add support for pkg build authentication (#4137)

Signed-off-by: Avi Deitcher <avi@deitcher.net>

.github/workflows/ci.yml

@@ -50,9 +50,9 @@ jobs:
          GOPATH: ${{runner.workspace}}
 
     - name: golangci-lint CLI
-      uses: golangci/golangci-lint-action@v6
+      uses: golangci/golangci-lint-action@v7
       with:
-        version: v1.59.0
+        version: v2.0.2
         working-directory: src/cmd/linuxkit
         args: --verbose --timeout=10m
     - name: go vet CLI

Makefile

@@ -4,7 +4,7 @@ VERSION="v0.8+"
 TEST_SUITE ?=
 TEST_SHARD ?=
 
-GO_COMPILE=linuxkit/go-compile:c97703655e8510b7257ffc57f25e40337b0f0813
+GO_COMPILE=linuxkit/go-compile:985a9db72a7e6941de5e1eb71c2b41b76bf0556f
 
 ifeq ($(OS),Windows_NT)
 LINUXKIT?=$(CURDIR)/bin/linuxkit.exe
@@ -34,7 +34,7 @@ export VERSION GO_COMPILE GOOS GOARCH LOCAL_TARGET LINUXKIT
 default: linuxkit $(RTF)
 all: default
 
-RTF_COMMIT=b74a4f7c78e5cddcf7e6d2e6be7be312b9f645fc
+RTF_COMMIT=1118e08445438dc37ec62b4c1e216918b3d804d2
 RTF_CMD=github.com/linuxkit/rtf/cmd
 RTF_VERSION=0.0
 $(RTF): tmp_rtf_bin.tar | bin

contrib/open-vm-tools/open-vm-tools-ds.yaml

@@ -30,7 +30,7 @@ spec:
         operator: Exists
         effect: NoSchedule
       containers:
-      - image: linuxkit/open-vm-tools:728ddf726474178eea97604c0baeabd52edab7e9
+      - image: linuxkit/open-vm-tools:8a320f7453711f0544f4b03558aaf0b80c7c23f1
         name: open-vm-tools
         resources:
           requests:

docs/alpine-base-update.md

@@ -101,9 +101,9 @@ In the below, replace `linuxkit-arch` with each build machine's name:
 
 ```sh
 # one of these will not be necessary, as you will likely be executing it on one of these machines
-scp linuxkit-s390x:$LK_ROOT/tools/alpine/versions.s390x $LK_ROOT/tools/alpine/versions.s390x
-scp linuxkit-aarch64:$LK_ROOT/tools/alpine/versions.aarch64 $LK_ROOT/tools/alpine/versions.aarch64
-scp linuxkit-x86_64:$LK_ROOT/tools/alpine/versions.x86_64 $LK_ROOT/tools/alpine/versions.x86_64
+for arch in x86_64 aarch64 riscv64; do
+    scp linuxkit-$arch:$LK_ROOT/tools/alpine/versions.$arch $LK_ROOT/tools/alpine/versions.$arch
+done
 git commit -a -s -m "tools/alpine: Update to latest"
 git push $LK_REMOTE $LK_BRANCH
 ```
@@ -131,7 +131,6 @@ following which is an explanation of each one.
 # Update tools packages
 cd $LK_ROOT/tools
 $LK_ROOT/scripts/update-component-sha.sh --image $LK_ALPINE
-git checkout grub-dev/Dockerfile
 git checkout mkimage-rpi3/Dockerfile
 git commit -a -s -m "tools: Update to the latest linuxkit/alpine"
 
@@ -183,7 +182,6 @@ Note, the `git checkout` reverts the changes made by
 Important is the `git checkout` of some sensitive packages that only can be built with
 specific older versions of upstream packages:
 
-* `grub-dev`
 * `mkimage-rpi3`
 
 Only update those if you know what you are doing with them.

docs/image-cache.md

@@ -59,3 +59,31 @@ is provided, it always will pull, independent of what is in the cache.
 
 The read process is smart enough to check each blob in the local cache before downloading
 it from a registry.
+
+## Imports from local Docker instance
+
+To import an image from your local Docker daemon into LinuxKit, you’ll need to ensure the image is exported in the [OCI image format](https://docs.docker.com/build/exporters/oci-docker/), which LinuxKit understands.
+
+This requires using a `docker-container` [buildx driver](https://docs.docker.com/build/builders/drivers/docker-container/), rather than the default.
+
+Set it up like so:
+
+```shell
+docker buildx create --driver docker-container --driver-opt image=moby/buildkit:latest --name=ocibuilder --bootstrap
+```
+
+Then build and export your image using the OCI format:
+
+```shell
+docker buildx build --builder=ocibuilder --output type=oci,name=foo . > foo.tar
+```
+
+You can now import it into LinuxKit with:
+
+```shell
+linuxkit cache import foo.tar
+```
+
+Note that this process, as described, will only produce images for the platform/architecture you're currently on. To produce multi-platform images requires extra docker build flags and external builder or QEMU support - see [here](https://docs.docker.com/build/building/multi-platform/).
+
+This workaround is only necessary when working with the local Docker daemon. If you’re pulling from Docker Hub or another registry, you don’t need to do any of this.

docs/kernels.md

@@ -274,7 +274,7 @@ your local Docker setup.
 
 The process of modifying the kernel configuration is as follows:
 
-1. Create a `linuxkit/kconfig` container image: `make kconfig`. This is not pushed out.
+1. Create a `linuxkit/kconfig` container image: `make kconfig`. This is not pushed out. By default, this will be for your local architecture, but you can override it with `make kconfig ARCH=${ARCH}`, e.g. `make kconfig ARCH=arm64`. The image is tagged with the architecture, e.g. `linuxkit/kconfig:arm64`.
 1. Run a container based on `linuxkit/kconfig`.
 1. In the container, modify the config to suit your needs using normal kernel tools like `make defconfig` or `make menuconfig`.
 1. Save the config from the image.
@@ -287,7 +287,11 @@ so that `make menuconfig` and `make defconfig` work correctly.
 Run the container as follows:
 
 ```sh
-docker run --rm -ti -v $(pwd):/src linuxkit/kconfig
+docker run --rm -ti -v $(pwd):/src linuxkit/kconfig:aarch64
+# or
+docker run --rm -ti -v $(pwd):/src linuxkit/kconfig:x86_64
+# or 
+docker run --rm -ti -v $(pwd):/src linuxkit/kconfig:riscv64
 ```
 
