_BACKTRACE: "0"
          SKIP_GO_VERSION_CHECK: "1"
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
@@ -11,6 +11,7 @@ permissions: {}
 name: Build checks
 jobs:
  check:
+    name: check
    runs-on: ${{ inputs.instance }}
    strategy:
      fail-fast: false
@@ -46,6 +47,7 @@ jobs:
            path: src/libs
            needs:
              - rust
+              - protobuf-compiler
          - name: agent-ctl
            path: src/tools/agent-ctl
            needs:
@@ -56,6 +58,7 @@ jobs:
            path: src/tools/kata-ctl
            needs:
              - rust
+              - protobuf-compiler
          - name: trace-forwarder
            path: src/tools/trace-forwarder
            needs:
@@ -126,9 +129,11 @@ jobs:
          echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
      - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
        run: |
-          cd ${{ matrix.component.path }}
-          ${{ matrix.command }}
+          cd "${COMPONENT_PATH}"
+          eval "${COMMAND}"
        env:
+          COMMAND: ${{ matrix.command }}
+          COMPONENT_PATH: ${{ matrix.component.path }}
          RUST_BACKTRACE: "1"
          RUST_LIB_BACKTRACE: "0"
          SKIP_GO_VERSION_CHECK: "1"
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -30,6 +30,7 @@ permissions: {}

 jobs:
  build-asset:
+    name: build-asset
    runs-on: ubuntu-22.04
    permissions:
      contents: read
@@ -96,7 +97,6 @@ jobs:
      - name: Build ${{ matrix.asset }}
        id: build
        run: |
-          [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${{ secrets.KBUILD_SIGN_PIN }}" >> "${GITHUB_ENV}"
          make "${KATA_ASSET}-tarball"
          build_dir=$(readlink -f build)
          # store-artifact does not work with symlink
@@ -110,12 +110,15 @@ jobs:
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}

      - name: Parse OCI image name and digest
        id: parse-oci-segments
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
        run: |
-          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+          oci_image="$(<"build/${KATA_ASSET}-oci-image")"
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

@@ -157,6 +160,7 @@ jobs:
          if-no-files-found: error

  build-asset-rootfs:
+    name: build-asset-rootfs
    runs-on: ubuntu-22.04
    needs: build-asset
    permissions:
@@ -203,7 +207,6 @@ jobs:
      - name: Build ${{ matrix.asset }}
        id: build
        run: |
-          [[ "${KATA_ASSET}" == *"nvidia"* ]] && echo "KBUILD_SIGN_PIN=${{ secrets.KBUILD_SIGN_PIN }}" >> "${GITHUB_ENV}"
          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
          make "${KATA_ASSET}-tarball"
          build_dir=$(readlink -f build)
@@ -218,6 +221,7 @@ jobs:
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -229,6 +233,7 @@ jobs:

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts:
+    name: remove-rootfs-binary-artifacts
    runs-on: ubuntu-22.04
    needs: build-asset-rootfs
    strategy:
@@ -246,6 +251,7 @@ jobs:

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts-for-release:
+    name: remove-rootfs-binary-artifacts-for-release
    runs-on: ubuntu-22.04
    needs: build-asset-rootfs
    strategy:
@@ -259,6 +265,7 @@ jobs:
          name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }}

  build-asset-shim-v2:
+    name: build-asset-shim-v2
    runs-on: ubuntu-22.04
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
    permissions:
@@ -320,6 +327,7 @@ jobs:
          if-no-files-found: error

  create-kata-tarball:
+    name: create-kata-tarball
    runs-on: ubuntu-22.04
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
    permissions:
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -23,11 +23,14 @@ on:
    secrets:
      QUAY_DEPLOYER_PASSWORD:
        required: false
+      KBUILD_SIGN_PIN:
+        required: true

 permissions: {}

 jobs:
  build-asset:
+    name: build-asset
    runs-on: ubuntu-22.04-arm
    permissions:
      contents: read
@@ -44,6 +47,7 @@ jobs:
          - kernel
          - kernel-dragonball-experimental
          - kernel-nvidia-gpu
+          - kernel-cca-confidential
          - nydus
          - ovmf
          - qemu
@@ -87,12 +91,15 @@ jobs:
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}

      - name: Parse OCI image name and digest
        id: parse-oci-segments
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
        run: |
-          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+          oci_image="$(<"build/${KATA_ASSET}-oci-image")"
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

@@ -134,6 +141,7 @@ jobs:
          if-no-files-found: error

  build-asset-rootfs:
+    name: build-asset-rootfs
    runs-on: ubuntu-22.04-arm
    needs: build-asset
    permissions:
@@ -189,6 +197,7 @@ jobs:
          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TARGET_BRANCH: ${{ inputs.target-branch }}
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}

      - name: store-artifact ${{ matrix.asset }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -200,6 +209,7 @@ jobs:

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts:
+    name: remove-rootfs-binary-artifacts
    runs-on: ubuntu-22.04-arm
    needs: build-asset-rootfs
    strategy:
@@ -214,6 +224,7 @@ jobs:

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts-for-release:
+    name: remove-rootfs-binary-artifacts-for-release
    runs-on: ubuntu-22.04-arm
    needs: build-asset-rootfs
    strategy:
@@ -227,6 +238,7 @@ jobs:
          name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}

  build-asset-shim-v2:
+    name: build-asset-shim-v2
    runs-on: ubuntu-22.04-arm
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
    permissions:
@@ -286,6 +298,7 @@ jobs:
          if-no-files-found: error

  create-kata-tarball:
+    name: create-kata-tarball
    runs-on: ubuntu-22.04-arm
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
    permissions:
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -28,10 +28,11 @@ permissions: {}

 jobs:
  build-asset:
+    name: build-asset
    permissions:
      contents: read
      packages: write
-    runs-on: ppc64le
+    runs-on: ppc64le-small
    strategy:
      matrix:
        asset:
@@ -87,7 +88,8 @@ jobs:
          if-no-files-found: error

  build-asset-rootfs:
-    runs-on: ppc64le
+    name: build-asset-rootfs
+    runs-on: ppc64le-small
    needs: build-asset
    permissions:
      contents: read
@@ -153,6 +155,7 @@ jobs:

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts:
+    name: remove-rootfs-binary-artifacts
    runs-on: ubuntu-22.04
    needs: build-asset-rootfs
    strategy:
@@ -166,7 +169,8 @@ jobs:
          name: kata-artifacts-ppc64le-${{ matrix.asset}}${{ inputs.tarball-suffix }}

  build-asset-shim-v2:
-    runs-on: ppc64le
+    name: build-asset-shim-v2
+    runs-on: ppc64le-small
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
    permissions:
      contents: read
@@ -225,7 +229,8 @@ jobs:
          if-no-files-found: error

  create-kata-tarball:
-    runs-on: ppc64le
+    name: create-kata-tarball
+    runs-on: ppc64le-small
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
    permissions:
      contents: read
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@@ -28,6 +28,7 @@ permissions: {}

 jobs:
  build-asset:
+    name: build-asset
    runs-on: riscv-builder
    permissions:
      contents: read
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -31,6 +31,7 @@ permissions: {}

 jobs:
  build-asset:
+    name: build-asset
    runs-on: s390x
    permissions:
      contents: read
@@ -90,8 +91,10 @@ jobs:
      - name: Parse OCI image name and digest
        id: parse-oci-segments
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
+        env:
+          ASSET: ${{ matrix.asset }}
        run: |
-          oci_image="$(<"build/${{ matrix.asset }}-oci-image")"
+          oci_image="$(<"build/${ASSET}-oci-image")"
          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"

@@ -119,6 +122,7 @@ jobs:
          if-no-files-found: error

  build-asset-rootfs:
+    name: build-asset-rootfs
    runs-on: s390x
    needs: build-asset
    permissions:
@@ -186,6 +190,7 @@ jobs:
          if-no-files-found: error

  build-asset-boot-image-se:
+    name: build-asset-boot-image-se
    runs-on: s390x
    needs: [build-asset, build-asset-rootfs]
    permissions:
@@ -235,6 +240,7 @@ jobs:

  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
  remove-rootfs-binary-artifacts:
+    name: remove-rootfs-binary-artifacts
    runs-on: ubuntu-22.04
    needs: [build-asset-rootfs, build-asset-boot-image-se]
    strategy:
@@ -250,6 +256,7 @@ jobs:
          name: kata-artifacts-s390x-${{ matrix.asset}}${{ inputs.tarball-suffix }}

  build-asset-shim-v2:
+    name: build-asset-shim-v2
    runs-on: s390x
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
    permissions:
@@ -311,6 +318,7 @@ jobs:
          if-no-files-found: error

  create-kata-tarball:
+    name: create-kata-tarball
    runs-on: s390x
    needs:
      - build-asset
--- a/.github/workflows/cargo-deny-runner.yaml
+++ b/.github/workflows/cargo-deny-runner.yaml
@@ -15,6 +15,7 @@ permissions: {}

 jobs:
  cargo-deny-runner:
+    name: cargo-deny-runner
    runs-on: ubuntu-22.04

    steps:
--- a/.github/workflows/ci-nightly-s390x.yaml
+++ b/.github/workflows/ci-nightly-s390x.yaml
@@ -8,6 +8,7 @@ permissions: {}

 jobs:
  check-internal-test-result:
+    name: check-internal-test-result
    runs-on: s390x
    strategy:
      fail-fast: false
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -1,6 +1,6 @@
 name: Kata Containers CI
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
    branches:
      - 'main'
    types:
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -66,6 +66,7 @@ jobs:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-and-publish-tee-confidential-unencrypted-image:
+    name: build-and-publish-tee-confidential-unencrypted-image
    permissions:
      contents: read
      packages: write
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -86,6 +86,8 @@ jobs:
      tarball-suffix: -${{ inputs.tag }}
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}
+    secrets:
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

  publish-kata-deploy-payload-arm64:
    needs: build-kata-static-tarball-arm64
@@ -177,12 +179,13 @@ jobs:
      tag: ${{ inputs.tag }}-ppc64le
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le
+      runner: ppc64le-small
      arch: ppc64le
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-and-publish-tee-confidential-unencrypted-image:
+    name: build-and-publish-tee-confidential-unencrypted-image
    permissions:
      contents: read
      packages: write
@@ -224,6 +227,7 @@ jobs:
          file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile

  publish-csi-driver-amd64:
+    name: publish-csi-driver-amd64
    needs: build-kata-static-tarball-amd64
    permissions:
      contents: read
@@ -491,7 +495,7 @@ jobs:
      tarball-suffix: -${{ inputs.tag }}
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le
+      runner: ppc64le-small
      arch: ppc64le
      containerd_version: ${{ matrix.params.containerd_version }}
      vmm: ${{ matrix.params.vmm }}
--- a/.github/workflows/cleanup-resources.yaml
+++ b/.github/workflows/cleanup-resources.yaml
@@ -8,6 +8,7 @@ permissions: {}

 jobs:
  cleanup-resources:
+    name: cleanup-resources
    runs-on: ubuntu-22.04
    permissions:
      id-token: write # Used for OIDC access to log into Azure
--- a/.github/workflows/darwin-tests.yaml
+++ b/.github/workflows/darwin-tests.yaml
@@ -15,8 +15,17 @@ concurrency:
 name: Darwin tests
 jobs:
  test:
+    name: test
    runs-on: macos-latest
    steps:
+    - name: Install Protoc
+      run: |
+        f=$(mktemp)
+        curl -sSLo "$f" https://github.com/protocolbuffers/protobuf/releases/download/v28.2/protoc-28.2-osx-aarch_64.zip
+        mkdir -p "$HOME/.local"
+        unzip -d "$HOME/.local" "$f"
+        echo "$HOME/.local/bin" >> "${GITHUB_PATH}"
+
    - name: Checkout code
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
@@ -27,5 +36,8 @@ jobs:
        ./tests/install_go.sh -f -p
        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"

+    - name: Install Rust
+      run: ./tests/install_rust.sh
+
    - name: Build utils
      run: ./ci/darwin-test.sh
--- a/.github/workflows/docs-url-alive-check.yaml
+++ b/.github/workflows/docs-url-alive-check.yaml
@@ -1,12 +1,14 @@
 on:
  schedule:
    - cron:  '0 23 * * 0'
+  workflow_dispatch:

 permissions: {}

 name: Docs URL Alive Check
 jobs:
  test:
+    name: test
    runs-on: ubuntu-22.04
    # don't run this action on forks
    if: github.repository_owner == 'kata-containers'
@@ -15,13 +17,12 @@ jobs:
    steps:
    - name: Set env
      run: |
-        echo "GOPATH=${{ github.workspace }}" >> "$GITHUB_ENV"
+        echo "GOPATH=${GITHUB_WORKSPACE}" >> "$GITHUB_ENV"
    - name: Checkout code
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        fetch-depth: 0
        persist-credentials: false
-        path: ./src/github.com/${{ github.repository }}

    - name: Install golang
      run: |
@@ -30,4 +31,4 @@ jobs:

    - name: Docs URL Alive Check
      run: |
-        cd "${GOPATH}/src/github.com/${{ github.repository }}" && make docs-url-alive-check
+        make docs-url-alive-check
--- a/.github/workflows/gatekeeper-skipper.yaml
+++ b/.github/workflows/gatekeeper-skipper.yaml
@@ -35,6 +35,7 @@ permissions: {}

 jobs:
  skipper:
+    name: skipper
    runs-on: ubuntu-22.04
    outputs:
      skip_build: ${{ steps.skipper.outputs.skip_build }}
--- a/.github/workflows/gatekeeper.yaml
+++ b/.github/workflows/gatekeeper.yaml
@@ -5,7 +5,7 @@ name: Gatekeeper
 # reporting the status.

 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
    types:
      - opened
      - synchronize
@@ -20,6 +20,7 @@ concurrency:

 jobs:
  gatekeeper:
+    name: gatekeeper
    runs-on: ubuntu-22.04
    permissions:
      actions: read
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -7,6 +7,7 @@ permissions: {}

 jobs:
  govulncheck:
+    name: govulncheck
    runs-on: ubuntu-22.04
    strategy:
      matrix:
@@ -39,11 +40,14 @@ jobs:
      - name: Build runtime binaries
        run: |
          cd src/runtime
-          make ${{ matrix.make_target }}
+          make "${MAKE_TARGET}"
        env:
+          MAKE_TARGET: ${{ matrix.make_target }}
          SKIP_GO_VERSION_CHECK: "1"

