gatekeeper: Remove csi-kata-directvolume build from required tests

Since we don't build that anymore. Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
Revert "ci: Add no-op step to compile CSI driver"
2026-03-11 07:12:10 +00:00 · 2026-03-10 13:52:22 -05:00 · 2026-03-10 13:51:21 -05:00 · 2026-03-10 13:51:21 -05:00 · 2026-03-10 13:51:21 -05:00 · 2026-03-10 10:39:40 -05:00
437 changed files with 44275 additions and 6358 deletions
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -28,3 +28,9 @@ self-hosted-runner:
    - s390x-large
    - tdx
    - ubuntu-24.04-arm
+
+paths:
+  .github/workflows/**/*.{yml,yaml}:
+    ignore:
+      # We use if: false to "temporarily" skip jobs with issues
+      - 'constant expression "false" in condition'
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -15,6 +15,8 @@ updates:
      - "/src/tools/trace-forwarder"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 7
    ignore:
    # rust-vmm repos might cause incompatibilities on patch versions, so
    # lets handle them manually for now.
@@ -85,8 +87,12 @@ updates:
      - "src/tools/csi-kata-directvolume"
    schedule:
      interval: "daily"
+    cooldown:
+      default-days: 7

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
+    cooldown:
+      default-days: 7
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -13,18 +13,13 @@ concurrency:
 jobs:
  run-actionlint:
    name: run-actionlint
-    env:
-      GH_TOKEN: ${{ github.token }}
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

-      - name: Install actionlint gh extension
-        run: gh extension install https://github.com/cschleiden/gh-actionlint
-
      - name: Run actionlint
-        run:  gh actionlint
+        uses: raven-actions/actionlint@e01d1ea33dd6a5ed517d95b4c0c357560ac6f518  # v2.1.1
--- a/.github/workflows/basic-ci-amd64.yaml
+++ b/.github/workflows/basic-ci-amd64.yaml
@@ -47,6 +47,23 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

+      - name: Install yq
+        run: |
+          ./ci/install_yq.sh
+        env:
+          INSTALL_IN_GOPATH: false
+
+      - name: Read properties from versions.yaml
+        run: |
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
      - name: Install dependencies
        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
        env:
--- a/.github/workflows/basic-ci-s390x.yaml
+++ b/.github/workflows/basic-ci-s390x.yaml
@@ -47,8 +47,25 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

+      - name: Install yq
+        run: |
+          ./ci/install_yq.sh
+        env:
+          INSTALL_IN_GOPATH: false
+
+      - name: Read properties from versions.yaml
+        run: |
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
      - name: Install dependencies
-        run: bash tests/integration/cri-containerd/gha-run.sh
+        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
        env:
          GH_TOKEN: ${{ github.token }}

--- a/.github/workflows/build-checks-preview-riscv64.yaml
+++ b/.github/workflows/build-checks-preview-riscv64.yaml
@@ -82,11 +82,17 @@ jobs:
          ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false
-      - name: Install golang
+      - name: Read properties from versions.yaml
        if: contains(matrix.component.needs, 'golang')
        run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        if: contains(matrix.component.needs, 'golang')
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
      - name: Setup rust
        if: contains(matrix.component.needs, 'rust')
        run: |
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
@@ -94,11 +94,19 @@ jobs:
          ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false
-      - name: Install golang
+      - name: Read properties from versions.yaml
        if: contains(matrix.component.needs, 'golang')
        run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        if: contains(matrix.component.needs, 'golang')
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
+          architecture: ${{ contains(inputs.instance, 'ppc64le') && 'ppc64le' || '' }}
      - name: Setup rust
        if: contains(matrix.component.needs, 'rust')
        run: |
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -143,7 +143,7 @@ jobs:
          if-no-files-found: error

      - name: store-extratarballs-artifact ${{ matrix.asset }}
-        if: ${{ matrix.asset == 'kernel' || startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
+        if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}-modules${{ inputs.tarball-suffix }}
@@ -235,7 +235,6 @@ jobs:
        asset:
          - busybox
          - coco-guest-components
-          - kernel-modules
          - kernel-nvidia-gpu-modules
          - pause-image
    steps:
@@ -368,7 +367,6 @@ jobs:
      matrix:
        asset:
          - agent-ctl
-          - csi-kata-directvolume
          - genpolicy
          - kata-ctl
          - kata-manager
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -120,15 +120,6 @@ jobs:
          retention-days: 15
          if-no-files-found: error

-      - name: store-extratarballs-artifact ${{ matrix.asset }}
-        if: ${{ matrix.asset == 'kernel' }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-s390x-${{ matrix.asset }}-modules${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}-modules.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
  build-asset-rootfs:
    name: build-asset-rootfs
    runs-on: s390x
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@@ -17,6 +17,7 @@ jobs:
      pr-number: "dev"
      tag: ${{ github.sha }}-dev
      target-branch: ${{ github.ref_name }}
+      extensive-matrix-autogenerated-policy: "yes"

    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -22,6 +22,7 @@ jobs:
      pr-number: "nightly"
      tag: ${{ github.sha }}-nightly
      target-branch: ${{ github.ref_name }}
+      extensive-matrix-autogenerated-policy: "yes"
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
      AZ_APPID: ${{ secrets.AZ_APPID }}
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -19,6 +19,10 @@ on:
        required: false
        type: string
        default: no
+      extensive-matrix-autogenerated-policy:
+        required: false
+        type: string
+        default: no
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD:
        required: true
@@ -212,61 +216,6 @@ jobs:
          platforms: linux/amd64, linux/s390x
          file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile

-  publish-csi-driver-amd64:
-    name: publish-csi-driver-amd64
-    needs: build-kata-static-tarball-amd64
-    permissions:
-      contents: read
-      packages: write
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-kata-tools-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-tools-static-tarball-amd64-${{ inputs.tag }}
-          path: kata-tools-artifacts
-
-      - name: Install kata-tools
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
-
-      - name: Copy binary into Docker context
-        run: |
-          # Copy to the location where the Dockerfile expects the binary.
-          mkdir -p src/tools/csi-kata-directvolume/bin/
-          cp /opt/kata/bin/csi-kata-directvolume src/tools/csi-kata-directvolume/bin/directvolplugin
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-
-      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Docker build and push
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
-        with:
-          tags: ghcr.io/kata-containers/csi-kata-directvolume:${{ inputs.pr-number }}
-          push: true
-          context: src/tools/csi-kata-directvolume/
-          platforms: linux/amd64
-          file: src/tools/csi-kata-directvolume/Dockerfile
-
  run-kata-monitor-tests:
    if: ${{ inputs.skip-test != 'yes' }}
    needs: build-kata-static-tarball-amd64
@@ -297,6 +246,21 @@ jobs:
      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}

+  run-k8s-tests-on-free-runner:
+    if: ${{ inputs.skip-test != 'yes' }}
+    needs: publish-kata-deploy-payload-amd64
+    permissions:
+      contents: read
+    uses: ./.github/workflows/run-k8s-tests-on-free-runner.yaml
+    with:
+      tarball-suffix: -${{ inputs.tag }}
+      registry: ghcr.io
+      repo: ${{ github.repository_owner }}/kata-deploy-ci
+      tag: ${{ inputs.tag }}-amd64
+      commit-hash: ${{ inputs.commit-hash }}
+      pr-number: ${{ inputs.pr-number }}
+      target-branch: ${{ inputs.target-branch }}
+
  run-k8s-tests-on-arm64:
    if: ${{ inputs.skip-test != 'yes' }}
    needs: publish-kata-deploy-payload-arm64
@@ -330,7 +294,6 @@ jobs:
    needs:
     - publish-kata-deploy-payload-amd64
     - build-and-publish-tee-confidential-unencrypted-image
-     - publish-csi-driver-amd64
    uses: ./.github/workflows/run-kata-coco-tests.yaml
    permissions:
      contents: read
@@ -343,6 +306,7 @@ jobs:
      commit-hash: ${{ inputs.commit-hash }}
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}
+      extensive-matrix-autogenerated-policy: ${{ inputs.extensive-matrix-autogenerated-policy }}
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
      AZ_APPID: ${{ secrets.AZ_APPID }}
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -72,7 +72,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
      with:
        languages: ${{ matrix.language }}
        build-mode: ${{ matrix.build-mode }}
@@ -95,6 +95,6 @@ jobs:
        make -C src/runtime

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
      with:
        category: "/language:${{matrix.language}}"
--- a/.github/workflows/darwin-tests.yaml
+++ b/.github/workflows/darwin-tests.yaml
@@ -31,10 +31,22 @@ jobs:
      with:
        persist-credentials: false

-    - name: Install golang
+    - name: Install yq
      run: |
-        ./tests/install_go.sh -f -p
-        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
+        ./ci/install_yq.sh
+      env:
+        INSTALL_IN_GOPATH: false
+
+    - name: Read properties from versions.yaml
+      run: |
+        go_version="$(yq '.languages.golang.version' versions.yaml)"
+        [ -n "$go_version" ]
+        echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+    - name: Setup Golang version ${{ env.GO_VERSION }}
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      with:
+        go-version: ${{ env.GO_VERSION }}

    - name: Install Rust
      run: ./tests/install_rust.sh
--- a/.github/workflows/docs-url-alive-check.yaml
+++ b/.github/workflows/docs-url-alive-check.yaml
@@ -24,10 +24,22 @@ jobs:
        fetch-depth: 0
        persist-credentials: false

-    - name: Install golang
+    - name: Install yq
      run: |
-        ./tests/install_go.sh -f -p
-        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
+        ./ci/install_yq.sh
+      env:
+        INSTALL_IN_GOPATH: false
+
+    - name: Read properties from versions.yaml
+      run: |
+        go_version="$(yq '.languages.golang.version' versions.yaml)"
+        [ -n "$go_version" ]
+        echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+    - name: Setup Golang version ${{ env.GO_VERSION }}
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+      with:
+        go-version: ${{ env.GO_VERSION }}

    - name: Docs URL Alive Check
      run: |
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -16,17 +16,17 @@ jobs:
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/configure-pages@v5
-      - uses: actions/checkout@v5
+      - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: 3.x
      - run: pip install zensical
      - run: zensical build --clean
-      - uses: actions/upload-pages-artifact@v4
+      - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
        with:
          path: site
-      - uses: actions/deploy-pages@v4
+      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
        id: deployment
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -27,10 +27,22 @@ jobs:
          fetch-depth: 0
          persist-credentials: false

-      - name: Install golang
+      - name: Install yq
        run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
+          ./ci/install_yq.sh
+        env:
+          INSTALL_IN_GOPATH: false
+
+      - name: Read properties from versions.yaml
+        run: |
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}

      - name: Install govulncheck
        run: |
--- a/.github/workflows/run-cri-containerd-tests.yaml
+++ b/.github/workflows/run-cri-containerd-tests.yaml
@@ -35,8 +35,6 @@ on:
 jobs:
  run-cri-containerd:
    name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})
-    strategy:
-      fail-fast: false
    runs-on: ${{ inputs.runner }}
    env:
      CONTAINERD_VERSION: ${{ inputs.containerd_version }}
@@ -55,6 +53,25 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

+      - name: Install yq
+        run: |
+          ./ci/install_yq.sh
+        env:
+          INSTALL_IN_GOPATH: false
+
+      - name: Read properties from versions.yaml
+        run: |
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
+          architecture: ${{ inputs.arch == 'ppc64le' && 'ppc64le' || '' }}
+
      - name: Install dependencies
        timeout-minutes: 15
        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -42,17 +42,6 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        host_os:
-          - ubuntu
-        vmm:
-          - clh
-          - dragonball
-          - qemu
-          - qemu-runtime-rs
-          - cloud-hypervisor
-        instance-type:
-          - small
-          - normal
        include:
          - host_os: cbl-mariner
            vmm: clh
@@ -80,6 +69,7 @@ jobs:
      KUBERNETES: "vanilla"
      K8S_TEST_HOST_TYPE: ${{ matrix.instance-type }}
      GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }}
+      RUNS_ON_AKS: "true"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
--- a/.github/workflows/run-k8s-tests-on-free-runner.yaml
+++ b/.github/workflows/run-k8s-tests-on-free-runner.yaml
@@ -0,0 +1,127 @@
+# Run Kubernetes integration tests on free GitHub runners  with a locally
+# deployed cluster (kubeadm).
+name: CI | Run kubernetes tests on free runner
+on:
+  workflow_call:
+    inputs:
+      tarball-suffix:
+        required: false
+        type: string
+      registry:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
+      tag:
+        required: true
+        type: string
+      pr-number:
+        required: true
+        type: string
+      commit-hash:
+        required: false
+        type: string
+      target-branch:
+        required: false
+        type: string
+        default: ""
+
+permissions: {}
+
+jobs:
+  run-k8s-tests:
+    name: run-k8s-tests
+    strategy:
+      fail-fast: false
+      matrix:
+        environment: [
+          { vmm: clh, containerd_version: lts },
+          { vmm: clh, containerd_version: active },
+          { vmm: dragonball, containerd_version: lts },
+          { vmm: dragonball, containerd_version: active },
+          { vmm: qemu, containerd_version: lts },
+          { vmm: qemu, containerd_version: active },
+          { vmm: qemu-runtime-rs, containerd_version: lts },
+          { vmm: qemu-runtime-rs, containerd_version: active },
+          { vmm: cloud-hypervisor, containerd_version: lts },
+          { vmm: cloud-hypervisor, containerd_version: active },
+        ]
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    env:
+      DOCKER_REGISTRY: ${{ inputs.registry }}
+      DOCKER_REPO: ${{ inputs.repo }}
+      DOCKER_TAG: ${{ inputs.tag }}
+      GH_PR_NUMBER: ${{ inputs.pr-number }}
+      KATA_HOST_OS: ubuntu
+      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
+      KUBERNETES: vanilla
+      K8S_TEST_HOST_TYPE: baremetal-no-attestation
+      CONTAINER_ENGINE: containerd
+      CONTAINER_ENGINE_VERSION: ${{ matrix.environment.containerd_version }}
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
+      - name: Remove unnecessary directories to free up space
+        run: |
+          sudo rm -rf /usr/local/.ghcup
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /usr/local/share/boost
+          sudo rm -rf /usr/lib/jvm
+          sudo rm -rf /usr/share/swift
+          sudo rm -rf /usr/local/share/powershell
+          sudo rm -rf /usr/local/julia*
+          sudo rm -rf /opt/az
+          sudo rm -rf /usr/local/share/chromium
+          sudo rm -rf /opt/microsoft
+          sudo rm -rf /opt/google
+          sudo rm -rf /usr/lib/firefox
+
+      - name: Deploy k8s (kubeadm)
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
+
+      - name: Install `bats`
+        run: bash tests/integration/kubernetes/gha-run.sh install-bats
+
+      - name: Deploy Kata
+        timeout-minutes: 20
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+
+      - name: Run tests
+        timeout-minutes: 60
+        run: bash tests/integration/kubernetes/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
+      - name: Delete kata-deploy
+        if: always()
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup
+
--- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml
+++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
@@ -57,10 +57,24 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

-      - name: Install golang
+      - name: Install yq
        run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
+          ./ci/install_yq.sh
+        env:
+          INSTALL_IN_GOPATH: false
+
+      - name: Read properties from versions.yaml
+        run: |
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          # Setup-go doesn't work properly with ppc64le: https://github.com/actions/setup-go/issues/648
+          architecture: 'ppc64le'

      - name: Prepare the runner for k8s test suite
        run: bash "${HOME}/scripts/k8s_cluster_prepare.sh"
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -24,6 +24,10 @@ on:
        required: false
        type: string
        default: ""
+      extensive-matrix-autogenerated-policy:
+        required: false
+        type: string
+        default: no
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD:
        required: true
@@ -106,10 +110,6 @@ jobs:
        timeout-minutes: 10
        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client

-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
-
      - name: Run tests
        timeout-minutes: 100
        run: bash tests/integration/kubernetes/gha-run.sh run-tests
@@ -130,175 +130,42 @@ jobs:
          [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && echo "ITA_KEY=${GH_ITA_KEY}" >> "${GITHUB_ENV}"
          bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs

-      - name: Delete CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
-
  # Generate jobs for testing CoCo on non-TEE environments
  run-k8s-tests-coco-nontee:
    name: run-k8s-tests-coco-nontee
    strategy:
      fail-fast: false
      matrix:
-        vmm:
-          - qemu-coco-dev
-          - qemu-coco-dev-runtime-rs
-        snapshotter:
-          - nydus
-        pull-type:
-          - guest-pull
-        include:
-          - pull-type: experimental-force-guest-pull
-            vmm: qemu-coco-dev
-            snapshotter: ""
-    runs-on: ubuntu-22.04
+        environment: [
+          { vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
+          { vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
+          { vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
+        ]
+    runs-on: ubuntu-24.04
    permissions:
-      id-token: write # Used for OIDC access to log into Azure
+      contents: read
    environment: ci
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
      DOCKER_REPO: ${{ inputs.repo }}
      DOCKER_TAG: ${{ inputs.tag }}
      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
+      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
      # Some tests rely on that variable to run (or not)
      KBS: "true"
      # Set the KBS ingress handler (empty string disables handling)
-      KBS_INGRESS: "aks"
+      KBS_INGRESS: "nodeport"
      KUBERNETES: "vanilla"
-      PULL_TYPE: ${{ matrix.pull-type }}
+      PULL_TYPE: ${{ matrix.environment.pull_type }}
      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.pull-type == 'experimental-force-guest-pull' && matrix.vmm || '' }}
-      # Caution: current ingress controller used to expose the KBS service
-      # requires much vCPUs, lefting only a few for the tests. Depending on the
-      # host type chose it will result on the creation of a cluster with
-      # insufficient resources.
+      SNAPSHOTTER: ${{ matrix.environment.snapshotter }}
+      EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.pull_type == 'experimental-force-guest-pull' && matrix.environment.vmm || '' }}
+      AUTO_GENERATE_POLICY: "yes"
      K8S_TEST_HOST_TYPE: "all"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-kata-tools-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-tools-artifacts
-
-      - name: Install kata-tools
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
-
-      - name: Log into the Azure account
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
-        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-      - name: Create AKS cluster
-        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
-        with:
-          timeout_minutes: 15
-          max_attempts: 20
-          retry_on: error
-          retry_wait_seconds: 10
-          command: bash tests/integration/kubernetes/gha-run.sh create-cluster
-
-      - name: Install `bats`
-        run: bash tests/integration/kubernetes/gha-run.sh install-bats
-
-      - name: Install `kubectl`
-        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
-        with:
-          version: 'latest'
-
-      - name: Download credentials for the Kubernetes CLI to use them
-        run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
-
-      - name: Deploy Kata
-        timeout-minutes: 20
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
-        env:
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ env.SNAPSHOTTER == 'nydus' }}
-          AUTO_GENERATE_POLICY: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && 'no' || 'yes' }}
-
-      - name: Deploy CoCo KBS
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
-
-      - name: Install `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
-
-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
-
-      - name: Run tests
-        timeout-minutes: 80
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Report tests
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh report-tests
-
-      - name: Refresh OIDC token in case access token expired
-        if: always()
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
-        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-      - name: Delete AKS cluster
-        if: always()
-        timeout-minutes: 15
-        run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
-
-  # Generate jobs for testing CoCo on non-TEE environments with erofs-snapshotter
-  run-k8s-tests-coco-nontee-with-erofs-snapshotter:
-    name: run-k8s-tests-coco-nontee-with-erofs-snapshotter
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu-coco-dev
-        snapshotter:
-          - erofs
-        pull-type:
-          - default
-    runs-on: ubuntu-24.04
-    environment: ci
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      # Some tests rely on that variable to run (or not)
-      KBS: "false"
-      # Set the KBS ingress handler (empty string disables handling)
-      KBS_INGRESS: ""
-      KUBERNETES: "vanilla"
      CONTAINER_ENGINE: "containerd"
-      CONTAINER_ENGINE_VERSION: "v2.2"
-      PULL_TYPE: ${{ matrix.pull-type }}
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: "true"
-      K8S_TEST_HOST_TYPE: "all"
-      # We are skipping the auto generated policy tests for now,
-      # but those should be enabled as soon as we work on that.
-      AUTO_GENERATE_POLICY: "no"
+      CONTAINER_ENGINE_VERSION: "active"
+      GH_TOKEN: ${{ github.token }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@@ -342,8 +209,6 @@ jobs:
      - name: Deploy kubernetes
        timeout-minutes: 15
        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
-        env:
-          GH_TOKEN: ${{ github.token }}

      - name: Install `bats`
        run: bash tests/integration/kubernetes/gha-run.sh install-bats
@@ -351,10 +216,16 @@ jobs:
      - name: Deploy Kata
        timeout-minutes: 20
        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+        env:
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.snapshotter == 'nydus' }}

-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
+      - name: Deploy CoCo KBS
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+
+      - name: Install `kbs-client`
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client