 This will give you a interactive shell where you can modify the kernel
@@ -321,6 +325,11 @@ make ARCH=arm64 defconfig
 make ARCH=arm64 oldconfig # or menuconfig
 ```
 
+It is important to note that sometimes the configuration can be subtly different
+when running `make defconfig` across architectures. Of note is that `make ARCH=riscv` on
+x86_64 or aarch64 comes out slightly differently than when run natively on riscv64.
+Feel free to try it cross, but do not be surprised if it generates outputs that are not the same.
+
 Note that the generated file **must** be final. When you actually build the kernel,
 it will check that running `make defconfig` will have no changes. If there are changes,
 the build will fail.

examples/addbinds.yml

@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     binds.add:
       # this will keep all of the existing ones as well
       - /var/tmp:/var/tmp
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
 files:
   - path: etc/getty.shadow
     # sample sets password for root to "abcdefgh" (without quotes)

examples/cadvisor.yml

@@ -1,34 +1,34 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: sysfs
-    image: linuxkit/sysfs:ec174e06ca756f492e7a3fd6200d5c1672b97511
+    image: linuxkit/sysfs:7345172dbf4d436c861adfc27150af474194289b
   - name: format
-    image: linuxkit/format:e040f4f045f03138a1ee8a22bb6feae7fd5596a6
+    image: linuxkit/format:3fb088f60ed73ba4a15be41e44654b74112fd3f9
   - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/var/lib/docker"]
 
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
       - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: ntpd
-    image: linuxkit/openntpd:c90c6dd90f5dfb0ca71a73aac2dad69c8d956af3
+    image: linuxkit/openntpd:f99c4117763480815553b72022b426639a13ce86
 
   - name: docker
     image: docker:20.10.6-dind
@@ -46,7 +46,7 @@ services:
       - /etc/docker/daemon.json:/etc/docker/daemon.json
     command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
   - name: cadvisor
-    image: linuxkit/cadvisor:c57efffad1139b2c5df1c3f66c1e3d586ce9e07d
+    image: linuxkit/cadvisor:8dfefe0f9593ba21aca5d08fadac16de907d470d
 files:
   - path: var/lib/docker
     directory: true

examples/containerd-debug.yml

@@ -1,17 +1,17 @@
 # example with volumes, both blank and populated
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 onshutdown:
   - name: shutdown
@@ -19,11 +19,11 @@ onshutdown:
     command: ["/bin/echo", "so long and thanks for all the fish"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: nginx
     image: nginx:1.19.5-alpine
     capabilities:

examples/dm-crypt-loop.yml

@@ -1,31 +1,31 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: format
-    image: linuxkit/format:e040f4f045f03138a1ee8a22bb6feae7fd5596a6
+    image: linuxkit/format:3fb088f60ed73ba4a15be41e44654b74112fd3f9
     command: ["/usr/bin/format", "/dev/sda"]
   - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/dev/sda1", "/var/external"]
   - name: loop
-    image: linuxkit/losetup:65e3ad6336a321749394f58c3f28003cfce1e28c
+    image: linuxkit/losetup:095ff80d8e8fad1707741ea2584a36f3b80e787d
     command: ["/usr/bin/loopy", "--create", "/var/external/storage_file"]
   - name: dm-crypt
-    image: linuxkit/dm-crypt:d49723bc9d10c5ada9e03b0670f4e57416d5d084
+    image: linuxkit/dm-crypt:981fde241bb84616a5ba94c04cdefa1489431a25
     command: ["/usr/bin/crypto", "crypt_loop_dev", "/dev/loop0"]
   - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/dev/mapper/crypt_loop_dev", "/var/secure_storage"]
   - name: bbox
     image: busybox
@@ -34,11 +34,11 @@ onboot:
       - /var:/var
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
 files:
   - path: etc/dm-crypt/key
     # the below key is just to keep the example self-contained

examples/dm-crypt.yml

@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: format
-    image: linuxkit/format:e040f4f045f03138a1ee8a22bb6feae7fd5596a6
+    image: linuxkit/format:3fb088f60ed73ba4a15be41e44654b74112fd3f9
     command: ["/usr/bin/format", "/dev/sda"]
   - name: dm-crypt
-    image: linuxkit/dm-crypt:d49723bc9d10c5ada9e03b0670f4e57416d5d084
+    image: linuxkit/dm-crypt:981fde241bb84616a5ba94c04cdefa1489431a25
     command: ["/usr/bin/crypto", "crypt_dev", "/dev/sda1"]
   - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/dev/mapper/crypt_dev", "/var/secure_storage"]
   - name: bbox
     image: busybox
@@ -28,11 +28,11 @@ onboot:
       - /var:/var
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
 files:
   - path: etc/dm-crypt/key
     # the below key is just to keep the example self-contained

examples/docker-for-mac.yml

@@ -1,32 +1,32 @@
 # This is an example for building the open source components of Docker for Mac
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/vpnkit-expose-port:77e45e4681c78d59f1d8a48818260948d55f9d05 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/vpnkit-expose-port:b30e8456ac128b2ac360329898368b309ea6e477 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   # support metadata for optional config in /run/config
   - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: sysfs
-    image: linuxkit/sysfs:ec174e06ca756f492e7a3fd6200d5c1672b97511
+    image: linuxkit/sysfs:7345172dbf4d436c861adfc27150af474194289b
   - name: binfmt
-    image: linuxkit/binfmt:68604c81876812ca1c9e2d9f098c28f463713e61
+    image: linuxkit/binfmt:ce9509ccfa25002227ccd7ed8dd48d6947854427
   # Format and mount the disk image in /var/lib/docker
   - name: format
-    image: linuxkit/format:e040f4f045f03138a1ee8a22bb6feae7fd5596a6
+    image: linuxkit/format:3fb088f60ed73ba4a15be41e44654b74112fd3f9
   - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/var/lib"]
   # make a swap file on the mounted disk
   - name: swap
-    image: linuxkit/swap:c57f3319ce770515357f0058035e40519c22b752
+    image: linuxkit/swap:f4b8ffef87c8c72165bd8a92b790ac252ccf1821
     command: ["/swap.sh", "--path", "/var/lib/swap", "--size", "1024M"]
   # mount-vpnkit mounts the 9p share used by vpnkit to coordinate port forwarding
   - name: mount-vpnkit
@@ -44,41 +44,41 @@ onboot:
         - /var:/host_var
     command: ["sh", "-c", "mv -v /host_var/log /host_var/lib && ln -vs /var/lib/log /host_var/log"]
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   # Enable acpi to shutdown on power events
   - name: acpid
-    image: linuxkit/acpid:3b1560c81d3884e049ebbd9d9bf94ccb394e6cd3
+    image: linuxkit/acpid:6cb5575e487a8fcbd4c3eb6721c23299e6ea452f
   # Enable getty for easier debugging
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
         - INSECURE=true
   # Run ntpd to keep time synchronised in the VM
   - name: ntpd
-    image: linuxkit/openntpd:c90c6dd90f5dfb0ca71a73aac2dad69c8d956af3
+    image: linuxkit/openntpd:f99c4117763480815553b72022b426639a13ce86
   # VSOCK to unix domain socket forwarding. Forwards guest /var/run/docker.sock
   # to a socket on the host.
   - name: vsudd
-    image: linuxkit/vsudd:b4d80d243733f80906cdbcf77f367a7b5744dc09
+    image: linuxkit/vsudd:127acd1453f7bfda791491ac4c55be0d2b9223cc
     binds:
         - /var/run:/var/run
     command: ["/vsudd", "-inport", "2376:unix:/var/run/docker.sock"]
   # vpnkit-forwarder forwards network traffic to/from the host via VSOCK port 62373. 
   # It needs access to the vpnkit 9P coordination share 
   - name: vpnkit-forwarder
-    image: linuxkit/vpnkit-forwarder:a89ec807d7d675dccd53773c07382bc707db3396
+    image: linuxkit/vpnkit-forwarder:e22bb70abdb5550c369f91ae7068c24e19beff73
     binds:
         - /var/vpnkit:/port
     net: host
     command: ["/vpnkit-forwarder", "-vsockPort", "62373"]
   # Monitor for image deletes and invoke a TRIM on the container filesystem
   - name: trim-after-delete
-    image: linuxkit/trim-after-delete:6ba98bfb111a808b7a1ca890aca9fc2b3709fca2
+    image: linuxkit/trim-after-delete:fe73247abd4ab7584a75e95083543af97fe90d4d
   # When the host resumes from sleep, force a clock resync
   - name: host-timesync-daemon
-    image: linuxkit/host-timesync-daemon:0d351aee24b5cf853927647e4f5e6998014959db
+    image: linuxkit/host-timesync-daemon:548bfe9d35c930ee42d6c0485bb4bf25d2729bad
   # Run dockerd with the vpnkit userland proxy from the vpnkit-forwarder container.
   # Bind mounts /var/run to allow vsudd to connect to docker.sock, /var/vpnkit
   # for vpnkit coordination and /run/config/docker for the configuration file.

examples/docker.yml

@@ -1,32 +1,32 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: sysfs
-    image: linuxkit/sysfs:ec174e06ca756f492e7a3fd6200d5c1672b97511
+    image: linuxkit/sysfs:7345172dbf4d436c861adfc27150af474194289b
   - name: format
-    image: linuxkit/format:e040f4f045f03138a1ee8a22bb6feae7fd5596a6
+    image: linuxkit/format:3fb088f60ed73ba4a15be41e44654b74112fd3f9
   - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/var/lib/docker"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
   - name: ntpd
-    image: linuxkit/openntpd:c90c6dd90f5dfb0ca71a73aac2dad69c8d956af3
+    image: linuxkit/openntpd:f99c4117763480815553b72022b426639a13ce86
   - name: docker
     image: docker:20.10.6-dind
     capabilities:

examples/getty.yml

@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     # to make insecure with passwordless root login, uncomment following lines
     #env:
     # - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
 files:
   - path: etc/getty.shadow
     # sample sets password for root to "abcdefgh" (without quotes)

examples/hostmount-writeable-overlay.yml

@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 onshutdown:
   - name: shutdown
@@ -18,7 +18,7 @@ onshutdown:
     command: ["/bin/echo", "so long and thanks for all the fish"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
     runtime:
@@ -30,7 +30,7 @@ services:
           destination: writeable-host-etc
           options: ["rw", "lowerdir=/etc", "upperdir=/run/hostetc/upper", "workdir=/run/hostetc/work"]
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: nginx
     image: nginx:1.13.8-alpine
     capabilities:

examples/influxdb-os.yml

@@ -1,18 +1,18 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: influxdb

examples/logging.yml

@@ -1,23 +1,23 @@
 # Simple example of using an external logging service
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
-  - linuxkit/memlogd:cb79fd19e6485cfc61b85c607ca172cd860554c5
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
+  - linuxkit/memlogd:e28ecaa23a3693ae96575fb3bc421bc1d9f46c4f
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
 # Inside the getty type `/proc/1/root/usr/bin/logread -F` to follow the log
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
 # A service which generates log messages for testing
@@ -25,6 +25,6 @@ services:
     image: alpine:3.13
     command: ["/bin/sh", "-c", "while /bin/true; do echo hello $(date); sleep 1; done" ]
   - name: write-and-rotate-logs
-    image: linuxkit/logwrite:c1c66d246080a40658903916d650206f2dcd707a
+    image: linuxkit/logwrite:3f138a010098862845b7270fc3715a03d0e3871e
   - name: kmsg
-    image: linuxkit/kmsg:423844f262467e1199480dc93d69e38610c78133
+    image: linuxkit/kmsg:9b0a33abebde8de005a3bfaf8dc06f183a9ba7b8

examples/minimal.yml

@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true

examples/node_exporter.yml

@@ -1,18 +1,18 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
   - name: node_exporter
-    image: linuxkit/node_exporter:9bcd8479b7ba2844773ef4f01a60c901c4800982
+    image: linuxkit/node_exporter:1415b52c08ddc5799b2fc83cf3f080c56c3ff5a9

examples/openstack.yml

@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
     command: ["/usr/bin/metadata", "openstack"]
 services:
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
     binds.add:
      - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
   - name: nginx

examples/platform-aws.yml

@@ -1,27 +1,27 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
 services:
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd2
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf"]
   - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
     binds.add:
      - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
   - name: nginx

examples/platform-azure.yml

@@ -1,21 +1,21 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
 services:
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
   - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
     binds.add:
       - /root/.ssh:/root/.ssh
 files:

examples/platform-equinixmetal.arm64.yml

@@ -5,10 +5,10 @@
 # for arm64 then the 'ucode' line in the kernel section can be left
 # out.
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyAMA0"
   ucode: ""
 onboot:
   - name: modprobe
-    image: linuxkit/modprobe:ab5ac4d5e7e7a5f2d103764850f7846b69230676
+    image: linuxkit/modprobe:773ee174006ecbb412830e48889795bae40b62f9
     command: ["modprobe", "nicvf"]

examples/platform-equinixmetal.yml

@@ -1,34 +1,34 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: console=ttyS1
   ucode: intel-ucode.cpio
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
-  - linuxkit/firmware:8def159583422181ddee3704f7024ecb9c02d348
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
+  - linuxkit/firmware:bfc7802f909c4b760de5dd2bc02a7f52e86b78f7
 onboot:
   - name: rngd1
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
     command: ["/sbin/rngd", "-1"]
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
     command: ["/usr/bin/metadata", "equinixmetal"]
 services:
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
     binds.add:
       - /root/.ssh:/root/.ssh
 files:

examples/platform-gcp.yml

@@ -1,28 +1,28 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
     binds.add:
      - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
   - name: nginx

examples/platform-hetzner.yml

@@ -1,34 +1,34 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: console=ttyS1
   ucode: intel-ucode.cpio
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
-  - linuxkit/firmware:8def159583422181ddee3704f7024ecb9c02d348
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
+  - linuxkit/firmware:bfc7802f909c4b760de5dd2bc02a7f52e86b78f7
 onboot:
   - name: rngd1
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
     command: ["/sbin/rngd", "-1"]
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
     command: ["/usr/bin/metadata", "hetzner"]
 services:
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
     binds.add:
       - /root/.ssh:/root/.ssh
 files:

examples/platform-rt-for-vmware.yml

@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:6.6.13-rt
+  image: linuxkit/kernel:6.6.71-rt
   cmdline: "console=tty0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
   - name: open-vm-tools
-    image: linuxkit/open-vm-tools:728ddf726474178eea97604c0baeabd52edab7e9
+    image: linuxkit/open-vm-tools:8a320f7453711f0544f4b03558aaf0b80c7c23f1
   - name: nginx
     image: nginx:1.13.8-alpine
     capabilities:

examples/platform-scaleway.yml

@@ -1,26 +1,26 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0 root=/dev/vda"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: rngd1
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
     command: ["/sbin/rngd", "-1"]
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032

examples/platform-vmware.yml

@@ -1,23 +1,23 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
   - name: nginx
     image: nginx:1.13.8-alpine
     capabilities:

examples/platform-vultr.yml

@@ -1,29 +1,29 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: metadata
-    image: linuxkit/metadata:b082f1bf97a9034d1e4c0e36a5d2923f4e58f540
+    image: linuxkit/metadata:4f81c0c3a2b245567fd7d32d799018c9614a9907
     command: ["/usr/bin/metadata", "vultr"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
     binds.add:
      - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
   - name: nginx

examples/redis-os.yml

@@ -1,19 +1,19 @@
 # Minimal YAML to run a redis server (used at DockerCon'17)
 # connect: nc localhost 6379
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   # Currently redis:4.0.6-alpine has trust issue with multi-arch

examples/sshd.yml

@@ -1,28 +1,28 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: rngd1
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
     command: ["/sbin/rngd", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
   - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
     binds.add:
       - /root/.ssh:/root/.ssh
 files:

examples/static-ip.yml

@@ -1,19 +1,19 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
 onboot:
   - name: ip
-    image: linuxkit/ip:bb250017b05de5e16ac436b1eb19a39c87b5a252
+    image: linuxkit/ip:9696394a7d57b384ae919662ae162c9152029156
     binds:
      - /etc/ip:/etc/ip
     command: ["ip", "-b", "/etc/ip/eth0.conf"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
 files:     

examples/swap.yml

@@ -1,31 +1,31 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: format
-    image: linuxkit/format:e040f4f045f03138a1ee8a22bb6feae7fd5596a6
+    image: linuxkit/format:3fb088f60ed73ba4a15be41e44654b74112fd3f9
   - name: mount
-    image: linuxkit/mount:19ff89c251a4156bda8ed11c95faad2f40eb770e
+    image: linuxkit/mount:cb8caa72248f7082fc2074ce843d53cdc15df04a
     command: ["/usr/bin/mountie", "/var/external"]
   - name: swap
-    image: linuxkit/swap:c57f3319ce770515357f0058035e40519c22b752
+    image: linuxkit/swap:f4b8ffef87c8c72165bd8a92b790ac252ccf1821
     # to use unencrypted swap, use:
     # command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G"]
     command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G", "--encrypt"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032

examples/tpm.yml

@@ -1,26 +1,26 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: tss
-    image: linuxkit/tss:856286012a613598d6ef6869b196f9a72245b7d2
+    image: linuxkit/tss:dbdcce4c3a840f8337d20991807439b2096a1457
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
 files:
   - path: etc/getty.shadow
     # sample sets password for root to "abcdefgh" (without quotes)

examples/volumes.yml

@@ -1,17 +1,17 @@
 # example with volumes, both blank and populated
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 onshutdown:
   - name: shutdown
@@ -19,11 +19,11 @@ onshutdown:
     command: ["/bin/echo", "so long and thanks for all the fish"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:cdb919e4aee49fed0bf6075f0a104037cba83c39
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: nginx
     image: nginx:1.19.5-alpine
     capabilities:
@@ -39,7 +39,7 @@ services:
 volumes:
 - name: blank   # blank volume
 - name: alpine  # populated volume
-  image: alpine:3.19
+  image: alpine:3.21
 files:
   - path: etc/linuxkit-config
     metadata: yaml

examples/vpnkit-forwarder.yml

@@ -1,13 +1,13 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: mount-vpnkit
