Merge pull request 'update to new v1.3.1 tag' (#325 ) from dbekhit/Factory:main into main

Reviewed-on: suse-edge/Factory#325 Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org> Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
switch to official tag
2025-12-11 12:04:58 +01:00 · 2025-12-10 23:45:44 -05:00 · 2025-12-10 13:21:34 +00:00 · 2025-12-09 10:23:12 -05:00 · 2025-12-09 10:44:08 +01:00 · 2025-12-09 11:17:06 +02:00
300 changed files with 9417 additions and 34356 deletions
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,15 +1,170 @@
-[submodule "obs-service-set_version"]
-	path = obs-service-set_version
-	url = https://src.opensuse.org/SLFO-pool/obs-service-set_version.git
 [submodule "cri-tools"]
 	path = cri-tools
 	url = https://src.opensuse.org/pool/cri-tools.git
-[submodule "fakeroot"]
-	path = fakeroot
-	url = https://src.opensuse.org/pool/fakeroot.git
 [submodule "crudini"]
 	path = crudini
 	url = https://src.opensuse.org/pool/crudini.git
-[submodule "autoconf"]
-	path = autoconf
-	url = https://src.opensuse.org/SLFO-pool/autoconf.git
+[submodule "cni-plugins"]
+	path = cni-plugins
+	url = https://src.opensuse.org/pool/cni-plugins
+[submodule "python-kubernetes"]
+	path = python-kubernetes
+	url = https://src.opensuse.org/pool/python-kubernetes
+	branch = leap-16.0
+[submodule "python-durationpy"]
+	path = python-durationpy
+	url = https://src.opensuse.org/pool/python-durationpy
+	branch = leap-16.0
+[submodule "python-recommonmark"]
+	path = python-recommonmark
+	url = https://src.opensuse.org/pool/python-recommonmark
+	branch = leap-16.0
+[submodule "python-iniparse"]
+	path = python-iniparse
+	url = https://src.opensuse.org/pool/python-iniparse
+	branch = leap-16.0
+[submodule "python-commonmark"]
+	path = python-commonmark
+	url = https://src.opensuse.org/pool/python-commonmark
+	branch = leap-16.0
+[submodule "cni"]
+	path = cni
+	url = https://src.opensuse.org/pool/cni
+[submodule "python-tenacity"]
+	path = python-tenacity
+	url = https://src.opensuse.org/pool/python-tenacity
+[submodule "python-pint"]
+	path = python-pint
+	url = https://src.opensuse.org/pool/python-pint
+	branch = leap-16.0
+[submodule "python-flexcache"]
+	path = python-flexcache
+	url = https://src.opensuse.org/pool/python-flexcache
+	branch = leap-16.0
+[submodule "python-flexparser"]
+	path = python-flexparser
+	url = https://src.opensuse.org/pool/python-flexparser
+	branch = leap-16.0
+[submodule "python-uncertainties"]
+	path = python-uncertainties
+	url = https://src.opensuse.org/pool/python-uncertainties
+	branch = leap-16.0
+[submodule "python-dogpile.cache"]
+	path = python-dogpile.cache
+	url = https://src.opensuse.org/pool/python-dogpile.cache
+	branch = leap-16.0
+[submodule "python-pytest-mpl"]
+	path = python-pytest-mpl
+	url = https://src.opensuse.org/pool/python-pytest-mpl
+	branch = leap-16.0
+[submodule "python-zeroconf"]
+	path = python-zeroconf
+	url = https://src.opensuse.org/pool/python-zeroconf
+	branch = leap-16.0
+[submodule "python-ifaddr"]
+	path = python-ifaddr
+	url = https://src.opensuse.org/pool/python-ifaddr
+	branch = leap-16.0
+[submodule "python-yappi"]
+	path = python-yappi
+	url = https://src.opensuse.org/pool/python-yappi
+[submodule "python-routes"]
+	path = python-routes
+	url = https://src.opensuse.org/pool/python-routes
+	branch = leap-16.0
+[submodule "python-repoze.lru"]
+	path = python-repoze.lru
+	url = https://src.opensuse.org/pool/python-repoze.lru
+	branch = leap-16.0
+[submodule "ipxe"]
+	path = ipxe
+	url = https://src.opensuse.org/pool/ipxe
+	branch = leap-16.0
+[submodule "python-setproctitle"]
+	path = python-setproctitle
+	url = https://src.opensuse.org/pool/python-setproctitle
+	branch = leap-16.0
+[submodule "python-requests-kerberos"]
+	path = python-requests-kerberos
+	url = https://src.opensuse.org/pool/python-requests-kerberos
+	branch = leap-16.0
+[submodule "python-pecan"]
+	path = python-pecan
+	url = https://src.opensuse.org/pool/python-pecan
+	branch = leap-16.0
+[submodule "python-pycdlib"]
+	path = python-pycdlib
+	url = https://src.opensuse.org/pool/python-pycdlib
+[submodule "python-cliff"]
+	path = python-cliff
+	url = https://src.opensuse.org/pool/python-cliff
+[submodule "python-autopage"]
+	path = python-autopage
+	url = https://src.opensuse.org/pool/python-autopage
+[submodule "python-cmd2"]
+	path = python-cmd2
+	url = https://src.opensuse.org/pool/python-cmd2
+	branch = leap-16.0
+[submodule "uwsgi"]
+	path = uwsgi
+	url = https://src.opensuse.org/pool/uwsgi
+	branch = leap-16.0
+[submodule "python-requestsexceptions"]
+	path = python-requestsexceptions
+	url = https://src.opensuse.org/pool/python-requestsexceptions
+[submodule "python-python-memcached"]
+	path = python-python-memcached
+	url = https://src.opensuse.org/pool/python-python-memcached
+[submodule "python-kombu"]
+	path = python-kombu
+	url = https://src.opensuse.org/pool/python-kombu
+[submodule "python-amqp"]
+	path = python-amqp
+	url = https://src.opensuse.org/pool/python-amqp
+	branch = leap-16.0
+[submodule "python-statsd"]
+	path = python-statsd
+	url = https://src.opensuse.org/pool/python-statsd
+[submodule "python-warlock"]
+	path = python-warlock
+	url = https://src.opensuse.org/pool/python-warlock
+[submodule "python-case"]
+	path = python-case
+	url = https://src.opensuse.org/pool/python-case
+	branch = leap-16.0
+[submodule "python-vine"]
+	path = python-vine
+	url = https://src.opensuse.org/pool/python-vine
+	branch = leap-16.0
+[submodule "python-Pyro5"]
+	path = python-Pyro5
+	url = https://src.opensuse.org/pool/python-Pyro5
+	branch = leap-16.0
+[submodule "python-pre-commit"]
+	path = python-pre-commit
+	url = https://src.opensuse.org/pool/python-pre-commit
+[submodule "python-serpent"]
+	path = python-serpent
+	url = https://src.opensuse.org/pool/python-serpent
+	branch = leap-16.0
+[submodule "python-google-cloud-monitoring"]
+	path = python-google-cloud-monitoring
+	url = https://src.opensuse.org/pool/python-google-cloud-monitoring
+[submodule "python-google-cloud-pubsub"]
+	path = python-google-cloud-pubsub
+	url = https://src.opensuse.org/pool/python-google-cloud-pubsub
+[submodule "python-cfgv"]
+	path = python-cfgv
+	url = https://src.opensuse.org/pool/python-cfgv
+[submodule "python-identify"]
+	path = python-identify
+	url = https://src.opensuse.org/pool/python-identify
+[submodule "python-pandas"]
+	path = python-pandas
+	url = https://src.opensuse.org/pool/python-pandas
+[submodule "python-grpc-google-iam-v1"]
+	path = python-grpc-google-iam-v1
+	url = https://src.opensuse.org/pool/python-grpc-google-iam-v1
+[submodule "python-editdistance"]
+	path = python-editdistance
+	url = https://src.opensuse.org/pool/python-editdistance
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -3,7 +3,7 @@ repos:
    hooks:
      - id: check-manifest
        name: "Check release-manifest"
-        entry: .obs/manifest-check.py
+        entry: python3 .obs/manifest-check.py
        language: python
        additional_dependencies: ['ruamel.yaml']
        pass_filenames: false
--- a/124
+++ b/124
@@ -1,8 +1,11 @@
-Prefer: -libqpid-proton10 -python311-urllib3_1
-Prefer: -cargo1.58 -cargo1.57 cargo1.88
+Prefer: -libqpid-proton10 -python313-urllib3_1
+Prefer: -cargo1.58 -cargo1.57 cargo1.89
+Prefer: chrony-pool-suse
+Prefer: -postgresql17-devel-mini
+
+BuildFlags: excludebuild:python-pandas:test-py313

 Macros:
-%__python3 /usr/bin/python3.11
 %registry_url %(echo %{vendor} | cut -d '/' -f 3 | sed 's/build/registry/')
 :Macros

@@ -46,67 +49,43 @@ Macros:
 :Macros
 %endif

-# Missing deps for testsuite
-BuildFlags: excludebuild:autoconf:el
-BuildFlags: excludebuild:autoconf:testsuite
-
 # Only build manifest embedding images here
 %if "%_repository" == "test_manifest_images"
 BuildFlags: onlybuild:edge-image-builder-image
 BuildFlags: onlybuild:release-manifest-image
-  # Exclude the images selected by the following section
-  # as the standard repository is a dependency
-  %ifarch aarch64
-    BuildFlags: excludebuild:baremetal-operator-image
-    BuildFlags: excludebuild:endpoint-copier-operator-image
-    BuildFlags: excludebuild:ironic-image
-    BuildFlags: excludebuild:ironic-ipa-downloader-image
-    BuildFlags: excludebuild:kiwi-builder-image
-    BuildFlags: excludebuild:kubectl-image
-    BuildFlags: excludebuild:kube-rbac-proxy-image
-    BuildFlags: excludebuild:metallb-controller-image
-    BuildFlags: excludebuild:metallb-speaker-image
-  %endif
 %else
-# Only a subset of stack is arm64 ready
+# Only a subset of stack is arm64 ready exclude what is not ready
  %ifarch aarch64
-    BuildFlags: onlybuild:autoconf
-    BuildFlags: onlybuild:baremetal-operator
-    BuildFlags: onlybuild:baremetal-operator-image
-    BuildFlags: onlybuild:ca-certificates-suse
-    BuildFlags: onlybuild:container-build-checks
-    BuildFlags: onlybuild:crudini
-    BuildFlags: onlybuild:edge-build-checks
-    BuildFlags: onlybuild:edge-image-builder
-    BuildFlags: onlybuild:edge-image-builder-image
-    BuildFlags: onlybuild:endpoint-copier-operator
-    BuildFlags: onlybuild:endpoint-copier-operator-image
-    BuildFlags: onlybuild:fakeroot
-    BuildFlags: onlybuild:hauler
-    BuildFlags: onlybuild:ipcalc
-    BuildFlags: onlybuild:ironic-image
-    BuildFlags: onlybuild:ironic-ipa-downloader-image
-    BuildFlags: onlybuild:ironic-ipa-ramdisk
-    BuildFlags: onlybuild:kubectl
-    BuildFlags: onlybuild:kubectl-image
-    BuildFlags: onlybuild:kube-rbac-proxy
-    BuildFlags: onlybuild:kube-rbac-proxy-image
-    BuildFlags: onlybuild:metallb
-    BuildFlags: onlybuild:metallb-controller-image
-    BuildFlags: onlybuild:metallb-speaker-image
-    BuildFlags: onlybuild:nm-configurator
-    BuildFlags: onlybuild:shim-noarch
+    # Akri
+    BuildFlags: excludebuild:akri
+    BuildFlags: excludebuild:akri-agent-image
+    BuildFlags: excludebuild:akri-controller-image
+    BuildFlags: excludebuild:akri-debug-echo-discovery-handler-image
+    BuildFlags: excludebuild:akri-onvif-discovery-handler-image
+    BuildFlags: excludebuild:akri-opcua-discovery-handler-image
+    BuildFlags: excludebuild:akri-udev-discovery-handler-image
+    BuildFlags: excludebuild:akri-webhook-configuration-image
+    BuildFlags: excludebuild:cri-tools
+
+    # FRR
+    BuildFlags: excludebuild:frr-image
+    BuildFlags: excludebuild:frr-k8s
+    BuildFlags: excludebuild:frr-k8s-image
+    
+    # Upgrade controller
+    BuildFlags: excludebuild:release-manifest-image
+    BuildFlags: excludebuild:upgrade-controller
+    BuildFlags: excludebuild:upgrade-controller-image 
  %endif
 %endif

 %if "%_repository" == "images" || "%_repository" == "test_manifest_images"
-    Prefer: container:sles15-image
    Type: docker
    Repotype: none
    Patterntype: none
    BuildEngine: podman
-    Prefer: sles-release
-    BuildFlags: dockerarg:SLE_VERSION=15.7
+    Prefer: SLES-release
+    BuildFlags: dockerarg:SLE_VERSION=16.0

    # Publish multi-arch container images only once all archs have been built
    PublishFlags: archsync
@@ -121,45 +100,6 @@ BuildFlags: onlybuild:release-manifest-image

 %endif

-%if "%_repository" == "images_16.0"
-    Prefer: container:sles15-image
-    Type: docker
-    BuildEngine: podman
-    Repotype: none
-    Patterntype: none
-    BuildFlags: dockerarg:SLE_VERSION=16.0
-    BuildFlags: onlybuild:kiwi-builder-image
-    
-    Substitute: system-packages:podman podman buildah createrepo_c release-compare skopeo umoci
-
-    # Publish multi-arch container images only once all archs have been built
-    PublishFlags: archsync
-
-    # Exclude the images selected by the aarch64 section
-    %ifarch aarch64
-      BuildFlags: excludebuild:baremetal-operator-image
-      BuildFlags: excludebuild:edge-image-builder-image
-      BuildFlags: excludebuild:endpoint-copier-operator-image
-      BuildFlags: excludebuild:ironic-image
-      BuildFlags: excludebuild:ironic-ipa-downloader-image
-      BuildFlags: excludebuild:kubectl-image
-      BuildFlags: excludebuild:kube-rbac-proxy-image
-      BuildFlags: excludebuild:metallb-controller-image
-      BuildFlags: excludebuild:metallb-speaker-image
-    %endif
-
-%else
-    %if "%{sub %{reverse %_project} 1 7}" != "%{reverse :ToTest}" && "%{sub %{reverse %_project} 1 9}" != "%{reverse :Snapshot}"
-      BuildFlags: excludebuild:kiwi-builder-image
-    %else
-      %ifarch aarch64
-        BuildFlags: onlybuild:kiwi-builder-image
-      %endif
-    %endif
-%endif
-
-
-
 %if "%_repository" == "charts" || "%_repository" == "phantomcharts" || "%_repository" == "releasecharts"
    Type: helm
    Repotype: helm
@@ -176,12 +116,16 @@ BuildFlags: onlybuild:release-manifest-image

    # ironic-ipa-ramdisk are noarch packages that need to be availble to both archs
    ExportFilter: ^ironic-ipa-ramdisk-.*\.noarch\.rpm$ aarch64 x86_64
+    ExportFilter: ^grub2-.*-efi-.*\.noarch\.rpm$ aarch64 x86_64
 %endif

+%if "%_repository" != "standard"
+    BuildFlags: excludebuild:grub-aggregate 
+%endif
 # Enable reproducible builds
 # https://en.opensuse.org/openSUSE:Reproducible_Builds\#With_OBS
 Macros:
-%source_date_epoch_from_changelog Y
+%source_date_epoch_from_changelog N
 %clamp_mtime_to_source_date_epoch Y
 %use_source_date_epoch_as_buildtime Y
 %_buildhost reproducible
--- a/18
+++ b/18
@@ -34,20 +34,15 @@
    <arch>x86_64</arch>
  </repository>
 {%- endif %}
-{%- for repository in ["images", "images_16.0", "test_manifest_images"] %}
+{%- for repository in ["images", "test_manifest_images"] %}
  <repository name="{{ repository }}">
    {%- if release_project is defined and repository != "test_manifest_images" %}
    <releasetarget project="{{ release_project }}" repository="images" trigger="manual"/>
    {%- endif %}
    <path project="SUSE:Registry" repository="standard"/>
-    {%- if repository == "images_16.0" %}
-      <path project="SUSE:CA" repository="16.0"/>
-      <path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
-      <path project="SUSE:SLFO:Main:Build" repository="standard"/>
-    {%- else %}
-      <path project="SUSE:CA" repository="SLE_15_SP7"/>
-      <path project="{{ project }}" repository="standard"/>
-    {%- endif %}
+    <path project="{{ ironic_base }}:Factory" repository="16.0"/>
+    <path project="SUSE:CA" repository="openSUSE_Tumbleweed"/>
+    <path project="{{ project }}" repository="standard"/>
    <arch>x86_64</arch>
    <arch>aarch64</arch>
  </repository>
@@ -56,8 +51,9 @@
    {%- if release_project is defined and not for_release %}
    <releasetarget project="{{ release_project }}" repository="standard" trigger="manual"/>
    {%- endif %}
-    <path project="{{ ironic_base }}:2025.1" repository="15.7"/>
-    <path project="SUSE:SLE-15-SP7:Update" repository="standard"/>
+    <path project="{{ ironic_base }}:Factory" repository="16.0"/>
+    <path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
+    <path project="SUSE:SLFO:1.2" repository="standard"/>
    <arch>x86_64</arch>
    <arch>aarch64</arch>
  </repository>
--- a/akri-dashboard-extension-chart/Chart.yaml
+++ b/akri-dashboard-extension-chart/Chart.yaml
@@ -1,5 +1,5 @@
-#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.2_up1.3.1
-#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.2_up1.3.1-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.2
+#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.2-%RELEASE%
 annotations:
  catalog.cattle.io/certified: rancher
  catalog.cattle.io/namespace: cattle-ui-plugin-system
@@ -12,10 +12,10 @@ annotations:
  catalog.cattle.io/ui-extensions-version: '>= 3.0.2 < 4.0.0'
  catalog.cattle.io/kube-version: '>= v1.26.0-0'
 apiVersion: v2
-appVersion: 303.0.2+up1.3.1
+appVersion: 1.3.2
 description: 'SUSE Edge: Akri extension for Rancher Dashboard'
 name: akri-dashboard-extension
 type: application
-version: "%%CHART_MAJOR%%.0.2+up1.3.1"
+version: "%%CHART_MAJOR%%.0.4+up1.3.2"
 icon: >-
  https://raw.githubusercontent.com/cncf/artwork/main/projects/akri/icon/color/akri-icon-color.svg
--- a/akri-dashboard-extension-chart/templates/cr.yaml
+++ b/akri-dashboard-extension-chart/templates/cr.yaml
@@ -8,7 +8,7 @@ spec:
  plugin:
    name: {{ include "extension-server.fullname" . }}
    version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
-    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/303.0.2+up1.3.1
+    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/1.3.2
    noCache: {{ .Values.plugin.noCache }}
    noAuth: {{ .Values.plugin.noAuth }}
    metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}
--- a/1
+++ b/1
--- a/baremetal-operator-image/Dockerfile
+++ b/baremetal-operator-image/Dockerfile
@@ -6,7 +6,7 @@ FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro

 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
-RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator inotify-tools procps iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*
+RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator python3-watchdog procps iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*