      - name: Run govulncheck on ${{ matrix.binary }}
+        env:
+          BINARY: ${{ matrix.binary }}
        run: |
          cd src/runtime
-          bash ../../tests/govulncheck-runner.sh "./${{ matrix.binary }}"
+          bash ../../tests/govulncheck-runner.sh "./${BINARY}"
--- a/.github/workflows/kata-runtime-classes-sync.yaml
+++ b/.github/workflows/kata-runtime-classes-sync.yaml
@@ -1,3 +1,5 @@
+name: kata-runtime-classes-sync
+
 on:
  pull_request:
    types:
@@ -14,6 +16,7 @@ concurrency:

 jobs:
  kata-deploy-runtime-classes-check:
+    name: kata-deploy-runtime-classes-check
    runs-on: ubuntu-22.04
    steps:
    - name: Checkout code
--- a/.github/workflows/nydus-snapshotter-version-in-sync.yaml
+++ b/.github/workflows/nydus-snapshotter-version-in-sync.yaml
@@ -0,0 +1,35 @@
+name: nydus-snapshotter-version-sync
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  nydus-snapshotter-version-check:
+    name: nydus-snapshotter-version-check
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
+    - name: Ensure nydus-snapshotter-version is in sync inside our repo
+      run: |
+        dockerfile_version=$(grep "ARG NYDUS_SNAPSHOTTER_VERSION" tools/packaging/kata-deploy/Dockerfile | cut -f2 -d'=')
+        versions_version=$(yq ".externals.nydus-snapshotter.version | explode(.)" versions.yaml)
+        if [[ "${dockerfile_version}" != "${versions_version}" ]]; then
+          echo "nydus-snapshotter version must be the same in the following places: "
+          echo "- versions.yaml: ${versions_version}"
+          echo "- tools/packaging/kata-deploy/Dockerfile: ${dockerfile_version}"
+          exit 1
+        fi
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -39,6 +39,7 @@ jobs:
      target-branch: ${{ github.ref_name }}
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

  build-assets-s390x:
    permissions:
@@ -130,12 +131,13 @@ jobs:
      repo: kata-containers/kata-deploy-ci
      tag: kata-containers-latest-ppc64le
      target-branch: ${{ github.ref_name }}
-      runner: ppc64le
+      runner: ppc64le-small
      arch: ppc64le
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  publish-manifest:
+    name: publish-manifest
    runs-on: ubuntu-22.04
    permissions:
      contents: read
@@ -160,3 +162,41 @@ jobs:
        env:
          KATA_DEPLOY_IMAGE_TAGS: "kata-containers-latest"
          KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy-ci"
+
+  upload-helm-chart-tarball:
+    name: upload-helm-chart-tarball
+    needs: publish-manifest
+    runs-on: ubuntu-22.04
+    permissions:
+      packages: write # needed to push the helm chart to ghcr.io
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Install helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        id: install
+
+      - name: Login to the OCI registries
+        env:
+          QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
+          QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
+          echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
+
+      - name: Push helm chart to the OCI registries
+        run: |
+          echo "Adjusting the Chart.yaml and values.yaml"
+          yq eval '.version = "0.0.0-dev" | .appVersion = "0.0.0-dev"' -i tools/packaging/kata-deploy/helm-chart/kata-deploy/Chart.yaml
+          yq eval '.image.reference = "quay.io/kata-containers/kata-deploy-ci" | .image.tag = "kata-containers-latest"' -i tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
+
+          echo "Generating the chart package"
+          helm package tools/packaging/kata-deploy/helm-chart/kata-deploy
+
+          echo "Pushing the chart to the OCI registries"
+          helm push "kata-deploy-0.0.0-dev.tgz" oci://quay.io/kata-containers/kata-deploy-charts
+          helm push "kata-deploy-0.0.0-dev.tgz" oci://ghcr.io/kata-containers/kata-deploy-charts
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -38,6 +38,7 @@ permissions: {}

 jobs:
  kata-payload:
+    name: kata-payload
    permissions:
      contents: read
      packages: write
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -29,6 +29,7 @@ jobs:
      attestations: write

  kata-deploy:
+    name: kata-deploy
    needs: build-kata-static-tarball-amd64
    permissions:
      contents: read
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -8,6 +8,8 @@ on:
    secrets:
      QUAY_DEPLOYER_PASSWORD:
        required: true
+      KBUILD_SIGN_PIN:
+        required: true

 permissions: {}

@@ -19,6 +21,7 @@ jobs:
      stage: release
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
    permissions:
      contents: read
      packages: write
@@ -26,6 +29,7 @@ jobs:
      attestations: write

  kata-deploy:
+    name: kata-deploy
    needs: build-kata-static-tarball-arm64
    permissions:
      contents: read
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -26,11 +26,12 @@ jobs:
      attestations: write

  kata-deploy:
+    name: kata-deploy
    needs: build-kata-static-tarball-ppc64le
    permissions:
      contents: read
      packages: write
-    runs-on: ppc64le
+    runs-on: ppc64le-small
    steps:
      - name: Login to Kata Containers ghcr.io
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -30,6 +30,7 @@ jobs:


  kata-deploy:
+    name: kata-deploy
    needs: build-kata-static-tarball-s390x
    permissions:
      contents: read
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -6,6 +6,7 @@ permissions: {}

 jobs:
  release:
+    name: release
    runs-on: ubuntu-22.04
    permissions:
      contents: write # needed for the `gh release create` command
@@ -48,6 +49,7 @@ jobs:
      target-arch: arm64
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}

  build-and-push-assets-s390x:
    needs: release
@@ -77,6 +79,7 @@ jobs:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  publish-multi-arch-images:
+    name: publish-multi-arch-images
    runs-on: ubuntu-22.04
    needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
    permissions:
@@ -114,6 +117,7 @@ jobs:
          KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy ghcr.io/kata-containers/kata-deploy"

  upload-multi-arch-static-tarball:
+    name: upload-multi-arch-static-tarball
    needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
    permissions:
      contents: write # needed for the `gh release` commands
@@ -178,6 +182,7 @@ jobs:
          ARCHITECTURE: ppc64le

  upload-versions-yaml:
+    name: upload-versions-yaml
    needs: release
    runs-on: ubuntu-22.04
    permissions:
@@ -195,6 +200,7 @@ jobs:
          GH_TOKEN: ${{ github.token }}

  upload-cargo-vendored-tarball:
+    name: upload-cargo-vendored-tarball
    needs: release
    runs-on: ubuntu-22.04
    permissions:
@@ -212,6 +218,7 @@ jobs:
          GH_TOKEN: ${{ github.token }}

  upload-libseccomp-tarball:
+    name: upload-libseccomp-tarball
    needs: release
    runs-on: ubuntu-22.04
    permissions:
@@ -229,6 +236,7 @@ jobs:
          GH_TOKEN: ${{ github.token }}

  upload-helm-chart-tarball:
+    name: upload-helm-chart-tarball
    needs: release
    runs-on: ubuntu-22.04
    permissions:
@@ -253,10 +261,11 @@ jobs:
      - name: Login to the OCI registries
        env:
          QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          GITHUB_ACTOR: ${{ github.actor }}
+          QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+          GITHUB_TOKEN: ${{ github.token }}
        run: |
-          echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
-          echo "${{ github.token }}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
+          echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
+          echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin

      - name: Push helm chart to the OCI registries
        run: |
@@ -265,6 +274,7 @@ jobs:
          helm push "kata-deploy-${release_version}.tgz" oci://ghcr.io/kata-containers/kata-deploy-charts

  publish-release:
+    name: publish-release
    needs: [ build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le, publish-multi-arch-images, upload-multi-arch-static-tarball, upload-versions-yaml, upload-cargo-vendored-tarball, upload-libseccomp-tarball ]
    runs-on: ubuntu-22.04
    permissions:
--- a/.github/workflows/run-containerd-multi-snapshotter-stability-test.yaml
+++ b/.github/workflows/run-containerd-multi-snapshotter-stability-test.yaml
@@ -0,0 +1,164 @@
+name: CI | Run containerd multi-snapshotter stability test
+on:
+  schedule:
+    - cron: "0 */1 * * *" #run every hour
+
+permissions: {}
+
+# This job relies on k8s pre-installed using kubeadm
+jobs:
+  run-containerd-multi-snapshotter-stability-tests:
+    name: run-containerd-multi-snapshotter-stability-tests
+    strategy:
+      fail-fast: false
+      matrix:
+        containerd:
+          - v1.7
+          - v2.0
+          - v2.1
+          - v2.2
+    env:
+      # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here.
+      IMAGES_LIST: quay.io/mongodb/mongodb-community-server@sha256:8b73733842da21b6bbb6df4d7b2449229bb3135d2ec8c6880314d88205772a11 ghcr.io/edgelesssys/redis@sha256:ecb0a964c259a166a1eb62f0eb19621d42bd1cce0bc9bb0c71c828911d4ba93d
+    runs-on: containerd-${{ matrix.containerd }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Rotate the journal
+        run: sudo journalctl --rotate --vacuum-time 1s
+
+      - name: Pull the kata-deploy image to be used
+        run: sudo ctr -n k8s.io image pull quay.io/kata-containers/kata-deploy-ci:kata-containers-latest
+
+      - name: Deploy Kata Containers
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+        env:
+          KATA_HYPERVISOR: qemu-coco-dev
+          KUBERNETES: vanilla
+          SNAPSHOTTER: nydus
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
+
+      # This is needed as we may hit the createContainerTimeout
+      - name: Adjust Kata Containers' create_container_timeout
+        run: |
+          sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+          grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+
+      # This is needed in order to have enough tmpfs space inside the guest to pull the image
+      - name: Adjust Kata Containers' default_memory
+        run: |
+          sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+          grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+
+      - name: Run a few containers using overlayfs
+        run: |
+          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
+          # shellcheck disable=SC2086
+          for img in ${IMAGES_LIST}; do
+            echo "overlayfs | Using on image: ${img}"
+            pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
+            kubectl run "${pod}" \
+              -it --rm \
+              --restart=Never \
+              --image="${img}" \
+              --image-pull-policy=Always \
+              --pod-running-timeout=10m \
+              -- uname -r
+          done
+          
+      - name: Run a the same few containers using a different snapshotter
+        run: |
+          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
+          # shellcheck disable=SC2086
+          for img in ${IMAGES_LIST}; do
+            echo "nydus | Using on image: ${img}"
+            pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
+            kubectl run "${pod}" \
+              -it --rm \
+              --restart=Never \
+              --image="${img}" \
+              --image-pull-policy=Always \
+              --pod-running-timeout=10m \
+              --overrides='{
+                "spec": {
+                  "runtimeClassName": "kata-qemu-coco-dev"
+                }
+              }' \
+              -- uname -r
+          done
+
+      - name: Uninstall Kata Containers
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup
+        env:
+          KATA_HYPERVISOR: qemu-coco-dev
+          KUBERNETES: vanilla
+          SNAPSHOTTER: nydus
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
+
+      - name: Run a few containers using overlayfs
+        run: |
+          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
+          # shellcheck disable=SC2086
+          for img in ${IMAGES_LIST}; do
+            echo "overlayfs | Using on image: ${img}"
+            pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
+            kubectl run "${pod}" \
+              -it --rm \
+              --restart=Never \
+              --image=${img} \
+              --image-pull-policy=Always \
+              --pod-running-timeout=10m \
+              -- uname -r
+          done
+          
+      - name: Deploy Kata Containers
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+        env:
+          KATA_HYPERVISOR: qemu-coco-dev
+          KUBERNETES: vanilla
+          SNAPSHOTTER: nydus
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
+
+      # This is needed as we may hit the createContainerTimeout
+      - name: Adjust Kata Containers' create_container_timeout
+        run: |
+          sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+          grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+
+      # This is needed in order to have enough tmpfs space inside the guest to pull the image
+      - name: Adjust Kata Containers' default_memory
+        run: |
+          sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+          grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
+
+      - name: Run a the same few containers using a different snapshotter
+        run: |
+          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
+          # shellcheck disable=SC2086
+          for img in ${IMAGES_LIST}; do
+            echo "nydus | Using on image: ${img}"
+            pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
+            kubectl run "${pod}" \
+              -it --rm \
+              --restart=Never \
+              --image="${img}" \
+              --image-pull-policy=Always \
+              --pod-running-timeout=10m \
+              --overrides='{
+                "spec": {
+                  "runtimeClassName": "kata-qemu-coco-dev"
+                }
+              }' \
+              -- uname -r
+          done
+
+      - name: Uninstall Kata Containers
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup || true
+        if: always()
+        env:
+          KATA_HYPERVISOR: qemu-coco-dev
+          KUBERNETES: vanilla
+          SNAPSHOTTER: nydus
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -38,6 +38,7 @@ permissions: {}

 jobs:
  run-k8s-tests:
+    name: run-k8s-tests
    strategy:
      fail-fast: false
      matrix:
@@ -58,16 +59,13 @@ jobs:
            vmm: clh
            instance-type: small
            genpolicy-pull-method: oci-distribution
-            auto-generate-policy: yes
          - host_os: cbl-mariner
            vmm: clh
            instance-type: small
            genpolicy-pull-method: containerd
-            auto-generate-policy: yes
          - host_os: cbl-mariner
            vmm: clh
            instance-type: normal
-            auto-generate-policy: yes
    runs-on: ubuntu-22.04
    permissions:
      contents: read
@@ -84,7 +82,6 @@ jobs:
      USING_NFD: "false"
      K8S_TEST_HOST_TYPE: ${{ matrix.instance-type }}
      GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }}
-      AUTO_GENERATE_POLICY: ${{ matrix.auto-generate-policy }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@@ -148,6 +145,7 @@ jobs:
        run: bash tests/integration/kubernetes/gha-run.sh run-tests

      - name: Refresh OIDC token in case access token expired
+        if: always()
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ secrets.AZ_APPID }}
--- a/.github/workflows/run-k8s-tests-on-amd64.yaml
+++ b/.github/workflows/run-k8s-tests-on-amd64.yaml
@@ -26,6 +26,7 @@ permissions: {}

 jobs:
  run-k8s-tests-amd64:
+    name: run-k8s-tests-amd64
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/run-k8s-tests-on-arm64.yaml
+++ b/.github/workflows/run-k8s-tests-on-arm64.yaml
@@ -26,6 +26,7 @@ permissions: {}

 jobs:
  run-k8s-tests-on-arm64:
+    name: run-k8s-tests-on-arm64
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
+++ b/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
@@ -29,6 +29,7 @@ permissions: {}

 jobs:
  run-nvidia-gpu-tests-on-amd64:
+    name: run-nvidia-gpu-tests-on-amd64
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml
+++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
@@ -26,6 +26,7 @@ permissions: {}

 jobs:
  run-k8s-tests:
+    name: run-k8s-tests
    strategy:
      fail-fast: false
      matrix:
@@ -33,7 +34,7 @@ jobs:
          - qemu
        k8s:
          - kubeadm
-    runs-on: k8s-ppc64le
+    runs-on: ppc64le-k8s
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
      DOCKER_REPO: ${{ inputs.repo }}
@@ -62,11 +63,11 @@ jobs:
          ./tests/install_go.sh -f -p
          echo "/usr/local/go/bin" >> "$GITHUB_PATH"

-      - name: Prepare the runner for k8s cluster creation
-        run: bash "${HOME}/scripts/k8s_cluster_cleanup.sh"
+      - name: Prepare the runner for k8s test suite
+        run: bash "${HOME}/scripts/k8s_cluster_prepare.sh"

-      - name: Create k8s cluster using kubeadm
-        run: bash "${HOME}/scripts/k8s_cluster_create.sh"
+      - name: Check if cluster is healthy to run the tests
+        run: bash "${HOME}/scripts/k8s_cluster_check.sh"

      - name: Deploy Kata
        timeout-minutes: 10
@@ -75,6 +76,3 @@ jobs:
      - name: Run tests
        timeout-minutes: 30
        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Delete cluster and post cleanup actions
-        run: bash "${HOME}/scripts/k8s_cluster_cleanup.sh"
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@@ -29,6 +29,7 @@ permissions: {}

 jobs:
  run-k8s-tests:
+    name: run-k8s-tests
    strategy:
      fail-fast: false
      matrix:
@@ -105,7 +106,9 @@ jobs:
      # qemu-runtime-rs only works with overlayfs
      # See: https://github.com/kata-containers/kata-containers/issues/10066
      - name: Configure the ${{ matrix.snapshotter }} snapshotter
-        run: bash tests/integration/kubernetes/gha-run.sh ${{ matrix.deploy-cmd }}
+        env:
+          DEPLOY_CMD: ${{ matrix.deploy-cmd }}
+        run: bash tests/integration/kubernetes/gha-run.sh "${DEPLOY_CMD}"
        if: ${{ matrix.snapshotter != 'overlayfs' }}

      - name: Deploy Kata
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@@ -40,6 +40,7 @@ permissions: {}
 jobs:
  # Generate jobs for testing CoCo on non-TEE environments
  run-stability-k8s-tests-coco-nontee:
+    name: run-stability-k8s-tests-coco-nontee
    strategy:
      fail-fast: false
      matrix:
@@ -140,6 +141,7 @@ jobs:
        run: bash tests/stability/gha-stability-run.sh run-tests

      - name: Refresh OIDC token in case access token expired
+        if: always()
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ secrets.AZ_APPID }}
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -39,17 +39,17 @@ on:
 permissions: {}

 jobs:
-  run-k8s-tests-on-tdx:
+  run-k8s-tests-on-tee:
+    name: run-k8s-tests-on-tee
    strategy:
      fail-fast: false
      matrix:
-        vmm:
-          - qemu-tdx
-        snapshotter:
-          - nydus
-        pull-type:
-          - guest-pull
-    runs-on: tdx
+        include:
+          - runner: tdx
+            vmm: qemu-tdx
+          - runner: sev-snp
+            vmm: qemu-snp
+    runs-on: ${{ matrix.runner }}
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
      DOCKER_REPO: ${{ inputs.repo }}
@@ -57,15 +57,15 @@ jobs:
      GH_PR_NUMBER: ${{ inputs.pr-number }}
      KATA_HYPERVISOR: ${{ matrix.vmm }}
      KUBERNETES: "vanilla"
-      USING_NFD: "true"
+      USING_NFD: "false"
      KBS: "true"
      K8S_TEST_HOST_TYPE: "baremetal"
      KBS_INGRESS: "nodeport"
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      PULL_TYPE: ${{ matrix.pull-type }}
+      SNAPSHOTTER: "nydus"
+      PULL_TYPE: "guest-pull"
      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
+      GH_ITA_KEY: ${{ secrets.ITA_KEY }}
      AUTO_GENERATE_POLICY: "yes"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -80,13 +80,9 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

-      - name: Deploy Snapshotter
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
-
      - name: Deploy Kata
        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata

      - name: Uninstall previous `kbs-client`
        timeout-minutes: 10
@@ -95,6 +91,8 @@ jobs:
      - name: Deploy CoCo KBS
        timeout-minutes: 10
        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+        env:
+          ITA_KEY: ${{ env.KATA_HYPERVISOR == 'qemu-tdx' && env.GH_ITA_KEY || '' }}

      - name: Install `kbs-client`
        timeout-minutes: 10
@@ -108,102 +106,19 @@ jobs:
        timeout-minutes: 100
        run: bash tests/integration/kubernetes/gha-run.sh run-tests

+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
      - name: Delete kata-deploy
        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-tdx
-
-      - name: Delete Snapshotter
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup

      - name: Delete CoCo KBS
        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
-
-      - name: Delete CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
-
-  run-k8s-tests-sev-snp:
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu-snp
-        snapshotter:
-          - nydus
-        pull-type:
-          - guest-pull
-    runs-on: sev-snp
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBECONFIG: /home/kata/.kube/config
-      KUBERNETES: "vanilla"
-      USING_NFD: "false"
-      KBS: "true"
-      KBS_INGRESS: "nodeport"
-      K8S_TEST_HOST_TYPE: "baremetal"
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      PULL_TYPE: ${{ matrix.pull-type }}
-      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AUTO_GENERATE_POLICY: "yes"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Deploy Snapshotter
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-snp
-
-      - name: Uninstall previous `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
-
-      - name: Deploy CoCo KBS
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
-
-      - name: Install `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
-
-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
-
-      - name: Run tests
-        timeout-minutes: 50
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Delete kata-deploy
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-snp
-
-      - name: Delete Snapshotter
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
-
-      - name: Delete CoCo KBS
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+          [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && echo "ITA_KEY=${GH_ITA_KEY}" >> "${GITHUB_ENV}"
+          bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs

      - name: Delete CSI driver
        timeout-minutes: 5
@@ -211,6 +126,7 @@ jobs:

  # Generate jobs for testing CoCo on non-TEE environments
  run-k8s-tests-coco-nontee:
+    name: run-k8s-tests-coco-nontee
    strategy:
      fail-fast: false
      matrix:
@@ -220,6 +136,9 @@ jobs:
          - nydus
        pull-type:
          - guest-pull
+        include:
+          - pull-type: experimental-force-guest-pull
+            snapshotter: ""
    runs-on: ubuntu-22.04
    permissions:
      id-token: write # Used for OIDC access to log into Azure
@@ -245,7 +164,6 @@ jobs:
      # insufficient resources.
      K8S_TEST_HOST_TYPE: "all"
      USING_NFD: "false"
-      AUTO_GENERATE_POLICY: "yes"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@@ -295,13 +213,13 @@ jobs:
      - name: Download credentials for the Kubernetes CLI to use them
        run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials

-      - name: Deploy Snapshotter
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
-
      - name: Deploy Kata
        timeout-minutes: 10
        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
+        env:
+          EXPERIMENTAL_FORCE_GUEST_PULL: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && env.KATA_HYPERVISOR || '' }}
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ env.SNAPSHOTTER == 'nydus' }}
+          AUTO_GENERATE_POLICY: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && 'no' || 'yes' }}

      - name: Deploy CoCo KBS
        timeout-minutes: 10
@@ -324,6 +242,7 @@ jobs:
        run: bash tests/integration/kubernetes/gha-run.sh report-tests

      - name: Refresh OIDC token in case access token expired
+        if: always()
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ secrets.AZ_APPID }}
@@ -333,3 +252,95 @@ jobs:
      - name: Delete AKS cluster
        if: always()
        run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
+
+  # Generate jobs for testing CoCo on non-TEE environments with erofs-snapshotter
+  run-k8s-tests-coco-nontee-with-erofs-snapshotter:
+    name: run-k8s-tests-coco-nontee-with-erofs-snapshotter
+    strategy:
+      fail-fast: false
+      matrix:
+        vmm:
+          - qemu-coco-dev
+        snapshotter:
+          - erofs
+        pull-type:
+          - default
+    runs-on: ubuntu-24.04
+    environment: ci
+    env:
+      DOCKER_REGISTRY: ${{ inputs.registry }}
+      DOCKER_REPO: ${{ inputs.repo }}
+      DOCKER_TAG: ${{ inputs.tag }}
+      GH_PR_NUMBER: ${{ inputs.pr-number }}
+      KATA_HYPERVISOR: ${{ matrix.vmm }}
+      # Some tests rely on that variable to run (or not)
+      KBS: "false"
+      # Set the KBS ingress handler (empty string disables handling)
+      KBS_INGRESS: ""
+      KUBERNETES: "vanilla"
+      CONTAINER_ENGINE: "containerd"
+      CONTAINER_ENGINE_VERSION: "v2.2"
+      PULL_TYPE: ${{ matrix.pull-type }}
+      SNAPSHOTTER: ${{ matrix.snapshotter }}
+      USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: "true"
+      K8S_TEST_HOST_TYPE: "all"
+      USING_NFD: "false"
+      # We are skipping the auto generated policy tests for now,
+      # but those should be enabled as soon as we work on that.
+      AUTO_GENERATE_POLICY: "no"
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: Remove unnecessary directories to free up space
+        run: |
+          sudo rm -rf /usr/local/.ghcup
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /usr/local/share/boost
+          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+          sudo rm -rf /usr/lib/jvm
+          sudo rm -rf /usr/share/swift
+          sudo rm -rf /usr/local/share/powershell
+          sudo rm -rf /usr/local/julia*
+          sudo rm -rf /opt/az
+          sudo rm -rf /usr/local/share/chromium
+          sudo rm -rf /opt/microsoft
+          sudo rm -rf /opt/google
+          sudo rm -rf /usr/lib/firefox
+
+      - name: Deploy kubernetes
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Install `bats`
+        run: bash tests/integration/kubernetes/gha-run.sh install-bats
+
+      - name: Deploy Kata
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+
+      - name: Deploy CSI driver
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
+
+      - name: Run tests
+        timeout-minutes: 80
+        run: bash tests/integration/kubernetes/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -33,6 +33,7 @@ permissions: {}

 jobs:
  run-kata-deploy-tests:
+    name: run-kata-deploy-tests
    strategy:
      fail-fast: false
      matrix:
@@ -103,6 +104,7 @@ jobs:
        run: bash tests/functional/kata-deploy/gha-run.sh run-tests

      - name: Refresh OIDC token in case access token expired
+        if: always()
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ secrets.AZ_APPID }}
--- a/.github/workflows/run-kata-deploy-tests.yaml
+++ b/.github/workflows/run-kata-deploy-tests.yaml
@@ -26,6 +26,7 @@ permissions: {}

 jobs:
  run-kata-deploy-tests:
+    name: run-kata-deploy-tests
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/run-kata-monitor-tests.yaml
+++ b/.github/workflows/run-kata-monitor-tests.yaml
@@ -17,6 +17,7 @@ permissions: {}

 jobs:
  run-monitor:
+    name: run-monitor
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/run-metrics.yaml
+++ b/.github/workflows/run-metrics.yaml
@@ -26,6 +26,7 @@ permissions: {}

 jobs:
  run-metrics:
+    name: run-metrics
    strategy:
      # We can set this to true whenever we're 100% sure that
      # the all the tests are not flaky, otherwise we'll fail
--- a/.github/workflows/run-runk-tests.yaml
+++ b/.github/workflows/run-runk-tests.yaml
@@ -17,6 +17,7 @@ permissions: {}

 jobs:
  run-runk:
+    name: run-runk
    # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether
    if: false
    runs-on: ubuntu-22.04
--- a/.github/workflows/shellcheck.yaml
+++ b/.github/workflows/shellcheck.yaml
@@ -18,6 +18,7 @@ concurrency:

 jobs:
  shellcheck:
+    name: shellcheck
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout the code
--- a/.github/workflows/shellcheck_required.yaml
+++ b/.github/workflows/shellcheck_required.yaml
@@ -19,6 +19,7 @@ concurrency:

 jobs:
  shellcheck-required:
+    name: shellcheck-required
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout the code
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -8,6 +8,7 @@ permissions: {}

 jobs:
  stale:
+    name: stale
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
--- a/.github/workflows/static-checks-self-hosted.yaml
+++ b/.github/workflows/static-checks-self-hosted.yaml
@@ -30,7 +30,7 @@ jobs:
        instance:
          - "ubuntu-22.04-arm"
          - "s390x"
-          - "ppc64le"
+          - "ubuntu-24.04-ppc64le"
    uses: ./.github/workflows/build-checks.yaml
    with:
      instance: ${{ matrix.instance }}
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -22,6 +22,7 @@ jobs:
      target-branch: ${{ github.event.pull_request.base.ref }}

  check-kernel-config-version:
+    name: check-kernel-config-version
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    runs-on: ubuntu-22.04
@@ -54,6 +55,7 @@ jobs:
      instance: ubuntu-22.04

  build-checks-depending-on-kvm:
+    name: build-checks-depending-on-kvm
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
@@ -88,13 +90,16 @@ jobs:
      - name: Running `${{ matrix.command }}` for ${{ matrix.component }}
        run: |
          export PATH="$PATH:${HOME}/.cargo/bin"
-          cd ${{ matrix.component-path }}
-          ${{ matrix.command }}
+          cd "${COMPONENT_PATH}"
+          eval "${COMMAND}"
        env:
+          COMMAND: ${{ matrix.command }}
+          COMPONENT_PATH: ${{ matrix.component-path }}
          RUST_BACKTRACE: "1"
          RUST_LIB_BACKTRACE: "0"

  static-checks:
+    name: static-checks
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
@@ -117,13 +122,13 @@ jobs:
          path: ./src/github.com/${{ github.repository }}
      - name: Install yq
        run: |
-          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false
      - name: Install golang
        run: |
-          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./tests/install_go.sh -f -p
          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
      - name: Install system dependencies
@@ -131,7 +136,7 @@ jobs:
          sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc
      - name: Install open-policy-agent
        run: |
-          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
          ./tests/install_opa.sh
      - name: Install regorus
        env:
@@ -139,11 +144,13 @@ jobs:
          ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}"
          ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
        run: |
-          "${GOPATH}/src/github.com/${{ github.repository }}/tests/install_regorus.sh"
+          "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}/tests/install_regorus.sh"
      - name: Run check
+        env:
+          CMD: ${{ matrix.cmd }}
        run: |
          export PATH="${PATH}:${GOPATH}/bin"
-          cd "${GOPATH}/src/github.com/${{ github.repository }}" && ${{ matrix.cmd }}
+          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" && ${CMD}

  govulncheck:
    needs: skipper
@@ -151,6 +158,7 @@ jobs:
    uses: ./.github/workflows/govulncheck.yaml

  codegen:
+    name: codegen
    runs-on: ubuntu-22.04
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -1,7 +1,6 @@
 name: GHA security analysis

 on:
-  push:
  pull_request:

 permissions: {}
@@ -12,10 +11,8 @@ concurrency:

 jobs:
  zizmor:
+    name: zizmor
    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -24,6 +21,9 @@ jobs:
          persist-credentials: false

      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
        with:
+          advanced-security: false
+          annotations: true
          persona: auditor
+          version: v1.13.0
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -0,0 +1,3 @@
+rules:
+  undocumented-permissions:
+    disable: true
--- a/2
+++ b/2
@@ -1 +1 @@
-3.21.0
+3.22.0
--- a/ci/darwin-test.sh
+++ b/ci/darwin-test.sh
@@ -8,6 +8,7 @@ set -e

 cidir=$(dirname "$0")
 runtimedir=${cidir}/../src/runtime
+genpolicydir=${cidir}/../src/tools/genpolicy

 build_working_packages() {
 	# working packages:
@@ -40,3 +41,11 @@ build_working_packages() {
 }

 build_working_packages
+
+build_genpolicy() {
+	echo "building genpolicy"
+	pushd "${genpolicydir}" &>/dev/null
+	make TRIPLE=aarch64-apple-darwin build
+}
+
+build_genpolicy
--- a/ci/openshift-ci/cluster/install_kata.sh
+++ b/ci/openshift-ci/cluster/install_kata.sh
@@ -43,19 +43,22 @@ WORKAROUND_9206_CRIO=${WORKAROUND_9206_CRIO:-no}
 # Leverage kata-deploy to install Kata Containers in the cluster.
 #
 apply_kata_deploy() {
-	local deploy_file="tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml"
-	pushd "${katacontainers_repo_dir}" || die
-	sed -ri "s#(\s+image:) .*#\1 ${KATA_DEPLOY_IMAGE}#" "${deploy_file}"
+	if ! command -v helm &>/dev/null; then
+		echo "Helm not installed, installing in current location..."
+		PATH=".:${PATH}"
+		curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | HELM_INSTALL_DIR='.' bash -s -- --no-sudo
+	fi

-	info "Applying kata-deploy"
-	oc apply -f tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml
 	oc label --overwrite ns kube-system pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/audit=baseline
-	oc apply -f "${deploy_file}"
-	oc -n kube-system wait --timeout=10m --for=condition=Ready -l name=kata-deploy pod
+	local version chart
+	version=$(curl -sSL https://api.github.com/repos/kata-containers/kata-containers/releases/latest | jq .tag_name | tr -d '"')
+	chart="oci://ghcr.io/kata-containers/kata-deploy-charts/kata-deploy"

-	info "Adding the kata runtime classes"
-	oc apply -f tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
-	popd || die
+	# Ensure any potential leftover is cleaned up ... and this secret usually is not in case of previous failures
+	oc delete secret sh.helm.release.v1.kata-deploy.v1 -n kube-system || true
+
+	echo "Installing kata using helm ${chart} ${version}"
+	helm install kata-deploy --wait --namespace kube-system --set "image.reference=${KATA_DEPLOY_IMAGE%%:*},image.tag=${KATA_DEPLOY_IMAGE##*:}" "${chart}" --version "${version}"
 }


@@ -174,13 +177,13 @@ wait_for_app_pods_message() {
 	local namespace="$5"
 	[[ -z "${pod_count}" ]] && pod_count=1
 	[[ -z "${timeout}" ]] && timeout=60
-	[[ -n "${namespace}" ]] && namespace=" -n ${namespace} "
+	[[ -n "${namespace}" ]] && namespace=("-n" "${namespace}")
 	local pod
 	local pods
 	local i
 	SECONDS=0
 	while :; do
-		mapfile -t pods < <(oc get pods -l app="${app}" --no-headers=true "${namespace}" | awk '{print $1}')
+		mapfile -t pods < <(oc get pods -l app="${app}" --no-headers=true "${namespace[@]}" | awk '{print $1}')
 		[[ "${#pods}" -ge "${pod_count}" ]] && break
 		if [[ "${SECONDS}" -gt "${timeout}" ]]; then
 			printf "Unable to find ${pod_count} pods for '-l app=\"${app}\"' in ${SECONDS}s (%s)" "${pods[@]}"
@@ -190,7 +193,7 @@ wait_for_app_pods_message() {
 	local log
 	for pod in "${pods[@]}"; do
 		while :; do
-			log=$(oc logs "${namespace}" "${pod}")
+			log=$(oc logs "${namespace[@]}" "${pod}")
 			echo "${log}" | grep "${message}" -q && echo "Found $(echo "${log}" | grep "${message}") in ${pod}'s log (${SECONDS})" && break;
 			if [[ "${SECONDS}" -gt "${timeout}" ]]; then
 				echo -n "Message '${message}' not present in '${pod}' pod of the '-l app=\"${app}\"' "
--- a/ci/openshift-ci/peer-pods-azure.sh
+++ b/ci/openshift-ci/peer-pods-azure.sh
@@ -12,6 +12,33 @@

 SCRIPT_DIR=$(dirname "$0")

+##################
+# Helper functions
+##################
+
+# Sparse "git clone" supporting old git version
+# $1  - origin
+# $2  - revision
+# $3- - sparse checkout paths
+# Note: uses pushd to change into the clonned directory!
+git_sparse_clone() {
+  local origin="$1"
+  local revision="$2"
+  shift 2
+  local sparse_paths=("$@")
+
+  local repo
+  repo=$(basename -s .git "${origin}")
+
+  git init "${repo}"
+  pushd "${repo}" || exit 1
+  git remote add origin "${origin}"
+  git fetch --depth 1 origin "${revision}"
+  git sparse-checkout init --cone
+  git sparse-checkout set "${sparse_paths[@]}"
+  git checkout FETCH_HEAD
+}
+
 ###############################
 # Disable security to allow e2e
 ###############################
@@ -148,11 +175,7 @@ echo "CAA_TAG=\"${CAA_TAG}\""
 echo "PP_IMAGE_ID=\"${PP_IMAGE_ID}\""

 # Clone and configure caa
-git clone --revision "${CAA_GIT_SHA:-main}" --depth 1 --no-checkout https://github.com/confidential-containers/cloud-api-adaptor.git
-pushd cloud-api-adaptor
-git sparse-checkout init --cone
-git sparse-checkout set src/cloud-api-adaptor/install/
-git checkout
+git_sparse_clone "https://github.com/confidential-containers/cloud-api-adaptor.git" "${CAA_GIT_SHA:-main}" "src/cloud-api-adaptor/install/"
 echo "CAA_GIT_SHA=\"$(git rev-parse HEAD)\""
 pushd src/cloud-api-adaptor
 cat <<EOF > install/overlays/azure/workload-identity.yaml
@@ -219,11 +242,7 @@ echo "AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}" >> install/overlays/azure/serv
 echo "AZURE_TENANT_ID=${AZURE_TENANT_ID}" >> install/overlays/azure/service-principal.env

 # Deploy Operator
-git clone --revision "${OPERATOR_SHA:-main}" --depth 1 --no-checkout https://github.com/confidential-containers/operator
-pushd operator
-git sparse-checkout init --cone
-git sparse-checkout set "config/"
-git checkout
+git_sparse_clone "https://github.com/confidential-containers/operator" "${OPERATOR_SHA:-main}" "config/"
 echo "OPERATOR_SHA=\"$(git rev-parse HEAD)\""
 oc apply -k "config/release"
 oc apply -k "config/samples/ccruntime/peer-pods"
--- a/docs/Developer-Guide.md
+++ b/docs/Developer-Guide.md
@@ -450,7 +450,7 @@ You can build and install the guest kernel image as shown [here](../tools/packag
 # Install a hypervisor

 When setting up Kata using a [packaged installation method](install/README.md#installing-on-a-linux-system), the
-`QEMU` VMM is installed automatically. Cloud-Hypervisor, Firecracker and StratoVirt VMMs are available from the [release tarballs](https://github.com/kata-containers/kata-containers/releases), as well as through [`kata-deploy`](../tools/packaging/kata-deploy/README.md).
+`QEMU` VMM is installed automatically. Cloud-Hypervisor, Firecracker and StratoVirt VMMs are available from the [release tarballs](https://github.com/kata-containers/kata-containers/releases), as well as through [`kata-deploy`](../tools/packaging/kata-deploy/helm-chart/README.md).
 You may choose to manually build your VMM/hypervisor.

