bump runc to v1.3.0 and containerd to v2.1.4 (#4165 )

Signed-off-by: Avi Deitcher <avi@deitcher.net>
add support for pkg build dry-run (#4163 )
2026-03-19 21:18:02 +00:00 · 2025-08-28 21:05:06 +03:00 · 2025-08-28 13:35:52 +03:00 · 2025-08-28 10:34:53 +03:00 · 2025-08-27 19:07:26 +03:00 · 2025-08-14 16:35:56 +03:00
7792 changed files with 1103971 additions and 523595 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,6 +1,9 @@
 name: LinuxKit CI
 on: [push, pull_request]

+env:
+  TOTAL_SHARDS: 12   # change here once
+
 jobs:
  build:
    name: Build & Test
@@ -35,14 +38,14 @@ jobs:
    runs-on: ${{ matrix.target.runner }}
    steps:

-    - name: Set up Go 1.19
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19.2
-      id: go
-
    - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
+
+    - name: Set up Go based on go.mod
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: 'src/cmd/linuxkit/go.mod'
+      id: go

    - name: Set path
      run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
@@ -50,9 +53,9 @@ jobs:
         GOPATH: ${{runner.workspace}}

    - name: golangci-lint CLI
-      uses: golangci/golangci-lint-action@v3
+      uses: golangci/golangci-lint-action@v7
      with:
-        version: v1.50.0
+        version: v2.0.2
        working-directory: src/cmd/linuxkit
        args: --verbose --timeout=10m
    - name: go vet CLI
@@ -79,7 +82,7 @@ jobs:
        GOPATH: ${{runner.workspace}}

    - name: Upload binary
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: linuxkit-${{matrix.target.suffix}}
        path: |
@@ -93,14 +96,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    - name: Set up binfmt
      # Only register arm64 as we are on amd64 already. s390x is not reliable
      run: docker run --privileged --rm tonistiigi/binfmt --install arm64

    - name: Download linuxkit
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
      with:
        name: linuxkit-amd64-linux
        path: bin
@@ -112,7 +115,7 @@ jobs:
        /usr/local/bin/linuxkit version

    - name: Cache Packages
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: ~/.linuxkit/cache/
        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -122,28 +125,74 @@ jobs:
    - name: Build Packages
      # Skip s390x as emulation is unreliable
      run: |
-        make OPTIONS="-v --skip-platforms linux/s390x" -C pkg build
+        make OPTIONS="-v 2 --skip-platforms linux/s390x" -C pkg build

    - name: Build Test Packages
      # ensures that the test packages are in linuxkit cache when we need them for tests later
      # Skip s390x as emulation is unreliable
      run: |
-        make OPTIONS="-v --skip-platforms linux/s390x" -C test/pkg build
+        make OPTIONS="-v 2 --skip-platforms linux/s390x" -C test/pkg build
+
+    - name: Check Kernel Dependencies up to date
+      # checks that any kernel dependencies are up to date.
+      # if they are, then running `make update-kernel-yamls` will not change anything
+      run: |
+        echo "checking git diff before running make update-kernel-yamls"
+        git diff --exit-code
+        echo "running make update-kernel-yamls"
+        make -C kernel update-kernel-yamls
+        echo "checking git diff again after running make update-kernel-yamls; should be no changes"
+        git diff --exit-code
+
+    - name: Build Kernels
+      # ensures that the kernel packages are in linuxkit cache when we need them for tests later
+      # no need for excluding s390x, as each build.yml in the kernel explicitly lists archs
+      run: |
+        make OPTIONS="-v 2" -C kernel build

    - name: list cache contents
      run: |
        linuxkit cache ls
+  
+  gen_package_test_matrix:
+    name: Generate Package Test Matrix
+    needs: [ build_packages, build ]
+    runs-on: ubuntu-latest
+    outputs:
+      shard_list: ${{ steps.mk.outputs.list }}
+    steps:
+    - name: Generate Test Matrix
+      id: mk
+      shell: bash
+      run: |
+          set -x
+          N="${{ env.TOTAL_SHARDS }}"
+          # Priority: repo var SHARDS → event-based default (PR=6, else 10)
+          if [ -n "${{ vars.SHARDS }}" ]; then
+            N="${{ vars.SHARDS }}"
+          fi
+
+          # Build JSON array ["1/N","2/N",...,"N/N"]
+          shards=""
+          for i in $(seq 1 "$N"); do
+            if [ -z "$shards" ]; then
+              shards="\"$i/$N\""
+            else
+              shards="$shards,\"$i/$N\""
+            fi
+          done
+          echo "list=[$shards]" >> "$GITHUB_OUTPUT"

  test_packages:
    name: Packages Tests
-    needs: [ build_packages, build ]
+    needs: [ build_packages, build, gen_package_test_matrix ]
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        shard: [1/10,2/10,3/10,4/10,5/10,6/10,7/10,8/10,9/10,10/10]
+        shard: ${{ fromJson(needs.gen_package_test_matrix.outputs.shard_list) }}
    steps:
    - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    - name: Install Pre-Requisites
      run: |
@@ -153,7 +202,7 @@ jobs:

    - name: Restore RTF From Cache
      id: cache-rtf
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: bin
        key: rtf-${{hashFiles('Makefile')}}
@@ -167,7 +216,7 @@ jobs:
        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf

    - name: Download linuxkit
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
      with:
        name: linuxkit-amd64-linux
        path: bin
@@ -179,7 +228,7 @@ jobs:
        /usr/local/bin/linuxkit version

    - name: Restore Package Cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: ~/.linuxkit/cache/
        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -198,7 +247,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    - name: Install Pre-Requisites
      run: |
@@ -208,7 +257,7 @@ jobs:

    - name: Restore RTF From Cache
      id: cache-rtf
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: bin
        key: rtf-${{hashFiles('Makefile')}}
@@ -222,7 +271,7 @@ jobs:
        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf

    - name: Download linuxkit
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
      with:
        name: linuxkit-amd64-linux
        path: bin
@@ -234,7 +283,7 @@ jobs:
        /usr/local/bin/linuxkit version

    - name: Restore Package Cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: ~/.linuxkit/cache/
        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -254,7 +303,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    - name: Install Pre-Requisites
      run: |
@@ -264,13 +313,13 @@ jobs:

    - name: Restore RTF From Cache
      id: cache-rtf
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: bin
        key: rtf-${{hashFiles('Makefile')}}

    - name: Restore Package Cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: ~/.linuxkit/cache/
        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -286,7 +335,7 @@ jobs:
        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf

    - name: Download linuxkit
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
      with:
        name: linuxkit-amd64-linux
        path: bin
@@ -310,7 +359,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    - name: Install Pre-Requisites
      run: |
@@ -320,7 +369,7 @@ jobs:

    - name: Restore RTF From Cache
      id: cache-rtf
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: bin
        key: rtf-${{hashFiles('Makefile')}}
@@ -334,7 +383,7 @@ jobs:
        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf

    - name: Download linuxkit
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
      with:
        name: linuxkit-amd64-linux
        path: bin
@@ -346,7 +395,7 @@ jobs:
        /usr/local/bin/linuxkit version

    - name: Restore Package Cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: ~/.linuxkit/cache/
        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -366,7 +415,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    - name: Install Pre-Requisites
      run: |
@@ -376,7 +425,7 @@ jobs:

    - name: Restore RTF From Cache
      id: cache-rtf
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: bin
        key: rtf-${{hashFiles('Makefile')}}
@@ -390,7 +439,7 @@ jobs:
        sudo ln -s $(pwd)/bin/rtf /usr/local/bin/rtf

    - name: Download linuxkit
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
      with:
        name: linuxkit-amd64-linux
        path: bin
@@ -402,7 +451,7 @@ jobs:
        /usr/local/bin/linuxkit version

    - name: Restore Package Cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: ~/.linuxkit/cache/
        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
--- a/.github/workflows/package_release.yml
+++ b/.github/workflows/package_release.yml
@@ -0,0 +1,38 @@
+name: Release Tagged Packages
+
+on:
+  create:
+
+jobs:
+  release:
+    name: Release packages
+    if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/pkg-v')
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+    - name: Set up Go based on go.mod
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: 'src/cmd/linuxkit/go.mod'
+      id: go
+    - name: Ensure bin/ directory
+      run: mkdir -p bin
+    - name: Install linuxkit
+      run: |
+        go -C ./src/cmd/linuxkit build -o $(pwd)/bin/linuxkit 
+        sudo mv bin/linuxkit /usr/local/bin/
+    - name: Login to Docker Hub
+      uses: docker/login-action@v2
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - name: Publish Packages as Release
+      # this should not build anything, as they all should be built already
+      # however, it can fail if we push the tag before the merge-to-master build is complete, since that may publish
+      # so *always* wait for any merge-to-master to complete before publishing pkg-v* tags
+      run: |
+        RELEASE_TAG=${GITHUB_REF#refs/tags/pkg-}
+        echo "RELEASE_TAG=${RELEASE_TAG}"
+        [ -n "${RELEASE_TAG}" ] || { echo "Not a tag"; exit 1; }
+        make OPTIONS="--skip-platforms linux/s390x" -C pkg push PUSHOPTIONS="--nobuild --release ${RELEASE_TAG}"
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -14,14 +14,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
    - name: Ensure bin/ directory
      run: mkdir -p bin
    - name: Download linuxkit
-      uses: actions/github-script@v3.1.0
+      uses: actions/github-script@v7
      with:
+        github-token: ${{secrets.GITHUB_TOKEN}}
        script: |
-          var artifacts = await github.actions.listWorkflowRunArtifacts({
+          var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: ${{github.event.workflow_run.id }},
@@ -29,7 +30,7 @@ jobs:
          var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
            return artifact.name == "${{ env.linuxkit_file }}"
          })[0];
-          var download = await github.actions.downloadArtifact({
+          var download = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: matchArtifact.id,
@@ -45,7 +46,7 @@ jobs:
        sudo ln -s $(pwd)/bin/${{ env.linuxkit_file }} /usr/local/bin/linuxkit
        /usr/local/bin/linuxkit version
    - name: Restore Package Cache
-      uses: actions/cache@v3
+      uses: actions/cache@v4
      with:
        path: ~/.linuxkit/cache/
        key: ${{ runner.os }}-linuxkit-${{ github.sha }}
@@ -63,3 +64,11 @@ jobs:
      # Skip s390x as emulation is unreliable
      run: |
        make OPTIONS="--skip-platforms linux/s390x" -C pkg push PUSHOPTIONS="--nobuild"
+
+    - name: Publish Kernels
+      # this should only push changed ones:
+      #  - unchanged: already in the registry
+      #  - changed: already built and cached, so only will push
+      # No need to skip s390x, since kernel build.yml files all have explicit archs
+      run: |
+        make -C kernel push
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,24 +1,23 @@
-name: Release a tag
+name: Release Tagged Linuxkit

 on:
  create:
-    tags:
-      - v*

 jobs:
-  build:
-    name: Build all targets
-    runs-on: macos-latest
+  build-all:
+    name: Build all targets expect macOS
+    if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
    steps:

-    - name: Set up Go 1.19
-      uses: actions/setup-go@v3
+    - name: Check out code
+      uses: actions/checkout@v4
+    - name: Set up Go based on go.mod
+      uses: actions/setup-go@v5
      with:
-        go-version: 1.19.2
+        go-version-file: 'src/cmd/linuxkit/go.mod'
      id: go

-    - name: Check out code
-      uses: actions/checkout@v3

    - name: Set path
      run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
@@ -27,10 +26,67 @@ jobs:

    - name: Build
      run: |
-        make build-all-targets
+        make build-targets-linux build-targets-windows
      env:
        GOPATH: ${{runner.workspace}}

+    - uses: actions/upload-artifact@v4
+      with:
+        name: release-targets-except-cgo
+        path: bin/
+  
+  # separate macos build because macos needs CGO, and it is very hard to cross-compile that
+  build-macos:
+    name: Build macOS target
+    if: github.ref_type == 'tag' && startsWith(github.ref, 'refs/tags/v')
+    runs-on: macos-latest
+    steps:
+
+    - name: Check out code
+      uses: actions/checkout@v4
+    - name: Set up Go based on go.mod
+      uses: actions/setup-go@v5
+      with:
+        go-version-file: 'src/cmd/linuxkit/go.mod'
+      id: go
+
+
+    - name: Set path
+      run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+      env:
+         GOPATH: ${{runner.workspace}}
+
+    - name: Build
+      run: |
+        make build-targets-macos
+      env:
+        GOPATH: ${{runner.workspace}}
+
+    - uses: actions/upload-artifact@v4
+      with:
+        name: release-targets-macos
+        path: bin/
+    
+  release-artifacts:
+    needs: [build-all, build-macos]
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/download-artifact@v4
+      with:
+        name: release-targets-except-cgo
+        path: bintmp/release-targets-except-cgo
+    - uses: actions/download-artifact@v4
+      with:
+        name: release-targets-macos
+        path: bintmp/release-targets-macos
+    - name: Combine Artifacts
+      run: |
+        mkdir -p bin/
+        cp bintmp/*/* bin/
+    - name: Checksum Artifacts
+      run: |
+        make checksum-targets
    - name: GitHub Release
      uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
      env:
@@ -38,4 +94,4 @@ jobs:
      with:
        draft: true
        files: bin/*
-        generate_release_notes: true
+        generate_release_notes: true
--- a/25
+++ b/25
@@ -4,7 +4,7 @@ VERSION="v0.8+"
 TEST_SUITE ?=
 TEST_SHARD ?=

-GO_COMPILE=linuxkit/go-compile:c97703655e8510b7257ffc57f25e40337b0f0813
+GO_COMPILE=linuxkit/go-compile:985a9db72a7e6941de5e1eb71c2b41b76bf0556f

 ifeq ($(OS),Windows_NT)
 LINUXKIT?=$(CURDIR)/bin/linuxkit.exe
@@ -34,7 +34,7 @@ export VERSION GO_COMPILE GOOS GOARCH LOCAL_TARGET LINUXKIT
 default: linuxkit $(RTF)
 all: default

-RTF_COMMIT=b74a4f7c78e5cddcf7e6d2e6be7be312b9f645fc
+RTF_COMMIT=1118e08445438dc37ec62b4c1e216918b3d804d2
 RTF_CMD=github.com/linuxkit/rtf/cmd
 RTF_VERSION=0.0
 $(RTF): tmp_rtf_bin.tar | bin
@@ -119,18 +119,27 @@ endif
 		./scripts/update-component-sha.sh --image $${img}$(image); \
 	done

-.PHONY: build-all-targets
-build-all-targets: bin
-	$(MAKE) GOOS=darwin GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-arm64 local-build
-	file bin/linuxkit-darwin-arm64
-	$(MAKE) GOOS=darwin GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-amd64 local-build
-	file bin/linuxkit-darwin-amd64
+.PHONY: build-targets-all build-targets-linux build-targets-windows build-targets-macos checksum-targets
+
+build-targets-all: build-targets-linux build-targets-windows build-targets-macos
+
+build-targets-linux: bin
 	$(MAKE) GOOS=linux GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-arm64 local-build
 	file bin/linuxkit-linux-arm64
 	$(MAKE) GOOS=linux GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-amd64 local-build
 	file bin/linuxkit-linux-amd64
 	$(MAKE) GOOS=linux GOARCH=s390x LOCAL_TARGET=$(CURDIR)/bin/linuxkit-linux-s390x local-build
 	file bin/linuxkit-linux-s390x
+
+build-targets-windows: bin
 	$(MAKE) GOOS=windows GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-windows-amd64.exe local-build
 	file bin/linuxkit-windows-amd64.exe
+
+build-targets-macos: bin
+	$(MAKE) GOOS=darwin GOARCH=arm64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-arm64 local-build
+	file bin/linuxkit-darwin-arm64
+	$(MAKE) GOOS=darwin GOARCH=amd64 LOCAL_TARGET=$(CURDIR)/bin/linuxkit-darwin-amd64 local-build
+	file bin/linuxkit-darwin-amd64
+
+checksum-targets: bin
 	cd bin && openssl sha256 -r linuxkit-* | tr -d '*' > checksums.txt
--- a/README.md
+++ b/README.md
@@ -63,8 +63,8 @@ Once you have built the tool, use
 ```
 linuxkit build linuxkit.yml
 ```
-to build the example configuration. You can also specify different output formats, eg `linuxkit build -format raw-bios linuxkit.yml` to
-output a raw BIOS bootable disk image, or `linuxkit build -format iso-efi linuxkit.yml` to output an EFI bootable ISO image. See `linuxkit build -help` for more information.
+to build the example configuration. You can also specify different output formats, eg `linuxkit build --format raw-bios linuxkit.yml` to
+output a raw BIOS bootable disk image, or `linuxkit build --format iso-efi linuxkit.yml` to output an EFI bootable ISO image. See `linuxkit build -help` for more information.