 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers
--- a/baremetal-operator-image/bmo-run
+++ b/baremetal-operator-image/bmo-run
@@ -3,10 +3,11 @@ export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPD
 export IRONIC_CACERT_FILE=${IRONIC_CACERT_FILE:-"/opt/metal3/certs/ca/tls.crt"}

 if [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
-    # shellcheck disable=SC2034
-    inotifywait -m -e delete_self "${IRONIC_CACERT_FILE}" | while read -r file event; do
-        kill $(pgrep baremetal-opera)
-    done &
+     watchmedo shell-command \
+            --patterns="$(basename "${IRONIC_CACERT_FILE}")" \
+            --ignore-directories \
+            --command='if [[ "${watch_event_type}" == "deleted" ]]; then pkill -TERM baremetal-opera; fi' \
+            "$(dirname "${IRONIC_CACERT_FILE}")" &
 fi

 exec /usr/bin/baremetal-operator $@
--- a/baremetal-operator/0001-Enable-exhaustive-linter.patch
+++ b/baremetal-operator/0001-Enable-exhaustive-linter.patch
@@ -0,0 +1,163 @@
+From f8c1ba1696fd8555e8e94246ec5afa38536fa8bd Mon Sep 17 00:00:00 2001
+From: erjavaskivuori <erja.vaskivuori@est.tech>
+Date: Thu, 5 Jun 2025 09:49:47 +0000
+Subject: [PATCH 1/5] Enable exhaustive linter
+
+Enable exhaustive linter to check exhaustiveness of switch statements of enum-like
+constants.
+
+Signed-off-by: erjavaskivuori <erja.vaskivuori@est.tech>
+(cherry picked from commit a5a81b8717c9e6642ae626ea97933e3615fe11c0)
+---
+ .golangci.yaml                                |  4 ++-
+ .../metal3.io/v1alpha1/baremetalhost_types.go |  1 +
+ .../metal3.io/baremetalhost_controller.go     |  2 ++
+ .../metal3.io/host_state_machine.go           |  4 +++
+ pkg/provisioner/ironic/ironic.go              | 26 +++++++++----------
+ 5 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/.golangci.yaml b/.golangci.yaml
+index 58e54b31..c758b93c 100644
+--- a/.golangci.yaml
+++ b/.golangci.yaml
+@@ -21,7 +21,7 @@ linters:
+   - errchkjson
+   #- errname
+   #- errorlint
+-  #- exhaustive
+  - exhaustive
+   - exptostd
+   - fatcontext
+   #- forbidigo
+@@ -78,6 +78,8 @@ linters:
+   # Run with --fast=false for more extensive checks
+   fast: true
+ linters-settings:
+  exhaustive:
+    default-signifies-exhaustive: true
+   gosec:
+     severity: medium
+     confidence: medium
+diff --git a/apis/metal3.io/v1alpha1/baremetalhost_types.go b/apis/metal3.io/v1alpha1/baremetalhost_types.go
+index ba1b4333..426a7a89 100644
+--- a/apis/metal3.io/v1alpha1/baremetalhost_types.go
+++ b/apis/metal3.io/v1alpha1/baremetalhost_types.go
+@@ -1113,6 +1113,7 @@ func (host *BareMetalHost) OperationMetricForState(operation ProvisioningState)
+ 		metric = &history.Provision
+ 	case StateDeprovisioning:
+ 		metric = &history.Deprovision
+	default:
+ 	}
+ 	return
+ }
+diff --git a/internal/controller/metal3.io/baremetalhost_controller.go b/internal/controller/metal3.io/baremetalhost_controller.go
+index 33310bf7..1998627e 100644
+--- a/internal/controller/metal3.io/baremetalhost_controller.go
+++ b/internal/controller/metal3.io/baremetalhost_controller.go
+@@ -586,6 +586,7 @@ func getCurrentImage(host *metal3api.BareMetalHost) *metal3api.Image {
+ 		if host.Spec.Image != nil && host.Spec.Image.URL != "" {
+ 			return host.Spec.Image.DeepCopy()
+ 		}
+	default:
+ 	}
+ 	return nil
+ }
+@@ -816,6 +817,7 @@ func (r *BareMetalHostReconciler) registerHost(prov provisioner.Provisioner, inf
+ 		if info.host.Spec.AutomatedCleaningMode == metal3api.CleaningModeDisabled {
+ 			preprovImgFormats = nil
+ 		}
+	default:
+ 	}
+ 
+ 	preprovImg, err := r.getPreprovImage(info, preprovImgFormats)
+diff --git a/internal/controller/metal3.io/host_state_machine.go b/internal/controller/metal3.io/host_state_machine.go
+index 8b382553..6d88591b 100644
+--- a/internal/controller/metal3.io/host_state_machine.go
+++ b/internal/controller/metal3.io/host_state_machine.go
+@@ -107,6 +107,7 @@ func (hsm *hostStateMachine) updateHostStateFrom(initialState metal3api.Provisio
+ 			if actionRes := hsm.ensureCapacity(info, hsm.NextState); actionRes != nil {
+ 				return actionRes
+ 			}
+		default:
+ 		}
+ 
+ 		info.log.Info("changing provisioning state",
+@@ -137,6 +138,7 @@ func (hsm *hostStateMachine) updateHostStateFrom(initialState metal3api.Provisio
+ 				info.log.Info("saving boot mode",
+ 					"new mode", hsm.Host.Status.Provisioning.BootMode)
+ 			}
+		default:
+ 		}
+ 	}
+ 
+@@ -163,6 +165,7 @@ func (hsm *hostStateMachine) checkDelayedHost(info *reconcileInfo) actionResult
+ 		if actionRes := hsm.ensureCapacity(info, info.host.Status.Provisioning.State); actionRes != nil {
+ 			return actionRes
+ 		}
+	default:
+ 	}
+ 
+ 	return nil
+@@ -299,6 +302,7 @@ func (hsm *hostStateMachine) checkDetachedHost(info *reconcileInfo) (result acti
+ 		switch info.host.Status.Provisioning.State {
+ 		case metal3api.StateProvisioned, metal3api.StateExternallyProvisioned, metal3api.StateReady, metal3api.StateAvailable:
+ 			return hsm.Reconciler.detachHost(hsm.Provisioner, info)
+		default:
+ 		}
+ 	}
+ 	if info.host.Status.ErrorType == metal3api.DetachError {
+diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
+index 9a4b4589..4c4923ad 100644
+--- a/pkg/provisioner/ironic/ironic.go
+++ b/pkg/provisioner/ironic/ironic.go
+@@ -335,21 +335,17 @@ func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessDat
+ 		return result, err
+ 	}
+ 
+	if data.State == metal3api.StateProvisioning && data.CurrentImage.IsLiveISO() {
+		// Live ISO doesn't need pre-provisioning image
+		return result, nil
+	}
+
+	if data.State == metal3api.StateDeprovisioning && data.AutomatedCleaningMode == metal3api.CleaningModeDisabled {
+		// No need for pre-provisioning image if cleaning disabled
+		return result, nil
+	}
+
+ 	switch data.State {
+-	case metal3api.StateProvisioning,
+-		metal3api.StateDeprovisioning:
+-		if data.State == metal3api.StateProvisioning {
+-			if data.CurrentImage.IsLiveISO() {
+-				// Live ISO doesn't need pre-provisioning image
+-				return result, nil
+-			}
+-		} else {
+-			if data.AutomatedCleaningMode == metal3api.CleaningModeDisabled {
+-				// No need for pre-provisioning image if cleaning disabled
+-				return result, nil
+-			}
+-		}
+-		fallthrough
+ 	case metal3api.StateInspecting,
+ 		metal3api.StatePreparing:
+ 		if deployImageInfo == nil {
+@@ -360,6 +356,7 @@ func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessDat
+ 			}
+ 			return result, err
+ 		}
+	default:
+ 	}
+ 
+ 	return result, nil
+@@ -1724,6 +1721,7 @@ func (p *ironicProvisioner) loadBusyHosts() (hosts map[string]struct{}, err erro
+ 			if !strings.Contains(node.BootInterface, "virtual-media") {
+ 				hosts[node.Name] = struct{}{}
+ 			}
+		default:
+ 		}
+ 	}
+ 
+-- 
+2.50.1
+
--- a/baremetal-operator/0002-Stop-requiring-DEPLOY_KERNEL-RAMDISK.patch
+++ b/baremetal-operator/0002-Stop-requiring-DEPLOY_KERNEL-RAMDISK.patch
@@ -0,0 +1,91 @@
+From 509ba92a8ed7303a418c5277f7544db2765c3802 Mon Sep 17 00:00:00 2001
+From: Dmitry Tantsur <dtantsur@protonmail.com>
+Date: Wed, 2 Jul 2025 17:33:46 +0200
+Subject: [PATCH 2/5] Stop requiring DEPLOY_KERNEL/RAMDISK
+
+Ironic has global configuration that allows specifying them, even
+depending on the architecture. Our ironic-image supports that when
+IPA downloader is used (and should start supporting explicit variables
+too).
+
+Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
+(cherry picked from commit 0f1ef6cbeb8815f19d853ba5eab1e70c7d85e2ec)
+---
+ pkg/provisioner/ironic/factory.go      |  6 ++----
+ pkg/provisioner/ironic/factory_test.go |  9 ++-------
+ pkg/provisioner/ironic/ironic.go       | 10 +++-------
+ 3 files changed, 7 insertions(+), 18 deletions(-)
+
+diff --git a/pkg/provisioner/ironic/factory.go b/pkg/provisioner/ironic/factory.go
+index 19571eb0..15f636b3 100644
+--- a/pkg/provisioner/ironic/factory.go
+++ b/pkg/provisioner/ironic/factory.go
+@@ -114,10 +114,8 @@ func loadConfigFromEnv(havePreprovImgBuilder bool) (ironicConfig, error) {
+ 	c.deployRamdiskURL = os.Getenv("DEPLOY_RAMDISK_URL")
+ 	c.deployISOURL = os.Getenv("DEPLOY_ISO_URL")
+ 	if !havePreprovImgBuilder {
+-		if c.deployISOURL == "" &&
+-			(c.deployKernelURL == "" || c.deployRamdiskURL == "") {
+-			return c, errors.New("either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set")
+-		}
+		// NOTE(dtantsur): with a PreprovisioningImage controller, it makes sense to set only the kernel.
+		// Without it, either both or neither must be set.
+ 		if (c.deployKernelURL == "" && c.deployRamdiskURL != "") ||
+ 			(c.deployKernelURL != "" && c.deployRamdiskURL == "") {
+ 			return c, errors.New("DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together")
+diff --git a/pkg/provisioner/ironic/factory_test.go b/pkg/provisioner/ironic/factory_test.go
+index db47d8b2..0d32eccb 100644
+--- a/pkg/provisioner/ironic/factory_test.go
+++ b/pkg/provisioner/ironic/factory_test.go
+@@ -98,24 +98,19 @@ func TestLoadConfigFromEnv(t *testing.T) {
+ 				ramdiskURL: "http://ramdisk",
+ 			},
+ 		},
+-		{
+-			name:          "no deploy info",
+-			env:           EnvFixture{},
+-			expectedError: "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
+-		},
+ 		{
+ 			name: "only kernel",
+ 			env: EnvFixture{
+ 				kernelURL: "http://kernel",
+ 			},
+-			expectedError: "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
+			expectedError: "DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together",
+ 		},
+ 		{
+ 			name: "only ramdisk",
+ 			env: EnvFixture{
+ 				ramdiskURL: "http://ramdisk",
+ 			},
+-			expectedError:         "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
+			expectedError:         "DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together",
+ 			expectedImgBuildError: "DEPLOY_RAMDISK_URL requires DEPLOY_KERNEL_URL to be set also",
+ 		},
+ 		{
+diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
+index 4c4923ad..48db865a 100644
+--- a/pkg/provisioner/ironic/ironic.go
+++ b/pkg/provisioner/ironic/ironic.go
+@@ -348,14 +348,10 @@ func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessDat
+ 	switch data.State {
+ 	case metal3api.StateInspecting,
+ 		metal3api.StatePreparing:
+-		if deployImageInfo == nil {
+-			if p.config.havePreprovImgBuilder {
+-				result, err = transientError(provisioner.ErrNeedsPreprovisioningImage)
+-			} else {
+-				result, err = operationFailed("no preprovisioning image available")
+-			}
+-			return result, err
+		if deployImageInfo == nil && p.config.havePreprovImgBuilder {
+			result, err = transientError(provisioner.ErrNeedsPreprovisioningImage)
+ 		}
+		return result, err
+ 	default:
+ 	}
+ 
+-- 
+2.50.1
+
--- a/baremetal-operator/0003-Remove-DEPLOY_KERNEL_URL-from-deployment-scripts-for.patch
+++ b/baremetal-operator/0003-Remove-DEPLOY_KERNEL_URL-from-deployment-scripts-for.patch
@@ -0,0 +1,49 @@
+From ea10df866f0fc491cac15ba5005f3b820e1ccecb Mon Sep 17 00:00:00 2001
+From: Dmitry Tantsur <dtantsur@protonmail.com>
+Date: Wed, 2 Jul 2025 17:55:48 +0200
+Subject: [PATCH 3/5] Remove DEPLOY_KERNEL_URL from deployment scripts for main
+
+Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
+(cherry picked from commit ddcf3d915819b6344f79fbcec3e28250b217a597)
+---
+ config/default/ironic.env      | 2 --
+ config/overlays/e2e/ironic.env | 2 --
+ config/render/capm3.yaml       | 2 --
+ 3 files changed, 6 deletions(-)
+
+diff --git a/config/default/ironic.env b/config/default/ironic.env
+index e72cb3c3..3fe36d25 100644
+--- a/config/default/ironic.env
+++ b/config/default/ironic.env
+@@ -1,7 +1,5 @@
+ HTTP_PORT=6180
+ PROVISIONING_INTERFACE=eth2
+ DHCP_RANGE=172.22.0.10,172.22.0.100
+-DEPLOY_KERNEL_URL=http://172.22.0.2:6180/images/ironic-python-agent.kernel
+-DEPLOY_RAMDISK_URL=http://172.22.0.2:6180/images/ironic-python-agent.initramfs
+ IRONIC_ENDPOINT=http://172.22.0.2:6385/v1/
+ CACHEURL=http://172.22.0.1/images
+diff --git a/config/overlays/e2e/ironic.env b/config/overlays/e2e/ironic.env
+index 44147ae0..6f200720 100644
+--- a/config/overlays/e2e/ironic.env
+++ b/config/overlays/e2e/ironic.env
+@@ -1,3 +1 @@
+-DEPLOY_KERNEL_URL=http://192.168.222.1:6180/images/ironic-python-agent.kernel
+-DEPLOY_RAMDISK_URL=http://192.168.222.1:6180/images/ironic-python-agent.initramfs
+ IRONIC_ENDPOINT=https://192.168.222.1:6385/v1/
+diff --git a/config/render/capm3.yaml b/config/render/capm3.yaml
+index 42283193..7568288f 100644
+--- a/config/render/capm3.yaml
+++ b/config/render/capm3.yaml
+@@ -2510,8 +2510,6 @@ subjects:
+ apiVersion: v1
+ data:
+   CACHEURL: http://172.22.0.1/images
+-  DEPLOY_KERNEL_URL: http://172.22.0.2:6180/images/ironic-python-agent.kernel
+-  DEPLOY_RAMDISK_URL: http://172.22.0.2:6180/images/ironic-python-agent.initramfs
+   DHCP_RANGE: 172.22.0.10,172.22.0.100
+   HTTP_PORT: "6180"
+   IRONIC_ENDPOINT: http://172.22.0.2:6385/v1/
+-- 
+2.50.1
+
--- a/baremetal-operator/0004-Refactor-setting-various-Ironic-properties.patch
+++ b/baremetal-operator/0004-Refactor-setting-various-Ironic-properties.patch
@@ -0,0 +1,422 @@
+From b2e8a1a42c95a3338c9c83a4781ba4744da5ff6a Mon Sep 17 00:00:00 2001
+From: Dmitry Tantsur <dtantsur@protonmail.com>
+Date: Tue, 24 Jun 2025 18:53:42 +0200
+Subject: [PATCH 4/5] Refactor setting various Ironic properties
+
+Currently, Ironic instance_info and properties fields are populated at
+random either in most states or before deployment. While potentially
+convenient, it makes it very hard to reason about the code.
+
+Now, the logic is split into two parts:
+1. configureNode (renamed from configureImages) writes fields that are
+   considered properties of the node itself: CPU architecture, deploy
+   images, capabilities, etc.
+2. getInstanceUpdateOpts (merge of getImageUpdateOptsForNode and
+   getUpdateOptsForNode) writes fields that are required for deployment
+   and thus are properties of instance. This includes images, checksums,
+   runtime capabilities. As an exception, root device hints fall under
+   this category and thus are now set in instance_info, not properties.
+
+Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
+(cherry picked from commit 0c70cba38c926c474f4fa129a7e99ef9827d6ce9)
+---
+ .../metal3.io/baremetalhost_controller.go     |  2 +-
+ pkg/provisioner/ironic/ironic.go              | 49 +++++-------
+ pkg/provisioner/ironic/provision_test.go      | 27 +++----
+ pkg/provisioner/ironic/register.go            |  3 +-
+ pkg/provisioner/ironic/register_test.go       | 78 +------------------
+ pkg/provisioner/provisioner.go                |  2 +-
+ 6 files changed, 40 insertions(+), 121 deletions(-)
+
+diff --git a/internal/controller/metal3.io/baremetalhost_controller.go b/internal/controller/metal3.io/baremetalhost_controller.go
+index 1998627e..0d0c9562 100644
+--- a/internal/controller/metal3.io/baremetalhost_controller.go
+++ b/internal/controller/metal3.io/baremetalhost_controller.go
+@@ -848,6 +848,7 @@ func (r *BareMetalHostReconciler) registerHost(prov provisioner.Provisioner, inf
+ 			PreprovisioningNetworkData: preprovisioningNetworkData,
+ 			HasCustomDeploy:            hasCustomDeploy(info.host),
+ 			DisablePowerOff:            info.host.Spec.DisablePowerOff,
+			CPUArchitecture:            getHostArchitecture(info.host),
+ 		},
+ 		credsChanged,
+ 		info.host.Status.ErrorType == metal3api.RegistrationError)
+@@ -1271,7 +1272,6 @@ func (r *BareMetalHostReconciler) actionProvisioning(prov provisioner.Provisione
+ 		BootMode:        info.host.Status.Provisioning.BootMode,
+ 		HardwareProfile: hwProf,
+ 		RootDeviceHints: info.host.Status.Provisioning.RootDeviceHints.DeepCopy(),
+-		CPUArchitecture: getHostArchitecture(info.host),
+ 	}, forceReboot)
+ 	if err != nil {
+ 		return actionError{errors.Wrap(err, "failed to provision")}
+diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
+index 48db865a..b8e6d72b 100644
+--- a/pkg/provisioner/ironic/ironic.go
+++ b/pkg/provisioner/ironic/ironic.go
+@@ -311,20 +311,24 @@ func (p *ironicProvisioner) createPXEEnabledNodePort(uuid, macAddress string) er
+ 	return nil
+ }
+ 
+-func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
+func (p *ironicProvisioner) configureNode(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
+ 	updater := clients.UpdateOptsBuilder(p.log)
+ 
+ 	deployImageInfo := setDeployImage(p.config, bmcAccess, data.PreprovisioningImage)
+ 	updater.SetDriverInfoOpts(deployImageInfo, ironicNode)
+ 