 ## Build a custom QEMU
--- a/docs/Limitations.md
+++ b/docs/Limitations.md
@@ -166,19 +166,65 @@ moment.
 See [this issue](https://github.com/kata-containers/runtime/issues/2812) for more details.
 [Another issue](https://github.com/kata-containers/kata-containers/issues/1728) focuses on the case of `emptyDir`.

-## Host resource sharing
+### Kubernetes [hostPath][k8s-hostpath] volumes

-### Privileged containers
+In Kata, Kubernetes hostPath volumes can mount host directories and
+regular files into the guest VM via filesystem sharing, if it is enabled
+through the `shared_fs` [configuration][runtime-config] flag.
+
+By default:
+
+ - Non-TEE environment: Filesystem sharing is used to mount host files.
+ - TEE environment: Filesystem sharing is disabled. Instead, host files
+   are copied into the guest VM when the container starts, and file
+   changes are *not* synchronized between the host and the guest.
+
+In some cases, the behavior of hostPath volumes in Kata is further
+different compared to `runc` containers:
+
+**Mounting host block devices**: When a hostPath volume is of type
+[`BlockDevice`][k8s-blockdevice], Kata hotplugs the host block device
+into the guest and exposes it directly to the container.
+
+**Mounting guest devices**: When the source path of a hostPath volume is
+under `/dev`, and the path either corresponds to a host device or is not
+accessible by the Kata shim, the Kata agent bind mounts the source path
+directly from the *guest* filesystem into the container.
+
+[runtime-config]: /src/runtime/README.md#configuration
+[k8s-hostpath]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
+[k8s-blockdevice]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath-volume-types
+
+### Mounting `procfs` and `sysfs`
+
+For security reasons, the following mounts are disallowed:
+
+| Type              | Source    | Destination                      | Rationale      |
+|-------------------|-----------|----------------------------------|----------------|
+| `bind`            | `!= proc` | `/proc`                          | CVE-2019-16884 |
+| `bind`            | `*`       | `/proc/*` (see exceptions below) | CVE-2019-16884 |
+| `proc \|\| sysfs` | `*`       | not a directory (e.g. symlink)   | CVE-2019-19921 |
+
+For bind mounts under /proc, these destinations are allowed:
+	
+ * `/proc/cpuinfo`
+ * `/proc/diskstats`
+ * `/proc/meminfo`
+ * `/proc/stat`
+ * `/proc/swaps`
+ * `/proc/uptime`
+ * `/proc/loadavg`
+ * `/proc/net/dev`
+
+## Privileged containers

 Privileged support in Kata is essentially different from `runc` containers.
-The container runs with elevated capabilities within the guest and is granted
-access to guest devices instead of the host devices.
+The container runs with elevated capabilities within the guest.
 This is also true with using `securityContext privileged=true` with Kubernetes.

-The container may also be granted full access to a subset of host devices
-(https://github.com/kata-containers/runtime/issues/1568).
-
-See [Privileged Kata Containers](how-to/privileged.md) for how to configure some of this behavior.
+Importantly, the default behavior to pass the host devices to a
+privileged container is not supported in Kata Containers and needs to be
+disabled, see [Privileged Kata Containers](how-to/privileged.md).

 # Appendices

--- a/docs/how-to/README.md
+++ b/docs/how-to/README.md
@@ -48,3 +48,4 @@
 - [How to use the Kata Agent Policy](how-to-use-the-kata-agent-policy.md)
 - [How to pull images in the guest](how-to-pull-images-in-guest-with-kata.md)
 - [How to use mem-agent to decrease the memory usage of Kata container](how-to-use-memory-agent.md)
+- [How to use seccomp with runtime-rs](how-to-use-seccomp-with-runtime-rs.md)
--- a/docs/how-to/how-to-run-kata-containers-with-SE-VMs.md
+++ b/docs/how-to/how-to-run-kata-containers-with-SE-VMs.md
@@ -318,7 +318,7 @@ Finally, an operational kata container with IBM Secure Execution is now running.

 It is reasonable to expect that the manual steps mentioned above can be easily executed.
 Typically, you can use
-[kata-deploy](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/README.md)
+[kata-deploy](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/helm-chart/README.md)
 to install Kata Containers on a Kubernetes cluster. However, when leveraging IBM Secure Execution,
 you need to employ the confidential container's
 [operator](https://github.com/confidential-containers/operator).
--- a/docs/how-to/how-to-use-seccomp-with-runtime-rs.md
+++ b/docs/how-to/how-to-use-seccomp-with-runtime-rs.md
@@ -0,0 +1,44 @@
+## Introduction
+
+To enhance security, Kata Containers supports using seccomp to restrict the hypervisor's system calls. Previously, this was only supported for a subset of hypervisors in runtime-go. Now, the runtime-rs also supports seccomp. This document describes how to enable/disable the seccomp feature for the corresponding hypervisor in runtime-rs.
+
+## Pre-requisites
+
+1. Ensure your system's kernel supports **seccomp**.
+2. Confirm that each of the following virtual machines can run correctly on your system.
+
+## Configure seccomp
+
+With the exception of `qemu`, seccomp is enabled by default for all other supported hypervisors. Their corresponding built-in functionalities are also enabled by default.
+
+### QEMU
+
+As with runtime-go, you need to modify the following in your **configuration file**. These parameters will be passed directly to the `qemu` startup command line. For more details on the parameters, you can refer to: [https://www.qemu.org/docs/master/system/qemu-manpage.html](https://www.qemu.org/docs/master/system/qemu-manpage.html)
+
+``` toml
+# Qemu seccomp sandbox feature
+# comma-separated list of seccomp sandbox features to control the syscall access.
+# For example, `seccompsandbox= "on,obsolete=deny,spawn=deny,resourcecontrol=deny"`
+# Note: "elevateprivileges=deny" doesn't work with daemonize option, so it's removed from the seccomp sandbox
+# Another note: enabling this feature may reduce performance, you may enable
+# /proc/sys/net/core/bpf_jit_enable to reduce the impact. see https://man7.org/linux/man-pages/man8/bpfc.8.html
+seccompsandbox="on,obsolete=deny,spawn=deny,resourcecontrol=deny"
+```
+### Cloud Hypervisor, Firecracker and Dragonball
+
+The **seccomp** functionality is enabled by default for the following three hypervisors: `cloud hypervisor`, `firecracker`, and `dragonball`.
+
+The seccomp rules for `cloud hypervisor` and `firecracker` are built directly into their executable files. For `dragonball`, the relevant configuration is currently located at `src/runtime-rs/crates/hypervisor/src/dragonball/seccomp.rs`.
+
+To disable this functionality for these hypervisors, you can modify the following configuration options in your **configuration file**.
+
+``` toml
+# Disable the 'seccomp' feature from Cloud Hypervisor, firecracker or dragonball, default false
+disable_seccomp = true
+```
+
+## Implementation details
+
+For `qemu`, `cloud hypervisor`, and `firecracker`, their **seccomp** functionality is built into the respective executable files you are using. **runtime-rs** simply provides command-line arguments for their launch based on the configuration file.
+
+For `dragonball`, a set of allowed system calls is currently provided for the entire **runtime-rs** process, and the process is prevented from using any system calls outside of this whitelist. As mentioned above, this set is located at `src/runtime-rs/crates/hypervisor/src/dragonball/seccomp.rs`.
--- a/docs/how-to/how-to-use-virtio-fs-with-kata.md
+++ b/docs/how-to/how-to-use-virtio-fs-with-kata.md
@@ -6,4 +6,4 @@ Container deployments utilize explicit or implicit file sharing between host fil

 As of the 2.0 release of Kata Containers, [virtio-fs](https://virtio-fs.gitlab.io/) is the default filesystem sharing mechanism.

-virtio-fs support works out of the box for `cloud-hypervisor` and `qemu`, when Kata Containers is deployed using `kata-deploy`. Learn more about `kata-deploy` and how to use `kata-deploy` in Kubernetes [here](../../tools/packaging/kata-deploy/README.md#kubernetes-quick-start).
+virtio-fs support works out of the box for `cloud-hypervisor` and `qemu`, when Kata Containers is deployed using `kata-deploy`. Learn more about `kata-deploy` and how to use `kata-deploy` in Kubernetes [here](../../tools/packaging/kata-deploy/helm-chart/README.md).
--- a/docs/how-to/privileged.md
+++ b/docs/how-to/privileged.md
@@ -1,22 +1,25 @@
 # Privileged Kata Containers

+> [!WARNING]
+> Whilst this functionality is supported, it can decrease the security of Kata Containers if not configured correctly.
+
 Kata Containers supports creation of containers that are "privileged" (i.e. have additional capabilities and access
 that is not normally granted).

-## Warnings
+## Enabling privileged containers without host devices

-**Warning:** Whilst this functionality is supported, it can decrease the security of Kata Containers if not configured 
-correctly.
+> [!TIP]
+> When Kata Containers is installed through
+> [kata-deploy](/tools/packaging/kata-deploy/helm-chart/README.md#kata-deploy-helm-chart), this mitigation is configured
+> out of the box, hence there is no action required in that case.

-### Host Devices
+By default, a privileged container attempts to expose all devices from the host. This is generally not supported in Kata
+Containers as the container is running a different kernel than the host.

-By default, when privileged is enabled for a container, all the `/dev/*` block devices from the host are mounted
-into the guest. This will allow the privileged container inside the Kata guest to gain access to mount any block device 
-from the host, a potentially undesirable side-effect that decreases the security of Kata.
+Instead, the following sections document how to disable this behavior in different container runtimes. Note that this
+mitigation does not affect a container's ability to mount *guest* devices.

-The following sections document how to configure this behavior in different container runtimes.
-
-#### Containerd
+## Containerd

 The Containerd allows configuring the privileged host devices behavior for each runtime in the containerd config. This is
 done with the `privileged_without_host_devices` option. Setting this to `true` will disable hot plugging of the host 
@@ -43,7 +46,7 @@ See below example config:
 - [How to use Kata Containers and containerd with Kubernetes](how-to-use-k8s-with-containerd-and-kata.md)
 - [Containerd CRI config documentation](https://github.com/containerd/containerd/blob/main/docs/cri/config.md)

-#### CRI-O
+## CRI-O

 Similar to containerd, CRI-O allows configuring the privileged host devices
 behavior for each runtime in the CRI config. This is done with the 
--- a/docs/install/kata-containers-3.0-rust-runtime-installation-guide.md
+++ b/docs/install/kata-containers-3.0-rust-runtime-installation-guide.md
@@ -32,7 +32,7 @@ architectures:

 ### Kata Deploy Installation

-Follow the [`kata-deploy`](../../tools/packaging/kata-deploy/README.md).
+Follow the [`kata-deploy`](../../tools/packaging/kata-deploy/helm-chart/README.md).
 ### Official packages
 `ToDo`
 ### Automatic Installation
--- a/docs/use-cases/using-Intel-QAT-and-kata.md
+++ b/docs/use-cases/using-Intel-QAT-and-kata.md
@@ -419,7 +419,7 @@ You might need to disable Docker before initializing Kubernetes. Be aware
 that the OpenSSL container image built above will need to be exported from
 Docker and imported into containerd.

-If Kata is installed through [`kata-deploy`](../../tools/packaging/kata-deploy/README.md)
+If Kata is installed through [`kata-deploy`](../../tools/packaging/kata-deploy/helm-chart/README.md)
 there will be multiple `configuration.toml` files associated with different
 hypervisors. Rather than add in the custom Kata kernel, Kata rootfs, and
 kernel modules to each `configuration.toml` as the default, instead use
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@@ -665,30 +665,6 @@ dependencies = [
 "shlex",
 ]

-[[package]]
-name = "cdi"
-version = "0.1.0"
-source = "git+https://github.com/cncf-tags/container-device-interface-rs?rev=3b1e83dda5efcc83c7a4f134466ec006b37109c9#3b1e83dda5efcc83c7a4f134466ec006b37109c9"
-dependencies = [
- "anyhow",
- "clap",
- "const_format",
- "jsonschema",
- "lazy_static",
- "libc",
- "nix 0.24.3",
- "notify",
- "oci-spec",
- "once_cell",
- "path-clean",
- "regex",
- "semver",
- "serde",
- "serde_derive",
- "serde_json",
- "serde_yaml",
-]
-
 [[package]]
 name = "cfg-if"
 version = "1.0.0"
@@ -808,6 +784,31 @@ dependencies = [
 "unicode-xid",
 ]

+[[package]]
+name = "container-device-interface"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "653849f0c250f73d9afab4b2a9a6b07adaee1f34c44ffa6f2d2c3f9392002c1a"
+dependencies = [
+ "anyhow",
+ "clap",
+ "const_format",
+ "jsonschema",
+ "lazy_static",
+ "libc",
+ "nix 0.24.3",
+ "notify",
+ "oci-spec",
+ "once_cell",
+ "path-clean",
+ "regex",
+ "semver",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "serde_yaml",
+]
+
 [[package]]
 name = "core-foundation-sys"
 version = "0.8.7"
@@ -2049,11 +2050,11 @@ dependencies = [
 "async-trait",
 "base64 0.22.1",
 "capctl",
- "cdi",
 "cfg-if",
 "cgroups-rs",
 "clap",
 "const_format",
+ "container-device-interface",
 "derivative",
 "futures",
 "ipnetwork",
@@ -2064,7 +2065,7 @@ dependencies = [
 "libc",
 "log",
 "logging",
- "mem-agent-lib",
+ "mem-agent",
 "netlink-packet-core",
 "netlink-packet-route",
 "netlink-sys 0.7.0",
@@ -2350,7 +2351,7 @@ dependencies = [
 ]

 [[package]]
-name = "mem-agent-lib"
+name = "mem-agent"
 version = "0.2.0"
 dependencies = [
 "anyhow",
--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@@ -13,8 +13,12 @@ lazy_static = "1.3.0"
 ttrpc = { version = "0.8.4", features = ["async"], default-features = false }
 protobuf = "3.7.2"
 libc = "0.2.94"
-# Notes: nix needs to stay in sync with libs
+
+# Notes:
+# - Needs to stay in sync with libs
+# - Upgrading to 0.27+ will require code changes (see #11842)
 nix = "0.26.4"
+
 capctl = "0.2.0"
 scan_fmt = "0.2.6"
 scopeguard = "1.0.0"
@@ -81,10 +85,10 @@ kata-agent-policy = { path = "policy" }
 rustjail = { path = "rustjail" }
 vsock-exporter = { path = "vsock-exporter" }