 ### Booting and Testing

@@ -87,7 +87,7 @@ Currently supported platforms are:
  - [OpenStack](docs/platform-openstack.md) `[x86_64]`
  - [Scaleway](docs/platform-scaleway.md) `[x86_64]`
 - Baremetal:
-  - [packet.net](docs/platform-packet.md) `[x86_64, arm64]`
+  - [deploy.equinix.com](docs/platform-equinixmetal.md) `[x86_64, arm64]`
  - [Raspberry Pi Model 3b](docs/platform-rpi3.md)  `[arm64]`


--- a/contrib/open-vm-tools/open-vm-tools-ds.yaml
+++ b/contrib/open-vm-tools/open-vm-tools-ds.yaml
@@ -30,7 +30,7 @@ spec:
        operator: Exists
        effect: NoSchedule
      containers:
-      - image: linuxkit/open-vm-tools:728ddf726474178eea97604c0baeabd52edab7e9
+      - image: linuxkit/open-vm-tools:aa0a3b513f5020bcea5858632f0a988c81d16ed0
        name: open-vm-tools
        resources:
          requests:
--- a/docs/alpine-base-update.md
+++ b/docs/alpine-base-update.md
@@ -101,9 +101,9 @@ In the below, replace `linuxkit-arch` with each build machine's name:

 ```sh
 # one of these will not be necessary, as you will likely be executing it on one of these machines
-scp linuxkit-s390x:$LK_ROOT/tools/alpine/versions.s390x $LK_ROOT/tools/alpine/versions.s390x
-scp linuxkit-aarch64:$LK_ROOT/tools/alpine/versions.aarch64 $LK_ROOT/tools/alpine/versions.aarch64
-scp linuxkit-x86_64:$LK_ROOT/tools/alpine/versions.x86_64 $LK_ROOT/tools/alpine/versions.x86_64
+for arch in x86_64 aarch64 riscv64; do
+    scp linuxkit-$arch:$LK_ROOT/tools/alpine/versions.$arch $LK_ROOT/tools/alpine/versions.$arch
+done
 git commit -a -s -m "tools/alpine: Update to latest"
 git push $LK_REMOTE $LK_BRANCH
 ```
@@ -131,7 +131,6 @@ following which is an explanation of each one.
 # Update tools packages
 cd $LK_ROOT/tools
 $LK_ROOT/scripts/update-component-sha.sh --image $LK_ALPINE
-git checkout grub-dev/Dockerfile
 git checkout mkimage-rpi3/Dockerfile
 git commit -a -s -m "tools: Update to the latest linuxkit/alpine"

@@ -183,7 +182,6 @@ Note, the `git checkout` reverts the changes made by
 Important is the `git checkout` of some sensitive packages that only can be built with
 specific older versions of upstream packages:

-* `grub-dev`
 * `mkimage-rpi3`

 Only update those if you know what you are doing with them.
--- a/docs/cmdline.md
+++ b/docs/cmdline.md
@@ -0,0 +1,19 @@
+# Kernel command-line options
+
+The kernel command-line is a string of text that the kernel parses as it is starting up. It is passed by the boot loader
+to the kernel and specifies parameters that the kernel uses to configure the system. The command-line is a list of command-line
+options separated by spaces. The options are parsed by the kernel and can be used to enable or disable certain features.
+
+LinuxKit passes all command-line options to the kernel, which uses them in the usual way.
+
+There are several options that can be used to control the behaviour of linuxkit itself, or specifically packages
+within linuxkit. Unless standard Linux options exist, these all are prefaced with `linuxkit.`.
+
+| Option | Description |
+|---|---|
+| `linuxkit.unified_cgroup_hierarchy=0` | Start up cgroups v1. If not present or set to 1, default to cgroups v1. |
+| `linuxkit.runc_debug=1` | Start runc for `onboot` and `onshutdown` containers to run with `--debug`, and add extra logging messages for each stage of starting those containers. If not present or set to 0, default to usual mode. |
+| `linuxkit.runc_console=1` | Send logs for runc for `onboot` and `onshutdown` containers, as well as the output of the containers themselves, to the console, instead of the normal output to logfiles. If not present or set to 0, default to usual mode. |
+
+It often is useful to combine both of the `linuxkit.runc_debug` and `linuxkit.runc_console` options to get the most
+information about what is happening with `onboot` containers.
--- a/docs/image-cache.md
+++ b/docs/image-cache.md
@@ -59,3 +59,31 @@ is provided, it always will pull, independent of what is in the cache.

 The read process is smart enough to check each blob in the local cache before downloading
 it from a registry.
+
+## Imports from local Docker instance
+
+To import an image from your local Docker daemon into LinuxKit, you’ll need to ensure the image is exported in the [OCI image format](https://docs.docker.com/build/exporters/oci-docker/), which LinuxKit understands.
+
+This requires using a `docker-container` [buildx driver](https://docs.docker.com/build/builders/drivers/docker-container/), rather than the default.
+
+Set it up like so:
+
+```shell
+docker buildx create --driver docker-container --driver-opt image=moby/buildkit:latest --name=ocibuilder --bootstrap
+```
+
+Then build and export your image using the OCI format:
+
+```shell
+docker buildx build --builder=ocibuilder --output type=oci,name=foo . > foo.tar
+```
+
+You can now import it into LinuxKit with:
+
+```shell
+linuxkit cache import foo.tar
+```
+
+Note that this process, as described, will only produce images for the platform/architecture you're currently on. To produce multi-platform images requires extra docker build flags and external builder or QEMU support - see [here](https://docs.docker.com/build/building/multi-platform/).
+
+This workaround is only necessary when working with the local Docker daemon. If you’re pulling from Docker Hub or another registry, you don’t need to do any of this.
--- a/docs/kernels.md
+++ b/docs/kernels.md
@@ -167,6 +167,14 @@ Throughout this document, the architecture used is the kernel-recognized one, av
 on most systems as `uname -m`, e.g. `aarch64` or `x86_64`. You may be familiar with the alpine
 or golang one, e.g. `amd64` or `amd64`, which are not used here.

+**Note:** After changing _and committing any changes_ to the kernel directory or any
+subdirectories, you must update tests, examples and other dependencies. This is done
+via:
+
+```bash
+make update-kernel-yamls
+```
+
 Each series of kernels has a dedicated directory in [../kernel/](../kernel),
 e.g. [6.6.x](../kernel/6.6.x) or [5.15.x](../kernel/5.15.x).
 Variants, like rt kernels, have their own directory as well, e.g. [5.11.x-rt](../kernel/5.11.x-rt).
@@ -266,7 +274,7 @@ your local Docker setup.

 The process of modifying the kernel configuration is as follows:

-1. Create a `linuxkit/kconfig` container image: `make kconfig`. This is not pushed out.
+1. Create a `linuxkit/kconfig` container image: `make kconfig`. This is not pushed out. By default, this will be for your local architecture, but you can override it with `make kconfig ARCH=${ARCH}`, e.g. `make kconfig ARCH=arm64`. The image is tagged with the architecture, e.g. `linuxkit/kconfig:arm64`.
 1. Run a container based on `linuxkit/kconfig`.
 1. In the container, modify the config to suit your needs using normal kernel tools like `make defconfig` or `make menuconfig`.
 1. Save the config from the image.
@@ -279,7 +287,11 @@ so that `make menuconfig` and `make defconfig` work correctly.
 Run the container as follows:

 ```sh
-docker run --rm -ti -v $(pwd):/src linuxkit/kconfig
+docker run --rm -ti -v $(pwd):/src linuxkit/kconfig:aarch64
+# or
+docker run --rm -ti -v $(pwd):/src linuxkit/kconfig:x86_64
+# or 
+docker run --rm -ti -v $(pwd):/src linuxkit/kconfig:riscv64
 ```

 This will give you a interactive shell where you can modify the kernel
@@ -313,6 +325,11 @@ make ARCH=arm64 defconfig
 make ARCH=arm64 oldconfig # or menuconfig
 ```

+It is important to note that sometimes the configuration can be subtly different
+when running `make defconfig` across architectures. Of note is that `make ARCH=riscv` on
+x86_64 or aarch64 comes out slightly differently than when run natively on riscv64.
+Feel free to try it cross, but do not be surprised if it generates outputs that are not the same.
+
 Note that the generated file **must** be final. When you actually build the kernel,
 it will check that running `make defconfig` will have no changes. If there are changes,
 the build will fail.
@@ -333,7 +350,8 @@ Finally, test that you can build the kernel with that config as `make build-<ver
 If you want to add a new kernel version within an existing series, e.g. `5.15.27` already exists
 and you want to add (or replace it with) `5.15.148`, apply the following process.

-1. Modify the list of kernels inside the `Makefile` to include the new version, and, optionally, remove the old one, or move it to deprecated.
+1. Determine the series, i.e. the kernel major.minor version, followed by `x`. E.g. for `5.15.148`, the series is `5.15.x`.
+1. Modify the `KERNEL_VERSION` in the `build-args` file in the series directory to the new version. E.g. `5.15.x/build-args`.
 1. Create a new `linuxkit/kconfig` container image: `make kconfig`. This is not pushed out.
 1. Run a container based on `linuxkit/kconfig`.
 ```sh
@@ -344,7 +362,6 @@ docker run --rm -ti -v $(pwd):/src linuxkit/kconfig
 1. If the config file has changed, copy it out of the container and check it in, e.g. `cp .config /src/5.15.x/config-x86_64`.
 1. Repeat for other architectures.
 1. Commit the changed config files.
-1. Modify the `KERNEL_VERSION` in the `build-args` file in the series directory to the new version. E.g. `5.15.x/build-args`.
 1. Test that you can build the kernel with that config as `make build-<version>`, e.g. `make build-5.15.148`.