+-	// NOTE(dtantsur): It is risky to update image information for active nodes since it may affect the ability to clean up.
+-	if (data.CurrentImage != nil || data.HasCustomDeploy) && ironicNode.ProvisionState != string(nodes.Active) {
+-		p.getImageUpdateOptsForNode(ironicNode, data.CurrentImage, data.BootMode, data.HasCustomDeploy, updater)
+-	}
+ 	updater.SetTopLevelOpt("automated_clean",
+ 		data.AutomatedCleaningMode != metal3api.CleaningModeDisabled,
+ 		ironicNode.AutomatedClean)
+ 
+	opts := clients.UpdateOptsData{
+		"capabilities": buildCapabilitiesValue(ironicNode, data.BootMode),
+	}
+	if data.CPUArchitecture != "" {
+		opts["cpu_arch"] = data.CPUArchitecture
+	}
+	updater.SetPropertiesOpts(opts, ironicNode)
+
+ 	_, success, result, err := p.tryUpdateNode(ironicNode, updater)
+ 	if !success {
+ 		return result, err
+@@ -656,40 +660,29 @@ func (p *ironicProvisioner) setCustomDeployUpdateOptsForNode(ironicNode *nodes.N
+ 		SetTopLevelOpt("deploy_interface", "custom-agent", ironicNode.DeployInterface)
+ }
+ 
+-func (p *ironicProvisioner) getImageUpdateOptsForNode(ironicNode *nodes.Node, imageData *metal3api.Image, bootMode metal3api.BootMode, hasCustomDeploy bool, updater *clients.NodeUpdater) {
+func (p *ironicProvisioner) getInstanceUpdateOpts(ironicNode *nodes.Node, data provisioner.ProvisionData) *clients.NodeUpdater {
+	updater := clients.UpdateOptsBuilder(p.log)
+
+	hasCustomDeploy := data.CustomDeploy != nil && data.CustomDeploy.Method != ""
+
+ 	// instance_uuid
+ 	updater.SetTopLevelOpt("instance_uuid", string(p.objectMeta.UID), ironicNode.InstanceUUID)
+ 
+ 	updater.SetInstanceInfoOpts(clients.UpdateOptsData{
+-		"capabilities": buildInstanceInfoCapabilities(bootMode),
+		"capabilities": buildInstanceInfoCapabilities(data.BootMode),
+		"root_device":  devicehints.MakeHintMap(data.RootDeviceHints),
+ 	}, ironicNode)
+ 
+ 	if hasCustomDeploy {
+ 		// Custom deploy process
+-		p.setCustomDeployUpdateOptsForNode(ironicNode, imageData, updater)
+-	} else if imageData.IsLiveISO() {
+		p.setCustomDeployUpdateOptsForNode(ironicNode, &data.Image, updater)
+	} else if data.Image.IsLiveISO() {
+ 		// Set live-iso format options
+-		p.setLiveIsoUpdateOptsForNode(ironicNode, imageData, updater)
+		p.setLiveIsoUpdateOptsForNode(ironicNode, &data.Image, updater)
+ 	} else {
+ 		// Set deploy_interface direct options when not booting a live-iso
+-		p.setDirectDeployUpdateOptsForNode(ironicNode, imageData, updater)
+		p.setDirectDeployUpdateOptsForNode(ironicNode, &data.Image, updater)
+ 	}
+-}
+-
+-func (p *ironicProvisioner) getUpdateOptsForNode(ironicNode *nodes.Node, data provisioner.ProvisionData) *clients.NodeUpdater {
+-	updater := clients.UpdateOptsBuilder(p.log)
+-
+-	hasCustomDeploy := data.CustomDeploy != nil && data.CustomDeploy.Method != ""
+-	p.getImageUpdateOptsForNode(ironicNode, &data.Image, data.BootMode, hasCustomDeploy, updater)
+-
+-	opts := clients.UpdateOptsData{
+-		"root_device":  devicehints.MakeHintMap(data.RootDeviceHints),
+-		"capabilities": buildCapabilitiesValue(ironicNode, data.BootMode),
+-	}
+-	if data.CPUArchitecture != "" {
+-		opts["cpu_arch"] = data.CPUArchitecture
+-	}
+-	updater.SetPropertiesOpts(opts, ironicNode)
+ 
+ 	return updater
+ }
+@@ -792,7 +785,7 @@ func (p *ironicProvisioner) setUpForProvisioning(ironicNode *nodes.Node, data pr
+ 	p.log.Info("starting provisioning", "node properties", ironicNode.Properties)
+ 
+ 	ironicNode, success, result, err := p.tryUpdateNode(ironicNode,
+-		p.getUpdateOptsForNode(ironicNode, data))
+		p.getInstanceUpdateOpts(ironicNode, data))
+ 	if !success {
+ 		return result, err
+ 	}
+diff --git a/pkg/provisioner/ironic/provision_test.go b/pkg/provisioner/ironic/provision_test.go
+index 72ee57b7..40c714e9 100644
+--- a/pkg/provisioner/ironic/provision_test.go
+++ b/pkg/provisioner/ironic/provision_test.go
+@@ -713,7 +713,7 @@ func TestGetUpdateOptsForNodeWithRootHints(t *testing.T) {
+ 		BootMode:        metal3api.DefaultBootMode,
+ 		RootDeviceHints: host.Status.Provisioning.RootDeviceHints,
+ 	}
+-	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
+ 
+ 	t.Logf("patches: %v", patches)
+ 
+@@ -723,7 +723,7 @@ func TestGetUpdateOptsForNodeWithRootHints(t *testing.T) {
+ 		Value interface{}       // the value being passed to ironic (or value associated with the key)
+ 	}{
+ 		{
+-			Path:  "/properties/root_device",
+			Path:  "/instance_info/root_device",
+ 			Value: "userdefined_devicename",
+ 			Map: map[string]string{
+ 				"name":                 "s== userd_devicename",
+@@ -807,7 +807,7 @@ func TestGetUpdateOptsForNodeVirtual(t *testing.T) {
+ 		BootMode:        metal3api.DefaultBootMode,
+ 		HardwareProfile: hwProf,
+ 	}
+-	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
+ 
+ 	t.Logf("patches: %v", patches)
+ 
+@@ -903,9 +903,8 @@ func TestGetUpdateOptsForNodeDell(t *testing.T) {
+ 		Image:           *host.Spec.Image,
+ 		BootMode:        metal3api.DefaultBootMode,
+ 		HardwareProfile: hwProf,
+-		CPUArchitecture: "x86_64",
+ 	}
+-	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
+ 
+ 	t.Logf("patches: %v", patches)
+ 
+@@ -930,10 +929,6 @@ func TestGetUpdateOptsForNodeDell(t *testing.T) {
+ 			Path:  "/instance_uuid",
+ 			Value: "27720611-e5d1-45d3-ba3a-222dcfaa4ca2",
+ 		},
+-		{
+-			Path:  "/properties/cpu_arch",
+-			Value: "x86_64",
+-		},
+ 	}
+ 
+ 	for _, e := range expected {
+@@ -971,7 +966,7 @@ func TestGetUpdateOptsForNodeLiveIso(t *testing.T) {
+ 		Image:    *host.Spec.Image,
+ 		BootMode: metal3api.DefaultBootMode,
+ 	}
+-	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
+ 
+ 	t.Logf("patches: %v", patches)
+ 
+@@ -1038,7 +1033,7 @@ func TestGetUpdateOptsForNodeImageToLiveIso(t *testing.T) {
+ 		Image:    *host.Spec.Image,
+ 		BootMode: metal3api.DefaultBootMode,
+ 	}
+-	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
+ 
+ 	t.Logf("patches: %v", patches)
+ 
+@@ -1116,7 +1111,7 @@ func TestGetUpdateOptsForNodeLiveIsoToImage(t *testing.T) {
+ 		Image:    *host.Spec.Image,
+ 		BootMode: metal3api.DefaultBootMode,
+ 	}
+-	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
+ 
+ 	t.Logf("patches: %v", patches)
+ 
+@@ -1188,7 +1183,7 @@ func TestGetUpdateOptsForNodeCustomDeploy(t *testing.T) {
+ 		BootMode:     metal3api.DefaultBootMode,
+ 		CustomDeploy: host.Spec.CustomDeploy,
+ 	}
+-	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
+ 
+ 	t.Logf("patches: %v", patches)
+ 
+@@ -1245,7 +1240,7 @@ func TestGetUpdateOptsForNodeCustomDeployWithImage(t *testing.T) {
+ 		BootMode:     metal3api.DefaultBootMode,
+ 		CustomDeploy: host.Spec.CustomDeploy,
+ 	}
+-	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
+ 
+ 	t.Logf("patches: %v", patches)
+ 
+@@ -1312,7 +1307,7 @@ func TestGetUpdateOptsForNodeImageToCustomDeploy(t *testing.T) {
+ 		BootMode:     metal3api.DefaultBootMode,
+ 		CustomDeploy: host.Spec.CustomDeploy,
+ 	}
+-	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
+ 
+ 	t.Logf("patches: %v", patches)
+ 
+@@ -1405,7 +1400,7 @@ func TestGetUpdateOptsForNodeSecureBoot(t *testing.T) {
+ 		BootMode:        metal3api.UEFISecureBoot,
+ 		HardwareProfile: hwProf,
+ 	}
+-	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
+ 
+ 	t.Logf("patches: %v", patches)
+ 
+diff --git a/pkg/provisioner/ironic/register.go b/pkg/provisioner/ironic/register.go
+index 390e463f..9a600189 100644
+--- a/pkg/provisioner/ironic/register.go
+++ b/pkg/provisioner/ironic/register.go
+@@ -220,7 +220,7 @@ func (p *ironicProvisioner) Register(data provisioner.ManagementAccessData, cred
+ 		fallthrough
+ 
+ 	default:
+-		result, err = p.configureImages(data, ironicNode, bmcAccess)
+		result, err = p.configureNode(data, ironicNode, bmcAccess)
+ 		return result, provID, err
+ 	}
+ }
+@@ -246,6 +246,7 @@ func (p *ironicProvisioner) enrollNode(data provisioner.ManagementAccessData, bm
+ 		DisablePowerOff:     &data.DisablePowerOff,
+ 		Properties: map[string]interface{}{
+ 			"capabilities": buildCapabilitiesValue(nil, data.BootMode),
+			"cpu_arch":     data.CPUArchitecture,
+ 		},
+ 	}
+ 
+diff --git a/pkg/provisioner/ironic/register_test.go b/pkg/provisioner/ironic/register_test.go
+index e6c302b5..8e524dad 100644
+--- a/pkg/provisioner/ironic/register_test.go
+++ b/pkg/provisioner/ironic/register_test.go
+@@ -72,7 +72,7 @@ func TestRegisterMACOptional(t *testing.T) {
+ 	assert.Equal(t, "", result.ErrorMessage)
+ }
+ 
+-func TestRegisterCreateNodeNoImage(t *testing.T) {
+func TestRegisterCreateNode(t *testing.T) {
+ 	// Create a host without a bootMACAddress and with a BMC that
+ 	// does not require one.
+ 	host := makeHost()
+@@ -146,79 +146,6 @@ func TestRegisterCreateNodeOldInspection(t *testing.T) {
+ 	assert.Equal(t, "inspector", createdNode.InspectInterface)
+ }
+ 
+-func TestRegisterCreateWithImage(t *testing.T) {
+-	// Create a host with Image specified in the Spec
+-	host := makeHost()
+-	host.Status.Provisioning.ID = "" // so we don't lookup by uuid
+-	host.Spec.Image.URL = "theimagefoo"
+-	host.Spec.Image.Checksum = "thechecksumxyz"
+-	host.Spec.Image.ChecksumType = "auto"
+-
+-	var createdNode *nodes.Node
+-
+-	createCallback := func(node nodes.Node) {
+-		createdNode = &node
+-	}
+-
+-	ironic := testserver.NewIronic(t).WithDrivers().CreateNodes(createCallback).NoNode(host.Namespace + nameSeparator + host.Name).NoNode(host.Name)
+-	ironic.AddDefaultResponse("/v1/nodes/node-0", "PATCH", http.StatusOK, "{}")
+-	ironic.Start()
+-	defer ironic.Stop()
+-
+-	auth := clients.AuthConfig{Type: clients.NoAuth}
+-	prov, err := newProvisionerWithSettings(host, bmc.Credentials{}, nullEventPublisher, ironic.Endpoint(), auth)
+-	if err != nil {
+-		t.Fatalf("could not create provisioner: %s", err)
+-	}
+-
+-	result, provID, err := prov.Register(provisioner.ManagementAccessData{CurrentImage: host.Spec.Image.DeepCopy()}, false, false)
+-	if err != nil {
+-		t.Fatalf("error from Register: %s", err)
+-	}
+-	assert.Equal(t, "", result.ErrorMessage)
+-	assert.Equal(t, createdNode.UUID, provID)
+-	assert.Equal(t, "", createdNode.DeployInterface)
+-	updates, _ := ironic.GetLastRequestFor("/v1/nodes/node-0", http.MethodPatch)
+-	assert.Contains(t, updates, "/instance_info/image_source")
+-	assert.Contains(t, updates, host.Spec.Image.URL)
+-	assert.Contains(t, updates, "/instance_info/image_checksum")
+-	assert.Contains(t, updates, host.Spec.Image.Checksum)
+-}
+-
+-func TestRegisterCreateWithLiveIso(t *testing.T) {
+-	// Create a host with Image specified in the Spec
+-	host := makeHostLiveIso()
+-	host.Status.Provisioning.ID = "" // so we don't lookup by uuid
+-
+-	var createdNode *nodes.Node
+-
+-	createCallback := func(node nodes.Node) {
+-		createdNode = &node
+-	}
+-
+-	ironic := testserver.NewIronic(t).WithDrivers().CreateNodes(createCallback).NoNode(host.Namespace + nameSeparator + host.Name).NoNode(host.Name)
+-	ironic.AddDefaultResponse("/v1/nodes/node-0", "PATCH", http.StatusOK, "{}")
+-	ironic.Start()
+-	defer ironic.Stop()
+-
+-	auth := clients.AuthConfig{Type: clients.NoAuth}
+-	prov, err := newProvisionerWithSettings(host, bmc.Credentials{}, nullEventPublisher, ironic.Endpoint(), auth)
+-	if err != nil {
+-		t.Fatalf("could not create provisioner: %s", err)
+-	}
+-
+-	result, provID, err := prov.Register(provisioner.ManagementAccessData{CurrentImage: host.Spec.Image.DeepCopy()}, false, false)
+-	if err != nil {
+-		t.Fatalf("error from Register: %s", err)
+-	}
+-	assert.Equal(t, "", result.ErrorMessage)
+-	assert.Equal(t, createdNode.UUID, provID)
+-	assert.Equal(t, "ramdisk", createdNode.DeployInterface)
+-	updates, _ := ironic.GetLastRequestFor("/v1/nodes/node-0", http.MethodPatch)
+-	assert.Contains(t, updates, "/instance_info/boot_iso")
+-	assert.Contains(t, updates, host.Spec.Image.URL)
+-}
+-
+ func TestRegisterExistingNode(t *testing.T) {
+ 	// Create a host without a bootMACAddress and with a BMC that
+ 	// does not require one.
+@@ -342,6 +269,7 @@ func TestRegisterExistingNodeContinue(t *testing.T) {
+ 					"test_password":  "******", // ironic returns a placeholder
+ 					"test_port":      "42",
+ 				},
+				Properties: map[string]interface{}{"capabilities": ""},
+ 			}).NodeUpdate(nodes.Node{
+ 				UUID: "uuid",
+ 			})
+@@ -521,6 +449,7 @@ func TestRegisterExistingSteadyStateNoUpdate(t *testing.T) {
+ 				DeployInterface: imageType.DeployInterface,
+ 				InstanceInfo:    imageType.InstanceInfo,
+ 				DriverInfo:      imageType.DriverInfo,
+				Properties:      map[string]interface{}{"capabilities": ""},
+ 			}).NodeUpdate(nodes.Node{
+ 				UUID: "uuid",
+ 			})
+@@ -577,6 +506,7 @@ func TestRegisterExistingNodeWaiting(t *testing.T) {
+ 					"test_password":  "******", // ironic returns a placeholder
+ 					"test_port":      "42",
+ 				},
+				Properties: map[string]interface{}{"capabilities": ""},
+ 			}
+ 			ironic := testserver.NewIronic(t).CreateNodes(createCallback).Node(node).NodeUpdate(nodes.Node{
+ 				UUID: "uuid",
+diff --git a/pkg/provisioner/provisioner.go b/pkg/provisioner/provisioner.go
+index faddd0fd..e2018e63 100644
+--- a/pkg/provisioner/provisioner.go
+++ b/pkg/provisioner/provisioner.go
+@@ -82,6 +82,7 @@ type ManagementAccessData struct {
+ 	PreprovisioningNetworkData string
+ 	HasCustomDeploy            bool
+ 	DisablePowerOff            bool
+	CPUArchitecture            string
+ }
+ 
+ type AdoptData struct {
+@@ -122,7 +123,6 @@ type ProvisionData struct {
+ 	HardwareProfile profile.Profile
+ 	RootDeviceHints *metal3api.RootDeviceHints
+ 	CustomDeploy    *metal3api.CustomDeploy
+-	CPUArchitecture string
+ }
+ 
+ type HTTPHeaders []map[string]string
+-- 
+2.50.1
+
--- a/baremetal-operator/0005-Provide-inline-docs-for-node-configuration-calls.patch
+++ b/baremetal-operator/0005-Provide-inline-docs-for-node-configuration-calls.patch
@@ -0,0 +1,46 @@
+From 5419f8d95306efed8667936156d8081c21e068ed Mon Sep 17 00:00:00 2001
+From: Dmitry Tantsur <dtantsur@protonmail.com>
+Date: Wed, 9 Jul 2025 14:02:23 +0200
+Subject: [PATCH 5/5] Provide inline docs for node configuration calls
+
+Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
+(cherry picked from commit 778d9342747aefc8079f1ccaa6a14f83b26f28ff)
+---
+ pkg/provisioner/ironic/ironic.go | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
+index b8e6d72b..166d929c 100644
+--- a/pkg/provisioner/ironic/ironic.go
+++ b/pkg/provisioner/ironic/ironic.go
+@@ -311,6 +311,10 @@ func (p *ironicProvisioner) createPXEEnabledNodePort(uuid, macAddress string) er
+ 	return nil
+ }
+ 
+// configureNode configures Node properties that are not related to any specific provisioning phase.
+// It populates the AutomatedClean field, as well as capabilities and architecture in Properties.
+// It also calls setDeployImage to populate IPA parameters in DriverInfo and
+// checks if the required PreprovisioningImage is provided and ready.
+ func (p *ironicProvisioner) configureNode(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
+ 	updater := clients.UpdateOptsBuilder(p.log)
+ 
+@@ -426,6 +430,8 @@ func setExternalURL(p *ironicProvisioner, driverInfo map[string]interface{}) map
+ 	return driverInfo
+ }
+ 
+// setDeployImage configures the IPA ramdisk parameters in the Node's DriverInfo.
+// It can use either the provided PreprovisioningImage or the global configuration from ironicConfig.
+ func setDeployImage(config ironicConfig, accessDetails bmc.AccessDetails, hostImage *provisioner.PreprovisioningImage) clients.UpdateOptsData {
+ 	deployImageInfo := clients.UpdateOptsData{
+ 		deployKernelKey:  nil,
+@@ -660,6 +666,7 @@ func (p *ironicProvisioner) setCustomDeployUpdateOptsForNode(ironicNode *nodes.N
+ 		SetTopLevelOpt("deploy_interface", "custom-agent", ironicNode.DeployInterface)
+ }
+ 
+// getInstanceUpdateOpts constructs InstanceInfo options required to provision a Node in Ironic.
+ func (p *ironicProvisioner) getInstanceUpdateOpts(ironicNode *nodes.Node, data provisioner.ProvisionData) *clients.NodeUpdater {
+ 	updater := clients.UpdateOptsBuilder(p.log)
+ 
+-- 
+2.50.1
+
--- a/baremetal-operator/_service
+++ b/baremetal-operator/_service
@@ -2,7 +2,7 @@
 <service name="obs_scm">
    <param name="url">https://github.com/metal3-io/baremetal-operator</param>
    <param name="scm">git</param>
-    <param name="revision">v0.9.1</param>
+    <param name="revision">v0.10.2</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
--- a/baremetal-operator/baremetal-operator.spec
+++ b/baremetal-operator/baremetal-operator.spec
@@ -17,14 +17,21 @@