-mem-agent = { path = "../mem-agent", package = "mem-agent-lib" }
+mem-agent = { path = "../libs/mem-agent" }

 kata-sys-util = { path = "../libs/kata-sys-util" }
-kata-types = { path = "../libs/kata-types" }
+kata-types = { path = "../libs/kata-types", features = ["safe-path"] }
 # Note: this crate sets the slog 'max_*' features which allows the log level
 # to be modified at runtime.
 logging = { path = "../libs/logging" }
@@ -163,9 +167,6 @@ clap.workspace = true
 strum.workspace = true
 strum_macros.workspace = true

-# Agent Policy
-cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "3b1e83dda5efcc83c7a4f134466ec006b37109c9" }
-
 # Local dependencies
 kata-agent-policy = { workspace = true, optional = true }
 mem-agent.workspace = true
@@ -185,6 +186,8 @@ base64 = "0.22"
 sha2 = "0.10.8"
 async-compression = { version = "0.4.22", features = ["tokio", "gzip"] }

+container-device-interface = "0.1.0"
+
 [target.'cfg(target_arch = "s390x")'.dependencies]
 pv_core = { git = "https://github.com/ibm-s390-linux/s390-tools", rev = "4942504a9a2977d49989a5e5b7c1c8e07dc0fa41", package = "s390_pv_core" }

--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@@ -1037,6 +1037,12 @@ impl BaseContainer for LinuxContainer {
        let child_stderr: std::process::Stdio;

        if tty {
+            // NOTE(#11842): This code will require changes if we upgrade to nix 0.27+:
+            // - `pseudo` will contain OwnedFds instead of RawFds.
+            // - We'll have to use `OwnedFd::into_raw_fd()` which will
+            //   transfer the ownership to the caller.
+            // - The duplication strategy will not change.
+
            let pseudo = pty::openpty(None, None)?;
            p.term_master = Some(pseudo.master);
            let _ = fcntl::fcntl(pseudo.master, FcntlArg::F_SETFD(FdFlag::FD_CLOEXEC))
@@ -1045,8 +1051,8 @@ impl BaseContainer for LinuxContainer {
                .map_err(|e| warn!(logger, "fcntl pseudo.slave {:?}", e));

            child_stdin = unsafe { std::process::Stdio::from_raw_fd(pseudo.slave) };
-            child_stdout = unsafe { std::process::Stdio::from_raw_fd(pseudo.slave) };
-            child_stderr = unsafe { std::process::Stdio::from_raw_fd(pseudo.slave) };
+            child_stdout = unsafe { std::process::Stdio::from_raw_fd(unistd::dup(pseudo.slave)?) };
+            child_stderr = unsafe { std::process::Stdio::from_raw_fd(unistd::dup(pseudo.slave)?) };

            if let Some(proc_io) = &mut p.proc_io {
                // A reference count used to clean up the term master fd.
@@ -1914,7 +1920,7 @@ mod tests {
        let cgroups_path = format!(
            "/{}/dummycontainer{}",
            CGROUP_PARENT,
-            since_the_epoch.as_millis()
+            since_the_epoch.as_micros()
        );

        let mut spec = SpecBuilder::default()
--- a/src/agent/rustjail/src/mount.rs
+++ b/src/agent/rustjail/src/mount.rs
@@ -5,6 +5,7 @@

 use anyhow::{anyhow, Context, Result};
 use libc::uid_t;
+use nix::errno::Errno;
 use nix::fcntl::{self, OFlag};
 #[cfg(not(test))]
 use nix::mount;
@@ -336,25 +337,19 @@ fn check_proc_mount(m: &Mount) -> Result<()> {

    if mount_dest == PROC_PATH {
        // only allow a mount on-top of proc if it's source is "proc"
-        unsafe {
-            let mut stats = MaybeUninit::<libc::statfs>::uninit();
-            let mount_source = m.source().as_ref().unwrap().display().to_string();
-            if mount_source
-                .with_nix_path(|path| libc::statfs(path.as_ptr(), stats.as_mut_ptr()))
-                .is_ok()
-            {
-                if stats.assume_init().f_type == PROC_SUPER_MAGIC {
-                    return Ok(());
-                }
-            } else {
-                return Ok(());
-            }
+        let mount_source = m.source().as_ref().unwrap().display().to_string();

-            return Err(anyhow!(format!(
+        let mut stats = MaybeUninit::<libc::statfs>::uninit();
+        let statfs_ret = mount_source
+            .with_nix_path(|path| unsafe { libc::statfs(path.as_ptr(), stats.as_mut_ptr()) })?;
+
+        return match Errno::result(statfs_ret) {
+            Ok(_) if unsafe { stats.assume_init().f_type } == PROC_SUPER_MAGIC => Ok(()),
+            Ok(_) | Err(_) => Err(anyhow!(format!(
                "{} cannot be mounted to {} because it is not of type proc",
                &mount_source, &mount_dest
-            )));
-        }
+            ))),
+        };
    }

    if mount_dest.starts_with(PROC_PATH) {
--- a/src/agent/src/device/mod.rs
+++ b/src/agent/src/device/mod.rs
@@ -15,6 +15,7 @@ use anyhow::{anyhow, Context, Result};
 use cdi::annotations::parse_annotations;
 use cdi::cache::{new_cache, with_auto_refresh, CdiOption};
 use cdi::spec_dirs::with_spec_dirs;
+use container_device_interface as cdi;
 use kata_types::device::DeviceHandlerManager;
 use nix::sys::stat;
 use oci::{LinuxDeviceCgroup, Spec};
--- a/src/agent/src/netlink.rs
+++ b/src/agent/src/netlink.rs
@@ -401,7 +401,11 @@ impl Handle {
                }

                if let RouteAttribute::Oif(index) = attribute {
-                    route.device = self.find_link(LinkFilter::Index(*index)).await?.name();
+                    route.device = self
+                        .find_link(LinkFilter::Index(*index))
+                        .await
+                        .context(format!("error looking up device {index}"))?
+                        .name();
                }
            }

@@ -909,10 +913,15 @@ mod tests {
    use super::*;
    use netlink_packet_route::address::AddressHeader;
    use netlink_packet_route::link::LinkHeader;
+    use serial_test::serial;
    use std::iter;
    use std::process::Command;
    use test_utils::skip_if_not_root;

+    // Constants for ARP neighbor tests
+    const TEST_DUMMY_INTERFACE: &str = "dummy_for_arp";
+    const TEST_ARP_IP: &str = "192.0.2.127";
+
    #[tokio::test]
    async fn find_link_by_name() {
        let message = Handle::new()
@@ -972,11 +981,15 @@ mod tests {
    }

    #[tokio::test]
+    #[serial(arp_neighbor_tests)]
    async fn list_routes() {
+        clean_env_for_test_add_one_arp_neighbor(TEST_DUMMY_INTERFACE, TEST_ARP_IP);
+        let devices: Vec<Interface> = Handle::new().unwrap().list_interfaces().await.unwrap();
        let all = Handle::new()
            .unwrap()
            .list_routes()
            .await
+            .context(format!("available devices: {:?}", devices))
            .expect("Failed to list routes");

        assert_ne!(all.len(), 0);
@@ -1088,7 +1101,7 @@ mod tests {
            .expect("prepare: failed to delete neigh");
    }

-    fn prepare_env_for_test_add_one_arp_neighbor(dummy_name: &str, ip: &str) {
+    async fn prepare_env_for_test_add_one_arp_neighbor(dummy_name: &str, ip: &str) {
        clean_env_for_test_add_one_arp_neighbor(dummy_name, ip);
        // modprobe dummy
        Command::new("modprobe")
@@ -1102,9 +1115,9 @@ mod tests {
            .output()
            .expect("failed to add dummy interface");

-        // ip addr add 192.168.0.2/16 dev dummy
+        // ip addr add 192.0.2.2/24 dev dummy
        Command::new("ip")
-            .args(["addr", "add", "192.168.0.2/16", "dev", dummy_name])
+            .args(["addr", "add", "192.0.2.2/24", "dev", dummy_name])
            .output()
            .expect("failed to add ip for dummy");

@@ -1113,24 +1126,26 @@ mod tests {
            .args(["link", "set", dummy_name, "up"])
            .output()
            .expect("failed to up dummy");
+
+        // Wait briefly to ensure the IP address addition is fully complete
+        tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;
    }

    #[tokio::test]
+    #[serial(arp_neighbor_tests)]
    async fn test_add_one_arp_neighbor() {
        skip_if_not_root!();

        let mac = "6a:92:3a:59:70:aa";
-        let to_ip = "169.254.1.1";
-        let dummy_name = "dummy_for_arp";

-        prepare_env_for_test_add_one_arp_neighbor(dummy_name, to_ip);
+        prepare_env_for_test_add_one_arp_neighbor(TEST_DUMMY_INTERFACE, TEST_ARP_IP).await;

        let mut ip_address = IPAddress::new();
-        ip_address.set_address(to_ip.to_string());
+        ip_address.set_address(TEST_ARP_IP.to_string());

        let mut neigh = ARPNeighbor::new();
        neigh.set_toIPAddress(ip_address);
-        neigh.set_device(dummy_name.to_string());
+        neigh.set_device(TEST_DUMMY_INTERFACE.to_string());
        neigh.set_lladdr(mac.to_string());
        neigh.set_state(0x80);

@@ -1141,15 +1156,24 @@ mod tests {
            .expect("Failed to add ARP neighbor");

        // ip neigh show dev dummy ip
-        let stdout = Command::new("ip")
-            .args(["neigh", "show", "dev", dummy_name, to_ip])
+        let output = Command::new("ip")
+            .args(["neigh", "show", "dev", TEST_DUMMY_INTERFACE, TEST_ARP_IP])
            .output()
-            .expect("failed to show neigh")
-            .stdout;
+            .expect("failed to show neigh");

-        let stdout = std::str::from_utf8(&stdout).expect("failed to convert stdout");
-        assert_eq!(stdout.trim(), format!("{} lladdr {} PERMANENT", to_ip, mac));
+        let stdout = std::str::from_utf8(&output.stdout).expect("failed to convert stdout");
+        let stderr = std::str::from_utf8(&output.stderr).expect("failed to convert stderr");
+        assert!(
+            output.status.success(),
+            "`ip neigh show` returned exit code {:?}. stderr: {:?}",
+            output.status.code(),
+            stderr
+        );
+        assert_eq!(
+            stdout.trim(),
+            format!("{} lladdr {} PERMANENT", TEST_ARP_IP, mac)
+        );

-        clean_env_for_test_add_one_arp_neighbor(dummy_name, to_ip);
+        clean_env_for_test_add_one_arp_neighbor(TEST_DUMMY_INTERFACE, TEST_ARP_IP);
    }
 }
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -2417,7 +2417,7 @@ mod tests {
        let cgroups_path = format!(
            "/{}/dummycontainer{}",
            CGROUP_PARENT,
-            since_the_epoch.as_millis()
+            since_the_epoch.as_micros()
        );

        let spec = SpecBuilder::default()
--- a/src/agent/src/sandbox.rs
+++ b/src/agent/src/sandbox.rs
@@ -858,7 +858,7 @@ mod tests {
        let cgroups_path = format!(
            "/{}/dummycontainer{}",
            CGROUP_PARENT,
-            since_the_epoch.as_millis()
+            since_the_epoch.as_micros()
        );

        let spec = SpecBuilder::default()
--- a/src/dragonball/Cargo.lock
+++ b/src/dragonball/Cargo.lock
@@ -344,20 +344,26 @@ name = "dbs-pci"
 version = "0.1.0"
 dependencies = [
 "byteorder",
+ "dbs-address-space",
 "dbs-allocator",
 "dbs-arch",
 "dbs-boot",
 "dbs-device",
 "dbs-interrupt",
+ "dbs-utils",
+ "dbs-virtio-devices",
 "downcast-rs",
 "kvm-bindings",
 "kvm-ioctls",
 "libc",
 "log",
+ "serde",
 "thiserror 1.0.48",
 "vfio-bindings",
 "vfio-ioctls",
+ "virtio-queue",
 "vm-memory",
+ "vmm-sys-util",
 ]

 [[package]]
@@ -1810,9 +1816,9 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"

 [[package]]
 name = "seccompiler"
-version = "0.2.0"
+version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e01d1292a1131b22ccea49f30bd106f1238b5ddeec1a98d39268dcc31d540e68"
+checksum = "a4ae55de56877481d112a559bbc12667635fdaf5e005712fd4e2b2fa50ffc884"
 dependencies = [
 "libc",
 ]
--- a/src/dragonball/Cargo.toml
+++ b/src/dragonball/Cargo.toml
@@ -33,7 +33,7 @@ event-manager = "0.2.1"
 kvm-bindings = "0.6.0"
 kvm-ioctls = "0.12.0"
 linux-loader = "0.8.0"
-seccompiler = "0.2.0"
+seccompiler = "0.5.0"
 vfio-bindings = "0.3.0"
 vfio-ioctls = "0.1.0"
 virtio-bindings = "0.1.0"
--- a/src/dragonball/dbs_device/src/device_manager.rs
+++ b/src/dragonball/dbs_device/src/device_manager.rs
@@ -18,7 +18,7 @@
 //!
 //! # Examples
 //!
-//! Creating a dummy deivce which implement DeviceIo trait, and register it to [IoManager] with
+//! Creating a dummy device which implement DeviceIo trait, and register it to [IoManager] with
 //! trapped MMIO/PIO address ranges:
 //!
 //! ```
--- a/src/dragonball/src/api/v1/vmm_action.rs
+++ b/src/dragonball/src/api/v1/vmm_action.rs
@@ -479,14 +479,13 @@ impl VmmService {
        use self::StartMicroVmError::MicroVMAlreadyRunning;
        use self::VmmActionError::StartMicroVm;

-        let vmm_seccomp_filter = vmm.vmm_seccomp_filter();
-        let vcpu_seccomp_filter = vmm.vcpu_seccomp_filter();
+        let seccomp_filters = vmm.seccomp_filters();
        let vm = vmm.get_vm_mut().ok_or(VmmActionError::InvalidVMID)?;
        if vm.is_vm_initialized() {
            return Err(StartMicroVm(MicroVMAlreadyRunning));
        }

-        vm.start_microvm(event_mgr, vmm_seccomp_filter, vcpu_seccomp_filter)
+        vm.start_microvm(event_mgr, seccomp_filters)
            .map(|_| VmmData::Empty)
            .map_err(StartMicroVm)
    }
--- a/src/dragonball/src/error.rs
+++ b/src/dragonball/src/error.rs
@@ -219,6 +219,10 @@ pub enum StartMicroVmError {
    /// Failed to register DMA memory address range.
    #[error("failure while registering DMA address range: {0:?}")]
    RegisterDMAAddress(#[source] VfioDeviceError),
+
+    /// Cannot build seccomp filters.
+    #[error("failure while configuring seccomp filters: {0}")]
+    SeccompFilters(#[source] seccompiler::Error),
 }

 /// Errors associated with starting the instance.
--- a/src/dragonball/src/lib.rs
+++ b/src/dragonball/src/lib.rs
@@ -48,7 +48,7 @@ mod vmm;

 pub use self::error::StartMicroVmError;
 pub use self::io_manager::IoManagerCached;
-pub use self::vmm::Vmm;
+pub use self::vmm::{Vmm, ALL_THREADS, VCPU_THREAD, VMM_THREAD};

 /// Success exit code.
 pub const EXIT_CODE_OK: u8 = 0;
--- a/src/dragonball/src/vm/mod.rs
+++ b/src/dragonball/src/vm/mod.rs
@@ -1,6 +1,7 @@
 // Copyright (C) 2021 Alibaba Cloud. All rights reserved.
 // SPDX-License-Identifier: Apache-2.0

+use std::collections::HashMap;
 use std::io::{self, Read, Seek, SeekFrom};
 use std::ops::Deref;
 use std::os::unix::io::RawFd;
@@ -18,6 +19,7 @@ use dbs_utils::time::TimestampUs;
 use kvm_ioctls::VmFd;
 use linux_loader::loader::{KernelLoader, KernelLoaderResult};
 use seccompiler::BpfProgram;
+use seccompiler::{apply_filter_all_threads, Error as SecError};
 use serde_derive::{Deserialize, Serialize};
 use slog::{error, info};
 use vm_memory::{Bytes, GuestAddress, GuestAddressSpace};
@@ -42,6 +44,7 @@ use crate::resource_manager::ResourceManager;
 use crate::vcpu::{VcpuManager, VcpuManagerError};
 #[cfg(feature = "hotplug")]
 use crate::vcpu::{VcpuResizeError, VcpuResizeInfo};
+use crate::{ALL_THREADS, VCPU_THREAD, VMM_THREAD};
 #[cfg(target_arch = "aarch64")]
 use dbs_arch::gic::Error as GICError;