 ## Adding a new kernel series
@@ -360,12 +377,10 @@ KERNEL_VERSION=<version>
 KERNEL_SERIES=<series>
 BUILD_IMAGE=linuxkit/alpine:<builder>
 ```
-1. Update the list of kernels to build in the `Makefile`

 Since the last major series likely is the best basis for the new one, subject to additional modifications, you can use
 the previous one as a starting point.

-1. Modify the list of kernels inside the `Makefile` to include the new version. You do not need to specify the series anywhere, as the `Makefile` calculates it. E.g. adding `7.0.5` will cause it to calculate the series as `7.0.x` automatically.
 1. Make the directory for the new series, e.g. `mkdir 7.0.x`
 1. Create a new `linuxkit/kconfig` container image: `make kconfig`. This is not pushed out.
 1. Run a container based on `linuxkit/kconfig`.
@@ -608,3 +623,31 @@ Alpine `zfs` utilities are available in `linuxkit/alpine` and the
 version of the kernel module should match the version of the
 tools. The container where you run the `zfs` tools might also need
 `CAP_SYS_MODULE` to be able to load the kernel modules.
+
+## Kernels in examples and tests
+
+All of the linuxkit `.yml` files use the images from `linuxkit/kernel:<tag>`.
+
+When updating the kernel, you run commands to update the tests. The updates to any file that contains
+references to `linuxkit/kernel` in this repository work as follows:
+
+- Semver tags are replaced by the most recent kernel version. For example, `linuxkit/kernel:5.10.104` will become `6.6.13` when available, and then `6.6.15`, and then `7.0.1`, etc. The highest semver always is used.
+- Semver+hash tags are replaced by the most recent hash and patch version for that series. For example, `linuxkit/kernel:5.10.104-abcdef1234` will become `5.10.104-aaaa54232` (same semver, newer hash), and then `5.10.105-bbbb12345` (newer semver, newer hash), etc. The highest semver+hash always is used.
+
+This is not an inherent characteristic of `linuxkit` tool, which **never** will change your `.yml` files. It is part of
+the update process for yml files _in this repository_.
+
+The net of the above is the following rule:
+
+* If you want a reference to a specific kernel series, e.g. a test or example that works only with `5.10.x`, then use a specific hash, e.g. `linuxkit/kernel:5.10.104-abcdef1234`. The hash and patch version will update, but not more. The most common use case for this is kernel version-specific tests.
+* If you want a reference to the most recent kernel, whatever version it is, then use a semver tag, e.g. `linuxkit/kernel:6.6.13`. The most common use case for this is examples that work with any kernel version, which is the vast majority of cases.
+
+You can get the current hash by executing the following:
+
+```bash
+$ cd kernel
+$ make tag-plain-kernel-<version>
+# for example:
+$ make tag-plain-kernel-6.6.13
+linuxkit/kernel:6.6.13-3a8b3faf92390265b1fbee792b9a3fe14d14c26e
+```
--- a/docs/packages.md
+++ b/docs/packages.md
@@ -50,13 +50,14 @@ A package source consists of a directory containing at least two files:

 - `image` _(string)_: *(mandatory)* The name of the image to build
 - `org` _(string)_: The hub/registry organisation to which this package belongs
+- `tag` _(string)_: The tag to use for the image, can be fixed string or template (default: `{{.Hash}}`)
 - `dockerfile` _(string)_: The dockerfile to use to build this package, must be in this directory or below (default: `Dockerfile`)
 - `arches` _(list of string)_: The architectures which this package should be built for (valid entries are `GOARCH` names)
 - `extra-sources` _(list of strings)_: Additional sources for the package outside the package directory. The format is `src:dst`, where `src` can be relative to the package directory and `dst` is the destination in the build context. This is useful for sharing files, such as vendored go code, between packages.
 - `gitrepo` _(string)_: The git repository where the package source is kept.
 - `network` _(bool)_: Allow network access during the package build (default: no)
 - `disable-cache` _(bool)_: Disable build cache for this package (default: no)
- `buildArgs` will forward a list of build arguments down to docker. As if `--build-arg` was specified during `docker build`
+- `buildArgs` will forward a list of build arguments down to docker. As if `--build-arg` was specified during `docker build`. See [BuildArgs][BuildArgs] for more information.
 - `config`: _(struct `github.com/moby/tool/src/moby.ImageConfig`)_: Image configuration, marshalled to JSON and added as `org.mobyproject.config` label on image (default: no label)
 - `depends`: Contains information on prerequisites which must be satisfied in order to build the package. Has subfields:
    - `docker-images`: Docker images to be made available (as `tar` files via `docker image save`) within the package build context. Contains the following nested fields:
@@ -272,6 +273,8 @@ When building packages, the following build-args automatically are set for you:
 * `SOURCE` - the source repository of the package
 * `REVISION` - the git commit that was used for the build
 * `GOPKGVERSION` - the go package version or pseudo-version per https://go.dev/ref/mod#glos-pseudo-version
+* `PKG_HASH` - the git tree hash of the package directory, e.g. `45a1ad5919f0b6acf0f0cf730e9434abfae11fe6`; tag part of `linuxkit pkg show-tag`
+* `PKG_IMAGE` - the name of the image that is being built, e.g. `linuxkit/init`; image name part of `linuxkit pkg show-tag`. Combine with `PKG_HASH` for the full tag.

 Note that the above are set **only** if you do not set them in `build.yaml`. Your settings _always_
 override these built-in ones.
@@ -378,3 +381,68 @@ ARG all_proxy

 LinuxKit does not judge between lower-cased or upper-cased variants of these options, e.g. `http_proxy` vs `HTTP_PROXY`,
 as `docker build` does not either. It just passes them through "as-is".
+
+## Build Args
+
+`linuxkit` does not support passing random CLI flags for build arguments when building packages.
+This is inline with its philosophy, of having as reproducible builds as possible, which requires
+everything to be available on disk and in the repository.
+
+It is possible to bypass this, but this is not recommended.
+
+As described in [Preset build arguments][Preset build arguments], linuxkit automatically sets some build arguments
+when building packages. However, you can also set your own build arguments, which will be passed to the
+`docker build` command.
+You can include your own build args in several ways.
+
+* `build.yml` - you can add a `buildArgs` field to the `build.yml` file, which will be passed as `--build-arg` to `docker build`.
+* `linuxkit pkg build` - you can pass the `--build-arg-file <file>` flag, with one `<key>=<value>` pair per line, which will be passed as `--build-arg` to `docker build`.
+
+When parsing for build args, whether from `build.yml`'s `buildArgs` field or from the `--build-arg-file`,
+linuxkit has support for certain calculated build args for the value of the arg. You can set these using the following syntax.
+
+All calculated build args are prefixed with `@lkt:`.
+
+* `VAR=@lkt:pkg:<path>` - the linuxkit package hash of the path, as determined by `linuxkit pkg show-tag <path>`. The `<path>` can be absolute, or if provided as a relative path, it is relative to the working directory of the file. For example, if provided in the `buildArgs` section of `build.yml`, it is relative to the package directory; if provided in `--build-arg-file <file>`, it is relative to the directory in which <file> exists.
+
+For example:
+
+```yaml
+buildArgs:
+  - DEP_HASH=@lkt:pkg:/usr/local/foo # will be replaced with the value of `linuxkit pkg show-tag /usr/local/foo`
+  - REL_HASH=@lkt:pkg:foo # will be replaced with the value of `linuxkit pkg show-tag foo` relative to this build.yml file
+```
+
+* `VAR_%=@lkt:pkgs:<paths>` - (note `pkgs` plural) the linuxkit package hashes of the multiple packages satisfied by `<paths>`. linuxkit will get the linuxkit package hash of each path in `<paths>`, as determined by `linuxkit pkg show-tag <path>`. The `<paths>` can be absolute, or if provided as a relative path, it is relative to the working directory of the file which contains the build arg, whether `build.yml` in a package or the build arg
+file provided to `--build-arg-file <file>`. The `<paths>` supports basic shell globbing, such as `./foo/*` or `/var/foo{1,2,3}`. Globs that start with `.` will be ignored, e.g. `foo/*` will match `foo/one` and `foo/two` but not `foo/.git` and `foo/.bar`. For each package in `<paths>`, it will create a build arg with the name `VAR_<package-name>` and the value of the package hash, where: the `%` is replaced with the name of the package; an all `/` and `-` characters are replaced with `_`; all characters are upper-cased.
+
+There _must_ be at least one valid environment variable character before the `%` character.
+
+For example:
+
+```yaml
+buildArgs:
+  - DEP_HASH_%=@lkt:pkgs:/usr/local/foo/* 
+```
+
+If there are packages in `/usr/local/foo/` named `bar`, `baz`, and `qux`, and each of them has a package as shown
+by `linuxkit pkg show-tag` as `linuxkit/bar:123abc`, `linuxkit/baz:aabb666`, and `linuxkit/qux:bbcc777`, this will create the following build args:
+
+```
+DEP_HASH_LINUXKIT_BAR=linuxkit/bar:123abc
+DEP_HASH_LINUXKIT_BAZ=linuxkit/baz:aabb666
+DEP_HASH_LINUXKIT_QUX=linuxkit/qux:bbcc777
+```
+
+## Releases
+
+Normally, whenever a package is updated, CI will build and push the package to Docker Hub by calling `linuxkit pkg push`.
+This automatically creates a tag based on the git tree hash of the package's directory.
+For example, the package in `./pkg/init` is tagged as `linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6`.
+
+In addition, you can release semver tags for packages by adding a tag to the git repository that begins with `pkg-` and is
+followed by a valid semver tag. For example, `pkg-v1.0.0`. This will cause CI to build and push the package to Docker Hub
+with the tag `v1.0.0`.
+
+Pure semver tags, like `v1.0.0`, are not used for package releases. They are used for the linuxkit project itself and to
+publish releases of the `linuxkit` binary.
--- a/docs/platform-equinixmetal.md
+++ b/docs/platform-equinixmetal.md
@@ -0,0 +1,142 @@
+# LinuxKit with bare metal on Equinix Metal
+
+[Equinix Metal](http://deploy.equinix.com) is a bare metal hosting provider.
+
+You will need to [create an Equinix Metal account] and a project to
+put this new machine into. You will also need to [create an API key]
+with appropriate read/write permissions to allow the image to boot.
+
+[create an Equinix Metal account]:https://console.equinix.com/sign-up
+[create an API key]:https://deploy.equinix.com/developers/docs/metal/identity-access-management/api-keys/
+
+The `linuxkit run equinixmetal` command can mostly either be configured via
+command line options or with environment variables. see `linuxkit run
+equinixmetal --help` for the options and environment variables.
+
+By default, `linuxkit run` will provision a new machine and remove it
+once you are done. With the `-keep` option the provisioned machine
+will not be removed. You can then use the `-device` option with the
+device ID on subsequent `linuxkit run` invocations to re-use an
+existing machine. These subsequent runs will update the iPXE data so
+you can boot alternative kernels on an existing machine.
+
+There is an example YAML file for [x86_64](../examples/equinixmetal.yml) and
+an additional YAML for [arm64](../examples/equinixmetal.arm64.yml) servers
+which provide both access to the serial console and via ssh and
+configures bonding for network devices via metadata (if supported).
+
+For x86_64 builds for Intel servers we strongly recommend adding
+`ucode: intel-ucode.cpio` to the kernel section in the YAML. This
+updates the Intel CPU microcode to the latest by prepending it to the
+generated initrd file. The `ucode` entry is only recommended when
+booting on baremetal. It should be omitted (but is harmless) when
+building images to boot in VMs.
+
+**Note**: The update of the iPXE configuration sometimes may take some
+time and the first boot may fail. Hitting return on the console to
+retry the boot typically fixes this.
+
+## Boot
+
+LinuxKit on Equinix Metal boots the `kernel+initrd` output from moby via
+[iPXE](https://deploy.equinix.com/developers/docs/metal/operating-systems/custom-ipxe/)
+which also requires a iPXE script. iPXE booting requires a HTTP server
+on which you can store your images. The `-base-url` option specifies
+the URL to a HTTP server from which `<name>-kernel`,
+`<name>-initrd.img`, and `<name>-equinixmetal.ipxe` can be downloaded during
+boot.
+
+If you have your own HTTP server, you can use `linuxkit push equinixmetal`
+to create the files (including the iPXE script) you need to make
+available.
+
+If you don't have a public HTTP server at hand, you can use the
+`-serve` option. This will create a local HTTP server which can either
+be run on another Equinix Metal machine or be made accessible with tools
+like [ngrok](https://ngrok.com/).
+
+For example, to boot the [example](../examples/platform-equinixmetal.yml)
+with a local HTTP server:
+
+```sh
+linuxkit build platform-equinixmetal.yml
+# run the web server
+# run 'ngrok http 8080' in another window
+METAL_AUTH_TOKEN=<API key> METAL_PROJECT_ID=<Project ID> \
+linuxkit run equinixmetal -serve :8080 -base-url <ngrok url> equinixmetal
+```
+
+To boot a `arm64` image for Type 2a machine (`-machine baremetal_2a`)
+you currently need to build using `linuxkit build equinixmetal.yml
+equinixmetal.arm64.yml` and then un-compress both the kernel and the initrd
+before booting, e.g:
+
+```sh
+mv equinixmetal-initrd.img equinixmetal-initrd.img.gz && gzip -d equinixmetal-initrd.img.gz
+mv equinixmetal-kernel equinixmetal-kernel.gz && gzip -d equinixmetal-kernel.gz
+```
+
+The LinuxKit image can then be booted with:
+
+```sh
+METAL_API_TOKEN=<API key> METAL_PROJECT_ID=<Project ID> \
+linuxkit run equinixmetal -machine baremetal_2a  -serve :8080 -base-url -base-url <ngrok url> equinixmetal
+```
+
+Alternatively, `linuxkit push equinixmetal` will uncompress the kernel and
+initrd images on arm machines (or explicitly via the `-decompress`
+flag. There is also a `linuxkit serve` command which will start a
+local HTTP server serving the specified directory.
+
+**Note**: It may take several minutes to deploy a new server. If you
+are attached to the console, you should see the BIOS and the boot
+messages.
+
+
+## Console
+
+By default, `linuxkit run equinixmetal ...` will connect to the
+Equinix Metal
+[SOS ("Serial over SSH") console](https://deploy.equinix.com/developers/docs/metal/resilience-recovery/serial-over-ssh/). This
+requires `ssh` access, i.e., you must have uploaded your SSH keys to
+Equinix Metal beforehand.
+
+You can exit the console vi `~.` on a new line once you are
+disconnected from the serial, e.g. after poweroff.
+
+**Note**: We also require that the Equinix Metal SOS host is in your
+`known_hosts` file, otherwise the connection to the console will
+fail. There is a Equinix Metal SOS host per zone.
+
+You can disable the serial console access with the `-console=false`
+command line option.
+
+
+## Disks
+
+At this moment the Linuxkit server boots from RAM, with no persistent
+storage.  We are working on adding persistent storage support on Equinix Metal.
+
+
+## Networking
+
+On the baremetal type 2a system (arm64 Cavium Thunder X) the network device driver does not get autoloaded by `mdev`. Please add:
+
+```
+  - name: modprobe
+    image: linuxkit/modprobe:<hash>
+    command: ["modprobe", "nicvf"]
+```
+
+to your YAML files before any containers requiring the network to be up, e.g., the `dhcpcd` container.
+
+Some Equinix Metal server types have bonded networks; the `metadata` package has support for setting
+these up, and also for adding additional IP addresses.
+
+
+## Integration services and Metadata
+
+Equinix Metal supports [user state](https://deploy.equinix.com/developers/docs/metal/server-metadata/user-data/)
+during system bringup, which enables the boot process to be more informative about the
+current state of the boot process once the kernel has loaded but before the
+system is ready for login.
--- a/docs/platform-packet.md
+++ b/docs/platform-packet.md
@@ -1,151 +0,0 @@
-# LinuxKit with bare metal on Packet
-
-[Packet](http://packet.net) is a bare metal hosting provider.
-
-You will need to [create a Packet account] and a project to
-put this new machine into. You will also need to [create an API key]
-with appropriate read/write permissions to allow the image to boot.
-
-[create a Packet account]:https://app.packet.net/#/registration/
-[create an API key]:https://help.packet.net/quick-start/api-integrations
-
-Linuxkit is known to boot on the [Type 0] 
-and [Type 1] servers at Packet.
-Support for other server types, including the [Type 2A] ARM server,
-is a work in progress.
-
-[Type 0]:https://www.packet.net/bare-metal/servers/type-0/
-[Type 1]:https://www.packet.net/bare-metal/servers/type-1/
-[Type 2A]:https://www.packet.net/bare-metal/servers/type-2a/
-
-The `linuxkit run packet` command can mostly either be configured via
-command line options or with environment variables. see `linuxkit run
-packet --help` for the options and environment variables.
-
-By default, `linuxkit run` will provision a new machine and remove it
-once you are done. With the `-keep` option the provisioned machine
-will not be removed. You can then use the `-device` option with the
-device ID on subsequent `linuxkit run` invocations to re-use an
-existing machine. These subsequent runs will update the iPXE data so
-you can boot alternative kernels on an existing machine.
-
-There is an example YAML file for [x86_64](../examples/packet.yml) and
-an additional YAML for [arm64](../examples/packet.arm64.yml) servers
-which provide both access to the serial console and via ssh and
-configures bonding for network devices via metadata (if supported).
-
-For x86_64 builds for Intel servers we strongly recommend adding
-`ucode: intel-ucode.cpio` to the kernel section in the YAML. This
-updates the Intel CPU microcode to the latest by prepending it to the
-generated initrd file. The `ucode` entry is only recommended when
-booting on baremetal. It should be omitted (but is harmless) when
-building images to boot in VMs.
-
-**Note**: The update of the iPXE configuration sometimes may take some
-time and the first boot may fail. Hitting return on the console to
-retry the boot typically fixes this.
-
-## Boot
-
-LinuxKit on Packet boots the `kernel+initrd` output from moby via
-[iPXE](https://help.packet.net/technical/infrastructure/custom-ipxe)
-which also requires a iPXE script. iPXE booting requires a HTTP server
-on which you can store your images. The `-base-url` option specifies
-the URL to a HTTP server from which `<name>-kernel`,
-`<name>-initrd.img`, and `<name>-packet.ipxe` can be downloaded during
-boot.
-
-If you have your own HTTP server, you can use `linuxkit push packet`
-to create the files (including the iPXE script) you need to make
-available.
-
-If you don't have a public HTTP server at hand, you can use the
-`-serve` option. This will create a local HTTP server which can either
-be run on another Packet machine or be made accessible with tools
-like [ngrok](https://ngrok.com/).
-
-For example, to boot the [example](../examples/packet.net)
-with a local HTTP server:
-
-```sh
-linuxkit build packet.yml
-# run the web server
-# run 'ngrok http 8080' in another window
-PACKET_API_KEY=<API key> PACKET_PROJECT_ID=<Project ID> \
-linuxkit run packet -serve :8080 -base-url <ngrok url> packet
-```
-
-To boot a `arm64` image for Type 2a machine (`-machine baremetal_2a`)
-you currently need to build using `linuxkit build packet.yml
-packet.arm64.yml` and then un-compress both the kernel and the initrd
-before booting, e.g:
-
-```sh
-mv packet-initrd.img packet-initrd.img.gz && gzip -d packet-initrd.img.gz
-mv packet-kernel packet-kernel.gz && gzip -d packet-kernel.gz
-```
-
-The LinuxKit image can then be booted with:
-
-```sh
-PACKET_API_KEY=<API key> PACKET_PROJECT_ID=<Project ID> \
-linuxkit run packet -machine baremetal_2a  -serve :8080 -base-url -base-url <ngrok url> packet
-```
-
-Alternatively, `linuxkit push packet` will uncompress the kernel and
-initrd images on arm machines (or explicitly via the `-decompress`
-flag. There is also a `linuxkit serve` command which will start a
-local HTTP server serving the specified directory.
-
-**Note**: It may take several minutes to deploy a new server. If you
-are attached to the console, you should see the BIOS and the boot
-messages.
-
-
-## Console
-
-By default, `linuxkit run packet ...` will connect to the
-Packet
-[SOS ("Serial over SSH") console](https://help.packet.net/technical/networking/sos-rescue-mode). This
-requires `ssh` access, i.e., you must have uploaded your SSH keys to
-Packet beforehand.
-
-You can exit the console vi `~.` on a new line once you are
-disconnected from the serial, e.g. after poweroff.
-
-**Note**: We also require that the Packet SOS host is in your
-`known_hosts` file, otherwise the connection to the console will
-fail. There is a Packet SOS host per zone.
-
-You can disable the serial console access with the `-console=false`
-command line option.
-
-
-## Disks
-
-At this moment the Linuxkit server boots from RAM, with no persistent
-storage.  We are working on adding persistent storage support on Packet.
-
-
-## Networking
-
-On the baremetal type 2a system (arm64 Cavium Thunder X) the network device driver does not get autoloaded by `mdev`. Please add:
-
-```
-  - name: modprobe
-    image: linuxkit/modprobe:<hash>
-    command: ["modprobe", "nicvf"]
-```
-
-to your YAML files before any containers requiring the network to be up, e.g., the `dhcpcd` container.
-
-Some Packet server types have bonded networks; the `metadata` package has support for setting
-these up, and also for adding additional IP addresses.
-
-
-## Integration services and Metadata
-
-Packet supports [user state](https://help.packet.net/technical/infrastructure/user-state)
-during system bringup, which enables the boot process to be more informative about the
-current state of the boot process once the kernel has loaded but before the
-system is ready for login.
--- a/docs/yaml.md
+++ b/docs/yaml.md
@@ -3,7 +3,7 @@
 The `linuxkit build` command assembles a set of containerised components into in image. The simplest
 type of image is just a `tar` file of the contents (useful for debugging) but more useful
 outputs add a `Dockerfile` to build a container, or build a full disk image that can be
-booted as a linuxKit VM. The main use case is to build an assembly that includes
+booted as a linuxkit VM. The main use case is to build an assembly that includes
 `containerd` to run a set of containers, but the tooling is very generic.

 The yaml configuration specifies the components used to build up an image . All components
@@ -16,8 +16,19 @@ The Docker images are optionally verified with Docker Content Trust.
 For private registries or private repositories on a registry credentials provided via
 `docker login` are re-used.

-The configuration file is processed in the order `kernel`, `init`, `onboot`, `onshutdown`,
-`services`, `files`. Each section adds files to the root file system. Sections may be omitted.
+## Sections
+
+The configuration file is processed in the order:
+
+1. `kernel`
+1. `init`
+1. `volumes`
+1. `onboot`
+1. `onshutdown`
+1. `services`
+1. `files`
+
+Each section adds files to the root file system. Sections may be omitted.

 Each container that is specified is allocated a unique `uid` and `gid` that it may use if it
 wishes to run as an isolated user (or user namespace). Anywhere you specify a `uid` or `gid`
@@ -40,7 +51,7 @@ files:
    mode: "0600"
 ```

-## `kernel`
+### `kernel`

 The `kernel` section is only required if booting a VM. The files will be put into the `boot/`
 directory, where they are used to build bootable images.
@@ -50,6 +61,9 @@ which should contain a `kernel` file that will be booted (eg a `bzImage` for `am
 called `kernel.tar` which is a tarball that is unpacked into the root, which should usually
 contain a kernel modules directory. `cmdline` specifies the kernel command line options if required.

+The contents of `cmdline` are passed to the kernel as-is. There are several special values that are
+used to control the behaviour of linuxkit packages. See [kernel command line options](../docs/cmdline.md).
+
 To override the names, you can specify the kernel image name with `binary: bzImage` and the tar image
 with `tar: kernel.tar` or the empty string or `none` if you do not want to use a tarball at all.

@@ -57,7 +71,7 @@ Kernel packages may also contain a cpio archive containing CPU microcode which n
 the initrd. To select this option, recommended when booting on bare metal, add `ucode: intel-ucode.cpio`
 to the kernel section.

-## `init`
+### `init`

 The `init` section is a list of images that are used for the `init` system and are unpacked directly
 into the root filesystem. This should bring up `containerd`, start the system and daemon containers,
@@ -65,14 +79,14 @@ and set up basic filesystem mounts. in the case of a LinuxKit system. For ease o
 modification `runc` and `containerd` images, which just contain these programs are added here
 rather than bundled into the `init` container.

-## `onboot`
+### `onboot`

 The `onboot` section is a list of images. These images are run before any other
 images. They are run sequentially and each must exit before the next one is run.
 These images can be used to configure one shot settings. See [Image
 specification](#image-specification) for a list of supported fields.

-## `onshutdown`
+### `onshutdown`

 This is a list of images to run on a clean shutdown. Note that you must not rely on these
 being run at all, as machines may be be powered off or shut down without having time to run
@@ -81,18 +95,149 @@ run and when they are not. Most systems are likely to be "crash only" and not ha
 but you can attempt to deregister cleanly from a network service here, rather than relying
 on timeouts, for example.

-## `services`
+### `services`

 The `services` section is a list of images for long running services which are
 run with `containerd`.  Startup order is undefined, so containers should wait
 on any resources, such as networking, that they need.  See [Image
 specification](#image-specification) for a list of supported fields.