 Name:           baremetal-operator
-Version:        0.9.1
+Version:        0.10.2
 Release:        0
 Summary:        Implements a Kubernetes API for managing bare metal hosts
 License:        Apache-2.0
 URL:            https://github.com/metal3-io/baremetal-operator
 Source:         baremetal-operator-%{version}.tar
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.23
+# Patches related to multi-architecture support, upstream PRs #2506 #2559 #2537
+Patch0:		0001-Enable-exhaustive-linter.patch
+Patch1:		0002-Stop-requiring-DEPLOY_KERNEL-RAMDISK.patch
+Patch2:		0003-Remove-DEPLOY_KERNEL_URL-from-deployment-scripts-for.patch
+Patch3:		0004-Refactor-setting-various-Ironic-properties.patch
+Patch4:		0005-Provide-inline-docs-for-node-configuration-calls.patch
+
+BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}

--- a/cdi-chart/Chart.yaml
+++ b/cdi-chart/Chart.yaml
@@ -1,9 +1,9 @@
-#!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.0_up0.5.0
-#!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.0_up0.5.0-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.1_up0.6.0
+#!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.1_up0.6.0-%RELEASE%
 apiVersion: v2
-appVersion: 1.61.0
+appVersion: 1.62.0
 description: A Helm chart for Containerized Data Importer (CDI)
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg
 name: cdi
 type: application
-version: "%%CHART_MAJOR%%.0.0+up0.5.0"
+version: "%%CHART_MAJOR%%.0.1+up0.6.0"
--- a/cdi-chart/crds/cdi.yaml
+++ b/cdi-chart/crds/cdi.yaml
@@ -109,9 +109,9 @@ spec:
                  description: CDIConfig at CDI level
                  properties:
                    dataVolumeTTLSeconds:
-                      description: DataVolumeTTLSeconds is the time in seconds after
-                        DataVolume completion it can be garbage collected. Disabled
-                        by default.
+                      description: |-
+                        DataVolumeTTLSeconds is the time in seconds after DataVolume completion it can be garbage collected. Disabled by default.
+                        Deprecated: Removed in v1.62.
                      format: int32
                      type: integer
                    featureGates:
@@ -2641,9 +2641,9 @@ spec:
                  description: CDIConfig at CDI level
                  properties:
                    dataVolumeTTLSeconds:
-                      description: DataVolumeTTLSeconds is the time in seconds after
-                        DataVolume completion it can be garbage collected. Disabled
-                        by default.
+                      description: |-
+                        DataVolumeTTLSeconds is the time in seconds after DataVolume completion it can be garbage collected. Disabled by default.
+                        Deprecated: Removed in v1.62.
                      format: int32
                      type: integer
                    featureGates:
--- a/cdi-chart/templates/cdi-operator.yaml
+++ b/cdi-chart/templates/cdi-operator.yaml
@@ -599,6 +599,8 @@ spec:
  strategy: {}
  template:
    metadata:
+      annotations:
+        openshift.io/required-scc: restricted-v2
      labels:
        cdi.kubevirt.io: cdi-operator
        name: cdi-operator
--- a/cdi-chart/templates/cdi.yaml
+++ b/cdi-chart/templates/cdi.yaml
@@ -18,4 +18,8 @@ spec:
  {{- with .Values.cdi.workload }}
  workload:
  {{- toYaml . | nindent 4 }}
-  {{- end }}
+  {{- end }}
+  {{- with .Values.cdi.customizeComponents }}
+  customizeComponents:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
--- a/cdi-chart/values.yaml
+++ b/cdi-chart/values.yaml
@@ -1,12 +1,12 @@
 deployment:
-  version: 1.61.0-150600.3.12.1
-  operatorImage: registry.suse.com/suse/sles/15.6/cdi-operator
-  controllerImage: registry.suse.com/suse/sles/15.6/cdi-controller
-  importerImage: registry.suse.com/suse/sles/15.6/cdi-importer
-  clonerImage: registry.suse.com/suse/sles/15.6/cdi-cloner
-  apiserverImage: registry.suse.com/suse/sles/15.6/cdi-apiserver
-  uploadserverImage: registry.suse.com/suse/sles/15.6/cdi-uploadserver
-  uploadproxyImage: registry.suse.com/suse/sles/15.6/cdi-uploadproxy
+  version: 1.62.0-150700.9.3.1
+  operatorImage: registry.suse.com/suse/sles/15.7/cdi-operator
+  controllerImage: registry.suse.com/suse/sles/15.7/cdi-controller
+  importerImage: registry.suse.com/suse/sles/15.7/cdi-importer
+  clonerImage: registry.suse.com/suse/sles/15.7/cdi-cloner
+  apiserverImage: registry.suse.com/suse/sles/15.7/cdi-apiserver
+  uploadserverImage: registry.suse.com/suse/sles/15.7/cdi-uploadserver
+  uploadproxyImage: registry.suse.com/suse/sles/15.7/cdi-uploadproxy
  pullPolicy: IfNotPresent
  affinity:
    podAffinity:
@@ -30,6 +30,7 @@ cdi:
    featureGates:
      - HonorWaitForFirstConsumer
  imagePullPolicy: "IfNotPresent"
+  customizeComponents: {}
  infra:
    nodeSelector:
      kubernetes.io/os: linux
@@ -41,7 +42,7 @@ cdi:
    nodeSelector:
      kubernetes.io/os: linux

-hookImage: registry.rancher.com/rancher/kubectl:v1.30.10
+hookImage: registry.rancher.com/rancher/kubectl:v1.33.1
 hookRestartPolicy: OnFailure
 hookSecurityContext:
  seccompProfile:
--- a/1
+++ b/1
--- a/1
+++ b/1
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/edge-image-builder-image/Dockerfile
+++ b/edge-image-builder-image/Dockerfile
@@ -1,5 +1,5 @@
-#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.2.1
-#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.2.1-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.3.1
+#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.3.1-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION
 MAINTAINER SUSE LLC (https://www.suse.com/)
@@ -7,18 +7,18 @@ MAINTAINER SUSE LLC (https://www.suse.com/)
 COPY artifacts.yaml artifacts.yaml

 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
-RUN zypper --non-interactive install --no-recommends edge-image-builder qemu-x86 qemu-uefi-aarch64 cni-plugins; zypper -n clean; rm -rf /var/log/*
+RUN zypper --non-interactive install --no-recommends edge-image-builder qemu-x86 qemu-uefi-aarch64 cni-plugins pigz zstd cpio && zypper -n clean && rm -rf /var/log/*

 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.application.edge-image-builder
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE edge-image-builder Container Image"
 LABEL org.opencontainers.image.description="edge-image-builder based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="1.2.1"
+LABEL org.opencontainers.image.version="1.3.1"
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%edge-image-builder:1.2.1-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%edge-image-builder:1.3.1-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -32,8 +32,7 @@ LABEL com.suse.release-stage="released"
 # and also expects the boot kernel to be a portable executable (PE), not ELF.
 RUN mkdir -p /usr/share/edk2/aarch64 && \
  cp /usr/share/qemu/aavmf-aarch64-code.bin /usr/share/edk2/aarch64/QEMU_EFI-pflash.raw && \
-  cp /usr/share/qemu/aavmf-aarch64-vars.bin /usr/share/edk2/aarch64/vars-template-pflash.raw && \
-  mv /boot/vmlinux* /boot/backup-vmlinux
+  cp /usr/share/qemu/aavmf-aarch64-vars.bin /usr/share/edk2/aarch64/vars-template-pflash.raw

 ENTRYPOINT ["/usr/bin/eib"]

--- a/edge-image-builder-image/artifacts.yaml
+++ b/edge-image-builder-image/artifacts.yaml
@@ -1,7 +1,7 @@
 metallb:
  chart: metallb
  repository: "%%CHART_REPO%%/%%CHART_PREFIX%%"
-  version: "%%CHART_MAJOR%%.0.0+up0.14.9"
+  version: "%%CHART_MAJOR%%.0.1+up0.15.2"
 endpoint-copier-operator:
  chart: endpoint-copier-operator
  repository: "%%CHART_REPO%%/%%CHART_PREFIX%%"
@@ -10,6 +10,10 @@ kubernetes:
  k3s:
    selinuxPackage: k3s-selinux-1.6-1.slemicro.noarch
    selinuxRepository: https://rpm.rancher.io/k3s/stable/common/slemicro/noarch
+    selinuxRepositoryPriority: 1
+    releaseURL: https://github.com/k3s-io/k3s/releases/download/
  rke2:
    selinuxPackage: rke2-selinux
    selinuxRepository: https://rpm.rancher.io/rke2/stable/common/slemicro/noarch
+    selinuxRepositoryPriority: 1
+    releaseURL: https://github.com/rancher/rke2/releases/download/
--- a/edge-image-builder/_service
+++ b/edge-image-builder/_service
@@ -3,9 +3,9 @@
    <param name="url">https://github.com/suse-edge/edge-image-builder.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="revision">v1.2.1</param>
+    <param name="revision">v1.3.1</param>
    <!-- Uncomment and set this For Pre-Release Version -->
-    <!-- <param name="version">1.2.0~rc1</param> -->
+    <!-- <param name="version">1.3.1</param> -->
    <!-- Uncomment and this for regular version -->
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="versionrewrite-pattern">v(\d+).(\d+).(\d+)</param>
--- a/edge-image-builder/edge-image-builder.spec
+++ b/edge-image-builder/edge-image-builder.spec
@@ -17,7 +17,7 @@


 Name:           edge-image-builder
-Version:        1.2.1
+Version:        1.3.1
 Release:        0
 Summary:        Edge Image Builder
 License:        Apache-2.0
@@ -52,7 +52,7 @@ Requires: ca-certificates-suse
 Tool for creating and configuring a set of images to automate the deployment of Edge environments

 %prep
-%autosetup -a1 -n edge-image-builder-%{version}
+%autosetup -a1 -n edge-image-builder-%{version} -p1

 %build
 tar -xf %{SOURCE1}
--- a/1
+++ b/1
--- a/frr-image/Dockerfile
+++ b/frr-image/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: MIT
-#!BuildTag: %%IMG_PREFIX%%frr:8.5.6
-#!BuildTag: %%IMG_PREFIX%%frr:8.5.6-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%frr:10.2.1
+#!BuildTag: %%IMG_PREFIX%%frr:10.2.1-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro

@@ -14,11 +14,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="FRR Container Image"
 LABEL org.opencontainers.image.description="frr based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="8.5.6"
+LABEL org.opencontainers.image.version="10.2.1"
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%frr:8.5.6-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%frr:10.2.1-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
--- a/frr-k8s/_service
+++ b/frr-k8s/_service
@@ -2,7 +2,7 @@
 <service name="obs_scm">
    <param name="url">https://github.com/metallb/frr-k8s</param>
    <param name="scm">git</param>
-    <param name="revision">v0.0.16</param>
+    <param name="revision">v0.0.20</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
@@ -18,4 +18,4 @@
  <service name="go_modules">
  </service>
  <service mode="buildtime" name="set_version" />
-</services>
+</services>
--- a/frr-k8s/frr-k8s.spec
+++ b/frr-k8s/frr-k8s.spec
@@ -17,14 +17,14 @@


 Name:           frr-k8s
-Version:        0.0.16
-Release:        0.0.16
+Version:        0.0.20
+Release:        0.0.20
 Summary:        A kubernetes based daemonset that exposes a subset of the FRR API in a kubernetes compliant manner.
 License:        Apache-2.0
 URL:            https://github.com/metallb/frr-k8s
 Source:         frr-k8s-%{version}.tar
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}

@@ -63,4 +63,4 @@ install -D -m0755 frr-k8s %{buildroot}/frr-k8s
 /frr-metrics
 /frr-k8s

-%changelog
+%changelog
--- a/grub-aggregate/_aggregate
+++ b/grub-aggregate/_aggregate
@@ -0,0 +1,7 @@
+<aggregatelist>
+  <aggregate project="SUSE:SLFO:1.2" >
+    <binary>grub2-x86_64-efi</binary>
+    <binary>grub2-arm64-efi</binary>
+    <repository target="standard" source="standard" />
+  </aggregate>
+</aggregatelist>
--- a/hauler/_service
+++ b/hauler/_service
@@ -4,7 +4,7 @@
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="scm">git</param>
    <param name="exclude">.get</param>
-    <param name="revision">v1.2.1</param>
+    <param name="revision">v1.2.5</param>
    <param name="versionrewrite-pattern">v(.*)</param>
    <param name="changesgenerate">enable</param>
  </service>
--- a/hauler/hauler.spec
+++ b/hauler/hauler.spec
@@ -18,7 +18,7 @@
 %define project github.com/hauler-dev/hauler

 Name:           hauler
-Version:        1.2.1
+Version:        1.2.5
 Release:        0
 Summary:        Airgap Swiss Army Knife
 License:        Apache-2.0
--- a/ib-sriov-cni-image/Dockerfile
+++ b/ib-sriov-cni-image/Dockerfile
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: Apache-2.0
+#!BuildTag: %%IMG_PREFIX%%ib-sriov-cni:v%%ib-sriov-cni_version%%
+#!BuildTag: %%IMG_PREFIX%%ib-sriov-cni:v%%ib-sriov-cni_version%%-%RELEASE%
+ARG SLE_VERSION
+FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
+
+FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
+COPY --from=micro / /installroot/
+RUN zypper --installroot /installroot --non-interactive install --no-recommends ib-sriov-cni gawk which; \
+    zypper -n clean; \
+    rm -rf /var/log/*
+
+FROM micro AS final
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=com.suse.application.ib-sriov-cni
+LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
+LABEL org.opencontainers.image.title="SLE ib-sriov-cni Container Image"
+LABEL org.opencontainers.image.description="ib-sriov-cni based on the SLE Base Container Image."
+LABEL org.opencontainers.image.version="%%ib-sriov-cni_version%%"
+LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="SUSE LLC"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ib-sriov-cni:%%ib-sriov-cni_version%%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
+LABEL com.suse.eula="SUSE Combined EULA February 2024"
+LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
+LABEL com.suse.image-type="application"
+LABEL com.suse.release-stage="released"
+# endlabelprefix
+
+COPY --from=base /installroot /
+ENTRYPOINT ["/entrypoint.sh"]
--- a/ib-sriov-cni-image/_service
+++ b/ib-sriov-cni-image/_service
@@ -0,0 +1,19 @@
+<services>
+  <service name="kiwi_metainfo_helper" mode="buildtime"/>
+  <service name="docker_label_helper" mode="buildtime"/>
+  <service name="replace_using_package_version" mode="buildtime">
+    <param name="file">Dockerfile</param>
+    <param name="regex">%%ib-sriov-cni_version%%</param>
+    <param name="package">ib-sriov-cni</param>
+    <param name="parse-version">patch</param>
+  </service>
+  <service name="replace_using_env" mode="buildtime">
+    <param name="file">Dockerfile</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
+    <param name="var">IMG_PREFIX</param>
+    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
+    <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
+  </service>
+</services>
--- a/ib-sriov-cni/_service
+++ b/ib-sriov-cni/_service
@@ -0,0 +1,25 @@
+<services>
+ <service name="obs_scm">
+    <param name="url">https://github.com/k8snetworkplumbingwg/ib-sriov-cni</param>
+    <param name="scm">git</param>
+    <param name="revision">v1.3.0</param>
+    <param name="version">_auto_</param>
+    <param name="versionformat">@PARENT_TAG@</param>
+    <param name="changesgenerate">enable</param>
+    <param name="changesauthor">antonio.alarcon@suse.com</param>
+    <param name="match-tag">v*</param>
+    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
+    <param name="without-version">yes</param>
+    <param name="versionrewrite-replacement">\1</param>
+  </service>
+  <service mode="buildtime" name="tar">
+    <param name="obsinfo">ib-sriov-cni.obsinfo</param>
+  </service>
+  <service name="go_modules" />
+  <service mode="buildtime" name="set_version" />
+  <service name="replace_using_env" mode="buildtime">
+    <param name="file">ib-sriov-cni.spec</param>
+    <param name="var">SOURCE_COMMIT</param>
+    <param name="eval">SOURCE_COMMIT=$(grep commit ib-sriov-cni.obsinfo | cut -d" " -f2)</param>
+  </service>
+</services>
--- a/ib-sriov-cni/ib-sriov-cni.spec
+++ b/ib-sriov-cni/ib-sriov-cni.spec
@@ -0,0 +1,64 @@
+#
+# spec file for package ib-sriov-cni
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           ib-sriov-cni
+Version:        0
+Release:        0
+Summary:        Implements a Kubernetes CNI plugin operator for Infiniband SRIOV VFs
+License:        Apache-2.0
+URL:            https://github.com/k8snetworkplumbingwg/ib-sriov-cni
+Source:         %{name}-%{version}.tar
+Source1:        vendor.tar.gz
+BuildRequires:  golang(API) = 1.24
+ExcludeArch:    s390
+ExcludeArch:    %{ix86}
+
+%description
+Network Interface Cards (NICs) with SR-IOV capabilities are managed through physical functions (PFs) and virtual functions (VFs).
+A PF is used by the host and usually represents a single NIC port. VF configurations are applied through the PF.
+The SR-IOV CNI allows each VF to be treated as a separate network interface, assigned to a container, and configured with its own
+MAC, VLAN, IP and more.
+
+Infiniband SR-IOV CNI plugin works with Infiniband SR-IOV device plugin for VF allocation in Kubernetes. A CNI metaplugin such as Multus
+gets the allocated VF's deviceID(PCI address) and is responsible for invoking the Infiniband SR-IOV CNI plugin with that deviceID.
+
+%prep
+%autosetup -a1 -n %{name}-%{version} -p1
+
+%build
+# CGO is disabled by default in upstream Makefile:
+%define cgoenabled "0"
+# go build constrain (aka tag) "no_openssl" is set by default in upstream Makefile
+%define gotags "no_openssl"
+%define buildtime %(date +%%Y-%%m-%%dT%%H:%%M:%%S%%z)
+%define buildcommit %%SOURCE_COMMIT%%
+%define buildldflags "-X main.version=%{version} -X main.commit=%{buildcommit}% -X main.date=%{buildtime}%"
+CGO_ENABLED=%{cgoenabled} go build -mod=vendor -buildmode=pie -tags %{gotags} -ldflags %{buildldflags} -o ib-sriov cmd/ib-sriov-cni/main.go
+
+%install
+install -D -m0755 ib-sriov %{buildroot}%{_bindir}/ib-sriov
+install -D -m0755 images/entrypoint.sh %{buildroot}/entrypoint.sh
+
+
+%files
+%license LICENSE
+%doc README.md
+%{_bindir}/ib-sriov
+/entrypoint.sh
+
+%changelog
--- a/1
+++ b/1
--- a/ironic-image/Dockerfile
+++ b/ironic-image/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.1
-#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.1-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.4
+#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.4-%RELEASE%

 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -17,13 +17,19 @@ RUN /bin/prepare-efi.sh
 COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf

+RUN zypper --installroot /installroot --non-interactive install --no-recommends \
+    python3-devel python3 python3-pip \
+    python313-sushy \
+    python3-watchdog python313-ironicclient \
+    git curl sles-release tar gzip vim gawk \
+    dnsmasq dosfstools apache2 ipcalc ipmitool iproute2 \
+    bind-utils procps qemu-tools sqlite3 util-linux xorriso \
+    tftp ipxe-bootimgs crudini \
+    openstack-ironic
+
 #!ArchExclusiveLine: x86_64
 RUN if [ "$(uname -m)" = "x86_64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
-    fi
-#!ArchExclusiveLine: aarch64
-RUN if [ "$(uname -m)" = "aarch64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
+      zypper --installroot /installroot --non-interactive install --no-recommends syslinux  ; \
    fi
    
 # DATABASE
@@ -41,8 +47,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opencontainers.image.version="29.0.4.1"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.1-%RELEASE%"
+LABEL org.opencontainers.image.version="29.0.4.4"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.4-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -53,8 +59,8 @@ LABEL com.suse.release-stage="released"

 COPY --from=base /installroot /

-RUN set -euo pipefail; ln -s /usr/bin/python3.11 /usr/local/bin/python3; \
-    ln -s /usr/bin/pydoc3.11 /usr/local/bin/pydoc
+RUN set -euo pipefail; ln -s /usr/bin/python3.13 /usr/local/bin/python3; \
+    ln -s /usr/bin/pydoc3.13 /usr/local/bin/pydoc

 ENV GRUB_DIR=/tftpboot/boot/grub

@@ -88,8 +94,7 @@ RUN if [ "$(uname -m)" = "aarch64" ]; then\
      cp /usr/share/ipxe/snp-arm64.efi /tftpboot/ipxe.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp-arm64.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp.efi ;\
    fi
    
-COPY --from=base /tmp/esp-x86_64.img /tmp/uefi_esp-x86_64.img
-COPY --from=base /tmp/esp-aarch64.img /tmp/uefi_esp-arm64.img
+COPY --from=base /tmp/uefi_esp_*.img /templates/

 COPY ironic-config/ironic.conf.j2 ironic-config/network-data-schema-empty.json /etc/ironic/

--- a/ironic-image/ironic-config/apache2-vmedia.conf.j2
+++ b/ironic-image/ironic-config/apache2-vmedia.conf.j2
@@ -11,6 +11,19 @@ Listen [::]:{{ env.VMEDIA_TLS_PORT }}
    SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
    SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}

+    {% if "IRONIC_VMEDIA_TLS_12_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_12_CIPHERS %}
+    SSLCipherSuite {{ env.IRONIC_VMEDIA_TLS_12_CIPHERS }}
+    {% endif %}
+    {% if "IRONIC_VMEDIA_TLS_13_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_13_CIPHERS %}
+    SSLCipherSuite TLSv1.3 {{ env.IRONIC_VMEDIA_TLS_13_CIPHERS }}
+    {% endif %}
+    {% if "IRONIC_VMEDIA_CURVES" in env and env.IRONIC_VMEDIA_CURVES %}
+    SSLOpenSSLConfCmd Curves {{ env.IRONIC_VMEDIA_CURVES }}
+    {% endif %}
+    {% if env.IRONIC_VMEDIA_TLS_ENFORCE_SERVER_CIPHER_ORDER | lower == "true" %}
+    SSLHonorCipherOrder on
+    {% endif %}
+
    <Directory "/shared/html/">
        Options Indexes FollowSymLinks
        AllowOverride None
--- a/ironic-image/ironic-config/ironic.conf.j2
+++ b/ironic-image/ironic-config/ironic.conf.j2
@@ -91,21 +91,23 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }}
 # Power state is checked every 60 seconds and BMC activity should
 # be avoided more often than once every sixty seconds.
 send_sensor_data_interval = 160
-{% if env.VMEDIA_TLS_PORT %}
-bootloader = {{ env.IRONIC_HTTPS_VMEDIA_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img
-{% else %}
-bootloader = {{ env.IRONIC_HTTP_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img
-{% endif %}
+bootloader_by_arch = {{ env.BOOTLOADER_BY_ARCH }}
 verify_step_priority_override = management.clear_job_queue:90
 # We don't use this feature, and it creates an additional load on the database
 node_history = False
 # Provide for a timeout longer than 60 seconds for certain vendor's hardware
 power_state_change_timeout = 120
-{% if env.IRONIC_DEFAULT_KERNEL is defined %}
-deploy_kernel = file://{{ env.IRONIC_DEFAULT_KERNEL }}
+{% if env.DEPLOY_KERNEL_URL is defined %}
+deploy_kernel = {{ env.DEPLOY_KERNEL_URL }}
 {% endif %}
-{% if env.IRONIC_DEFAULT_RAMDISK is defined %}
-deploy_ramdisk = file://{{ env.IRONIC_DEFAULT_RAMDISK }}
+{% if env.DEPLOY_KERNEL_BY_ARCH is defined %}
+deploy_kernel_by_arch = {{ env.DEPLOY_KERNEL_BY_ARCH }}
+{% endif %}
+{% if env.DEPLOY_RAMDISK_URL is defined %}
+deploy_ramdisk = {{ env.DEPLOY_RAMDISK_URL }}
+{% endif %}
+{% if env.DEPLOY_RAMDISK_BY_ARCH is defined %}
+deploy_ramdisk_by_arch = {{ env.DEPLOY_RAMDISK_BY_ARCH }}
 {% endif %}
 {% if env.DISABLE_DEEP_IMAGE_INSPECTION | lower == "true" %}
 disable_deep_image_inspection = True
@@ -211,7 +213,7 @@ images_path = /shared/html/tmp
 instance_master_path = /shared/html/master_images
 tftp_master_path = /shared/tftpboot/master_images
 tftp_root = /shared/tftpboot
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
 # This makes networking boot templates generated even for nodes using local
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
@@ -224,14 +226,14 @@ ipxe_config_template = /tmp/ipxe_config.template