@@ -709,10 +712,27 @@ impl Vm {
    pub fn start_microvm(
        &mut self,
        event_mgr: &mut EventManager,
-        vmm_seccomp_filter: BpfProgram,
-        vcpu_seccomp_filter: BpfProgram,
+        seccomp_filters: HashMap<String, BpfProgram>,
    ) -> std::result::Result<(), StartMicroVmError> {
        info!(self.logger, "VM: received instance start command");
+
+        if let Some(process_seccomp_filter) = seccomp_filters.get(ALL_THREADS) {
+            // Load seccomp filters for the whole process.
+            // Execution panics if filters cannot be loaded, use --seccomp-level=0 if skipping filters
+            // altogether is the desired behaviour.
+            if let Err(e) = apply_filter_all_threads(process_seccomp_filter) {
+                if !matches!(e, SecError::EmptyFilter) {
+                    error!(
+                        self.logger,
+                        "VM: failed to apply process-wide seccomp filters: {}", e
+                    );
+                    return Err(StartMicroVmError::SeccompFilters(e));
+                }
+            } else {
+                info!(self.logger, "VM: process-wide seccomp filters applied");
+            }
+        }
+
        if self.is_vm_initialized() {
            return Err(StartMicroVmError::MicroVMAlreadyRunning);
        }
@@ -738,8 +758,14 @@ impl Vm {
                AddressManagerError::GuestMemoryNotInitialized,
            ))?;

-        self.init_vcpu_manager(vm_as.clone(), vcpu_seccomp_filter)
-            .map_err(StartMicroVmError::Vcpu)?;
+        self.init_vcpu_manager(
+            vm_as.clone(),
+            seccomp_filters
+                .get(VCPU_THREAD)
+                .cloned()
+                .unwrap_or_default(),
+        )
+        .map_err(StartMicroVmError::Vcpu)?;
        self.init_microvm(event_mgr.epoll_manager(), vm_as.clone(), request_ts)?;
        self.init_configure_system(&vm_as)?;
        #[cfg(feature = "dbs-upcall")]
@@ -751,7 +777,7 @@ impl Vm {
        info!(self.logger, "VM: start vcpus");
        self.vcpu_manager()
            .map_err(StartMicroVmError::Vcpu)?
-            .start_boot_vcpus(vmm_seccomp_filter)
+            .start_boot_vcpus(seccomp_filters.get(VMM_THREAD).cloned().unwrap_or_default())
            .map_err(StartMicroVmError::Vcpu)?;

        // Use expect() to crash if the other thread poisoned this lock.
--- a/src/dragonball/src/vmm.rs
+++ b/src/dragonball/src/vmm.rs
@@ -6,6 +6,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the THIRD-PARTY file.

+use std::collections::HashMap;
 use std::fmt::Formatter;
 use std::os::unix::io::RawFd;
 use std::sync::{Arc, Mutex, RwLock};
@@ -22,6 +23,19 @@ use crate::event_manager::{EventContext, EventManager};
 use crate::vm::Vm;
 use crate::{EXIT_CODE_GENERIC_ERROR, EXIT_CODE_OK};

+// Thread types to which the seccomp restrictions apply
+// Currently the restrictions are applied to the whole process
+// More thread types can be added later to accommodate more granular constraints.
+
+/// Union of restrictions for all threads;
+/// The corresponding restrictions are applied to the whole process
+/// This type should be used with any other thread type which has specific restrictions
+pub const ALL_THREADS: &str = "all";
+/// VMM thread
+pub const VMM_THREAD: &str = "vmm";
+/// Vcpu thread
+pub const VCPU_THREAD: &str = "vcpu";
+
 /// Global coordinator to manage API servers, virtual machines, upgrade etc.
 ///
 /// Originally firecracker assumes an VMM only manages an VM, and doesn't distinguish VMM and VM.
@@ -41,8 +55,7 @@ pub struct Vmm {
    // Will change to a HashMap when enabling 1 VMM with multiple VMs.
    vm: Vm,

-    vcpu_seccomp_filter: BpfProgram,
-    vmm_seccomp_filter: BpfProgram,
+    seccomp_filters: HashMap<String, BpfProgram>,
 }

 impl Vmm {
@@ -50,8 +63,7 @@ impl Vmm {
    pub fn new(
        api_shared_info: Arc<RwLock<InstanceInfo>>,
        api_event_fd: EventFd,
-        vmm_seccomp_filter: BpfProgram,
-        vcpu_seccomp_filter: BpfProgram,
+        seccomp_filters: HashMap<String, BpfProgram>,
        kvm_fd: Option<RawFd>,
    ) -> Result<Self> {
        let epoll_manager = EpollManager::default();
@@ -59,8 +71,7 @@ impl Vmm {
            api_shared_info,
            api_event_fd,
            epoll_manager,
-            vmm_seccomp_filter,
-            vcpu_seccomp_filter,
+            seccomp_filters,
            kvm_fd,
        )
    }
@@ -70,8 +81,7 @@ impl Vmm {
        api_shared_info: Arc<RwLock<InstanceInfo>>,
        api_event_fd: EventFd,
        epoll_manager: EpollManager,
-        vmm_seccomp_filter: BpfProgram,
-        vcpu_seccomp_filter: BpfProgram,
+        seccomp_filters: HashMap<String, BpfProgram>,
        kvm_fd: Option<RawFd>,
    ) -> Result<Self> {
        let vm = Vm::new(kvm_fd, api_shared_info, epoll_manager.clone())?;
@@ -81,8 +91,7 @@ impl Vmm {
            event_ctx,
            epoll_manager,
            vm,
-            vcpu_seccomp_filter,
-            vmm_seccomp_filter,
+            seccomp_filters,
        })
    }

@@ -96,14 +105,9 @@ impl Vmm {
        Some(&mut self.vm)
    }

-    /// Get the seccomp rules for vCPU threads.
-    pub fn vcpu_seccomp_filter(&self) -> BpfProgram {
-        self.vcpu_seccomp_filter.clone()
-    }
-
-    /// Get the seccomp rules for VMM threads.
-    pub fn vmm_seccomp_filter(&self) -> BpfProgram {
-        self.vmm_seccomp_filter.clone()
+    /// Get all seccomp rules.
+    pub fn seccomp_filters(&self) -> HashMap<String, BpfProgram> {
+        self.seccomp_filters.clone()
    }

    /// Run the event loop to service API requests.
@@ -206,14 +210,15 @@ impl std::fmt::Debug for Vmm {
        f.debug_struct("Vmm")
            .field("event_ctx", &self.event_ctx)
            .field("vm", &self.vm.shared_info())
-            .field("vcpu_seccomp_filter", &self.vcpu_seccomp_filter)
-            .field("vmm_seccomp_filter", &self.vmm_seccomp_filter)
+            .field("seccomp_filters", &self.seccomp_filters)
            .finish()
    }
 }

 #[cfg(test)]
 pub(crate) mod tests {
+    use std::collections::HashMap;
+
    use test_utils::skip_if_not_root;

    use super::*;
@@ -221,17 +226,8 @@ pub(crate) mod tests {
    pub fn create_vmm_instance(epoll_manager: EpollManager) -> Vmm {
        let info = Arc::new(RwLock::new(InstanceInfo::default()));
        let event_fd = EventFd::new(libc::EFD_NONBLOCK).unwrap();
-        let seccomp_filter: BpfProgram = Vec::new();

-        Vmm::new_with_epoll_manager(
-            info,
-            event_fd,
-            epoll_manager,
-            seccomp_filter.clone(),
-            seccomp_filter,
-            None,
-        )
-        .unwrap()
+        Vmm::new_with_epoll_manager(info, event_fd, epoll_manager, HashMap::new(), None).unwrap()
    }

    #[test]
--- a/src/libs/Cargo.toml
+++ b/src/libs/Cargo.toml
@@ -3,8 +3,9 @@ members = [
    "kata-sys-util",
    "kata-types",
    "logging",
-    "runtime-spec",
+    "mem-agent",
    "protocols",
+    "runtime-spec",
    "safe-path",
    "shim-interface",
    "test-utils",
--- a/src/libs/kata-sys-util/src/mount.rs
+++ b/src/libs/kata-sys-util/src/mount.rs
@@ -1088,7 +1088,7 @@ mod tests {
        assert!(parse_mount_options(&options).is_err());

        let idx = options.len() - 1;
-        options[idx] = " ".repeat(4097);
+        options[idx] = " ".repeat(*MAX_MOUNT_PARAM_SIZE + 1);
        assert!(parse_mount_options(&options).is_err());
    }

--- a/src/libs/kata-sys-util/src/pcilibs/pci_manager.rs
+++ b/src/libs/kata-sys-util/src/pcilibs/pci_manager.rs
@@ -297,18 +297,16 @@ mod tests {
    use super::*;
    use std::fs;
    use std::io::Write;
-    use std::path::{Path, PathBuf};
+    use std::path::PathBuf;

-    const MOCK_PCI_DEVICES_ROOT: &str = "tests/mock_devices";
    // domain number
    const TEST_PCI_DEV_DOMAIN: &str = "0000";
-    // sysfs path
-    const MOCK_SYS_BUS_PCI_DEVICES: &str = "/tmp/bus/pci/devices";

    // Mock data
-    fn setup_mock_device_files() {
+    fn setup_mock_device_files() -> tempfile::TempDir {
+        let dir = tempfile::tempdir().expect("tempdir should not fail");
        // Create mock path and files for PCI devices
-        let device_path = PathBuf::from(MOCK_PCI_DEVICES_ROOT).join("0000:ff:1f.0");
+        let device_path = dir.path().join("0000:ff:1f.0");
        fs::create_dir_all(&device_path).unwrap();
        fs::write(device_path.join("vendor"), "0x8086").unwrap();
        fs::write(device_path.join("device"), "0x1234").unwrap();
@@ -319,13 +317,7 @@ mod tests {
            "0x00000000 0x0000ffff 0x00000404\n",
        )
        .unwrap();
-    }
-    // Mock data
-    fn cleanup_mock_device_files() {
-        // Create mock path and files for PCI devices
-        let device_path = PathBuf::from(MOCK_PCI_DEVICES_ROOT).join("0000:ff:1f.0");
-        // Clean up
-        let _ = fs::remove_file(device_path);
+        dir
    }

    #[test]
@@ -380,10 +372,10 @@ mod tests {
    #[test]
    fn test_get_all_devices() {
        // Setup mock data
-        setup_mock_device_files();
+        let tmpdir = setup_mock_device_files();

        // Initialize PCI device manager with the mock path
-        let manager = PCIDeviceManager::new(MOCK_PCI_DEVICES_ROOT);
+        let manager = PCIDeviceManager::new(&tmpdir.path().to_string_lossy());

        // Get all devices
        let devices_result = manager.get_all_devices(None);
@@ -396,17 +388,14 @@ mod tests {
        assert_eq!(device.vendor, 0x8086);
        assert_eq!(device.device, 0x1234);
        assert_eq!(device.class, 0x060100);
-
-        // Cleanup mock data
-        cleanup_mock_device_files()
    }

    #[test]
    fn test_parse_resources() {
-        setup_mock_device_files();
+        let tmpdir = setup_mock_device_files();

-        let manager = PCIDeviceManager::new(MOCK_PCI_DEVICES_ROOT);
-        let device_path = PathBuf::from(MOCK_PCI_DEVICES_ROOT).join("0000:ff:1f.0");
+        let manager = PCIDeviceManager::new(&tmpdir.path().to_string_lossy());
+        let device_path = tmpdir.path().join("0000:ff:1f.0");

        let resources_result = manager.parse_resources(&device_path);
        assert!(resources_result.is_ok());
@@ -418,17 +407,14 @@ mod tests {
        assert_eq!(resource.start, 0x00000000);
        assert_eq!(resource.end, 0x0000ffff);
        assert_eq!(resource.flags, 0x00000404);
-
-        cleanup_mock_device_files();
    }

    #[test]
    fn test_is_pcie_device() {
        // Create a mock PCI device config file
        let bdf = format!("{}:ff:00.0", TEST_PCI_DEV_DOMAIN);
-        let config_path = Path::new(MOCK_SYS_BUS_PCI_DEVICES)
-            .join(&bdf)
-            .join("config");
+        let tmpdir = tempfile::tempdir().expect("tempdir should not fail");
+        let config_path = tmpdir.path().join(&bdf).join("config");
        let _ = fs::create_dir_all(config_path.parent().unwrap());

        // Write a file with a size larger than PCI_CONFIG_SPACE_SZ
@@ -437,9 +423,6 @@ mod tests {
        file.write_all(&vec![0; 512]).unwrap();

        // It should be true
-        assert!(is_pcie_device("ff:00.0", MOCK_SYS_BUS_PCI_DEVICES));
-
-        // Clean up
-        let _ = fs::remove_file(config_path);
+        assert!(is_pcie_device("ff:00.0", &tmpdir.path().to_string_lossy()));
    }
 }
--- a/src/libs/kata-types/Cargo.toml
+++ b/src/libs/kata-types/Cargo.toml
@@ -32,7 +32,8 @@ flate2 = { version = "1.0", features = ["zlib"] }
 hex = "0.4"

 oci-spec = { version = "0.8.1", features = ["runtime"] }
-safe-path = { path = "../safe-path" }
+
+safe-path = { path = "../safe-path", optional = true }

 [dev-dependencies]
 tempfile = "3.19.1"
@@ -42,3 +43,4 @@ nix = "0.26.4"
 [features]
 default = []
 enable-vendor = []
+safe-path = ["dep:safe-path"] # safe-path is platform-specific
--- a/src/libs/kata-types/src/config/hypervisor/mod.rs
+++ b/src/libs/kata-types/src/config/hypervisor/mod.rs
@@ -49,7 +49,7 @@ mod remote;
 pub use self::remote::{RemoteConfig, HYPERVISOR_NAME_REMOTE};

 mod rate_limiter;
-pub use self::rate_limiter::RateLimiterConfig;
+pub use self::rate_limiter::{RateLimiterConfig, DEFAULT_RATE_LIMITER_REFILL_TIME};

 /// Virtual PCI block device driver.
 pub const VIRTIO_BLK_PCI: &str = "virtio-blk-pci";
@@ -878,6 +878,26 @@ impl NetworkInfo {
    }
 }

+/// Configuration information for rootless user.
+#[derive(Clone, Debug, Default, Deserialize, Serialize)]
+pub struct RootlessUser {
+    /// The UID of the rootless user.
+    #[serde(default)]
+    pub uid: u32,
+
+    /// The GID of the rootless user.
+    #[serde(default)]
+    pub gid: u32,
+
+    /// The supplementary groups of the rootless user.
+    #[serde(default)]
+    pub groups: Vec<u32>,
+
+    /// The username of the rootless user.
+    #[serde(default)]
+    pub user_name: String,
+}
+
 /// Configuration information for security settings.
 #[derive(Clone, Debug, Default, Deserialize, Serialize)]
 pub struct SecurityInfo {
@@ -889,6 +909,14 @@ pub struct SecurityInfo {
    #[serde(default)]
    pub rootless: bool,

+    /// Configuration information for rootless user.
+    ///
+    /// This field must be set if the `rootless` configuration above is enabled.
+    /// It contains the UID, GID, supplementary groups, and the user name of the non-root user
+    /// that will be used to run the VMM process.
+    #[serde(default)]
+    pub rootless_user: Option<RootlessUser>,
+
    /// Disables `seccomp` for the guest VM.
    #[serde(default)]
    pub disable_seccomp: bool,
--- a/src/libs/kata-types/src/config/hypervisor/rate_limiter.rs
+++ b/src/libs/kata-types/src/config/hypervisor/rate_limiter.rs
@@ -6,10 +6,10 @@

 use serde::{Deserialize, Serialize};

-// The DEFAULT_RATE_LIMITER_REFILL_TIME is used for calculating the rate at
-// which a TokenBucket is replinished, in cases where a RateLimiter is
-// applied to either network or disk I/O.
-pub(crate) const DEFAULT_RATE_LIMITER_REFILL_TIME: u64 = 1000;
+/// The DEFAULT_RATE_LIMITER_REFILL_TIME is used for calculating the rate at
+/// which a TokenBucket is replinished, in cases where a RateLimiter is
+/// applied to either network or disk I/O.
+pub const DEFAULT_RATE_LIMITER_REFILL_TIME: u64 = 1000;

 #[derive(Clone, Copy, Debug, Default, Deserialize, Serialize, PartialEq, Eq)]
 pub struct TokenBucketConfig {
--- a/src/libs/kata-types/src/initdata.rs
+++ b/src/libs/kata-types/src/initdata.rs
@@ -175,7 +175,7 @@ fn adjust_digest(digest: &[u8], platform: ProtectedPlatform) -> Vec<u8> {
 }