-## `files`
+### `volumes`
+
+The volumes section is a list of named volumes that can be used by other containers,
+including those in `services`, `onboot` and `onshutdown`. The volumes are created in a directory
+chosen by linuxkit at build-time. The volumes then can be referenced by other containers and
+mounted into them.
+
+Volumes can be in one of several formats:
+
+* Blank directory: This is the default, and is an empty directory that is created at build-time. It is an overlayfs mount, and can be shared among multiple containers.
+* Image laid out as filesystem: The contents of the image are used to populate the volume. Default format when an image is provided.
+* Image as OCI v1-layout: The image is used as an [OCI v1-layout](https://github.com/opencontainers/image-spec/blob/main/image-layout.md). Indicated by `format: oci`.
+
+Examples of each are given later in this section.
+
+The `volumes` section can declare a volume to be read-write or read-only. If the volume is read-write,
+a volume that is mounted into a container can be mounted read-only or read-write. If the volume is read-only,
+it can be mounted into a container read-only; attempting to do so read-write will generate a build-time error.
+By default, volumes are created read-write, and are mounted read-write.
+
+Volume names **must** be unique, and must contain only lower-case alphanumeric characters, hyphens, and
+underscores.
+
+#### Samples of `volumes`
+
+##### Empty directory
+
+Yaml showing both read-only and read-write:
+
+```yml
+volumes:
+- name: dira
+  readonly: true
+- name: dirb
+  readonly: true
+```
+
+Contents:
+
+```sh
+$ cd dir && ls -la
+drwxr-xr-x   19 root  wheel   608 Sep 30 15:03 .
+drwxrwxrwt  130 root  wheel  4160 Sep 30 15:03 ..
+```
+
+In the above example:
+
+* `dira` is empty and is read-only.
+* `volb` is empty and is read-write.
+
+##### Image directory
+
+Yaml showing both read-only and read-write:
+
+```yml
+volumes:
+- name: vola
+  image: alpine:latest
+  readonly: true
+- name: volb
+  image: alpine:latest
+  format: filesystem     # optional, as this is the default format
+  readonly: false
+```
+
+In the above example:
+
+* `vola` is populated by the contents of `alpine:latest` and is read-only.
+* `volb` is populated by the contents of `alpine:latest` and is read-write.
+
+Contents:
+
+```sh
+$ cd dir && ls -la
+drwxr-xr-x   19 root  wheel   608 Sep 30 15:03 .
+drwxrwxrwt  130 root  wheel  4160 Sep 30 15:03 ..
+drwxr-xr-x   84 root  wheel  2688 Sep  6 14:34 bin
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 dev
+drwxr-xr-x   37 root  wheel  1184 Sep  6 14:34 etc
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 home
+drwxr-xr-x   13 root  wheel   416 Sep  6 14:34 lib
+drwxr-xr-x    5 root  wheel   160 Sep  6 14:34 media
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 mnt
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 opt
+dr-xr-xr-x    2 root  wheel    64 Sep  6 14:34 proc
+drwx------    2 root  wheel    64 Sep  6 14:34 root
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 run
+drwxr-xr-x   63 root  wheel  2016 Sep  6 14:34 sbin
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 srv
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 sys
+drwxr-xr-x    2 root  wheel    64 Sep  6 14:34 tmp
+drwxr-xr-x    7 root  wheel   224 Sep  6 14:34 usr
+drwxr-xr-x   13 root  wheel   416 Sep  6 14:34 var
+```
+
+##### Image OCI Layout
+
+Yaml showing both read-only and read-write, and both all architectures and a limited subset:
+
+```yml
+volumes:
+- name: volo
+  image: alpine:latest
+  format: oci
+  readonly: true
+- name: volp
+  image: alpine:latest
+  readonly: false
+  format: oci
+  platforms:
+    - linux/amd64
+```
+
+In the above example:
+
+* `volo` is populated by the contents of `alpine:latest` as an OCI v1-layout for all architectures and is read-only.
+* `volb` is populated by the contents of `alpine:latest` as an OCI v1-layout just for linux/amd64 and is read-write.
+
+##### Volumes in `services`
+
+Sample usage of volumes in `services` section:
+
+```yml
+services:
+- name: myservice
+  image: alpine:latest
+  binds:
+  - volA:/mnt/volA:ro
+  - volB:/mnt/volB
+```
+
+### `files`

 The files section can be used to add files inline in the config, or from an external file.