      - name: Run tests
        timeout-minutes: 80
@@ -363,3 +234,233 @@ jobs:
      - name: Report tests
        if: always()
        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
+      - name: Delete kata-deploy
+        if: always()
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup
+
+      - name: Delete CoCo KBS
+        if: always()
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+
+  # Extensive matrix: autogenerated policy tests (nydus + experimental-force-guest-pull) on k0s, k3s, rke2, microk8s with qemu-coco-dev / qemu-coco-dev-runtime-rs
+  run-k8s-tests-coco-nontee-extensive-matrix:
+    if: ${{ inputs.extensive-matrix-autogenerated-policy == 'yes' }}
+    name: run-k8s-tests-coco-nontee-extensive-matrix
+    strategy:
+      fail-fast: false
+      matrix:
+        environment: [
+          { k8s: k0s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: k0s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
+          { k8s: k0s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: k3s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: k3s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
+          { k8s: k3s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: rke2, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: rke2, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
+          { k8s: rke2, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: microk8s, vmm: qemu-coco-dev, snapshotter: nydus, pull_type: guest-pull },
+          { k8s: microk8s, vmm: qemu-coco-dev, snapshotter: "", pull_type: experimental-force-guest-pull },
+          { k8s: microk8s, vmm: qemu-coco-dev-runtime-rs, snapshotter: nydus, pull_type: guest-pull },
+        ]
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    environment: ci
+    env:
+      DOCKER_REGISTRY: ${{ inputs.registry }}
+      DOCKER_REPO: ${{ inputs.repo }}
+      DOCKER_TAG: ${{ inputs.tag }}
+      GH_PR_NUMBER: ${{ inputs.pr-number }}
+      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
+      KBS: "true"
+      KBS_INGRESS: "nodeport"
+      KUBERNETES: ${{ matrix.environment.k8s }}
+      SNAPSHOTTER: ${{ matrix.environment.snapshotter }}
+      PULL_TYPE: ${{ matrix.environment.pull_type }}
+      EXPERIMENTAL_FORCE_GUEST_PULL: ${{ matrix.environment.pull_type == 'experimental-force-guest-pull' && matrix.environment.vmm || '' }}
+      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      AUTO_GENERATE_POLICY: "yes"
+      K8S_TEST_HOST_TYPE: "all"
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
+      - name: Remove unnecessary directories to free up space
+        run: |
+          sudo rm -rf /usr/local/.ghcup
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /usr/local/share/boost
+          sudo rm -rf /usr/lib/jvm
+          sudo rm -rf /usr/share/swift
+          sudo rm -rf /usr/local/share/powershell
+          sudo rm -rf /usr/local/julia*
+          sudo rm -rf /opt/az
+          sudo rm -rf /usr/local/share/chromium
+          sudo rm -rf /opt/microsoft
+          sudo rm -rf /opt/google
+          sudo rm -rf /usr/lib/firefox
+
+      - name: Deploy ${{ matrix.environment.k8s }}
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
+
+      - name: Install `bats`
+        run: bash tests/integration/kubernetes/gha-run.sh install-bats
+
+      - name: Deploy Kata
+        timeout-minutes: 20
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+        env:
+          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ matrix.environment.snapshotter == 'nydus' }}
+
+      - name: Deploy CoCo KBS
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+
+      - name: Install `kbs-client`
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+
+      - name: Run tests
+        timeout-minutes: 80
+        run: bash tests/integration/kubernetes/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
+      - name: Delete kata-deploy
+        if: always()
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup
+
+      - name: Delete CoCo KBS
+        if: always()
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+
+  # Generate jobs for testing CoCo on non-TEE environments with erofs-snapshotter
+  run-k8s-tests-coco-nontee-with-erofs-snapshotter:
+    name: run-k8s-tests-coco-nontee-with-erofs-snapshotter
+    strategy:
+      fail-fast: false
+      matrix:
+        vmm:
+          - qemu-coco-dev
+        snapshotter:
+          - erofs
+        pull-type:
+          - default
+    runs-on: ubuntu-24.04
+    environment: ci
+    env:
+      DOCKER_REGISTRY: ${{ inputs.registry }}
+      DOCKER_REPO: ${{ inputs.repo }}
+      DOCKER_TAG: ${{ inputs.tag }}
+      GH_PR_NUMBER: ${{ inputs.pr-number }}
+      KATA_HYPERVISOR: ${{ matrix.vmm }}
+      # Some tests rely on that variable to run (or not)
+      KBS: "false"
+      # Set the KBS ingress handler (empty string disables handling)
+      KBS_INGRESS: ""
+      KUBERNETES: "vanilla"
+      CONTAINER_ENGINE: "containerd"
+      CONTAINER_ENGINE_VERSION: "active"
+      PULL_TYPE: ${{ matrix.pull-type }}
+      SNAPSHOTTER: ${{ matrix.snapshotter }}
+      USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: "true"
+      K8S_TEST_HOST_TYPE: "all"
+      # We are skipping the auto generated policy tests for now,
+      # but those should be enabled as soon as we work on that.
+      AUTO_GENERATE_POLICY: "no"
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
+      - name: Remove unnecessary directories to free up space
+        run: |
+          sudo rm -rf /usr/local/.ghcup
+          sudo rm -rf /opt/hostedtoolcache/CodeQL
+          sudo rm -rf /usr/local/lib/android
+          sudo rm -rf /usr/share/dotnet
+          sudo rm -rf /opt/ghc
+          sudo rm -rf /usr/local/share/boost
+          sudo rm -rf /usr/lib/jvm
+          sudo rm -rf /usr/share/swift
+          sudo rm -rf /usr/local/share/powershell
+          sudo rm -rf /usr/local/julia*
+          sudo rm -rf /opt/az
+          sudo rm -rf /usr/local/share/chromium
+          sudo rm -rf /opt/microsoft
+          sudo rm -rf /opt/google
+          sudo rm -rf /usr/lib/firefox
+
+      - name: Deploy kubernetes
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
+
+      - name: Install `bats`
+        run: bash tests/integration/kubernetes/gha-run.sh install-bats
+
+      - name: Deploy Kata
+        timeout-minutes: 20
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+
+      - name: Run tests
+        timeout-minutes: 80
+        run: bash tests/integration/kubernetes/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
+      - name: Delete kata-deploy
+        if: always()
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -55,6 +55,6 @@ jobs:
      # Upload the results to GitHub's code scanning dashboard (optional).
      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.10
        with:
          sarif_file: results.sarif
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -126,11 +126,16 @@ jobs:
          ./ci/install_yq.sh
        env:
          INSTALL_IN_GOPATH: false
-      - name: Install golang
+      - name: Read properties from versions.yaml
        run: |
          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
+          go_version="$(yq '.languages.golang.version' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+      - name: Setup Golang version ${{ env.GO_VERSION }}
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
      - name: Install system dependencies
        run: |
          sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc
--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,6 @@ tools/packaging/static-build/agent/install_libseccomp.sh
 .direnv
 **/.DS_Store
 site/
+opt/
+tools/packaging/kernel/configs/**/.config
+root_hash.txt
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -44,9 +44,7 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "async-trait",
- "futures 0.1.31",
 "kata-types",
- "log",
 "logging",
 "nix 0.26.4",
 "oci-spec 0.8.3",
@@ -141,23 +139,12 @@ version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "435a87a52755b8f27fcf321ac4f04b2802e337c8c4872923137471ec39c37532"
 dependencies = [
- "event-listener 5.4.1",
+ "event-listener",
 "event-listener-strategy",
 "futures-core",
 "pin-project-lite",
 ]

-[[package]]
-name = "async-channel"
-version = "1.9.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81953c529336010edd6d8e358f886d9581267795c61b19475b71314bffa46d35"
-dependencies = [
- "concurrent-queue",
- "event-listener 2.5.3",
- "futures-core",
-]
-
 [[package]]
 name = "async-channel"
 version = "2.5.0"
@@ -184,21 +171,6 @@ dependencies = [
 "slab",
 ]

-[[package]]
-name = "async-global-executor"
-version = "2.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05b1b633a2115cd122d73b955eadd9916c18c8f510ec9cd1686404c60ad1c29c"
-dependencies = [
- "async-channel 2.5.0",
- "async-executor",
- "async-io",
- "async-lock",
- "blocking",
- "futures-lite",
- "once_cell",
-]
-
 [[package]]
 name = "async-io"
 version = "2.6.0"
@@ -223,7 +195,7 @@ version = "3.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5fd03604047cee9b6ce9de9f70c6cd540a0520c813cbd49bae61f33ab80ed1dc"
 dependencies = [
- "event-listener 5.4.1",
+ "event-listener",
 "event-listener-strategy",
 "pin-project-lite",
 ]
@@ -234,14 +206,14 @@ version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc50921ec0055cdd8a16de48773bfeec5c972598674347252c0399676be7da75"
 dependencies = [
- "async-channel 2.5.0",
+ "async-channel",
 "async-io",
 "async-lock",
 "async-signal",
 "async-task",
 "blocking",
 "cfg-if 1.0.0",
- "event-listener 5.4.1",
+ "event-listener",
 "futures-lite",
 "rustix 1.1.2",
 ]
@@ -275,32 +247,6 @@ dependencies = [
 "windows-sys 0.61.2",
 ]

-[[package]]
-name = "async-std"
-version = "1.13.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2c8e079a4ab67ae52b7403632e4618815d6db36d2a010cfe41b02c1b1578f93b"
-dependencies = [
- "async-channel 1.9.0",
- "async-global-executor",
- "async-io",
- "async-lock",
- "crossbeam-utils",
- "futures-channel",
- "futures-core",
- "futures-io",
- "futures-lite",
- "gloo-timers",
- "kv-log-macro",
- "log",
- "memchr",
- "once_cell",
- "pin-project-lite",
- "pin-utils",
- "slab",
- "wasm-bindgen-futures",
-]
-
 [[package]]
 name = "async-task"
 version = "4.7.1"
@@ -447,7 +393,7 @@ version = "1.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e83f8d02be6967315521be875afa792a316e28d57b5a2d401897e2a7921b7f21"
 dependencies = [
- "async-channel 2.5.0",
+ "async-channel",
 "async-task",
 "futures-io",
 "futures-lite",
@@ -644,29 +590,17 @@ dependencies = [
 "containerd-shim-protos",
 "kata-sys-util",
 "kata-types",
- "lazy_static",
 "nix 0.26.4",
 "oci-spec 0.8.3",
- "persist",
 "protobuf",
 "protocols",
 "resource",
 "runtime-spec",
- "serde_json",
- "slog",
- "slog-scope",
 "strum 0.24.1",
 "thiserror 1.0.48",
 "tokio",
- "ttrpc",
 ]

-[[package]]
-name = "common-path"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
-
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -711,7 +645,7 @@ dependencies = [
 "async-trait",
 "cgroups-rs 0.3.4",
 "containerd-shim-protos",
- "futures 0.3.28",
+ "futures",
 "go-flag",
 "lazy_static",
 "libc",
@@ -1044,7 +978,6 @@ dependencies = [
 "dbs-interrupt",
 "dbs-utils",
 "dbs-virtio-devices",
- "downcast-rs",
 "kvm-bindings",
 "kvm-ioctls",
 "libc",
@@ -1057,7 +990,6 @@ dependencies = [
 "vfio-ioctls",
 "virtio-queue",
 "vm-memory",
- "vmm-sys-util 0.11.1",
 ]

 [[package]]
@@ -1074,7 +1006,6 @@ dependencies = [
 name = "dbs-upcall"
 version = "0.3.0"
 dependencies = [
- "anyhow",
 "dbs-utils",
 "dbs-virtio-devices",
 "log",
@@ -1269,12 +1200,6 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1435fa1053d8b2fbbe9be7e97eca7f33d37b28409959813daefc1446a14247f1"

-[[package]]
-name = "downcast-rs"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ea835d29036a4087793836fa931b08837ad5e957da9e23886b29586fb9b6650"
-
 [[package]]
 name = "dragonball"
 version = "0.1.0"
@@ -1295,7 +1220,6 @@ dependencies = [
 "dbs-utils",
 "dbs-virtio-devices",
 "derivative",
- "fuse-backend-rs",
 "kvm-bindings",
 "kvm-ioctls",
 "lazy_static",
@@ -1350,6 +1274,18 @@ version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "66b7e2430c6dff6a955451e2cfc438f09cea1965a9d6f87f7e3b90decc014099"

+[[package]]
+name = "enum-as-inner"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
+dependencies = [
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.104",
+]
+
 [[package]]
 name = "enumflags2"
 version = "0.7.12"
@@ -1403,12 +1339,6 @@ dependencies = [
 "windows-sys 0.61.2",
 ]

-[[package]]
-name = "event-listener"
-version = "2.5.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0"
-
 [[package]]
 name = "event-listener"
 version = "5.4.1"
@@ -1426,7 +1356,7 @@ version = "0.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8be9f3dfaaffdae2972880079a491a1a8bb7cbed0b8dd7a347f668b4150a3b93"
 dependencies = [
- "event-listener 5.4.1",
+ "event-listener",
 "pin-project-lite",
 ]

@@ -1554,12 +1484,6 @@ dependencies = [
 "vmm-sys-util 0.11.1",
 ]

-[[package]]
-name = "futures"
-version = "0.1.31"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3a471a38ef8ed83cd6e40aa59c1ffe17db6855c18e3604d9c4ed8c08ebc28678"
-
 [[package]]
 name = "futures"
 version = "0.3.28"
@@ -1719,18 +1643,6 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"

-[[package]]
-name = "gloo-timers"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
-dependencies = [
- "futures-channel",
- "futures-core",
- "js-sys",
- "wasm-bindgen",
-]
-
 [[package]]
 name = "go-flag"
 version = "0.1.0"
@@ -1966,7 +1878,7 @@ dependencies = [
 "crossbeam-channel",
 "dbs-utils",
 "dragonball",
- "futures 0.3.28",
+ "futures",
 "go-flag",
 "hyper",
 "hyperlocal",
@@ -1977,10 +1889,8 @@ dependencies = [
 "libc",
 "logging",
 "nix 0.26.4",
- "oci-spec 0.8.3",
 "path-clean",
 "persist",
- "protobuf",
 "protocols",
 "qapi",
 "qapi-qmp",
@@ -1992,7 +1902,6 @@ dependencies = [
 "serde",
 "serde_json",
 "serial_test 2.0.0",
- "shim-interface",
 "slog",
 "slog-scope",
 "tempfile",
@@ -2269,8 +2178,6 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "byteorder",
- "chrono",
- "common-path",
 "fail",
 "hex",
 "kata-types",
@@ -2279,11 +2186,9 @@ dependencies = [
 "mockall",
 "nix 0.26.4",
 "oci-spec 0.8.3",
- "once_cell",
 "pci-ids",
 "rand 0.8.5",
 "runtime-spec",
- "safe-path 0.1.0",
 "serde",
 "serde_json",
 "slog",
@@ -2302,8 +2207,8 @@ dependencies = [
 "byte-unit",
 "flate2",
 "glob",
- "hex",
 "lazy_static",
+ "nix 0.26.4",
 "num_cpus",
 "oci-spec 0.8.3",
 "regex",
@@ -2314,18 +2219,10 @@ dependencies = [
 "sha2 0.10.9",
 "slog",
 "slog-scope",
+ "sysctl",
 "sysinfo",
 "thiserror 1.0.48",
- "toml 0.5.11",
-]
-
-[[package]]
-name = "kv-log-macro"
-version = "1.0.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0de8b303297635ad57c9f5059fd9cee7a47f8e8daa09df0fcd07dd39fb22977f"
-dependencies = [
- "log",
+ "toml",
 ]

 [[package]]
@@ -2646,7 +2543,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b65d130ee111430e47eed7896ea43ca693c387f097dd97376bffafbf25812128"
 dependencies = [
 "bytes",
- "futures 0.3.28",
+ "futures",
 "log",
 "netlink-packet-core",
 "netlink-sys",
@@ -2660,7 +2557,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "416060d346fbaf1f23f9512963e3e878f1a78e707cb699ba9215761754244307"
 dependencies = [
 "bytes",
- "futures 0.3.28",
+ "futures",
 "libc",
 "log",
 "tokio",
@@ -2817,7 +2714,7 @@ dependencies = [
 "log",
 "serde",
 "serde_json",
- "toml 0.5.11",
+ "toml",
 ]

 [[package]]
@@ -3044,7 +2941,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e785d273968748578931e4dc3b4f5ec86b26e09d9e0d66b55adda7fce742f7a"
 dependencies = [
 "async-trait",
- "futures 0.3.28",
+ "futures",
 "futures-executor",
 "headers",
 "http",
@@ -3212,11 +3109,9 @@ dependencies = [
 "async-trait",
 "kata-sys-util",
 "kata-types",
- "libc",
 "safe-path 0.1.0",
 "serde",
 "serde_json",
- "shim-interface",
 ]

 [[package]]
@@ -3626,7 +3521,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7b047adab56acc4948d4b9b58693c1f33fd13efef2d6bb5f0f66a47436ceada8"
 dependencies = [
 "bytes",
- "futures 0.3.28",
+ "futures",
 "log",
 "memchr",
 "qapi-qmp",
@@ -3908,11 +3803,10 @@ dependencies = [
 "agent",
 "anyhow",
 "async-trait",
- "bitflags 2.10.0",
 "byte-unit",
 "cgroups-rs 0.5.0",
 "flate2",
- "futures 0.3.28",
+ "futures",
 "hex",
 "hypervisor",
 "inotify",
@@ -3922,7 +3816,6 @@ dependencies = [
 "libc",
 "logging",
 "netlink-packet-route",
- "netlink-sys",
 "netns-rs",
 "nix 0.26.4",
 "oci-spec 0.8.3",
@@ -4007,7 +3900,6 @@ dependencies = [
 "common",
 "containerd-shim-protos",
 "go-flag",
- "logging",
 "nix 0.26.4",
 "runtimes",
 "shim",
@@ -4018,7 +3910,6 @@ dependencies = [
 name = "runtime-spec"
 version = "0.1.0"
 dependencies = [
- "libc",
 "serde",
 "serde_derive",
 "serde_json",
@@ -4031,8 +3922,8 @@ dependencies = [
 "agent",
 "anyhow",
 "common",
+ "containerd-shim-protos",
 "hyper",
- "hyperlocal",
 "hypervisor",
 "kata-sys-util",
 "kata-types",
@@ -4351,7 +4242,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1c789ec87f4687d022a2405cf46e0cd6284889f1839de292cadeb6c6019506f2"
 dependencies = [
 "dashmap",
- "futures 0.3.28",
+ "futures",
 "lazy_static",
 "log",
 "parking_lot",
@@ -4365,7 +4256,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0e56dd856803e253c8f298af3f4d7eb0ae5e23a737252cd90bb4f3b435033b2d"
 dependencies = [
 "dashmap",
- "futures 0.3.28",
+ "futures",
 "lazy_static",
 "log",
 "parking_lot",
@@ -4405,12 +4296,10 @@ dependencies = [
 "containerd-shim-protos",
 "kata-types",
 "logging",
- "persist",
 "runtimes",
 "slog",
 "slog-scope",
 "tokio",
- "tracing",
 "ttrpc",
 ]

@@ -4474,9 +4363,7 @@ dependencies = [
 "nix 0.26.4",
 "oci-spec 0.8.3",
 "protobuf",
- "rand 0.8.5",
 "runtime-spec",
- "runtimes",
 "serial_test 0.10.0",
 "service",
 "sha2 0.10.9",
@@ -4485,11 +4372,8 @@ dependencies = [
 "slog-scope",
 "slog-stdlog",
 "tempfile",
- "tests_utils",
 "thiserror 1.0.48",
 "tokio",
- "tracing",
- "tracing-opentelemetry",
 "unix_socket2",
 ]

@@ -4499,7 +4383,6 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "common",
- "logging",
 "runtimes",
 "tokio",
 ]
@@ -4793,6 +4676,20 @@ dependencies = [
 "syn 2.0.104",
 ]

+[[package]]
+name = "sysctl"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cca424247104946a59dacd27eaad296223b7feec3d168a6dd04585183091eb0b"
+dependencies = [
+ "bitflags 2.10.0",
+ "byteorder",
+ "enum-as-inner",
+ "libc",
+ "thiserror 2.0.12",
+ "walkdir",
+]
+
 [[package]]
 name = "sysinfo"
 version = "0.34.2"
@@ -5083,21 +4980,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "52a15c15b1bc91f90902347eff163b5b682643aff0c8e972912cca79bd9208dd"
 dependencies = [
 "bytes",
- "futures 0.3.28",
+ "futures",
 "libc",
 "tokio",
 "vsock",
 ]

-[[package]]
-name = "toml"
-version = "0.4.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "758664fc71a3a69038656bee8b6be6477d2a6c315a6b81f7081f591bffa4111f"
-dependencies = [
- "serde",
-]
-
 [[package]]
 name = "toml"
 version = "0.5.11"
@@ -5240,7 +5128,7 @@ dependencies = [
 "async-trait",
 "byteorder",
 "crossbeam",
- "futures 0.3.28",
+ "futures",
 "home",
 "libc",
 "log",
@@ -5442,16 +5330,13 @@ version = "0.1.0"
 dependencies = [
 "agent",
 "anyhow",
- "async-std",
 "async-trait",
 "awaitgroup",
 "common",
 "containerd-shim-protos",
- "futures 0.3.28",
 "hypervisor",
 "kata-sys-util",
 "kata-types",
- "lazy_static",
 "libc",
 "logging",
 "nix 0.26.4",
@@ -5467,7 +5352,6 @@ dependencies = [
 "slog-scope",
 "strum 0.24.1",
 "tokio",
- "toml 0.4.10",
 "tracing",
 "url",
 "uuid 1.18.1",
@@ -6100,7 +5984,7 @@ dependencies = [
 "async-trait",
 "blocking",
 "enumflags2",
- "event-listener 5.4.1",
+ "event-listener",
 "futures-core",
 "futures-lite",
 "hex",
--- a/docs/Limitations.md
+++ b/docs/Limitations.md
@@ -187,9 +187,10 @@ different compared to `runc` containers:
 into the guest and exposes it directly to the container.