 [redfish]
 use_swift = false
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}

 [ilo]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
 use_web_server_for_images = true

 [irmc]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}

 [service_catalog]
 endpoint_override = {{ env.IRONIC_BASE_URL }}
--- a/ironic-image/prepare-efi.sh
+++ b/ironic-image/prepare-efi.sh
@@ -9,7 +9,7 @@ declare -A efi_arch=(

 for arch in "${!efi_arch[@]}"; do
  
-  DEST=/tmp/esp-${arch}.img
+  DEST=/tmp/uefi_esp_${arch}.img

  dd bs=1024 count=6400 if=/dev/zero of=$DEST
  mkfs.msdos -F 12 -n 'ESP_IMAGE' $DEST
--- a/ironic-image/scripts/configure-ironic.sh
+++ b/ironic-image/scripts/configure-ironic.sh
@@ -76,10 +76,41 @@ if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then
    fi
 fi

-IMAGE_CACHE_PREFIX="/shared/html/images/ironic-python-agent-${DEPLOY_ARCHITECTURE}"
-if [[ -f "${IMAGE_CACHE_PREFIX}.kernel" ]] && [[ -f "${IMAGE_CACHE_PREFIX}.initramfs" ]]; then
-    export IRONIC_DEFAULT_KERNEL="${IMAGE_CACHE_PREFIX}.kernel"
-    export IRONIC_DEFAULT_RAMDISK="${IMAGE_CACHE_PREFIX}.initramfs"
+IMAGE_CACHE_PREFIX="/shared/html/images/ironic-python-agent"
+if [[ -z "${DEPLOY_KERNEL_URL:-}" ]] && [[ -z "${DEPLOY_RAMDISK_URL:-}" ]] && \
+       [[ -f "${IMAGE_CACHE_PREFIX}.kernel" ]] && [[ -f "${IMAGE_CACHE_PREFIX}.initramfs" ]]; then
+    export DEPLOY_KERNEL_URL="file://${IMAGE_CACHE_PREFIX}.kernel"
+    export DEPLOY_RAMDISK_URL="file://${IMAGE_CACHE_PREFIX}.initramfs"
+fi
+
+declare -A detected_arch
+for var_arch in "${!DEPLOY_KERNEL_URL_@}"; do
+    IPA_ARCH="${var_arch#DEPLOY_KERNEL_URL}"
+    detected_arch["${IPA_ARCH,,}"]=1
+done
+for file_arch in "${IMAGE_CACHE_PREFIX}"_*.kernel; do
+    if [[ -f "${file_arch}" ]]; then
+        IPA_ARCH="$(basename "${file_arch#"${IMAGE_CACHE_PREFIX}"_}" .kernel)"
+        detected_arch["${IPA_ARCH}"]=1
+    fi
+done
+
+DEPLOY_KERNEL_BY_ARCH=""
+DEPLOY_RAMDISK_BY_ARCH=""
+for IPA_ARCH in "${!detected_arch[@]}"; do
+    kernel_var="DEPLOY_KERNEL_URL_${IPA_ARCH^^}"
+    ramdisk_var="DEPLOY_RAMDISK_URL_${IPA_ARCH^^}"
+    if [[ -z "${!kernel_var:-}" ]] && [[ -z "${!ramdisk_var:-}" ]] && \
+        [[ -f "${IMAGE_CACHE_PREFIX}_${IPA_ARCH}.kernel" ]] && [[ -f "${IMAGE_CACHE_PREFIX}_${IPA_ARCH}.initramfs" ]]; then
+      export "${kernel_var}"="file://${IMAGE_CACHE_PREFIX}_${IPA_ARCH}.kernel"
+      export "${ramdisk_var}"="file://${IMAGE_CACHE_PREFIX}_${IPA_ARCH}.initramfs"
+    fi
+    DEPLOY_KERNEL_BY_ARCH+="${!kernel_var:+${IPA_ARCH}:${!kernel_var},}"
+    DEPLOY_RAMDISK_BY_ARCH+="${!ramdisk_var:+${IPA_ARCH}:${!ramdisk_var},}"
+done
+if [[ -n "${DEPLOY_KERNEL_BY_ARCH}" ]] && [[ -n "${DEPLOY_RAMDISK_BY_ARCH}" ]]; then
+    export DEPLOY_KERNEL_BY_ARCH="${DEPLOY_KERNEL_BY_ARCH%?}"
+    export DEPLOY_RAMDISK_BY_ARCH="${DEPLOY_RAMDISK_BY_ARCH%?}"
 fi

 if [[ -f "${IRONIC_CONF_DIR}/ironic.conf" ]]; then
@@ -87,6 +118,13 @@ if [[ -f "${IRONIC_CONF_DIR}/ironic.conf" ]]; then
    cp "${IRONIC_CONF_DIR}/ironic.conf" "${IRONIC_CONF_DIR}/ironic.conf.orig"
 fi

+BOOTLOADER_BY_ARCH=""
+for bootloader in /templates/uefi_esp_*.img; do
+    BOOTLOADER_ARCH="$(basename "${bootloader#/templates/uefi_esp_}" .img)"
+    BOOTLOADER_BY_ARCH+="${BOOTLOADER_ARCH}:file://${bootloader},"
+done
+export BOOTLOADER_BY_ARCH="${BOOTLOADER_BY_ARCH%?}"
+
 # oslo.config also supports Config Opts From Environment, log them to stdout
 echo 'Options set from Environment variables'
 env | grep "^OS_" || true
--- a/ironic-image/scripts/ironic-common.sh
+++ b/ironic-image/scripts/ironic-common.sh
@@ -262,7 +262,7 @@ wait_for_interface_or_ip()

 render_j2_config()
 {
-    python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
+    python3.13 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
 }

 run_ironic_dbsync()
--- a/ironic-image/scripts/rundnsmasq
+++ b/ironic-image/scripts/rundnsmasq
@@ -36,7 +36,7 @@ fi
 # Template and write dnsmasq.conf
 # we template via /tmp as sed otherwise creates temp files in /etc directory
 # where we can't write
-python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/tmp/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
+python3.13 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/tmp/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"

 for iface in $(echo "$DNSMASQ_EXCEPT_INTERFACE" | tr ',' ' '); do
    sed -i -e "/^interface=.*/ a\except-interface=${iface}" "${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
--- a/ironic-image/scripts/runhttpd
+++ b/ironic-image/scripts/runhttpd
@@ -37,7 +37,6 @@ export INSPECTOR_EXTRA_ARGS

 # Copy files to shared mount
 render_j2_config /tmp/inspector.ipxe.j2 /shared/html/inspector.ipxe
-cp /tmp/uefi_esp*.img /shared/html/
 # cp -r /etc/httpd/* "${HTTPD_DIR}"
 if [[ -f "${HTTPD_CONF_DIR}/httpd.conf" ]]; then
    mv "${HTTPD_CONF_DIR}/httpd.conf" "${HTTPD_CONF_DIR}/httpd.conf.example"
--- a/ironic-image/scripts/runlogwatch.sh
+++ b/ironic-image/scripts/runlogwatch.sh
@@ -1,17 +1,32 @@
 #!/usr/bin/bash

 # Ramdisk logs path
-LOG_DIR="/shared/log/ironic/deploy"
+export LOG_DIR="/shared/log/ironic/deploy"

 mkdir -p "${LOG_DIR}"

-# shellcheck disable=SC2034
-python3.11 -m pyinotify --raw-format -e IN_CLOSE_WRITE -v "${LOG_DIR}" |
-    while read -r event dir mask maskname filename filepath pathname wd; do
-        #NOTE(elfosardo): a pyinotify event looks like this:
-        # <Event dir=False mask=0x8 maskname=IN_CLOSE_WRITE name=mylogs.gzip path=/shared/log/ironic/deploy pathname=/shared/log/ironic/deploy/mylogs.gzip wd=1 >
-        FILENAME=$(echo "${filename}" | cut -d'=' -f2-)
-        echo "************ Contents of ${LOG_DIR}/${FILENAME} ramdisk log file bundle **************"
-        tar -xOzvvf "${LOG_DIR}/${FILENAME}" | sed -e "s/^/${FILENAME}: /"
-        rm -f "${LOG_DIR}/${FILENAME}"
+# Function to process log files
+process_log_file() {
+    local FILEPATH="$1"
+    # shellcheck disable=SC2155
+    local FILENAME=$(basename "${FILEPATH}")
+
+    echo "************ Contents of ${LOG_DIR}/${FILENAME} ramdisk log file bundle **************"
+    tar -tzf "${FILEPATH}" | while read -r entry; do
+        echo "${FILENAME}: **** Entry: ${entry} ****"
+        tar -xOzf "${FILEPATH}" "${entry}" | sed -e "s/^/${FILENAME}: /"
+        echo
    done
+    rm -f "${FILEPATH}"
+}
+
+# Export the function so watchmedo can use it
+export -f process_log_file
+
+# Use watchmedo to monitor for file close events
+# shellcheck disable=SC2016
+watchmedo shell-command \
+    --patterns="*" \
+    --ignore-directories \
+    --command='if [[ "${watch_event_type}" == "closed" ]]; then process_log_file "${watch_src_path}"; fi' \
+    "${LOG_DIR}"
--- a/ironic-image/scripts/tls-common.sh
+++ b/ironic-image/scripts/tls-common.sh
@@ -105,11 +105,17 @@ configure_restart_on_certificate_update()

    if [[ "${enabled}" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
        if [[ "${service}" == httpd ]]; then
+            # shellcheck disable=SC2034
            signal="WINCH"
        fi
-        python3 -m pyinotify --raw-format -e IN_DELETE_SELF -v "${cert_file}" |
-            while read -r; do
-                pkill "-${signal}" "${service}"
-            done &
+
+        # Use watchmedo to monitor certificate file deletion
+        # shellcheck disable=SC2016
+        watchmedo shell-command \
+            --patterns="$(basename "${cert_file}")" \
+            --ignore-directories \
+            --command='if [[ "${watch_event_type}" == "deleted" ]]; then pkill -'"${signal}"' '"${service}"'; fi' \
+            "$(dirname "${cert_file}")" &
    fi
 }
+
--- a/ironic-ipa-downloader-image/Dockerfile
+++ b/ironic-ipa-downloader-image/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.8
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.10
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.10-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro

@@ -9,8 +9,6 @@ COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 ironic-ipa-ramdisk-aarch64 tar gawk curl xz zstd shadow cpio findutils

-RUN cp /usr/bin/getopt /installroot/
-
 FROM micro AS final

 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -18,11 +16,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.8"
+LABEL org.opencontainers.image.version="3.0.10"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.10-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -32,7 +30,6 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix

 COPY --from=base /installroot /
-RUN cp /getopt /usr/bin/
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/
--- a/ironic-ipa-downloader-image/Dockerfile.aarch64
+++ b/ironic-ipa-downloader-image/Dockerfile.aarch64
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.8
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.8-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.10
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.10-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro

@@ -9,8 +9,6 @@ COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-aarch64 tar gawk curl xz zstd shadow cpio findutils

-RUN cp /usr/bin/getopt /installroot/
-
 FROM micro AS final

 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -18,11 +16,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.8"
+LABEL org.opencontainers.image.version="3.0.10"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.10-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -32,7 +30,6 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix

 COPY --from=base /installroot /
-RUN cp /getopt /usr/bin/
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/
--- a/ironic-ipa-downloader-image/Dockerfile.x86_64
+++ b/ironic-ipa-downloader-image/Dockerfile.x86_64
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.8
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.8-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.10
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.10-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro

@@ -9,8 +9,6 @@ COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 tar gawk curl xz zstd shadow cpio findutils

-RUN cp /usr/bin/getopt /installroot/
-
 FROM micro AS final

 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -18,11 +16,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.8"
+LABEL org.opencontainers.image.version="3.0.10"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.10-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -32,7 +30,6 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix

 COPY --from=base /installroot /
-RUN cp /getopt /usr/bin/
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/
--- a/ironic-ipa-downloader-image/get-resource.sh
+++ b/ironic-ipa-downloader-image/get-resource.sh
@@ -29,13 +29,12 @@ if [ -z "${IPA_BASEURI}" ]; then
  # SLES BASED IPA - ironic-ipa-ramdisk-x86_64 and ironic-ipa-ramdisk-aarch64 packages
  mkdir -p /shared/html/images
  if [ -f ${IMAGES_BASE_PATH}/initrd-x86_64.zst ]; then
-    cp ${IMAGES_BASE_PATH}/initrd-x86_64.zst /shared/html/images/ironic-python-agent-x86_64.initramfs
-    cp ${IMAGES_BASE_PATH}/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent-x86_64.kernel
+    cp ${IMAGES_BASE_PATH}/initrd-x86_64.zst /shared/html/images/ironic-python-agent_x86_64.initramfs
+    cp ${IMAGES_BASE_PATH}/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent_x86_64.kernel
  fi
-  # Use arm64 as destination for iPXE compatibility
  if [ -f ${IMAGES_BASE_PATH}/initrd-aarch64.zst ]; then
-    cp ${IMAGES_BASE_PATH}/initrd-aarch64.zst /shared/html/images/ironic-python-agent-arm64.initramfs
-    cp ${IMAGES_BASE_PATH}/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent-arm64.kernel
+    cp ${IMAGES_BASE_PATH}/initrd-aarch64.zst /shared/html/images/ironic-python-agent_aarch64.initramfs
+    cp ${IMAGES_BASE_PATH}/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent_aarch64.kernel
  fi

  cp /tmp/images.sha256 /shared/images.sha256
@@ -87,8 +86,8 @@ else
      chmod 755 "$TMPDIR"
      mv "$TMPDIR" "$FILENAME-$ETAG"
      ln -sf "$FILENAME-$ETAG/$FFILENAME.headers" "$FFILENAME.headers"
-      ln -sf "$FILENAME-$ETAG/$FILENAME.initramfs" "$FILENAME-${ARCH,,}.initramfs"
-      ln -sf "$FILENAME-$ETAG/$FILENAME.kernel" "$FILENAME-${ARCH,,}.kernel"
+      ln -sf "$FILENAME-$ETAG/$FILENAME.initramfs" "${FILENAME}_${ARCH,,}.initramfs"
+      ln -sf "$FILENAME-$ETAG/$FILENAME.kernel" "${FILENAME}_${ARCH,,}.kernel"
      
      IMAGE_CHANGED=1
  else
@@ -100,7 +99,7 @@ if [ "${CERTS_CHANGED:-0}" = "1" ] || [ "${IMAGE_CHANGED:-0}" = "1" ]; then
  mkdir -p /tmp/ca/tmp-initrd && cd /tmp/ca/tmp-initrd
  mkdir -p etc/ironic-python-agent.d/ca-certs
  cp /tmp/ironic-certificates/* etc/ironic-python-agent.d/ca-certs/
-  for initramfs in /shared/html/images/ironic-python-agent-*.initramfs; do
+  for initramfs in /shared/html/images/ironic-python-agent_*.initramfs; do
    find . | cpio -o -H newc --reproducible | zstd -c >> "${initramfs}"
  done
  cp /tmp/certificates.sha256 /shared/certificates.sha256
--- a/ironic-ipa-ramdisk/config.sh
+++ b/ironic-ipa-ramdisk/config.sh
@@ -16,7 +16,7 @@ baseSetupBuildDay
 #==========================================
 # remove unneded kernel files
 #------------------------------------------
-suseStripKernel
+#suseStripKernel
 baseStripLocales en_US.utf-8 C.utf8

 #======================================
--- a/ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi
+++ b/ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi
@@ -28,68 +28,6 @@
      <source path="dir:///.build.binaries"/>
    </repository>

-    <drivers>
-        <file name="crypto/*"/>
-        <file name="drivers/acpi/*"/>
-        <file name="drivers/acpi/dock.ko"/>
-        <file name="drivers/ata/*"/>
-        <file name="drivers/block/brd.ko"/>
-        <file name="drivers/block/cciss.ko"/>
-        <file name="drivers/block/loop.ko"/>
-        <file name="drivers/block/virtio_blk.ko"/>
-        <file name="drivers/cdrom/*"/>
-        <file name="drivers/char/hw_random/virtio-rng.ko"/>
-        <file name="drivers/char/lp.ko"/>
-        <file name="drivers/char/ipmi/*"/>
-        <file name="drivers/firmware/iscsi_ibft.ko"/>
-        <file name="drivers/firmware/edd.ko"/>
-        <file name="drivers/gpu/drm/*"/>
-        <file name="drivers/hid/*"/>
-        <file name="drivers/hv/*"/>
-        <file name="drivers/hwmon/*"/>
-        <file name="drivers/ide/*"/>
-        <file name="drivers/input/keyboard/*"/>
-        <file name="drivers/input/mouse/*"/>
-        <file name="drivers/md/*"/>
-        <file name="drivers/message/fusion/*"/>
-        <file name="drivers/misc/hpilo.ko"/>
-        <file name="drivers/net/*"/>
-        <file name="drivers/parport/*"/>
-        <file name="drivers/scsi/*"/>
-        <file name="drivers/staging/hv/*"/>
-        <file name="drivers/target/*"/>
-        <file name="drivers/thermal/*"/>
-        <file name="drivers/usb/*"/>
-        <file name="drivers/virtio/*"/>
-        <file name="fs/binfmt_aout.ko"/>
-        <file name="fs/binfmt_misc.ko"/>
-        <file name="fs/overlayfs/*"/>
-        <file name="fs/btrfs/*"/>
-        <file name="fs/exportfs/*"/>
-        <file name="fs/ext4/*"/>
-        <file name="fs/fat/*"/>
-        <file name="fs/fuse/*"/>
-        <file name="fs/hfs/*"/>
-        <file name="fs/jbd2/*"/>
-        <file name="fs/nfs/*"/>
-        <file name="fs/mbcache.ko"/>
-        <file name="fs/nls/nls_cp437.ko"/>
-        <file name="fs/nls/nls_iso8859-1.ko"/>
-        <file name="fs/nls/nls_utf8.ko"/>
-        <file name="fs/quota_v1.ko"/>
-        <file name="fs/quota_v2.ko"/>
-        <file name="fs/squashfs/*"/>
-        <file name="fs/udf/*"/>
-        <file name="fs/vfat/*"/>
-        <file name="fs/xfs/*"/>
-        <file name="fs/isofs/*"/>
-        <file name="lib/crc-t10dif.ko"/>
-        <file name="lib/crc16.ko"/>
-        <file name="lib/libcrc32c.ko"/>
-        <file name="lib/zlib_deflate/zlib_deflate.ko"/>
-        <file name="net/packet/*"/>
-    </drivers>
-
    <packages type="delete">
        <package name="gpg2"/>
        <package name="libcairo2"/>
@@ -138,6 +76,7 @@
        <package name="grub2-i386-pc" arch="x86_64"/>
        <package name="grub2-x86_64-efi" arch="x86_64"/>
        <package name="grub2"/>
+        <package name="gettext-runtime"/>
        <package name="iproute2"/>
        <package name="iputils"/>
        <package name="kernel-default"/>
@@ -149,6 +88,7 @@
        <package name="timezone"/>
        <package name="which"/>
        <!-- ironic-python-agent specific -->
+        <package name="chrony"/>
        <package name="dmidecode"/>
        <package name="efibootmgr"/>
        <package name="gptfdisk"/>
@@ -157,15 +97,14 @@
        <package name="ipmitool"/>
        <package name="iputils"/>
        <package name="kbd"/>
+        <package name="krb5"/>
        <package name="lshw"/>
        <package name="lvm2"/>
        <package name="net-tools"/>
-        <package name="ntp"/>
        <package name="open-iscsi"/>
        <package name="openstack-ironic-python-agent"/>
        <package name="parted"/>
        <package name="psmisc"/>
-        <package name="python311-proliantutils"/>
        <package name="qemu-tools"/>
        <package name="timezone"/>
        <package name="which"/>
--- a/ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec
+++ b/ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec
@@ -19,7 +19,7 @@