-```
+```yml
 files:
  - path: dir
    directory: true
@@ -118,7 +263,8 @@ user's home directory.
 In addition there is a `metadata` option that will generate the file. Currently the only value
 supported here is `"yaml"` which will output the yaml used to generate the image into the specified
 file:
-```
+
+```yml
  - path: etc/linuxkit.yml
    metadata: yaml
 ```
@@ -130,7 +276,7 @@ Because a `tmpfs` is mounted onto `/var`, `/run`, and `/tmp` by default, the `tm

 ## Image specification

-Entries in the `onboot` and `services` sections specify an OCI image and
+Entries in the `onboot`, `onshutdown`, `volumes` and `services` sections specify an OCI image and
 options. Default values may be specified using the `org.mobyproject.config` image label.
 For more details see the [OCI specification](https://github.com/opencontainers/runtime-spec/blob/master/spec.md).

@@ -205,7 +351,8 @@ which specifies some actions to take place when the container is being started.
 - `namespace` overrides the LinuxKit default containerd namespace to put the container in; only applicable to services.

 An example of using the `runtime` config to configure a network namespace with `wireguard` and then run `nginx` in that namespace is shown below:
-```
+
+```yml
 onboot:
  - name: dhcpcd
    image: linuxkit/dhcpcd:<hash>
--- a/examples/addbinds.yml
+++ b/examples/addbinds.yml
@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:5.4.30
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    binds.add:
      # this will keep all of the existing ones as well
      - /var/tmp:/var/tmp
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
 files:
  - path: etc/getty.shadow
    # sample sets password for root to "abcdefgh" (without quotes)
--- a/examples/cadvisor.yml
+++ b/examples/cadvisor.yml
@@ -1,34 +1,34 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: sysfs
-    image: linuxkit/sysfs:ec174e06ca756f492e7a3fd6200d5c1672b97511
+    image: linuxkit/sysfs:8d484374bb71b04984fa1e989b1dfc34b3e258a7
  - name: format
-    image: linuxkit/format:e040f4f045f03138a1ee8a22bb6feae7fd5596a6
+    image: linuxkit/format:512d4fb6cd40c1d90a4aa8335d1bd167fa34a10e
  - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:54906e884b21aca02bf5ecae65f3741b89d8c4e6
    command: ["/usr/bin/mountie", "/var/lib/docker"]

 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
      - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: ntpd
-    image: linuxkit/openntpd:c90c6dd90f5dfb0ca71a73aac2dad69c8d956af3
+    image: linuxkit/openntpd:c28b50438374f8a413b10297f68c65c0f31bf830

  - name: docker
    image: docker:20.10.6-dind
@@ -46,7 +46,7 @@ services:
      - /etc/docker/daemon.json:/etc/docker/daemon.json
    command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
  - name: cadvisor
-    image: linuxkit/cadvisor:c57efffad1139b2c5df1c3f66c1e3d586ce9e07d
+    image: linuxkit/cadvisor:5de4a2ebf2cc9be79363d1c6f5f2e71d55b5922a
 files:
  - path: var/lib/docker
    directory: true
--- a/examples/containerd-debug-runtime-config.toml
+++ b/examples/containerd-debug-runtime-config.toml
@@ -0,0 +1,4 @@
+cliopts="--log-level trace"
+stderr="/var/log/containerd.err.log"
+stdout="/var/log/containerd.out.log"
+
--- a/examples/containerd-debug.yml
+++ b/examples/containerd-debug.yml
@@ -0,0 +1,42 @@
+# example with volumes, both blank and populated
+kernel:
+  image: linuxkit/kernel:6.6.71
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+onshutdown:
+  - name: shutdown
+    image: busybox:latest
+    command: ["/bin/echo", "so long and thanks for all the fish"]
+services:
+  - name: getty
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
+  - name: nginx
+    image: nginx:1.19.5-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf
+files:
+  - path: etc/linuxkit-config
+    metadata: yaml
+  - path: /etc/containerd/runtime-config.toml
+    source: "containerd-debug-runtime-config.toml"  # must include the file runtime-config.toml in this directory
+    mode: "0644"
--- a/examples/dm-crypt-loop.yml
+++ b/examples/dm-crypt-loop.yml
@@ -1,31 +1,31 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: format
-    image: linuxkit/format:e040f4f045f03138a1ee8a22bb6feae7fd5596a6
+    image: linuxkit/format:512d4fb6cd40c1d90a4aa8335d1bd167fa34a10e
    command: ["/usr/bin/format", "/dev/sda"]
  - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:54906e884b21aca02bf5ecae65f3741b89d8c4e6
    command: ["/usr/bin/mountie", "/dev/sda1", "/var/external"]
  - name: loop
-    image: linuxkit/losetup:65e3ad6336a321749394f58c3f28003cfce1e28c
+    image: linuxkit/losetup:2b71926debfd2ca482e694bec4ad85ddeebb63aa
    command: ["/usr/bin/loopy", "--create", "/var/external/storage_file"]
  - name: dm-crypt
-    image: linuxkit/dm-crypt:d49723bc9d10c5ada9e03b0670f4e57416d5d084
+    image: linuxkit/dm-crypt:f5966a7f10705cf259ca80c30e087764b87cbd26
    command: ["/usr/bin/crypto", "crypt_loop_dev", "/dev/loop0"]
  - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:54906e884b21aca02bf5ecae65f3741b89d8c4e6
    command: ["/usr/bin/mountie", "/dev/mapper/crypt_loop_dev", "/var/secure_storage"]
  - name: bbox
    image: busybox
@@ -34,11 +34,11 @@ onboot:
      - /var:/var
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
 files:
  - path: etc/dm-crypt/key
    # the below key is just to keep the example self-contained
--- a/examples/dm-crypt.yml
+++ b/examples/dm-crypt.yml
@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: format
-    image: linuxkit/format:e040f4f045f03138a1ee8a22bb6feae7fd5596a6
+    image: linuxkit/format:512d4fb6cd40c1d90a4aa8335d1bd167fa34a10e
    command: ["/usr/bin/format", "/dev/sda"]
  - name: dm-crypt
-    image: linuxkit/dm-crypt:d49723bc9d10c5ada9e03b0670f4e57416d5d084
+    image: linuxkit/dm-crypt:f5966a7f10705cf259ca80c30e087764b87cbd26
    command: ["/usr/bin/crypto", "crypt_dev", "/dev/sda1"]
  - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:54906e884b21aca02bf5ecae65f3741b89d8c4e6
    command: ["/usr/bin/mountie", "/dev/mapper/crypt_dev", "/var/secure_storage"]
  - name: bbox
    image: busybox
@@ -28,11 +28,11 @@ onboot:
      - /var:/var
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
 files:
  - path: etc/dm-crypt/key
    # the below key is just to keep the example self-contained
--- a/examples/docker-for-mac.yml
+++ b/examples/docker-for-mac.yml
@@ -1,32 +1,32 @@
 # This is an example for building the open source components of Docker for Mac
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/vpnkit-expose-port:77e45e4681c78d59f1d8a48818260948d55f9d05 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/vpnkit-expose-port:e39447f4ca312f9ca256e7737a6bec59bd36aec9 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  # support metadata for optional config in /run/config
  - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:db835ad616084adb6b474e7fd804928fd1d5dd5f
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: sysfs
-    image: linuxkit/sysfs:ec174e06ca756f492e7a3fd6200d5c1672b97511
+    image: linuxkit/sysfs:8d484374bb71b04984fa1e989b1dfc34b3e258a7
  - name: binfmt
-    image: linuxkit/binfmt:68604c81876812ca1c9e2d9f098c28f463713e61
+    image: linuxkit/binfmt:0dbbe9b1394561d693fe593aab3ec83d992b20d1
  # Format and mount the disk image in /var/lib/docker
  - name: format
-    image: linuxkit/format:e040f4f045f03138a1ee8a22bb6feae7fd5596a6
+    image: linuxkit/format:512d4fb6cd40c1d90a4aa8335d1bd167fa34a10e
  - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:54906e884b21aca02bf5ecae65f3741b89d8c4e6
    command: ["/usr/bin/mountie", "/var/lib"]
  # make a swap file on the mounted disk
  - name: swap
-    image: linuxkit/swap:c57f3319ce770515357f0058035e40519c22b752
+    image: linuxkit/swap:d63836313d3e63712de097aa5a1b4b8cda948106
    command: ["/swap.sh", "--path", "/var/lib/swap", "--size", "1024M"]
  # mount-vpnkit mounts the 9p share used by vpnkit to coordinate port forwarding
  - name: mount-vpnkit
@@ -44,41 +44,41 @@ onboot:
        - /var:/host_var
    command: ["sh", "-c", "mv -v /host_var/log /host_var/lib && ln -vs /var/lib/log /host_var/log"]
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  # Enable acpi to shutdown on power events
  - name: acpid
-    image: linuxkit/acpid:3b1560c81d3884e049ebbd9d9bf94ccb394e6cd3
+    image: linuxkit/acpid:0cbffea2a050fae4e5a942f3a3b9f52257c6db28
  # Enable getty for easier debugging
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
        - INSECURE=true
  # Run ntpd to keep time synchronised in the VM
  - name: ntpd
-    image: linuxkit/openntpd:c90c6dd90f5dfb0ca71a73aac2dad69c8d956af3
+    image: linuxkit/openntpd:c28b50438374f8a413b10297f68c65c0f31bf830
  # VSOCK to unix domain socket forwarding. Forwards guest /var/run/docker.sock
  # to a socket on the host.
  - name: vsudd
-    image: linuxkit/vsudd:b4d80d243733f80906cdbcf77f367a7b5744dc09
+    image: linuxkit/vsudd:e98493f495a206c83f4b1b4eb60255e15da7e223
    binds:
        - /var/run:/var/run
    command: ["/vsudd", "-inport", "2376:unix:/var/run/docker.sock"]
  # vpnkit-forwarder forwards network traffic to/from the host via VSOCK port 62373. 
  # It needs access to the vpnkit 9P coordination share 
  - name: vpnkit-forwarder
-    image: linuxkit/vpnkit-forwarder:a89ec807d7d675dccd53773c07382bc707db3396
+    image: linuxkit/vpnkit-forwarder:870678494d2bf615787b036a87ff1bc5f477c850
    binds:
        - /var/vpnkit:/port
    net: host
    command: ["/vpnkit-forwarder", "-vsockPort", "62373"]
  # Monitor for image deletes and invoke a TRIM on the container filesystem
  - name: trim-after-delete
-    image: linuxkit/trim-after-delete:6ba98bfb111a808b7a1ca890aca9fc2b3709fca2
+    image: linuxkit/trim-after-delete:ffcb95df35984f0b28951f3483a38cafb6f2198e
  # When the host resumes from sleep, force a clock resync
  - name: host-timesync-daemon
-    image: linuxkit/host-timesync-daemon:12d443511194774a9fdaf5457e5f2703fd5e882c
+    image: linuxkit/host-timesync-daemon:2c39149907038dcc7ab4731f079e1880cfb19bd7
  # Run dockerd with the vpnkit userland proxy from the vpnkit-forwarder container.
  # Bind mounts /var/run to allow vsudd to connect to docker.sock, /var/vpnkit
  # for vpnkit coordination and /run/config/docker for the configuration file.
--- a/examples/docker.yml
+++ b/examples/docker.yml
@@ -1,32 +1,32 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: sysfs
-    image: linuxkit/sysfs:ec174e06ca756f492e7a3fd6200d5c1672b97511
+    image: linuxkit/sysfs:8d484374bb71b04984fa1e989b1dfc34b3e258a7
  - name: format
-    image: linuxkit/format:e040f4f045f03138a1ee8a22bb6feae7fd5596a6
+    image: linuxkit/format:512d4fb6cd40c1d90a4aa8335d1bd167fa34a10e
  - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:54906e884b21aca02bf5ecae65f3741b89d8c4e6
    command: ["/usr/bin/mountie", "/var/lib/docker"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
  - name: ntpd
-    image: linuxkit/openntpd:c90c6dd90f5dfb0ca71a73aac2dad69c8d956af3
+    image: linuxkit/openntpd:c28b50438374f8a413b10297f68c65c0f31bf830
  - name: docker
    image: docker:20.10.6-dind
    capabilities:
--- a/examples/getty.yml
+++ b/examples/getty.yml
@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    # to make insecure with passwordless root login, uncomment following lines
    #env:
    # - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
 files:
  - path: etc/getty.shadow
    # sample sets password for root to "abcdefgh" (without quotes)
--- a/examples/hostmount-writeable-overlay.yml
+++ b/examples/hostmount-writeable-overlay.yml
@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 onshutdown:
  - name: shutdown
@@ -18,7 +18,7 @@ onshutdown:
    command: ["/bin/echo", "so long and thanks for all the fish"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
    runtime:
@@ -30,7 +30,7 @@ services:
          destination: writeable-host-etc
          options: ["rw", "lowerdir=/etc", "upperdir=/run/hostetc/upper", "workdir=/run/hostetc/work"]
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: nginx
    image: nginx:1.13.8-alpine
    capabilities:
--- a/examples/influxdb-os.yml
+++ b/examples/influxdb-os.yml
@@ -1,18 +1,18 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: influxdb
--- a/examples/logging.yml
+++ b/examples/logging.yml
@@ -1,23 +1,23 @@
 # Simple example of using an external logging service
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
-  - linuxkit/memlogd:cb79fd19e6485cfc61b85c607ca172cd860554c5
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
+  - linuxkit/memlogd:c5521cc1bb602f8b6343c071e05da596523a4196
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
 # Inside the getty type `/proc/1/root/usr/bin/logread -F` to follow the log
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
 # A service which generates log messages for testing
@@ -25,6 +25,6 @@ services:
    image: alpine:3.13
    command: ["/bin/sh", "-c", "while /bin/true; do echo hello $(date); sleep 1; done" ]
  - name: write-and-rotate-logs
-    image: linuxkit/logwrite:c1c66d246080a40658903916d650206f2dcd707a
+    image: linuxkit/logwrite:8a0a9aa499adcd30fd6729a29e0567b14a4d468f
  - name: kmsg
-    image: linuxkit/kmsg:423844f262467e1199480dc93d69e38610c78133
+    image: linuxkit/kmsg:c4616ea416202761421215ee1783108610175126
--- a/examples/minimal.yml
+++ b/examples/minimal.yml
@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
 onboot:
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
--- a/examples/node_exporter.yml
+++ b/examples/node_exporter.yml
@@ -1,18 +1,18 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
  - name: node_exporter
-    image: linuxkit/node_exporter:9bcd8479b7ba2844773ef4f01a60c901c4800982
+    image: linuxkit/node_exporter:0acda272031d6475c229e440e1ac0643f290b06c
--- a/examples/openstack.yml
+++ b/examples/openstack.yml
@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:db835ad616084adb6b474e7fd804928fd1d5dd5f
    command: ["/usr/bin/metadata", "openstack"]
 services:
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:240e5e4f716bce51099b3785c209bf37613db8f0
    binds.add:
     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
  - name: nginx
--- a/examples/platform-aws.yml
+++ b/examples/platform-aws.yml
@@ -1,27 +1,27 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:db835ad616084adb6b474e7fd804928fd1d5dd5f
 services:
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: dhcpcd2
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf"]
  - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:240e5e4f716bce51099b3785c209bf37613db8f0
    binds.add:
     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
  - name: nginx
--- a/examples/platform-azure.yml
+++ b/examples/platform-azure.yml
@@ -1,21 +1,21 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
 services:
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
  - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:240e5e4f716bce51099b3785c209bf37613db8f0
    binds.add:
      - /root/.ssh:/root/.ssh
 files:
--- a/examples/platform-equinixmetal.arm64.yml
+++ b/examples/platform-equinixmetal.arm64.yml
@@ -0,0 +1,14 @@
+# This YAML snippet is to be used in conjunction with equinixmetal.yml to
+# build a arm64 image for Equinix Metal. It adds a modprobe of the NIC
+# driver and overrides the kernel section to disable prepending the
+# Intel CPU microcode to the initrd. If writing a YAML specifically
+# for arm64 then the 'ucode' line in the kernel section can be left
+# out.
+kernel:
+  image: linuxkit/kernel:6.6.71
+  cmdline: "console=ttyAMA0"
+  ucode: ""
+onboot:
+  - name: modprobe
+    image: linuxkit/modprobe:c2d61d0989a54b0d41b8622304fb0f1f00e173e3
+    command: ["modprobe", "nicvf"]
--- a/examples/platform-equinixmetal.yml
+++ b/examples/platform-equinixmetal.yml
@@ -0,0 +1,38 @@
+kernel:
+  image: linuxkit/kernel:6.6.71
+  cmdline: console=ttyS1
+  ucode: intel-ucode.cpio
+init:
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
+  - linuxkit/firmware:c9c7d24ecc626db5d293d31ffaaed0a7ffa776e6
+onboot:
+  - name: rngd1
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
+    command: ["/sbin/rngd", "-1"]
+  - name: sysctl
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:db835ad616084adb6b474e7fd804928fd1d5dd5f
+    command: ["/usr/bin/metadata", "equinixmetal"]
+services:
+  - name: rngd
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
+  - name: getty
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
+    env:
+     - INSECURE=true
+  - name: sshd
+    image: linuxkit/sshd:240e5e4f716bce51099b3785c209bf37613db8f0
+    binds.add:
+      - /root/.ssh:/root/.ssh
+files:
+  - path: root/.ssh/authorized_keys
+    source: ~/.ssh/id_rsa.pub
+    mode: "0600"
+    optional: true
--- a/examples/platform-gcp.yml
+++ b/examples/platform-gcp.yml
@@ -1,28 +1,28 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:db835ad616084adb6b474e7fd804928fd1d5dd5f
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:240e5e4f716bce51099b3785c209bf37613db8f0
    binds.add:
     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
  - name: nginx
--- a/examples/platform-hetzner.yml
+++ b/examples/platform-hetzner.yml
@@ -1,34 +1,34 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: console=ttyS1
  ucode: intel-ucode.cpio
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
-  - linuxkit/firmware:8def159583422181ddee3704f7024ecb9c02d348
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
+  - linuxkit/firmware:c9c7d24ecc626db5d293d31ffaaed0a7ffa776e6
 onboot:
  - name: rngd1
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
    command: ["/sbin/rngd", "-1"]
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:db835ad616084adb6b474e7fd804928fd1d5dd5f
    command: ["/usr/bin/metadata", "hetzner"]
 services:
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:240e5e4f716bce51099b3785c209bf37613db8f0
    binds.add:
      - /root/.ssh:/root/.ssh
 files:
--- a/examples/platform-packet.arm64.yml
+++ b/examples/platform-packet.arm64.yml
@@ -1,14 +0,0 @@
-# This YAML snippet is to be used in conjunction with packet.yml to
-# build a arm64 image for packet.net. It adds a modprobe of the NIC
-# driver and overrides the kernel section to disable prepending the
-# Intel CPU microcode to the initrd. If writing a YAML specifically
-# for arm64 then the 'ucode' line in the kernel section can be left
-# out.
-kernel:
-  image: linuxkit/kernel:5.10.104