 /// Parse initdata
-fn parse_initdata(initdata_str: &str) -> Result<InitData> {
+pub fn parse_initdata(initdata_str: &str) -> Result<InitData> {
    let initdata: InitData = toml::from_str(initdata_str)?;
    initdata.validate()?;

@@ -209,12 +209,12 @@ pub fn calculate_initdata_digest(

 /// Encodes initdata as an annotation
 pub fn encode_initdata(init_data: &InitData) -> String {
-    let toml_str = toml::to_string(&init_data).unwrap();
+    let toml_str = toml::to_string_pretty(&init_data).unwrap();
    create_encoded_input(&toml_str)
 }

-/// Decodes initdata annotation
-pub fn decode_initdata(initdata_annotation: &str) -> Result<InitData> {
+/// Decodes a base64-encoded gzipped initdata document to its raw TOML representation.
+fn decode_raw_initdata(initdata_annotation: &str) -> Result<String> {
    // Base64 decode the annotation value
    let b64_decoded =
        base64::decode_config(initdata_annotation, base64::STANDARD).context("base64 decode")?;
@@ -225,7 +225,12 @@ pub fn decode_initdata(initdata_annotation: &str) -> Result<InitData> {
    gz_decoder
        .read_to_string(&mut initdata_str)
        .context("gz decoder failed")?;
+    Ok(initdata_str)
+}

+/// Decodes initdata annotation
+pub fn decode_initdata(initdata_annotation: &str) -> Result<InitData> {
+    let initdata_str = decode_raw_initdata(initdata_annotation)?;
    // Return parsed initdata
    let initdata = parse_initdata(&initdata_str).context("parse initdata overrides")?;

@@ -509,4 +514,31 @@ key = "value"
        let invalid_data = base64::encode("raw uncompressed data");
        assert!(add_hypervisor_initdata_overrides(&invalid_data).is_err());
    }
+
+    #[test]
+    fn test_pretty_initdata() {
+        let nested_toml = r#"
+algorithm = "sha384"
+version = "0.1.0"
+
+[data]
+"aa.toml" = '''
+[token_configs]
+[token_configs.coco_as]
+url = 'http://kbs-service.xxx.cluster.local:8080'
+
+[token_configs.kbs]
+url = 'http://kbs-service.xxx.cluster.local:8080'
+'''
+        "#;
+        let init_data = parse_initdata(nested_toml).expect("canned initdata document should parse");
+
+        let doc = decode_raw_initdata(&encode_initdata(&init_data))
+            .expect("encoding and decoding again should work");
+        assert!(
+            !doc.contains("\\n"),
+            "the encoded initdata toml should not contain escaped newlines, but does:\n{}",
+            doc
+        )
+    }
 }
--- a/src/libs/kata-types/src/lib.rs
+++ b/src/libs/kata-types/src/lib.rs
@@ -6,6 +6,7 @@
 //! Constants and Data Types shared by Kata Containers components.

 #![deny(missing_docs)]
+
 #[macro_use]
 extern crate slog;
 #[macro_use]
@@ -47,6 +48,13 @@ pub mod fs;
 /// any well-defined data from an untrusted host into a TEE (Trusted Execution Environment).
 pub mod initdata;

+/// rootless vmm
+pub mod rootless;
+
+use std::path::Path;
+
+use crate::rootless::{is_rootless, rootless_dir};
+
 /// Common error codes.
 #[derive(thiserror::Error, Debug)]
 pub enum Error {
@@ -107,3 +115,21 @@ macro_rules! validate_path {
        }
    }};
 }
+
+/// Helper function that builds paths based on the vmm's rootless state.
+pub fn build_path(path: &str) -> String {
+    if is_rootless() {
+        let path = Path::new(path);
+        let path = if path.is_absolute() {
+            path.strip_prefix("/").unwrap_or(path)
+        } else {
+            path
+        };
+        Path::new(&rootless_dir())
+            .join(path)
+            .to_string_lossy()
+            .to_string()
+    } else {
+        path.to_string()
+    }
+}
--- a/src/libs/kata-types/src/mount.rs
+++ b/src/libs/kata-types/src/mount.rs
@@ -6,8 +6,9 @@

 use anyhow::{anyhow, Context, Error, Result};
 use std::convert::TryFrom;
-use std::{collections::HashMap, fs, path::PathBuf};
+use std::{collections::HashMap, path::PathBuf};

+use crate::build_path;
 use crate::handler::HandlerManager;

 /// Prefix to mark a volume as Kata special.
@@ -31,8 +32,8 @@ pub const KATA_MOUNT_INFO_FILE_NAME: &str = "mountInfo.json";
 /// Specify `fsgid` for a volume or mount, `fsgid=1`.
 pub const KATA_MOUNT_OPTION_FS_GID: &str = "fsgid";

-/// KATA_DIRECT_VOLUME_ROOT_PATH is the root path used for concatenating with the direct-volume mount info file path
-pub const KATA_DIRECT_VOLUME_ROOT_PATH: &str = "/run/kata-containers/shared/direct-volumes";
+/// DEFAULT_KATA_DIRECT_VOLUME_ROOT_PATH is the default root path used for concatenating with the direct-volume mount info file path
+pub const DEFAULT_KATA_DIRECT_VOLUME_ROOT_PATH: &str = "/run/kata-containers/shared/direct-volumes";

 /// Key to indentify directory creation in `Storage.driver_options`.
 pub const KATA_VOLUME_OVERLAYFS_CREATE_DIR: &str =
@@ -78,6 +79,16 @@ pub const SHM_DEVICE: &str = "/dev/shm";
 /// Manager to manage registered storage device handlers.
 pub type StorageHandlerManager<H> = HandlerManager<H>;

+/// Get the root path used for concatenating with the direct-volume mount info file path.
+pub fn kata_direct_volume_root_path() -> String {
+    build_path(DEFAULT_KATA_DIRECT_VOLUME_ROOT_PATH)
+}
+
+/// Get the sandbox bind mounts directory.
+pub fn kata_guest_sandbox_dir() -> String {
+    build_path(DEFAULT_KATA_GUEST_SANDBOX_DIR)
+}
+
 /// Information about a mount.
 #[derive(Debug, Clone, Default, serde::Serialize, serde::Deserialize)]
 pub struct Mount {
@@ -472,6 +483,8 @@ pub trait StorageDevice: Send + Sync {
 /// Joins a user-provided volume path with the Kata direct-volume root path.
 ///
 /// The `volume_path` is base64-url-encoded and then safely joined to the `prefix`.
+/// `safe_path` is OS-specific.
+#[cfg(feature = "safe-path")]
 pub fn join_path(prefix: &str, volume_path: &str) -> Result<PathBuf> {
    if volume_path.is_empty() {
        return Err(anyhow!(std::io::ErrorKind::NotFound));
@@ -482,10 +495,12 @@ pub fn join_path(prefix: &str, volume_path: &str) -> Result<PathBuf> {
 }

 /// Gets `DirectVolumeMountInfo` from `mountinfo.json`.
+/// `safe_path` is OS-specific.
+#[cfg(feature = "safe-path")]
 pub fn get_volume_mount_info(volume_path: &str) -> Result<DirectVolumeMountInfo> {
-    let volume_path = join_path(KATA_DIRECT_VOLUME_ROOT_PATH, volume_path)?;
+    let volume_path = join_path(kata_direct_volume_root_path().as_str(), volume_path)?;
    let mount_info_file_path = volume_path.join(KATA_MOUNT_INFO_FILE_NAME);
-    let mount_info_file = fs::read_to_string(mount_info_file_path)?;
+    let mount_info_file = std::fs::read_to_string(mount_info_file_path)?;
    let mount_info: DirectVolumeMountInfo = serde_json::from_str(&mount_info_file)?;

    Ok(mount_info)
--- a/src/libs/kata-types/src/rootless.rs
+++ b/src/libs/kata-types/src/rootless.rs
@@ -0,0 +1,54 @@
+// Copyright 2025 Kata Contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use std::env;
+use std::sync::Mutex;
+
+use lazy_static::lazy_static;
+
+use crate::sl;
+
+lazy_static! {
+    static ref ROOTLESS_STATE: Mutex<bool> = Mutex::new(false);
+    static ref ROOTLESS_DIR: String = env::var("XDG_RUNTIME_DIR")
+        .inspect_err(|_| error!(sl!(), "XDG_RUNTIME_DIR is not set yet"))
+        .unwrap();
+}
+
+/// Set the rootless state of vmm.
+pub fn set_rootless(rootless: bool) {
+    *ROOTLESS_STATE.lock().unwrap() = rootless;
+}
+
+/// Check whether the current vmm's state is rootless.
+pub fn is_rootless() -> bool {
+    *ROOTLESS_STATE.lock().unwrap()
+}
+
+/// Get the rootless directory's path of rootless vmm.
+pub fn rootless_dir() -> String {
+    ROOTLESS_DIR.clone()
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_is_rootless() {
+        set_rootless(true);
+        assert!(is_rootless());
+
+        set_rootless(false);
+        assert!(!is_rootless());
+    }
+
+    #[test]
+    fn test_rootless_dir() {
+        let temp_dir = env::temp_dir().to_str().unwrap().to_string();
+        env::set_var("XDG_RUNTIME_DIR", temp_dir.as_str());
+        assert_eq!(rootless_dir(), temp_dir);
+    }
+}
--- a/src/libs/mem-agent/.gitignore
+++ b/src/libs/mem-agent/.gitignore
--- a/src/libs/mem-agent/Cargo.toml
+++ b/src/libs/mem-agent/Cargo.toml
@@ -1,5 +1,5 @@
 [package]
-name = "mem-agent-lib"
+name = "mem-agent"
 version = "0.2.0"
 edition = "2021"

@@ -20,3 +20,5 @@ slog-term = "2.9.0"
 slog-async = "2.7"
 once_cell = "1.9.0"
 lazy_static = "1.4"
+nix = { version = "0.30.1", features = ["user"] }
+test-utils = { path = "../test-utils" }
--- a/src/libs/mem-agent/src/agent.rs
+++ b/src/libs/mem-agent/src/agent.rs
@@ -105,7 +105,7 @@ async fn async_get_remaining_tokio_duration(

 fn agent_work(mut memcg: memcg::MemCG, mut comp: compact::Compact) -> Result<Duration> {
    let memcg_work_list = memcg.get_timeout_list();
-    if memcg_work_list.len() > 0 {
+    if !memcg_work_list.is_empty() {
        info!("memcg.work start");
        memcg
            .work(&memcg_work_list)
@@ -202,10 +202,8 @@ async fn mem_agent_loop(
            });

            mas.timeout = false;
-        } else {
-            if mas.refresh() {
-                continue;
-            }
+        } else if mas.refresh() {
+            continue;
        }

        info!("mem_agent_loop wait timeout {:?}", mas.duration);
@@ -346,9 +344,11 @@ impl MemAgent {
 #[cfg(test)]
 mod tests {
    use super::*;
+    use test_utils::skip_if_not_root;

    #[test]
    fn test_agent() {
+        skip_if_not_root!();
        let mut memcg_config = memcg::Config::default();
        memcg_config.default.disabled = true;
        let compact_config = compact::Config {
@@ -381,6 +381,7 @@ mod tests {

    #[test]
    fn test_agent_memcg_status() {
+        skip_if_not_root!();
        let mut memcg_config = memcg::Config::default();
        memcg_config.default.disabled = true;
        let compact_config = compact::Config {
--- a/src/libs/mem-agent/src/cgroup.rs
+++ b/src/libs/mem-agent/src/cgroup.rs
--- a/src/libs/mem-agent/src/compact.rs
+++ b/src/libs/mem-agent/src/compact.rs
@@ -2,6 +2,10 @@
 //
 // SPDX-License-Identifier: Apache-2.0

+// TODO: Enable precedence and identity_op check
+#![allow(clippy::precedence)]
+#![allow(clippy::identity_op)]
+
 use crate::cgroup::CGROUP_PATH;
 use crate::proc;
 use crate::psi;
@@ -63,7 +67,7 @@ impl Default for Config {
            compact_sec_max: 5 * 60,
            compact_order: PAGE_REPORTING_MIN_ORDER,
            compact_threshold: 2 << PAGE_REPORTING_MIN_ORDER,
-            compact_force_times: std::u64::MAX,
+            compact_force_times: u64::MAX,
        }
    }
 }
@@ -129,7 +133,7 @@ impl CompactCore {
    }

    fn need_force_compact(&self) -> bool {
-        if self.config.compact_force_times == std::u64::MAX {
+        if self.config.compact_force_times == u64::MAX {
            return false;
        }

@@ -350,14 +354,12 @@ impl Compact {
                        } else {
                            debug!("compact killed and keep wait");
                        }
-                    } else {
-                        if rest_sec <= 0 {
-                            debug!("compact timeout");
-                            child
-                                .kill()
-                                .map_err(|e| anyhow!("child.kill failed: {}", e))?;
-                            killed = true;
-                        }
+                    } else if rest_sec <= 0 {
+                        debug!("compact timeout");
+                        child
+                            .kill()
+                            .map_err(|e| anyhow!("child.kill failed: {}", e))?;
+                        killed = true;
                    }

                    let percent = compact_psi
--- a/src/libs/mem-agent/src/lib.rs
+++ b/src/libs/mem-agent/src/lib.rs
--- a/src/libs/mem-agent/src/memcg.rs
+++ b/src/libs/mem-agent/src/memcg.rs
@@ -14,7 +14,7 @@ use page_size;
 use std::collections::HashMap;
 use std::collections::HashSet;
 use std::hash::Hash;
-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
 use std::sync::Arc;
 use tokio::sync::RwLock;
 use tokio::time::Duration as TokioDuration;
@@ -113,24 +113,13 @@ impl SingleConfig {
    }
 }

-#[derive(Debug, Clone, PartialEq)]
+#[derive(Debug, Clone, PartialEq, Default)]
 pub struct CgroupConfig {
    pub no_subdir: bool,
    pub numa_id: Vec<u32>,
    pub config: SingleConfig,
 }

-impl Default for CgroupConfig {
-    fn default() -> Self {
-        Self {
-            no_subdir: false,
-            // empty numa_id means this config not limit numa
-            numa_id: vec![],
-            config: SingleConfig::default(),
-        }
-    }
-}
-
 impl CgroupConfig {
    fn set(&mut self, config: &CgroupOptionConfig) -> bool {
        let mut need_reset = false;
@@ -222,7 +211,7 @@ impl Config {

        // make sure the empty numa_id CgroupConfig at the end of Cgroup
        for vec in self.cgroups.values_mut() {
-            let (keep, moved) = vec.drain(..).partition(|c| c.numa_id.len() > 0);
+            let (keep, moved) = vec.drain(..).partition(|c| !c.numa_id.is_empty());
            *vec = keep;
            vec.extend(moved);
        }
@@ -300,7 +289,7 @@ pub struct Numa {
 }

 impl Numa {
-    fn new(mglru: &MGenLRU, path: &str, psi_path: &PathBuf) -> Self {
+    fn new(mglru: &MGenLRU, path: &str, psi_path: &Path) -> Self {
        Self {
            max_seq: mglru.max_seq,
            min_seq: mglru.min_seq,
@@ -362,9 +351,9 @@ impl MemCgroup {
        id: &usize,
        ino: &usize,
        path: &str,
-        numa: &Vec<u32>,
+        numa: &[u32],
        hmg: &HashMap<usize, MGenLRU>,
-        psi_path: &PathBuf,
+        psi_path: &Path,
    ) -> Self {
        let m = Self {
            id: *id as u16,
@@ -372,11 +361,8 @@ impl MemCgroup {
            numa: numa
                .iter()
                .filter_map(|numa_id| {
-                    if let Some(hmg) = hmg.get(&(*numa_id as usize)) {
-                        Some((*numa_id, Numa::new(hmg, path, psi_path)))
-                    } else {
-                        None
-                    }
+                    hmg.get(&(*numa_id as usize))
+                        .map(|hmg| (*numa_id, Numa::new(hmg, path, psi_path)))
                })
                .collect(),
        };
@@ -389,7 +375,7 @@ impl MemCgroup {
        &mut self,
        numa: &Vec<u32>,
        path: &str,
-        psi_path: &PathBuf,
+        psi_path: &Path,
        hmg: &HashMap<usize, MGenLRU>,
    ) {
        for numa_id in numa {
@@ -452,7 +438,7 @@ impl Info {
    fn new(path: &str, memcg_id: usize, numa_id: usize, numa: &Numa) -> Self {
        Self {
            memcg_id,
-            numa_id: numa_id,
+            numa_id,
            path: path.to_string(),
            min_seq: numa.min_seq,
            max_seq: numa.max_seq,
@@ -534,9 +520,9 @@ impl MemCgroups {
                    }
                    should_keep
                });
-                path_cgs.len() != 0
+                !path_cgs.is_empty()
            });
-            period_cgs.cgs.len() != 0
+            !period_cgs.cgs.is_empty()
        });

        self.cgroups.retain(|path, cgroup| {
@@ -574,7 +560,7 @@ impl MemCgroups {
            let need_insert = if update_cgroups {
                if let Some(mg) = self.cgroups.get_mut(path) {
                    // Update current
-                    mg.update_from_hostmemcg(&hmg);
+                    mg.update_from_hostmemcg(hmg);
                    false
                } else {
                    true
@@ -594,8 +580,8 @@ impl MemCgroups {
                    loop {
                        if let Some(secs_config_map) = self.config_map.get_mut(&config.period_secs)
                        {
-                            if let Some(config_map) = secs_config_map.cgs.get_mut(&config) {
-                                if let Some(_) = config_map.get_mut(path) {
+                            if let Some(config_map) = secs_config_map.cgs.get_mut(config) {
+                                if config_map.get_mut(path).is_some() {
                                    error!(
                                        "update_and_add found an memcg {:?} {} existed",
                                        config, path
@@ -624,7 +610,7 @@ impl MemCgroups {
                                            );