 **Mounting guest devices**: When the source path of a hostPath volume is
-under `/dev`, and the path either corresponds to a host device or is not
-accessible by the Kata shim, the Kata agent bind mounts the source path
-directly from the *guest* filesystem into the container.
+under `/dev` (or `/dev` itself), and the path corresponds to a
+non-regular file (i.e., a device, directory, or any other special file)
+or is not accessible by the Kata shim, the Kata agent bind mounts the
+source path directly from the *guest* filesystem into the container.

 [runtime-config]: /src/runtime/README.md#configuration
 [k8s-hostpath]: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
@@ -226,6 +227,35 @@ Importantly, the default behavior to pass the host devices to a
 privileged container is not supported in Kata Containers and needs to be
 disabled, see [Privileged Kata Containers](how-to/privileged.md).

+## Guest pulled container images
+
+When using features like **nydus guest-pull**, set user/group IDs explicitly in the pod spec.
+If the ID values are omitted:
+
+- Your workload might be executed with unexpected user/group ID values, because image layers
+  may be unavailable to containerd, so image config (including user/group) is not applied.
+- If using policy or genpolicy, the generated policy may detect these unexpected values and
+  reject the creation of workload containers.
+
+Set `securityContext` explicitly. Use **pod-level** `spec.securityContext` (for Pods) or
+`spec.template.spec.securityContext` (for controllers like Deployments) and/or **container-level**
+`spec.containers[].securityContext`. Include at least:
+- `runAsUser` — primary user ID
+- `runAsGroup` — primary group ID
+- `fsGroup` — volume group ownership (often reflected as a supplemental group)
+- `supplementalGroups` — list of additional group IDs (if needed)
+
+Example:
+
+ ```yaml
+ # Explicit user/group/supplementary groups to support nydus guest-pull
+ securityContext:
+   runAsUser: 0
+   runAsGroup: 0
+   fsGroup: 0
+   supplementalGroups: [1, 2, 3, 4, 6, 10, 11, 20, 26, 27]
+ ```
+
 # Appendices

 ## The constraints challenge
--- a/docs/how-to/how-to-use-k8s-with-containerd-and-kata.md
+++ b/docs/how-to/how-to-use-k8s-with-containerd-and-kata.md
@@ -49,6 +49,8 @@ In order to allow Kubelet to use containerd (using the CRI interface), configure
  EOF
  ```

+  For Kata Containers (and especially CoCo / Confidential Containers tests), use at least `--runtime-request-timeout=600s` (10m) so CRI CreateContainerRequest does not time out.
+
 - Inform systemd about the new configuration

  ```bash
--- a/docs/how-to/how-to-use-the-kata-agent-policy.md
+++ b/docs/how-to/how-to-use-the-kata-agent-policy.md
@@ -99,6 +99,9 @@ The [`genpolicy`](../../src/tools/genpolicy/) application can be used to generat

 **Warning** Users should review carefully the automatically-generated Policy, and modify the Policy file if needed to match better their use case, before using this Policy.

+**Important — User / Group / Supplemental groups for Policy and genpolicy**
+When using features like **nydus guest-pull**, set user/group IDs explicitly in the pod spec, as described in [Limitations](../Limitations.md#guest-pulled-container-images).
+
 See the [`genpolicy` documentation](../../src/tools/genpolicy/README.md) and the [Policy contents examples](#policy-contents) for additional information.

 ## Policy contents
--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@@ -743,12 +743,6 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"

-[[package]]
-name = "common-path"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
-
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -985,6 +979,12 @@ dependencies = [
 "parking_lot_core",
 ]

+[[package]]
+name = "data-encoding"
+version = "2.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2a2330da5de22e8a3cb63252ce2abb30116bf5265e89c0e01bc17015ce30a476"
+
 [[package]]
 name = "deranged"
 version = "0.5.5"
@@ -1098,6 +1098,18 @@ dependencies = [
 "serde",
 ]

+[[package]]
+name = "enum-as-inner"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
+dependencies = [
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.101",
+]
+
 [[package]]
 name = "enumflags2"
 version = "0.7.11"
@@ -2102,8 +2114,6 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "byteorder",
- "chrono",
- "common-path",
 "fail",
 "hex",
 "kata-types",
@@ -2112,11 +2122,9 @@ dependencies = [
 "mockall",
 "nix 0.26.4",
 "oci-spec",
- "once_cell",
 "pci-ids",
 "rand",
 "runtime-spec",
- "safe-path",
 "serde",
 "serde_json",
 "slog",
@@ -2135,8 +2143,8 @@ dependencies = [
 "byte-unit",
 "flate2",
 "glob",
- "hex",
 "lazy_static",
+ "nix 0.26.4",
 "num_cpus",
 "oci-spec",
 "regex",
@@ -2147,6 +2155,7 @@ dependencies = [
 "sha2 0.10.9",
 "slog",
 "slog-scope",
+ "sysctl",
 "sysinfo",
 "thiserror 1.0.69",
 "toml",
@@ -2306,7 +2315,6 @@ name = "mem-agent"
 version = "0.2.0"
 dependencies = [
 "anyhow",
- "async-trait",
 "chrono",
 "maplit",
 "nix 0.30.1",
@@ -3426,6 +3434,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "843c3d97f07e3b5ac0955d53ad0af4c91fe4a4f8525843ece5bf014f27829b73"
 dependencies = [
 "anyhow",
+ "data-encoding",
 "lazy_static",
 "rand",
 "regex",
@@ -3575,7 +3584,6 @@ dependencies = [
 name = "runtime-spec"
 version = "0.1.0"
 dependencies = [
- "libc",
 "serde",
 "serde_derive",
 "serde_json",
@@ -4215,6 +4223,20 @@ dependencies = [
 "syn 2.0.101",
 ]

+[[package]]
+name = "sysctl"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cca424247104946a59dacd27eaad296223b7feec3d168a6dd04585183091eb0b"
+dependencies = [
+ "bitflags 2.9.0",
+ "byteorder",
+ "enum-as-inner",
+ "libc",
+ "thiserror 2.0.12",
+ "walkdir",
+]
+
 [[package]]
 name = "sysinfo"
 version = "0.34.2"
--- a/src/agent/policy/Cargo.toml
+++ b/src/agent/policy/Cargo.toml
@@ -18,6 +18,8 @@ serde_json.workspace = true
 # Agent Policy
 regorus = { version = "0.2.8", default-features = false, features = [
    "arc",
+    "base64",
+    "base64url",
    "regex",
    "std",
 ] }
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -2308,9 +2308,6 @@ fn is_sealed_secret_path(source_path: &str) -> bool {
 }

 async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> {
-    if !confidential_data_hub::is_cdh_client_initialized() {
-        return Ok(());
-    }
    let linux = oci
        .linux()
        .as_ref()
@@ -2320,26 +2317,8 @@ async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> {
        for specdev in devices.iter() {
            if specdev.path().as_path().to_str() == Some(TRUSTED_IMAGE_STORAGE_DEVICE) {
                let dev_major_minor = format!("{}:{}", specdev.major(), specdev.minor());
-                let secure_storage_integrity = AGENT_CONFIG.secure_storage_integrity.to_string();
-                info!(
-                    sl(),
-                    "trusted_store device major:min {}, enable data integrity {}",
-                    dev_major_minor,
-                    secure_storage_integrity
-                );
-
-                let options = std::collections::HashMap::from([
-                    ("deviceId".to_string(), dev_major_minor),
-                    ("encryptType".to_string(), "LUKS".to_string()),
-                    ("dataIntegrity".to_string(), secure_storage_integrity),
-                ]);
-                confidential_data_hub::secure_mount(
-                    "BlockDevice",
-                    &options,
-                    vec![],
-                    KATA_IMAGE_WORK_DIR,
-                )
-                .await?;
+                cdh_secure_mount("BlockDevice", &dev_major_minor, "LUKS", KATA_IMAGE_WORK_DIR)
+                    .await?;
                break;
            }
        }
@@ -2347,6 +2326,38 @@ async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> {
    Ok(())
 }

+pub(crate) async fn cdh_secure_mount(
+    device_type: &str,
+    device_id: &str,
+    encrypt_type: &str,
+    mount_point: &str,
+) -> Result<()> {
+    if !confidential_data_hub::is_cdh_client_initialized() {
+        return Ok(());
+    }
+
+    let integrity = AGENT_CONFIG.secure_storage_integrity.to_string();
+
+    info!(
+        sl(),
+        "cdh_secure_mount: device_type {}, device_id {}, encrypt_type {}, integrity {}",
+        device_type,
+        device_id,
+        encrypt_type,
+        integrity
+    );
+
+    let options = std::collections::HashMap::from([
+        ("deviceId".to_string(), device_id.to_string()),
+        ("encryptType".to_string(), encrypt_type.to_string()),
+        ("dataIntegrity".to_string(), integrity),
+    ]);
+
+    confidential_data_hub::secure_mount(device_type, &options, vec![], mount_point).await?;
+
+    Ok(())
+}
+
 async fn cdh_handler_sealed_secrets(oci: &mut Spec) -> Result<()> {
    if !confidential_data_hub::is_cdh_client_initialized() {
        return Ok(());
--- a/src/agent/src/sandbox.rs
+++ b/src/agent/src/sandbox.rs
@@ -65,6 +65,12 @@ type UeventWatcher = (Box<dyn UeventMatcher>, oneshot::Sender<Uevent>);
 pub struct StorageState {
    count: Arc<AtomicU32>,
    device: Arc<dyn StorageDevice>,
+
+    /// Whether the storage is shared across multiple containers (e.g.
+    /// block-based emptyDirs). Shared storages should not be cleaned up
+    /// when a container exits; cleanup happens only when the sandbox is
+    /// destroyed.
+    shared: bool,
 }

 impl Debug for StorageState {
@@ -74,17 +80,11 @@ impl Debug for StorageState {
 }

 impl StorageState {
-    fn new() -> Self {
+    fn new(shared: bool) -> Self {
        StorageState {
            count: Arc::new(AtomicU32::new(1)),
            device: Arc::new(StorageDeviceGeneric::default()),
-        }
-    }
-
-    pub fn from_device(device: Arc<dyn StorageDevice>) -> Self {
-        Self {
-            count: Arc::new(AtomicU32::new(1)),
-            device,
+            shared,
        }
    }

@@ -92,6 +92,10 @@ impl StorageState {
        self.device.path()
    }

+    pub fn is_shared(&self) -> bool {
+        self.shared
+    }
+
    pub async fn ref_count(&self) -> u32 {
        self.count.load(Ordering::Relaxed)
    }
@@ -171,8 +175,10 @@ impl Sandbox {

    /// Add a new storage object or increase reference count of existing one.
    /// The caller may detect new storage object by checking `StorageState.refcount == 1`.
+    /// The `shared` flag indicates if this storage is shared across multiple containers;
+    /// if true, cleanup will be skipped when containers exit.
    #[instrument]
-    pub async fn add_sandbox_storage(&mut self, path: &str) -> StorageState {
+    pub async fn add_sandbox_storage(&mut self, path: &str, shared: bool) -> StorageState {
        match self.storages.entry(path.to_string()) {
            Entry::Occupied(e) => {
                let state = e.get().clone();
@@ -180,7 +186,7 @@ impl Sandbox {
                state
            }
            Entry::Vacant(e) => {
-                let state = StorageState::new();
+                let state = StorageState::new(shared);
                e.insert(state.clone());
                state
            }
@@ -188,22 +194,32 @@ impl Sandbox {
    }

    /// Update the storage device associated with a path.
+    /// Preserves the existing shared flag and reference count.
    pub fn update_sandbox_storage(
        &mut self,
        path: &str,
        device: Arc<dyn StorageDevice>,
    ) -> std::result::Result<Arc<dyn StorageDevice>, Arc<dyn StorageDevice>> {
-        if !self.storages.contains_key(path) {
-            return Err(device);
+        match self.storages.get(path) {
+            None => Err(device),
+            Some(existing) => {
+                let state = StorageState {
+                    device,
+                    ..existing.clone()
+                };
+                // Safe to unwrap() because we have just ensured existence of entry via get().
+                let state = self.storages.insert(path.to_string(), state).unwrap();
+                Ok(state.device)
+            }
        }
-
-        let state = StorageState::from_device(device);
-        // Safe to unwrap() because we have just ensured existence of entry.
-        let state = self.storages.insert(path.to_string(), state).unwrap();
-        Ok(state.device)
    }

    /// Decrease reference count and destroy the storage object if reference count reaches zero.
+    ///
+    /// For shared storages (e.g., emptyDir volumes), cleanup is skipped even when refcount
+    /// reaches zero. The storage entry is kept in the map so subsequent containers can reuse
+    /// the already-mounted storage. Actual cleanup happens when the sandbox is destroyed.
+    ///
    /// Returns `Ok(true)` if the reference count has reached zero and the storage object has been
    /// removed.
    #[instrument]
@@ -212,6 +228,10 @@ impl Sandbox {
            None => Err(anyhow!("Sandbox storage with path {} not found", path)),
            Some(state) => {
                if state.dec_and_test_ref_count().await {
+                    if state.is_shared() {
+                        state.count.store(1, Ordering::Release);
+                        return Ok(false);
+                    }
                    if let Some(storage) = self.storages.remove(path) {
                        storage.device.cleanup()?;
                    }
@@ -720,7 +740,7 @@ mod tests {
        let tmpdir_path = tmpdir.path().to_str().unwrap();

        // Add a new sandbox storage
-        let new_storage = s.add_sandbox_storage(tmpdir_path).await;
+        let new_storage = s.add_sandbox_storage(tmpdir_path, false).await;

        // Check the reference counter
        let ref_count = new_storage.ref_count().await;
@@ -730,7 +750,7 @@ mod tests {
        );

        // Use the existing sandbox storage
-        let new_storage = s.add_sandbox_storage(tmpdir_path).await;
+        let new_storage = s.add_sandbox_storage(tmpdir_path, false).await;

        // Since we are using existing storage, the reference counter
        // should be 2 by now.
@@ -771,7 +791,7 @@ mod tests {

        assert!(bind_mount(srcdir_path, destdir_path, &logger).is_ok());

-        s.add_sandbox_storage(destdir_path).await;
+        s.add_sandbox_storage(destdir_path, false).await;
        let storage = StorageDeviceGeneric::new(destdir_path.to_string());
        assert!(s
            .update_sandbox_storage(destdir_path, Arc::new(storage))
@@ -789,7 +809,7 @@ mod tests {
            let other_dir_path = other_dir.path().to_str().unwrap();
            other_dir_str = other_dir_path.to_string();

-            s.add_sandbox_storage(other_dir_path).await;
+            s.add_sandbox_storage(other_dir_path, false).await;
            let storage = StorageDeviceGeneric::new(other_dir_path.to_string());
            assert!(s
                .update_sandbox_storage(other_dir_path, Arc::new(storage))
@@ -808,9 +828,9 @@ mod tests {
        let storage_path = "/tmp/testEphe";

        // Add a new sandbox storage
-        s.add_sandbox_storage(storage_path).await;
+        s.add_sandbox_storage(storage_path, false).await;
        // Use the existing sandbox storage
-        let state = s.add_sandbox_storage(storage_path).await;
+        let state = s.add_sandbox_storage(storage_path, false).await;
        assert!(
            state.ref_count().await > 1,
            "Expects false as the storage is not new."
--- a/src/agent/src/storage/block_handler.rs
+++ b/src/agent/src/storage/block_handler.rs
@@ -6,7 +6,7 @@

 use crate::linux_abi::pcipath_from_dev_tree_path;
 use std::fs;
-use std::os::unix::fs::PermissionsExt;
+use std::os::unix::fs::{MetadataExt, PermissionsExt};
 use std::path::Path;
 use std::sync::Arc;

@@ -17,6 +17,7 @@ use kata_types::device::{
    DRIVER_BLK_MMIO_TYPE, DRIVER_BLK_PCI_TYPE, DRIVER_NVDIMM_TYPE, DRIVER_SCSI_TYPE,
 };
 use kata_types::mount::StorageDevice;
+use nix::sys::stat::{major, minor};
 use protocols::agent::Storage;
 use tracing::instrument;

@@ -29,10 +30,44 @@ use crate::device::block_device_handler::{
 };
 use crate::device::nvdimm_device_handler::wait_for_pmem_device;
 use crate::device::scsi_device_handler::get_scsi_device_name;
-use crate::storage::{common_storage_handler, new_device, StorageContext, StorageHandler};
+use crate::storage::{
+    common_storage_handler, new_device, set_ownership, StorageContext, StorageHandler,
+};
+use slog::Logger;
 #[cfg(target_arch = "s390x")]
 use std::str::FromStr;

+fn get_device_number(dev_path: &str, metadata: Option<&fs::Metadata>) -> Result<String> {
+    let dev_id = match metadata {
+        Some(m) => m.rdev(),
+        None => {
+            let m =
+                fs::metadata(dev_path).context(format!("get metadata on file {:?}", dev_path))?;
+            m.rdev()
+        }
+    };
+    Ok(format!("{}:{}", major(dev_id), minor(dev_id)))
+}
+
+async fn handle_block_storage(
+    logger: &Logger,
+    storage: &Storage,
+    dev_num: &str,
+) -> Result<Arc<dyn StorageDevice>> {
+    let has_ephemeral_encryption = storage
+        .driver_options
+        .contains(&"encryption_key=ephemeral".to_string());
+
+    if has_ephemeral_encryption {
+        crate::rpc::cdh_secure_mount("BlockDevice", dev_num, "LUKS", &storage.mount_point).await?;
+        set_ownership(logger, storage)?;
+        new_device(storage.mount_point.clone())
+    } else {
+        let path = common_storage_handler(logger, storage)?;
+        new_device(path)
+    }
+}
+
 #[derive(Debug)]
 pub struct VirtioBlkMmioHandler {}

@@ -75,6 +110,8 @@ impl StorageHandler for VirtioBlkPciHandler {
        mut storage: Storage,
        ctx: &mut StorageContext,
    ) -> Result<Arc<dyn StorageDevice>> {
+        let dev_num: String;
+
        // If hot-plugged, get the device node path based on the PCI path
        // otherwise use the virt path provided in Storage Source
        if storage.source.starts_with("/dev") {
@@ -84,15 +121,16 @@ impl StorageHandler for VirtioBlkPciHandler {
            if mode & libc::S_IFBLK == 0 {
                return Err(anyhow!("Invalid device {}", &storage.source));
            }
+            dev_num = get_device_number(&storage.source, Some(&metadata))?;
        } else {
            let (root_complex, pcipath) = pcipath_from_dev_tree_path(&storage.source)?;
            let dev_path =
                get_virtio_blk_pci_device_name(ctx.sandbox, root_complex, &pcipath).await?;
            storage.source = dev_path;
+            dev_num = get_device_number(&storage.source, None)?;
        }

-        let path = common_storage_handler(ctx.logger, &storage)?;
-        new_device(path)
+        handle_block_storage(ctx.logger, &storage, &dev_num).await
    }
 }

@@ -151,10 +189,10 @@ impl StorageHandler for ScsiHandler {
    ) -> Result<Arc<dyn StorageDevice>> {
        // Retrieve the device path from SCSI address.
        let dev_path = get_scsi_device_name(ctx.sandbox, &storage.source).await?;
-        storage.source = dev_path;
+        storage.source = dev_path.clone();

-        let path = common_storage_handler(ctx.logger, &storage)?;
-        new_device(path)
+        let dev_num = get_device_number(&dev_path, None)?;
+        handle_block_storage(ctx.logger, &storage, &dev_num).await
    }
 }

--- a/src/agent/src/storage/mod.rs
+++ b/src/agent/src/storage/mod.rs
@@ -172,7 +172,11 @@ pub async fn add_storages(

    for storage in storages {
        let path = storage.mount_point.clone();
-        let state = sandbox.lock().await.add_sandbox_storage(&path).await;
+        let state = sandbox
+            .lock()
+            .await
+            .add_sandbox_storage(&path, storage.shared)
+            .await;
        if state.ref_count().await > 1 {
            if let Some(path) = state.path() {
                if !path.is_empty() {
--- a/src/dragonball/Cargo.toml
+++ b/src/dragonball/Cargo.toml
@@ -48,7 +48,6 @@ vmm-sys-util = { workspace = true }
 virtio-queue = { workspace = true, optional = true }
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 crossbeam-channel = "0.5.6"
-fuse-backend-rs = "0.10.5"
 vfio-bindings = { workspace = true, optional = true }
 vfio-ioctls = { workspace = true, optional = true }

@@ -86,3 +85,6 @@ host-device = ["dep:vfio-bindings", "dep:vfio-ioctls", "dep:dbs-pci"]
 unexpected_cfgs = { level = "warn", check-cfg = [
  'cfg(feature, values("test-mock"))',
 ] }
+
+[package.metadata.cargo-machete]
+ignored = ["vfio-bindings"]
--- a/src/dragonball/dbs_legacy_devices/src/serial.rs
+++ b/src/dragonball/dbs_legacy_devices/src/serial.rs
@@ -242,7 +242,7 @@ mod tests {

        let metrics = Arc::new(SerialDeviceMetrics::default());