-  cmdline: "console=ttyAMA0"
-  ucode: ""
-onboot:
-  - name: modprobe
-    image: linuxkit/modprobe:ab5ac4d5e7e7a5f2d103764850f7846b69230676
-    command: ["modprobe", "nicvf"]
--- a/examples/platform-packet.yml
+++ b/examples/platform-packet.yml
@@ -1,38 +0,0 @@
-kernel:
-  image: linuxkit/kernel:5.10.104
-  cmdline: console=ttyS1
-  ucode: intel-ucode.cpio
-init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
-  - linuxkit/firmware:8def159583422181ddee3704f7024ecb9c02d348
-onboot:
-  - name: rngd1
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
-    command: ["/sbin/rngd", "-1"]
-  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-  - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
-    command: ["/usr/bin/metadata", "packet"]
-services:
-  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
-  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
-    env:
-     - INSECURE=true
-  - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
-    binds.add:
-      - /root/.ssh:/root/.ssh
-files:
-  - path: root/.ssh/authorized_keys
-    source: ~/.ssh/id_rsa.pub
-    mode: "0600"
-    optional: true
--- a/examples/platform-rt-for-vmware.yml
+++ b/examples/platform-rt-for-vmware.yml
@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:5.11.4-rt
+  image: linuxkit/kernel:6.6.71-rt
  cmdline: "console=tty0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
  - name: open-vm-tools
-    image: linuxkit/open-vm-tools:728ddf726474178eea97604c0baeabd52edab7e9
+    image: linuxkit/open-vm-tools:aa0a3b513f5020bcea5858632f0a988c81d16ed0
  - name: nginx
    image: nginx:1.13.8-alpine
    capabilities:
--- a/examples/platform-scaleway.yml
+++ b/examples/platform-scaleway.yml
@@ -1,26 +1,26 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0 root=/dev/vda"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: rngd1
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
    command: ["/sbin/rngd", "-1"]
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:db835ad616084adb6b474e7fd804928fd1d5dd5f
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
--- a/examples/platform-vmware.yml
+++ b/examples/platform-vmware.yml
@@ -1,23 +1,23 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
  - name: nginx
    image: nginx:1.13.8-alpine
    capabilities:
--- a/examples/platform-vultr.yml
+++ b/examples/platform-vultr.yml
@@ -1,29 +1,29 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:db835ad616084adb6b474e7fd804928fd1d5dd5f
    command: ["/usr/bin/metadata", "vultr"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:240e5e4f716bce51099b3785c209bf37613db8f0
    binds.add:
     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
  - name: nginx
--- a/examples/redis-os.yml
+++ b/examples/redis-os.yml
@@ -1,19 +1,19 @@
 # Minimal YAML to run a redis server (used at DockerCon'17)
 # connect: nc localhost 6379
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
 onboot:
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  # Currently redis:4.0.6-alpine has trust issue with multi-arch
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@@ -1,28 +1,28 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: rngd1
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
    command: ["/sbin/rngd", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
  - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:240e5e4f716bce51099b3785c209bf37613db8f0
    binds.add:
      - /root/.ssh:/root/.ssh
 files:
--- a/examples/static-ip.yml
+++ b/examples/static-ip.yml
@@ -1,19 +1,19 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
 onboot:
  - name: ip
-    image: linuxkit/ip:bb250017b05de5e16ac436b1eb19a39c87b5a252
+    image: linuxkit/ip:afb85d0e238bb26f35546d98c14d41b6f41ccd50
    binds:
     - /etc/ip:/etc/ip
    command: ["ip", "-b", "/etc/ip/eth0.conf"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
 files:     
--- a/examples/swap.yml
+++ b/examples/swap.yml
@@ -1,31 +1,31 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: format
-    image: linuxkit/format:e040f4f045f03138a1ee8a22bb6feae7fd5596a6
+    image: linuxkit/format:512d4fb6cd40c1d90a4aa8335d1bd167fa34a10e
  - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:54906e884b21aca02bf5ecae65f3741b89d8c4e6
    command: ["/usr/bin/mountie", "/var/external"]
  - name: swap
-    image: linuxkit/swap:c57f3319ce770515357f0058035e40519c22b752
+    image: linuxkit/swap:d63836313d3e63712de097aa5a1b4b8cda948106
    # to use unencrypted swap, use:
    # command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G"]
    command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G", "--encrypt"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
--- a/examples/tpm.yml
+++ b/examples/tpm.yml
@@ -1,26 +1,26 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: tss
-    image: linuxkit/tss:856286012a613598d6ef6869b196f9a72245b7d2
+    image: linuxkit/tss:3da81eb650611fcdd465499b1af659039dc03af6
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
 files:
  - path: etc/getty.shadow
    # sample sets password for root to "abcdefgh" (without quotes)
--- a/examples/volumes.yml
+++ b/examples/volumes.yml
@@ -0,0 +1,45 @@
+# example with volumes, both blank and populated
+kernel:
+  image: linuxkit/kernel:6.6.71
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+onshutdown:
+  - name: shutdown
+    image: busybox:latest
+    command: ["/bin/echo", "so long and thanks for all the fish"]
+services:
+  - name: getty
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
+  - name: nginx
+    image: nginx:1.19.5-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf
+     - blank:/blank
+     - alpine:/alpine
+volumes:
+- name: blank   # blank volume
+- name: alpine  # populated volume
+  image: alpine:3.21
+files:
+  - path: etc/linuxkit-config
+    metadata: yaml
--- a/examples/vpnkit-forwarder.yml
+++ b/examples/vpnkit-forwarder.yml
@@ -1,13 +1,13 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
 onboot:
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: mount-vpnkit
    image: alpine:3.13
@@ -19,11 +19,11 @@ onboot:
    command: ["sh", "-c", "mkdir /host_var/vpnkit && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"]
 services:
  - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:240e5e4f716bce51099b3785c209bf37613db8f0
    binds.add:
      - /root/.ssh:/root/.ssh
  - name: vpnkit-forwarder
-    image: linuxkit/vpnkit-forwarder:a89ec807d7d675dccd53773c07382bc707db3396
+    image: linuxkit/vpnkit-forwarder:870678494d2bf615787b036a87ff1bc5f477c850
    binds:
        - /var/vpnkit:/port
    net: host
--- a/examples/vsudd-containerd.yml
+++ b/examples/vsudd-containerd.yml
@@ -1,17 +1,17 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
 onboot:
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: vsudd
-    image: linuxkit/vsudd:b4d80d243733f80906cdbcf77f367a7b5744dc09
+    image: linuxkit/vsudd:e98493f495a206c83f4b1b4eb60255e15da7e223
    binds:
        - /run/containerd/containerd.sock:/run/containerd/containerd.sock
    command: ["/vsudd",
--- a/examples/wireguard.yml
+++ b/examples/wireguard.yml
@@ -1,19 +1,19 @@
 kernel:
-  image: linuxkit/kernel:5.10.104
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: wg0
-    image: linuxkit/ip:bb250017b05de5e16ac436b1eb19a39c87b5a252
+    image: linuxkit/ip:afb85d0e238bb26f35546d98c14d41b6f41ccd50
    net: new
    binds:
      - /etc/wireguard:/etc/wireguard
@@ -26,7 +26,7 @@ onboot:
      bindNS:
          net: /run/netns/wg0
  - name: wg1
-    image: linuxkit/ip:bb250017b05de5e16ac436b1eb19a39c87b5a252
+    image: linuxkit/ip:afb85d0e238bb26f35546d98c14d41b6f41ccd50
    net: new
    binds:
      - /etc/wireguard:/etc/wireguard
@@ -40,12 +40,12 @@ onboot:
          net: /run/netns/wg1
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
    net: /run/netns/wg1
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: nginx
    image: nginx:1.13.8-alpine
    net: /run/netns/wg0
--- a/pkg/init/vendor/github.com/vishvananda/netns/go.sum
+++ b/pkg/init/vendor/github.com/vishvananda/netns/go.sum
--- a/pkg/init/vendor/github.com/willf/bitset/go.sum
+++ b/pkg/init/vendor/github.com/willf/bitset/go.sum
--- a/pkg/metadata/vendor/github.com/pierrec/lz4/v4/go.sum
+++ b/pkg/metadata/vendor/github.com/pierrec/lz4/v4/go.sum
--- a/kernel/5.15.x/build-args
+++ b/kernel/5.15.x/build-args
@@ -0,0 +1,3 @@
+KERNEL_VERSION=5.15.27
+KERNEL_SERIES=5.15.x
+BUILD_IMAGE=linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e
--- a/kernel/5.15.x/deprecated
+++ b/kernel/5.15.x/deprecated
--- a/kernel/5.4.x/deprecated
+++ b/kernel/5.4.x/deprecated
--- a/kernel/6.6.x/build-args
+++ b/kernel/6.6.x/build-args
@@ -1,3 +1,3 @@
-KERNEL_VERSION=6.6.13
+KERNEL_VERSION=6.6.71
 KERNEL_SERIES=6.6.x
-BUILD_IMAGE=linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e
+BUILD_IMAGE=linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a
--- a/kernel/6.6.x/config-aarch64
+++ b/kernel/6.6.x/config-aarch64
@@ -1,20 +1,21 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 6.6.13 Kernel Configuration
+# Linux/arm64 6.6.71 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="gcc (Alpine 13.2.1_git20231014) 13.2.1 20231014"
+CONFIG_CC_VERSION_TEXT="gcc (Alpine 14.2.0) 14.2.0"
 CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=130201
+CONFIG_GCC_VERSION=140200
 CONFIG_CLANG_VERSION=0
 CONFIG_AS_IS_GNU=y
-CONFIG_AS_VERSION=24100
+CONFIG_AS_VERSION=24301
 CONFIG_LD_IS_BFD=y
-CONFIG_LD_VERSION=24100
+CONFIG_LD_VERSION=24301
 CONFIG_LLD_VERSION=0
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
 CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
+CONFIG_TOOLS_SUPPORT_RELR=y
 CONFIG_CC_HAS_ASM_INLINE=y
 CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
 CONFIG_PAHOLE_VERSION=0
@@ -157,7 +158,7 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
 CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
 CONFIG_CC_HAS_INT128=y
 CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5"
-CONFIG_GCC11_NO_ARRAY_BOUNDS=y
+CONFIG_GCC10_NO_ARRAY_BOUNDS=y
 CONFIG_CC_NO_ARRAY_BOUNDS=y
 CONFIG_ARCH_SUPPORTS_INT128=y
 CONFIG_CGROUPS=y
@@ -371,7 +372,10 @@ CONFIG_ARM64_ERRATUM_2067961=y
 CONFIG_ARM64_ERRATUM_2441009=y
 CONFIG_ARM64_ERRATUM_2457168=y
 CONFIG_ARM64_ERRATUM_2645198=y
+CONFIG_ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD=y
 CONFIG_ARM64_ERRATUM_2966298=y
+CONFIG_ARM64_ERRATUM_3117295=y
+CONFIG_ARM64_ERRATUM_3194386=y
 CONFIG_CAVIUM_ERRATUM_22375=y
 CONFIG_CAVIUM_ERRATUM_23154=y
 CONFIG_CAVIUM_ERRATUM_27456=y
@@ -488,7 +492,6 @@ CONFIG_ARM64_EPAN=y
 # end of ARMv8.7 architectural features

 CONFIG_ARM64_SVE=y
-CONFIG_ARM64_SME=y
 # CONFIG_ARM64_PSEUDO_NMI is not set
 CONFIG_RELOCATABLE=y
 CONFIG_RANDOMIZE_BASE=y
@@ -631,6 +634,7 @@ CONFIG_KVM_GENERIC_HARDWARE_ENABLING=y
 CONFIG_VIRTUALIZATION=y
 CONFIG_KVM=y
 # CONFIG_NVHE_EL2_DEBUG is not set
+CONFIG_CPU_MITIGATIONS=y

 #
 # General architecture-dependent options
@@ -730,6 +734,7 @@ CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
 CONFIG_ARCH_USE_MEMREMAP_PROT=y
 # CONFIG_LOCK_EVENT_COUNTS is not set
 CONFIG_ARCH_HAS_RELR=y
+CONFIG_RELR=y
 CONFIG_HAVE_PREEMPT_DYNAMIC=y
 CONFIG_HAVE_PREEMPT_DYNAMIC_KEY=y
 CONFIG_ARCH_WANT_LD_ORPHAN_WARN=y
@@ -905,6 +910,7 @@ CONFIG_PAGE_REPORTING=y
 CONFIG_MIGRATION=y
 CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
 CONFIG_ARCH_ENABLE_THP_MIGRATION=y
+CONFIG_PCP_BATCH_SCALE_MAX=5
 CONFIG_PHYS_ADDR_T_64BIT=y
 CONFIG_MMU_NOTIFIER=y
 CONFIG_KSM=y
@@ -3354,7 +3360,6 @@ CONFIG_MFD_CORE=y
 # CONFIG_MFD_SKY81452 is not set
 # CONFIG_MFD_STMPE is not set
 CONFIG_MFD_SYSCON=y
-# CONFIG_MFD_TI_AM335X_TSCADC is not set
 # CONFIG_MFD_LP3943 is not set
 # CONFIG_MFD_LP8788 is not set
 # CONFIG_MFD_TI_LMU is not set
@@ -3413,6 +3418,7 @@ CONFIG_MFD_VEXPRESS_SYSREG=y
 # Graphics support
 #
 CONFIG_APERTURE_HELPERS=y
+CONFIG_SCREEN_INFO=y
 CONFIG_VIDEO_CMDLINE=y
 # CONFIG_AUXDISPLAY is not set
 # CONFIG_DRM is not set
@@ -3474,6 +3480,7 @@ CONFIG_FB_SYS_IMAGEBLIT=y
 # CONFIG_FB_FOREIGN_ENDIAN is not set
 CONFIG_FB_SYS_FOPS=y
 CONFIG_FB_DEFERRED_IO=y
+CONFIG_FB_IOMEM_FOPS=y
 CONFIG_FB_IOMEM_HELPERS=y
 CONFIG_FB_SYSMEM_HELPERS=y
 CONFIG_FB_SYSMEM_HELPERS_DEFERRED=y
@@ -3600,6 +3607,7 @@ CONFIG_HID_GENERIC=y
 # CONFIG_HID_ZYDACRON is not set
 # CONFIG_HID_SENSOR_HUB is not set
 # CONFIG_HID_ALPS is not set
+# CONFIG_HID_MCP2200 is not set
 # CONFIG_HID_MCP2221 is not set
 # end of Special HID drivers

@@ -3821,8 +3829,6 @@ CONFIG_MMC_SDHCI_PLTFM=m
 # CONFIG_MMC_TOSHIBA_PCI is not set
 # CONFIG_MMC_MTK is not set
 # CONFIG_MMC_SDHCI_XENON is not set
-# CONFIG_MMC_SDHCI_OMAP is not set
-# CONFIG_MMC_SDHCI_AM654 is not set
 # CONFIG_SCSI_UFSHCD is not set
 # CONFIG_MEMSTICK is not set
 # CONFIG_NEW_LEDS is not set
@@ -4726,6 +4732,9 @@ CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_USER_DECRYPTED_DATA is not set
 CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_SECURITY_DMESG_RESTRICT=y
+CONFIG_PROC_MEM_ALWAYS_FORCE=y
+# CONFIG_PROC_MEM_FORCE_PTRACE is not set
+# CONFIG_PROC_MEM_NO_FORCE is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
@@ -4821,6 +4830,7 @@ CONFIG_CRYPTO_ALGAPI=y
 CONFIG_CRYPTO_ALGAPI2=y
 CONFIG_CRYPTO_AEAD=y
 CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_SIG=y
 CONFIG_CRYPTO_SIG2=y
 CONFIG_CRYPTO_SKCIPHER=y
 CONFIG_CRYPTO_SKCIPHER2=y
@@ -5191,7 +5201,6 @@ CONFIG_DMA_DIRECT_REMAP=y
 # CONFIG_DMA_MAP_BENCHMARK is not set
 CONFIG_SGL_ALLOC=y
 CONFIG_CHECK_SIGNATURE=y
-# CONFIG_FORCE_NR_CPUS is not set
 CONFIG_CPU_RMAP=y
 CONFIG_DQL=y
 CONFIG_GLOB=y
--- a/kernel/6.6.x/config-riscv64
+++ b/kernel/6.6.x/config-riscv64
--- a/kernel/6.6.x/config-x86_64
+++ b/kernel/6.6.x/config-x86_64
@@ -1,15 +1,15 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.6.13 Kernel Configuration
+# Linux/x86 6.6.71 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="gcc (Alpine 13.2.1_git20231014) 13.2.1 20231014"
+CONFIG_CC_VERSION_TEXT="gcc (Alpine 14.2.0) 14.2.0"
 CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=130201
+CONFIG_GCC_VERSION=140200
 CONFIG_CLANG_VERSION=0
 CONFIG_AS_IS_GNU=y
-CONFIG_AS_VERSION=24100
+CONFIG_AS_VERSION=24301
 CONFIG_LD_IS_BFD=y
-CONFIG_LD_VERSION=24100
+CONFIG_LD_VERSION=24301
 CONFIG_LLD_VERSION=0
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
@@ -180,7 +180,7 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
 CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
 CONFIG_CC_HAS_INT128=y
 CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5"
-CONFIG_GCC11_NO_ARRAY_BOUNDS=y
+CONFIG_GCC10_NO_ARRAY_BOUNDS=y
 CONFIG_CC_NO_ARRAY_BOUNDS=y
 CONFIG_ARCH_SUPPORTS_INT128=y
 CONFIG_CGROUPS=y
@@ -470,7 +470,6 @@ CONFIG_PHYSICAL_ALIGN=0x1000000
 CONFIG_DYNAMIC_MEMORY_LAYOUT=y
 CONFIG_RANDOMIZE_MEMORY=y
 CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
-# CONFIG_ADDRESS_MASKING is not set
 CONFIG_HOTPLUG_CPU=y
 # CONFIG_COMPAT_VDSO is not set
 # CONFIG_LEGACY_VSYSCALL_XONLY is not set
@@ -490,7 +489,7 @@ CONFIG_CALL_PADDING=y
 CONFIG_HAVE_CALL_THUNKS=y
 CONFIG_CALL_THUNKS=y
 CONFIG_PREFIX_SYMBOLS=y
-CONFIG_SPECULATION_MITIGATIONS=y
+CONFIG_CPU_MITIGATIONS=y
 CONFIG_PAGE_TABLE_ISOLATION=y
 CONFIG_RETPOLINE=y
 CONFIG_RETHUNK=y
@@ -502,6 +501,8 @@ CONFIG_CPU_IBRS_ENTRY=y
 CONFIG_CPU_SRSO=y
 # CONFIG_SLS is not set
 # CONFIG_GDS_FORCE_MITIGATION is not set
+CONFIG_MITIGATION_RFDS=y
+CONFIG_MITIGATION_SPECTRE_BHI=y
 CONFIG_ARCH_HAS_ADD_PAGES=y

 #
@@ -684,6 +685,7 @@ CONFIG_AS_SHA256_NI=y
 CONFIG_AS_TPAUSE=y
 CONFIG_AS_GFNI=y
 CONFIG_AS_WRUSS=y
+CONFIG_ARCH_CONFIGURES_CPU_MITIGATIONS=y

 #
 # General architecture-dependent options
@@ -1004,6 +1006,7 @@ CONFIG_DEVICE_MIGRATION=y
 CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
 CONFIG_ARCH_ENABLE_THP_MIGRATION=y
 CONFIG_CONTIG_ALLOC=y
+CONFIG_PCP_BATCH_SCALE_MAX=5
 CONFIG_PHYS_ADDR_T_64BIT=y
 CONFIG_MMU_NOTIFIER=y
 CONFIG_KSM=y
@@ -3177,7 +3180,6 @@ CONFIG_LPC_SCH=y
 CONFIG_MFD_SM501=y
 # CONFIG_MFD_SKY81452 is not set
 # CONFIG_MFD_SYSCON is not set
-# CONFIG_MFD_TI_AM335X_TSCADC is not set
 # CONFIG_MFD_LP3943 is not set
 # CONFIG_MFD_LP8788 is not set
 # CONFIG_MFD_TI_LMU is not set
@@ -3219,6 +3221,7 @@ CONFIG_MFD_VX855=y
 # Graphics support
 #
 CONFIG_APERTURE_HELPERS=y
+CONFIG_SCREEN_INFO=y
 CONFIG_VIDEO_CMDLINE=y
 CONFIG_VIDEO_NOMODESET=y
 # CONFIG_AUXDISPLAY is not set
@@ -3290,6 +3293,7 @@ CONFIG_FB_SYS_IMAGEBLIT=y
 # CONFIG_FB_FOREIGN_ENDIAN is not set
 CONFIG_FB_SYS_FOPS=y
 CONFIG_FB_DEFERRED_IO=y
+CONFIG_FB_IOMEM_FOPS=y
 CONFIG_FB_IOMEM_HELPERS=y
 CONFIG_FB_SYSMEM_HELPERS=y
 CONFIG_FB_SYSMEM_HELPERS_DEFERRED=y
@@ -4352,6 +4356,9 @@ CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_USER_DECRYPTED_DATA is not set
 CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_SECURITY_DMESG_RESTRICT=y
+CONFIG_PROC_MEM_ALWAYS_FORCE=y
+# CONFIG_PROC_MEM_FORCE_PTRACE is not set
+# CONFIG_PROC_MEM_NO_FORCE is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
@@ -4447,6 +4454,7 @@ CONFIG_CRYPTO_ALGAPI=y
 CONFIG_CRYPTO_ALGAPI2=y
 CONFIG_CRYPTO_AEAD=y
 CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_SIG=y
 CONFIG_CRYPTO_SIG2=y
 CONFIG_CRYPTO_SKCIPHER=y
 CONFIG_CRYPTO_SKCIPHER2=y
@@ -4798,7 +4806,6 @@ CONFIG_SWIOTLB=y
 # CONFIG_DMA_MAP_BENCHMARK is not set
 CONFIG_SGL_ALLOC=y
 CONFIG_CHECK_SIGNATURE=y
-# CONFIG_FORCE_NR_CPUS is not set
 CONFIG_CPU_RMAP=y
 CONFIG_DQL=y
 CONFIG_GLOB=y
@@ -4957,6 +4964,7 @@ CONFIG_ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP=y
 CONFIG_HAVE_ARCH_KASAN=y
 CONFIG_HAVE_ARCH_KASAN_VMALLOC=y
 CONFIG_CC_HAS_KASAN_GENERIC=y
+CONFIG_CC_HAS_KASAN_SW_TAGS=y
 CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y
 # CONFIG_KASAN is not set
 CONFIG_HAVE_ARCH_KFENCE=y
--- a/kernel/Dockerfile
+++ b/kernel/Dockerfile
@@ -115,6 +115,9 @@ RUN case $(uname -m) in \
    aarch64) \
        KERNEL_DEF_CONF=/linux/arch/arm64/configs/defconfig; \
        ;; \
+    riscv64) \
+        KERNEL_DEF_CONF=/linux/arch/riscv/configs/defconfig; \
+        ;; \
    esac  && \
    cp /src/${KERNEL_SERIES}/config-$(uname -m) ${KERNEL_DEF_CONF}; \
    if [ -n "${EXTRA}" ] && [ -f "/src/${KERNEL_SERIES}-${EXTRA}/config-$(uname -m)" ]; then \
@@ -139,6 +142,9 @@ RUN make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
    aarch64) \
        cp arch/arm64/boot/Image.gz /out/kernel; \
        ;; \
+    riscv64) \
+        cp arch/riscv/boot/Image.gz /out/kernel; \
+        ;; \
    esac && \
    cp System.map /out && \