 Name:           ironic-ipa-ramdisk
-Version:        3.0.7
+Version:        3.0.8
 Release:        0
 Summary:        Kernel and ramdisk image for OpenStack Ironic
 License:        SUSE-EULA
@@ -29,12 +29,12 @@ Source0:        config.sh
 Source10:       ironic-ipa-ramdisk.kiwi
 Source20:       root

+#!BuildIgnore:  systemd-mini
+BuildRequires: systemd
 BuildRequires:  -post-build-checks
 BuildRequires:  bash
 BuildRequires:  kiwi
-BuildRequires:  kiwi-tools
 BuildRequires:  zypper
-BuildArch:      noarch

 BuildRequires:  checkmedia
 BuildRequires:  acl
@@ -55,7 +55,6 @@ BuildRequires:  grub2-x86_64-efi
 %ifarch aarch64
 BuildRequires:  grub2-arm64-efi
 %endif
-BuildRequires:  haveged
 BuildRequires:  hdparm
 BuildRequires:  hwinfo
 BuildRequires:  ipmitool
@@ -65,7 +64,7 @@ BuildRequires:  kernel-default
 BuildRequires:  kernel-firmware-all
 BuildRequires:  lvm2
 BuildRequires:  net-tools
-BuildRequires:  ntp
+BuildRequires:  chrony
 BuildRequires:  open-iscsi
 BuildRequires:  openssh
 BuildRequires:  openstack-ironic-python-agent
@@ -77,7 +76,6 @@ BuildRequires:  pkgconfig
 BuildRequires:  Mesa-gallium
 BuildRequires:  plymouth
 BuildRequires:  plymouth-scripts
-BuildRequires:  python311-proliantutils
 BuildRequires:  psmisc
 BuildRequires:  qemu-tools
 BuildRequires:  sg3_utils
@@ -105,6 +103,9 @@ BuildRequires:  lshw
 BuildRequires:  kbd
 BuildRequires:  dmidecode
 BuildRequires:  efibootmgr
+BuildRequires:  glibc-locale
+BuildRequires:  krb5
+BuildRequires:  gettext-runtime
 %ifarch x86_64
 BuildRequires:  syslinux
 %endif
@@ -113,10 +114,9 @@ BuildRequires:  syslinux
 Kernel and ramdisk image for use with Metal3

 %package %{_arch}
+BuildArch:      noarch
 Summary:        Kernel and ramdisk image for Metal3
 Group:          System/Management
-Provides:       openstack-ironic-python-agent = %{version}
-Obsoletes:      openstack-ironic-python-agent < %{version}

 %description %{_arch}
 Kernel and ramdisk image for use with Metal3
--- a/kiwi-builder-image/Dockerfile
+++ b/kiwi-builder-image/Dockerfile
@@ -1,8 +1,8 @@
-#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.12.0-%RELEASE%
-#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.12.0
+#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.29.1-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.29.1

 # Base image version, should match the tag above
-ARG KIWIVERSION="10.2.12"
+ARG KIWIVERSION="10.2.29"
 FROM registry.suse.com/bci/kiwi:${KIWIVERSION}
 ARG KIWIVERSION

@@ -33,4 +33,6 @@ RUN mkdir -p /micro-sdk/defs
 ADD SL-Micro.kiwi /micro-sdk/defs
 ADD SL-Micro.kiwi.4096 /micro-sdk/defs
 ADD config.sh /micro-sdk/defs
+ADD disk.sh /micro-sdk/defs
 ADD editbootinstall_rpi.sh /micro-sdk/defs
+ADD editbootinstall_pine64.sh /micro-sdk/defs
--- a/kiwi-builder-image/README.build.md
+++ b/kiwi-builder-image/README.build.md
@@ -0,0 +1,28 @@
+The following files are coming from _upstream_ https://build.opensuse.org/package/show/SUSE:SLFO:Products:SL-Micro:6.2/SL-Micro :
+
+* SL-Micro.kiwi
+* disk.sh
+* config.sh
+* editbootinstall_pine64.sh
+* editbootinstall_rpi.sh
+
+Those can be downloaded as:
+
+```
+curl -LO https://src.suse.de/products/SL-Micro/raw/branch/6.2/SL-Micro/SL-Micro.kiwi
+```
+
+The SL-Micro.kiwi file needs to be modified to append a few packages on the bootstrap stanza to be able to generate images with no SSL errors:
+
+```
+     <packages type="bootstrap">
+         <package name="filesystem"/>
+        <package name="coreutils"/>
+        <package name="ca-certificates"/>
+        <package name="ca-certificates-mozilla"/>
+     </packages>
+```
+
+The SL-Micro.kiwi.4096 file needs to be modified to modify the `target_blocksize="4096"` where appropiate.
+
+All the other files are used verbatim.
--- a/kiwi-builder-image/SL-Micro.kiwi
+++ b/kiwi-builder-image/SL-Micro.kiwi
@@ -30,16 +30,13 @@
        <profile name="x86-self_install" description="Raw disk for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
-        <profile name="aarch64" description="Raw disk for aarch64 - uEFI" arch="aarch64">
-            <requires profile="bootloader"/>
-        </profile>
        <profile name="aarch64-self_install" description="Raw disk for aarch64" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-rt" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
-        <profile name="aarch64-rt-rpi" description="Raw disk for aarch64 with RT kernel on Raspberry Pi" arch="aarch64">
+        <profile name="aarch64-rt-encrypted" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-rt-self_install" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
@@ -60,6 +57,15 @@
        <profile name="rpi" description="Raw disk for Raspberry Pi" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
+        <profile name="rpi-self_install" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="aarch64" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="aarch64-encrypted" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
        <profile name="x86-qcow" description="qcow2 for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
@@ -89,6 +95,15 @@
        </profile>
        <profile name="ppc64le-4096ss-self_install" description="Raw disk for PPc64 - 4096 sector size" arch="ppc64le">
            <requires profile="bootloader"/>
+        </profile> 
+       	<profile name="aarch64-64kb" description="Build 64K page size aarch64 images" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+       	<profile name="aarch64-64kb-encrypted" description="Build 64K page size aarch64 images" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+       	<profile name="aarch64-64kb-self_install" description="Build 64K page size aarch64 images" arch="aarch64">
+            <requires profile="bootloader"/>
        </profile>
        <!-- Images (flavor + platform) -->
        <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
@@ -154,18 +169,10 @@
            <requires profile="full"/>
            <requires profile="aarch64"/>
        </profile>
-        <profile name="Default-RPi" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="aarch64">
-            <requires profile="full"/>
-            <requires profile="rpi"/>
-        </profile>
        <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64"/>
        </profile>
-        <profile name="Base-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
-            <requires profile="container-host"/>
-            <requires profile="rpi"/>
-        </profile>
        <profile name="Base-RT" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-rt"/>
@@ -179,10 +186,6 @@
            <requires profile="container-host"/>
            <requires profile="aarch64-rt"/>
        </profile>
-        <profile name="Base-RT-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
-            <requires profile="container-host"/>
-            <requires profile="aarch64-rt-rpi"/>
-        </profile>
        <profile name="Base-RT-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-rt-self_install"/>
@@ -277,10 +280,42 @@
            <requires profile="ppc64le-4096ss-self_install"/>
            <requires profile="self_install"/>
        </profile>
+	<profile name="Default-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-64kb-self_install"/>
+        </profile>
+	<profile name="Base-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-64kb-self_install"/>
+        </profile>
+	<profile name="Default-64kb" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-64kb"/>
+        </profile>
+	<profile name="Base-64kb" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-64kb"/>
+        </profile>
+	<profile name="Default-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-64kb-encrypted"/>
+        </profile>
+	<profile name="Base-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-64kb-encrypted"/>
+        </profile>
+	<profile name="RaspberryPi-SelfInstall" description="SL Micro for Rapsberry Pi" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="rpi-self_install"/>
+        </profile>
+	<profile name="RaspberryPi" description="SL Micro for Raspberry Pi" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="rpi"/>
+        </profile>
    </profiles>

    <preferences profiles="x86-encrypted,x86-rt-encrypted">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -291,7 +326,8 @@
            initrd_system="dracut"
            filesystem="btrfs"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -323,7 +359,7 @@
        </type>
    </preferences>
    <preferences profiles="x86,x86-rt">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -334,7 +370,8 @@
            initrd_system="dracut"
            filesystem="btrfs"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -359,7 +396,7 @@
    </preferences>

    <preferences profiles="x86-self_install,x86-rt-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -374,7 +411,8 @@
            installboot="install"
            install_continue_on_timeout="false"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -397,9 +435,8 @@
            </systemdisk>
        </type>
    </preferences>
-
-    <preferences profiles="rpi,aarch64-rt-rpi">
-        <version>6.1</version>
+    <preferences profiles="aarch64,aarch64-rt,aarch64-64kb">
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -414,11 +451,96 @@
            install_continue_on_timeout="false"
            fsmountoptions="noatime"
            firmware="uefi"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
+            bootpartition="false"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="false"
+            disk_start_sector="8192"
+        >
+            <bootloader name="grub2" console="gfxterm" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+    <preferences profiles="aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
+        <version>6.2</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            fsmountoptions="noatime"
+            firmware="uefi"
+            efipartsize="512"
+            kernelcmdline="security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
+            bootpartition="false"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="false"
+            disk_start_sector="8192"
+            luks_version="luks2"
+            luks="1234"
+	    luks_randomize="false"
+	    luks_pbkdf="pbkdf2"
+        >
+            <luksformat>
+                <option name="--cipher" value="aes-xts-plain64"/>
+            </luksformat>
+            <bootloader name="grub2" console="gfxterm" use_disk_password="true" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+    <preferences profiles="rpi">
+        <version>6.2</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            fsmountoptions="noatime"
+            firmware="uefi"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
-            efipartsize="128"
            editbootinstall="editbootinstall_rpi.sh"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="false"
@@ -438,9 +560,8 @@
            </systemdisk>
        </type>
    </preferences>
-
-    <preferences profiles="aarch64,aarch64-rt">
-        <version>6.1</version>
+    <preferences profiles="aarch64-self_install,aarch64-rt-self_install,aarch64-64kb-self_install">
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -450,19 +571,20 @@
            image="oem"
            initrd_system="dracut"
            installiso="true"
+            installpxe="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
-            fsmountoptions="noatime"
            firmware="uefi"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
+            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
-            efipartsize="128"
            btrfs_root_is_readonly_snapshot="true"
-            btrfs_quota_groups="false"
-            disk_start_sector="4096"
+            btrfs_quota_groups="true"
+            disk_start_sector="8192"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
@@ -478,8 +600,8 @@
            </systemdisk>
        </type>
    </preferences>
-    <preferences profiles="aarch64-self_install,aarch64-rt-self_install">
-        <version>6.1</version>
+    <preferences profiles="rpi-self_install">
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -494,13 +616,14 @@
            installboot="install"
            install_continue_on_timeout="false"
            firmware="uefi"
-            efipartsize="128"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
+            editbootinstall="editbootinstall_rpi.sh"
            btrfs_quota_groups="true"
            disk_start_sector="4096"
        >
@@ -520,7 +643,7 @@
    </preferences>

    <preferences profiles="s390-kvm">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -558,7 +681,7 @@


    <preferences profiles="s390-dasd">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -596,7 +719,7 @@


    <preferences profiles="s390-fba">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -631,7 +754,7 @@
    </preferences>

    <preferences profiles="s390-fcp">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -670,7 +793,7 @@
    </preferences>

    <preferences profiles="x86-vmware">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -681,6 +804,7 @@
            filesystem="btrfs"
            format="vmdk"
            firmware="uefi"
+            efipartsize="512"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -701,11 +825,11 @@
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">24</size>
-            <machine memory="1024" HWversion="10" guestOS="suse-64"/>
+            <machine memory="1024" HWversion="17" guestOS="suse-64"/>
        </type>
    </preferences>
    <preferences profiles="x86-qcow">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -716,7 +840,8 @@
            format="qcow2"
            filesystem="btrfs"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -740,9 +865,9 @@
            <size unit="G">32</size>
        </type>
    </preferences>
-
+ 
    <preferences profiles="aarch64-qcow">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -753,8 +878,8 @@
            format="qcow2"
            filesystem="btrfs"
            firmware="uefi"
-            efipartsize="128"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
+            efipartsize="512"     
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -765,7 +890,7 @@
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
@@ -777,7 +902,7 @@
    </preferences>

    <preferences profiles="ppc64le-512ss">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -788,7 +913,7 @@
            image="oem"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -800,7 +925,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -810,7 +935,7 @@
        </type>
    </preferences>
    <preferences profiles="ppc64le-4096ss">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -824,7 +949,7 @@
            target_blocksize="4096"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -836,7 +961,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -847,7 +972,7 @@
    </preferences>

    <preferences profiles="ppc64le-512ss-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -860,7 +985,7 @@
            installpxe="true"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -877,7 +1002,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -887,7 +1012,7 @@
        </type>
    </preferences>
    <preferences profiles="ppc64le-4096ss-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -903,7 +1028,7 @@
            target_blocksize="4096"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -920,7 +1045,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -936,20 +1061,17 @@
    </repository>

    <packages type="image" profiles="full">
-        <namedCollection name="base_transactional"/>
-        <package name="patterns-base-transactional"/>
-        <namedCollection name="salt_minion"/>
-	<package name="patterns-base-salt_minion"/>
+        <namedCollection name="transactional_base"/>
+        <package name="patterns-base-transactional_base"/>
        <namedCollection name="kvm_host"/>
-	<package name="patterns-base-kvm_host"/>
+	<package name="patterns-micro-kvm_host"/>
 	<package name="lzop"/>
        <namedCollection name="container_runtime_podman"/>
-        <package name="patterns-container-runtime_podman"/>
+        <package name="patterns-container-runtime_podman"/> 
        <namedCollection name="cockpit"/>
-        <package name="patterns-base-cockpit"/>
+        <package name="patterns-cockpit"/>
        <namedCollection name="selinux"/>
        <package name="patterns-base-selinux"/>
-        <package name="policycoreutils-python-utils"/>
        <package name="suseconnect-ng"/>
        <package name="SL-Micro-release"/>
        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -959,7 +1081,7 @@
 	<package name="libpwquality-tools"/>
    </packages>

-    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted">
+    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted,aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
        <!-- full disk encryption stuff -->
        <package name="device-mapper"/>
        <package name="cryptsetup"/>
@@ -972,13 +1094,12 @@
    </packages>

    <packages type="image" profiles="container-host">
-        <namedCollection name="base_transactional"/>
-        <package name="patterns-base-transactional"/>
+        <namedCollection name="transactional_base"/>
+        <package name="patterns-base-transactional_base"/>
        <namedCollection name="container_runtime_podman"/>
        <package name="patterns-container-runtime_podman"/>
        <namedCollection name="selinux"/>
        <package name="patterns-base-selinux"/>
-        <package name="policycoreutils-python-utils"/>
        <package name="suseconnect-ng"/>
        <package name="SL-Micro-release"/>
        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -1002,16 +1123,16 @@
 	<package name="jeos-firstboot"/>
    </packages>

-    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow">
+    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow,ppc64le-512ss,ppc64le-4096ss,s390-dasd,s390-fcp">
        <package name="cloud-init"/>
        <package name="cloud-init-config-suse"/>
    </packages>

    <packages type="image">
-        <namedCollection name="base_transactional"/>
-        <package name="patterns-base-transactional"/>
+        <namedCollection name="transactional_base"/>
+        <package name="patterns-base-transactional_base"/>
        <namedCollection name="hardware"/>
-        <package name="patterns-base-hardware"/>
+        <package name="patterns-micro-hardware"/>
        <package name="grub2"/>
        <package name="glibc-locale-base"/>
        <package name="ca-certificates"/>
@@ -1030,9 +1151,10 @@
        <package name="NetworkManager"/>
        <package name="NetworkManager-branding-SLE"/>
 	<package name="ModemManager"/>
-	<!-- FIXME does not build without control file which is obsolete
+	<!-- FIXME does not build without control file which is obsolete 
 	<package name="live-add-yast-repos"/> -->
 	<package name="parted"/> <!-- seems missing to deploy the image -->
+	<package name="iptables"/> <!-- needed by RKE2 -->
    </packages>

    <packages type="image" profiles="bootloader">
@@ -1049,14 +1171,18 @@
 	    <package name="kpartx" arch="s390x"/>--> <!-- previous releases picked it always, now kiwi picks partx instead -->
    </packages>
    <!-- rpi kernel-default-base does not provide all necessary drivers -->
-    <packages type="image" profiles="rpi,aarch64-self_install,x86,x86-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
+    <packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,x86,x86-encrypted,aarch64-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
        <package name="kernel-default"/>
        <package name="kernel-firmware-all"/>
    </packages>
-    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
+    <packages type="image" profiles="aarch64-64kb,aarch64-64kb-encrypted,aarch64-64kb-self_install">
+        <package name="kernel-64kb"/>
+        <package name="kernel-firmware-all"/>
+    </packages>
+    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
        <package name="kernel-rt"/>
        <package name="kernel-firmware-all"/>
-	<!-- FIXME intentionally removed from ALP code stream
+	<!-- FIXME intentionally removed from ALP code stream 
        <package name="cpuset"/> -->
    </packages>
    <packages type="image" profiles="s390-kvm,s390-dasd,s390-fba,s390-fcp">
@@ -1068,17 +1194,18 @@
    <packages type="image" profiles="s390-fcp">
        <package name="multipath-tools"/>
    </packages>
-    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64,aarch64-qcow,rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
+    <!-- "oem" images uses kiwi for partition/fs resize (-repart) and SelfInstall images in addition for deployment (-dump). -->
+    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64-qcow,aarch64,aarch64-encrypted,aarch64-64kb-encrypted,rpi,rpi-self_install,aarch64-self_install,aarch64-64kb,aarch64-64kb-self_install,aarch64-rt,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
        <package name="dracut-kiwi-oem-repart"/>
        <package name="dracut-kiwi-oem-dump"/>
    </packages>
-    <packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
+    <packages type="image" profiles="rpi,rpi-self_install">
        <package name="raspberrypi-firmware" arch="aarch64"/>
        <package name="raspberrypi-firmware-config" arch="aarch64"/>
        <package name="raspberrypi-firmware-dt" arch="aarch64"/>
        <package name="u-boot-rpiarm64" arch="aarch64"/>
    </packages>
-    <packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-self_install">
+    <packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,aarch64-rt,aarch64-64kb,aarch64-rt-self_install,aarch64-encrypted,aarch64-rt-encrypted,aarchte-64kb-encrypted">
        <package name="dracut-kiwi-oem-repart"/>
        <package name="bcm43xx-firmware"/>
        <package name="wireless-regdb"/>
@@ -1086,6 +1213,7 @@
        <package name="wpa_supplicant"/>
        <package name="grub2-arm64-efi"/>
    </packages>
+    <!-- NOTE(edge): Added coreutils, ca-certificates and ca-certificates-mozilla to prevent SSL errors when building the images -->
    <packages type="bootstrap">
        <package name="filesystem"/>
        <package name="coreutils"/>
@@ -1102,14 +1230,15 @@
    <packages type="image" profiles="x86-qcow,aarch64-qcow">
        <package name="qemu-guest-agent"/>
    </packages>
-
+    
    <!-- jsc#PED-8599 -->
-    <packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096">
+    <packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096,Base-64kb-encrypted,Default-64kb-encrypted">
        <package name="usbguard"/>
    </packages>