-        let out: Arc<Mutex<Option<Box<(dyn std::io::Write + Send + 'static)>>>> =
+        let out: Arc<Mutex<Option<Box<dyn std::io::Write + Send + 'static>>>> =
            Arc::new(Mutex::new(Some(Box::new(std::io::sink()))));
        let mut serial = SerialDevice {
            serial: Serial::with_events(
--- a/src/dragonball/dbs_pci/Cargo.toml
+++ b/src/dragonball/dbs_pci/Cargo.toml
@@ -23,24 +23,22 @@ dbs-interrupt = { workspace = true, features = [
    "kvm-legacy-irq",
    "kvm-msi-irq",
 ] }
-downcast-rs = "1.2.0"
 byteorder = "1.4.3"
 serde = "1.0.27"

-vm-memory = {workspace = true}
-kvm-ioctls = {workspace = true}
-kvm-bindings = {workspace = true}
-vfio-ioctls = {workspace = true}
-vfio-bindings = {workspace = true}
+vm-memory = { workspace = true }
+kvm-ioctls = { workspace = true }
+kvm-bindings = { workspace = true }
+vfio-ioctls = { workspace = true }
+vfio-bindings = { workspace = true }
 libc = "0.2.39"
-vmm-sys-util = {workspace = true}
-virtio-queue = {workspace = true}
-dbs-utils = {workspace = true}
+virtio-queue = { workspace = true }
+dbs-utils = { workspace = true }


 [dev-dependencies]
 dbs-arch = { workspace = true }
-kvm-ioctls = {workspace = true}
+kvm-ioctls = { workspace = true }
 test-utils = { workspace = true }
 nix = { workspace = true }

--- a/src/dragonball/dbs_pci/src/virtio_pci.rs
+++ b/src/dragonball/dbs_pci/src/virtio_pci.rs
@@ -1174,7 +1174,6 @@ pub(crate) mod tests {
    use dbs_virtio_devices::Result as VirtIoResult;
    use dbs_virtio_devices::{
        ActivateResult, VirtioDeviceConfig, VirtioDeviceInfo, VirtioSharedMemory,
-        DEVICE_ACKNOWLEDGE, DEVICE_DRIVER, DEVICE_DRIVER_OK, DEVICE_FEATURES_OK, DEVICE_INIT,
    };

    use dbs_address_space::{AddressSpaceLayout, AddressSpaceRegion, AddressSpaceRegionType};
--- a/src/dragonball/dbs_upcall/Cargo.toml
+++ b/src/dragonball/dbs_upcall/Cargo.toml
@@ -11,7 +11,6 @@ keywords = ["dragonball", "secure-sandbox", "devices", "upcall", "virtio"]
 readme = "README.md"

 [dependencies]
-anyhow = "1"
 log = "0.4.14"
 thiserror = "1"
 timerfd = "1.2.0"
--- a/src/dragonball/dbs_utils/src/epoll_manager.rs
+++ b/src/dragonball/dbs_utils/src/epoll_manager.rs
@@ -99,76 +99,61 @@ impl Default for EpollManager {
 #[cfg(test)]
 mod tests {
    use super::*;
-    use std::os::unix::io::AsRawFd;
+    use std::os::fd::AsRawFd;
+    use std::sync::mpsc::channel;
+    use std::time::Duration;
    use vmm_sys_util::{epoll::EventSet, eventfd::EventFd};

    struct DummySubscriber {
-        pub event: EventFd,
+        pub event: Arc<EventFd>,
+        pub notify: std::sync::mpsc::Sender<()>,
    }

    impl DummySubscriber {
-        fn new() -> Self {
-            Self {
-                event: EventFd::new(0).unwrap(),
-            }
+        fn new(event: Arc<EventFd>, notify: std::sync::mpsc::Sender<()>) -> Self {
+            Self { event, notify }
        }
    }

    impl MutEventSubscriber for DummySubscriber {
-        fn process(&mut self, events: Events, _ops: &mut EventOps) {
-            let source = events.fd();
-            let event_set = events.event_set();
-            assert_ne!(source, self.event.as_raw_fd());
-            match event_set {
-                EventSet::IN => {
-                    unreachable!()
-                }
-                EventSet::OUT => {
-                    self.event.read().unwrap();
-                }
-                _ => {
-                    unreachable!()
-                }
-            }
+        fn init(&mut self, ops: &mut EventOps) {
+            ops.add(Events::new(self.event.as_ref(), EventSet::IN))
+                .unwrap();
        }

-        fn init(&mut self, _ops: &mut EventOps) {}
+        fn process(&mut self, events: Events, _ops: &mut EventOps) {
+            if events.fd() == self.event.as_raw_fd() && events.event_set().contains(EventSet::IN) {
+                let _ = self.event.read();
+                let _ = self.notify.send(());
+            }
+        }
    }

    #[test]
    fn test_epoll_manager() {
-        let mut epoll_manager = EpollManager::default();
-        let epoll_manager_clone = epoll_manager.clone();
-        let thread = std::thread::spawn(move || loop {
-            let count = epoll_manager_clone.handle_events(-1).unwrap();
-            if count == 0 {
-                continue;
+        let epoll_manager = EpollManager::default();
+        let (stop_tx, stop_rx) = channel::<()>();
+        let worker_mgr = epoll_manager.clone();
+        let worker = std::thread::spawn(move || {
+            while stop_rx.try_recv().is_err() {
+                let _ = worker_mgr.handle_events(50);
            }
-            assert_eq!(count, 1);
-            break;
        });
-        let handler = DummySubscriber::new();
-        let event = handler.event.try_clone().unwrap();
+
+        let (notify_tx, notify_rx) = channel::<()>();
+
+        let event = Arc::new(EventFd::new(0).unwrap());
+        let handler = DummySubscriber::new(event.clone(), notify_tx);
        let id = epoll_manager.add_subscriber(Box::new(handler));

-        thread.join().unwrap();
-
-        epoll_manager
-            .add_event(id, Events::new(&event, EventSet::OUT))
-            .unwrap();
        event.write(1).unwrap();

-        let epoll_manager_clone = epoll_manager.clone();
-        let thread = std::thread::spawn(move || loop {
-            let count = epoll_manager_clone.handle_events(-1).unwrap();
-            if count == 0 {
-                continue;
-            }
-            assert_eq!(count, 2);
-            break;
-        });
+        notify_rx
+            .recv_timeout(Duration::from_secs(2))
+            .expect("timeout waiting for subscriber to be processed");

-        thread.join().unwrap();
-        epoll_manager.remove_subscriber(id).unwrap();
+        epoll_manager.clone().remove_subscriber(id).unwrap();
+        let _ = stop_tx.send(());
+        worker.join().unwrap();
    }
 }
--- a/src/dragonball/dbs_virtio_devices/Cargo.toml
+++ b/src/dragonball/dbs_virtio_devices/Cargo.toml
@@ -24,8 +24,8 @@ dbs-boot = { workspace = true }
 epoll = ">=4.3.1, <4.3.2"
 io-uring = "0.5.2"
 fuse-backend-rs = { version = "0.10.5", optional = true }
-kvm-bindings = { workspace = true}
-kvm-ioctls = {workspace = true}
+kvm-bindings = { workspace = true }
+kvm-ioctls = { workspace = true }
 libc = "0.2.119"
 log = "0.4.14"
 nix = "0.24.3"
@@ -37,19 +37,16 @@ serde = "1.0.27"
 serde_json = "1.0.9"
 thiserror = "1"
 threadpool = "1"
-virtio-bindings = {workspace = true}
-virtio-queue = {workspace = true}
-vmm-sys-util = {workspace = true}
+virtio-bindings = { workspace = true }
+virtio-queue = { workspace = true }
+vmm-sys-util = { workspace = true }
 vm-memory = { workspace = true, features = ["backend-mmap"] }
 sendfd = "0.4.3"
 vhost-rs = { version = "0.6.1", package = "vhost", optional = true }
 timerfd = "1.0"

 [dev-dependencies]
-vm-memory = { workspace = true, features = [
-    "backend-mmap",
-    "backend-atomic",
-] }
+vm-memory = { workspace = true, features = ["backend-mmap", "backend-atomic"] }
 test-utils = { workspace = true }

 [features]
--- a/src/dragonball/dbs_virtio_devices/src/lib.rs
+++ b/src/dragonball/dbs_virtio_devices/src/lib.rs
@@ -439,19 +439,19 @@ pub mod tests {
            VirtqDesc { desc }
        }

-        pub fn addr(&self) -> VolatileRef<u64> {
+        pub fn addr(&self) -> VolatileRef<'_, u64> {
            self.desc.get_ref(offset_of!(DescriptorTmp, addr)).unwrap()
        }

-        pub fn len(&self) -> VolatileRef<u32> {
+        pub fn len(&self) -> VolatileRef<'_, u32> {
            self.desc.get_ref(offset_of!(DescriptorTmp, len)).unwrap()
        }

-        pub fn flags(&self) -> VolatileRef<u16> {
+        pub fn flags(&self) -> VolatileRef<'_, u16> {
            self.desc.get_ref(offset_of!(DescriptorTmp, flags)).unwrap()
        }

-        pub fn next(&self) -> VolatileRef<u16> {
+        pub fn next(&self) -> VolatileRef<'_, u16> {
            self.desc.get_ref(offset_of!(DescriptorTmp, next)).unwrap()
        }

@@ -513,11 +513,11 @@ pub mod tests {
            self.start.unchecked_add(self.ring.len() as GuestUsize)
        }

-        pub fn flags(&self) -> VolatileRef<u16> {
+        pub fn flags(&self) -> VolatileRef<'_, u16> {
            self.ring.get_ref(0).unwrap()
        }

-        pub fn idx(&self) -> VolatileRef<u16> {
+        pub fn idx(&self) -> VolatileRef<'_, u16> {
            self.ring.get_ref(2).unwrap()
        }

@@ -525,12 +525,12 @@ pub mod tests {
            4 + mem::size_of::<T>() * (i as usize)
        }

-        pub fn ring(&self, i: u16) -> VolatileRef<T> {
+        pub fn ring(&self, i: u16) -> VolatileRef<'_, T> {
            assert!(i < self.qsize);
            self.ring.get_ref(Self::ring_offset(i)).unwrap()
        }

-        pub fn event(&self) -> VolatileRef<u16> {
+        pub fn event(&self) -> VolatileRef<'_, u16> {
            self.ring.get_ref(Self::ring_offset(self.qsize)).unwrap()
        }

@@ -602,7 +602,7 @@ pub mod tests {
            (self.dtable.len() / VirtqDesc::dtable_len(1)) as u16
        }

-        pub fn dtable(&self, i: u16) -> VirtqDesc {
+        pub fn dtable(&self, i: u16) -> VirtqDesc<'_> {
            VirtqDesc::new(&self.dtable, i)
        }

--- a/src/dragonball/dbs_virtio_devices/src/vhost/vhost_kern/net.rs
+++ b/src/dragonball/dbs_virtio_devices/src/vhost/vhost_kern/net.rs
@@ -690,6 +690,15 @@ mod tests {
    use crate::tests::{create_address_space, create_vm_and_irq_manager};
    use crate::{create_queue_notifier, VirtioQueueConfig};

+    fn unique_tap_name(prefix: &str) -> String {
+        use std::sync::atomic::{AtomicUsize, Ordering};
+        static CNT: AtomicUsize = AtomicUsize::new(0);
+        let n = CNT.fetch_add(1, Ordering::Relaxed);
+
+        // "vtap" + pid(<=5) + n(<=3) => max len <= 15
+        format!("{}{:x}{:x}", prefix, std::process::id() & 0xfff, n & 0xfff)
+    }
+
    fn create_vhost_kern_net_epoll_handler(
        id: String,
    ) -> NetEpollHandler<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap> {
@@ -723,13 +732,16 @@ mod tests {
        let guest_mac = MacAddr::parse_str(guest_mac_str).unwrap();
        let queue_sizes = Arc::new(vec![128]);
        let epoll_mgr = EpollManager::default();
-        let mut dev: Net<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap> = Net::new(
-            String::from("test_vhosttap"),
-            Some(&guest_mac),
-            queue_sizes,
-            epoll_mgr,
-        )
-        .unwrap();
+        let tap_name = unique_tap_name("vtap");
+        let dev_result: VirtioResult<Net<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap>> =
+            Net::new(tap_name.clone(), Some(&guest_mac), queue_sizes, epoll_mgr);
+        let mut dev: Net<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap> = match dev_result {
+            Ok(d) => d,
+            Err(e) => {
+                eprintln!("skip test: failed to create tap {}: {:?}", tap_name, e);
+                return;
+            }
+        };

        assert_eq!(dev.device_type(), TYPE_NET);

@@ -765,14 +777,16 @@ mod tests {
        {
            let queue_sizes = Arc::new(vec![128]);
            let epoll_mgr = EpollManager::default();
-            let mut dev: Net<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap> = Net::new(
-                String::from("test_vhosttap"),
-                Some(&guest_mac),
-                queue_sizes,
-                epoll_mgr,
-            )
-            .unwrap();
-
+            let tap_name = unique_tap_name("vtap");
+            let dev_result: VirtioResult<Net<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap>> =
+                Net::new(tap_name.clone(), Some(&guest_mac), queue_sizes, epoll_mgr);
+            let mut dev: Net<Arc<GuestMemoryMmap>, QueueSync, GuestRegionMmap> = match dev_result {
+                Ok(d) => d,
+                Err(e) => {
+                    eprintln!("skip test: failed to create tap {}: {:?}", tap_name, e);
+                    return;
+                }
+            };
            let queues = vec![
                VirtioQueueConfig::create(128, 0).unwrap(),
                VirtioQueueConfig::create(128, 0).unwrap(),
@@ -809,13 +823,17 @@ mod tests {
            let queue_eventfd2 = Arc::new(EventFd::new(0).unwrap());
            let queue_sizes = Arc::new(vec![128, 128]);
            let epoll_mgr = EpollManager::default();
-            let mut dev: Net<Arc<GuestMemoryMmap>, Queue, GuestRegionMmap> = Net::new(
-                String::from("test_vhosttap"),
-                Some(&guest_mac),
-                queue_sizes,
-                epoll_mgr,
-            )
-            .unwrap();
+
+            let tap_name = unique_tap_name("vtap");
+            let dev_result: VirtioResult<Net<Arc<GuestMemoryMmap>, Queue, GuestRegionMmap>> =
+                Net::new(tap_name.clone(), Some(&guest_mac), queue_sizes, epoll_mgr);
+            let mut dev: Net<Arc<GuestMemoryMmap>, Queue, GuestRegionMmap> = match dev_result {
+                Ok(d) => d,
+                Err(e) => {
+                    eprintln!("skip test: failed to create tap {}: {:?}", tap_name, e);
+                    return;
+                }
+            };

            let queues = vec![
                VirtioQueueConfig::new(queue, queue_eventfd, notifier.clone(), 1),
--- a/src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/fs.rs
+++ b/src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/fs.rs
@@ -865,11 +865,11 @@ mod tests {
            0
        );
        let config: [u8; 8] = [0; 8];
-        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
+        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
            &mut dev, 0, &config,
        );
        let mut data: [u8; 8] = [1; 8];
-        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
+        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
            &mut dev, 0, &mut data,
        );
        assert_eq!(config, data);
--- a/src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/net.rs
+++ b/src/dragonball/dbs_virtio_devices/src/vhost/vhost_user/net.rs
@@ -590,6 +590,7 @@ where
 mod tests {
    use std::sync::Arc;
    use std::thread;
+    use std::time::{Duration, Instant};

    use dbs_device::resources::DeviceResources;
    use dbs_interrupt::{InterruptManager, InterruptSourceType, MsiNotifier, NoopNotifier};
@@ -609,19 +610,16 @@ mod tests {
    };
    use crate::{VirtioDevice, VirtioDeviceConfig, VirtioQueueConfig, TYPE_NET};

-    fn connect_slave(path: &str) -> Option<Endpoint<MasterReq>> {
-        let mut retry_count = 5;
+    fn connect_slave(path: &str, timeout: Duration) -> Option<Endpoint<MasterReq>> {
+        let deadline = Instant::now() + timeout;
        loop {
            match Endpoint::<MasterReq>::connect(path) {
-                Ok(endpoint) => return Some(endpoint),
+                Ok(ep) => return Some(ep),
                Err(_) => {
-                    if retry_count > 0 {
-                        std::thread::sleep(std::time::Duration::from_millis(100));
-                        retry_count -= 1;
-                        continue;
-                    } else {
+                    if Instant::now() >= deadline {
                        return None;
                    }
+                    thread::sleep(Duration::from_millis(20));
                }
            }
        }
@@ -639,62 +637,88 @@ mod tests {

    #[test]
    fn test_vhost_user_net_virtio_device_normal() {
-        let device_socket = concat!("vhost.", line!());
-        let queue_sizes = Arc::new(vec![128]);
+        let dir_path = std::path::Path::new("/tmp");
+        let socket_path = dir_path.join(format!(
+            "vhost-user-net-{}-{:?}.sock",
+            std::process::id(),
+            thread::current().id()
+        ));
+        let socket_str = socket_path.to_str().unwrap().to_string();
+
+        let _ = std::fs::remove_file(&socket_path);
+
+        let queue_sizes = Arc::new(vec![128u16]);
        let epoll_mgr = EpollManager::default();
-        let handler = thread::spawn(move || {
-            let mut slave = connect_slave(device_socket).unwrap();
+
+        let socket_for_slave = socket_str.clone();
+        let slave_th = thread::spawn(move || {
+            let mut slave = connect_slave(&socket_for_slave, Duration::from_secs(5))
+                .unwrap_or_else(|| panic!("slave connect timeout: {}", socket_for_slave));
            create_vhost_user_net_slave(&mut slave);
        });
-        let mut dev: VhostUserNet<Arc<GuestMemoryMmap>> =
-            VhostUserNet::new_server(device_socket, None, queue_sizes, epoll_mgr).unwrap();
+
+        let (tx, rx) = std::sync::mpsc::channel();
+        let socket_for_master = socket_str.clone();
+        let queue_sizes_for_master = queue_sizes.clone();
+        let epoll_mgr_for_master = epoll_mgr.clone();
+        thread::spawn(move || {
+            let res = VhostUserNet::<Arc<GuestMemoryMmap>>::new_server(
+                &socket_for_master,
+                None,
+                queue_sizes_for_master,
+                epoll_mgr_for_master,
+            );
+            let _ = tx.send(res);
+        });
+
+        let dev_res = rx
+            .recv_timeout(Duration::from_secs(5))
+            .unwrap_or_else(|_| panic!("new_server() stuck/timeout: {}", socket_str));
+
+        let dev: VhostUserNet<Arc<GuestMemoryMmap>> = dev_res.unwrap_or_else(|e| {
+            panic!(
+                "new_server() returned error: {:?}, socket={}",
+                e, socket_str
+            )
+        });
+
        assert_eq!(
            VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::device_type(&dev),
            TYPE_NET
        );
-        let queue_size = [128];
+
+        let queue_size = [128u16];
        assert_eq!(
            VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::queue_max_sizes(
                &dev
            ),
            &queue_size[..]
        );
-        assert_eq!(
-            VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::get_avail_features(&dev, 0),
-            dev.device().device_info.get_avail_features(0)
-        );
-        assert_eq!(
-            VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::get_avail_features(&dev, 1),
-            dev.device().device_info.get_avail_features(1)
-        );
-        assert_eq!(
-            VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::get_avail_features(&dev, 2),
-            dev.device().device_info.get_avail_features(2)
-        );
-        VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::set_acked_features(
-            &mut dev, 2, 0,
-        );
-        assert_eq!(VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::get_avail_features(&dev, 2), 0);
-        let config: [u8; 8] = [0; 8];
-        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::write_config(
-            &mut dev, 0, &config,
-        );
-        let mut data: [u8; 8] = [1; 8];
-        let _ = VirtioDevice::<Arc<GuestMemoryMmap<()>>, QueueSync, GuestRegionMmap>::read_config(
-            &mut dev, 0, &mut data,
-        );
-        assert_eq!(config, data);
-        handler.join().unwrap();
+
+        slave_th.join().unwrap();
+
+        let _ = std::fs::remove_file(&socket_path);
+        drop(dev);
    }