    ([ -n "${DEBUG}" ] && cp vmlinux /out || true)
--- a/kernel/Dockerfile.bcc
+++ b/kernel/Dockerfile.bcc
@@ -1,6 +1,8 @@
 ARG BUILD_IMAGE
+ARG KERNEL_VERSION
+ARG PKG_HASH

-FROM ${KERNEL_VERSION}-${HASH} as ksrc
+FROM linuxkit/kernel:${KERNEL_VERSION}-${PKG_HASH} as ksrc

 FROM ${BUILD_IMAGE} AS build
 RUN apk update && apk upgrade -a && \
@@ -22,11 +24,11 @@ RUN apk update && apk upgrade -a && \
  iperf3 \
  libedit-dev \
  libtool \
-  llvm \
-  llvm-dev \
-  llvm-static \
-  llvm17-gtest \
-  luajit-dev \
+  libxml2 \
+  llvm19 \
+  llvm19-dev \
+  llvm19-static \
+  llvm19-gtest \
  m4 \
  musl-fts-dev \
  python3 \
@@ -36,21 +38,8 @@ RUN apk update && apk upgrade -a && \
  zlib-dev \
  && true

-# this is just here to make later copies easier; do not forget to change this if the python version updates
-ENV PYTHON_VERSION=3.11
-
-RUN ln -s /usr/lib/cmake/llvm10/ /usr/lib/cmake/llvm && \
-    ln -s /usr/include/llvm10/llvm-c/ /usr/include/llvm-c && \
-    ln -s /usr/include/llvm10/llvm/ /usr/include/llvm
-
 WORKDIR /build

-ENV BCC_COMMIT=v0.29.1
-RUN git clone https://github.com/iovisor/bcc.git && \
-    cd bcc && \
-    git checkout $BCC_COMMIT && \
-    sed -i 's/<error.h>/<errno.h>/' examples/cpp/KModRetExample.cc
-
 COPY --from=ksrc /kernel-headers.tar /build
 COPY --from=ksrc /kernel-dev.tar /build
 COPY --from=ksrc /kernel.tar /build
@@ -58,15 +47,6 @@ RUN tar xf /build/kernel-headers.tar && \
    tar xf /build/kernel-dev.tar && \
    tar xf /build/kernel.tar

-RUN mkdir -p bcc/build && cd bcc/build && \
-    cmake .. -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON \
-             -DCMAKE_C_FLAGS="-I/build/usr/include" \
-             -DPYTHON_CMD=python3 \
-             -DCMAKE_CXX_FLAGS="-I/build/usr/include" \
-             -DCMAKE_INSTALL_PREFIX=/usr && \
-    make && \
-    make install
-
 RUN mkdir -p /out/usr/ && \
    cp -a /build/usr/src /out/usr/ && \
    cp -a /build/usr/include /out/usr
@@ -74,23 +54,25 @@ RUN mkdir -p /out/usr/lib && \
    cp -a /usr/lib/libelf* /out/usr/lib/ && \
    cp -a /usr/lib/libstdc* /out/usr/lib/ && \
    cp -a /usr/lib/libintl* /out/usr/lib/
-RUN mkdir -p /out/usr/lib/python${PYTHON_VERSION} && \
-    cp -a /usr/lib/python${PYTHON_VERSION}/site-packages /out/usr/lib/python${PYTHON_VERSION}/
-RUN mkdir -p /out/usr/share && \
-    cp -a /usr/share/bcc /out/usr/share/
-RUN mkdir -p /out/usr/bin && \
-    cp -a /usr/bin/bcc-lua /out/usr/bin/

+RUN PYTHONPATH=$(python3 -c "import sysconfig; print(sysconfig.get_path('stdlib'))") && mkdir -p /out${PYTHONPATH} && \
+    cp -a ${PYTHONPATH}/site-packages /out/${PYTHONPATH}
 FROM ${BUILD_IMAGE} as mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk update && apk upgrade -a && \
  apk add --no-cache --initdb -p /out \
+  bcc \
+  bcc-dev \
+  bcc-tools \
  busybox \
-  luajit \
  python3 \
  zlib \
  && true

+# lua/luajit is not available on all platforms, but we do not consider it blocking
+RUN apk add --no-cache -p /out luajit || true
+RUN apk add --no-cache -p /out bcc-lua || true
+
 FROM scratch
 ENTRYPOINT []
 CMD []
--- a/kernel/Dockerfile.kconfig
+++ b/kernel/Dockerfile.kconfig
@@ -43,8 +43,9 @@ RUN set -e && \
               patch -t -F0 -N -u -p1 < "$patch"; \
           done; \
        fi && \
-        [ ! -f /config-${SERIES}-x86_64 ] || mv /config-${SERIES}-x86_64 arch/x86/configs/x86_64_defconfig && \
+        [ ! -f /config-${SERIES}-x86_64 ] || mv /config-${SERIES}-x86_64 arch/x86/configs/x86_64_defconfig ; \
        [ ! -f /config-${SERIES}-aarch64 ] || mv /config-${SERIES}-aarch64 arch/arm64/configs/defconfig ; \
+        [ ! -f /config-${SERIES}-riscv64 ] || mv /config-${SERIES}-riscv64 arch/riscv64/configs/riscv64_defconfig ; \
    done

 ENTRYPOINT ["/bin/sh"]
--- a/kernel/Dockerfile.kconfigx
+++ b/kernel/Dockerfile.kconfigx
@@ -58,6 +58,9 @@ for VERSION in ${KERNEL_VERSIONS}; do
 	elif [ ${TARGETARCH} = "arm64" ] ; then
 		cp /config-${SERIES}-aarch64 .config
 		ARCH=arm64 make oldconfig
+    elif [ ${TARGETARCH} = "riscv64" ] ; then
+		cp /config-${SERIES}-riscv64 .config
+		ARCH=riscv64 make oldconfig
 	fi
 done
 EOF
--- a/kernel/Dockerfile.perf
+++ b/kernel/Dockerfile.perf
@@ -1,8 +1,10 @@
 # This Dockerfile extracts the source code and headers from a kernel package,
 # builds the perf utility, and places it into a scratch image
 ARG BUILD_IMAGE
+ARG KERNEL_VERSION
+ARG PKG_HASH

-FROM ${KERNEL_VERSION}-${HASH} AS ksrc
+FROM linuxkit/kernel:${KERNEL_VERSION}-${PKG_HASH} as ksrc

 FROM ${BUILD_IMAGE} AS build
 RUN apk add \
@@ -51,7 +53,7 @@ RUN make -C libtraceevent all install V=1
 WORKDIR /linux

 RUN mkdir -p /out && \
-    make -C tools/perf LDFLAGS=-static V=1 && \
+    make -C tools/perf EXTRA_CFLAGS="-Wno-alloc-size -Wno-calloc-transposed-args" LDFLAGS=-static V=1 && \
    strip tools/perf/perf && \
    cp tools/perf/perf /out

--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -16,7 +16,7 @@ RM = rm -f
 # Name and Org on Hub
 ORG?=linuxkit
 IMAGE?=kernel
-IMAGE_BUILDER=linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e
+IMAGE_BUILDER=linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a

 # You can specify an extra options for the Makefile. This will:
 # - append a config$(EXTRA) to the kernel config for your kernel/arch
@@ -34,27 +34,26 @@ DIRTY:=$(shell git update-index -q --refresh && git diff-index --quiet HEAD -- $
 endif
 endif

-# Path to push-manifest.sh
-PUSH_MANIFEST:=$(shell git rev-parse --show-toplevel)/scripts/push-manifest.sh
+REPO_ROOT:=$(shell git rev-parse --show-toplevel)

 # determine our architecture
-BUILDERARCH=
+ARCH?=$(shell uname -m)
+BUILDERARCH=$(ARCH)
 ifneq ($(ARCH),)
 ifeq ($(ARCH),$(filter $(ARCH),x86_64 amd64))
-SUFFIX=-amd64
 override ARCH=x86_64
-BUILDERARCH=amd64
+override BUILDERARCH=amd64
 endif
 ifeq ($(ARCH),$(filter $(ARCH),aarch64 arm64))
-SUFFIX=-arm64
 override ARCH=aarch64
-BUILDERARCH=arm64
+override BUILDERARCH=arm64
+endif
+ifeq ($(ARCH),riscv64)
+override BUILDERARCH=riscv64
 endif
 endif

-ifneq ($(BUILDERARCH),)
-PLATFORMS=--platforms linux/$(BUILDERARCH)
-endif
+BUILD_PLATFORM=linux/$(BUILDERARCH)

 HASHTAG=$(HASH)$(DIRTY)

@@ -65,7 +64,10 @@ notdirty:
 # utility function
 SPACE := $(eval) $(eval)
 PERIOD := .
+# series - convert a version to a series, e.g. 6.6.13 -> 6.6.x
 series = $(word 1,$(subst ., ,$(1))).$(word 2,$(subst ., ,$(1))).x
+# serieswithhash - convert a version with or without a hash to a series with a hash, e.g. 6.6.13-anbcd -> 6.6.x-[0-9a-f]+
+serieswithhash = $(word 1,$(subst ., ,$(1))).$(word 2,$(subst ., ,$(1))).[0-9]+-[0-9a-f]+

 # word 1 is the release, word 2 is the tool
 RELEASESEP := PART
@@ -76,21 +78,25 @@ baseimage = $(ORG)/$(IMAGE)$(call baseimageextension,$(1))
 uniq = $(if $1,$(firstword $1) $(call uniq,$(filter-out $(firstword $1),$1)))


+# DEPRECATED : all kernel versions (actually series) marked as deprecated
+# You might still be able to build them, but they are not built by default or supported
+DEPRECATED_list=$(wildcard */deprecated)
+DEPRECATED := $(patsubst %/deprecated,%,$(DEPRECATED_list))
 #
-# Kernel versions to build.
-# Use all for kernels to be built on all platforms; use KERNELS_x86_64 or KERNELS_aarch64 for platform-specific kernels
-KERNELS_all=6.6.13 5.15.27
-KERNELS_x86_64=
-KERNELS_aarch64=
+# KERNELS : all potential kernel versions, based on the build-args files

-# deprecated versions. You might still be able to build them, but they are not built by default or supported
-# Use all for kernels to be built on all platforms; use DEPRECATED_x86_64 or DEPRECATED_aarch64 for platform-specific kernels
-DEPRECATED_all=5.10.104 5.11.4-rt
-DEPRECATED_x86_64=5.4.172 
-DEPRECATED_aarch64=
+# first find all known build-args files
+KERNELS_buildargfiles=$(wildcard */build-args)
+# get their directories
+KERNELS_alldirs=$(patsubst %/build-args,%,$(KERNELS_buildargfiles))
+# remove any directories that are marked as deprecated; what is left is valid dirs
+KERNELS_validdirs=$(filter-out $(DEPRECATED),$(KERNELS_alldirs))
+# get the values from the valid dirs
+KERNELS=$(shell awk -F= '/^KERNEL_VERSION=/ {print $$2}' $(addsuffix /build-args,$(KERNELS_validdirs)))
+
+# get the highest supported one
+KERNEL_HIGHEST=$(shell echo $(KERNELS) | tr ' ' '\n' | sort -V | tail -n 1)

-KERNELS?=$(KERNELS_all) $(KERNELS_$(ARCH))
-DEPRECATED?=$(DEPRECATED_all) $(DEPRECATED_$(ARCH))

 # we build all tools across all platforms and kernels that we build
 TOOLS=bcc perf
@@ -120,19 +126,21 @@ buildkerneldeps-%: Dockerfile Makefile $(wildcard patches-$(call series,$*)/*) $

 buildplainkernel-%: buildkerneldeps-%
 	$(eval KERNEL_SERIES=$(call series,$*))
-	linuxkit pkg build . $(FORCE) $(PLATFORMS) --build-yml ./build-kernel.yml --tag "$*-{{.Hash}}" --build-arg-file $(KERNEL_SERIES)/build-args 
+	linuxkit pkg build . $(FORCE) --platforms $(BUILD_PLATFORM) --build-yml ./build-kernel.yml --tag "$*-{{.Hash}}" --build-arg-file $(KERNEL_SERIES)/build-args 

 builddebugkernel-%: buildkerneldeps-%
 	$(eval KERNEL_SERIES=$(call series,$*))
-	linuxkit pkg build . $(FORCE) $(PLATFORMS) --build-yml ./build-kernel.yml --tag "$*-dbg-{{.Hash}}" --build-arg-file $(KERNEL_SERIES)/build-args --build-arg-file build-args-debug
+	linuxkit pkg build . $(FORCE) --platforms $(BUILD_PLATFORM) --build-yml ./build-kernel.yml --tag "$*-dbg-{{.Hash}}" --build-arg-file $(KERNEL_SERIES)/build-args --build-arg-file build-args-debug

 push-%: notdirty build-% pushkernel-% tagbuilder-% pushtools-%;

+# tagbuilder-% tags the builder image with the kernel version and `-builder` and pushes it
+# checks if it already matches on the registry before pushing
+# because the build may have been on a remote builder, or we may not have had to do a local build,
+# we cannot assume that IMAGE_BUILDER is available locally, whether in docker image cache or limuxkit cache
 tagbuilder-%: notdirty
 	$(eval BUILDER_IMAGE=$(call baseimage,$*)-builder)
-	docker tag $(IMAGE_BUILDER) $(BUILDER_IMAGE)$(SUFFIX) && \
-	docker push $(BUILDER_IMAGE)$(SUFFIX) && \
-	$(PUSH_MANIFEST) $(BUILDER_IMAGE)
+	linuxkit pkg remote-tag $(IMAGE_BUILDER) $(BUILDER_IMAGE)

 pushkernel-%: pushplainkernel-% pushdebugkernel-%;

@@ -157,7 +165,7 @@ buildtool-%:
 	$(eval TOOL=$(call toolname,$*))
 	$(eval KERNEL_VERSION=$(call toolkernel,$*))
 	$(eval KERNEL_SERIES=$(call series,$(KERNEL_VERSION)))
-	linuxkit pkg build . $(FORCE) $(PLATFORMS) --build-yml ./build-$(TOOL).yml --tag "$(KERNEL_VERSION)-{{.Hash}}" --build-arg-file $(KERNEL_SERIES)/build-args
+	linuxkit pkg build . $(FORCE) --platforms $(BUILD_PLATFORM) --build-yml ./build-$(TOOL).yml --tag "$(KERNEL_VERSION)-{{.Hash}}" --build-arg-file $(KERNEL_SERIES)/build-args

 pushtools-%: $(addprefix pushtool-%$(RELEASESEP),$(TOOLS));

@@ -170,35 +178,64 @@ pushtool-%: buildtool-%
 	linuxkit cache push $(HASHED_IMAGE)
 	linuxkit cache push $(HASHED_IMAGE) --remote-name $(PLAIN_IMAGE)

+#
+# targets for getting names of particular tags and replacing them, like what scripts/update-component-sha.sh does
+#
+
+# get the tag for the normal kernel for a particular version. Accepts version or series
+tag-plainkernel-%:
+	@linuxkit pkg show-tag . --build-yml ./build-kernel.yml --tag "$*-{{.Hash}}"
+
+# get the tag for the debug kernel for a particular version. Accepts version or series
+tag-debugkernel-%:
+	@linuxkit pkg show-tag . --build-yml ./build-kernel.yml --tag "$*-dbg-{{.Hash}}"
+
+# find and replace any usage of the normal kernel with hash for a particular series
+# will update hash for same semver and/or patch version
+update-kernel-hash-yaml-%:
+	$(eval NEWTAG=$(shell $(MAKE) tag-plainkernel-$*))
+	$(eval OLDTAG=$(call serieswithhash,$(NEWTAG)))
+	@cd $(REPO_ROOT) && ./scripts/update-component-sha.sh --hash "$(OLDTAG)" "$(NEWTAG)"
+
+# find and replace any usage of the normal kernel with semver for most recent series
+update-kernel-semver-yaml-%:
+	$(eval NEWTAG=linuxkit/kernel:$*)
+	$(eval OLDTAG=linuxkit/kernel:[0-9]+.[0-9]+.[0-9]+)
+	@cd $(REPO_ROOT) && ./scripts/update-component-sha.sh --hash "$(OLDTAG)" "$(NEWTAG)"
+
+# update-kernel-yamls updates the latest hash for each supported series,
+# as well as the most recent supported semver
+update-kernel-yamls: $(addprefix update-kernel-hash-yaml-,$(KERNELS)) update-kernel-semver-yaml-$(KERNEL_HIGHEST);
+
 # Target for kernel config
-kconfig:
-ifeq (${KCONFIG_TAG},)
-	docker build --no-cache -f Dockerfile.kconfig \
-		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
-		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
-		-t linuxkit/kconfig  .
-else
-	docker build --no-cache -f Dockerfile.kconfig \
-		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
-		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
-		-t linuxkit/kconfig:${KCONFIG_TAG}  .
+KCONFIG_TAG_EXTENSION=
+ifneq (${KCONFIG_TAG},)
+KCONFIG_TAG_EXTENSION=-${KCONFIG_TAG}
 endif

+kconfig:
+	docker build --no-cache -f Dockerfile.kconfig \
+		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
+		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
+		--platform $(BUILD_PLATFORM) \
+		-t linuxkit/kconfig:$(ARCH)${KCONFIG_TAG_EXTENSION} .
+
 kconfigx:
 ifeq (${KCONFIG_TAG},)
 	docker buildx build --no-cache -f Dockerfile.kconfigx \
-		--platform=$(PLATFORMS) \
+		--platform $(BUILD_PLATFORM) \
 		--output . \
 		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
 		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
-		-t linuxkit/kconfigx  .
+		-t linuxkit/kconfigx:$(ARCH)  .
 	cp linux_arm64/config-${KERNEL_VERSIONS}-arm64 config-${KERNEL_SERIES}-aarch64
 	cp linux_amd64/config-${KERNEL_VERSIONS}-amd64 config-${KERNEL_SERIES}-x86_64
+	cp linux_amd64/config-${KERNEL_VERSIONS}-riscv64 config-${KERNEL_SERIES}-riscv64
 else
 	docker buildx build --no-cache -f Dockerfile.kconfigx \
-		--platform=$(PLATFORMS) --push \
+		--platform $(BUILD_PLATFORM) --push \
 		--output . \
 		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
 		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
-		-t linuxkit/kconfigx:${KCONFIG_TAG}  .
+		-t linuxkit/kconfigx:$(ARCH)${KCONFIG_TAG_EXTENSION}  .
 endif
--- a/kernel/build-bcc.yml
+++ b/kernel/build-bcc.yml
@@ -1,2 +1,3 @@
 image: kernel-bcc
 network: true
+dockerfile: Dockerfile.bcc
--- a/kernel/build-perf.yml
+++ b/kernel/build-perf.yml
@@ -1,2 +1,3 @@
 image: kernel-perf
 network: true
+dockerfile: Dockerfile.perf
--- a/linuxkit-template.yml
+++ b/linuxkit-template.yml
@@ -1,5 +1,5 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
  - "@pkg:./pkg/init"
--- a/linuxkit.yml
+++ b/linuxkit.yml
@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:45a1ad5919f0b6acf0f0cf730e9434abfae11fe6
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:e7a92d9f3282039eac5fb1b07cac2b8664cbf0ad
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:680da6e6f79bb8236a095147d532cd2160e23c9f
+  - linuxkit/runc:2dfee46421e963d6c0d946137e46fe36fa606d29
+  - linuxkit/containerd:838b745e38e43309393675ce3cf04bee9047eb91
+  - linuxkit/ca-certificates:a4f15fe71bb0ad7560ff78f48504dd2af500a442
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:2fad4cdf96faa97bf7888696b8c3ca00f98137af
  - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:4681273eeea47c26d980958656e60fe70d49e318
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 onshutdown:
  - name: shutdown
@@ -18,11 +18,11 @@ onshutdown:
    command: ["/bin/echo", "so long and thanks for all the fish"]
 services:
  - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:37a16fb37f56ad0aee6532c1a39d780416f7fb80
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:80f22b0f60d23c29ce28d06674bc77fe3775a38b
  - name: nginx
    image: nginx:1.19.5-alpine
    capabilities:
--- a/pkg/acpid/Dockerfile
+++ b/pkg/acpid/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 AS mirror

 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
@@ -6,7 +6,7 @@ RUN apk add --no-cache --initdb -p /out \
    busybox
 RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache

-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror2
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 AS mirror2
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
    acpid
--- a/pkg/auditd/Dockerfile
+++ b/pkg/auditd/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 AS mirror

 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --initdb -p /out alpine-baselayout apk-tools audit busybox tini
--- a/pkg/binfmt/Dockerfile
+++ b/pkg/binfmt/Dockerfile
@@ -1,5 +1,5 @@
 # Use Debian testing Qemu 4.2.0 until https://bugs.alpinelinux.org/issues/8131 is resolved.
-FROM debian@sha256:d828cca5497a2519da9c6d42372066895fa28a69f1e8a46a38ce8f750bd2adf0 AS qemu
+FROM debian@sha256:731dd1380d6a8d170a695dbeb17fe0eade0e1c29f654cf0a3a07f372191c3f4b AS qemu
 RUN apt-get update && apt-get install -y qemu-user-static && \
    mv /usr/bin/qemu-aarch64-static /usr/bin/qemu-aarch64 && \
    mv /usr/bin/qemu-arm-static /usr/bin/qemu-arm && \
@@ -9,7 +9,7 @@ RUN apt-get update && apt-get install -y qemu-user-static && \
    mv /usr/bin/qemu-loongarch64-static /usr/bin/qemu-loongarch64 && \
    rm /usr/bin/qemu-*-static

-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 AS mirror

 RUN apk add --no-cache go musl-dev
 ENV GOPATH=/go PATH=$PATH:/go/bin
--- a/pkg/bpftrace/Dockerfile
+++ b/pkg/bpftrace/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS build
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 AS build
 RUN apk add --update \
    bison \
    build-base \
--- a/pkg/ca-certificates/Dockerfile
+++ b/pkg/ca-certificates/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e as alpine
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 as alpine

 RUN apk add ca-certificates

--- a/pkg/cadvisor/Dockerfile
+++ b/pkg/cadvisor/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e as build
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 as build

 RUN apk add --no-cache bash go git musl-dev linux-headers make patch
 # Hack to work around an issue with go on arm64 requiring gcc
@@ -7,7 +7,7 @@ RUN [ $(uname -m) = aarch64 ] && apk add --no-cache gcc || true
 ENV GOPATH=/go PATH=$PATH:/go/bin
 ENV GITBASE=github.com/google
 ENV GITREPO=github.com/google/cadvisor
-ENV COMMIT=v0.36.0
+ENV COMMIT=v0.51.0

 ADD /static.patch /tmp/

@@ -18,10 +18,10 @@ RUN mkdir -p /go/src/${GITBASE} \
    && git checkout ${COMMIT} \
    && patch -p1 build/build.sh </tmp/static.patch \
    && make build \
-    && mv cadvisor /usr/bin/