                                            cgroups.add_numa(
-                                                &numa_id,
+                                                numa_id,
                                                path,
                                                &self.config.psi_path,
                                                hmg,
@@ -641,7 +627,7 @@ impl MemCgroups {
                                                    id,
                                                    ino,
                                                    path,
-                                                    &numa_id,
+                                                    numa_id,
                                                    hmg,
                                                    &self.config.psi_path,
                                                ),
@@ -682,7 +668,7 @@ impl MemCgroups {
                for (path, numa_map) in path_map {
                    if let Some(mcg) = self.cgroups.get_mut(path) {
                        for numa_id in &numa_map.numa {
-                            if let Some(numa) = mcg.numa.get_mut(&numa_id) {
+                            if let Some(numa) = mcg.numa.get_mut(numa_id) {
                                let pass = match numa
                                    .check_psi(single_config.period_psi_percent_limit as u64)
                                {
@@ -702,7 +688,7 @@ impl MemCgroups {
                                }

                                info_ret.push(Info::new(
-                                    &path,
+                                    path,
                                    mcg.id as usize,
                                    *numa_id as usize,
                                    numa,
@@ -718,7 +704,7 @@ impl MemCgroups {
                    }
                }

-                if info_ret.len() > 0 {
+                if !info_ret.is_empty() {
                    infos_ret.push((single_config.clone(), info_ret));
                }
            }
@@ -809,7 +795,7 @@ impl MemCgroups {
    pub fn get_remaining_tokio_duration(&self) -> TokioDuration {
        let mut ret = TokioDuration::MAX;

-        for (_, secs_map) in &self.config_map {
+        for secs_map in self.config_map.values() {
            let cur = secs_map.timeout.remaining_tokio_duration();

            trace!(
@@ -822,7 +808,7 @@ impl MemCgroups {
                // check secs_map, make sure it has enabled config
                let mut has_enable_config = false;

-                for (single_config, _) in &secs_map.cgs {
+                for single_config in secs_map.cgs.keys() {
                    if !single_config.disabled {
                        has_enable_config = true;
                        break;
@@ -855,11 +841,7 @@ impl MemCgroups {
            let cur_path = format_path(&path);
            let should_del = if let Some(configs) = self.config.cgroups.get_mut(&cur_path) {
                configs.retain(|cfg| cfg.numa_id != numa);
-                if configs.is_empty() {
-                    true
-                } else {
-                    false
-                }
+                configs.is_empty()
            } else {
                false
            };
@@ -888,8 +870,10 @@ impl MemCgroups {
                        }
                    }

-                    let mut numa_cg = CgroupConfig::default();
-                    numa_cg.numa_id = numa;
+                    let mut numa_cg = CgroupConfig {
+                        numa_id: numa,
+                        ..Default::default()
+                    };
                    numa_cg.set(&oc);

                    numa_cgs.push(numa_cg);
@@ -1024,7 +1008,7 @@ impl MemCG {

        let mut mgs = self.memcgs.blocking_write();

-        if target_paths.len() == 0 {
+        if target_paths.is_empty() {
            mgs.remove_changed(&mg_hash);
        }
        mgs.update_and_add(&mg_hash, true);
@@ -1032,7 +1016,7 @@ impl MemCG {
        Ok(())
    }

-    fn run_aging(&mut self, config_infov: &mut Vec<(SingleConfig, Vec<Info>)>) {
+    fn run_aging(&mut self, config_infov: &mut [(SingleConfig, Vec<Info>)]) {
        for (config, infov) in config_infov.iter_mut() {
            debug!("run_aging_single_config {:?}", config);
            self.run_aging_single_config(infov, config.swap);
@@ -1094,10 +1078,10 @@ impl MemCG {
        c as u8
    }

-    fn run_eviction(&mut self, config_infov: &mut Vec<(SingleConfig, Vec<Info>)>) -> Result<()> {
+    fn run_eviction(&mut self, config_infov: &mut [(SingleConfig, Vec<Info>)]) -> Result<()> {
        for (config, infov) in config_infov.iter_mut() {
            debug!("run_eviction_single_config {:?}", config);
-            self.run_eviction_single_config(infov, &config)?;
+            self.run_eviction_single_config(infov, config)?;
        }

        Ok(())
@@ -1119,7 +1103,7 @@ impl MemCG {
        }

        let psi_path = self.memcgs.blocking_read().config.psi_path.clone();
-        for info in infov.into_iter() {
+        for info in infov.iter_mut() {
            info.eviction = Some(EvictionInfo {
                psi: psi::Period::new(&psi_path.join(info.path.trim_start_matches('/')), false),
                last_min_lru_file: 0,
@@ -1135,7 +1119,7 @@ impl MemCG {

        let mut ret = Ok(());

-        'main_loop: while infov.len() != 0 {
+        'main_loop: while !infov.is_empty() {
            // update infov
            let path_set: HashSet<String> = infov.iter().map(|info| info.path.clone()).collect();
            match self.refresh(&path_set) {
@@ -1212,16 +1196,14 @@ impl MemCG {
                        );
                        ei.file_page_count += released;

-                        if !ei.only_swap_mode {
-                            if ci.min_lru_file == 0 {
-                                info!(
-                                "{} {} run_eviction stop because min_lru_file is 0, release {} {} pages",
-                                ci.path, ci.numa_id, ei.anon_page_count, ei.file_page_count,
-                            );
-                                ei.stop_reason = EvictionStopReason::NoMinLru;
-                                removed_infov.push(infov.remove(i));
-                                continue;
-                            }
+                        if !ei.only_swap_mode && ci.min_lru_file == 0 {
+                            info!(
+                            "{} {} run_eviction stop because min_lru_file is 0, release {} {} pages",
+                            ci.path, ci.numa_id, ei.anon_page_count, ei.file_page_count,
+                        );
+                            ei.stop_reason = EvictionStopReason::NoMinLru;
+                            removed_infov.push(infov.remove(i));
+                            continue;
                        }

                        let percent = match ei.psi.get_percent() {
@@ -1314,7 +1296,7 @@ impl MemCG {
        }

        let mut mgs = self.memcgs.blocking_write();
-        mgs.record_eviction(&infov);
+        mgs.record_eviction(infov);
        mgs.record_eviction(&removed_infov);

        ret
@@ -1353,12 +1335,15 @@ impl MemCG {
    }
 }

+#[cfg(test)]
 mod tests {
    #[allow(unused_imports)]
    use super::*;
+    use test_utils::skip_if_not_root;

    #[test]
    fn test_memcg_swap_not_available() {
+        skip_if_not_root!();
        let is_cg_v2 = crate::cgroup::is_cgroup_v2().unwrap();
        let m = MemCG::new(is_cg_v2, Config::default()).unwrap();
        assert!(m.swap_not_available().is_ok());
@@ -1366,6 +1351,7 @@ mod tests {

    #[test]
    fn test_memcg_get_swappiness() {
+        skip_if_not_root!();
        let is_cg_v2 = crate::cgroup::is_cgroup_v2().unwrap();
        let m = MemCG::new(is_cg_v2, Config::default()).unwrap();
        assert_eq!(m.get_swappiness(100, 50), 133);
@@ -1373,8 +1359,9 @@ mod tests {

    #[test]
    fn test_memcg_get_timeout_list() {
+        skip_if_not_root!();
        let is_cg_v2 = crate::cgroup::is_cgroup_v2().unwrap();
        let m = MemCG::new(is_cg_v2, Config::default()).unwrap();
-        assert_eq!(m.get_timeout_list().len() > 0, true);
+        assert!(!m.get_timeout_list().is_empty());
    }
 }
--- a/src/libs/mem-agent/src/mglru.rs
+++ b/src/libs/mem-agent/src/mglru.rs
@@ -26,7 +26,8 @@ fn lru_gen_head_parse(line: &str) -> Result<(usize, String)> {
        return Err(anyhow!("line {} format is not right", line));
    }

-    let id = usize::from_str_radix(words[1], 10)
+    let id = words[1]
+        .parse::<usize>()
        .map_err(|e| anyhow!("parse line {} failed: {}", line, e))?;

    Ok((id, words[2].to_string()))
@@ -77,7 +78,7 @@ impl MGenLRU {
 fn lru_gen_lines_parse(reader: &mut BufReader<File>) -> Result<(String, HashMap<usize, MGenLRU>)> {
    let mut line = String::new();
    let mut ret_hash = HashMap::new();
-    while line.len() > 0
+    while !line.is_empty()
        || reader
            .read_line(&mut line)
            .map_err(|e| anyhow!("read file {} failed: {}", LRU_GEN_PATH, e))?
@@ -86,7 +87,8 @@ fn lru_gen_lines_parse(reader: &mut BufReader<File>) -> Result<(String, HashMap<
        let words: Vec<&str> = line.split_whitespace().map(|word| word.trim()).collect();
        if words.len() == 2 && words[0] == "node" {
            // Got a new node
-            let node_id = usize::from_str_radix(words[1], 10)
+            let node_id = words[1]
+                .parse::<usize>()
                .map_err(|e| anyhow!("parse line {} failed: {}", line, e))?;
            let (ret_line, node_size) = lru_gen_seq_lines_parse(reader)
                .map_err(|e| anyhow!("lru_gen_seq_lines_parse failed: {}", e))?;
@@ -108,7 +110,7 @@ fn str_to_u64(str: &str) -> Result<u64> {
        warn!("{} format {} is not right", LRU_GEN_PATH, str);
        return Ok(0);
    }
-    Ok(u64::from_str_radix(str, 10)?)
+    Ok(str.parse::<u64>()?)
 }

 //result:
@@ -129,7 +131,8 @@ fn lru_gen_seq_lines_parse(reader: &mut BufReader<File>) -> Result<(String, Opti
            break;
        }

-        let msecs = i64::from_str_radix(words[1], 10)
+        let msecs = words[1]
+            .parse::<i64>()
            .map_err(|e| anyhow!("parse line {} failed: {}", line, e))?;
        // Use milliseconds because will got build error with try_milliseconds.
        #[allow(deprecated)]
@@ -138,11 +141,12 @@ fn lru_gen_seq_lines_parse(reader: &mut BufReader<File>) -> Result<(String, Opti
        let mut gen = GenLRU::new();
        gen.birth = birth;

-        gen.seq = u64::from_str_radix(words[0], 10)
+        gen.seq = words[0]
+            .parse::<u64>()
            .map_err(|e| anyhow!("parse line {} failed: {}", line, e))?;
-        gen.anon = str_to_u64(&words[2 + WORKINGSET_ANON])
+        gen.anon = str_to_u64(words[2 + WORKINGSET_ANON])
            .map_err(|e| anyhow!("parse line {} failed: {}", line, e))?;
-        gen.file = str_to_u64(&words[2 + WORKINGSET_FILE])
+        gen.file = str_to_u64(words[2 + WORKINGSET_FILE])
            .map_err(|e| anyhow!("parse line {} failed: {}", line, e))?;

        if !got {
@@ -173,14 +177,15 @@ fn lru_gen_seq_lines_parse(reader: &mut BufReader<File>) -> Result<(String, Opti
 // HashMap<node_id, MGenLRU> will be empty.
 //result:
 // HashMap<path, (id, HashMap<node_id, MGenLRU>)>
+#[allow(clippy::type_complexity)]
 fn lru_gen_file_parse(
-    mut reader: &mut BufReader<File>,
+    reader: &mut BufReader<File>,
    target_patchs: &HashSet<String>,
    parse_line: bool,
 ) -> Result<HashMap<String, (usize, HashMap<usize, MGenLRU>)>> {
    let mut line = String::new();
    let mut ret_hash = HashMap::new();
-    while line.len() > 0
+    while !line.is_empty()
        || reader
            .read_line(&mut line)
            .map_err(|e| anyhow!("read file {} failed: {}", LRU_GEN_PATH, e))?
@@ -189,9 +194,9 @@ fn lru_gen_file_parse(
        let mut clear_line = true;
        // Not handle the Err of lru_gen_head_parse because all lines of file will be checked.
        if let Ok((id, path)) = lru_gen_head_parse(&line) {
-            if target_patchs.len() == 0 || target_patchs.contains(&path) {
+            if target_patchs.is_empty() || target_patchs.contains(&path) {
                let seq_data = if parse_line {
-                    let (ret_line, data) = lru_gen_lines_parse(&mut reader).map_err(|e| {
+                    let (ret_line, data) = lru_gen_lines_parse(reader).map_err(|e| {
                        anyhow!(
                            "lru_gen_seq_lines_parse file {} failed: {}",
                            LRU_GEN_PATH,
@@ -222,6 +227,7 @@ fn lru_gen_file_parse(
    Ok(ret_hash)
 }

+#[allow(clippy::type_complexity)]
 fn file_parse(
    target_patchs: &HashSet<String>,
    parse_line: bool,
@@ -236,6 +242,7 @@ fn file_parse(

 //result:
 // HashMap<path, (id, ino, HashMap<node_id, MGenLRU>)>
+#[allow(clippy::type_complexity)]
 pub fn host_memcgs_get(
    target_patchs: &HashSet<String>,
    parse_line: bool,
@@ -276,8 +283,8 @@ pub fn check() -> Result<()> {
    let content = fs::read_to_string(LRU_GEN_ENABLED_PATH)
        .map_err(|e| anyhow!("open file {} failed: {}", LRU_GEN_ENABLED_PATH, e))?;
    let content = content.trim();
-    let r = if content.starts_with("0x") {
-        u32::from_str_radix(&content[2..], 16)
+    let r = if let Some(stripped) = content.strip_prefix("0x") {
+        u32::from_str_radix(stripped, 16)
    } else {
        content.parse()
    };
@@ -336,9 +343,7 @@ mod tests {
    use maplit::hashmap;
    use once_cell::sync::OnceCell;
    use slog::{Drain, Level, Logger};
-    use slog_async;
    use slog_scope::set_global_logger;
-    use slog_term;
    use std::collections::HashMap;
    use std::fs;
    use std::fs::File;
--- a/src/libs/mem-agent/src/misc.rs
+++ b/src/libs/mem-agent/src/misc.rs
@@ -9,35 +9,35 @@ pub fn sl() -> slog::Logger {
 #[macro_export]
 macro_rules! error {
    ($($arg:tt)*) => {
-        slog::error!(crate::misc::sl(), "{}", format_args!($($arg)*))
+        slog::error!($crate::misc::sl(), "{}", format_args!($($arg)*))
    }
 }

 #[macro_export]
 macro_rules! warn {
    ($($arg:tt)*) => {
-        slog::warn!(crate::misc::sl(), "{}", format_args!($($arg)*))
+        slog::warn!($crate::misc::sl(), "{}", format_args!($($arg)*))
    }
 }

 #[macro_export]
 macro_rules! info {
    ($($arg:tt)*) => {
-        slog::info!(crate::misc::sl(), "{}", format_args!($($arg)*))
+        slog::info!($crate::misc::sl(), "{}", format_args!($($arg)*))
    }
 }

 #[macro_export]
 macro_rules! trace {
    ($($arg:tt)*) => {
-        slog::trace!(crate::misc::sl(), "{}", format_args!($($arg)*))
+        slog::trace!($crate::misc::sl(), "{}", format_args!($($arg)*))
    }
 }

 #[macro_export]
 macro_rules! debug {
    ($($arg:tt)*) => {
-        slog::debug!(crate::misc::sl(), "{}", format_args!($($arg)*))
+        slog::debug!($crate::misc::sl(), "{}", format_args!($($arg)*))
    }
 }

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .21.0
 .22.0