    #[test]
    fn test_vhost_user_net_virtio_device_activate() {
        skip_if_kvm_unaccessable!();
-        let device_socket = concat!("vhost.", line!());
-        let queue_sizes = Arc::new(vec![128]);
+        let dir_path = std::path::Path::new("/tmp");
+        let socket_path = dir_path.join(format!(
+            "vhost-user-net-{}-{:?}.sock",
+            std::process::id(),
+            thread::current().id()
+        ));
+        let socket_str = socket_path.to_str().unwrap().to_string();
+        let _ = std::fs::remove_file(&socket_path);
+
+        let queue_sizes = Arc::new(vec![128u16]);
        let epoll_mgr = EpollManager::default();
-        let handler = thread::spawn(move || {
-            let mut slave = connect_slave(device_socket).unwrap();
+        let socket_for_slave = socket_str.clone();
+        let slave_th = thread::spawn(move || {
+            let mut slave = connect_slave(&socket_for_slave, Duration::from_secs(10))
+                .unwrap_or_else(|| panic!("slave connect timeout: {}", socket_for_slave));
            create_vhost_user_net_slave(&mut slave);
            let mut pfeatures = VhostUserProtocolFeatures::all();
            // A workaround for no support for `INFLIGHT_SHMFD`. File an issue to track
@@ -702,8 +726,30 @@ mod tests {
            pfeatures -= VhostUserProtocolFeatures::INFLIGHT_SHMFD;
            negotiate_slave(&mut slave, pfeatures, true, 1);
        });
-        let mut dev: VhostUserNet<Arc<GuestMemoryMmap>> =
-            VhostUserNet::new_server(device_socket, None, queue_sizes, epoll_mgr).unwrap();
+
+        let (tx, rx) = std::sync::mpsc::channel();
+        let socket_for_master = socket_str.clone();
+        let queue_sizes_for_master = queue_sizes.clone();
+        let epoll_mgr_for_master = epoll_mgr.clone();
+        thread::spawn(move || {
+            let res = VhostUserNet::<Arc<GuestMemoryMmap>>::new_server(
+                &socket_for_master,
+                None,
+                queue_sizes_for_master,
+                epoll_mgr_for_master,
+            );
+            let _ = tx.send(res);
+        });
+        let mut dev: VhostUserNet<Arc<GuestMemoryMmap>> = rx
+            .recv_timeout(Duration::from_secs(10))
+            .unwrap_or_else(|_| panic!("new_server() stuck/timeout: {}", socket_str))
+            .unwrap_or_else(|e| {
+                panic!(
+                    "new_server() returned error: {:?}, socket={}",
+                    e, socket_str
+                )
+            });
+
        // invalid queue size
        {
            let kvm = Kvm::new().unwrap();
@@ -760,6 +806,9 @@ mod tests {
                );
            dev.activate(config).unwrap();
        }
-        handler.join().unwrap();
+        slave_th.join().unwrap();
+
+        let _ = std::fs::remove_file(&socket_path);
+        drop(dev);
    }
 }
--- a/src/dragonball/dbs_virtio_devices/src/vsock/backend/inner.rs
+++ b/src/dragonball/dbs_virtio_devices/src/vsock/backend/inner.rs
@@ -867,56 +867,96 @@ mod tests {
            .set_read_timeout(Some(Duration::from_millis(150)))
            .is_ok());

-        let cond_pair = Arc::new((Mutex::new(false), Condvar::new()));
-        let cond_pair_2 = Arc::clone(&cond_pair);
-        let handler = thread::Builder::new()
-            .spawn(move || {
-                // notify handler thread start
-                let (lock, cvar) = &*cond_pair_2;
-                let mut started = lock.lock().unwrap();
-                *started = true;
+        // stage:
+        // 0 = handler started
+        // 1 = first read timed out (main can do first write now)
+        // 2 = timeout cancelled, handler is about to do 3rd blocking read
+        let stage = Arc::new((Mutex::new(0u32), Condvar::new()));
+        let stage2 = Arc::clone(&stage);
+
+        let handler = thread::spawn(move || {
+            // notify started
+            {
+                let (lock, cvar) = &*stage2;
+                let mut s = lock.lock().unwrap();
+                *s = 0;
                cvar.notify_one();
-                drop(started);
+            }

-                let start_time1 = Instant::now();
-                let mut reader_buf = [0; 5];
-                // first read would timed out
-                assert_eq!(
-                    outer_stream.read_exact(&mut reader_buf).unwrap_err().kind(),
-                    ErrorKind::TimedOut
-                );
-                let end_time1 = Instant::now().duration_since(start_time1).as_millis();
-                assert!((150..250).contains(&end_time1));
+            let mut reader_buf = [0u8; 5];

-                // second read would ok
-                assert!(outer_stream.read_exact(&mut reader_buf).is_ok());
-                assert_eq!(reader_buf, [1, 2, 3, 4, 5]);
+            // 1) first read should timed out
+            let start_time1 = Instant::now();
+            assert_eq!(
+                outer_stream.read_exact(&mut reader_buf).unwrap_err().kind(),
+                ErrorKind::TimedOut
+            );
+            let end_time1 = start_time1.elapsed().as_millis();
+            assert!((150..300).contains(&end_time1));

-                // cancel the read timeout
-                let start_time2 = Instant::now();
-                outer_stream.set_read_timeout(None).unwrap();
-                assert!(outer_stream.read_exact(&mut reader_buf).is_ok());
-                let end_time2 = Instant::now().duration_since(start_time2).as_millis();
-                assert!(end_time2 >= 500);
-            })
-            .unwrap();
+            outer_stream
+                .set_read_timeout(Some(Duration::from_secs(10)))
+                .unwrap();

-        // wait handler thread started
-        let (lock, cvar) = &*cond_pair;
-        let mut started = lock.lock().unwrap();
-        while !*started {
-            started = cvar.wait(started).unwrap();
+            // notify main: timeout observed, now do first write
+            {
+                let (lock, cvar) = &*stage2;
+                let mut s = lock.lock().unwrap();
+                *s = 1;
+                cvar.notify_one();
+            }
+
+            // 2) second read should ok (main will write after stage==1)
+            outer_stream.read_exact(&mut reader_buf).unwrap();
+            assert_eq!(reader_buf, [1, 2, 3, 4, 5]);
+
+            // 3) cancel timeout, then do a blocking read; notify main before blocking
+            outer_stream.set_read_timeout(None).unwrap();
+            {
+                let (lock, cvar) = &*stage2;
+                let mut s = lock.lock().unwrap();
+                *s = 2;
+                cvar.notify_one();
+            }
+
+            let start_time2 = Instant::now();
+            outer_stream.read_exact(&mut reader_buf).unwrap();
+            let end_time2 = start_time2.elapsed().as_millis();
+            assert!(end_time2 >= 500);
+            assert_eq!(reader_buf, [1, 2, 3, 4, 5]);
+        });
+
+        // wait handler started (stage==0)
+        {
+            let (lock, cvar) = &*stage;
+            let mut s = lock.lock().unwrap();
+            while *s != 0 {
+                s = cvar.wait(s).unwrap();
+            }
        }

-        // sleep 300ms, test timeout
-        thread::sleep(Duration::from_millis(300));
-        let writer_buf = [1, 2, 3, 4, 5];
-        inner_stream.write_all(&writer_buf).unwrap();
+        // wait first timeout done (stage==1), then do first write
+        {
+            let (lock, cvar) = &*stage;
+            let mut s = lock.lock().unwrap();
+            while *s < 1 {
+                s = cvar.wait(s).unwrap();
+            }
+        }
+        inner_stream.write_all(&[1, 2, 3, 4, 5]).unwrap();
+
+        // wait handler cancelled timeout and is about to block-read (stage==2)
+        {
+            let (lock, cvar) = &*stage;
+            let mut s = lock.lock().unwrap();
+            while *s < 2 {
+                s = cvar.wait(s).unwrap();
+            }
+        }

        // sleep 500ms again, test cancel timeout
        thread::sleep(Duration::from_millis(500));
-        let writer_buf = [1, 2, 3, 4, 5];
-        inner_stream.write_all(&writer_buf).unwrap();
+        inner_stream.write_all(&[1, 2, 3, 4, 5]).unwrap();

        handler.join().unwrap();
    }
--- a/src/dragonball/dbs_virtio_devices/src/vsock/mod.rs
+++ b/src/dragonball/dbs_virtio_devices/src/vsock/mod.rs
@@ -339,7 +339,7 @@ mod tests {
            }
        }

-        pub fn create_event_handler_context(&self) -> EventHandlerContext {
+        pub fn create_event_handler_context(&self) -> EventHandlerContext<'_> {
            const QSIZE: u16 = 256;

            let guest_rxvq = GuestQ::new(GuestAddress(0x0010_0000), &self.mem, QSIZE);
--- a/src/dragonball/src/signal_handler.rs
+++ b/src/dragonball/src/signal_handler.rs
@@ -120,7 +120,7 @@ mod tests {

    use libc::{cpu_set_t, syscall};
    use std::convert::TryInto;
-    use std::{mem, process, thread};
+    use std::{mem, thread};

    use seccompiler::{apply_filter, BpfProgram, SeccompAction, SeccompFilter};

@@ -157,6 +157,16 @@ mod tests {
        let child = thread::spawn(move || {
            assert!(register_signal_handlers().is_ok());

+            // Trigger SIGBUS/SIGSEGV *before* installing the seccomp filter.
+            // Call SIGBUS signal handler.
+            assert_eq!(METRICS.read().unwrap().signals.sigbus.count(), 0);
+            unsafe { libc::raise(SIGBUS) };
+
+            // Call SIGSEGV signal handler.
+            assert_eq!(METRICS.read().unwrap().signals.sigsegv.count(), 0);
+            unsafe { libc::raise(SIGSEGV) };
+
+            // Install a seccomp filter that traps a known syscall so that we can verify SIGSYS handling.
            let filter = SeccompFilter::new(
                vec![(libc::SYS_mkdirat, vec![])].into_iter().collect(),
                SeccompAction::Allow,
@@ -168,20 +178,8 @@ mod tests {
            assert!(apply_filter(&TryInto::<BpfProgram>::try_into(filter).unwrap()).is_ok());
            assert_eq!(METRICS.read().unwrap().seccomp.num_faults.count(), 0);

-            // Call the blacklisted `SYS_mkdirat`.
+            // Invoke the blacklisted syscall to trigger SIGSYS and exercise the SIGSYS handler.
            unsafe { syscall(libc::SYS_mkdirat, "/foo/bar\0") };
-
-            // Call SIGBUS signal handler.
-            assert_eq!(METRICS.read().unwrap().signals.sigbus.count(), 0);
-            unsafe {
-                syscall(libc::SYS_kill, process::id(), SIGBUS);
-            }
-
-            // Call SIGSEGV signal handler.
-            assert_eq!(METRICS.read().unwrap().signals.sigsegv.count(), 0);
-            unsafe {
-                syscall(libc::SYS_kill, process::id(), SIGSEGV);
-            }
        });
        assert!(child.join().is_ok());

--- a/src/libs/kata-sys-util/Cargo.toml
+++ b/src/libs/kata-sys-util/Cargo.toml
@@ -13,13 +13,10 @@ edition = "2018"
 [dependencies]
 anyhow = "1.0.31"
 byteorder = "1.4.3"
-chrono = "0.4.0"
-common-path = "=1.0.0"
 fail = "0.5.0"
 lazy_static = "1.4.0"
 libc = "0.2.100"
 nix = "0.26.4"
-once_cell = "1.9.0"
 serde = { version = "1.0.138", features = ["derive"] }
 serde_json = "1.0.73"
 slog = "2.5.2"
@@ -34,10 +31,7 @@ mockall = "0.13.1"
 kata-types = { path = "../kata-types" }
 oci-spec = { version = "0.8.1", features = ["runtime"] }
 runtime-spec = { path = "../runtime-spec" }
-safe-path = { path = "../safe-path" }

 [dev-dependencies]
-num_cpus = "1.13.1"
-serial_test = "0.5.1"
 tempfile = "3.19.1"
 test-utils = { path = "../test-utils" }
--- a/src/libs/kata-types/Cargo.toml
+++ b/src/libs/kata-types/Cargo.toml
@@ -29,12 +29,14 @@ serde-enum-str = "0.4"
 sysinfo = "0.34.2"
 sha2 = "0.10.8"
 flate2 = "1.1"
-hex = "0.4"
-
+nix = "0.26.4"
 oci-spec = { version = "0.8.1", features = ["runtime"] }

 safe-path = { path = "../safe-path", optional = true }

+[target.'cfg(target_os = "macos")'.dependencies]
+sysctl = "0.7.1"
+
 [dev-dependencies]
 tempfile = "3.19.1"
 test-utils = { path = "../test-utils" }
--- a/src/libs/kata-types/src/config/hypervisor/ch.rs
+++ b/src/libs/kata-types/src/config/hypervisor/ch.rs
@@ -13,6 +13,7 @@ use super::{default, register_hypervisor_plugin};
 use crate::config::default::MAX_CH_VCPUS;
 use crate::config::default::MIN_CH_MEMORY_SIZE_MB;

+use crate::config::hypervisor::VIRTIO_BLK_MMIO;
 use crate::config::{ConfigPlugin, TomlConfig};
 use crate::{resolve_path, validate_path};

@@ -104,6 +105,16 @@ impl ConfigPlugin for CloudHypervisorConfig {
                ));
            }

+            // CoCo guest hardening: virtio-mmio is not hardened for confidential computing.
+            if ch.security_info.confidential_guest
+                && ch.boot_info.vm_rootfs_driver == VIRTIO_BLK_MMIO
+            {
+                return Err(std::io::Error::other(
+                    "Confidential guests must not use virtio-blk-mmio (use virtio-blk-pci); \
+                     virtio-mmio is not hardened for CoCo",
+                ));
+            }
+
            if ch.boot_info.kernel.is_empty() {
                return Err(std::io::Error::other("Guest kernel image for CH is empty"));
            }
--- a/src/libs/kata-types/src/config/hypervisor/mod.rs
+++ b/src/libs/kata-types/src/config/hypervisor/mod.rs
@@ -26,7 +26,6 @@
 use super::{default, ConfigOps, ConfigPlugin, TomlConfig};
 use crate::annotations::KATA_ANNO_CFG_HYPERVISOR_PREFIX;
 use crate::{resolve_path, sl, validate_path};
-use byte_unit::{Byte, Unit};
 use lazy_static::lazy_static;
 use regex::RegexSet;
 use serde_enum_str::{Deserialize_enum_str, Serialize_enum_str};
@@ -34,7 +33,6 @@ use std::collections::HashMap;
 use std::io::{self, Result};
 use std::path::Path;
 use std::sync::{Arc, Mutex};
-use sysinfo::{MemoryRefreshKind, RefreshKind, System};

 mod dragonball;
 pub use self::dragonball::{DragonballConfig, HYPERVISOR_NAME_DRAGONBALL};
@@ -1007,6 +1005,57 @@ fn default_guest_swap_create_threshold_secs() -> u64 {
    60
 }

+/// Get host memory size in MiB.
+/// Retrieves the total physical memory of the host across different platforms.
+fn host_memory_mib() -> io::Result<u64> {
+    // Select a platform-specific implementation via a function pointer.
+    let get_memory: fn() -> io::Result<u64> = {
+        #[cfg(target_os = "linux")]
+        {
+            || {
+                let info = nix::sys::sysinfo::sysinfo().map_err(io::Error::other)?;
+                Ok(info.ram_total() / (1024 * 1024)) // MiB
+            }
+        }
+
+        #[cfg(target_os = "macos")]
+        {
+            || {
+                use sysctl::{Ctl, CtlValue, Sysctl};
+
+                let v = Ctl::new("hw.memsize")
+                    .map_err(io::Error::other)?
+                    .value()
+                    .map_err(io::Error::other)?;
+
+                let bytes = match v {
+                    CtlValue::S64(x) if x >= 0 => x as u64,
+                    other => {
+                        return Err(io::Error::new(
+                            io::ErrorKind::InvalidData,
+                            format!("unexpected sysctl hw.memsize value type: {:?}", other),
+                        ));
+                    }
+                };
+
+                Ok(bytes / (1024 * 1024)) // MiB
+            }
+        }
+
+        #[cfg(not(any(target_os = "linux", target_os = "macos")))]
+        {
+            || {
+                Err(io::Error::new(
+                    io::ErrorKind::Unsupported,
+                    "host memory query not implemented on this platform",
+                ))
+            }
+        }
+    };
+
+    get_memory()
+}
+
 impl MemoryInfo {
    /// Adjusts the configuration information after loading from a configuration file.
    ///
@@ -1018,13 +1067,15 @@ impl MemoryInfo {
            self.file_mem_backend,
            "Memory backend file {} is invalid: {}"
        )?;
-        if self.default_maxmemory == 0 {
-            let s = System::new_with_specifics(
-                RefreshKind::nothing().with_memory(MemoryRefreshKind::everything()),
-            );
-            self.default_maxmemory = Byte::from_u64(s.total_memory())
-                .get_adjusted_unit(Unit::MiB)
-                .get_value() as u32;
+
+        let host_memory = host_memory_mib()?;
+
+        if u64::from(self.default_memory) > host_memory {
+            self.default_memory = host_memory as u32;
+        }
+
+        if self.default_maxmemory == 0 || u64::from(self.default_maxmemory) > host_memory {
+            self.default_maxmemory = host_memory as u32;
        }
        Ok(())
    }
@@ -1167,6 +1218,29 @@ pub struct SecurityInfo {
    #[serde(default)]
    pub sev_snp_guest: bool,

+    /// SNP 'ID Block' and 'ID Authentication Information Structure'.
+    /// If one of snp_id_block or snp_id_auth is specified, the other must be specified, too.
+    /// Notice that the default SNP policy of QEMU (0x30000) is used by Kata, if not explicitly
+    /// set via 'snp_guest_policy' option. The IDBlock contains the guest policy as field, and
+    /// it must match the value from 'snp_guest_policy' or, if unset, the QEMU default policy.
+    /// 96-byte, base64-encoded blob to provide the 'ID Block' structure for the
+    /// SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
+    #[serde(default)]
+    pub snp_id_block: String,
+
+    /// 4096-byte, base64-encoded blob to provide the 'ID Authentication Information Structure'
+    /// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
+    #[serde(default)]
+    pub snp_id_auth: String,
+
+    /// SNP Guest Policy, the 'POLICY' parameter to the SNP_LAUNCH_START command.
+    /// If unset, the QEMU default policy (0x30000) will be used.
+    /// Notice that the guest policy is enforced at VM launch, and your pod VMs
+    /// won't start at all if the policy denys it. This will be indicated by a
+    /// 'SNP_LAUNCH_START' error.
+    #[serde(default = "default_snp_guest_policy")]
+    pub snp_guest_policy: u32,
+
    /// Path to OCI hook binaries in the *guest rootfs*.
    ///
    /// This setting does not affect host-side hooks, which must instead be
@@ -1228,6 +1302,10 @@ fn default_qgs_port() -> u32 {
    4050
 }

+fn default_snp_guest_policy() -> u32 {
+    0x30000
+}
+
 impl SecurityInfo {
    /// Adjusts the security configuration information after loading from a configuration file.
    ///
--- a/src/libs/kata-types/src/config/hypervisor/qemu.rs
+++ b/src/libs/kata-types/src/config/hypervisor/qemu.rs
@@ -124,6 +124,17 @@ impl ConfigPlugin for QemuConfig {
                ));
            }

+            // CoCo guest hardening: virtio-mmio transport is not hardened for confidential
+            // computing; only virtio-pci is. Ensure we never use virtio-blk-mmio for rootfs.
+            if qemu.security_info.confidential_guest
+                && qemu.boot_info.vm_rootfs_driver == VIRTIO_BLK_MMIO
+            {
+                return Err(std::io::Error::other(
+                    "Confidential guests must not use virtio-blk-mmio (use virtio-blk-pci); \
+                     virtio-mmio is not hardened for CoCo",
+                ));
+            }
+
            if qemu.boot_info.kernel.is_empty() {
                return Err(std::io::Error::other(
                    "Guest kernel image for qemu is empty",
--- a/src/libs/mem-agent/Cargo.toml
+++ b/src/libs/mem-agent/Cargo.toml
@@ -10,7 +10,6 @@ anyhow = "1.0"
 page_size = "0.6"
 chrono = "0.4"
 tokio = { version = "1.45.1", features = ["full"] }
-async-trait = "0.1"
 maplit = "1.0"
 nix = { version = "0.30.1", features = ["fs", "sched"] }

--- a/src/libs/protocols/protos/agent.proto
+++ b/src/libs/protocols/protos/agent.proto
@@ -520,6 +520,11 @@ message Storage {
 	// FSGroup consists of the group ID and group ownership change policy
 	// that the mounted volume must have its group ID changed to when specified.
 	FSGroup fs_group = 7;
+	// Shared indicates this storage is shared across multiple containers
+	// (e.g., block-based emptyDirs). When true, the agent should not clean up
+	// the storage when a container using it exits, as other containers
+	// may still need it. Cleanup will happen when the sandbox is destroyed.
+	bool shared = 8;
 }

 // Device represents only the devices that could have been defined through the
--- a/src/libs/runtime-spec/Cargo.toml
+++ b/src/libs/runtime-spec/Cargo.toml
@@ -9,4 +9,3 @@ license = "Apache-2.0"
 serde = "1.0.131"
 serde_derive = "1.0.131"
 serde_json = "1.0.73"
-libc = "0.2.112"
--- a/src/runtime-rs/Cargo.toml
+++ b/src/runtime-rs/Cargo.toml
@@ -28,5 +28,4 @@ nix = { workspace = true }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 shim = { path = "crates/shim" }
 common = { workspace = true }
-logging = { workspace = true }
 runtimes = { workspace = true }
--- a/src/runtime-rs/crates/agent/Cargo.toml
+++ b/src/runtime-rs/crates/agent/Cargo.toml
@@ -5,13 +5,9 @@ authors = { workspace = true }
 edition = { workspace = true }
 license = { workspace = true }

-[dev-dependencies]
-futures = "0.1.27"
-
 [dependencies]
 anyhow = { workspace = true }
 async-trait = { workspace = true }
-log = { workspace = true }
 protobuf = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
@@ -31,3 +27,6 @@ protocols = { workspace = true, features = ["async"] }