    <!-- jsc#PED-8788 -->
-    <packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-self_install">
+    <packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
        <package name="stalld"/>
    </packages>
 </image>
+
--- a/kiwi-builder-image/SL-Micro.kiwi.4096
+++ b/kiwi-builder-image/SL-Micro.kiwi.4096
@@ -30,16 +30,13 @@
        <profile name="x86-self_install" description="Raw disk for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
-        <profile name="aarch64" description="Raw disk for aarch64 - uEFI" arch="aarch64">
-            <requires profile="bootloader"/>
-        </profile>
        <profile name="aarch64-self_install" description="Raw disk for aarch64" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-rt" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
-        <profile name="aarch64-rt-rpi" description="Raw disk for aarch64 with RT kernel on Raspberry Pi" arch="aarch64">
+        <profile name="aarch64-rt-encrypted" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-rt-self_install" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
@@ -60,6 +57,15 @@
        <profile name="rpi" description="Raw disk for Raspberry Pi" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
+        <profile name="rpi-self_install" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="aarch64" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+        <profile name="aarch64-encrypted" description="Raw disk for Raspberry Pi" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
        <profile name="x86-qcow" description="qcow2 for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
@@ -89,6 +95,15 @@
        </profile>
        <profile name="ppc64le-4096ss-self_install" description="Raw disk for PPc64 - 4096 sector size" arch="ppc64le">
            <requires profile="bootloader"/>
+        </profile> 
+       	<profile name="aarch64-64kb" description="Build 64K page size aarch64 images" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+       	<profile name="aarch64-64kb-encrypted" description="Build 64K page size aarch64 images" arch="aarch64">
+            <requires profile="bootloader"/>
+        </profile>
+       	<profile name="aarch64-64kb-self_install" description="Build 64K page size aarch64 images" arch="aarch64">
+            <requires profile="bootloader"/>
        </profile>
        <!-- Images (flavor + platform) -->
        <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
@@ -154,18 +169,10 @@
            <requires profile="full"/>
            <requires profile="aarch64"/>
        </profile>
-        <profile name="Default-RPi" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="aarch64">
-            <requires profile="full"/>
-            <requires profile="rpi"/>
-        </profile>
        <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64"/>
        </profile>
-        <profile name="Base-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
-            <requires profile="container-host"/>
-            <requires profile="rpi"/>
-        </profile>
        <profile name="Base-RT" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-rt"/>
@@ -179,10 +186,6 @@
            <requires profile="container-host"/>
            <requires profile="aarch64-rt"/>
        </profile>
-        <profile name="Base-RT-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
-            <requires profile="container-host"/>
-            <requires profile="aarch64-rt-rpi"/>
-        </profile>
        <profile name="Base-RT-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-rt-self_install"/>
@@ -277,21 +280,55 @@
            <requires profile="ppc64le-4096ss-self_install"/>
            <requires profile="self_install"/>
        </profile>
+	<profile name="Default-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-64kb-self_install"/>
+        </profile>
+	<profile name="Base-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-64kb-self_install"/>
+        </profile>
+	<profile name="Default-64kb" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-64kb"/>
+        </profile>
+	<profile name="Base-64kb" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-64kb"/>
+        </profile>
+	<profile name="Default-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="aarch64-64kb-encrypted"/>
+        </profile>
+	<profile name="Base-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
+            <requires profile="container-host"/>
+            <requires profile="aarch64-64kb-encrypted"/>
+        </profile>
+	<profile name="RaspberryPi-SelfInstall" description="SL Micro for Rapsberry Pi" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="rpi-self_install"/>
+        </profile>
+	<profile name="RaspberryPi" description="SL Micro for Raspberry Pi" arch="aarch64">
+            <requires profile="full"/>
+            <requires profile="rpi"/>
+        </profile>
    </profiles>

    <preferences profiles="x86-encrypted,x86-rt-encrypted">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
+        <!--  NOTE: Added 4096 support here -->
        <type
            image="oem"
            initrd_system="dracut"
            filesystem="btrfs"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -301,9 +338,8 @@
            luks_version="luks2"
            luks="1234"
 	    luks_randomize="false"
-	    luks_pbkdf="pbkdf2"
+			luks_pbkdf="pbkdf2"
            target_blocksize="4096"
-            efipartsize="200"
        >
            <luksformat>
                <option name="--cipher" value="aes-xts-plain64"/>
@@ -325,18 +361,20 @@
        </type>
    </preferences>
    <preferences profiles="x86,x86-rt">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
+        <!--  NOTE: Added 4096 support here -->
        <type
            image="oem"
            initrd_system="dracut"
            filesystem="btrfs"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -344,7 +382,6 @@
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
            target_blocksize="4096"
-            efipartsize="200"
        >
    	    <bootloader name="grub2" console="gfxterm" timeout="3"/>
            <systemdisk>
@@ -363,12 +400,13 @@
    </preferences>

    <preferences profiles="x86-self_install,x86-rt-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
+        <!--  NOTE: Added 4096 support here -->
        <type
            image="oem"
            initrd_system="dracut"
@@ -378,7 +416,8 @@
            installboot="install"
            install_continue_on_timeout="false"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -386,7 +425,6 @@
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
            target_blocksize="4096"
-            efipartsize="200"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
@@ -403,9 +441,97 @@
            </systemdisk>
        </type>
    </preferences>
-
-    <preferences profiles="rpi,aarch64-rt-rpi">
-        <version>6.1</version>
+    <preferences profiles="aarch64,aarch64-rt,aarch64-64kb">
+        <version>6.2</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <!--  NOTE: Added 4096 support here -->
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            fsmountoptions="noatime"
+            firmware="uefi"
+            efipartsize="512"
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
+            bootpartition="false"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="false"
+            disk_start_sector="8192"
+            target_blocksize="4096"
+        >
+            <bootloader name="grub2" console="gfxterm" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+    <preferences profiles="aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
+        <version>6.2</version>
+        <packagemanager>zypper</packagemanager>
+        <bootsplash-theme>SLE</bootsplash-theme>
+        <bootloader-theme>SLE</bootloader-theme>
+        <rpm-excludedocs>true</rpm-excludedocs>
+        <locale>en_US</locale>
+        <!--  NOTE: Added 4096 support here -->
+        <type
+            image="oem"
+            initrd_system="dracut"
+            installiso="true"
+            filesystem="btrfs"
+            installboot="install"
+            install_continue_on_timeout="false"
+            fsmountoptions="noatime"
+            firmware="uefi"
+            efipartsize="512"
+            kernelcmdline="security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
+            bootpartition="false"
+            devicepersistency="by-uuid"
+            btrfs_root_is_snapshot="true"
+            btrfs_root_is_readonly_snapshot="true"
+            btrfs_quota_groups="false"
+            disk_start_sector="8192"
+            luks_version="luks2"
+            luks="1234"
+	    luks_randomize="false"
+	    luks_pbkdf="pbkdf2"
+            target_blocksize="4096"
+        >
+            <luksformat>
+                <option name="--cipher" value="aes-xts-plain64"/>
+            </luksformat>
+            <bootloader name="grub2" console="gfxterm" use_disk_password="true" timeout="3" />
+            <systemdisk>
+                <volume name="home"/>
+                <volume name="root"/>
+                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
+                <volume name="opt"/>
+                <volume name="srv"/>
+                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
+                <volume name="boot/writable"/>
+                <volume name="usr/local"/>
+                <volume name="var" copy_on_write="false"/>
+            </systemdisk>
+        </type>
+    </preferences>
+    <preferences profiles="rpi">
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -420,11 +546,11 @@
            install_continue_on_timeout="false"
            fsmountoptions="noatime"
            firmware="uefi"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
-            efipartsize="128"
            editbootinstall="editbootinstall_rpi.sh"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="false"
@@ -444,31 +570,33 @@
            </systemdisk>
        </type>
    </preferences>
-
-    <preferences profiles="aarch64,aarch64-rt">
-        <version>6.1</version>
+    <preferences profiles="aarch64-self_install,aarch64-rt-self_install,aarch64-64kb-self_install">
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
+        <!--  NOTE: Added 4096 support here -->
        <type
            image="oem"
            initrd_system="dracut"
            installiso="true"
+            installpxe="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
-            fsmountoptions="noatime"
            firmware="uefi"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
+            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
-            efipartsize="128"
            btrfs_root_is_readonly_snapshot="true"
-            btrfs_quota_groups="false"
-            disk_start_sector="4096"
+            btrfs_quota_groups="true"
+            disk_start_sector="8192"
+            target_blocksize="4096"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
@@ -484,8 +612,8 @@
            </systemdisk>
        </type>
    </preferences>
-    <preferences profiles="aarch64-self_install,aarch64-rt-self_install">
-        <version>6.1</version>
+    <preferences profiles="rpi-self_install">
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -500,13 +628,14 @@
            installboot="install"
            install_continue_on_timeout="false"
            firmware="uefi"
-            efipartsize="128"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
+            editbootinstall="editbootinstall_rpi.sh"
            btrfs_quota_groups="true"
            disk_start_sector="4096"
        >
@@ -526,7 +655,7 @@
    </preferences>

    <preferences profiles="s390-kvm">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -564,7 +693,7 @@


    <preferences profiles="s390-dasd">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -602,7 +731,7 @@


    <preferences profiles="s390-fba">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -637,7 +766,7 @@
    </preferences>

    <preferences profiles="s390-fcp">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -676,7 +805,7 @@
    </preferences>

    <preferences profiles="x86-vmware">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -687,6 +816,7 @@
            filesystem="btrfs"
            format="vmdk"
            firmware="uefi"
+            efipartsize="512"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -707,11 +837,11 @@
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">24</size>
-            <machine memory="1024" HWversion="10" guestOS="suse-64"/>
+            <machine memory="1024" HWversion="17" guestOS="suse-64"/>
        </type>
    </preferences>
    <preferences profiles="x86-qcow">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -722,15 +852,14 @@
            format="qcow2"
            filesystem="btrfs"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
+            efipartsize="512"
+            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
-            target_blocksize="4096"
-            efipartsize="200"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
@@ -748,9 +877,9 @@
            <size unit="G">32</size>
        </type>
    </preferences>
-
+ 
    <preferences profiles="aarch64-qcow">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -761,8 +890,8 @@
            format="qcow2"
            filesystem="btrfs"
            firmware="uefi"
-            efipartsize="128"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
+            efipartsize="512"     
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -773,7 +902,7 @@
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
@@ -785,7 +914,7 @@
    </preferences>

    <preferences profiles="ppc64le-512ss">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -796,7 +925,7 @@
            image="oem"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -808,7 +937,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -818,7 +947,7 @@
        </type>
    </preferences>
    <preferences profiles="ppc64le-4096ss">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -832,7 +961,7 @@
            target_blocksize="4096"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -844,7 +973,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -855,7 +984,7 @@
    </preferences>

    <preferences profiles="ppc64le-512ss-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -868,7 +997,7 @@
            installpxe="true"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -885,7 +1014,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -895,7 +1024,7 @@
        </type>
    </preferences>
    <preferences profiles="ppc64le-4096ss-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -911,7 +1040,7 @@
            target_blocksize="4096"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -928,7 +1057,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -944,20 +1073,17 @@
    </repository>

    <packages type="image" profiles="full">
-        <namedCollection name="base_transactional"/>
-        <package name="patterns-base-transactional"/>
-        <namedCollection name="salt_minion"/>
-	<package name="patterns-base-salt_minion"/>
+        <namedCollection name="transactional_base"/>
+        <package name="patterns-base-transactional_base"/>
        <namedCollection name="kvm_host"/>
-	<package name="patterns-base-kvm_host"/>
+	<package name="patterns-micro-kvm_host"/>
 	<package name="lzop"/>
        <namedCollection name="container_runtime_podman"/>
-        <package name="patterns-container-runtime_podman"/>
+        <package name="patterns-container-runtime_podman"/> 
        <namedCollection name="cockpit"/>
-        <package name="patterns-base-cockpit"/>
+        <package name="patterns-cockpit"/>
        <namedCollection name="selinux"/>
        <package name="patterns-base-selinux"/>
-        <package name="policycoreutils-python-utils"/>
        <package name="suseconnect-ng"/>
        <package name="SL-Micro-release"/>
        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -967,7 +1093,7 @@
 	<package name="libpwquality-tools"/>
    </packages>

-    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted">
+    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted,aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
        <!-- full disk encryption stuff -->
        <package name="device-mapper"/>
        <package name="cryptsetup"/>
@@ -980,13 +1106,12 @@
    </packages>

    <packages type="image" profiles="container-host">
-        <namedCollection name="base_transactional"/>
-        <package name="patterns-base-transactional"/>
+        <namedCollection name="transactional_base"/>
+        <package name="patterns-base-transactional_base"/>
        <namedCollection name="container_runtime_podman"/>
        <package name="patterns-container-runtime_podman"/>
        <namedCollection name="selinux"/>
        <package name="patterns-base-selinux"/>
-        <package name="policycoreutils-python-utils"/>
        <package name="suseconnect-ng"/>
        <package name="SL-Micro-release"/>
        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -1010,16 +1135,16 @@
 	<package name="jeos-firstboot"/>
    </packages>

-    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow">
+    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow,ppc64le-512ss,ppc64le-4096ss,s390-dasd,s390-fcp">
        <package name="cloud-init"/>
        <package name="cloud-init-config-suse"/>
    </packages>

    <packages type="image">
-        <namedCollection name="base_transactional"/>
-        <package name="patterns-base-transactional"/>
+        <namedCollection name="transactional_base"/>
+        <package name="patterns-base-transactional_base"/>
        <namedCollection name="hardware"/>
-        <package name="patterns-base-hardware"/>
+        <package name="patterns-micro-hardware"/>
        <package name="grub2"/>
        <package name="glibc-locale-base"/>
        <package name="ca-certificates"/>
@@ -1038,9 +1163,10 @@
        <package name="NetworkManager"/>
        <package name="NetworkManager-branding-SLE"/>
 	<package name="ModemManager"/>
-	<!-- FIXME does not build without control file which is obsolete
+	<!-- FIXME does not build without control file which is obsolete 
 	<package name="live-add-yast-repos"/> -->
 	<package name="parted"/> <!-- seems missing to deploy the image -->
+	<package name="iptables"/> <!-- needed by RKE2 -->
    </packages>

    <packages type="image" profiles="bootloader">
@@ -1057,14 +1183,18 @@
 	    <package name="kpartx" arch="s390x"/>--> <!-- previous releases picked it always, now kiwi picks partx instead -->
    </packages>
    <!-- rpi kernel-default-base does not provide all necessary drivers -->
-    <packages type="image" profiles="rpi,aarch64-self_install,x86,x86-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
+    <packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,x86,x86-encrypted,aarch64-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
        <package name="kernel-default"/>
        <package name="kernel-firmware-all"/>
    </packages>
-    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
+    <packages type="image" profiles="aarch64-64kb,aarch64-64kb-encrypted,aarch64-64kb-self_install">
+        <package name="kernel-64kb"/>
+        <package name="kernel-firmware-all"/>
+    </packages>
+    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
        <package name="kernel-rt"/>
        <package name="kernel-firmware-all"/>
-	<!-- FIXME intentionally removed from ALP code stream
+	<!-- FIXME intentionally removed from ALP code stream 
        <package name="cpuset"/> -->
    </packages>
    <packages type="image" profiles="s390-kvm,s390-dasd,s390-fba,s390-fcp">
@@ -1076,17 +1206,18 @@
    <packages type="image" profiles="s390-fcp">
        <package name="multipath-tools"/>
    </packages>
-    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64,aarch64-qcow,rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
+    <!-- "oem" images uses kiwi for partition/fs resize (-repart) and SelfInstall images in addition for deployment (-dump). -->
+    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64-qcow,aarch64,aarch64-encrypted,aarch64-64kb-encrypted,rpi,rpi-self_install,aarch64-self_install,aarch64-64kb,aarch64-64kb-self_install,aarch64-rt,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
        <package name="dracut-kiwi-oem-repart"/>
        <package name="dracut-kiwi-oem-dump"/>
    </packages>
-    <packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
+    <packages type="image" profiles="rpi,rpi-self_install">
        <package name="raspberrypi-firmware" arch="aarch64"/>
        <package name="raspberrypi-firmware-config" arch="aarch64"/>
        <package name="raspberrypi-firmware-dt" arch="aarch64"/>
        <package name="u-boot-rpiarm64" arch="aarch64"/>
    </packages>
-    <packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-self_install">
+    <packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,aarch64-rt,aarch64-64kb,aarch64-rt-self_install,aarch64-encrypted,aarch64-rt-encrypted,aarchte-64kb-encrypted">
        <package name="dracut-kiwi-oem-repart"/>
        <package name="bcm43xx-firmware"/>
        <package name="wireless-regdb"/>
@@ -1094,6 +1225,7 @@
        <package name="wpa_supplicant"/>
        <package name="grub2-arm64-efi"/>
    </packages>
+    <!-- NOTE(edge): Added coreutils, ca-certificates and ca-certificates-mozilla to prevent SSL errors when building the images -->
    <packages type="bootstrap">
        <package name="filesystem"/>
        <package name="coreutils"/>
@@ -1110,14 +1242,15 @@
    <packages type="image" profiles="x86-qcow,aarch64-qcow">
        <package name="qemu-guest-agent"/>
    </packages>
-
+    
    <!-- jsc#PED-8599 -->
-    <packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096">
+    <packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096,Base-64kb-encrypted,Default-64kb-encrypted">
        <package name="usbguard"/>
    </packages>

    <!-- jsc#PED-8788 -->
-    <packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-self_install">
+    <packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
        <package name="stalld"/>
    </packages>
 </image>
+
--- a/kiwi-builder-image/build-image.sh
+++ b/kiwi-builder-image/build-image.sh
@@ -28,7 +28,7 @@ LARGEBLOCK=false
 usage(){
  cat <<-EOF
  =====================================
-  SUSE Linux Micro 6.1 Kiwi SDK Builder
+  SUSE Linux Micro 6.2 Kiwi SDK Builder
  =====================================

  Usage: ${0} [-p <profile>] [-b]
@@ -36,13 +36,12 @@ usage(){
  Profile Options (-p):
  * Default: RAW Disk Image with default packages (incl. Podman & KVM)
  * Default-SelfInstall: SelfInstall ISO with default packages
-  * Default-RPi: RAW Disk Image for Raspberry Pi (aarch64 only with MBR)
  * Base: RAW Disk Image with reduced package set (no KVM)
  * Base-SelfInstall: SelfInstall ISO with reduced packages
  * Base-RT: RAW Disk Image with reduced packages and kernel-rt
  * Base-RT-SelfInstall: SelfInstall ISO with reduced packages and kernel-rt
-  * Base-RT-RPi: RAW Disk image for Raspberry Pi with kernel-rt (aarch64 only with MBR)
-  * Base-RPi: RAW Disk Image for Raspberry Pi with reduced packages (aarch64 only with MBR)
+  * RaspberryPi: RAW Disk Image for Raspberry Pi with default packages (aarch64 only with MBR)
+  * RaspberryPi-SelfInstall: SelfInstall ISO for Raspberry Pi with default packages (aarch64 only with MBR)

  4096 Blocksize (-b): If specified, use a 4096 blocksize (rather than 512) when generating the image.

@@ -83,14 +82,34 @@ if $LARGEBLOCK; then
  mv /micro-sdk/defs/SL-Micro.kiwi.4096 /micro-sdk/defs/SL-Micro.kiwi
 fi

+# Create temporary directory that supports seclabel
+dir=$(mktemp -d)
+mkdir -p /tmp/output/tmp-dir
+mount -t tmpfs $dir /tmp/output/tmp-dir
+
 # Build the image
-kiwi-ng --debug --profile $PROFILE system build \
-    --description /micro-sdk/defs --target-dir /tmp/output --ignore-repos-used-for-build $REPOS
+kiwi-ng --temp-dir /tmp/output/tmp-dir --debug --profile $PROFILE \
+    system build --description /micro-sdk/defs --target-dir /tmp/output \
+    --ignore-repos-used-for-build $REPOS

 # Print output
 RESULT=$?
 if [ $RESULT -eq 0 ]; then
  echo -e "\n\nINFO: Image build successful, generated images are available in the 'output' directory."
+  # The -n flag is being used to avoid the \n at the end of the line
+  echo -n "INFO: Generating sha256 checksum file... " && {
+  # This returns the iso or raw image from the kiwi.result.json file, preferring iso
+  FILE_PATH=$(python3 -c 'import json, sys; data = json.load(sys.stdin); iso = data.get("installation_image", {}).get("filename"); raw = data.get("disk_image", {}).get("filename"); print(iso if iso else raw)' < /tmp/output/kiwi.result.json)
+  # Generate the checksum if the file path was successfully extracted
+  if [ -n "$FILE_PATH" ]; then
+    # The sed trims the full path to just the filename (e.g., "sum filename")
+    sha256sum "$FILE_PATH" | sed -E 's/\s+.*\/([^/]+)$/  \1/' > "$FILE_PATH.sha256" && echo "done"
+  else
+    # Or fail if it is not there
+    echo "ERROR: Neither ISO nor RAW file path found in JSON."
+  fi
+  # Catch-all just in case something fails inside the block
+  } || echo "ERROR: Command failed during processing."
 else
  echo -e "\n\nERROR: Failed to build the image, please see above logs."
 fi
--- a/kiwi-builder-image/config.sh
+++ b/kiwi-builder-image/config.sh
@@ -188,7 +188,6 @@ cat >/etc/fstab.script <<"EOF"
 #!/bin/sh
 set -eux