     image: alpine:3.13
@@ -19,11 +19,11 @@ onboot:
     command: ["sh", "-c", "mkdir /host_var/vpnkit && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"]
 services:
   - name: sshd
-    image: linuxkit/sshd:75f399fbfb6455dfccd4cb30543d0b4b494d28c8
+    image: linuxkit/sshd:9bdd85427ef99640276d97a32a7a3cc31bb017b3
     binds.add:
       - /root/.ssh:/root/.ssh
   - name: vpnkit-forwarder
-    image: linuxkit/vpnkit-forwarder:a89ec807d7d675dccd53773c07382bc707db3396
+    image: linuxkit/vpnkit-forwarder:e22bb70abdb5550c369f91ae7068c24e19beff73
     binds:
         - /var/vpnkit:/port
     net: host

examples/vsudd-containerd.yml

@@ -1,17 +1,17 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
 onboot:
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
   - name: vsudd
-    image: linuxkit/vsudd:b4d80d243733f80906cdbcf77f367a7b5744dc09
+    image: linuxkit/vsudd:127acd1453f7bfda791491ac4c55be0d2b9223cc
     binds:
         - /run/containerd/containerd.sock:/run/containerd/containerd.sock
     command: ["/vsudd",

examples/wireguard.yml

@@ -1,19 +1,19 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
   - name: wg0
-    image: linuxkit/ip:bb250017b05de5e16ac436b1eb19a39c87b5a252
+    image: linuxkit/ip:9696394a7d57b384ae919662ae162c9152029156
     net: new
     binds:
       - /etc/wireguard:/etc/wireguard
@@ -26,7 +26,7 @@ onboot:
       bindNS:
           net: /run/netns/wg0
   - name: wg1
-    image: linuxkit/ip:bb250017b05de5e16ac436b1eb19a39c87b5a252
+    image: linuxkit/ip:9696394a7d57b384ae919662ae162c9152029156
     net: new
     binds:
       - /etc/wireguard:/etc/wireguard
@@ -40,12 +40,12 @@ onboot:
           net: /run/netns/wg1
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
     net: /run/netns/wg1
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: nginx
     image: nginx:1.13.8-alpine
     net: /run/netns/wg0

kernel/6.6.x/build-args

@@ -1,3 +1,3 @@
-KERNEL_VERSION=6.6.13
+KERNEL_VERSION=6.6.71
 KERNEL_SERIES=6.6.x
-BUILD_IMAGE=linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e
+BUILD_IMAGE=linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a

kernel/6.6.x/config-aarch64

@@ -1,20 +1,21 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 6.6.13 Kernel Configuration
+# Linux/arm64 6.6.71 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="gcc (Alpine 13.2.1_git20231014) 13.2.1 20231014"
+CONFIG_CC_VERSION_TEXT="gcc (Alpine 14.2.0) 14.2.0"
 CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=130201
+CONFIG_GCC_VERSION=140200
 CONFIG_CLANG_VERSION=0
 CONFIG_AS_IS_GNU=y
-CONFIG_AS_VERSION=24100
+CONFIG_AS_VERSION=24301
 CONFIG_LD_IS_BFD=y
-CONFIG_LD_VERSION=24100
+CONFIG_LD_VERSION=24301
 CONFIG_LLD_VERSION=0
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
 CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
+CONFIG_TOOLS_SUPPORT_RELR=y
 CONFIG_CC_HAS_ASM_INLINE=y
 CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
 CONFIG_PAHOLE_VERSION=0
@@ -157,7 +158,7 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
 CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
 CONFIG_CC_HAS_INT128=y
 CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5"
-CONFIG_GCC11_NO_ARRAY_BOUNDS=y
+CONFIG_GCC10_NO_ARRAY_BOUNDS=y
 CONFIG_CC_NO_ARRAY_BOUNDS=y
 CONFIG_ARCH_SUPPORTS_INT128=y
 CONFIG_CGROUPS=y
@@ -371,7 +372,10 @@ CONFIG_ARM64_ERRATUM_2067961=y
 CONFIG_ARM64_ERRATUM_2441009=y
 CONFIG_ARM64_ERRATUM_2457168=y
 CONFIG_ARM64_ERRATUM_2645198=y
+CONFIG_ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD=y
 CONFIG_ARM64_ERRATUM_2966298=y
+CONFIG_ARM64_ERRATUM_3117295=y
+CONFIG_ARM64_ERRATUM_3194386=y
 CONFIG_CAVIUM_ERRATUM_22375=y
 CONFIG_CAVIUM_ERRATUM_23154=y
 CONFIG_CAVIUM_ERRATUM_27456=y
@@ -488,7 +492,6 @@ CONFIG_ARM64_EPAN=y
 # end of ARMv8.7 architectural features
 
 CONFIG_ARM64_SVE=y
-CONFIG_ARM64_SME=y
 # CONFIG_ARM64_PSEUDO_NMI is not set
 CONFIG_RELOCATABLE=y
 CONFIG_RANDOMIZE_BASE=y
@@ -631,6 +634,7 @@ CONFIG_KVM_GENERIC_HARDWARE_ENABLING=y
 CONFIG_VIRTUALIZATION=y
 CONFIG_KVM=y
 # CONFIG_NVHE_EL2_DEBUG is not set
+CONFIG_CPU_MITIGATIONS=y
 
 #
 # General architecture-dependent options
@@ -730,6 +734,7 @@ CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
 CONFIG_ARCH_USE_MEMREMAP_PROT=y
 # CONFIG_LOCK_EVENT_COUNTS is not set
 CONFIG_ARCH_HAS_RELR=y
+CONFIG_RELR=y
 CONFIG_HAVE_PREEMPT_DYNAMIC=y
 CONFIG_HAVE_PREEMPT_DYNAMIC_KEY=y
 CONFIG_ARCH_WANT_LD_ORPHAN_WARN=y
@@ -905,6 +910,7 @@ CONFIG_PAGE_REPORTING=y
 CONFIG_MIGRATION=y
 CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
 CONFIG_ARCH_ENABLE_THP_MIGRATION=y
+CONFIG_PCP_BATCH_SCALE_MAX=5
 CONFIG_PHYS_ADDR_T_64BIT=y
 CONFIG_MMU_NOTIFIER=y
 CONFIG_KSM=y
@@ -3354,7 +3360,6 @@ CONFIG_MFD_CORE=y
 # CONFIG_MFD_SKY81452 is not set
 # CONFIG_MFD_STMPE is not set
 CONFIG_MFD_SYSCON=y
-# CONFIG_MFD_TI_AM335X_TSCADC is not set
 # CONFIG_MFD_LP3943 is not set
 # CONFIG_MFD_LP8788 is not set
 # CONFIG_MFD_TI_LMU is not set
@@ -3413,6 +3418,7 @@ CONFIG_MFD_VEXPRESS_SYSREG=y
 # Graphics support
 #
 CONFIG_APERTURE_HELPERS=y
+CONFIG_SCREEN_INFO=y
 CONFIG_VIDEO_CMDLINE=y
 # CONFIG_AUXDISPLAY is not set
 # CONFIG_DRM is not set
@@ -3474,6 +3480,7 @@ CONFIG_FB_SYS_IMAGEBLIT=y
 # CONFIG_FB_FOREIGN_ENDIAN is not set
 CONFIG_FB_SYS_FOPS=y
 CONFIG_FB_DEFERRED_IO=y
+CONFIG_FB_IOMEM_FOPS=y
 CONFIG_FB_IOMEM_HELPERS=y
 CONFIG_FB_SYSMEM_HELPERS=y
 CONFIG_FB_SYSMEM_HELPERS_DEFERRED=y
@@ -3600,6 +3607,7 @@ CONFIG_HID_GENERIC=y
 # CONFIG_HID_ZYDACRON is not set
 # CONFIG_HID_SENSOR_HUB is not set
 # CONFIG_HID_ALPS is not set
+# CONFIG_HID_MCP2200 is not set
 # CONFIG_HID_MCP2221 is not set
 # end of Special HID drivers
 
@@ -3821,8 +3829,6 @@ CONFIG_MMC_SDHCI_PLTFM=m
 # CONFIG_MMC_TOSHIBA_PCI is not set
 # CONFIG_MMC_MTK is not set
 # CONFIG_MMC_SDHCI_XENON is not set
-# CONFIG_MMC_SDHCI_OMAP is not set
-# CONFIG_MMC_SDHCI_AM654 is not set
 # CONFIG_SCSI_UFSHCD is not set
 # CONFIG_MEMSTICK is not set
 # CONFIG_NEW_LEDS is not set
@@ -4726,6 +4732,9 @@ CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_USER_DECRYPTED_DATA is not set
 CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_SECURITY_DMESG_RESTRICT=y
+CONFIG_PROC_MEM_ALWAYS_FORCE=y
+# CONFIG_PROC_MEM_FORCE_PTRACE is not set
+# CONFIG_PROC_MEM_NO_FORCE is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
@@ -4821,6 +4830,7 @@ CONFIG_CRYPTO_ALGAPI=y
 CONFIG_CRYPTO_ALGAPI2=y
 CONFIG_CRYPTO_AEAD=y
 CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_SIG=y
 CONFIG_CRYPTO_SIG2=y
 CONFIG_CRYPTO_SKCIPHER=y
 CONFIG_CRYPTO_SKCIPHER2=y
@@ -5191,7 +5201,6 @@ CONFIG_DMA_DIRECT_REMAP=y
 # CONFIG_DMA_MAP_BENCHMARK is not set
 CONFIG_SGL_ALLOC=y
 CONFIG_CHECK_SIGNATURE=y
-# CONFIG_FORCE_NR_CPUS is not set
 CONFIG_CPU_RMAP=y
 CONFIG_DQL=y
 CONFIG_GLOB=y

kernel/6.6.x/config-x86_64

@@ -1,15 +1,15 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.6.13 Kernel Configuration
+# Linux/x86 6.6.71 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="gcc (Alpine 13.2.1_git20231014) 13.2.1 20231014"
+CONFIG_CC_VERSION_TEXT="gcc (Alpine 14.2.0) 14.2.0"
 CONFIG_CC_IS_GCC=y
-CONFIG_GCC_VERSION=130201
+CONFIG_GCC_VERSION=140200
 CONFIG_CLANG_VERSION=0
 CONFIG_AS_IS_GNU=y
-CONFIG_AS_VERSION=24100
+CONFIG_AS_VERSION=24301
 CONFIG_LD_IS_BFD=y
-CONFIG_LD_VERSION=24100
+CONFIG_LD_VERSION=24301
 CONFIG_LLD_VERSION=0
 CONFIG_CC_CAN_LINK=y
 CONFIG_CC_CAN_LINK_STATIC=y
@@ -180,7 +180,7 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
 CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
 CONFIG_CC_HAS_INT128=y
 CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5"
-CONFIG_GCC11_NO_ARRAY_BOUNDS=y
+CONFIG_GCC10_NO_ARRAY_BOUNDS=y
 CONFIG_CC_NO_ARRAY_BOUNDS=y
 CONFIG_ARCH_SUPPORTS_INT128=y
 CONFIG_CGROUPS=y
@@ -470,7 +470,6 @@ CONFIG_PHYSICAL_ALIGN=0x1000000
 CONFIG_DYNAMIC_MEMORY_LAYOUT=y
 CONFIG_RANDOMIZE_MEMORY=y
 CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
-# CONFIG_ADDRESS_MASKING is not set
 CONFIG_HOTPLUG_CPU=y
 # CONFIG_COMPAT_VDSO is not set
 # CONFIG_LEGACY_VSYSCALL_XONLY is not set
@@ -490,7 +489,7 @@ CONFIG_CALL_PADDING=y
 CONFIG_HAVE_CALL_THUNKS=y
 CONFIG_CALL_THUNKS=y
 CONFIG_PREFIX_SYMBOLS=y
-CONFIG_SPECULATION_MITIGATIONS=y
+CONFIG_CPU_MITIGATIONS=y
 CONFIG_PAGE_TABLE_ISOLATION=y
 CONFIG_RETPOLINE=y
 CONFIG_RETHUNK=y
@@ -502,6 +501,8 @@ CONFIG_CPU_IBRS_ENTRY=y
 CONFIG_CPU_SRSO=y
 # CONFIG_SLS is not set
 # CONFIG_GDS_FORCE_MITIGATION is not set
+CONFIG_MITIGATION_RFDS=y
+CONFIG_MITIGATION_SPECTRE_BHI=y
 CONFIG_ARCH_HAS_ADD_PAGES=y
 
 #
@@ -684,6 +685,7 @@ CONFIG_AS_SHA256_NI=y
 CONFIG_AS_TPAUSE=y
 CONFIG_AS_GFNI=y
 CONFIG_AS_WRUSS=y
+CONFIG_ARCH_CONFIGURES_CPU_MITIGATIONS=y
 
 #
 # General architecture-dependent options
@@ -1004,6 +1006,7 @@ CONFIG_DEVICE_MIGRATION=y
 CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y
 CONFIG_ARCH_ENABLE_THP_MIGRATION=y
 CONFIG_CONTIG_ALLOC=y
+CONFIG_PCP_BATCH_SCALE_MAX=5
 CONFIG_PHYS_ADDR_T_64BIT=y
 CONFIG_MMU_NOTIFIER=y
 CONFIG_KSM=y
@@ -3177,7 +3180,6 @@ CONFIG_LPC_SCH=y
 CONFIG_MFD_SM501=y
 # CONFIG_MFD_SKY81452 is not set
 # CONFIG_MFD_SYSCON is not set
-# CONFIG_MFD_TI_AM335X_TSCADC is not set
 # CONFIG_MFD_LP3943 is not set
 # CONFIG_MFD_LP8788 is not set
 # CONFIG_MFD_TI_LMU is not set
@@ -3219,6 +3221,7 @@ CONFIG_MFD_VX855=y
 # Graphics support
 #
 CONFIG_APERTURE_HELPERS=y
+CONFIG_SCREEN_INFO=y
 CONFIG_VIDEO_CMDLINE=y
 CONFIG_VIDEO_NOMODESET=y
 # CONFIG_AUXDISPLAY is not set
@@ -3290,6 +3293,7 @@ CONFIG_FB_SYS_IMAGEBLIT=y
 # CONFIG_FB_FOREIGN_ENDIAN is not set
 CONFIG_FB_SYS_FOPS=y
 CONFIG_FB_DEFERRED_IO=y
+CONFIG_FB_IOMEM_FOPS=y
 CONFIG_FB_IOMEM_HELPERS=y
 CONFIG_FB_SYSMEM_HELPERS=y
 CONFIG_FB_SYSMEM_HELPERS_DEFERRED=y
@@ -4352,6 +4356,9 @@ CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_USER_DECRYPTED_DATA is not set
 CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_SECURITY_DMESG_RESTRICT=y
+CONFIG_PROC_MEM_ALWAYS_FORCE=y
+# CONFIG_PROC_MEM_FORCE_PTRACE is not set
+# CONFIG_PROC_MEM_NO_FORCE is not set
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
@@ -4447,6 +4454,7 @@ CONFIG_CRYPTO_ALGAPI=y
 CONFIG_CRYPTO_ALGAPI2=y
 CONFIG_CRYPTO_AEAD=y
 CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_SIG=y
 CONFIG_CRYPTO_SIG2=y
 CONFIG_CRYPTO_SKCIPHER=y
 CONFIG_CRYPTO_SKCIPHER2=y
@@ -4798,7 +4806,6 @@ CONFIG_SWIOTLB=y
 # CONFIG_DMA_MAP_BENCHMARK is not set
 CONFIG_SGL_ALLOC=y
 CONFIG_CHECK_SIGNATURE=y
-# CONFIG_FORCE_NR_CPUS is not set
 CONFIG_CPU_RMAP=y
 CONFIG_DQL=y
 CONFIG_GLOB=y
@@ -4957,6 +4964,7 @@ CONFIG_ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP=y
 CONFIG_HAVE_ARCH_KASAN=y
 CONFIG_HAVE_ARCH_KASAN_VMALLOC=y
 CONFIG_CC_HAS_KASAN_GENERIC=y
+CONFIG_CC_HAS_KASAN_SW_TAGS=y
 CONFIG_CC_HAS_WORKING_NOSANITIZE_ADDRESS=y
 # CONFIG_KASAN is not set
 CONFIG_HAVE_ARCH_KFENCE=y

kernel/Dockerfile

@@ -115,6 +115,9 @@ RUN case $(uname -m) in \
     aarch64) \
         KERNEL_DEF_CONF=/linux/arch/arm64/configs/defconfig; \
         ;; \
+    riscv64) \
+        KERNEL_DEF_CONF=/linux/arch/riscv/configs/defconfig; \
+        ;; \
     esac  && \
     cp /src/${KERNEL_SERIES}/config-$(uname -m) ${KERNEL_DEF_CONF}; \
     if [ -n "${EXTRA}" ] && [ -f "/src/${KERNEL_SERIES}-${EXTRA}/config-$(uname -m)" ]; then \
@@ -139,6 +142,9 @@ RUN make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
     aarch64) \
         cp arch/arm64/boot/Image.gz /out/kernel; \
         ;; \
+    riscv64) \
+        cp arch/riscv/boot/Image.gz /out/kernel; \
+        ;; \
     esac && \
     cp System.map /out && \
     ([ -n "${DEBUG}" ] && cp vmlinux /out || true)

kernel/Dockerfile.bcc

@@ -24,11 +24,11 @@ RUN apk update && apk upgrade -a && \
   iperf3 \
   libedit-dev \
   libtool \
-  llvm \
-  llvm-dev \
-  llvm-static \
-  llvm17-gtest \
-  luajit-dev \
+  libxml2 \
+  llvm19 \
+  llvm19-dev \
+  llvm19-static \
+  llvm19-gtest \
   m4 \
   musl-fts-dev \
   python3 \
@@ -38,21 +38,8 @@ RUN apk update && apk upgrade -a && \
   zlib-dev \
   && true
 
-# this is just here to make later copies easier; do not forget to change this if the python version updates
-ENV PYTHON_VERSION=3.11
-
-RUN ln -s /usr/lib/cmake/llvm10/ /usr/lib/cmake/llvm && \
-    ln -s /usr/include/llvm10/llvm-c/ /usr/include/llvm-c && \
-    ln -s /usr/include/llvm10/llvm/ /usr/include/llvm
-
 WORKDIR /build
 
-ENV BCC_COMMIT=v0.29.1
-RUN git clone https://github.com/iovisor/bcc.git && \
-    cd bcc && \
-    git checkout $BCC_COMMIT && \
-    sed -i 's/<error.h>/<errno.h>/' examples/cpp/KModRetExample.cc
-
 COPY --from=ksrc /kernel-headers.tar /build
 COPY --from=ksrc /kernel-dev.tar /build
 COPY --from=ksrc /kernel.tar /build
@@ -60,15 +47,6 @@ RUN tar xf /build/kernel-headers.tar && \
     tar xf /build/kernel-dev.tar && \
     tar xf /build/kernel.tar
 
-RUN mkdir -p bcc/build && cd bcc/build && \
-    cmake .. -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON \
-             -DCMAKE_C_FLAGS="-I/build/usr/include" \
-             -DPYTHON_CMD=python3 \
-             -DCMAKE_CXX_FLAGS="-I/build/usr/include" \
-             -DCMAKE_INSTALL_PREFIX=/usr && \
-    make && \
-    make install
-
 RUN mkdir -p /out/usr/ && \
     cp -a /build/usr/src /out/usr/ && \
     cp -a /build/usr/include /out/usr
@@ -76,23 +54,25 @@ RUN mkdir -p /out/usr/lib && \
     cp -a /usr/lib/libelf* /out/usr/lib/ && \
     cp -a /usr/lib/libstdc* /out/usr/lib/ && \
     cp -a /usr/lib/libintl* /out/usr/lib/
-RUN mkdir -p /out/usr/lib/python${PYTHON_VERSION} && \
-    cp -a /usr/lib/python${PYTHON_VERSION}/site-packages /out/usr/lib/python${PYTHON_VERSION}/
-RUN mkdir -p /out/usr/share && \
-    cp -a /usr/share/bcc /out/usr/share/
-RUN mkdir -p /out/usr/bin && \
-    cp -a /usr/bin/bcc-lua /out/usr/bin/
 
+RUN PYTHONPATH=$(python3 -c "import sysconfig; print(sysconfig.get_path('stdlib'))") && mkdir -p /out${PYTHONPATH} && \
+    cp -a ${PYTHONPATH}/site-packages /out/${PYTHONPATH}
 FROM ${BUILD_IMAGE} as mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk update && apk upgrade -a && \
   apk add --no-cache --initdb -p /out \
+  bcc \
+  bcc-dev \
+  bcc-tools \
   busybox \
-  luajit \
   python3 \
   zlib \
   && true
 
+# lua/luajit is not available on all platforms, but we do not consider it blocking
+RUN apk add --no-cache -p /out luajit || true
+RUN apk add --no-cache -p /out bcc-lua || true
+
 FROM scratch
 ENTRYPOINT []
 CMD []

kernel/Dockerfile.kconfig

@@ -43,8 +43,9 @@ RUN set -e && \
                patch -t -F0 -N -u -p1 < "$patch"; \
            done; \
         fi && \
-        [ ! -f /config-${SERIES}-x86_64 ] || mv /config-${SERIES}-x86_64 arch/x86/configs/x86_64_defconfig && \
+        [ ! -f /config-${SERIES}-x86_64 ] || mv /config-${SERIES}-x86_64 arch/x86/configs/x86_64_defconfig ; \
         [ ! -f /config-${SERIES}-aarch64 ] || mv /config-${SERIES}-aarch64 arch/arm64/configs/defconfig ; \
+        [ ! -f /config-${SERIES}-riscv64 ] || mv /config-${SERIES}-riscv64 arch/riscv64/configs/riscv64_defconfig ; \
     done
 
 ENTRYPOINT ["/bin/sh"]

kernel/Dockerfile.kconfigx

@@ -58,6 +58,9 @@ for VERSION in ${KERNEL_VERSIONS}; do
 	elif [ ${TARGETARCH} = "arm64" ] ; then
 		cp /config-${SERIES}-aarch64 .config
 		ARCH=arm64 make oldconfig
+    elif [ ${TARGETARCH} = "riscv64" ] ; then
+		cp /config-${SERIES}-riscv64 .config
+		ARCH=riscv64 make oldconfig
 	fi
 done
 EOF

kernel/Dockerfile.perf

@@ -53,7 +53,7 @@ RUN make -C libtraceevent all install V=1
 WORKDIR /linux
 
 RUN mkdir -p /out && \
-    make -C tools/perf LDFLAGS=-static V=1 && \
+    make -C tools/perf EXTRA_CFLAGS="-Wno-alloc-size -Wno-calloc-transposed-args" LDFLAGS=-static V=1 && \
     strip tools/perf/perf && \
     cp tools/perf/perf /out
 

kernel/Makefile

@@ -16,7 +16,7 @@ RM = rm -f
 # Name and Org on Hub
 ORG?=linuxkit
 IMAGE?=kernel
-IMAGE_BUILDER=linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e
+IMAGE_BUILDER=linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a
 
 # You can specify an extra options for the Makefile. This will:
 # - append a config$(EXTRA) to the kernel config for your kernel/arch
@@ -37,21 +37,23 @@ endif
 REPO_ROOT:=$(shell git rev-parse --show-toplevel)
 
 # determine our architecture
-BUILDERARCH=
+ARCH?=$(shell uname -m)
+BUILDERARCH=$(ARCH)
 ifneq ($(ARCH),)
 ifeq ($(ARCH),$(filter $(ARCH),x86_64 amd64))
 override ARCH=x86_64
-BUILDERARCH=amd64
+override BUILDERARCH=amd64
 endif
 ifeq ($(ARCH),$(filter $(ARCH),aarch64 arm64))
 override ARCH=aarch64
-BUILDERARCH=arm64
+override BUILDERARCH=arm64
+endif
+ifeq ($(ARCH),riscv64)
+override BUILDERARCH=riscv64
 endif
 endif
 
-ifneq ($(BUILDERARCH),)
-PLATFORMS=--platforms linux/$(BUILDERARCH)
-endif
+BUILD_PLATFORM=linux/$(BUILDERARCH)
 
 HASHTAG=$(HASH)$(DIRTY)
 
@@ -124,11 +126,11 @@ buildkerneldeps-%: Dockerfile Makefile $(wildcard patches-$(call series,$*)/*) $
 
 buildplainkernel-%: buildkerneldeps-%
 	$(eval KERNEL_SERIES=$(call series,$*))
-	linuxkit pkg build . $(FORCE) $(PLATFORMS) --build-yml ./build-kernel.yml --tag "$*-{{.Hash}}" --build-arg-file $(KERNEL_SERIES)/build-args 
+	linuxkit pkg build . $(FORCE) --platforms $(BUILD_PLATFORM) --build-yml ./build-kernel.yml --tag "$*-{{.Hash}}" --build-arg-file $(KERNEL_SERIES)/build-args 
 
 builddebugkernel-%: buildkerneldeps-%
 	$(eval KERNEL_SERIES=$(call series,$*))
-	linuxkit pkg build . $(FORCE) $(PLATFORMS) --build-yml ./build-kernel.yml --tag "$*-dbg-{{.Hash}}" --build-arg-file $(KERNEL_SERIES)/build-args --build-arg-file build-args-debug
+	linuxkit pkg build . $(FORCE) --platforms $(BUILD_PLATFORM) --build-yml ./build-kernel.yml --tag "$*-dbg-{{.Hash}}" --build-arg-file $(KERNEL_SERIES)/build-args --build-arg-file build-args-debug
 
 push-%: notdirty build-% pushkernel-% tagbuilder-% pushtools-%;
 
@@ -163,7 +165,7 @@ buildtool-%:
 	$(eval TOOL=$(call toolname,$*))
 	$(eval KERNEL_VERSION=$(call toolkernel,$*))
 	$(eval KERNEL_SERIES=$(call series,$(KERNEL_VERSION)))
-	linuxkit pkg build . $(FORCE) $(PLATFORMS) --build-yml ./build-$(TOOL).yml --tag "$(KERNEL_VERSION)-{{.Hash}}" --build-arg-file $(KERNEL_SERIES)/build-args
+	linuxkit pkg build . $(FORCE) --platforms $(BUILD_PLATFORM) --build-yml ./build-$(TOOL).yml --tag "$(KERNEL_VERSION)-{{.Hash}}" --build-arg-file $(KERNEL_SERIES)/build-args
 
 pushtools-%: $(addprefix pushtool-%$(RELEASESEP),$(TOOLS));
 
@@ -206,34 +208,34 @@ update-kernel-semver-yaml-%:
 update-kernel-yamls: $(addprefix update-kernel-hash-yaml-,$(KERNELS)) update-kernel-semver-yaml-$(KERNEL_HIGHEST);
 
 # Target for kernel config
-kconfig:
-ifeq (${KCONFIG_TAG},)
-	docker build --no-cache -f Dockerfile.kconfig \
-		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
-		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
-		-t linuxkit/kconfig  .
-else
-	docker build --no-cache -f Dockerfile.kconfig \
-		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
-		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
-		-t linuxkit/kconfig:${KCONFIG_TAG}  .
+KCONFIG_TAG_EXTENSION=
+ifneq (${KCONFIG_TAG},)
+KCONFIG_TAG_EXTENSION=-${KCONFIG_TAG}
 endif
 
+kconfig:
+	docker build --no-cache -f Dockerfile.kconfig \
+		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
+		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
+		--platform $(BUILD_PLATFORM) \
+		-t linuxkit/kconfig:$(ARCH)${KCONFIG_TAG_EXTENSION} .
+
 kconfigx:
 ifeq (${KCONFIG_TAG},)
 	docker buildx build --no-cache -f Dockerfile.kconfigx \
-		--platform=$(PLATFORMS) \
+		--platform $(BUILD_PLATFORM) \
 		--output . \
 		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
 		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
-		-t linuxkit/kconfigx  .
+		-t linuxkit/kconfigx:$(ARCH)  .
 	cp linux_arm64/config-${KERNEL_VERSIONS}-arm64 config-${KERNEL_SERIES}-aarch64
 	cp linux_amd64/config-${KERNEL_VERSIONS}-amd64 config-${KERNEL_SERIES}-x86_64
+	cp linux_amd64/config-${KERNEL_VERSIONS}-riscv64 config-${KERNEL_SERIES}-riscv64
 else
 	docker buildx build --no-cache -f Dockerfile.kconfigx \
-		--platform=$(PLATFORMS) --push \
+		--platform $(BUILD_PLATFORM) --push \
 		--output . \
 		--build-arg KERNEL_VERSIONS="$(KERNEL_VERSIONS)" \
 		--build-arg BUILD_IMAGE=$(IMAGE_BUILDER) \
-		-t linuxkit/kconfigx:${KCONFIG_TAG}  .
+		-t linuxkit/kconfigx:$(ARCH)${KCONFIG_TAG_EXTENSION}  .
 endif

linuxkit-template.yml

@@ -1,5 +1,5 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
   - "@pkg:./pkg/init"

linuxkit.yml

@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:6.6.13
+  image: linuxkit/kernel:6.6.71
   cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:e120ea2a30d906bd1ee1874973d6e4b1403b5ca3
-  - linuxkit/runc:6062483d748609d505f2bcde4e52ee64a3329f5f
-  - linuxkit/containerd:39301e7312f13eedf19bd5d5551af7b37001d435
-  - linuxkit/ca-certificates:5aaa343474e5ac3ac01f8b917e82efb1063d80ff
+  - linuxkit/init:8eea386739975a43af558eec757a7dcb3a3d2e7b
+  - linuxkit/runc:667e7ea2c426a2460ca21e3da065a57dbb3369c9
+  - linuxkit/containerd:a988a1a8bcbacc2c0390ca0c08f949e2b4b5915d
+  - linuxkit/ca-certificates:7b32a26ca9c275d3ef32b11fe2a83dbd2aee2fdb
 onboot:
   - name: sysctl
-    image: linuxkit/sysctl:5a374e4bf3e5a7deeacff6571d0f30f7ea8f56db
+    image: linuxkit/sysctl:5f56434b81004b50b47ed629b222619168c2bcdf
   - name: dhcpcd
-    image: linuxkit/dhcpcd:e9e3580f2de00e73e7b316a007186d22fea056ee
+    image: linuxkit/dhcpcd:157df9ef45a035f1542ec2270e374f18efef98a5
     command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 onshutdown:
   - name: shutdown
@@ -18,11 +18,11 @@ onshutdown:
     command: ["/bin/echo", "so long and thanks for all the fish"]
 services:
   - name: getty
-    image: linuxkit/getty:5d86a2ce2d890c14ab66b13638dcadf74f29218b
+    image: linuxkit/getty:05eca453695984a69617f1f1f0bcdae7f7032967
     env:
      - INSECURE=true
   - name: rngd
-    image: linuxkit/rngd:83a6481f04da73e710c1d416355920b8ff4dc1dd
+    image: linuxkit/rngd:1a18f2149e42a0a1cb9e7d37608a494342c26032
   - name: nginx
     image: nginx:1.19.5-alpine
     capabilities:

pkg/acpid/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS mirror
 
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
@@ -6,7 +6,7 @@ RUN apk add --no-cache --initdb -p /out \
     busybox
 RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
 
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror2
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS mirror2
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
     acpid

pkg/auditd/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS mirror
 
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --initdb -p /out alpine-baselayout apk-tools audit busybox tini

pkg/binfmt/Dockerfile

@@ -9,7 +9,7 @@ RUN apt-get update && apt-get install -y qemu-user-static && \
     mv /usr/bin/qemu-loongarch64-static /usr/bin/qemu-loongarch64 && \
     rm /usr/bin/qemu-*-static
 
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS mirror
 
 RUN apk add --no-cache go musl-dev
 ENV GOPATH=/go PATH=$PATH:/go/bin

pkg/bpftrace/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS build
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS build
 RUN apk add --update \
     bison \
     build-base \

pkg/ca-certificates/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e as alpine
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a as alpine
 
 RUN apk add ca-certificates
 

pkg/cadvisor/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e as build
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a as build
 
 RUN apk add --no-cache bash go git musl-dev linux-headers make patch
 # Hack to work around an issue with go on arm64 requiring gcc
@@ -7,7 +7,7 @@ RUN [ $(uname -m) = aarch64 ] && apk add --no-cache gcc || true
 ENV GOPATH=/go PATH=$PATH:/go/bin
 ENV GITBASE=github.com/google
 ENV GITREPO=github.com/google/cadvisor
-ENV COMMIT=v0.36.0
+ENV COMMIT=v0.51.0
 
 ADD /static.patch /tmp/
 
@@ -18,10 +18,10 @@ RUN mkdir -p /go/src/${GITBASE} \
     && git checkout ${COMMIT} \
     && patch -p1 build/build.sh </tmp/static.patch \
     && make build \
-    && mv cadvisor /usr/bin/
+    && mv _output/cadvisor /usr/bin/
 
 
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS mirror
 
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \

pkg/cadvisor/build.yml

@@ -3,6 +3,7 @@ network: true
 arches:
   - amd64
   - arm64
+  - riscv64
 config:
   pid: host
   binds:

pkg/cadvisor/static.patch

@@ -1,6 +1,6 @@
 --- build/build.sh.orig	2017-11-16 16:29:18.281342577 +0000
 +++ build/build.sh	2017-11-16 16:29:55.534787421 +0000
-@@ -44,6 +44,7 @@
+@@ -47,6 +47,7 @@
    -X ${repo_path}/version.BuildDate${ldseparator}${BUILD_DATE}
    -X ${repo_path}/version.GoVersion${ldseparator}${go_version}"
  

pkg/containerd/Dockerfile

@@ -1,15 +1,15 @@
 # Dockerfile to build linuxkit/containerd for linuxkit
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e as alpine
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a as alpine
 
 RUN apk add tzdata binutils
 RUN mkdir -p /etc/init.d && ln -s /usr/bin/service /etc/init.d/020-containerd
 
-FROM linuxkit/containerd-dev:af26a5c09a71b919ee8113501d783a5bf299482d as containerd-dev
+FROM linuxkit/containerd-dev:fb4bf37a114ce1eb8a2c4ed3db91a50301805e2c as containerd-dev
 
 FROM scratch
 ENTRYPOINT []
 WORKDIR /
-COPY --from=containerd-dev /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim /usr/bin/containerd-shim-runc-v2 /usr/bin/
+COPY --from=containerd-dev /usr/bin/containerd /usr/bin/ctr /usr/bin/containerd-shim-runc-v2 /usr/bin/
 COPY --from=alpine /usr/share/zoneinfo/UTC /etc/localtime
 COPY --from=alpine /etc/init.d/ /etc/init.d/
 COPY etc etc/

pkg/dhcpcd/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
     alpine-baselayout \

pkg/dm-crypt/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out  \
     alpine-baselayout \

pkg/dummy/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS build
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS build
 RUN apk add --no-cache --initdb make
 
 FROM scratch

pkg/extend/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS mirror
 
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
@@ -15,7 +15,7 @@ RUN apk add --no-cache --initdb -p /out \
     && true
 RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
 
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS build
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS build
 
 RUN apk add --no-cache go musl-dev
 ENV GOPATH=/go PATH=$PATH:/go/bin

pkg/extend/extend.go

@@ -22,8 +22,9 @@ import (
 const timeout = 60
 
 var (
-	fsTypeVar string
-	driveKeys []string
+	fsTypeVar   string
+	stopOnError bool
+	driveKeys   []string
 )
 
 // Fdisk is the JSON output from libfdisk
@@ -57,7 +58,12 @@ func autoextend(fsType string) error {
 			continue
 		}
 		if err := extend(d, fsType); err != nil {
-			return err
+			if stopOnError {
+				return err
+			}
+
+			log.Printf("Could not extend partition on device %s. Skipping", d)
+			continue
 		}
 	}
 	return nil
@@ -76,6 +82,11 @@ func extend(d, fsType string) error {
 		return fmt.Errorf("Unable to unmarshal partition table from sfdisk: %v", err)
 	}
 
+	if len(f.PartitionTable.Partitions) == 0 {
+		log.Printf("Disk %s has no partitions. Skipping", d)
+		return nil
+	}
+
 	if len(f.PartitionTable.Partitions) > 1 {
 		log.Printf("Disk %s has more than 1 partition. Skipping", d)
 		return nil
@@ -312,11 +323,13 @@ func findDrives() {
 
 func init() {
 	flag.StringVar(&fsTypeVar, "type", "ext4", "Type of filesystem to create")
+	flag.BoolVar(&stopOnError, "stop-on-error", true, "Stops extending the remaining devices on first error")
 }
 
 func main() {
 	flag.Parse()
 	findDrives()
+
 	if flag.NArg() == 0 {
 		if err := autoextend(fsTypeVar); err != nil {
 			log.Fatalf("%v", err)

pkg/firmware-all/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS build
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS build
 RUN apk add --no-cache git
 
 # Make sure you also update the FW_COMMIT in ../firmware/Dockerfile

pkg/firmware-all/build.yml

@@ -3,3 +3,4 @@ network: true
 arches:
   - amd64
   - arm64
+  - riscv64

pkg/firmware/Dockerfile

@@ -1,7 +1,7 @@
 # Make modules from a recentish kernel available
-FROM linuxkit/kernel:6.6.13 AS kernel
+FROM linuxkit/kernel:6.6.71 AS kernel
 
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS build
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS build
 RUN apk add --no-cache git kmod
 
 # Clone the firmware repository

pkg/firmware/build.yml

@@ -3,3 +3,5 @@ network: true
 arches:
   - amd64
   - arm64
+  - riscv64
+  

pkg/format/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS mirror
 
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \
@@ -15,7 +15,7 @@ RUN apk add --no-cache --initdb -p /out \
     && true
 RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
 
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS build
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS build
 
 RUN apk add --no-cache go musl-dev
 ENV GOPATH=/go PATH=$PATH:/go/bin

pkg/getty/Dockerfile

@@ -1,5 +1,5 @@
 # Dockerfile to build linuxkit/getty for linuxkit
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS mirror
 
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out \

pkg/host-timesync-daemon/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS mirror
 
 RUN apk add --no-cache go musl-dev git
 ENV GOPATH=/go PATH=$PATH:/go/bin

pkg/init/Dockerfile

@@ -1,6 +1,6 @@
 # Dockerfile to build linuxkit/init for linuxkit
-FROM linuxkit/containerd-dev:af26a5c09a71b919ee8113501d783a5bf299482d AS containerd-dev
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS build
+FROM linuxkit/containerd-dev:fb4bf37a114ce1eb8a2c4ed3db91a50301805e2c AS containerd-dev
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS build
 RUN apk add --no-cache --initdb alpine-baselayout make gcc musl-dev git linux-headers
 
 ADD usermode-helper.c ./
@@ -27,7 +27,7 @@ RUN go-compile.sh /go/src/cmd/service
 # volumes link to start
 RUN mkdir -p /etc/init.d && ln -s /usr/bin/service /etc/init.d/005-volumes
 
-FROM linuxkit/alpine:146f540f25cd92ec8ff0c5b0c98342a9a95e479e AS mirror
+FROM linuxkit/alpine:35b33c6b03c40e51046c3b053dd131a68a26c37a AS mirror
 RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
 RUN apk add --no-cache --initdb -p /out alpine-baselayout busybox musl
 

pkg/init/cmd/service/cmd.go

@@ -8,9 +8,9 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/containerd/containerd"
-	"github.com/containerd/containerd/cio"
-	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/containerd/v2/client"
+	"github.com/containerd/containerd/v2/pkg/cio"
+	"github.com/containerd/containerd/v2/pkg/namespaces"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	log "github.com/sirupsen/logrus"
 )
@@ -104,7 +104,7 @@ func stop(ctx context.Context, service, sock, basePath string) (string, uint32,
 
 	runtimeConfig := getRuntimeConfig(path)
 
-	client, err := containerd.New(sock)
+	cli, err := client.New(sock)
 	if err != nil {
 		return "", 0, "creating containerd client", err
 	}
@@ -113,7 +113,7 @@ func stop(ctx context.Context, service, sock, basePath string) (string, uint32,
 		ctx = namespaces.WithNamespace(ctx, runtimeConfig.Namespace)
 	}
 
-	ctr, err := client.LoadContainer(ctx, service)
+	ctr, err := cli.LoadContainer(ctx, service)
 	if err != nil {
 		return "", 0, "loading container", err
 	}
@@ -160,7 +160,7 @@ func start(ctx context.Context, service, sock, basePath, dumpSpec string) (strin
 		return "", 0, "preparing filesystem", err
 	}
 
-	client, err := containerd.New(sock)
+	cli, err := client.New(sock)
 	if err != nil {
 		return "", 0, "creating containerd client", err
 	}
@@ -193,7 +193,7 @@ func start(ctx context.Context, service, sock, basePath, dumpSpec string) (strin
 		ctx = namespaces.WithNamespace(ctx, runtimeConfig.Namespace)
 	}
 
-	ctr, err := client.NewContainer(ctx, service, containerd.WithSpec(spec))
+	ctr, err := cli.NewContainer(ctx, service, client.WithSpec(spec))
 	if err != nil {
 		return "", 0, "failed to create container", err
 	}

pkg/init/cmd/service/main.go

@@ -8,7 +8,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/containerd/containerd/namespaces"
+	"github.com/containerd/containerd/v2/pkg/namespaces"
 	log "github.com/sirupsen/logrus"
 )
 

pkg/init/cmd/service/system_init.go

@@ -12,8 +12,8 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/containerd/containerd"
-	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/v2/client"
+	"github.com/containerd/errdefs"
 	"github.com/pelletier/go-toml"
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
@@ -23,7 +23,7 @@ const (
 	containerdOptsFile = "/etc/containerd/runtime-config.toml"
 )
 
-func cleanupTask(ctx context.Context, ctr containerd.Container) error {
+func cleanupTask(ctx context.Context, ctr client.Container) error {
 	task, err := ctr.Task(ctx, nil)
 	if err != nil {
 		if errdefs.IsNotFound(err) {
@@ -143,7 +143,7 @@ func systemInitCmd(ctx context.Context, args []string) {
 	}
 
 	// connect to containerd
-	client, err := containerd.New(*sock)
+	client, err := client.New(*sock)
 	if err != nil {
 		log.WithError(err).Fatal("creating containerd client")
 	}

pkg/init/go.mod

@@ -1,60 +1,70 @@
 module github.com/linuxkit/linuxkit/pkg/init
 
-go 1.21.0
+go 1.22.0
+
+toolchain go1.23.1
 
 require (
-	github.com/containerd/containerd v1.7.19
+	github.com/containerd/containerd/v2 v2.0.2
+	github.com/containerd/errdefs v1.0.0
 	github.com/opencontainers/runtime-spec v1.2.0
 	github.com/pelletier/go-toml v1.9.5
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.3
-	github.com/vishvananda/netlink v1.2.1-beta.2
-	golang.org/x/sys v0.22.0
+	github.com/vishvananda/netlink v1.3.0
+	golang.org/x/sys v0.26.0
 )
 
 require (
-	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
 	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/Microsoft/hcsshim v0.12.5 // indirect
+	github.com/Microsoft/hcsshim v0.12.9 // indirect
 	github.com/containerd/cgroups/v3 v3.0.3 // indirect
-	github.com/containerd/containerd/api v1.7.19 // indirect
-	github.com/containerd/continuity v0.4.3 // indirect
-	github.com/containerd/errdefs v0.1.0 // indirect
+	github.com/containerd/containerd/api v1.8.0 // indirect
+	github.com/containerd/continuity v0.4.4 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/platforms v0.2.1 // indirect
-	github.com/containerd/ttrpc v1.2.5 // indirect
-	github.com/containerd/typeurl/v2 v2.2.0 // indirect
+	github.com/containerd/platforms v1.0.0-rc.1 // indirect
+	github.com/containerd/plugin v1.0.0 // indirect
+	github.com/containerd/ttrpc v1.2.7 // indirect
+	github.com/containerd/typeurl/v2 v2.2.3 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/uuid v1.6.0 // indirect
-	github.com/klauspost/compress v1.17.9 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/sys/mountinfo v0.7.1 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/moby/sys/signal v0.7.0 // indirect
-	github.com/moby/sys/user v0.1.0 // indirect
+	github.com/moby/sys/mountinfo v0.7.2 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/signal v0.7.1 // indirect
+	github.com/moby/sys/user v0.3.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/opencontainers/selinux v1.11.0 // indirect
+	github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 // indirect
+	github.com/opencontainers/selinux v1.11.1 // indirect
+	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
-	go.opentelemetry.io/otel v1.28.0 // indirect
-	go.opentelemetry.io/otel/metric v1.28.0 // indirect
-	go.opentelemetry.io/otel/trace v1.28.0 // indirect
-	golang.org/x/net v0.27.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
-	google.golang.org/genproto v0.0.0-20240711142825-46eb208f015d // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d // indirect
-	google.golang.org/grpc v1.65.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect
+	go.opentelemetry.io/otel v1.31.0 // indirect
+	go.opentelemetry.io/otel/metric v1.31.0 // indirect
+	go.opentelemetry.io/otel/trace v1.31.0 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 // indirect
+	google.golang.org/grpc v1.67.1 // indirect
+	google.golang.org/protobuf v1.35.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+	tags.cncf.io/container-device-interface v0.8.0 // indirect
+	tags.cncf.io/container-device-interface/specs-go v0.8.0 // indirect
 )

pkg/init/go.sum

@@ -1,49 +1,55 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 h1:dIScnXFlF784X79oi7MzVT6GWqr/W1uUt0pB5CsDs9M=
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2/go.mod h1:gCLVsLfv1egrcZu+GoJATN5ts75F2s62ih/457eWzOw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/Microsoft/hcsshim v0.12.5 h1:bpTInLlDy/nDRWFVcefDZZ1+U8tS+rz3MxjKgu9boo0=
-github.com/Microsoft/hcsshim v0.12.5/go.mod h1:tIUGego4G1EN5Hb6KC90aDYiUI2dqLSTTOCjVNpOgZ8=
+github.com/Microsoft/hcsshim v0.12.9 h1:2zJy5KA+l0loz1HzEGqyNnjd3fyZA31ZBCGKacp6lLg=
+github.com/Microsoft/hcsshim v0.12.9/go.mod h1:fJ0gkFAna6ukt0bLdKB8djt4XIJhF/vEPuoIWYVvZ8Y=
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
+github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0=
 github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0=
-github.com/containerd/containerd v1.7.19 h1:/xQ4XRJ0tamDkdzrrBAUy/LE5nCcxFKdBm4EcPrSMEE=
-github.com/containerd/containerd v1.7.19/go.mod h1:h4FtNYUUMB4Phr6v+xG89RYKj9XccvbNSCKjdufCrkc=
-github.com/containerd/containerd/api v1.7.19 h1:VWbJL+8Ap4Ju2mx9c9qS1uFSB1OVYr5JJrW2yT5vFoA=
-github.com/containerd/containerd/api v1.7.19/go.mod h1:fwGavl3LNwAV5ilJ0sbrABL44AQxmNjDRcwheXDb6Ig=
-github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8=
-github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
-github.com/containerd/errdefs v0.1.0 h1:m0wCRBiu1WJT/Fr+iOoQHMQS/eP5myQ8lCv4Dz5ZURM=
-github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0=
+github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
+github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
+github.com/containerd/containerd/v2 v2.0.2 h1:GmH/tRBlTvrXOLwSpWE2vNAm8+MqI6nmxKpKBNKY8Wc=