 [features]
 default = []
+
+[package.metadata.cargo-machete]
+ignored = ["slog-scope"]
--- a/src/runtime-rs/crates/hypervisor/Cargo.toml
+++ b/src/runtime-rs/crates/hypervisor/Cargo.toml
@@ -28,8 +28,6 @@ path-clean = "1.0.1"
 lazy_static = { workspace = true }
 tracing = { workspace = true }
 ttrpc = { workspace = true, features = ["async"] }
-protobuf = { workspace = true }
-oci-spec = { workspace = true }
 futures = "0.3.25"
 safe-path = "0.1.0"
 crossbeam-channel = "0.5.6"
@@ -44,7 +42,6 @@ kata-sys-util = { workspace = true }
 kata-types = { workspace = true }
 logging = { workspace = true }
 protocols = { workspace = true, features = ["async"] }
-shim-interface = { workspace = true }
 persist = { workspace = true }
 ch-config = { workspace = true, optional = true }
 tests_utils = { workspace = true }
--- a/src/runtime-rs/crates/hypervisor/ch-config/src/lib.rs
+++ b/src/runtime-rs/crates/hypervisor/ch-config/src/lib.rs
@@ -110,6 +110,16 @@ pub struct DeviceConfig {
    pub pci_segment: u16,
 }

+#[derive(Serialize, Deserialize, Clone, Copy, Debug, PartialEq, Eq, Default)]
+pub enum ImageType {
+    FixedVhd,
+    Qcow2,
+    Raw,
+    Vhdx,
+    #[default]
+    Unknown,
+}
+
 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]
 pub struct DiskConfig {
    pub path: Option<PathBuf>,
@@ -135,6 +145,8 @@ pub struct DiskConfig {
    pub disable_io_uring: bool,
    #[serde(default)]
    pub pci_segment: u16,
+    #[serde(default)]
+    pub image_type: ImageType,
 }

 #[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, Default)]
--- a/src/runtime-rs/crates/hypervisor/src/ch/inner_device.rs
+++ b/src/runtime-rs/crates/hypervisor/src/ch/inner_device.rs
@@ -27,6 +27,7 @@ use ch_config::ch_api::{
 };
 use ch_config::convert::DEFAULT_NUM_PCI_SEGMENTS;
 use ch_config::DiskConfig;
+use ch_config::ImageType;
 use ch_config::{net_util::MacAddr, DeviceConfig, FsConfig, NetConfig, VsockConfig};
 use kata_sys_util::netns::NetnsGuard;
 use kata_types::config::hypervisor::RateLimiterConfig;
@@ -469,7 +470,10 @@ impl CloudHypervisorInner {
                    net_config.id = None;

                    net_config.num_queues = network_queues_pairs * 2;
-                    info!(sl!(), "network device queue pairs {:?}", network_queues_pairs);
+                    info!(
+                        sl!(),
+                        "network device queue pairs {:?}", network_queues_pairs
+                    );

                    // we need ensure opening network device happens in netns.
                    let netns = self.netns.clone().unwrap_or_default();
@@ -550,6 +554,7 @@ impl TryFrom<BlockConfig> for DiskConfig {
            readonly: blkcfg.is_readonly,
            num_queues: blkcfg.num_queues,
            queue_size: blkcfg.queue_size as u16,
+            image_type: ImageType::Raw,
            ..Default::default()
        };

--- a/src/runtime-rs/crates/hypervisor/src/device/driver/virtio_blk.rs
+++ b/src/runtime-rs/crates/hypervisor/src/device/driver/virtio_blk.rs
@@ -13,17 +13,17 @@ use crate::device::DeviceType;
 use crate::Hypervisor as hypervisor;
 use anyhow::{Context, Result};
 use async_trait::async_trait;
+pub use kata_types::device::{
+    DRIVER_BLK_CCW_TYPE as KATA_CCW_DEV_TYPE, DRIVER_BLK_MMIO_TYPE as KATA_MMIO_BLK_DEV_TYPE,
+    DRIVER_BLK_PCI_TYPE as KATA_BLK_DEV_TYPE, DRIVER_NVDIMM_TYPE as KATA_NVDIMM_DEV_TYPE,
+    DRIVER_SCSI_TYPE as KATA_SCSI_DEV_TYPE,
+};

 /// VIRTIO_BLOCK_PCI indicates block driver is virtio-pci based
 pub const VIRTIO_BLOCK_PCI: &str = "virtio-blk-pci";
 pub const VIRTIO_BLOCK_MMIO: &str = "virtio-blk-mmio";
 pub const VIRTIO_BLOCK_CCW: &str = "virtio-blk-ccw";
 pub const VIRTIO_PMEM: &str = "virtio-pmem";
-pub const KATA_MMIO_BLK_DEV_TYPE: &str = "mmioblk";
-pub const KATA_BLK_DEV_TYPE: &str = "blk";
-pub const KATA_CCW_DEV_TYPE: &str = "ccw";
-pub const KATA_NVDIMM_DEV_TYPE: &str = "nvdimm";
-pub const KATA_SCSI_DEV_TYPE: &str = "scsi";

 #[derive(Clone, Copy, Debug, Default)]
 pub enum BlockDeviceAio {
@@ -95,6 +95,9 @@ pub struct BlockConfig {
    /// scsi_addr is of the format SCSI-Id:LUN
    pub scsi_addr: Option<String>,

+    /// CCW device address for virtio-blk-ccw on s390x (e.g., "0.0.0005")
+    pub ccw_addr: Option<String>,
+
    /// device attach count
    pub attach_count: u64,

--- a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
+++ b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
@@ -256,29 +256,8 @@ struct Memory {

 impl Memory {
    fn new(config: &HypervisorConfig) -> Memory {
-        // Move this to QemuConfig::adjust_config()?
-
-        let mut mem_size = config.memory_info.default_memory as u64;
-        let mut max_mem_size = config.memory_info.default_maxmemory as u64;
-
-        if let Ok(sysinfo) = nix::sys::sysinfo::sysinfo() {
-            let host_memory = sysinfo.ram_total() >> 20;
-
-            if mem_size > host_memory {
-                info!(sl!(), "'default_memory' given in configuration.toml is greater than host memory, adjusting to host memory");
-                mem_size = host_memory
-            }
-
-            if max_mem_size == 0 || max_mem_size > host_memory {
-                max_mem_size = host_memory
-            }
-        } else {
-            warn!(sl!(), "Failed to get host memory size, cannot verify or adjust configuration.toml's 'default_maxmemory'");
-
-            if max_mem_size == 0 {
-                max_mem_size = mem_size;
-            };
-        }
+        let mem_size = config.memory_info.default_memory as u64;
+        let max_mem_size = config.memory_info.default_maxmemory as u64;

        // Memory sizes are given in megabytes in configuration.toml so we
        // need to convert them to bytes for storage.
@@ -300,6 +279,18 @@ impl Memory {
        self.memory_backend_file = Some(mem_file.clone());
        self
    }
+
+    #[allow(dead_code)]
+    fn set_maxmem_size(&mut self, max_size: u64) -> &mut Self {
+        self.max_size = max_size;
+        self
+    }
+
+    #[allow(dead_code)]
+    fn set_num_slots(&mut self, num_slots: u32) -> &mut Self {
+        self.num_slots = num_slots;
+        self
+    }
 }

 #[async_trait]
@@ -392,7 +383,7 @@ impl ToQemuParams for Cpu {
 /// Error type for CCW Subchannel operations
 #[derive(Debug)]
 #[allow(dead_code)]
-enum CcwError {
+pub enum CcwError {
    DeviceAlreadyExists(String), // Error when trying to add an existing device
    #[allow(dead_code)]
    DeviceNotFound(String), // Error when trying to remove a nonexistent device
@@ -423,7 +414,7 @@ impl CcwSubChannel {
    /// # Returns
    /// - `Result<u32, CcwError>`: slot index of the added device
    ///   or an error if the device already exists
-    fn add_device(&mut self, dev_id: &str) -> Result<u32, CcwError> {
+    pub fn add_device(&mut self, dev_id: &str) -> Result<u32, CcwError> {
        if self.devices.contains_key(dev_id) {
            Err(CcwError::DeviceAlreadyExists(dev_id.to_owned()))
        } else {
@@ -442,8 +433,7 @@ impl CcwSubChannel {
    /// # Returns
    /// - `Result<(), CcwError>`: Ok(()) if the device was removed
    ///   or an error if the device was not found
-    #[allow(dead_code)]
-    fn remove_device(&mut self, dev_id: &str) -> Result<(), CcwError> {
+    pub fn remove_device(&mut self, dev_id: &str) -> Result<(), CcwError> {
        if self.devices.remove(dev_id).is_some() {
            Ok(())
        } else {
@@ -451,17 +441,30 @@ impl CcwSubChannel {
        }
    }

-    /// Formats the CCW address for a given slot
+    /// Formats the CCW address for a given slot.
+    /// Uses the 0xfe channel subsystem ID used by QEMU.
    ///
    /// # Arguments
    /// - `slot`: slot index
    ///
    /// # Returns
    /// - `String`: formatted CCW address (e.g. `fe.0.0000`)
-    fn address_format_ccw(&self, slot: u32) -> String {
+    pub fn address_format_ccw(&self, slot: u32) -> String {
        format!("fe.{:x}.{:04x}", self.addr, slot)
    }

+    /// Formats the guest-visible CCW address for a given slot.
+    /// Uses channel subsystem ID 0 (guest perspective).
+    ///
+    /// # Arguments
+    /// - `slot`: slot index
+    ///
+    /// # Returns
+    /// - `String`: formatted guest-visible CCW address (e.g. `0.0.0000`)
+    pub fn address_format_ccw_for_virt_server(&self, slot: u32) -> String {
+        format!("0.{:x}.{:04x}", self.addr, slot)
+    }
+
    /// Sets the address of the subchannel.
    /// # Arguments
    /// - `addr`: subchannel address to set
@@ -1876,6 +1879,7 @@ struct ObjectSevSnpGuest {
    reduced_phys_bits: u32,
    kernel_hashes: bool,
    host_data: Option<String>,
+    policy: u32,
    is_snp: bool,
 }

@@ -1887,9 +1891,15 @@ impl ObjectSevSnpGuest {
            reduced_phys_bits,
            kernel_hashes: true,
            host_data,
+            policy: 0x30000,
            is_snp,
        }
    }
+
+    fn set_policy(&mut self, policy: u32) -> &mut Self {
+        self.policy = policy;
+        self
+    }
 }

 #[async_trait]
@@ -1912,6 +1922,7 @@ impl ToQemuParams for ObjectSevSnpGuest {
                "kernel-hashes={}",
                if self.kernel_hashes { "on" } else { "off" }
            ));
+            params.push(format!("policy=0x{:x}", self.policy));
            if let Some(host_data) = &self.host_data {
                params.push(format!("host-data={host_data}"))
            }
@@ -2274,6 +2285,12 @@ impl<'a> QemuCmdLine<'a> {
        Ok(qemu_cmd_line)
    }

+    /// Takes ownership of the CCW subchannel, leaving `None` in its place.
+    /// Used to transfer boot-time CCW state to Qmp for hotplug allocation.
+    pub fn take_ccw_subchannel(&mut self) -> Option<CcwSubChannel> {
+        self.ccw_subchannel.take()
+    }
+
    fn add_monitor(&mut self, proto: &str) -> Result<()> {
        let monitor = QmpSocket::new(self.id.as_str(), MonitorProtocol::new(proto))?;
        self.devices.push(Box::new(monitor));
@@ -2561,13 +2578,19 @@ impl<'a> QemuCmdLine<'a> {
        firmware: &str,
        host_data: &Option<String>,
    ) {
-        let sev_snp_object =
+        // For SEV-SNP, memory overcommit is not supported. we only set the memory size.
+        self.memory.set_maxmem_size(0).set_num_slots(0);
+
+        let mut sev_snp_object =
            ObjectSevSnpGuest::new(true, cbitpos, phys_addr_reduction, host_data.clone());
+        sev_snp_object.set_policy(self.config.security_info.snp_guest_policy);
+
        self.devices.push(Box::new(sev_snp_object));

        self.devices.push(Box::new(Bios::new(firmware.to_owned())));

        self.machine
+            .set_kernel_irqchip("split")
            .set_confidential_guest_support("snp")
            .set_nvdimm(false);

--- a/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs
+++ b/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs
@@ -9,7 +9,8 @@ use crate::device::topology::PCIePort;
 use crate::qemu::qmp::get_qmp_socket_path;
 use crate::{
    device::driver::ProtectionDeviceConfig, hypervisor_persist::HypervisorState, selinux,
-    HypervisorConfig, MemoryConfig, VcpuThreadIds, VsockDevice, HYPERVISOR_QEMU,
+    HypervisorConfig, MemoryConfig, VcpuThreadIds, VsockDevice, HYPERVISOR_QEMU, KATA_BLK_DEV_TYPE,
+    KATA_CCW_DEV_TYPE, KATA_NVDIMM_DEV_TYPE, KATA_SCSI_DEV_TYPE,
 };

 use crate::utils::{
@@ -21,7 +22,7 @@ use anyhow::{anyhow, Context, Result};
 use async_trait::async_trait;
 use kata_sys_util::netns::NetnsGuard;
 use kata_types::build_path;
-use kata_types::config::hypervisor::RootlessUser;
+use kata_types::config::hypervisor::{RootlessUser, VIRTIO_BLK_CCW};
 use kata_types::rootless::is_rootless;
 use kata_types::{
    capabilities::{Capabilities, CapabilityBits},
@@ -133,19 +134,20 @@ impl QemuInner {
                        continue;
                    }
                    match block_dev.config.driver_option.as_str() {
-                        "nvdimm" => cmdline.add_nvdimm(
+                        KATA_NVDIMM_DEV_TYPE => cmdline.add_nvdimm(
                            &block_dev.config.path_on_host,
                            block_dev.config.is_readonly,
                        )?,
-                        "ccw" | "blk" | "scsi" => cmdline.add_block_device(
-                            block_dev.device_id.as_str(),
-                            &block_dev.config.path_on_host,
-                            block_dev
-                                .config
-                                .is_direct
-                                .unwrap_or(self.config.blockdev_info.block_device_cache_direct),
-                            block_dev.config.driver_option.as_str() == "scsi",
-                        )?,
+                        KATA_CCW_DEV_TYPE | KATA_BLK_DEV_TYPE | KATA_SCSI_DEV_TYPE => cmdline
+                            .add_block_device(
+                                block_dev.device_id.as_str(),
+                                &block_dev.config.path_on_host,
+                                block_dev
+                                    .config
+                                    .is_direct
+                                    .unwrap_or(self.config.blockdev_info.block_device_cache_direct),
+                                block_dev.config.driver_option.as_str() == KATA_SCSI_DEV_TYPE,
+                            )?,
                        unsupported => {
                            info!(sl!(), "unsupported block device driver: {}", unsupported)
                        }
@@ -285,7 +287,12 @@ impl QemuInner {
        let qmp_socket_path = get_qmp_socket_path(self.id.as_str());

        match Qmp::new(&qmp_socket_path) {
-            Ok(qmp) => self.qmp = Some(qmp),
+            Ok(mut qmp) => {
+                if let Some(subchannel) = cmdline.take_ccw_subchannel() {
+                    qmp.set_ccw_subchannel(subchannel);
+                }
+                self.qmp = Some(qmp);
+            }
            Err(e) => {
                error!(sl!(), "couldn't initialise QMP: {:?}", e);
                return Err(e);
@@ -842,9 +849,10 @@ impl QemuInner {
                qmp.hotplug_network_device(&netdev, &virtio_net_device)?
            }
            DeviceType::Block(mut block_device) => {
-                let (pci_path, scsi_addr) = qmp
+                let block_driver = &self.config.blockdev_info.block_device_driver;
+                let (pci_path, addr_str) = qmp
                    .hotplug_block_device(
-                        &self.config.blockdev_info.block_device_driver,
+                        block_driver,
                        block_device.config.index,
                        &block_device.config.path_on_host,
                        &block_device.config.blkdev_aio.to_string(),
@@ -857,8 +865,12 @@ impl QemuInner {
                if pci_path.is_some() {
                    block_device.config.pci_path = pci_path;
                }
-                if scsi_addr.is_some() {
-                    block_device.config.scsi_addr = scsi_addr;
+                if let Some(addr) = addr_str {
+                    if block_driver == VIRTIO_BLK_CCW {
+                        block_device.config.ccw_addr = Some(addr);
+                    } else {
+                        block_device.config.scsi_addr = Some(addr);
+                    }
                }

                return Ok(DeviceType::Block(block_device));
--- a/src/runtime-rs/crates/hypervisor/src/qemu/qmp.rs
+++ b/src/runtime-rs/crates/hypervisor/src/qemu/qmp.rs
@@ -4,12 +4,12 @@
 //

 use crate::device::pci_path::PciPath;
-use crate::qemu::cmdline_generator::{DeviceVirtioNet, Netdev, QMP_SOCKET_FILE};
+use crate::qemu::cmdline_generator::{CcwSubChannel, DeviceVirtioNet, Netdev, QMP_SOCKET_FILE};
 use crate::utils::get_jailer_root;
 use crate::VcpuThreadIds;

 use anyhow::{anyhow, Context, Result};
-use kata_types::config::hypervisor::VIRTIO_SCSI;
+use kata_types::config::hypervisor::{VIRTIO_BLK_CCW, VIRTIO_SCSI};
 use kata_types::rootless::is_rootless;
 use nix::sys::socket::{sendmsg, ControlMessage, MsgFlags};
 use qapi_qmp::{
@@ -50,6 +50,11 @@ pub struct Qmp {
    // blocks seem ever to be onlined in the guest by kata-agent.
    // Store as u64 to keep up the convention of bytes being represented as u64.
    guest_memory_block_size: u64,
+
+    // CCW subchannel for s390x device address management.
+    // Transferred from QemuCmdLine after boot so that hotplug allocations
+    // continue from where boot-time allocations left off.
+    ccw_subchannel: Option<CcwSubChannel>,
 }

 // We have to implement Debug since the Hypervisor trait requires it and Qmp
@@ -76,6 +81,7 @@ impl Qmp {
                    stream,
                )),
                guest_memory_block_size: 0,
+                ccw_subchannel: None,
            };

            let info = qmp.qmp.handshake().context("qmp handshake failed")?;
@@ -102,6 +108,10 @@ impl Qmp {
            .with_context(|| format!("timed out waiting for QMP ready: {}", qmp_sock_path))
    }

+    pub fn set_ccw_subchannel(&mut self, subchannel: CcwSubChannel) {
+        self.ccw_subchannel = Some(subchannel);
+    }
+
    pub fn set_ignore_shared_memory_capability(&mut self) -> Result<()> {
        self.qmp
            .execute(&migrate_set_capabilities {
@@ -177,11 +187,21 @@ impl Qmp {
                        continue;
                    }
                    (None, _) => {
-                        warn!(sl!(), "hotpluggable vcpu {} has no socket_id for driver {}, skipping", core_id, driver);
+                        warn!(
+                            sl!(),
+                            "hotpluggable vcpu {} has no socket_id for driver {}, skipping",
+                            core_id,
+                            driver
+                        );
                        continue;
                    }
                    (_, None) => {
-                        warn!(sl!(), "hotpluggable vcpu {} has no thread_id for driver {}, skipping", core_id, driver);
+                        warn!(
+                            sl!(),
+                            "hotpluggable vcpu {} has no thread_id for driver {}, skipping",
+                            core_id,
+                            driver
+                        );
                        continue;
                    }
                }
@@ -605,6 +625,13 @@ impl Qmp {
    /// {"execute":"device_add","arguments":{"driver":"scsi-hd","drive":"virtio-scsi0","id":"scsi_device_0","bus":"virtio-scsi1.0"}}
    /// {"return": {}}
    ///
+    /// Hotplug virtio-blk-ccw block device on s390x
+    /// # virtio-blk-ccw0
+    /// {"execute":"blockdev_add", "arguments": {"file":"/path/to/block.image","format":"qcow2","id":"virtio-blk-ccw0"}}
+    /// {"return": {}}
+    /// {"execute":"device_add","arguments":{"driver":"virtio-blk-ccw","id":"virtio-blk-ccw0","drive":"virtio-blk-ccw0","devno":"fe.0.0005","share-rw":true}}
+    /// {"return": {}}
+    ///
    #[allow(clippy::too_many_arguments)]
    pub fn hotplug_block_device(
        &mut self,
@@ -711,6 +738,14 @@ impl Qmp {
            blkdev_add_args.insert("lun".to_string(), lun.into());
            blkdev_add_args.insert("share-rw".to_string(), true.into());

+            info!(
+                sl!(),
+                "hotplug_block_device(): device_add arguments: bus: {}, id: {}, driver: {}, blkdev_add_args: {:#?}",
+                "scsi0.0",
+                node_name,
+                "scsi-hd",
+                blkdev_add_args
+            );
            self.qmp
                .execute(&qmp::device_add {
                    bus: Some("scsi0.0".to_string()),
@@ -727,11 +762,59 @@ impl Qmp {
            );