+    && mv _output/cadvisor /usr/bin/


-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 AS mirror

 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
--- a/pkg/cadvisor/build.yml
+++ b/pkg/cadvisor/build.yml
@@ -3,6 +3,7 @@ network: true
 arches:
  - amd64
  - arm64
+  - riscv64
 config:
  pid: host
  binds:
--- a/pkg/cadvisor/static.patch
+++ b/pkg/cadvisor/static.patch
@@ -1,6 +1,6 @@
 --- build/build.sh.orig	2017-11-16 16:29:18.281342577 +0000
 +++ build/build.sh	2017-11-16 16:29:55.534787421 +0000
-@@ -44,6 +44,7 @@
+@@ -47,6 +47,7 @@
   -X ${repo_path}/version.BuildDate${ldseparator}${BUILD_DATE}
   -X ${repo_path}/version.GoVersion${ldseparator}${go_version}"
 
--- a/pkg/containerd/Dockerfile
+++ b/pkg/containerd/Dockerfile
@@ -1,15 +1,15 @@
 # Dockerfile to build linuxkit/containerd for linuxkit
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e as alpine
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 as alpine

 RUN apk add tzdata binutils
 RUN mkdir -p /etc/init.d && ln -s /usr/bin/service /etc/init.d/020-containerd

-FROM linuxkit/containerd-dev:25522a7fcffd14465d807fadc3d3e4f6da7b10ec as containerd-dev
+FROM linuxkit/containerd-dev:1a4eee3fc0d683667c9115256f035f792f681f30 as containerd-dev

 FROM scratch
 ENTRYPOINT []
 WORKDIR /
-COPY --from=containerd-dev /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim /usr/bin/containerd-shim-runc-v2 /usr/bin/
+COPY --from=containerd-dev /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim-runc-v2 /usr/bin/
 COPY --from=alpine /usr/share/zoneinfo/UTC /etc/localtime
 COPY --from=alpine /etc/init.d/ /etc/init.d/
 COPY etc etc/
--- a/pkg/containerd/etc/containerd/config.toml
+++ b/pkg/containerd/etc/containerd/config.toml
@@ -1,6 +1,10 @@
+version = 2
 state = "/run/containerd"
 root = "/var/lib/containerd"
-disabled_plugins = ["cri"]
+
+
+[plugins."io.containerd.grpc.v1.cri"]
+  disabled = true

 [grpc]
  address = "/run/containerd/containerd.sock"
--- a/pkg/dhcpcd/Dockerfile
+++ b/pkg/dhcpcd/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
    alpine-baselayout \
--- a/pkg/dm-crypt/Dockerfile
+++ b/pkg/dm-crypt/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out  \
    alpine-baselayout \
--- a/pkg/dummy/Dockerfile
+++ b/pkg/dummy/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS build
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 AS build
 RUN apk add --no-cache --initdb make

 FROM scratch
--- a/pkg/extend/Dockerfile
+++ b/pkg/extend/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 AS mirror

 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
@@ -15,7 +15,7 @@ RUN apk add --no-cache --initdb -p /out \
    && true
 RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache

-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS build
+FROM linuxkit/alpine:6090baae063eb5023c9601966e88df831f789a70 AS build

 RUN apk add --no-cache go musl-dev
 ENV GOPATH=/go PATH=$PATH:/go/bin
--- a/pkg/extend/extend.go
+++ b/pkg/extend/extend.go
@@ -22,8 +22,9 @@ import (
 const timeout = 60

 var (
-	fsTypeVar string
-	driveKeys []string
+	fsTypeVar   string
+	stopOnError bool
+	driveKeys   []string
 )

 // Fdisk is the JSON output from libfdisk
@@ -57,7 +58,12 @@ func autoextend(fsType string) error {
 			continue
 		}
 		if err := extend(d, fsType); err != nil {
-			return err
+			if stopOnError {
+				return err
+			}
+
+			log.Printf("Could not extend partition on device %s. Skipping", d)
+			continue
 		}
 	}
 	return nil
@@ -76,6 +82,11 @@ func extend(d, fsType string) error {
 		return fmt.Errorf("Unable to unmarshal partition table from sfdisk: %v", err)
 	}

+	if len(f.PartitionTable.Partitions) == 0 {
+		log.Printf("Disk %s has no partitions. Skipping", d)
+		return nil
+	}
+
 	if len(f.PartitionTable.Partitions) > 1 {
 		log.Printf("Disk %s has more than 1 partition. Skipping", d)
 		return nil
@@ -312,11 +323,13 @@ func findDrives() {

 func init() {
 	flag.StringVar(&fsTypeVar, "type", "ext4", "Type of filesystem to create")
+	flag.BoolVar(&stopOnError, "stop-on-error", true, "Stops extending the remaining devices on first error")
 }

 func main() {
 	flag.Parse()
 	findDrives()
+
 	if flag.NArg() == 0 {
 		if err := autoextend(fsTypeVar); err != nil {
 			log.Fatalf("%v", err)
--- a/pkg/extend/go.mod
+++ b/pkg/extend/go.mod
@@ -1,5 +1,5 @@
 module github.com/linuxkit/linuxkit/pkg/extend

-go 1.15
+go 1.21

-require golang.org/x/sys v0.0.0-20170802141912-e312636bdaa2
+require golang.org/x/sys v0.22.0
--- a/pkg/extend/go.sum
+++ b/pkg/extend/go.sum
@@ -1,2 +1,2 @@
-golang.org/x/sys v0.0.0-20170802141912-e312636bdaa2 h1:rn9VfHLpovNshEHhLAFADpPdWI+EUYgtyaUcQysy5P8=
-golang.org/x/sys v0.0.0-20170802141912-e312636bdaa2/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
--- a/pkg/extend/vendor/golang.org/x/sys/AUTHORS
+++ b/pkg/extend/vendor/golang.org/x/sys/AUTHORS
@@ -1,3 +0,0 @@
-# This source code refers to The Go Authors for copyright purposes.
-# The master list of authors is in the main Go distribution,
-# visible at http://tip.golang.org/AUTHORS.
--- a/pkg/extend/vendor/golang.org/x/sys/CONTRIBUTORS
+++ b/pkg/extend/vendor/golang.org/x/sys/CONTRIBUTORS
@@ -1,3 +0,0 @@
-# This source code was written by the Go contributors.
-# The master list of contributors is in the main Go distribution,
-# visible at http://tip.golang.org/CONTRIBUTORS.
--- a/pkg/extend/vendor/golang.org/x/sys/unix/.gitignore
+++ b/pkg/extend/vendor/golang.org/x/sys/unix/.gitignore
@@ -1 +1,2 @@
 _obj/
+unix.test
--- a/pkg/extend/vendor/golang.org/x/sys/unix/README.md
+++ b/pkg/extend/vendor/golang.org/x/sys/unix/README.md
@@ -14,7 +14,7 @@ migrating the build system to use containers so the builds are reproducible.
 This is being done on an OS-by-OS basis. Please update this documentation as
 components of the build system change.

-### Old Build System (currently for `GOOS != "Linux" || GOARCH == "sparc64"`)
+### Old Build System (currently for `GOOS != "linux"`)

 The old build system generates the Go files based on the C header files
 present on your system. This means that files
@@ -32,9 +32,9 @@ To build the files for your current OS and architecture, make sure GOOS and
 GOARCH are set correctly and run `mkall.sh`. This will generate the files for
 your specific system. Running `mkall.sh -n` shows the commands that will be run.

-Requirements: bash, perl, go
+Requirements: bash, go

-### New Build System (currently for `GOOS == "Linux" && GOARCH != "sparc64"`)
+### New Build System (currently for `GOOS == "linux"`)

 The new build system uses a Docker container to generate the go files directly
 from source checkouts of the kernel and various system libraries. This means
@@ -52,14 +52,14 @@ system and have your GOOS and GOARCH set accordingly. Running `mkall.sh` will
 then generate all of the files for all of the GOOS/GOARCH pairs in the new build
 system. Running `mkall.sh -n` shows the commands that will be run.

-Requirements: bash, perl, go, docker
+Requirements: bash, go, docker

 ## Component files

 This section describes the various files used in the code generation process.
 It also contains instructions on how to modify these files to add a new
 architecture/OS or to add additional syscalls, types, or constants. Note that
-if you are using the new build system, the scripts cannot be called normally.
+if you are using the new build system, the scripts/programs cannot be called normally.
 They must be called from within the docker container.

 ### asm files
@@ -76,30 +76,30 @@ arguments can be passed to the kernel. The third is for low-level use by the
 ForkExec wrapper. Unlike the first two, it does not call into the scheduler to
 let it know that a system call is running.

-When porting Go to an new architecture/OS, this file must be implemented for
+When porting Go to a new architecture/OS, this file must be implemented for
 each GOOS/GOARCH pair.

 ### mksysnum

-Mksysnum is a script located at `${GOOS}/mksysnum.pl` (or `mksysnum_${GOOS}.pl`
-for the old system). This script takes in a list of header files containing the
+Mksysnum is a Go program located at `${GOOS}/mksysnum.go` (or `mksysnum_${GOOS}.go`
+for the old system). This program takes in a list of header files containing the
 syscall number declarations and parses them to produce the corresponding list of
 Go numeric constants. See `zsysnum_${GOOS}_${GOARCH}.go` for the generated
 constants.

 Adding new syscall numbers is mostly done by running the build on a sufficiently
 new installation of the target OS (or updating the source checkouts for the
-new build system). However, depending on the OS, you make need to update the
+new build system). However, depending on the OS, you may need to update the
 parsing in mksysnum.

-### mksyscall.pl
+### mksyscall.go

 The `syscall.go`, `syscall_${GOOS}.go`, `syscall_${GOOS}_${GOARCH}.go` are
 hand-written Go files which implement system calls (for unix, the specific OS,
 or the specific OS/Architecture pair respectively) that need special handling
 and list `//sys` comments giving prototypes for ones that can be generated.

-The mksyscall.pl script takes the `//sys` and `//sysnb` comments and converts
+The mksyscall.go program takes the `//sys` and `//sysnb` comments and converts
 them into syscalls. This requires the name of the prototype in the comment to
 match a syscall number in the `zsysnum_${GOOS}_${GOARCH}.go` file. The function
 prototype can be exported (capitalized) or not.
@@ -107,7 +107,7 @@ prototype can be exported (capitalized) or not.
 Adding a new syscall often just requires adding a new `//sys` function prototype
 with the desired arguments and a capitalized name so it is exported. However, if
 you want the interface to the syscall to be different, often one will make an
-unexported `//sys` prototype, an then write a custom wrapper in
+unexported `//sys` prototype, and then write a custom wrapper in
 `syscall_${GOOS}.go`.

 ### types files
@@ -137,7 +137,7 @@ some `#if/#elif` macros in your include statements.

 This script is used to generate the system's various constants. This doesn't
 just include the error numbers and error strings, but also the signal numbers
-an a wide variety of miscellaneous constants. The constants come from the list
+and a wide variety of miscellaneous constants. The constants come from the list
 of include files in the `includes_${uname}` variable. A regex then picks out
 the desired `#define` statements, and generates the corresponding Go constants.
 The error numbers and strings are generated from `#include <errno.h>`, and the
@@ -149,10 +149,21 @@ To add a constant, add the header that includes it to the appropriate variable.
 Then, edit the regex (if necessary) to match the desired constant. Avoid making
 the regex too broad to avoid matching unintended constants.

+### internal/mkmerge
+
+This program is used to extract duplicate const, func, and type declarations
+from the generated architecture-specific files listed below, and merge these
+into a common file for each OS.
+
+The merge is performed in the following steps:
+1. Construct the set of common code that is idential in all architecture-specific files.
+2. Write this common code to the merged file.
+3. Remove the common code from all architecture-specific files.
+

 ## Generated files

-### `zerror_${GOOS}_${GOARCH}.go`
+### `zerrors_${GOOS}_${GOARCH}.go`

 A file containing all of the system's generated error numbers, error strings,
 signal numbers, and constants. Generated by `mkerrors.sh` (see above).
@@ -160,7 +171,7 @@ signal numbers, and constants. Generated by `mkerrors.sh` (see above).
 ### `zsyscall_${GOOS}_${GOARCH}.go`

 A file containing all the generated syscalls for a specific GOOS and GOARCH.
-Generated by `mksyscall.pl` (see above).
+Generated by `mksyscall.go` (see above).

 ### `zsysnum_${GOOS}_${GOARCH}.go`

--- a/pkg/extend/vendor/golang.org/x/sys/unix/affinity_linux.go
+++ b/pkg/extend/vendor/golang.org/x/sys/unix/affinity_linux.go
@@ -0,0 +1,86 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// CPU affinity functions
+
+package unix
+
+import (
+	"math/bits"
+	"unsafe"
+)
+
+const cpuSetSize = _CPU_SETSIZE / _NCPUBITS
+
+// CPUSet represents a CPU affinity mask.
+type CPUSet [cpuSetSize]cpuMask
+
+func schedAffinity(trap uintptr, pid int, set *CPUSet) error {
+	_, _, e := RawSyscall(trap, uintptr(pid), uintptr(unsafe.Sizeof(*set)), uintptr(unsafe.Pointer(set)))
+	if e != 0 {
+		return errnoErr(e)
+	}
+	return nil
+}
+
+// SchedGetaffinity gets the CPU affinity mask of the thread specified by pid.
+// If pid is 0 the calling thread is used.
+func SchedGetaffinity(pid int, set *CPUSet) error {
+	return schedAffinity(SYS_SCHED_GETAFFINITY, pid, set)
+}
+
+// SchedSetaffinity sets the CPU affinity mask of the thread specified by pid.
+// If pid is 0 the calling thread is used.
+func SchedSetaffinity(pid int, set *CPUSet) error {
+	return schedAffinity(SYS_SCHED_SETAFFINITY, pid, set)
+}
+
+// Zero clears the set s, so that it contains no CPUs.
+func (s *CPUSet) Zero() {
+	for i := range s {
+		s[i] = 0
+	}
+}
+
+func cpuBitsIndex(cpu int) int {
+	return cpu / _NCPUBITS
+}
+
+func cpuBitsMask(cpu int) cpuMask {
+	return cpuMask(1 << (uint(cpu) % _NCPUBITS))
+}
+
+// Set adds cpu to the set s.
+func (s *CPUSet) Set(cpu int) {
+	i := cpuBitsIndex(cpu)
+	if i < len(s) {
+		s[i] |= cpuBitsMask(cpu)
+	}
+}
+
+// Clear removes cpu from the set s.
+func (s *CPUSet) Clear(cpu int) {
+	i := cpuBitsIndex(cpu)
+	if i < len(s) {
+		s[i] &^= cpuBitsMask(cpu)
+	}
+}
+
+// IsSet reports whether cpu is in the set s.
+func (s *CPUSet) IsSet(cpu int) bool {
+	i := cpuBitsIndex(cpu)
+	if i < len(s) {
+		return s[i]&cpuBitsMask(cpu) != 0
+	}
+	return false
+}
+
+// Count returns the number of CPUs in the set s.
+func (s *CPUSet) Count() int {
+	c := 0
+	for _, b := range s {
+		c += bits.OnesCount64(uint64(b))
+	}
+	return c
+}
--- a/pkg/extend/vendor/golang.org/x/sys/unix/aliases.go
+++ b/pkg/extend/vendor/golang.org/x/sys/unix/aliases.go
@@ -0,0 +1,13 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris || zos
+
+package unix
+
+import "syscall"
+
+type Signal = syscall.Signal
+type Errno = syscall.Errno
+type SysProcAttr = syscall.SysProcAttr
--- a/pkg/extend/vendor/golang.org/x/sys/unix/asm_aix_ppc64.s
+++ b/pkg/extend/vendor/golang.org/x/sys/unix/asm_aix_ppc64.s
@@ -0,0 +1,17 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build gc
+
+#include "textflag.h"
+
+//
+// System calls for ppc64, AIX are implemented in runtime/syscall_aix.go
+//
+
+TEXT ·syscall6(SB),NOSPLIT,$0-88
+	JMP	syscall·syscall6(SB)
+
+TEXT ·rawSyscall6(SB),NOSPLIT,$0-88
+	JMP	syscall·rawSyscall6(SB)
--- a/pkg/extend/vendor/golang.org/x/sys/unix/asm_bsd_386.s
+++ b/pkg/extend/vendor/golang.org/x/sys/unix/asm_bsd_386.s
@@ -0,0 +1,27 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build (freebsd || netbsd || openbsd) && gc
+
+#include "textflag.h"
+
+// System call support for 386 BSD
+
+// Just jump to package syscall's implementation for all these functions.
+// The runtime may know about them.
+
+TEXT	·Syscall(SB),NOSPLIT,$0-28
+	JMP	syscall·Syscall(SB)
+
+TEXT	·Syscall6(SB),NOSPLIT,$0-40
+	JMP	syscall·Syscall6(SB)
+
+TEXT	·Syscall9(SB),NOSPLIT,$0-52
+	JMP	syscall·Syscall9(SB)
+
+TEXT	·RawSyscall(SB),NOSPLIT,$0-28
+	JMP	syscall·RawSyscall(SB)
+
+TEXT	·RawSyscall6(SB),NOSPLIT,$0-40
+	JMP	syscall·RawSyscall6(SB)
--- a/pkg/extend/vendor/golang.org/x/sys/unix/asm_bsd_amd64.s
+++ b/pkg/extend/vendor/golang.org/x/sys/unix/asm_bsd_amd64.s
@@ -0,0 +1,27 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build (darwin || dragonfly || freebsd || netbsd || openbsd) && gc
+
+#include "textflag.h"
+
+// System call support for AMD64 BSD
+
+// Just jump to package syscall's implementation for all these functions.
+// The runtime may know about them.
+
+TEXT	·Syscall(SB),NOSPLIT,$0-56
+	JMP	syscall·Syscall(SB)
+
+TEXT	·Syscall6(SB),NOSPLIT,$0-80
+	JMP	syscall·Syscall6(SB)
+
+TEXT	·Syscall9(SB),NOSPLIT,$0-104
+	JMP	syscall·Syscall9(SB)
+
+TEXT	·RawSyscall(SB),NOSPLIT,$0-56
+	JMP	syscall·RawSyscall(SB)
+
+TEXT	·RawSyscall6(SB),NOSPLIT,$0-80
+	JMP	syscall·RawSyscall6(SB)
--- a/pkg/extend/vendor/golang.org/x/sys/unix/asm_bsd_arm.s
+++ b/pkg/extend/vendor/golang.org/x/sys/unix/asm_bsd_arm.s
@@ -0,0 +1,27 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build (freebsd || netbsd || openbsd) && gc
+
+#include "textflag.h"
+
+// System call support for ARM BSD
+
+// Just jump to package syscall's implementation for all these functions.
+// The runtime may know about them.
+
+TEXT	·Syscall(SB),NOSPLIT,$0-28
+	B	syscall·Syscall(SB)
+
+TEXT	·Syscall6(SB),NOSPLIT,$0-40
+	B	syscall·Syscall6(SB)
+
+TEXT	·Syscall9(SB),NOSPLIT,$0-52
+	B	syscall·Syscall9(SB)
+
+TEXT	·RawSyscall(SB),NOSPLIT,$0-28
+	B	syscall·RawSyscall(SB)
+
+TEXT	·RawSyscall6(SB),NOSPLIT,$0-40
+	B	syscall·RawSyscall6(SB)
--- a/pkg/extend/vendor/golang.org/x/sys/unix/asm_bsd_arm64.s
+++ b/pkg/extend/vendor/golang.org/x/sys/unix/asm_bsd_arm64.s
@@ -0,0 +1,27 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build (darwin || freebsd || netbsd || openbsd) && gc
+
+#include "textflag.h"
+
+// System call support for ARM64 BSD
+
+// Just jump to package syscall's implementation for all these functions.
+// The runtime may know about them.
+
+TEXT	·Syscall(SB),NOSPLIT,$0-56
+	JMP	syscall·Syscall(SB)
+
+TEXT	·Syscall6(SB),NOSPLIT,$0-80
+	JMP	syscall·Syscall6(SB)
+
+TEXT	·Syscall9(SB),NOSPLIT,$0-104
+	JMP	syscall·Syscall9(SB)
+
+TEXT	·RawSyscall(SB),NOSPLIT,$0-56
+	JMP	syscall·RawSyscall(SB)
+
+TEXT	·RawSyscall6(SB),NOSPLIT,$0-80
+	JMP	syscall·RawSyscall6(SB)
--- a/pkg/extend/vendor/golang.org/x/sys/unix/asm_bsd_ppc64.s
+++ b/pkg/extend/vendor/golang.org/x/sys/unix/asm_bsd_ppc64.s
@@ -0,0 +1,29 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build (darwin || freebsd || netbsd || openbsd) && gc
+
+#include "textflag.h"
+
+//
+// System call support for ppc64, BSD
+//
+
+// Just jump to package syscall's implementation for all these functions.
+// The runtime may know about them.
+
+TEXT	·Syscall(SB),NOSPLIT,$0-56
+	JMP	syscall·Syscall(SB)
+
+TEXT	·Syscall6(SB),NOSPLIT,$0-80
+	JMP	syscall·Syscall6(SB)
+
+TEXT	·Syscall9(SB),NOSPLIT,$0-104
+	JMP	syscall·Syscall9(SB)
+
+TEXT	·RawSyscall(SB),NOSPLIT,$0-56
+	JMP	syscall·RawSyscall(SB)
+
+TEXT	·RawSyscall6(SB),NOSPLIT,$0-80
+	JMP	syscall·RawSyscall6(SB)
--- a/Show More
+++ b/Show More