+github.com/containerd/containerd/v2 v2.0.2/go.mod h1:wIqEvQ/6cyPFUGJ5yMFanspPabMLor+bF865OHvNTTI=
+github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII=
+github.com/containerd/continuity v0.4.4/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY=
 github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
-github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
-github.com/containerd/ttrpc v1.2.5 h1:IFckT1EFQoFBMG4c3sMdT8EP3/aKfumK1msY+Ze4oLU=
-github.com/containerd/ttrpc v1.2.5/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
-github.com/containerd/typeurl/v2 v2.2.0 h1:6NBDbQzr7I5LHgp34xAXYF5DOTQDn05X58lsPEmzLso=
-github.com/containerd/typeurl/v2 v2.2.0/go.mod h1:8XOOxnyatxSWuG8OfsZXVnAF4iZfedjS/8UHSPJnX4g=
+github.com/containerd/platforms v1.0.0-rc.1 h1:83KIq4yy1erSRgOVHNk1HYdPvzdJ5CnsWaRoJX4C41E=
+github.com/containerd/platforms v1.0.0-rc.1/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
+github.com/containerd/plugin v1.0.0 h1:c8Kf1TNl6+e2TtMHZt+39yAPDbouRH9WAToRjex483Y=
+github.com/containerd/plugin v1.0.0/go.mod h1:hQfJe5nmWfImiqT1q8Si3jLv3ynMUIBB47bQ+KexvO8=
+github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=
+github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
+github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
+github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8=
-github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -71,33 +77,46 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
-github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
-github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
-github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
-github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
-github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
-github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI=
-github.com/moby/sys/signal v0.7.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn88Kg8Tg=
-github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
-github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU=
+github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
+github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
+github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
+github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
+github.com/moby/sys/signal v0.7.1 h1:PrQxdvxcGijdo6UXXo/lU/TvHUWyPhj7UOpSo8tuvk0=
+github.com/moby/sys/signal v0.7.1/go.mod h1:Se1VGehYokAkrSQwL4tDzHvETwUZlnY7S5XtQ50mQp8=
+github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
+github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
+github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
+github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
+github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:DmNGcqH3WDbV5k8OJ+esPWbqUOX5rMLR2PMvziDMJi0=
+github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
+github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
+github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
+github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -105,36 +124,48 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo=
-github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
-github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
-github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
+github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
+github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk=
+github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
-go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
-go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
-go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
-go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
-go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
-go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 h1:UP6IpuHFkUgOQL9FFQFrZ+5LiwhhYRbi7VZSIx6Nj5s=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0/go.mod h1:qxuZLtbq5QDtdeSHsS7bcf6EH6uO6jUAgk764zd3rhM=
+go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY=
+go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE=
+go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE=
+go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY=
+go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys=
+go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -144,6 +175,8 @@ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvx
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -153,31 +186,31 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
-golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
-golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
+golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -195,17 +228,15 @@ google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20240711142825-46eb208f015d h1:/hmn0Ku5kWij/kjGsrcJeC1T/MrJi2iNWwgAqrihFwc=
-google.golang.org/genproto v0.0.0-20240711142825-46eb208f015d/go.mod h1:FfBgJBJg9GcpPvKIuHSZ/aE1g2ecGL74upMzGZjiGEY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d h1:JU0iKnSg02Gmb5ZdV8nYsKEKsP6o/FGVWTrw4i1DA9A=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 h1:zciRKQ4kBpFgpfC5QQCVtnnNAcLIqweL7plyZRQHVpI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
-google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
+google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
+google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -215,11 +246,19 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
+google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
+tags.cncf.io/container-device-interface v0.8.0 h1:8bCFo/g9WODjWx3m6EYl3GfUG31eKJbaggyBDxEldRc=
+tags.cncf.io/container-device-interface v0.8.0/go.mod h1:Apb7N4VdILW0EVdEMRYXIDVRZfNJZ+kmEUss2kRRQ6Y=
+tags.cncf.io/container-device-interface/specs-go v0.8.0 h1:QYGFzGxvYK/ZLMrjhvY0RjpUavIn4KcmRmVP/JjdBTA=
+tags.cncf.io/container-device-interface/specs-go v0.8.0/go.mod h1:BhJIkjjPh4qpys+qm4DAYtUyryaTDg9zris+AczXyws=

pkg/init/vendor/github.com/AdaLogics/go-fuzz-headers/consumer.go

@@ -48,6 +48,7 @@ type ConsumeFuzzer struct {
 	NumberOfCalls        int
 	position             uint32
 	fuzzUnexportedFields bool
+	forceUTF8Strings     bool
 	curDepth             int
 	Funcs                map[reflect.Type]reflect.Value
 }
@@ -104,6 +105,14 @@ func (f *ConsumeFuzzer) DisallowUnexportedFields() {
 	f.fuzzUnexportedFields = false
 }
 
+func (f *ConsumeFuzzer) AllowNonUTF8Strings() {
+	f.forceUTF8Strings = false
+}
+
+func (f *ConsumeFuzzer) DisallowNonUTF8Strings() {
+	f.forceUTF8Strings = true
+}
+
 func (f *ConsumeFuzzer) GenerateStruct(targetStruct interface{}) error {
 	e := reflect.ValueOf(targetStruct).Elem()
 	return f.fuzzStruct(e, false)
@@ -224,6 +233,14 @@ func (f *ConsumeFuzzer) fuzzStruct(e reflect.Value, customFunctions bool) error
 		if e.CanSet() {
 			e.Set(uu)
 		}
+	case reflect.Uint:
+		newInt, err := f.GetUint()
+		if err != nil {
+			return err
+		}
+		if e.CanSet() {
+			e.SetUint(uint64(newInt))
+		}
 	case reflect.Uint16:
 		newInt, err := f.GetUint16()
 		if err != nil {
@@ -309,6 +326,14 @@ func (f *ConsumeFuzzer) fuzzStruct(e reflect.Value, customFunctions bool) error
 		if e.CanSet() {
 			e.SetUint(uint64(b))
 		}
+	case reflect.Bool:
+		b, err := f.GetBool()
+		if err != nil {
+			return err
+		}
+		if e.CanSet() {
+			e.SetBool(b)
+		}
 	}
 	return nil
 }
@@ -410,6 +435,23 @@ func (f *ConsumeFuzzer) GetUint64() (uint64, error) {
 	return binary.BigEndian.Uint64(u64), nil
 }
 
+func (f *ConsumeFuzzer) GetUint() (uint, error) {
+	var zero uint
+	size := int(unsafe.Sizeof(zero))
+	if size == 8 {
+		u64, err := f.GetUint64()
+		if err != nil {
+			return 0, err
+		}
+		return uint(u64), nil
+	}
+	u32, err := f.GetUint32()
+	if err != nil {
+		return 0, err
+	}
+	return uint(u32), nil
+}
+
 func (f *ConsumeFuzzer) GetBytes() ([]byte, error) {
 	var length uint32
 	var err error
@@ -461,7 +503,11 @@ func (f *ConsumeFuzzer) GetString() (string, error) {
 		return "nil", errors.New("numbers overflow")
 	}
 	f.position = byteBegin + length
-	return string(f.data[byteBegin:f.position]), nil
+	s := string(f.data[byteBegin:f.position])
+	if f.forceUTF8Strings {
+		s = strings.ToValidUTF8(s, "")
+	}
+	return s, nil
 }
 
 func (f *ConsumeFuzzer) GetBool() (bool, error) {

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/hns/hnsendpoint.go

@@ -29,7 +29,7 @@ const (
 )
 
 func (es EndpointState) String() string {
-	return [...]string{"Uninitialized", "Attached", "AttachedSharing", "Detached", "Degraded", "Destroyed"}[es]
+	return [...]string{"Uninitialized", "Created", "Attached", "AttachedSharing", "Detached", "Degraded", "Destroyed"}[es]
 }
 
 // HNSEndpoint represents a network endpoint in HNS

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/jobobject/jobobject.go

@@ -188,7 +188,7 @@ func Open(ctx context.Context, options *Options) (_ *JobObject, err error) {
 			return nil, winapi.RtlNtStatusToDosError(status)
 		}
 	} else {
-		jobHandle, err = winapi.OpenJobObject(winapi.JOB_OBJECT_ALL_ACCESS, 0, unicodeJobName.Buffer)
+		jobHandle, err = winapi.OpenJobObject(winapi.JOB_OBJECT_ALL_ACCESS, false, unicodeJobName.Buffer)
 		if err != nil {
 			return nil, err
 		}
@@ -523,12 +523,9 @@ func (job *JobObject) ApplyFileBinding(root, target string, readOnly bool) error
 func isJobSilo(h windows.Handle) bool {
 	// None of the information from the structure that this info class expects will be used, this is just used as
 	// the call will fail if the job hasn't been upgraded to a silo so we can use this to tell when we open a job
-	// if it's a silo or not. Because none of the info matters simply define a dummy struct with the size that the call
-	// expects which is 16 bytes.
-	type isSiloObj struct {
-		_ [16]byte
-	}
-	var siloInfo isSiloObj
+	// if it's a silo or not. We still need to define the struct layout as expected by Win32, else the struct
+	// alignment might be different and the call will fail.
+	var siloInfo winapi.SILOOBJECT_BASIC_INFORMATION
 	err := winapi.QueryInformationJobObject(
 		h,
 		winapi.JobObjectSiloBasicInformation,

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/oc/errors.go

@@ -6,7 +6,7 @@ import (
 	"net"
 	"os"
 
-	"github.com/containerd/errdefs"
+	errdefs "github.com/containerd/errdefs/pkg/errgrpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/vhdx/doc.go

@@ -0,0 +1,3 @@
+// vhdx package adds the utility methods necessary to deal with the vhdx that are used as the scratch
+// space for the containers and the uvm.
+package vhdx

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/vhdx/info.go

@@ -0,0 +1,233 @@
+//go:build windows
+
+package vhdx
+
+import (
+	"bytes"
+	"context"
+	"encoding/binary"
+	"fmt"
+	"os"
+	"syscall"
+	"unsafe"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+	"github.com/Microsoft/go-winio/vhd"
+	"github.com/Microsoft/hcsshim/internal/log"
+	"github.com/Microsoft/hcsshim/internal/oc"
+	"github.com/sirupsen/logrus"
+	"go.opencensus.io/trace"
+	"golang.org/x/sys/windows"
+)
+
+const _IOCTL_DISK_GET_DRIVE_LAYOUT_EX = 0x00070050
+
+var partitionBasicDataGUID = guid.GUID{
+	Data1: 0xebd0a0a2,
+	Data2: 0xb9e5,
+	Data3: 0x4433,
+	Data4: [8]byte{0x87, 0xc0, 0x68, 0xb6, 0xb7, 0x26, 0x99, 0xc7},
+}
+
+const (
+	partitionStyleMBR uint32 = iota
+	partitionStyleGPT
+	partitionStyleRaw
+)
+
+// type partitionInformationMBR struct {
+// 	PartitionType       uint8
+// 	BootIndicator       uint8
+// 	RecognizedPartition uint8
+// 	HiddenSectors       uint32
+// 	PartitionId         guid.GUID
+// }
+
+type partitionInformationGPT struct {
+	PartitionType guid.GUID
+	PartitionId   guid.GUID
+	Attributes    uint64
+	Name          [72]byte // wide char
+}
+
+type partitionInformationEx struct {
+	PartitionStyle     uint32
+	StartingOffset     int64
+	PartitionLength    int64
+	PartitionNumber    uint32
+	RewritePartition   uint8
+	IsServicePartition uint8
+	_                  uint16
+	// A union of partitionInformationMBR and partitionInformationGPT
+	// since partitionInformationGPT is largest with 112 bytes
+	GptMbrUnion [112]byte
+}
+
+type driveLayoutInformationGPT struct {
+	DiskID               guid.GUID
+	StartingUsableOffset int64
+	UsableLength         int64
+	MaxPartitionCount    uint32
+}
+
+// type driveLayoutInformationMBR struct {
+// 	Signature uint32
+// 	Checksum  uint32
+// }
+
+type driveLayoutInformationEx struct {
+	PartitionStyle uint32
+	PartitionCount uint32
+	// A union of driveLayoutInformationGPT and driveLayoutInformationMBR
+	// since driveLayoutInformationGPT is largest with 40 bytes
+	GptMbrUnion    [40]byte
+	PartitionEntry [1]partitionInformationEx
+}
+
+// Takes the physical path of a disk and retrieves the drive layout information of that disk.  Returns the
+// driveLayoutInformationEx struct and a slice of partitionInfomrationEx struct containing one element for
+// each partition found on the vhdx. Note: some of the members like (GptMbrUnion) of these structs are raw
+// byte arrays and it is the responsibility of the calling function to properly parse them.
+func getDriveLayout(ctx context.Context, drivePhysicalPath string) (driveLayoutInformationEx, []partitionInformationEx, error) {
+	var (
+		outBytes uint32
+		err      error
+		volume   *os.File
+	)
+
+	layoutData := struct {
+		info driveLayoutInformationEx
+		// driveLayoutInformationEx has a flexible array member at the end. The data returned
+		// by IOCTL_DISK_GET_DRIVE_LAYOUT_EX usually has driveLayoutInformationEx.PartitionCount
+		// number of elements in this array. For all practical purposes we don't expect to have
+		// more than 64 partitions in a container/uvm vhdx.
+		partitions [63]partitionInformationEx
+	}{}
+
+	volume, err = os.OpenFile(drivePhysicalPath, os.O_RDONLY, 0)
+	if err != nil {
+		return layoutData.info, layoutData.partitions[:0], fmt.Errorf("failed to open drive: %w", err)
+	}
+	defer volume.Close()
+
+	err = windows.DeviceIoControl(windows.Handle(volume.Fd()),
+		_IOCTL_DISK_GET_DRIVE_LAYOUT_EX,
+		nil,
+		0,
+		(*byte)(unsafe.Pointer(&layoutData)),
+		uint32(unsafe.Sizeof(layoutData)),
+		&outBytes,
+		nil)
+	if err != nil {
+		return layoutData.info, layoutData.partitions[:0], fmt.Errorf("IOCTL to get disk layout failed: %w", err)
+	}
+
+	if layoutData.info.PartitionCount == 0 {
+		return layoutData.info, []partitionInformationEx{}, nil
+	} else {
+		// parse the retrieved data into driveLayoutInformationEx and partitionInformationEx
+		partitions := make([]partitionInformationEx, layoutData.info.PartitionCount)
+		partitions[0] = layoutData.info.PartitionEntry[0]
+		copy(partitions[1:], layoutData.partitions[:layoutData.info.PartitionCount-1])
+		return layoutData.info, partitions, nil
+	}
+}
+
+// Scratch VHDs are formatted with GPT style and have 1 MSFT_RESERVED
+// partition and 1 BASIC_DATA partition.  This struct contains the
+// partitionID of this BASIC_DATA partition and the DiskID of this
+// scratch vhdx.
+type ScratchVhdxPartitionInfo struct {
+	DiskID      guid.GUID
+	PartitionID guid.GUID
+}
+
+// Returns the VhdxInfo of a GPT vhdx at path vhdxPath.
+func GetScratchVhdPartitionInfo(ctx context.Context, vhdxPath string) (_ ScratchVhdxPartitionInfo, err error) {
+	var (
+		diskHandle       syscall.Handle
+		driveLayout      driveLayoutInformationEx
+		partitions       []partitionInformationEx
+		gptDriveLayout   driveLayoutInformationGPT
+		gptPartitionInfo partitionInformationGPT
+		volumePath       string
+	)
+
+	title := "hcsshim::GetScratchVhdPartitionInfo"
+	ctx, span := trace.StartSpan(ctx, title)
+	defer span.End()
+	defer func() { oc.SetSpanStatus(span, err) }()
+	span.AddAttributes(
+		trace.StringAttribute("path", vhdxPath))
+
+	diskHandle, err = vhd.OpenVirtualDisk(vhdxPath, vhd.VirtualDiskAccessNone, vhd.OpenVirtualDiskFlagNone)
+	if err != nil {
+		return ScratchVhdxPartitionInfo{}, fmt.Errorf("get scratch vhd info failed: %w", err)
+	}
+	defer func() {
+		if closeErr := syscall.CloseHandle(diskHandle); closeErr != nil {
+			log.G(ctx).WithFields(logrus.Fields{
+				"disk path": vhdxPath,
+				"error":     closeErr,
+			}).Warn("failed to close vhd handle")
+		}
+	}()
+
+	err = vhd.AttachVirtualDisk(diskHandle, vhd.AttachVirtualDiskFlagNone, &vhd.AttachVirtualDiskParameters{Version: 2})
+	if err != nil {
+		return ScratchVhdxPartitionInfo{}, fmt.Errorf("get scratch vhd info failed: %w", err)
+	}
+
+	defer func() {
+		if detachErr := vhd.DetachVirtualDisk(diskHandle); detachErr != nil {
+			log.G(ctx).WithFields(logrus.Fields{
+				"disk path": vhdxPath,
+				"error":     detachErr,
+			}).Warn("failed to detach vhd")
+		}
+	}()
+
+	volumePath, err = vhd.GetVirtualDiskPhysicalPath(diskHandle)
+	if err != nil {
+		return ScratchVhdxPartitionInfo{}, fmt.Errorf("get vhd physical path: %w", err)
+	}
+
+	driveLayout, partitions, err = getDriveLayout(ctx, volumePath)
+	if err != nil {
+		return ScratchVhdxPartitionInfo{}, err
+	}
+
+	if driveLayout.PartitionStyle != partitionStyleGPT {
+		return ScratchVhdxPartitionInfo{}, fmt.Errorf("drive Layout:Expected partition style GPT(%d) found %d", partitionStyleGPT, driveLayout.PartitionStyle)
+	}
+
+	if driveLayout.PartitionCount != 2 || len(partitions) != 2 {
+		return ScratchVhdxPartitionInfo{}, fmt.Errorf("expected exactly 2 partitions. Got %d partitions and partition count of %d", len(partitions), driveLayout.PartitionCount)
+	}
+
+	if partitions[1].PartitionStyle != partitionStyleGPT {
+		return ScratchVhdxPartitionInfo{}, fmt.Errorf("partition Info:Expected partition style GPT(%d) found %d", partitionStyleGPT, partitions[1].PartitionStyle)
+	}
+
+	bufReader := bytes.NewBuffer(driveLayout.GptMbrUnion[:])
+	if err := binary.Read(bufReader, binary.LittleEndian, &gptDriveLayout); err != nil {
+		return ScratchVhdxPartitionInfo{}, fmt.Errorf("failed to parse drive GPT layout: %w", err)
+	}
+
+	bufReader = bytes.NewBuffer(partitions[1].GptMbrUnion[:])
+	if err := binary.Read(bufReader, binary.LittleEndian, &gptPartitionInfo); err != nil {
+		return ScratchVhdxPartitionInfo{}, fmt.Errorf("failed to parse GPT partition info: %w", err)
+	}
+
+	if gptPartitionInfo.PartitionType != partitionBasicDataGUID {
+		return ScratchVhdxPartitionInfo{}, fmt.Errorf("expected partition type to have %s GUID found %s instead", partitionBasicDataGUID, gptPartitionInfo.PartitionType)
+	}
+
+	log.G(ctx).WithFields(logrus.Fields{
+		"Disk ID":          gptDriveLayout.DiskID,
+		"GPT Partition ID": gptPartitionInfo.PartitionId,
+	}).Debug("Scratch VHD partition info")
+
+	return ScratchVhdxPartitionInfo{DiskID: gptDriveLayout.DiskID, PartitionID: gptPartitionInfo.PartitionId}, nil
+
+}

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/wclayer/cim/LayerWriter.go

@@ -0,0 +1,289 @@
+//go:build windows
+
+package cim
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/Microsoft/hcsshim/internal/log"
+	"github.com/Microsoft/hcsshim/internal/oc"
+	"github.com/Microsoft/hcsshim/internal/wclayer"