            Ok((None, Some(scsi_addr)))
+        } else if block_driver == VIRTIO_BLK_CCW {
+            let subchannel = self.ccw_subchannel.as_mut().ok_or_else(|| {
+                anyhow!("CCW subchannel not available for virtio-blk-ccw hotplug")
+            })?;
+
+            let slot = subchannel
+                .add_device(&node_name)
+                .map_err(|e| anyhow!("CCW subchannel add_device failed: {:?}", e))?;
+            let devno = subchannel.address_format_ccw(slot);
+            let ccw_addr = subchannel.address_format_ccw_for_virt_server(slot);
+
+            blkdev_add_args.insert("devno".to_owned(), devno.clone().into());
+            blkdev_add_args.insert("share-rw".to_string(), true.into());
+
+            info!(
+                sl!(),
+                "hotplug_block_device(): CCW device_add: id: {}, driver: {}, blkdev_add_args: {:#?}, ccw_addr: {}",
+                node_name,
+                block_driver,
+                blkdev_add_args,
+                ccw_addr
+            );
+            let device_add_result = self.qmp.execute(&qmp::device_add {
+                bus: None,
+                id: Some(node_name.clone()),
+                driver: block_driver.to_string(),
+                arguments: blkdev_add_args,
+            });
+            if let Err(e) = device_add_result {
+                // Roll back CCW subchannel state if QMP device_add fails
+                let _ = subchannel.remove_device(&node_name);
+                return Err(anyhow!("device_add {:?}", e));
+            }
+
+            info!(
+                sl!(),
+                "hotplug CCW block device return ccw address: {:?}", &ccw_addr
+            );
+
+            Ok((None, Some(ccw_addr)))
        } else {
            let (bus, slot) = self.find_free_slot()?;
            blkdev_add_args.insert("addr".to_owned(), format!("{slot:02}").into());
            blkdev_add_args.insert("share-rw".to_string(), true.into());

+            info!(
+                sl!(),
+                "hotplug_block_device(): device_add arguments: bus: {}, id: {}, driver: {}, blkdev_add_args: {:#?}",
+                bus,
+                node_name,
+                block_driver,
+                blkdev_add_args
+            );
            self.qmp
                .execute(&qmp::device_add {
                    bus: Some(bus),
--- a/src/runtime-rs/crates/persist/Cargo.toml
+++ b/src/runtime-rs/crates/persist/Cargo.toml
@@ -8,12 +8,10 @@ license = { workspace = true }
 [dependencies]
 async-trait = { workspace = true }
 anyhow = { workspace = true }
-libc = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }

 # Local dependencies
 kata-sys-util = { workspace = true }
 kata-types = { workspace = true }
-shim-interface = { workspace = true }
 safe-path = { workspace = true }
--- a/src/runtime-rs/crates/resource/Cargo.toml
+++ b/src/runtime-rs/crates/resource/Cargo.toml
@@ -15,7 +15,6 @@ test-utils = { workspace = true }
 actix-rt = { workspace = true }
 anyhow = { workspace = true }
 async-trait = { workspace = true }
-bitflags = "2.9.0"
 byte-unit = "5.1.6"
 cgroups-rs = { version = "0.5.0", features = ["oci"] }
 futures = "0.3.11"
@@ -41,7 +40,6 @@ hex = "0.4"

 ## Dependencies from `rust-netlink`
 netlink-packet-route = "0.26"
-netlink-sys = "0.8"
 rtnetlink = "0.19"

 # Local dependencies
@@ -54,3 +52,7 @@ persist = { workspace = true }
 tests_utils = { workspace = true }

 [features]
+
+
+[package.metadata.cargo-machete]
+ignored = ["slog-scope"]
--- a/src/runtime-rs/crates/resource/src/manager_inner.rs
+++ b/src/runtime-rs/crates/resource/src/manager_inner.rs
@@ -429,14 +429,16 @@ impl ResourceManagerInner {
                        .await
                        .context("do handle device")?;

-                    // create block device for kata agent,
-                    // if driver is virtio-blk-pci, the id will be pci address.
+                    // create block device for kata agent.
+                    // The device ID is derived from the available address: PCI, SCSI,
+                    // CCW, or virtual path, depending on the driver and configuration.
                    if let DeviceType::Block(device) = device_info {
-                        // The following would work for drivers virtio-blk-pci and virtio-mmio and virtio-scsi.
                        let id = if let Some(pci_path) = device.config.pci_path {
                            pci_path.to_string()
                        } else if let Some(scsi_address) = device.config.scsi_addr {
                            scsi_address
+                        } else if let Some(ccw_addr) = device.config.ccw_addr {
+                            ccw_addr
                        } else {
                            device.config.virt_path.clone()
                        };
--- a/src/runtime-rs/crates/resource/src/rootfs/block_rootfs.rs
+++ b/src/runtime-rs/crates/resource/src/rootfs/block_rootfs.rs
@@ -100,7 +100,13 @@ impl BlockRootfs {
                VIRTIO_BLK_MMIO => {
                    storage.source = device.config.virt_path;
                }
-                VIRTIO_SCSI | VIRTIO_BLK_CCW | VIRTIO_PMEM => {
+                VIRTIO_BLK_CCW => {
+                    storage.source = device
+                        .config
+                        .ccw_addr
+                        .ok_or_else(|| anyhow!("CCW address missing for ccw block device"))?;
+                }
+                VIRTIO_SCSI | VIRTIO_PMEM => {
                    return Err(anyhow!(
                        "Complete support for block driver {} has not been implemented yet",
                        block_driver
--- a/src/runtime-rs/crates/resource/src/volume/utils.rs
+++ b/src/runtime-rs/crates/resource/src/volume/utils.rs
@@ -15,6 +15,10 @@ use crate::{
 };
 use anyhow::{anyhow, Context, Result};
 use kata_sys_util::mount::{get_mount_options, get_mount_path};
+use kata_types::device::{
+    DRIVER_BLK_CCW_TYPE as KATA_CCW_DEV_TYPE, DRIVER_BLK_PCI_TYPE as KATA_BLK_DEV_TYPE,
+    DRIVER_SCSI_TYPE as KATA_SCSI_DEV_TYPE,
+};
 use oci_spec::runtime as oci;

 use hypervisor::device::DeviceType;
@@ -22,9 +26,6 @@ use hypervisor::device::DeviceType;
 pub const DEFAULT_VOLUME_FS_TYPE: &str = "ext4";
 pub const KATA_MOUNT_BIND_TYPE: &str = "bind";

-pub const KATA_BLK_DEV_TYPE: &str = "blk";
-pub const KATA_SCSI_DEV_TYPE: &str = "scsi";
-
 pub fn get_file_name<P: AsRef<Path>>(src: P) -> Result<String> {
    let file_name = src
        .as_ref()
@@ -104,6 +105,13 @@ pub async fn handle_block_volume(
                    return Err(anyhow!("block driver is scsi but no scsi address exists"));
                }
            }
+            KATA_CCW_DEV_TYPE => {
+                if let Some(ccw_addr) = device.config.ccw_addr {
+                    ccw_addr.to_string()
+                } else {
+                    return Err(anyhow!("block driver is ccw but no ccw address exists"));
+                }
+            }
            _ => device.config.virt_path,
        };
        device_id = device.device_id;
--- a/src/runtime-rs/crates/runtimes/Cargo.toml
+++ b/src/runtime-rs/crates/runtimes/Cargo.toml
@@ -11,6 +11,7 @@ lazy_static = { workspace = true }
 netns-rs = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
+containerd-shim-protos = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread"] }
 tracing = { workspace = true }
 tracing-opentelemetry = { workspace = true }
@@ -26,7 +27,6 @@ opentelemetry-jaeger = { version = "0.17.0", features = [
 ] }
 tracing-subscriber = { version = "0.3", features = ["registry", "std"] }
 hyper = { workspace = true, features = ["stream", "server", "http1"] }
-hyperlocal = { workspace = true }
 serde_json = { workspace = true }
 nix = "0.25.0"
 url = { workspace = true }
--- a/src/runtime-rs/crates/runtimes/common/Cargo.toml
+++ b/src/runtime-rs/crates/runtimes/common/Cargo.toml
@@ -11,20 +11,14 @@ license = { workspace = true }
 anyhow = { workspace = true }
 async-trait = { workspace = true }
 containerd-shim-protos = { workspace = true, features = ["sandbox"] }
-lazy_static = { workspace = true }
 nix = { workspace = true }
 protobuf = { workspace = true }
-serde_json = { workspace = true }
-slog = { workspace = true }
-slog-scope = { workspace = true }
 strum = { workspace = true }
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread", "process", "fs"] }
-ttrpc = { workspace = true }
 oci-spec = { workspace = true }

 # Local dependencies
-persist = { workspace = true }
 agent = { workspace = true }
 kata-sys-util = { workspace = true }
 kata-types = { workspace = true }
--- a/src/runtime-rs/crates/runtimes/common/src/message.rs
+++ b/src/runtime-rs/crates/runtimes/common/src/message.rs
@@ -6,7 +6,7 @@
 use std::sync::Arc;

 use anyhow::{Context, Result};
-use containerd_shim_protos::events::task::{TaskExit, TaskOOM};
+use containerd_shim_protos::events::task::{TaskCreate, TaskDelete, TaskExit, TaskOOM, TaskStart};
 use containerd_shim_protos::protobuf::Message as ProtobufMessage;
 use tokio::sync::mpsc::{channel, Receiver, Sender};

@@ -49,9 +49,15 @@ impl Message {

 const TASK_OOM_EVENT_TOPIC: &str = "/tasks/oom";
 const TASK_EXIT_EVENT_TOPIC: &str = "/tasks/exit";
+const TASK_START_EVENT_TOPIC: &str = "/tasks/start";
+const TASK_CREATE_EVENT_TOPIC: &str = "/tasks/create";
+const TASK_DELETE_EVENT_TOPIC: &str = "/tasks/delete";

 const TASK_OOM_EVENT_URL: &str = "containerd.events.TaskOOM";
 const TASK_EXIT_EVENT_URL: &str = "containerd.events.TaskExit";
+const TASK_START_EVENT_URL: &str = "containerd.events.TaskStart";
+const TASK_CREATE_EVENT_URL: &str = "containerd.events.TaskCreate";
+const TASK_DELETE_EVENT_URL: &str = "containerd.events.TaskDelete";

 pub trait Event: std::fmt::Debug + Send {
    fn r#type(&self) -> String;
@@ -86,3 +92,45 @@ impl Event for TaskExit {
        self.write_to_bytes().context("get exit value")
    }
 }
+
+impl Event for TaskStart {
+    fn r#type(&self) -> String {
+        TASK_START_EVENT_TOPIC.to_string()
+    }
+
+    fn type_url(&self) -> String {
+        TASK_START_EVENT_URL.to_string()
+    }
+
+    fn value(&self) -> Result<Vec<u8>> {
+        self.write_to_bytes().context("get start value")
+    }
+}
+
+impl Event for TaskCreate {
+    fn r#type(&self) -> String {
+        TASK_CREATE_EVENT_TOPIC.to_string()
+    }
+
+    fn type_url(&self) -> String {
+        TASK_CREATE_EVENT_URL.to_string()
+    }
+
+    fn value(&self) -> Result<Vec<u8>> {
+        self.write_to_bytes().context("get create value")
+    }
+}
+
+impl Event for TaskDelete {
+    fn r#type(&self) -> String {
+        TASK_DELETE_EVENT_TOPIC.to_string()
+    }
+
+    fn type_url(&self) -> String {
+        TASK_DELETE_EVENT_URL.to_string()
+    }
+
+    fn value(&self) -> Result<Vec<u8>> {
+        self.write_to_bytes().context("get delete value")
+    }
+}
--- a/src/runtime-rs/crates/runtimes/src/manager.rs
+++ b/src/runtime-rs/crates/runtimes/src/manager.rs
@@ -6,14 +6,16 @@

 use anyhow::{anyhow, Context, Result};
 use common::{
-    message::Message,
+    message::{Action, Message},
    types::{
-        ContainerProcess, PlatformInfo, SandboxConfig, SandboxRequest, SandboxResponse,
-        SandboxStatusInfo, StartSandboxInfo, TaskRequest, TaskResponse, DEFAULT_SHM_SIZE,
+        ContainerProcess, PlatformInfo, ProcessType, SandboxConfig, SandboxRequest,
+        SandboxResponse, SandboxStatusInfo, StartSandboxInfo, TaskRequest, TaskResponse,
+        DEFAULT_SHM_SIZE,
    },
    RuntimeHandler, RuntimeInstance, Sandbox, SandboxNetworkEnv,
 };

+use containerd_shim_protos::events::task::{TaskCreate, TaskDelete, TaskStart};
 use hypervisor::{
    utils::{create_dir_all_with_inherit_owner, create_vmm_user, remove_vmm_user},
    Param,
@@ -33,13 +35,13 @@ use netns_rs::{Env, NetNs};
 use nix::{sys::statfs, unistd::User};
 use oci_spec::runtime as oci;
 use persist::sandbox_persist::Persist;
+use protobuf::Message as ProtobufMessage;
 use resource::{
    cpu_mem::initial_size::InitialSizeManager,
    network::{dan_config_path, generate_netns_name},
 };
 use runtime_spec as spec;
 use shim_interface::shim_mgmt::ERR_NO_SHIM_SERVER;
-use protobuf::Message as ProtobufMessage;
 use std::{
    collections::HashMap,
    env,
@@ -480,6 +482,7 @@ impl RuntimeHandlerManager {
                .await
                .context("start sandbox in task handler")?;

+            let bundle = container_config.bundle.clone();
            let container_id = container_config.container_id.clone();
            let shim_pid = instance
                .container_manager
@@ -501,6 +504,19 @@ impl RuntimeHandlerManager {
                }
            });

+            let msg_sender = self.inner.read().await.msg_sender.clone();
+            let event = TaskCreate {
+                container_id,
+                bundle,
+                pid,
+                ..Default::default()
+            };
+            let msg = Message::new(Action::Event(Arc::new(event)));
+            msg_sender
+                .send(msg)
+                .await
+                .context("send task create event")?;
+
            Ok(TaskResponse::CreateContainer(shim_pid))
        } else {
            self.handler_task_request(req)
@@ -570,6 +586,7 @@ impl RuntimeHandlerManager {
            .context("get runtime instance")?;
        let sandbox = instance.sandbox.clone();
        let cm = instance.container_manager.clone();
+        let msg_sender = self.inner.read().await.msg_sender.clone();

        match req {
            TaskRequest::CreateContainer(req) => Err(anyhow!("Unreachable TaskRequest {:?}", req)),
@@ -579,6 +596,20 @@ impl RuntimeHandlerManager {
            }
            TaskRequest::DeleteProcess(process_id) => {
                let resp = cm.delete_process(&process_id).await.context("do delete")?;
+                if process_id.process_type == ProcessType::Container {
+                    let event = TaskDelete {
+                        id: process_id.container_id().to_string(),
+                        pid: resp.pid.pid,
+                        exit_status: resp.exit_status as u32,
+                        ..Default::default()
+                    };
+                    let msg = Message::new(Action::Event(Arc::new(event)));
+                    msg_sender
+                        .send(msg)
+                        .await
+                        .context("send task delete event")?;
+                }
+
                Ok(TaskResponse::DeleteProcess(resp))
            }
            TaskRequest::ExecProcess(req) => {
@@ -614,12 +645,28 @@ impl RuntimeHandlerManager {
                    .context("start process")?;

                let pid = shim_pid.pid;
+                let process_type = process_id.process_type;
+                let container_id = process_id.container_id().to_string();
                tokio::spawn(async move {
                    let result = sandbox.wait_process(cm, process_id, pid).await;
                    if let Err(e) = result {
                        error!(sl!(), "sandbox wait process error: {:?}", e);
                    }
                });
+
+                if process_type == ProcessType::Container {
+                    let event = TaskStart {
+                        container_id,
+                        pid,
+                        ..Default::default()
+                    };
+                    let msg = Message::new(Action::Event(Arc::new(event)));
+                    msg_sender
+                        .send(msg)
+                        .await
+                        .context("send task start event")?;
+                }
+
                Ok(TaskResponse::StartProcess(shim_pid))
            }

--- a/src/runtime-rs/crates/runtimes/virt_container/Cargo.toml
+++ b/src/runtime-rs/crates/runtimes/virt_container/Cargo.toml
@@ -10,8 +10,6 @@ anyhow = { workspace = true }
 async-trait = { workspace = true }
 awaitgroup = "0.6.0"
 containerd-shim-protos = { workspace = true }
-futures = "0.3.19"
-lazy_static = { workspace = true }
 libc = { workspace = true }
 nix = { workspace = true }
 protobuf = { workspace = true }
@@ -21,9 +19,7 @@ serde_json = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
 tokio = { workspace = true }
-toml = "0.4.2"
 url = { workspace = true }
-async-std = "1.12.0"
 tracing = { workspace = true }
 oci-spec = { workspace = true }
 strum = { workspace = true }
@@ -48,3 +44,7 @@ cloud-hypervisor = ["hypervisor/cloud-hypervisor"]

 # Enable the build-in VMM Dragtonball
 dragonball = ["hypervisor/dragonball"]
+
+
+[package.metadata.cargo-machete]
+ignored = ["slog-scope"]
--- a/src/runtime-rs/crates/service/Cargo.toml
+++ b/src/runtime-rs/crates/service/Cargo.toml
@@ -11,7 +11,6 @@ async-trait = { workspace = true }
 slog = { workspace = true }
 slog-scope = { workspace = true }
 tokio = { workspace = true, features = ["rt-multi-thread"] }
-tracing = { workspace = true }
 ttrpc = { workspace = true }
 containerd-shim-protos = { workspace = true, features = ["async", "sandbox"] }
 containerd-shim = { workspace = true }
@@ -21,4 +20,7 @@ common = { workspace = true }
 logging = { workspace = true }
 kata-types = { workspace = true }
 runtimes = { workspace = true }
-persist = { workspace = true }
+
+
+[package.metadata.cargo-machete]
+ignored = ["slog-scope"]
--- a/src/runtime-rs/crates/shim-ctl/Cargo.toml
+++ b/src/runtime-rs/crates/shim-ctl/Cargo.toml
@@ -9,9 +9,8 @@ license = { workspace = true }

 [dependencies]
 anyhow = { workspace = true }
-tokio = { workspace = true, features = [ "rt", "rt-multi-thread" ] }
+tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }

 # Local dependencies
 common = { workspace = true }
-logging = { workspace = true }
 runtimes = { workspace = true }
--- a/src/runtime-rs/crates/shim/Cargo.toml
+++ b/src/runtime-rs/crates/shim/Cargo.toml
@@ -36,8 +36,6 @@ slog-stdlog = "4.1.0"
 thiserror = { workspace = true }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 unix_socket2 = "0.5.4"
-tracing = { workspace = true }
-tracing-opentelemetry = { workspace = true }
 oci-spec = { workspace = true }

 # Local dependencies
@@ -46,12 +44,7 @@ kata-sys-util = { workspace = true }
 logging = { workspace = true }
 runtime-spec = { workspace = true }
 service = { workspace = true }
-runtimes = { workspace = true }

 [dev-dependencies]
 tempfile = { workspace = true }
-rand = { workspace = true }
 serial_test = "0.10.0"
-
-# Local dev-dependencies
-tests_utils = { workspace = true }
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -147,10 +147,14 @@ DEFROOTFSTYPE := $(ROOTFSTYPE_EXT4)
 FIRMWAREPATH :=
 FIRMWAREVOLUMEPATH :=

+FIRMWAREPATH_NV = $(FIRMWAREPATH)
+
 FIRMWARETDVFPATH := $(PREFIXDEPS)/share/ovmf/OVMF.inteltdx.fd
+FIRMWARETDVFPATH_NV := $(FIRMWARETDVFPATH)
 FIRMWARETDVFVOLUMEPATH :=

 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
+FIRMWARESNPPATH_NV := $(FIRMWARESNPPATH)

 KERNELVERITYPARAMS ?= ""
 KERNELVERITYPARAMS_NV ?= ""
@@ -221,6 +225,8 @@ DEFENABLEANNOTATIONS := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_pa
 DEFENABLEANNOTATIONS_COCO := [\"enable_iommu\", \"virtio_fs_extra_args\", \"kernel_params\", \"kernel_verity_params\", \"default_vcpus\", \"default_memory\", \"cc_init_data\"]
 DEFDISABLEGUESTSECCOMP := true
 DEFDISABLEGUESTEMPTYDIR := false
+DEFEMPTYDIRMODE := shared-fs
+DEFEMPTYDIRMODE_COCO := block-encrypted
 #Default experimental features enabled
 DEFAULTEXPFEATURES := []

@@ -272,6 +278,7 @@ DEFVIRTIOFSEXTRAARGS ?= [\"--thread-pool-size=1\", \"--announce-submounts\"]
 DEFENABLEIOTHREADS := false
 DEFINDEPIOTHREADS := 0
 DEFENABLEVHOSTUSERSTORE := false
+DEFENABLEVIRTIOMEM ?= false
 DEFVHOSTUSERSTOREPATH := $(PKGRUNDIR)/vhost-user
 DEFVALIDVHOSTUSERSTOREPATHS := [\"$(DEFVHOSTUSERSTOREPATH)\"]
 DEFFILEMEMBACKEND := ""
@@ -300,9 +307,11 @@ DEFDANCONF := /run/kata-containers/dans

 DEFFORCEGUESTPULL := false

+DEFKUBELETROOTDIR := /var/lib/kubelet
+
 # Device cold plug
 DEFPODRESOURCEAPISOCK := ""
-DEFPODRESOURCEAPISOCK_NV := "/var/lib/kubelet/pod-resources/kubelet.sock"
+DEFPODRESOURCEAPISOCK_NV := "$(DEFKUBELETROOTDIR)/pod-resources/kubelet.sock"

 SED = sed

@@ -467,8 +476,8 @@ ifneq (,$(QEMUCMD))
    KERNELSEPATH = $(KERNELDIR)/$(KERNELSENAME)

    # NVIDIA GPU specific options (all should be suffixed by _NV)
-    # Normal: uncompressed (KERNELTYPE). Confidential: compressed (KERNELCONFIDENTIALTYPE).
-    KERNELNAME_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELTYPE))
+    KERNELTYPE_NV = compressed
+    KERNELNAME_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELTYPE_NV))
    KERNELPATH_NV = $(KERNELDIR)/$(KERNELNAME_NV)
    KERNELNAME_CONFIDENTIAL_NV = $(call MAKE_KERNEL_NAME_NV,$(KERNELCONFIDENTIALTYPE))
    KERNELPATH_CONFIDENTIAL_NV = $(KERNELDIR)/$(KERNELNAME_CONFIDENTIAL_NV)
@@ -484,6 +493,9 @@ ifneq (,$(QEMUCMD))
    # using an image and /dev is already mounted.
    KERNELPARAMS_NV = "cgroup_no_v1=all"
    KERNELPARAMS_NV += "devtmpfs.mount=0"
+    KERNELPARAMS_NV += "pci=realloc"
+    KERNELPARAMS_NV += "pci=nocrs"
+    KERNELPARAMS_NV += "pci=assign-busses"

    # Setting this to false can lead to cgroup leakages in the host
    # Best practice for production is to set this to true
@@ -680,10 +692,13 @@ USER_VARS += KERNELPATH_FC
 USER_VARS += KERNELPATH_STRATOVIRT
 USER_VARS += KERNELVIRTIOFSPATH
 USER_VARS += FIRMWAREPATH
+USER_VARS += FIRMWAREPATH_NV
 USER_VARS += FIRMWARETDVFPATH
 USER_VARS += FIRMWAREVOLUMEPATH
 USER_VARS += FIRMWARETDVFVOLUMEPATH
 USER_VARS += FIRMWARESNPPATH
+USER_VARS += FIRMWARETDVFPATH_NV
+USER_VARS += FIRMWARESNPPATH_NV
 USER_VARS += MACHINEACCELERATORS
 USER_VARS += CPUFEATURES
 USER_VARS += TDXCPUFEATURES
@@ -737,6 +752,8 @@ USER_VARS += DEFNETWORKMODEL_FC
 USER_VARS += DEFNETWORKMODEL_QEMU
 USER_VARS += DEFNETWORKMODEL_STRATOVIRT
 USER_VARS += DEFDISABLEGUESTEMPTYDIR
+USER_VARS += DEFEMPTYDIRMODE
+USER_VARS += DEFEMPTYDIRMODE_COCO
 USER_VARS += DEFDISABLEGUESTSECCOMP
 USER_VARS += DEFDISABLESELINUX
 USER_VARS += DEFDISABLEGUESTSELINUX
@@ -764,6 +781,7 @@ USER_VARS += DEFENABLEANNOTATIONS
 USER_VARS += DEFENABLEANNOTATIONS_COCO
 USER_VARS += DEFENABLEIOTHREADS
 USER_VARS += DEFINDEPIOTHREADS
+USER_VARS += DEFENABLEVIRTIOMEM
 USER_VARS += DEFSECCOMPSANDBOXPARAM
 USER_VARS += DEFENABLEVHOSTUSERSTORE
 USER_VARS += DEFVHOSTUSERSTOREPATH
@@ -783,6 +801,7 @@ USER_VARS += DEFSTATICRESOURCEMGMT_NV
 USER_VARS += DEFBINDMOUNTS
 USER_VARS += DEFCREATECONTAINERTIMEOUT
 USER_VARS += DEFDANCONF
+USER_VARS += DEFKUBELETROOTDIR
 USER_VARS += DEFFORCEGUESTPULL
 USER_VARS += DEFVFIOMODE
 USER_VARS += DEFVFIOMODE_SE
--- a/src/runtime/arch/s390x-options.mk
+++ b/src/runtime/arch/s390x-options.mk
@@ -18,3 +18,6 @@ ifneq (,$(NEEDS_CC_SETTING))
 	CC := gcc
 	export CC
 endif
+
+# Enable virtio-mem for s390x
+DEFENABLEVIRTIOMEM = true
--- a/src/runtime/cmd/kata-monitor/main.go
+++ b/src/runtime/cmd/kata-monitor/main.go
@@ -196,7 +196,7 @@ func indexPageText(w http.ResponseWriter, r *http.Request) {
 	formatter := fmt.Sprintf("%%-%ds: %%s\n", spacing)

 	for _, endpoint := range endpoints {
-		w.Write([]byte(fmt.Sprintf(formatter, endpoint.path, endpoint.desc)))
+		fmt.Fprintf(w, formatter, endpoint.path, endpoint.desc)
 	}
 }

--- a/src/runtime/cmd/kata-runtime/kata-check_amd64.go
+++ b/src/runtime/cmd/kata-runtime/kata-check_amd64.go
@@ -63,7 +63,7 @@ func setCPUtype(hypervisorType vc.HypervisorType) error {
 	cpuType = getCPUtype()

 	if cpuType == cpuTypeUnknown {
-		return fmt.Errorf("Unknow CPU Type")
+		return fmt.Errorf("Unknown CPU Type")
 	} else if cpuType == cpuTypeIntel {
 		var kvmIntelParams map[string]string
 		onVMM, err := vc.RunningOnVMM(procCPUInfo)
--- a/src/runtime/cmd/kata-runtime/kata-check_amd64_test.go
+++ b/src/runtime/cmd/kata-runtime/kata-check_amd64_test.go
@@ -55,18 +55,17 @@ func TestCCCheckCLIFunction(t *testing.T) {
 	var moduleData []testModuleData

 	cpuType = getCPUtype()
-	if cpuType == cpuTypeIntel {
+	moduleData = []testModuleData{}
+
+	switch cpuType {
+	case cpuTypeIntel:
 		cpuData = []testCPUData{
 			{archGenuineIntel, "lm vmx sse4_1", false},
 		}
-
-		moduleData = []testModuleData{}
-	} else if cpuType == cpuTypeAMD {
+	case cpuTypeAMD:
 		cpuData = []testCPUData{
 			{archAuthenticAMD, "lm svm sse4_1", false},
 		}
-
-		moduleData = []testModuleData{}
 	}

 	genericCheckCLIFunction(t, cpuData, moduleData)
@@ -276,7 +275,8 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 	var moduleData []testModuleData
 	cpuType = getCPUtype()

-	if cpuType == cpuTypeIntel {
+	switch cpuType {
+	case cpuTypeIntel:
 		cpuData = []testCPUData{
 			{"", "", true},
 			{"Intel", "", true},
@@ -292,7 +292,7 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 			{filepath.Join(sysModuleDir, "kvm_intel/parameters/nested"), "Y", false},
 			{filepath.Join(sysModuleDir, "kvm_intel/parameters/unrestricted_guest"), "Y", false},
 		}
-	} else if cpuType == cpuTypeAMD {
+	case cpuTypeAMD:
 		cpuData = []testCPUData{
 			{"", "", true},
 			{"AMD", "", true},
@@ -340,7 +340,7 @@ func TestCheckHostIsVMContainerCapable(t *testing.T) {
 		// Write the following into the denylist file
 		// blacklist <mod>
 		// install <mod> /bin/false
-		_, err = denylistFile.WriteString(fmt.Sprintf("blacklist %s\ninstall %s /bin/false\n", mod, mod))
+		_, err = fmt.Fprintf(denylistFile, "blacklist %s\ninstall %s /bin/false\n", mod, mod)
 		assert.Nil(err)
 	}
 	denylistFile.Close()
@@ -505,9 +505,10 @@ func TestSetCPUtype(t *testing.T) {
 	assert.NotEmpty(archRequiredKernelModules)

 	cpuType = getCPUtype()
-	if cpuType == cpuTypeIntel {
+	switch cpuType {
+	case cpuTypeIntel:
 		assert.Equal(archRequiredCPUFlags["vmx"], "Virtualization support")
-	} else if cpuType == cpuTypeAMD {
+	case cpuTypeAMD:
 		assert.Equal(archRequiredCPUFlags["svm"], "Virtualization support")
 	}

--- a/src/runtime/cmd/kata-runtime/kata-check_test.go
+++ b/src/runtime/cmd/kata-runtime/kata-check_test.go
@@ -17,7 +17,6 @@ import (
 	"testing"

 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
-	ktu "github.com/kata-containers/kata-containers/src/runtime/pkg/katatestutils"
 	"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils"
 	vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 	"github.com/sirupsen/logrus"
@@ -509,7 +508,7 @@ func TestCheckCheckCPUAttribs(t *testing.T) {
 }

 func TestCheckHaveKernelModule(t *testing.T) {
-	if tc.NotValid(ktu.NeedRoot()) {
+	if tc.NotValid(katatestutils.NeedRoot()) {
 		t.Skip(testDisabledAsNonRoot)
 	}

@@ -638,8 +637,8 @@ func TestCheckCheckKernelModules(t *testing.T) {
 func TestCheckCheckKernelModulesUnreadableFile(t *testing.T) {
 	assert := assert.New(t)

-	if tc.NotValid(ktu.NeedNonRoot()) {
-		t.Skip(ktu.TestDisabledNeedNonRoot)
+	if tc.NotValid(katatestutils.NeedNonRoot()) {
+		t.Skip(katatestutils.TestDisabledNeedNonRoot)
 	}

 	dir := t.TempDir()
--- a/src/runtime/cmd/kata-runtime/kata-env_amd64_test.go
+++ b/src/runtime/cmd/kata-runtime/kata-env_amd64_test.go
@@ -56,9 +56,10 @@ func TestEnvGetEnvInfoSetsCPUType(t *testing.T) {
 	assert.NotEmpty(archRequiredKernelModules)

 	cpuType = getCPUtype()
-	if cpuType == cpuTypeIntel {
+	switch cpuType {
+	case cpuTypeIntel:
 		assert.Equal(archRequiredCPUFlags["vmx"], "Virtualization support")
-	} else if cpuType == cpuTypeAMD {
+	case cpuTypeAMD:
 		assert.Equal(archRequiredCPUFlags["svm"], "Virtualization support")
 	}

--- a/src/runtime/cmd/kata-runtime/kata-env_test.go
+++ b/src/runtime/cmd/kata-runtime/kata-env_test.go
@@ -14,7 +14,6 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
-	goruntime "runtime"
 	"strings"
 	"testing"

@@ -184,7 +183,7 @@ func genericGetExpectedHostDetails(tmpdir string, expectedVendor string, expecte
 	}

 	const expectedKernelVersion = "99.1"
-	const expectedArch = goruntime.GOARCH
+	const expectedArch = runtime.GOARCH

 	expectedDistro := DistroInfo{
 		Name:    "Foo",
@@ -254,7 +253,7 @@ VERSION_ID="%s"
 		}
 	}

-	if goruntime.GOARCH == "arm64" {
+	if runtime.GOARCH == "arm64" {
 		expectedHostDetails.CPU.Vendor = "ARM Limited"
 		expectedHostDetails.CPU.Model = "v8"
 	}
--- a/src/runtime/cmd/kata-runtime/kata-iptables.go
+++ b/src/runtime/cmd/kata-runtime/kata-iptables.go
@@ -55,9 +55,9 @@ var getIPTablesCommand = cli.Command{
 			return err
 		}

-		url := containerdshim.IPTablesUrl
+		url := containerdshim.IPTablesURL
 		if isIPv6 {
-			url = containerdshim.IP6TablesUrl
+			url = containerdshim.IP6TablesURL
 		}
 		body, err := shimclient.DoGet(sandboxID, defaultTimeout, url)
 		if err != nil {
@@ -108,9 +108,9 @@ var setIPTablesCommand = cli.Command{
 			return err
 		}

-		url := containerdshim.IPTablesUrl
+		url := containerdshim.IPTablesURL
 		if isIPv6 {
-			url = containerdshim.IP6TablesUrl
+			url = containerdshim.IP6TablesURL
 		}

 		if err = shimclient.DoPut(sandboxID, defaultTimeout, url, "application/octet-stream", buf); err != nil {
--- a/src/runtime/cmd/kata-runtime/kata-policy.go
+++ b/src/runtime/cmd/kata-runtime/kata-policy.go
@@ -62,7 +62,7 @@ var setPolicyCommand = cli.Command{
 			return err
 		}

-		url := containerdshim.PolicyUrl
+		url := containerdshim.PolicyURL

 		if err = shimclient.DoPut(sandboxID, defaultTimeout, url, "application/octet-stream", buf); err != nil {
 			return fmt.Errorf("Error observed when making policy-set request(%s): %s", policyFile, err)
--- a/src/runtime/cmd/kata-runtime/kata-volume.go
+++ b/src/runtime/cmd/kata-runtime/kata-volume.go
@@ -126,7 +126,7 @@ var resizeCommand = cli.Command{

 // Stats retrieves the filesystem stats of the direct volume inside the guest.
 func Stats(volumePath string) ([]byte, error) {
-	sandboxId, err := volume.GetSandboxIdForVolume(volumePath)
+	sandboxID, err := volume.GetSandboxIDForVolume(volumePath)
 	if err != nil {
 		return nil, err
 	}
@@ -136,8 +136,8 @@ func Stats(volumePath string) ([]byte, error) {
 	}

 	urlSafeDevicePath := url.PathEscape(volumeMountInfo.Device)
-	body, err := shimclient.DoGet(sandboxId, defaultTimeout,
-		fmt.Sprintf("%s?%s=%s", containerdshim.DirectVolumeStatUrl, containerdshim.DirectVolumePathKey, urlSafeDevicePath))
+	body, err := shimclient.DoGet(sandboxID, defaultTimeout,
+		fmt.Sprintf("%s?%s=%s", containerdshim.DirectVolumeStatURL, containerdshim.DirectVolumePathKey, urlSafeDevicePath))
 	if err != nil {
 		return nil, err
 	}
@@ -146,7 +146,7 @@ func Stats(volumePath string) ([]byte, error) {

 // Resize resizes a direct volume inside the guest.
 func Resize(volumePath string, size uint64) error {
-	sandboxId, err := volume.GetSandboxIdForVolume(volumePath)
+	sandboxID, err := volume.GetSandboxIDForVolume(volumePath)
 	if err != nil {
 		return err
 	}
@@ -163,5 +163,5 @@ func Resize(volumePath string, size uint64) error {
 	if err != nil {
 		return err
 	}
-	return shimclient.DoPost(sandboxId, defaultTimeout, containerdshim.DirectVolumeResizeUrl, "application/json", encoded)
+	return shimclient.DoPost(sandboxID, defaultTimeout, containerdshim.DirectVolumeResizeURL, "application/json", encoded)
 }
--- a/src/runtime/cmd/kata-runtime/release.go
+++ b/src/runtime/cmd/kata-runtime/release.go
@@ -94,11 +94,12 @@ func releaseURLIsValid(url string) error {
 func getReleaseURL(currentVersion semver.Version) (url string, err error) {
 	major := currentVersion.Major

-	if major == 0 {
+	switch major {
+	case 0:
 		return "", fmt.Errorf("invalid current version: %v", currentVersion)
-	} else if major == 1 {
+	case 1:
 		url = kataLegacyReleaseURL
-	} else {
+	default:
 		url = kataReleaseURL
 	}

--- a/src/runtime/config/configuration-clh.toml.in
+++ b/src/runtime/config/configuration-clh.toml.in
@@ -463,6 +463,18 @@ vfio_mode = "@DEFVFIOMODE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@

+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+#   - shared-fs (default)
+#     Shares the emptyDir folder with the guest using the method given
+#     by the `shared_fs` setting.
+#
+#   - block-encrypted
+#     Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
@@ -491,6 +503,11 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"

+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the
--- a/src/runtime/config/configuration-fc.toml.in
+++ b/src/runtime/config/configuration-fc.toml.in
@@ -354,6 +354,18 @@ static_sandbox_resource_mgmt = @DEFSTATICRESOURCEMGMT_FC@
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@

+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+#   - shared-fs (default)
+#     Shares the emptyDir folder with the guest using the method given
+#     by the `shared_fs` setting.
+#
+#   - block-encrypted
+#     Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
@@ -382,6 +394,11 @@ create_container_timeout = @DEFCREATECONTAINERTIMEOUT@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"

+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the
--- a/src/runtime/config/configuration-qemu-cca.toml.in
+++ b/src/runtime/config/configuration-qemu-cca.toml.in
@@ -638,6 +638,18 @@ vfio_mode = "@DEFVFIOMODE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@

+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+#   - shared-fs (default)
+#     Shares the emptyDir folder with the guest using the method given
+#     by the `shared_fs` setting.
+#
+#   - block-encrypted
+#     Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
@@ -670,6 +682,12 @@ dan_conf = "@DEFDANCONF@"
 # the container image should be pulled in the guest, without using an external snapshotter.
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@
+
+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the
--- a/src/runtime/config/configuration-qemu-coco-dev.toml.in
+++ b/src/runtime/config/configuration-qemu-coco-dev.toml.in
@@ -701,6 +701,18 @@ vfio_mode = "@DEFVFIOMODE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@

+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+#   - shared-fs (default)
+#     Shares the emptyDir folder with the guest using the method given
+#     by the `shared_fs` setting.
+#
+#   - block-encrypted
+#     Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
@@ -734,6 +746,11 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@

+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the
--- a/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in
@@ -99,7 +99,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_CONFIDENTIAL_NV@"

 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWARESNPPATH@"
+firmware = "@FIRMWARESNPPATH_NV@"

 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -717,6 +717,18 @@ vfio_mode = "@DEFVFIOMODE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@

+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+#   - shared-fs (default)
+#     Shares the emptyDir folder with the guest using the method given
+#     by the `shared_fs` setting.
+#
+#   - block-encrypted
+#     Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
@@ -750,6 +762,11 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@

+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the
--- a/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in
@@ -76,7 +76,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_CONFIDENTIAL_NV@"

 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWARETDVFPATH@"
+firmware = "@FIRMWARETDVFPATH_NV@"

 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -694,6 +694,18 @@ vfio_mode = "@DEFVFIOMODE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@

+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+#   - shared-fs (default)
+#     Shares the emptyDir folder with the guest using the method given
+#     by the `shared_fs` setting.
+#
+#   - block-encrypted
+#     Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
@@ -727,6 +739,11 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@

+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the
--- a/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu.toml.in
@@ -58,7 +58,7 @@ kernel_verity_params = "@KERNELVERITYPARAMS_NV@"

 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWAREPATH@"
+firmware = "@FIRMWAREPATH_NV@"

 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
@@ -696,6 +696,18 @@ vfio_mode = "@DEFVFIOMODE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@

+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+#   - shared-fs (default)
+#     Shares the emptyDir folder with the guest using the method given
+#     by the `shared_fs` setting.
+#
+#   - block-encrypted
+#     Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
@@ -724,6 +736,11 @@ create_container_timeout = @DEFAULTTIMEOUT_NV@
 # (default: /run/kata-containers/dans)
 dan_conf = "@DEFDANCONF@"

+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the
--- a/src/runtime/config/configuration-qemu-se.toml.in
+++ b/src/runtime/config/configuration-qemu-se.toml.in
@@ -679,6 +679,18 @@ vfio_mode = "@DEFVFIOMODE_SE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@

+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+#   - shared-fs (default)
+#     Shares the emptyDir folder with the guest using the method given
+#     by the `shared_fs` setting.
+#
+#   - block-encrypted
+#     Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
@@ -712,6 +724,11 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@

+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the
--- a/src/runtime/config/configuration-qemu-snp.toml.in
+++ b/src/runtime/config/configuration-qemu-snp.toml.in
@@ -704,6 +704,18 @@ vfio_mode = "@DEFVFIOMODE@"
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
 disable_guest_empty_dir = @DEFDISABLEGUESTEMPTYDIR@

+# Specifies how Kubernetes emptyDir volumes are handled.
+# Options:
+#
+#   - shared-fs (default)
+#     Shares the emptyDir folder with the guest using the method given
+#     by the `shared_fs` setting.
+#
+#   - block-encrypted
+#     Plugs a block device to be encrypted in the guest.
+#
+emptydir_mode = "@DEFEMPTYDIRMODE_COCO@"
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # they may break compatibility, and are prepared for a big version bump.
@@ -737,6 +749,11 @@ dan_conf = "@DEFDANCONF@"
 # This is an experimental feature and might be removed in the future.
 experimental_force_guest_pull = @DEFFORCEGUESTPULL@

+# kubelet_root_dir is the kubelet root directory used to match ConfigMap/Secret
+# volume paths for propagation. Override for distros that use a different path
+# (e.g. k0s: /var/lib/k0s/kubelet).
+kubelet_root_dir = "@DEFKUBELETROOTDIR@"
+
 # pod_resource_api_sock specifies the unix socket for the Kubelet's
 # PodResource API endpoint. If empty, kubernetes based cold plug
 # will not be attempted. In order for this feature to work, the
--- a/Show More
+++ b/Show More