+	"github.com/Microsoft/hcsshim/osversion"
+	"github.com/Microsoft/hcsshim/pkg/cimfs"
+	"go.opencensus.io/trace"
+)
+
+// A CimLayerWriter implements the wclayer.LayerWriter interface to allow writing container
+// image layers in the cim format.
+// A cim layer consist of cim files (which are usually stored in the `cim-layers` directory and
+// some other files which are stored in the directory of that layer (i.e the `path` directory).
+type CimLayerWriter struct {
+	ctx context.Context
+	s   *trace.Span
+	// path to the layer (i.e layer's directory) as provided by the caller.
+	// Even if a layer is stored as a cim in the cim directory, some files associated
+	// with a layer are still stored in this path.
+	path string
+	// parent layer paths
+	parentLayerPaths []string
+	// Handle to the layer cim - writes to the cim file
+	cimWriter *cimfs.CimFsWriter
+	// Handle to the writer for writing files in the local filesystem
+	stdFileWriter *stdFileWriter
+	// reference to currently active writer either cimWriter or stdFileWriter
+	activeWriter io.Writer
+	// denotes if this layer has the UtilityVM directory
+	hasUtilityVM bool
+	// some files are written outside the cim during initial import (via stdFileWriter) because we need to
+	// make some modifications to these files before writing them to the cim. The pendingOps slice
+	// maintains a list of such delayed modifications to the layer cim. These modifications are applied at
+	// the very end of layer import process.
+	pendingOps []pendingCimOp
+}
+
+type hive struct {
+	name  string
+	base  string
+	delta string
+}
+
+var (
+	hives = []hive{
+		{"SYSTEM", "SYSTEM_BASE", "SYSTEM_DELTA"},
+		{"SOFTWARE", "SOFTWARE_BASE", "SOFTWARE_DELTA"},
+		{"SAM", "SAM_BASE", "SAM_DELTA"},
+		{"SECURITY", "SECURITY_BASE", "SECURITY_DELTA"},
+		{"DEFAULT", "DEFAULTUSER_BASE", "DEFAULTUSER_DELTA"},
+	}
+)
+
+func isDeltaOrBaseHive(path string) bool {
+	for _, hv := range hives {
+		if strings.EqualFold(path, filepath.Join(wclayer.HivesPath, hv.delta)) ||
+			strings.EqualFold(path, filepath.Join(wclayer.RegFilesPath, hv.name)) {
+			return true
+		}
+	}
+	return false
+}
+
+// checks if this particular file should be written with a stdFileWriter instead of
+// using the cimWriter.
+func isStdFile(path string) bool {
+	return (isDeltaOrBaseHive(path) ||
+		path == filepath.Join(wclayer.UtilityVMPath, wclayer.RegFilesPath, "SYSTEM") ||
+		path == filepath.Join(wclayer.UtilityVMPath, wclayer.RegFilesPath, "SOFTWARE") ||
+		path == wclayer.BcdFilePath || path == wclayer.BootMgrFilePath)
+}
+
+// Add adds a file to the layer with given metadata.
+func (cw *CimLayerWriter) Add(name string, fileInfo *winio.FileBasicInfo, fileSize int64, securityDescriptor []byte, extendedAttributes []byte, reparseData []byte) error {
+	if name == wclayer.UtilityVMPath {
+		cw.hasUtilityVM = true
+	}
+	if isStdFile(name) {
+		// create a pending op for this file
+		cw.pendingOps = append(cw.pendingOps, &addOp{
+			pathInCim:          name,
+			hostPath:           filepath.Join(cw.path, name),
+			fileInfo:           fileInfo,
+			securityDescriptor: securityDescriptor,
+			extendedAttributes: extendedAttributes,
+			reparseData:        reparseData,
+		})
+		if err := cw.stdFileWriter.Add(name); err != nil {
+			return err
+		}
+		cw.activeWriter = cw.stdFileWriter
+	} else {
+		if err := cw.cimWriter.AddFile(name, fileInfo, fileSize, securityDescriptor, extendedAttributes, reparseData); err != nil {
+			return err
+		}
+		cw.activeWriter = cw.cimWriter
+	}
+	return nil
+}
+
+// AddLink adds a hard link to the layer. The target must already have been added.
+func (cw *CimLayerWriter) AddLink(name string, target string) error {
+	// set active write to nil so that we panic if layer tar is incorrectly formatted.
+	cw.activeWriter = nil
+	if isStdFile(target) {
+		// If this is a link to a std file it will have to be added later once the
+		// std file is written to the CIM. Create a pending op for this
+		cw.pendingOps = append(cw.pendingOps, &linkOp{
+			oldPath: target,
+			newPath: name,
+		})
+		return nil
+	} else if isStdFile(name) {
+		// None of the predefined std files are links. If they show up as links this is unexpected
+		// behavior. Error out.
+		return fmt.Errorf("unexpected link %s in layer", name)
+	} else {
+		return cw.cimWriter.AddLink(target, name)
+	}
+}
+
+// AddAlternateStream creates another alternate stream at the given
+// path. Any writes made after this call will go to that stream.
+func (cw *CimLayerWriter) AddAlternateStream(name string, size uint64) error {
+	if isStdFile(name) {
+		// As of now there is no known case of std file having multiple data streams.
+		// If such a file is encountered our assumptions are wrong. Error out.
+		return fmt.Errorf("unexpected alternate stream %s in layer", name)
+	}
+
+	if err := cw.cimWriter.CreateAlternateStream(name, size); err != nil {
+		return err
+	}
+	cw.activeWriter = cw.cimWriter
+	return nil
+}
+
+// Remove removes a file that was present in a parent layer from the layer.
+func (cw *CimLayerWriter) Remove(name string) error {
+	// set active write to nil so that we panic if layer tar is incorrectly formatted.
+	cw.activeWriter = nil
+	return cw.cimWriter.Unlink(name)
+}
+
+// Write writes data to the current file. The data must be in the format of a Win32
+// backup stream.
+func (cw *CimLayerWriter) Write(b []byte) (int, error) {
+	return cw.activeWriter.Write(b)
+}
+
+// Close finishes the layer writing process and releases any resources.
+func (cw *CimLayerWriter) Close(ctx context.Context) (retErr error) {
+	if err := cw.stdFileWriter.Close(ctx); err != nil {
+		return err
+	}
+
+	// cimWriter must be closed even if there are errors.
+	defer func() {
+		if err := cw.cimWriter.Close(); retErr == nil {
+			retErr = err
+		}
+	}()
+
+	// Find out the osversion of this layer, both base & non-base layers can have UtilityVM layer.
+	processUtilityVM := false
+	if cw.hasUtilityVM {
+		uvmSoftwareHivePath := filepath.Join(cw.path, wclayer.UtilityVMPath, wclayer.RegFilesPath, "SOFTWARE")
+		osvStr, err := getOsBuildNumberFromRegistry(uvmSoftwareHivePath)
+		if err != nil {
+			return fmt.Errorf("read os version string from UtilityVM SOFTWARE hive: %w", err)
+		}
+
+		osv, err := strconv.ParseUint(osvStr, 10, 16)
+		if err != nil {
+			return fmt.Errorf("parse os version string (%s): %w", osvStr, err)
+		}
+
+		// write this version to a file for future reference by the shim process
+		if err = wclayer.WriteLayerUvmBuildFile(cw.path, uint16(osv)); err != nil {
+			return fmt.Errorf("write uvm build version: %w", err)
+		}
+
+		// CIMFS for hyperV isolated is only supported after 20348, processing UtilityVM layer on 2048
+		// & lower will cause failures since those images won't have CIMFS specific UVM files (mostly
+		// BCD entries required for CIMFS)
+		processUtilityVM = (osv > osversion.LTSC2022)
+		log.G(ctx).Debugf("import image os version %d, processing UtilityVM layer: %t\n", osv, processUtilityVM)
+	}
+
+	if len(cw.parentLayerPaths) == 0 {
+		if err := cw.processBaseLayer(ctx, processUtilityVM); err != nil {
+			return fmt.Errorf("process base layer: %w", err)
+		}
+	} else {
+		if err := cw.processNonBaseLayer(ctx, processUtilityVM); err != nil {
+			return fmt.Errorf("process non base layer: %w", err)
+		}
+	}
+
+	for _, op := range cw.pendingOps {
+		if err := op.apply(cw.cimWriter); err != nil {
+			return fmt.Errorf("apply pending operations: %w", err)
+		}
+	}
+	return nil
+}
+
+func NewCimLayerWriter(ctx context.Context, path string, parentLayerPaths []string) (_ *CimLayerWriter, err error) {
+	if !cimfs.IsCimFSSupported() {
+		return nil, fmt.Errorf("CimFs not supported on this build")
+	}
+
+	ctx, span := trace.StartSpan(ctx, "hcsshim::NewCimLayerWriter")
+	defer func() {
+		if err != nil {
+			oc.SetSpanStatus(span, err)
+			span.End()
+		}
+	}()
+	span.AddAttributes(
+		trace.StringAttribute("path", path),
+		trace.StringAttribute("parentLayerPaths", strings.Join(parentLayerPaths, ", ")))
+
+	parentCim := ""
+	cimDirPath := GetCimDirFromLayer(path)
+	if _, err = os.Stat(cimDirPath); os.IsNotExist(err) {
+		// create cim directory
+		if err = os.Mkdir(cimDirPath, 0755); err != nil {
+			return nil, fmt.Errorf("failed while creating cim layers directory: %w", err)
+		}
+	} else if err != nil {
+		return nil, fmt.Errorf("unable to access cim layers directory: %w", err)
+
+	}
+
+	if len(parentLayerPaths) > 0 {
+		parentCim = GetCimNameFromLayer(parentLayerPaths[0])
+	}
+
+	cim, err := cimfs.Create(cimDirPath, parentCim, GetCimNameFromLayer(path))
+	if err != nil {
+		return nil, fmt.Errorf("error in creating a new cim: %w", err)
+	}
+
+	sfw, err := newStdFileWriter(path, parentLayerPaths)
+	if err != nil {
+		return nil, fmt.Errorf("error in creating new standard file writer: %w", err)
+	}
+	return &CimLayerWriter{
+		ctx:              ctx,
+		s:                span,
+		path:             path,
+		parentLayerPaths: parentLayerPaths,
+		cimWriter:        cim,
+		stdFileWriter:    sfw,
+	}, nil
+}
+
+// DestroyCimLayer destroys a cim layer i.e it removes all the cimfs files for the given layer as well as
+// all of the other files that are stored in the layer directory (at path `layerPath`).
+// If this is not a cimfs layer (i.e a cim file for the given layer does not exist) then nothing is done.
+func DestroyCimLayer(ctx context.Context, layerPath string) error {
+	cimPath := GetCimPathFromLayer(layerPath)
+
+	// verify that such a cim exists first, sometimes containerd tries to call
+	// this with the root snapshot directory as the layer path. We don't want to
+	// destroy everything inside the snapshots directory.
+	if _, err := os.Stat(cimPath); err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	return cimfs.DestroyCim(ctx, cimPath)
+}

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/wclayer/cim/bcd.go

@@ -0,0 +1,107 @@
+//go:build windows
+
+package cim
+
+import (
+	"bytes"
+	"fmt"
+	"os/exec"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+)
+
+const (
+	bcdFilePath              = "UtilityVM\\Files\\EFI\\Microsoft\\Boot\\BCD"
+	cimfsDeviceOptionsID     = "{763e9fea-502d-434f-aad9-5fabe9c91a7b}"
+	vmbusDeviceID            = "{c63c9bdf-5fa5-4208-b03f-6b458b365592}"
+	compositeDeviceOptionsID = "{e1787220-d17f-49e7-977a-d8fe4c8537e2}"
+	bootContainerID          = "{b890454c-80de-4e98-a7ab-56b74b4fbd0c}"
+)
+
+func bcdExec(storePath string, args ...string) error {
+	var out bytes.Buffer
+	argsArr := []string{"/store", storePath, "/offline"}
+	argsArr = append(argsArr, args...)
+	cmd := exec.Command("bcdedit.exe", argsArr...)
+	cmd.Stdout = &out
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("bcd command (%s) failed: %w", cmd, err)
+	}
+	return nil
+}
+
+// A registry configuration required for the uvm.
+func setBcdRestartOnFailure(storePath string) error {
+	return bcdExec(storePath, "/set", "{default}", "restartonfailure", "yes")
+}
+
+func setBcdCimBootDevice(storePath, cimPathRelativeToVSMB string, diskID, partitionID guid.GUID) error {
+	// create options for cimfs boot device
+	if err := bcdExec(storePath, "/create", cimfsDeviceOptionsID, "/d", "CimFS Device Options", "/device"); err != nil {
+		return err
+	}
+
+	// Set options. For now we need to set 2 options. First is the parent device i.e the device under
+	// which all cim files will be available. Second is the path of the cim (from which this UVM should
+	// boot) relative to the parent device. Note that even though the 2nd option is named
+	// `cimfsrootdirectory` it expects a path to the cim file and not a directory path.
+	if err := bcdExec(storePath, "/set", cimfsDeviceOptionsID, "cimfsparentdevice", fmt.Sprintf("vmbus=%s", vmbusDeviceID)); err != nil {
+		return err
+	}
+
+	if err := bcdExec(storePath, "/set", cimfsDeviceOptionsID, "cimfsrootdirectory", fmt.Sprintf("\\%s", cimPathRelativeToVSMB)); err != nil {
+		return err
+	}
+
+	// create options for the composite device
+	if err := bcdExec(storePath, "/create", compositeDeviceOptionsID, "/d", "Composite Device Options", "/device"); err != nil {
+		return err
+	}
+
+	// We need to specify the diskID & the partition ID of the boot disk and we need to set the cimfs boot
+	// options ID
+	partitionStr := fmt.Sprintf("gpt_partition={%s};{%s}", diskID, partitionID)
+	if err := bcdExec(storePath, "/set", compositeDeviceOptionsID, "primarydevice", partitionStr); err != nil {
+		return err
+	}
+
+	if err := bcdExec(storePath, "/set", compositeDeviceOptionsID, "secondarydevice", fmt.Sprintf("cimfs=%s,%s", bootContainerID, cimfsDeviceOptionsID)); err != nil {
+		return err
+	}
+
+	if err := bcdExec(storePath, "/set", "{default}", "device", fmt.Sprintf("composite=0,%s", compositeDeviceOptionsID)); err != nil {
+		return err
+	}
+
+	if err := bcdExec(storePath, "/set", "{default}", "osdevice", fmt.Sprintf("composite=0,%s", compositeDeviceOptionsID)); err != nil {
+		return err
+	}
+
+	// Since our UVM file are stored under UtilityVM\Files directory inside the CIM we must prepend that
+	// directory in front of paths used by bootmgr
+	if err := bcdExec(storePath, "/set", "{default}", "path", "\\UtilityVM\\Files\\Windows\\System32\\winload.efi"); err != nil {
+		return err
+	}
+
+	if err := bcdExec(storePath, "/set", "{default}", "systemroot", "\\UtilityVM\\Files\\Windows"); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// updateBcdStoreForBoot Updates the bcd store at path layerPath + UtilityVM\Files\EFI\Microsoft\Boot\BCD` to
+// boot with the disk with given ID and given partitionID.  cimPathRelativeToVSMB is the path of the cim which
+// will be used for booting this UVM relative to the VSMB share. (Usually, the entire snapshots directory will
+// be shared over VSMB, so if this is the cim-layers\1.cim under that directory, the value of
+// `cimPathRelativeToVSMB` should be cim-layers\1.cim)
+func updateBcdStoreForBoot(storePath string, cimPathRelativeToVSMB string, diskID, partitionID guid.GUID) error {
+	if err := setBcdRestartOnFailure(storePath); err != nil {
+		return err
+	}
+
+	if err := setBcdCimBootDevice(storePath, cimPathRelativeToVSMB, diskID, partitionID); err != nil {
+		return err
+	}
+	return nil
+}

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/wclayer/cim/common.go

@@ -0,0 +1,41 @@
+//go:build windows
+
+package cim
+
+import (
+	"os"
+	"path/filepath"
+)
+
+const (
+	// name of the directory in which cims are stored
+	cimDir = "cim-layers"
+)
+
+// Usually layers are stored at ./root/io.containerd.snapshotter.v1.windows/snapshots/<layerid>. For cimfs we
+// must store all layer cims in the same directory (for forked cims to work). So all cim layers are stored in
+// /root/io.containerd.snapshotter.v1.windows/snapshots/cim-layers. And the cim file representing each
+// individual layer is stored at /root/io.containerd.snapshotter.v1.windows/snapshots/cim-layers/<layerid>.cim
+
+// CimName is the filename (<layerid>.cim) of the file representing the cim
+func GetCimNameFromLayer(layerPath string) string {
+	return filepath.Base(layerPath) + ".cim"
+}
+
+// CimPath is the path to the CimDir/<layerid>.cim file that represents a layer cim.
+func GetCimPathFromLayer(layerPath string) string {
+	return filepath.Join(GetCimDirFromLayer(layerPath), GetCimNameFromLayer(layerPath))
+}
+
+// CimDir is the directory inside which all cims are stored.
+func GetCimDirFromLayer(layerPath string) string {
+	dir := filepath.Dir(layerPath)
+	return filepath.Join(dir, cimDir)
+}
+
+// IsCimLayer returns `true` if the layer at path `layerPath` is a cim layer. Returns `false` otherwise.
+func IsCimLayer(layerPath string) bool {
+	cimPath := GetCimPathFromLayer(layerPath)
+	_, err := os.Stat(cimPath)
+	return (err == nil)
+}

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/wclayer/cim/doc.go

@@ -0,0 +1,3 @@
+// This package provides utilities for working with container image layers in the cim format
+// via the wclayer APIs.
+package cim

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/wclayer/cim/file_writer.go

@@ -0,0 +1,90 @@
+//go:build windows
+
+package cim
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"syscall"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/Microsoft/hcsshim/internal/safefile"
+	"github.com/Microsoft/hcsshim/internal/winapi"
+)
+
+// stdFileWriter writes the files of a layer to the layer folder instead of writing them inside the cim.
+// For some files (like the Hive files or some UtilityVM files) it is necessary to write them as a normal file
+// first, do some modifications on them (for example merging of hives or processing of UtilityVM files)
+// and then write the modified versions into the cim. This writer is used for such files.
+type stdFileWriter struct {
+	activeFile *os.File
+	// parent layer paths
+	parentLayerPaths []string
+	// path to the current layer
+	path string
+	// the open handle to the path directory
+	root *os.File
+}
+
+func newStdFileWriter(root string, parentRoots []string) (sfw *stdFileWriter, err error) {
+	sfw = &stdFileWriter{
+		path:             root,
+		parentLayerPaths: parentRoots,
+	}
+	sfw.root, err = safefile.OpenRoot(root)
+	if err != nil {
+		return
+	}
+	return
+}
+
+func (sfw *stdFileWriter) closeActiveFile() (err error) {
+	if sfw.activeFile != nil {
+		err = sfw.activeFile.Close()
+		sfw.activeFile = nil
+	}
+	return
+}
+
+// Adds a new file or an alternate data stream to an existing file inside the layer directory.
+func (sfw *stdFileWriter) Add(name string) error {
+	if err := sfw.closeActiveFile(); err != nil {
+		return err
+	}
+
+	// The directory of this file might be created inside the cim.
+	// make sure we have the same parent directory chain here
+	if err := safefile.MkdirAllRelative(filepath.Dir(name), sfw.root); err != nil {
+		return fmt.Errorf("failed to create file %s: %w", name, err)
+	}
+
+	f, err := safefile.OpenRelative(
+		name,
+		sfw.root,
+		syscall.GENERIC_READ|syscall.GENERIC_WRITE|winio.WRITE_DAC|winio.WRITE_OWNER,
+		syscall.FILE_SHARE_READ,
+		winapi.FILE_CREATE,
+		0,
+	)
+	if err != nil {
+		return fmt.Errorf("error creating file %s: %w", name, err)
+	}
+	sfw.activeFile = f
+	return nil
+}
+
+// Write writes data to the current file. The data must be in the format of a Win32
+// backup stream.
+func (sfw *stdFileWriter) Write(b []byte) (int, error) {
+	return sfw.activeFile.Write(b)
+}
+
+// Close finishes the layer writing process and releases any resources.
+func (sfw *stdFileWriter) Close(ctx context.Context) error {
+	if err := sfw.closeActiveFile(); err != nil {
+		return fmt.Errorf("failed to close active file %s : %w", sfw.activeFile.Name(), err)
+	}
+	return nil
+}

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/wclayer/cim/mount.go

@@ -0,0 +1,89 @@
+//go:build windows
+
+package cim
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"sync"
+
+	"github.com/Microsoft/go-winio/pkg/guid"
+	hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
+	cimfs "github.com/Microsoft/hcsshim/pkg/cimfs"
+)
+
+// a cache of cim layer to its mounted volume - The mount manager plugin currently doesn't have an option of
+// querying a mounted cim to get the volume at which it is mounted, so we maintain a cache of that here
+var (
+	cimMounts       map[string]string = make(map[string]string)
+	cimMountMapLock sync.Mutex
+	// A random GUID used as a namespace for generating cim mount volume GUIDs: 6827367b-c388-4e9b-95ec-961c6d2c936c
+	cimMountNamespace guid.GUID = guid.GUID{Data1: 0x6827367b, Data2: 0xc388, Data3: 0x4e9b, Data4: [8]byte{0x96, 0x1c, 0x6d, 0x2c, 0x93, 0x6c}}
+)
+
+// MountCimLayer mounts the cim at path `cimPath` and returns the mount location of that cim.  This method
+// uses the `CimMountFlagCacheFiles` mount flag when mounting the cim.  The containerID is used to generated
+// the volumeID for the volume at which this CIM is mounted.  containerID is used so that if the shim process
+// crashes for any reason, the mounted cim can be correctly cleaned up during `shim delete` call.
+func MountCimLayer(ctx context.Context, cimPath, containerID string) (string, error) {
+	volumeGUID, err := guid.NewV5(cimMountNamespace, []byte(containerID))
+	if err != nil {
+		return "", fmt.Errorf("generated cim mount GUID: %w", err)
+	}
+
+	vol, err := cimfs.Mount(cimPath, volumeGUID, hcsschema.CimMountFlagCacheFiles)
+	if err != nil {
+		return "", err
+	}
+
+	cimMountMapLock.Lock()
+	defer cimMountMapLock.Unlock()
+	cimMounts[fmt.Sprintf("%s_%s", containerID, cimPath)] = vol
+
+	return vol, nil
+}
+
+// Unmount unmounts the cim at mounted for given container.
+func UnmountCimLayer(ctx context.Context, cimPath, containerID string) error {
+	cimMountMapLock.Lock()
+	defer cimMountMapLock.Unlock()
+	if vol, ok := cimMounts[fmt.Sprintf("%s_%s", containerID, cimPath)]; !ok {
+		return fmt.Errorf("cim %s not mounted", cimPath)
+	} else {
+		delete(cimMounts, fmt.Sprintf("%s_%s", containerID, cimPath))
+		err := cimfs.Unmount(vol)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// GetCimMountPath returns the volume at which a cim is mounted. If the cim is not mounted returns error
+func GetCimMountPath(cimPath, containerID string) (string, error) {
+	cimMountMapLock.Lock()
+	defer cimMountMapLock.Unlock()
+
+	if vol, ok := cimMounts[fmt.Sprintf("%s_%s", containerID, cimPath)]; !ok {
+		return "", fmt.Errorf("cim %s not mounted", cimPath)
+	} else {
+		return vol, nil
+	}
+}
+
+func CleanupContainerMounts(containerID string) error {
+	volumeGUID, err := guid.NewV5(cimMountNamespace, []byte(containerID))
+	if err != nil {
+		return fmt.Errorf("generated cim mount GUID: %w", err)
+	}
+
+	volPath := fmt.Sprintf("\\\\?\\Volume{%s}\\", volumeGUID.String())
+	if _, err := os.Stat(volPath); err == nil {
+		err = cimfs.Unmount(volPath)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/wclayer/cim/pending.go

@@ -0,0 +1,68 @@
+//go:build windows
+
+package cim
+
+import (
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/Microsoft/hcsshim/pkg/cimfs"
+	"golang.org/x/sys/windows"
+)
+
+type pendingCimOp interface {
+	apply(cw *cimfs.CimFsWriter) error
+}
+
+// add op represents a pending operation of adding a new file inside the cim
+type addOp struct {
+	// path inside the cim at which the file should be added
+	pathInCim string
+	// host path where this file was temporarily written.
+	hostPath string
+	// other file metadata fields that were provided during the add call.
+	fileInfo           *winio.FileBasicInfo
+	securityDescriptor []byte
+	extendedAttributes []byte
+	reparseData        []byte
+}
+
+func (o *addOp) apply(cw *cimfs.CimFsWriter) error {
+	f, err := os.Open(o.hostPath)
+	if err != nil {
+		return fmt.Errorf("open file %s: %w", o.hostPath, err)
+	}
+	defer f.Close()
+
+	fs, err := f.Stat()
+	if err != nil {
+		return fmt.Errorf("stat file %s: %w", o.hostPath, err)
+	}
+
+	if err := cw.AddFile(o.pathInCim, o.fileInfo, fs.Size(), o.securityDescriptor, o.extendedAttributes, o.reparseData); err != nil {
+		return fmt.Errorf("cim add file %s: %w", o.hostPath, err)
+	}
+
+	if o.fileInfo.FileAttributes != windows.FILE_ATTRIBUTE_DIRECTORY {
+		written, err := io.Copy(cw, f)
+		if err != nil {
+			return fmt.Errorf("write file %s inside cim: %w", o.hostPath, err)
+		} else if written != fs.Size() {
+			return fmt.Errorf("short write to cim for file %s, expected %d bytes wrote %d", o.hostPath, fs.Size(), written)
+		}
+	}
+	return nil
+}
+
+// linkOp represents a pending link file operation inside the cim
+type linkOp struct {
+	// old & new paths inside the cim where the link should be created
+	oldPath string
+	newPath string
+}
+
+func (o *linkOp) apply(cw *cimfs.CimFsWriter) error {
+	return cw.AddLink(o.oldPath, o.newPath)
+}

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/wclayer/cim/process.go

@@ -0,0 +1,230 @@
+//go:build windows
+
+package cim
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"syscall"
+	"time"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/Microsoft/go-winio/vhd"
+	"github.com/Microsoft/hcsshim/computestorage"
+	"github.com/Microsoft/hcsshim/internal/memory"
+	"github.com/Microsoft/hcsshim/internal/security"
+	"github.com/Microsoft/hcsshim/internal/vhdx"
+	"github.com/Microsoft/hcsshim/internal/wclayer"
+	"golang.org/x/sys/windows"
+)
+
+const defaultVHDXBlockSizeInMB = 1
+
+// processUtilityVMLayer is similar to createContainerBaseLayerVHDs but along with the scratch creation it
+// also does some BCD modifications to allow the UVM to boot from the CIM. It expects that the UVM BCD file is
+// present at layerPath/`wclayer.BcdFilePath` and a UVM SYSTEM hive is present at
+// layerPath/UtilityVM/`wclayer.RegFilesPath`/SYSTEM. The scratch VHDs are created under the `layerPath`
+// directory.
+func processUtilityVMLayer(ctx context.Context, layerPath string) error {
+	// func createUtilityVMLayerVHDs(ctx context.Context, layerPath string) error {
+	baseVhdPath := filepath.Join(layerPath, wclayer.UtilityVMPath, wclayer.UtilityVMBaseVhd)
+	diffVhdPath := filepath.Join(layerPath, wclayer.UtilityVMPath, wclayer.UtilityVMScratchVhd)
+	defaultVhdSize := uint64(10)
+
+	// Just create the vhdx for utilityVM layer, no need to format it.
+	createParams := &vhd.CreateVirtualDiskParameters{
+		Version: 2,
+		Version2: vhd.CreateVersion2{
+			MaximumSize:      defaultVhdSize * memory.GiB,
+			BlockSizeInBytes: defaultVHDXBlockSizeInMB * memory.MiB,
+		},
+	}
+
+	handle, err := vhd.CreateVirtualDisk(baseVhdPath, vhd.VirtualDiskAccessNone, vhd.CreateVirtualDiskFlagNone, createParams)
+	if err != nil {
+		return fmt.Errorf("failed to create vhdx: %w", err)
+	}
+
+	defer func() {
+		if err != nil {
+			os.RemoveAll(baseVhdPath)
+			os.RemoveAll(diffVhdPath)
+		}
+	}()
+
+	err = computestorage.FormatWritableLayerVhd(ctx, windows.Handle(handle))
+	closeErr := syscall.CloseHandle(handle)
+	if err != nil {
+		return err
+	} else if closeErr != nil {
+		return fmt.Errorf("failed to close vhdx handle: %w", closeErr)
+	}
+
+	partitionInfo, err := vhdx.GetScratchVhdPartitionInfo(ctx, baseVhdPath)
+	if err != nil {
+		return fmt.Errorf("failed to get base vhd layout info: %w", err)
+	}
+	// relativeCimPath needs to be the cim path relative to the snapshots directory. The snapshots
+	// directory is shared inside the UVM over VSMB, so during the UVM boot this relative path will be
+	// used to find the cim file under that VSMB share.
+	relativeCimPath := filepath.Join(filepath.Base(GetCimDirFromLayer(layerPath)), GetCimNameFromLayer(layerPath))
+	bcdPath := filepath.Join(layerPath, bcdFilePath)
+	if err = updateBcdStoreForBoot(bcdPath, relativeCimPath, partitionInfo.DiskID, partitionInfo.PartitionID); err != nil {
+		return fmt.Errorf("failed to update BCD: %w", err)
+	}
+
+	if err := enableCimBoot(filepath.Join(layerPath, wclayer.UtilityVMPath, wclayer.RegFilesPath, "SYSTEM")); err != nil {
+		return fmt.Errorf("failed to setup cim image for uvm boot: %w", err)
+	}
+
+	// Note: diff vhd creation and granting of vm group access must be done AFTER
+	// getting the partition info of the base VHD. Otherwise it causes the vhd parent
+	// chain to get corrupted.
+	// TODO(ambarve): figure out why this happens so that bcd update can be moved to a separate function
+
+	// Create the differencing disk that will be what's copied for the final rw layer
+	// for a container.
+	if err = vhd.CreateDiffVhd(diffVhdPath, baseVhdPath, defaultVHDXBlockSizeInMB); err != nil {
+		return fmt.Errorf("failed to create differencing disk: %w", err)
+	}
+
+	if err := security.GrantVmGroupAccess(baseVhdPath); err != nil {
+		return fmt.Errorf("failed to grant vm group access to %s: %w", baseVhdPath, err)
+	}
+	if err := security.GrantVmGroupAccess(diffVhdPath); err != nil {
+		return fmt.Errorf("failed to grant vm group access to %s: %w", diffVhdPath, err)
+	}
+	return nil
+}
+
+// processBaseLayerHives make the base layer specific modifications on the hives and emits equivalent the
+// pendingCimOps that should be applied on the CIM.  In base layer we need to create hard links from registry
+// hives under Files/Windows/Sysetm32/config into Hives/*_BASE. This function creates these links outside so
+// that the registry hives under Hives/ are available during children layers import.  Then we write these hive
+// files inside the cim and create links inside the cim.
+func processBaseLayerHives(layerPath string) ([]pendingCimOp, error) {
+	pendingOps := []pendingCimOp{}
+
+	// make hives directory both outside and in the cim
+	if err := os.Mkdir(filepath.Join(layerPath, wclayer.HivesPath), 0755); err != nil {
+		return pendingOps, fmt.Errorf("hives directory creation: %w", err)
+	}
+
+	hivesDirInfo := &winio.FileBasicInfo{
+		CreationTime:   windows.NsecToFiletime(time.Now().UnixNano()),
+		LastAccessTime: windows.NsecToFiletime(time.Now().UnixNano()),
+		LastWriteTime:  windows.NsecToFiletime(time.Now().UnixNano()),
+		ChangeTime:     windows.NsecToFiletime(time.Now().UnixNano()),
+		FileAttributes: windows.FILE_ATTRIBUTE_DIRECTORY,
+	}
+	pendingOps = append(pendingOps, &addOp{
+		pathInCim: wclayer.HivesPath,
+		hostPath:  filepath.Join(layerPath, wclayer.HivesPath),
+		fileInfo:  hivesDirInfo,
+	})
+
+	// add hard links from base hive files.
+	for _, hv := range hives {
+		oldHivePathRelative := filepath.Join(wclayer.RegFilesPath, hv.name)
+		newHivePathRelative := filepath.Join(wclayer.HivesPath, hv.base)
+		if err := os.Link(filepath.Join(layerPath, oldHivePathRelative), filepath.Join(layerPath, newHivePathRelative)); err != nil {
+			return pendingOps, fmt.Errorf("hive link creation: %w", err)
+		}
+
+		pendingOps = append(pendingOps, &linkOp{
+			oldPath: oldHivePathRelative,
+			newPath: newHivePathRelative,
+		})
+	}
+	return pendingOps, nil
+}
+
+// processLayoutFile creates a file named "layout" in the root of the base layer. This allows certain
+// container startup related functions to understand that the hives are a part of the container rootfs.
+func processLayoutFile(layerPath string) ([]pendingCimOp, error) {
+	fileContents := "vhd-with-hives\n"
+	if err := os.WriteFile(filepath.Join(layerPath, "layout"), []byte(fileContents), 0755); err != nil {
+		return []pendingCimOp{}, fmt.Errorf("write layout file: %w", err)
+	}
+
+	layoutFileInfo := &winio.FileBasicInfo{
+		CreationTime:   windows.NsecToFiletime(time.Now().UnixNano()),
+		LastAccessTime: windows.NsecToFiletime(time.Now().UnixNano()),
+		LastWriteTime:  windows.NsecToFiletime(time.Now().UnixNano()),
+		ChangeTime:     windows.NsecToFiletime(time.Now().UnixNano()),
+		FileAttributes: windows.FILE_ATTRIBUTE_NORMAL,
+	}
+
+	op := &addOp{
+		pathInCim: "layout",
+		hostPath:  filepath.Join(layerPath, "layout"),
+		fileInfo:  layoutFileInfo,
+	}
+	return []pendingCimOp{op}, nil
+}
+
+// Some of the layer files that are generated during the processBaseLayer call must be added back
+// inside the cim, some registry file links must be updated. This function takes care of all those
+// steps. This function opens the cim file for writing and updates it.
+func (cw *CimLayerWriter) processBaseLayer(ctx context.Context, processUtilityVM bool) (err error) {
+	if processUtilityVM {
+		if err = processUtilityVMLayer(ctx, cw.path); err != nil {
+			return fmt.Errorf("process utilityVM layer: %w", err)
+		}
+	}
+
+	ops, err := processBaseLayerHives(cw.path)
+	if err != nil {
+		return err
+	}
+	cw.pendingOps = append(cw.pendingOps, ops...)
+
+	ops, err = processLayoutFile(cw.path)
+	if err != nil {
+		return err
+	}
+	cw.pendingOps = append(cw.pendingOps, ops...)
+	return nil
+}
+
+// processNonBaseLayer takes care of the processing required for a non base layer. As of now
+// the only processing required for non base layer is to merge the delta registry hives of the
+// non-base layer with it's parent layer.
+func (cw *CimLayerWriter) processNonBaseLayer(ctx context.Context, processUtilityVM bool) (err error) {
+	for _, hv := range hives {
+		baseHive := filepath.Join(wclayer.HivesPath, hv.base)
+		deltaHive := filepath.Join(wclayer.HivesPath, hv.delta)
+		_, err := os.Stat(filepath.Join(cw.path, deltaHive))
+		// merge with parent layer if delta exists.
+		if err != nil && !os.IsNotExist(err) {
+			return fmt.Errorf("stat delta hive %s: %w", filepath.Join(cw.path, deltaHive), err)
+		} else if err == nil {
+			// merge base hive of parent layer with the delta hive of this layer and write it as
+			// the base hive of this layer.
+			err = mergeHive(filepath.Join(cw.parentLayerPaths[0], baseHive), filepath.Join(cw.path, deltaHive), filepath.Join(cw.path, baseHive))
+			if err != nil {
+				return err
+			}
+
+			// the newly created merged file must be added to the cim
+			cw.pendingOps = append(cw.pendingOps, &addOp{
+				pathInCim: baseHive,
+				hostPath:  filepath.Join(cw.path, baseHive),
+				fileInfo: &winio.FileBasicInfo{
+					CreationTime:   windows.NsecToFiletime(time.Now().UnixNano()),
+					LastAccessTime: windows.NsecToFiletime(time.Now().UnixNano()),
+					LastWriteTime:  windows.NsecToFiletime(time.Now().UnixNano()),
+					ChangeTime:     windows.NsecToFiletime(time.Now().UnixNano()),
+					FileAttributes: windows.FILE_ATTRIBUTE_NORMAL,
+				},
+			})
+		}
+	}
+
+	if processUtilityVM {
+		return processUtilityVMLayer(ctx, cw.path)
+	}
+	return nil
+}

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/wclayer/cim/registry.go

@@ -0,0 +1,172 @@
+//go:build windows
+
+package cim
+
+import (
+	"encoding/binary"
+	"fmt"
+	"os"
+	"unsafe"
+
+	"github.com/Microsoft/hcsshim/internal/log"
+	"github.com/Microsoft/hcsshim/internal/winapi"
+	"github.com/Microsoft/hcsshim/osversion"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+// enableCimBoot Opens the SYSTEM registry hive at path `hivePath` and updates it to include a CIMFS Start
+// registry key. This prepares the uvm to boot from a cim file if requested. The registry changes required to
+// actually make the uvm boot from a cim will be added in the uvm config (look at
+// addBootFromCimRegistryChanges for details).  This registry key needs to be available in the early boot
+// phase and so including it in the uvm config doesn't work.
+func enableCimBoot(hivePath string) (err error) {
+	dataZero := make([]byte, 4)
+	dataOne := make([]byte, 4)
+	binary.LittleEndian.PutUint32(dataOne, 1)
+	dataFour := make([]byte, 4)
+	binary.LittleEndian.PutUint32(dataFour, 4)
+
+	bootGUID, err := windows.UTF16FromString(bootContainerID)
+	if err != nil {
+		return fmt.Errorf("failed to encode boot guid to utf16: %w", err)
+	}
+
+	overrideBootPath, err := windows.UTF16FromString("\\Windows\\")
+	if err != nil {
+		return fmt.Errorf("failed to encode override boot path to utf16: %w", err)
+	}
+
+	regChanges := []struct {
+		keyPath   string
+		valueName string
+		valueType winapi.RegType
+		data      *byte
+		dataLen   uint32
+	}{
+		{"ControlSet001\\Control", "BootContainerGuid", winapi.REG_TYPE_SZ, (*byte)(unsafe.Pointer(&bootGUID[0])), 2 * uint32(len(bootGUID))},
+		{"ControlSet001\\Services\\UnionFS", "Start", winapi.REG_TYPE_DWORD, &dataZero[0], uint32(len(dataZero))},
+		{"ControlSet001\\Services\\wcifs", "Start", winapi.REG_TYPE_DWORD, &dataFour[0], uint32(len(dataZero))},
+		// The bootmgr loads the uvm files from the cim and so uses the relative path `UtilityVM\\Files` inside the cim to access the uvm files. However, once the cim is mounted UnionFS will merge the correct directory (UtilityVM\\Files) of the cim with the scratch and then that point onwards we don't need to use the relative path. Below registry key tells the kernel that the boot path that was provided in BCD should now be overriden with this new path.
+		{"Setup", "BootPathOverride", winapi.REG_TYPE_SZ, (*byte)(unsafe.Pointer(&overrideBootPath[0])), 2 * uint32(len(overrideBootPath))},
+	}
+
+	var storeHandle winapi.ORHKey
+	if err = winapi.OROpenHive(hivePath, &storeHandle); err != nil {
+		return fmt.Errorf("failed to open registry store at %s: %w", hivePath, err)
+	}
+
+	for _, change := range regChanges {
+		var changeKey winapi.ORHKey
+		if err = winapi.ORCreateKey(storeHandle, change.keyPath, 0, 0, 0, &changeKey, nil); err != nil {
+			return fmt.Errorf("failed to open reg key %s: %w", change.keyPath, err)
+		}
+
+		if err = winapi.ORSetValue(changeKey, change.valueName, uint32(change.valueType), change.data, change.dataLen); err != nil {
+			return fmt.Errorf("failed to set value for regkey %s\\%s : %w", change.keyPath, change.valueName, err)
+		}
+	}
+
+	// remove the existing file first
+	if err := os.Remove(hivePath); err != nil {
+		return fmt.Errorf("failed to remove existing registry %s: %w", hivePath, err)
+	}
+
+	if err = winapi.ORSaveHive(winapi.ORHKey(storeHandle), hivePath, uint32(osversion.Get().MajorVersion), uint32(osversion.Get().MinorVersion)); err != nil {
+		return fmt.Errorf("error saving the registry store: %w", err)
+	}
+
+	// close hive irrespective of the errors
+	if err := winapi.ORCloseHive(winapi.ORHKey(storeHandle)); err != nil {
+		return fmt.Errorf("error closing registry store; %w", err)
+	}
+	return nil
+
+}
+
+// mergeHive merges the hive located at parentHivePath with the hive located at deltaHivePath and stores
+// the result into the file at mergedHivePath. If a file already exists at path `mergedHivePath` then it
+// throws an error.
+func mergeHive(parentHivePath, deltaHivePath, mergedHivePath string) (err error) {
+	var baseHive, deltaHive, mergedHive winapi.ORHKey
+	if err := winapi.OROpenHive(parentHivePath, &baseHive); err != nil {
+		return fmt.Errorf("failed to open base hive %s: %w", parentHivePath, err)
+	}
+	defer func() {
+		err2 := winapi.ORCloseHive(baseHive)
+		if err == nil {
+			err = errors.Wrap(err2, "failed to close base hive")
+		}
+	}()
+	if err := winapi.OROpenHive(deltaHivePath, &deltaHive); err != nil {
+		return fmt.Errorf("failed to open delta hive %s: %w", deltaHivePath, err)
+	}
+	defer func() {
+		err2 := winapi.ORCloseHive(deltaHive)
+		if err == nil {
+			err = errors.Wrap(err2, "failed to close delta hive")
+		}
+	}()
+	if err := winapi.ORMergeHives([]winapi.ORHKey{baseHive, deltaHive}, &mergedHive); err != nil {
+		return fmt.Errorf("failed to merge hives: %w", err)
+	}
+	defer func() {
+		err2 := winapi.ORCloseHive(mergedHive)
+		if err == nil {
+			err = errors.Wrap(err2, "failed to close merged hive")
+		}
+	}()
+	if err := winapi.ORSaveHive(mergedHive, mergedHivePath, uint32(osversion.Get().MajorVersion), uint32(osversion.Get().MinorVersion)); err != nil {
+		return fmt.Errorf("failed to save hive: %w", err)
+	}
+	return
+}
+
+// getOsBuildNumberFromRegistry fetches the "CurrentBuild" value at path
+// "Microsoft\Windows NT\CurrentVersion" from the SOFTWARE registry hive at path
+// `regHivePath`. This is used to detect the build version of the uvm.
+func getOsBuildNumberFromRegistry(regHivePath string) (_ string, err error) {
+	var storeHandle, keyHandle winapi.ORHKey
+	var dataType, dataLen uint32
+	keyPath := "Microsoft\\Windows NT\\CurrentVersion"
+	valueName := "CurrentBuild"
+	dataLen = 16 // build version string can't be more than 5 wide chars?
+	dataBuf := make([]byte, dataLen)
+
+	if err = winapi.OROpenHive(regHivePath, &storeHandle); err != nil {
+		return "", fmt.Errorf("failed to open registry store at %s: %w", regHivePath, err)
+	}
+	defer func() {
+		if closeErr := winapi.ORCloseHive(storeHandle); closeErr != nil {
+			log.L.WithFields(logrus.Fields{
+				"error": closeErr,
+				"hive":  regHivePath,
+			}).Warnf("failed to close hive")
+		}
+	}()
+
+	if err = winapi.OROpenKey(storeHandle, keyPath, &keyHandle); err != nil {
+		return "", fmt.Errorf("failed to open key at %s: %w", keyPath, err)
+	}
+	defer func() {
+		if closeErr := winapi.ORCloseKey(keyHandle); closeErr != nil {
+			log.L.WithFields(logrus.Fields{
+				"error": closeErr,
+				"hive":  regHivePath,
+				"key":   keyPath,
+				"value": valueName,
+			}).Warnf("failed to close hive key")
+		}
+	}()
+
+	if err = winapi.ORGetValue(keyHandle, "", valueName, &dataType, &dataBuf[0], &dataLen); err != nil {
+		return "", fmt.Errorf("failed to get value of %s: %w", valueName, err)
+	}
+
+	if dataType != uint32(winapi.REG_TYPE_SZ) {
+		return "", fmt.Errorf("unexpected build number data type (%d)", dataType)
+	}
+
+	return winapi.ParseUtf16LE(dataBuf[:(dataLen - 2)]), nil
+}

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/winapi/jobobject.go

@@ -28,7 +28,7 @@ const (
 // https://docs.microsoft.com/en-us/windows/win32/procthread/job-object-security-and-access-rights
 const (
 	JOB_OBJECT_QUERY      = 0x0004
-	JOB_OBJECT_ALL_ACCESS = 0x1F001F
+	JOB_OBJECT_ALL_ACCESS = 0x1F003F
 )
 
 // IO limit flags
@@ -160,6 +160,21 @@ type JOBOBJECT_ASSOCIATE_COMPLETION_PORT struct {
 	CompletionPort windows.Handle
 }
 
+//	typedef struct _SILOOBJECT_BASIC_INFORMATION {
+//	    DWORD SiloId;
+//	    DWORD SiloParentId;
+//	    DWORD NumberOfProcesses;
+//	    BOOLEAN IsInServerSilo;
+//	    BYTE  Reserved[3];
+//	} SILOOBJECT_BASIC_INFORMATION, *PSILOOBJECT_BASIC_INFORMATION;
+type SILOOBJECT_BASIC_INFORMATION struct {
+	SiloID            uint32
+	SiloParentID      uint32
+	NumberOfProcesses uint32
+	IsInServerSilo    bool
+	Reserved          [3]uint8
+}
+
 // BOOL IsProcessInJob(
 // 		HANDLE ProcessHandle,
 // 		HANDLE JobHandle,
@@ -184,7 +199,7 @@ type JOBOBJECT_ASSOCIATE_COMPLETION_PORT struct {
 //		LPCWSTR lpName
 // );
 //
-//sys OpenJobObject(desiredAccess uint32, inheritHandle int32, lpName *uint16) (handle windows.Handle, err error) = kernel32.OpenJobObjectW
+//sys OpenJobObject(desiredAccess uint32, inheritHandle bool, lpName *uint16) (handle windows.Handle, err error) = kernel32.OpenJobObjectW
 
 // DWORD SetIoRateControlInformationJobObject(
 //		HANDLE                                hJob,

pkg/init/vendor/github.com/Microsoft/hcsshim/internal/winapi/zsyscall_windows.go

@@ -470,8 +470,12 @@ func LocalFree(ptr uintptr) {
 	return
 }
 
-func OpenJobObject(desiredAccess uint32, inheritHandle int32, lpName *uint16) (handle windows.Handle, err error) {
-	r0, _, e1 := syscall.SyscallN(procOpenJobObjectW.Addr(), uintptr(desiredAccess), uintptr(inheritHandle), uintptr(unsafe.Pointer(lpName)))
+func OpenJobObject(desiredAccess uint32, inheritHandle bool, lpName *uint16) (handle windows.Handle, err error) {
+	var _p0 uint32
+	if inheritHandle {
+		_p0 = 1
+	}
+	r0, _, e1 := syscall.SyscallN(procOpenJobObjectW.Addr(), uintptr(desiredAccess), uintptr(_p0), uintptr(unsafe.Pointer(lpName)))
 	handle = windows.Handle(r0)
 	if handle == 0 {
 		err = errnoErr(e1)

pkg/init/vendor/github.com/Microsoft/hcsshim/pkg/cimfs/cim_writer_windows.go

@@ -0,0 +1,291 @@
+//go:build windows
+// +build windows
+
+package cimfs
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"unsafe"
+
+	"github.com/Microsoft/go-winio"
+	"github.com/Microsoft/hcsshim/internal/log"
+	"github.com/Microsoft/hcsshim/internal/winapi"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+)
+
+// CimFsWriter represents a writer to a single CimFS filesystem instance. On disk, the
+// image is composed of a filesystem file and several object ID and region files.
+// Note: The CimFsWriter isn't thread safe!
+type CimFsWriter struct {
+	// name of this cim. Usually a <name>.cim file will be created to represent this cim.
+	name string
+	// handle is the CIMFS_IMAGE_HANDLE that must be passed when calling CIMFS APIs.
+	handle winapi.FsHandle
+	// name of the active file i.e the file to which we are currently writing.
+	activeName string
+	// stream to currently active file.
+	activeStream winapi.StreamHandle
+	// amount of bytes that can be written to the activeStream.
+	activeLeft uint64
+}
+
+// Create creates a new cim image. The CimFsWriter returned can then be used to do
+// operations on this cim.
+func Create(imagePath string, oldFSName string, newFSName string) (_ *CimFsWriter, err error) {
+	var oldNameBytes *uint16
+	// CimCreateImage API call has different behavior if the value of oldNameBytes / newNameBytes
+	// is empty than if it is nil. So we have to convert those strings into *uint16 here.
+	fsName := oldFSName
+	if oldFSName != "" {
+		oldNameBytes, err = windows.UTF16PtrFromString(oldFSName)
+		if err != nil {
+			return nil, err
+		}
+	}
+	var newNameBytes *uint16
+	if newFSName != "" {
+		fsName = newFSName
+		newNameBytes, err = windows.UTF16PtrFromString(newFSName)
+		if err != nil {
+			return nil, err
+		}
+	}
+	var handle winapi.FsHandle
+	if err := winapi.CimCreateImage(imagePath, oldNameBytes, newNameBytes, &handle); err != nil {
+		return nil, fmt.Errorf("failed to create cim image at path %s, oldName: %s, newName: %s: %w", imagePath, oldFSName, newFSName, err)
+	}
+	return &CimFsWriter{handle: handle, name: filepath.Join(imagePath, fsName)}, nil
+}
+
+// CreateAlternateStream creates alternate stream of given size at the given path inside the cim. This will
+// replace the current active stream. Always, finish writing current active stream and then create an
+// alternate stream.
+func (c *CimFsWriter) CreateAlternateStream(path string, size uint64) (err error) {
+	err = c.closeStream()
+	if err != nil {
+		return err
+	}
+	err = winapi.CimCreateAlternateStream(c.handle, path, size, &c.activeStream)
+	if err != nil {
+		return fmt.Errorf("failed to create alternate stream for path %s: %w", path, err)
+	}
+	c.activeName = path
+	return nil
+}
+
+// closes the currently active stream.
+func (c *CimFsWriter) closeStream() error {
+	if c.activeStream == 0 {
+		return nil
+	}
+	err := winapi.CimCloseStream(c.activeStream)
+	if err == nil && c.activeLeft > 0 {
+		// Validate here because CimCloseStream does not and this improves error
+		// reporting. Otherwise the error will occur in the context of
+		// cimWriteStream.
+		err = fmt.Errorf("incomplete write, %d bytes left in the stream %s", c.activeLeft, c.activeName)
+	}
+	if err != nil {
+		err = &PathError{Cim: c.name, Op: "closeStream", Path: c.activeName, Err: err}
+	}
+	c.activeLeft = 0
+	c.activeStream = 0
+	c.activeName = ""
+	return err
+}
+
+// AddFile adds a new file to the image. The file is added at the specified path. After
+// calling this function, the file is set as the active stream for the image, so data can
+// be written by calling `Write`.
+func (c *CimFsWriter) AddFile(path string, info *winio.FileBasicInfo, fileSize int64, securityDescriptor []byte, extendedAttributes []byte, reparseData []byte) error {
+	err := c.closeStream()
+	if err != nil {
+		return err
+	}
+	fileMetadata := &winapi.CimFsFileMetadata{
+		Attributes:     info.FileAttributes,
+		FileSize:       fileSize,
+		CreationTime:   info.CreationTime,
+		LastWriteTime:  info.LastWriteTime,
+		ChangeTime:     info.ChangeTime,
+		LastAccessTime: info.LastAccessTime,
+	}
+	if len(securityDescriptor) == 0 {
+		// Passing an empty security descriptor creates a CIM in a weird state.
+		// Pass the NULL DACL.
+		securityDescriptor = nullSd
+	}
+	fileMetadata.SecurityDescriptorBuffer = unsafe.Pointer(&securityDescriptor[0])
+	fileMetadata.SecurityDescriptorSize = uint32(len(securityDescriptor))
+	if len(reparseData) > 0 {
+		fileMetadata.ReparseDataBuffer = unsafe.Pointer(&reparseData[0])
+		fileMetadata.ReparseDataSize = uint32(len(reparseData))
+	}
+	if len(extendedAttributes) > 0 {
+		fileMetadata.ExtendedAttributes = unsafe.Pointer(&extendedAttributes[0])
+		fileMetadata.EACount = uint32(len(extendedAttributes))
+	}
+	// remove the trailing `\` if present, otherwise it trips off the cim writer
+	path = strings.TrimSuffix(path, "\\")
+	err = winapi.CimCreateFile(c.handle, path, fileMetadata, &c.activeStream)
+	if err != nil {
+		return &PathError{Cim: c.name, Op: "addFile", Path: path, Err: err}
+	}
+	c.activeName = path
+	if info.FileAttributes&(windows.FILE_ATTRIBUTE_DIRECTORY) == 0 {
+		c.activeLeft = uint64(fileSize)
+	}
+	return nil
+}
+
+// Write writes bytes to the active stream.
+func (c *CimFsWriter) Write(p []byte) (int, error) {
+	if c.activeStream == 0 {
+		return 0, fmt.Errorf("no active stream")
+	}
+	if uint64(len(p)) > c.activeLeft {
+		return 0, &PathError{Cim: c.name, Op: "write", Path: c.activeName, Err: fmt.Errorf("wrote too much")}
+	}
+	err := winapi.CimWriteStream(c.activeStream, uintptr(unsafe.Pointer(&p[0])), uint32(len(p)))
+	if err != nil {
+		err = &PathError{Cim: c.name, Op: "write", Path: c.activeName, Err: err}
+		return 0, err
+	}
+	c.activeLeft -= uint64(len(p))
+	return len(p), nil
+}
+
+// AddLink adds a hard link from `oldPath` to `newPath` in the image.
+func (c *CimFsWriter) AddLink(oldPath string, newPath string) error {
+	err := c.closeStream()
+	if err != nil {
+		return err
+	}
+	err = winapi.CimCreateHardLink(c.handle, newPath, oldPath)
+	if err != nil {
+		err = &LinkError{Cim: c.name, Op: "addLink", Old: oldPath, New: newPath, Err: err}
+	}
+	return err
+}
+
+// Unlink deletes the file at `path` from the image.
+func (c *CimFsWriter) Unlink(path string) error {
+	err := c.closeStream()
+	if err != nil {
+		return err
+	}
+	//TODO(ambarve): CimDeletePath currently returns an error if the file isn't found but we ideally want
+	// to put a tombstone at that path so that when cims are merged it removes that file from the lower
+	// layer
+	err = winapi.CimDeletePath(c.handle, path)
+	if err != nil && !os.IsNotExist(err) {
+		err = &PathError{Cim: c.name, Op: "unlink", Path: path, Err: err}
+		return err
+	}
+	return nil
+}
+
+func (c *CimFsWriter) commit() error {
+	err := c.closeStream()
+	if err != nil {
+		return err
+	}
+	err = winapi.CimCommitImage(c.handle)
+	if err != nil {
+		err = &OpError{Cim: c.name, Op: "commit", Err: err}
+	}
+	return err
+}
+
+// Close closes the CimFS filesystem.
+func (c *CimFsWriter) Close() error {
+	if c.handle == 0 {
+		return fmt.Errorf("invalid writer")
+	}
+	if err := c.commit(); err != nil {
+		return &OpError{Cim: c.name, Op: "commit", Err: err}
+	}
+	if err := winapi.CimCloseImage(c.handle); err != nil {
+		return &OpError{Cim: c.name, Op: "close", Err: err}
+	}
+	c.handle = 0
+	return nil
+}
+
+// DestroyCim finds out the region files, object files of this cim and then delete
+// the region files, object files and the <layer-id>.cim file itself.
+func DestroyCim(ctx context.Context, cimPath string) (retErr error) {
+	regionFilePaths, err := getRegionFilePaths(ctx, cimPath)
+	if err != nil {
+		log.G(ctx).WithError(err).Warnf("get region files for cim %s", cimPath)
+		if retErr == nil { //nolint:govet // nilness: consistency with below
+			retErr = err
+		}
+	}
+	objectFilePaths, err := getObjectIDFilePaths(ctx, cimPath)
+	if err != nil {
+		log.G(ctx).WithError(err).Warnf("get objectid file for cim %s", cimPath)
+		if retErr == nil {
+			retErr = err
+		}
+	}
+
+	log.G(ctx).WithFields(logrus.Fields{
+		"cimPath":     cimPath,
+		"regionFiles": regionFilePaths,
+		"objectFiles": objectFilePaths,
+	}).Debug("destroy cim")
+
+	for _, regFilePath := range regionFilePaths {
+		if err := os.Remove(regFilePath); err != nil {
+			log.G(ctx).WithError(err).Warnf("remove file %s", regFilePath)
+			if retErr == nil {
+				retErr = err
+			}
+		}
+	}
+
+	for _, objFilePath := range objectFilePaths {
+		if err := os.Remove(objFilePath); err != nil {
+			log.G(ctx).WithError(err).Warnf("remove file %s", objFilePath)
+			if retErr == nil {
+				retErr = err
+			}
+		}
+	}
+
+	if err := os.Remove(cimPath); err != nil {
+		log.G(ctx).WithError(err).Warnf("remove file %s", cimPath)
+		if retErr == nil {
+			retErr = err
+		}
+	}
+	return retErr
+}
+
+// GetCimUsage returns the total disk usage in bytes by the cim at path `cimPath`.
+func GetCimUsage(ctx context.Context, cimPath string) (uint64, error) {
+	regionFilePaths, err := getRegionFilePaths(ctx, cimPath)
+	if err != nil {
+		return 0, fmt.Errorf("get region file paths for cim %s: %w", cimPath, err)
+	}
+	objectFilePaths, err := getObjectIDFilePaths(ctx, cimPath)
+	if err != nil {
+		return 0, fmt.Errorf("get objectid file for cim %s: %w", cimPath, err)
+	}
+
+	var totalUsage uint64
+	for _, f := range append(regionFilePaths, objectFilePaths...) {
+		fi, err := os.Stat(f)
+		if err != nil {
+			return 0, fmt.Errorf("stat file %s: %w", f, err)
+		}
+		totalUsage += uint64(fi.Size())
+	}
+	return totalUsage, nil
+}

pkg/init/vendor/github.com/Microsoft/hcsshim/pkg/cimfs/cimfs.go

@@ -0,0 +1,17 @@
+//go:build windows
+// +build windows
+
+package cimfs
+
+import (
+	"github.com/Microsoft/hcsshim/osversion"
+	"github.com/sirupsen/logrus"
+)
+
+func IsCimFSSupported() bool {
+	rv, err := osversion.BuildRevision()
+	if err != nil {
+		logrus.WithError(err).Warn("get build revision")
+	}
+	return osversion.Build() == 20348 && rv >= 2031
+}

pkg/init/vendor/github.com/Microsoft/hcsshim/pkg/cimfs/common.go

@@ -0,0 +1,134 @@
+//go:build windows
+// +build windows
+
+package cimfs
+
+import (
+	"bytes"
+	"context"
+	"encoding/binary"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/Microsoft/hcsshim/internal/log"
+	"github.com/Microsoft/hcsshim/pkg/cimfs/format"
+)
+
+var (
+	// Equivalent to SDDL of "D:NO_ACCESS_CONTROL".
+	nullSd = []byte{1, 0, 4, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
+)
+
+type OpError struct {
+	Cim string
+	Op  string
+	Err error
+}
+
+func (e *OpError) Error() string {
+	s := "cim " + e.Op + " " + e.Cim
+	s += ": " + e.Err.Error()
+	return s
+}
+
+// PathError is the error type returned by most functions in this package.
+type PathError struct {
+	Cim  string
+	Op   string
+	Path string
+	Err  error
+}
+
+func (e *PathError) Error() string {
+	s := "cim " + e.Op + " " + e.Cim
+	s += ":" + e.Path
+	s += ": " + e.Err.Error()
+	return s
+}
+
+type LinkError struct {
+	Cim string
+	Op  string
+	Old string
+	New string
+	Err error
+}
+
+func (e *LinkError) Error() string {
+	return "cim " + e.Op + " " + e.Old + " " + e.New + ": " + e.Err.Error()
+}
+
+func validateHeader(h *format.CommonHeader) error {
+	if !bytes.Equal(h.Magic[:], format.MagicValue[:]) {
+		return fmt.Errorf("not a cim file")
+	}
+	if h.Version.Major > format.CurrentVersion.Major || h.Version.Major < format.MinSupportedVersion.Major {
+		return fmt.Errorf("unsupported cim version. cim version %v must be between %v & %v", h.Version, format.MinSupportedVersion, format.CurrentVersion)
+	}
+	return nil
+}
+
+func readFilesystemHeader(f *os.File) (format.FilesystemHeader, error) {
+	var fsh format.FilesystemHeader
+
+	if err := binary.Read(f, binary.LittleEndian, &fsh); err != nil {
+		return fsh, fmt.Errorf("reading filesystem header: %w", err)
+	}
+
+	if err := validateHeader(&fsh.Common); err != nil {
+		return fsh, fmt.Errorf("validating filesystem header: %w", err)
+	}
+	return fsh, nil
+}
+
+// Returns the paths of all the objectID files associated with the cim at `cimPath`.
+func getObjectIDFilePaths(ctx context.Context, cimPath string) ([]string, error) {
+	f, err := os.Open(cimPath)
+	if err != nil {
+		return []string{}, fmt.Errorf("open cim file %s: %w", cimPath, err)
+	}
+	defer f.Close()
+
+	fsh, err := readFilesystemHeader(f)
+	if err != nil {
+		return []string{}, fmt.Errorf("readingp cim header: %w", err)
+	}
+
+	paths := []string{}
+	for i := 0; i < int(fsh.Regions.Count); i++ {
+		path := filepath.Join(filepath.Dir(cimPath), fmt.Sprintf("%s_%v_%d", format.ObjectIDFileName, fsh.Regions.ID, i))
+		if _, err := os.Stat(path); err == nil {
+			paths = append(paths, path)
+		} else {
+			log.G(ctx).WithError(err).Warnf("stat for object file %s", path)
+		}
+
+	}
+	return paths, nil
+}
+
+// Returns the paths of all the region files associated with the cim at `cimPath`.
+func getRegionFilePaths(ctx context.Context, cimPath string) ([]string, error) {
+	f, err := os.Open(cimPath)
+	if err != nil {
+		return []string{}, fmt.Errorf("open cim file %s: %w", cimPath, err)
+	}
+	defer f.Close()
+
+	fsh, err := readFilesystemHeader(f)
+	if err != nil {
+		return []string{}, fmt.Errorf("reading cim header: %w", err)
+	}
+
+	paths := []string{}
+	for i := 0; i < int(fsh.Regions.Count); i++ {
+		path := filepath.Join(filepath.Dir(cimPath), fmt.Sprintf("%s_%v_%d", format.RegionFileName, fsh.Regions.ID, i))
+		if _, err := os.Stat(path); err == nil {
+			paths = append(paths, path)
+		} else {
+			log.G(ctx).WithError(err).Warnf("stat for region file %s", path)
+		}
+	}
+	return paths, nil
+}

pkg/init/vendor/github.com/Microsoft/hcsshim/pkg/cimfs/doc.go

@@ -0,0 +1,3 @@
+// This package provides simple go wrappers on top of the win32 CIMFS mount APIs.
+// The mounting/unmount of cim layers is done by the cim mount functions the internal/wclayer/cim package.
+package cimfs

pkg/init/vendor/github.com/Microsoft/hcsshim/pkg/cimfs/format/doc.go

@@ -0,0 +1,4 @@
+// format package maintains some basic structures to allows us to read header of a cim file. This is mostly
+// required to understand the region & objectid files associated with a particular cim. Otherwise, we don't
+// need to parse the cim format.
+package format