-/usr/sbin/setup-fstab-for-overlayfs
 # If /var is on a different partition than /...
 if [ "$(findmnt -snT / -o SOURCE)" != "$(findmnt -snT /var -o SOURCE)" ]; then
 	# ... set options for autoexpanding /var
--- a/kiwi-builder-image/disk.sh
+++ b/kiwi-builder-image/disk.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Copyright (c) 2025 SUSE LLC
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+# 
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+# 
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+set -euxo pipefail
+
+/usr/libexec/setup-etc-subvol
--- a/kiwi-builder-image/editbootinstall_pine64.sh
+++ b/kiwi-builder-image/editbootinstall_pine64.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -euxo pipefail
+
+diskname=$1
+devname="$2"
+loopname="${devname%*p?}"
+loopdev=/dev/${loopname#/dev/mapper/*}
+
+#==========================================
+# The GPT spans the first 33 sectors, but we need to write our
+# at sector 16. Shrink the GPT to only span 5 sectors
+# (16 partitions) to give us some space.
+#------------------------------------------
+# echo -e 'x\ns\n16\nw\ny' > gdisk.tmp
+# Shrink GPT does not work anymore, so let's use legacy MBR for now
+cat > gdisk.tmp <<-'EOF'
+		x
+		r
+		g
+		t
+		1
+		c
+		w
+		y
+	EOF
+dd if=$loopdev of=mbrid.bin bs=1 skip=440 count=4
+gdisk $loopdev < gdisk.tmp
+dd of=$loopdev if=mbrid.bin bs=1 seek=440 count=4
+rm -f mbrid.bin
+rm -f gdisk.tmp
+
+#==========================================
+# Installing All-in-one U-Boot/SPL
+#------------------------------------------
+echo "Installing All-in-one U-Boot/SPL..."
+if ! dd if=boot/u-boot-sunxi-with-spl.bin of=$diskname bs=1024 seek=8 conv=notrunc; then
+	echo "Couldn't install SPL on $diskname"
+	exit 1
+fi
+
--- a/kiwi-builder-image/editbootinstall_rpi.sh
+++ b/kiwi-builder-image/editbootinstall_rpi.sh
@@ -3,12 +3,9 @@ set -euxo pipefail

 diskname=$1
 devname="$2"
-
 loopname="${devname%*p?}"
 loopdev=/dev/${loopname#/dev/*}

-if [ ! -f $loopdev ]; then loopdev=/dev/${loopdev#/dev/mapper/}; fi
-
 #==========================================
 # copy Raspberry Pi firmware to EFI partition
 #------------------------------------------
--- a/kube-rbac-proxy/_service
+++ b/kube-rbac-proxy/_service
@@ -2,7 +2,7 @@
 <service name="obs_scm">
    <param name="url">https://github.com/brancz/kube-rbac-proxy</param>
    <param name="scm">git</param>
-    <param name="revision">v0.18.1</param>
+    <param name="revision">v0.19.1</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
--- a/kube-rbac-proxy/kube-rbac-proxy.spec
+++ b/kube-rbac-proxy/kube-rbac-proxy.spec
@@ -17,14 +17,14 @@


 Name:           kube-rbac-proxy
-Version:        0.18.1
-Release:        0.18.1
+Version:        0.19.1
+Release:        0.19.1
 Summary:        The kube-rbac-proxy is a small HTTP proxy for a single upstream
 License:        Apache-2.0
 URL:            https://github.com/brancz/kube-rbac-proxy
 Source:         kube-rbac-proxy-%{version}.tar
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.23
+BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}

--- a/kubectl-image/Dockerfile
+++ b/kubectl-image/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%kubectl:1.32.4
-#!BuildTag: %%IMG_PREFIX%%kubectl:1.32.4-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%kubectl:1.34.2
+#!BuildTag: %%IMG_PREFIX%%kubectl:1.34.2-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro

@@ -15,11 +15,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE kubectl image"
 LABEL org.opencontainers.image.description="kubectl on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="1.32.4"
+LABEL org.opencontainers.image.version="1.34.2"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.32.4-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.34.2-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
--- a/kubectl/kubectl.spec
+++ b/kubectl/kubectl.spec
@@ -1,7 +1,7 @@
 %global debug_package %{nil}

 Name: kubectl
-Version: 1.32.4
+Version: 1.34.2
 Release: 0
 Summary: Command-line utility for interacting with a Kubernetes cluster

--- a/kubectl/kubectl_1.32.4.orig.tar.gz
+++ b/kubectl/kubectl_1.32.4.orig.tar.gz
--- a/kubectl/kubectl_1.34.2.orig.tar.gz
+++ b/kubectl/kubectl_1.34.2.orig.tar.gz
--- a/kubevirt-chart/Chart.yaml
+++ b/kubevirt-chart/Chart.yaml
@@ -1,9 +1,9 @@
-#!BuildTag: %%CHART_PREFIX%%kubevirt:%%CHART_MAJOR%%.0.0_up0.5.0-%RELEASE%
-#!BuildTag: %%CHART_PREFIX%%kubevirt:%%CHART_MAJOR%%.0.0_up0.5.0
+#!BuildTag: %%CHART_PREFIX%%kubevirt:%%CHART_MAJOR%%.0.1_up0.6.0-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%kubevirt:%%CHART_MAJOR%%.0.1_up0.6.0
 apiVersion: v2
-appVersion: 1.4.0
+appVersion: 1.5.2
 description: A Helm chart for KubeVirt
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg
 name: kubevirt
 type: application
-version: "%%CHART_MAJOR%%.0.0+up0.5.0"
+version: "%%CHART_MAJOR%%.0.1+up0.6.0"
--- a/kubevirt-chart/crds/kubevirt.yaml
+++ b/kubevirt-chart/crds/kubevirt.yaml
@@ -593,6 +593,13 @@ spec:
                            If set to true, migrations will still start in pre-copy, but switch to post-copy when
                            CompletionTimeoutPerGiB triggers. Defaults to false
                          type: boolean
+                        allowWorkloadDisruption:
+                          description: |-
+                            AllowWorkloadDisruption indicates that the migration shouldn't be
+                            canceled after acceptableCompletionTime is exceeded. Instead, if
+                            permitted, migration will be switched to post-copy or the VMI will be
+                            paused to allow the migration to complete
+                          type: boolean
                        bandwidthPerMigration:
                          anyOf:
                            - type: integer
@@ -605,8 +612,8 @@ spec:
                        completionTimeoutPerGiB:
                          description: |-
                            CompletionTimeoutPerGiB is the maximum number of seconds per GiB a migration is allowed to take.
-                            If a live-migration takes longer to migrate than this value multiplied by the size of the VMI,
-                            the migration will be cancelled, unless AllowPostCopy is true. Defaults to 150
+                            If the timeout is reached, the migration will be either paused, switched
+                            to post-copy or cancelled depending on other settings. Defaults to 150
                          format: int64
                          type: integer
                        disableTLS:
@@ -964,17 +971,17 @@ spec:
                          type: object
                      type: object
                    vmRolloutStrategy:
-                      description: VMRolloutStrategy defines how changes to a VM object
-                        propagate to its VMI
+                      description: |-
+                        VMRolloutStrategy defines how live-updatable fields, like CPU sockets, memory,
+                        tolerations, and affinity, are propagated from a VM to its VMI.
                      enum:
                        - Stage
                        - LiveUpdate
                      nullable: true
                      type: string
                    vmStateStorageClass:
-                      description: |-
-                        VMStateStorageClass is the name of the storage class to use for the PVCs created to preserve VM state, like TPM.
-                        The storage class must support RWX in filesystem mode.
+                      description: VMStateStorageClass is the name of the storage class
+                        to use for the PVCs created to preserve VM state, like TPM.
                      type: string
                    webhookConfiguration:
                      description: |-
@@ -3850,6 +3857,13 @@ spec:
                            If set to true, migrations will still start in pre-copy, but switch to post-copy when
                            CompletionTimeoutPerGiB triggers. Defaults to false
                          type: boolean
+                        allowWorkloadDisruption:
+                          description: |-
+                            AllowWorkloadDisruption indicates that the migration shouldn't be
+                            canceled after acceptableCompletionTime is exceeded. Instead, if
+                            permitted, migration will be switched to post-copy or the VMI will be
+                            paused to allow the migration to complete
+                          type: boolean
                        bandwidthPerMigration:
                          anyOf:
                            - type: integer
@@ -3862,8 +3876,8 @@ spec:
                        completionTimeoutPerGiB:
                          description: |-
                            CompletionTimeoutPerGiB is the maximum number of seconds per GiB a migration is allowed to take.
-                            If a live-migration takes longer to migrate than this value multiplied by the size of the VMI,
-                            the migration will be cancelled, unless AllowPostCopy is true. Defaults to 150
+                            If the timeout is reached, the migration will be either paused, switched
+                            to post-copy or cancelled depending on other settings. Defaults to 150
                          format: int64
                          type: integer
                        disableTLS:
@@ -4221,17 +4235,17 @@ spec:
                          type: object
                      type: object
                    vmRolloutStrategy:
-                      description: VMRolloutStrategy defines how changes to a VM object
-                        propagate to its VMI
+                      description: |-
+                        VMRolloutStrategy defines how live-updatable fields, like CPU sockets, memory,
+                        tolerations, and affinity, are propagated from a VM to its VMI.
                      enum:
                        - Stage
                        - LiveUpdate
                      nullable: true
                      type: string
                    vmStateStorageClass:
-                      description: |-
-                        VMStateStorageClass is the name of the storage class to use for the PVCs created to preserve VM state, like TPM.
-                        The storage class must support RWX in filesystem mode.
+                      description: VMStateStorageClass is the name of the storage class
+                        to use for the PVCs created to preserve VM state, like TPM.
                      type: string
                    webhookConfiguration:
                      description: |-
--- a/kubevirt-chart/templates/kubevirt-operator.yaml
+++ b/kubevirt-chart/templates/kubevirt-operator.yaml
@@ -608,6 +608,7 @@ rules:
    resources:
      - virtualmachinesnapshots
      - virtualmachinesnapshots/status
+      - virtualmachinesnapshots/finalizers
      - virtualmachinesnapshotcontents
      - virtualmachinesnapshotcontents/status
      - virtualmachinesnapshotcontents/finalizers
@@ -660,15 +661,18 @@ rules:
      - kubevirt.io
    resources:
      - virtualmachines/finalizers
+      - virtualmachineinstances/finalizers
    verbs:
      - update
  - apiGroups:
      - subresources.kubevirt.io
    resources:
+      - virtualmachines/stop
      - virtualmachineinstances/addvolume
      - virtualmachineinstances/removevolume
      - virtualmachineinstances/freeze
      - virtualmachineinstances/unfreeze
+      - virtualmachineinstances/reset
      - virtualmachineinstances/softreboot
      - virtualmachineinstances/sev/setupsession
      - virtualmachineinstances/sev/injectlaunchsecret
@@ -772,6 +776,14 @@ rules:
    verbs:
      - list
      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - create
+      - get
+      - delete
  - apiGroups:
      - kubevirt.io
    resources:
@@ -883,6 +895,7 @@ rules:
      - virtualmachineinstances/freeze
      - virtualmachineinstances/unfreeze
      - virtualmachineinstances/softreboot
+      - virtualmachineinstances/reset
      - virtualmachineinstances/sev/setupsession
      - virtualmachineinstances/sev/injectlaunchsecret
    verbs:
@@ -902,7 +915,6 @@ rules:
      - virtualmachines/restart
      - virtualmachines/addvolume
      - virtualmachines/removevolume
-      - virtualmachines/migrate
      - virtualmachines/memorydump
    verbs:
      - update
@@ -919,7 +931,6 @@ rules:
      - virtualmachineinstances
      - virtualmachineinstancepresets
      - virtualmachineinstancereplicasets
-      - virtualmachineinstancemigrations
    verbs:
      - get
      - delete
@@ -929,6 +940,14 @@ rules:
      - list
      - watch
      - deletecollection
+  - apiGroups:
+      - kubevirt.io
+    resources:
+      - virtualmachineinstancemigrations
+    verbs:
+      - get
+      - list
+      - watch
  - apiGroups:
      - snapshot.kubevirt.io
    resources:
@@ -1032,6 +1051,7 @@ rules:
      - virtualmachineinstances/freeze
      - virtualmachineinstances/unfreeze
      - virtualmachineinstances/softreboot
+      - virtualmachineinstances/reset
      - virtualmachineinstances/sev/setupsession
      - virtualmachineinstances/sev/injectlaunchsecret
    verbs:
@@ -1051,7 +1071,6 @@ rules:
      - virtualmachines/restart
      - virtualmachines/addvolume
      - virtualmachines/removevolume
-      - virtualmachines/migrate
      - virtualmachines/memorydump
    verbs:
      - update
@@ -1068,7 +1087,6 @@ rules:
      - virtualmachineinstances
      - virtualmachineinstancepresets
      - virtualmachineinstancereplicasets
-      - virtualmachineinstancemigrations
    verbs:
      - get
      - delete
@@ -1077,6 +1095,14 @@ rules:
      - patch
      - list
      - watch
+  - apiGroups:
+      - kubevirt.io
+    resources:
+      - virtualmachineinstancemigrations
+    verbs:
+      - get
+      - list
+      - watch
  - apiGroups:
      - snapshot.kubevirt.io
    resources:
@@ -1255,6 +1281,25 @@ rules:
      - get
      - list
      - watch
+  - apiGroups:
+      - subresources.kubevirt.io
+    resources:
+      - virtualmachines/migrate
+    verbs:
+      - update
+  - apiGroups:
+      - kubevirt.io
+    resources:
+      - virtualmachineinstancemigrations
+    verbs:
+      - get
+      - delete
+      - create
+      - update
+      - patch
+      - list
+      - watch
+      - deletecollection
  - apiGroups:
      - authentication.k8s.io
    resources:
@@ -1300,6 +1345,8 @@ spec:
    type: RollingUpdate
  template:
    metadata:
+      annotations:
+        openshift.io/required-scc: restricted-v2
      labels:
        kubevirt.io: virt-operator
        name: virt-operator
--- a/kubevirt-chart/values.yaml
+++ b/kubevirt-chart/values.yaml
@@ -1,6 +1,6 @@
 operator:
-  image: registry.suse.com/suse/sles/15.6/virt-operator
-  version: 1.4.0-150600.5.15.1
+  image: registry.suse.com/suse/sles/15.7/virt-operator
+  version: 1.5.2-150700.3.5.2
  replicas: 2
  pullPolicy: IfNotPresent
  affinity:
@@ -40,7 +40,7 @@ kubevirt:
  monitorAccount: ""
  monitorNamespace: ""

-hookImage: registry.rancher.com/rancher/kubectl:v1.30.10
+hookImage: registry.rancher.com/rancher/kubectl:v1.33.1
 hookRestartPolicy: OnFailure
 hookSecurityContext:
  seccompProfile:
--- a/kubevirt-dashboard-extension-chart/Chart.yaml
+++ b/kubevirt-dashboard-extension-chart/Chart.yaml
@@ -1,5 +1,5 @@
-#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.2_up1.3.2
-#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.2_up1.3.2-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.3
+#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.3-%RELEASE%
 annotations:
  catalog.cattle.io/certified: rancher
  catalog.cattle.io/namespace: cattle-ui-plugin-system
@@ -12,10 +12,10 @@ annotations:
  catalog.cattle.io/ui-extensions-version: '>= 3.0.2 < 4.0.0'
  catalog.cattle.io/kube-version: '>= v1.26.0-0'
 apiVersion: v2
-appVersion: 303.0.2+up1.3.2
+appVersion: 1.3.3
 description: 'SUSE Edge: KubeVirt extension for Rancher Dashboard'
 name: kubevirt-dashboard-extension
 type: application
-version: "%%CHART_MAJOR%%.0.2+up1.3.2"
+version: "%%CHART_MAJOR%%.0.4+up1.3.3"
 icon: >-
  https://raw.githubusercontent.com/cncf/artwork/master/projects/kubevirt/icon/color/kubevirt-icon-color.svg
--- a/kubevirt-dashboard-extension-chart/templates/cr.yaml
+++ b/kubevirt-dashboard-extension-chart/templates/cr.yaml
@@ -8,7 +8,7 @@ spec:
  plugin:
    name: {{ include "extension-server.fullname" . }}
    version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
-    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/kubevirt-dashboard-extension/303.0.2+up1.3.2
+    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/kubevirt-dashboard-extension/1.3.3
    noCache: {{ .Values.plugin.noCache }}
    noAuth: {{ .Values.plugin.noAuth }}
    metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}
--- a/metal3-chart/Chart.yaml
+++ b/metal3-chart/Chart.yaml
@@ -1,16 +1,16 @@
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.12_up0.12.2
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.12_up0.12.2-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.19_up0.12.9
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.19_up0.12.9-%RELEASE%
 apiVersion: v2
-appVersion: 0.12.2
+appVersion: 0.12.9
 dependencies:
 - alias: metal3-baremetal-operator
  name: baremetal-operator
  repository: file://./charts/baremetal-operator
-  version: 0.9.4
+  version: 0.10.4
 - alias: metal3-ironic
  name: ironic
  repository: file://./charts/ironic
-  version: 0.11.2
+  version: 0.11.6
 - alias: metal3-mariadb
  condition: global.enable_mariadb
  name: mariadb
@@ -20,9 +20,9 @@ dependencies:
  condition: global.enable_metal3_media_server
  name: media
  repository: file://./charts/media
-  version: 0.6.5
+  version: 0.7.1
 description: A Helm chart that installs all of the dependencies needed for Metal3
 icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
 name: metal3
 type: application
-version: "%%CHART_MAJOR%%.0.12+up0.12.2"
+version: "%%CHART_MAJOR%%.0.19+up0.12.9"
--- a/metal3-chart/charts/baremetal-operator/Chart.yaml
+++ b/metal3-chart/charts/baremetal-operator/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 0.9.1
+appVersion: 0.10.2
 description: A Helm chart for baremetal-operator, used by Metal3
 name: baremetal-operator
 type: application
-version: 0.9.4
+version: 0.10.4
--- a/metal3-chart/charts/baremetal-operator/crds/customresource-baremetalhosts.yaml
+++ b/metal3-chart/charts/baremetal-operator/crds/customresource-baremetalhosts.yaml
@@ -202,6 +202,11 @@ spec:
                description: Description is a human-entered text used to help identify
                  the host.
                type: string
+              disablePowerOff:
+                description: |-
+                  When set to true, power off of the node will be disabled,
+                  instead, a reboot will be used in place of power on/off
+                type: boolean
              externallyProvisioned:
                description: |-
                  ExternallyProvisioned means something else has provisioned the
--- a/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml
+++ b/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml
@@ -5,7 +5,6 @@
  {{- $ironicApiHost := print $ironicHost ":6385" }}
  {{- $ironicBootHost := print $ironicHost ":6180" }}
  {{- $ironicCacheHost := print $ironicHost ":6180" }}
-  {{- $deployArch := .Values.global.deployArchitecture }}

 apiVersion: v1
 data:
@@ -21,9 +20,10 @@ data:
  RESTART_CONTAINER_CERTIFICATE_UPDATED: "false"
  {{- end }}
  CACHEURL: "{{ $protocol }}://{{ $ironicCacheHost }}/images"
-  DEPLOY_KERNEL_URL: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.kernel"
-  DEPLOY_RAMDISK_URL: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.initramfs"
-  DEPLOY_ARCHITECTURE: "{{ $deployArch }}"
+  {{- if .Values.baremetaloperator.externalHttpIPv6 }}
+  {{- $port := ternary .Values.global.vmediaTLSPort .Values.baremetaloperator.httpPort $enableVMediaTLS }}
+  IRONIC_EXTERNAL_URL_V6: "{{ $protocol }}://[{{ .Values.baremetaloperator.externalHttpIPv6 }}]:{{ $port }}"
+  {{- end }}
 kind: ConfigMap
 metadata:
  name: baremetal-operator-ironic
--- a/metal3-chart/charts/baremetal-operator/values.yaml
+++ b/metal3-chart/charts/baremetal-operator/values.yaml
@@ -28,7 +28,7 @@ images:
  baremetalOperator:
    repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/baremetal-operator
    pullPolicy: IfNotPresent
-    tag: "0.9.1.1"
+    tag: "0.10.2.1"

 imagePullSecrets: []
 nameOverride: "manger"
@@ -84,3 +84,8 @@ affinity: {}

 baremetaloperator:
  httpPort: "6180"
+
+  # IPv6 used for accessing the Ironic HTTP server for BMCs with an IPv6 only address.
+  # It should not be used in conjunction with 'provisioningHostname' unless BMCs do not
+  # support hostnames.
+  externalHttpIPv6: ""
--- a/metal3-chart/charts/ironic/Chart.yaml
+++ b/metal3-chart/charts/ironic/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: 29.0.4
 description: A Helm chart for Ironic, used by Metal3
 name: ironic
 type: application
-version: 0.11.2
+version: 0.11.6
--- a/metal3-chart/charts/ironic/templates/configmap.yaml
+++ b/metal3-chart/charts/ironic/templates/configmap.yaml
@@ -5,8 +5,6 @@ metadata:
  labels:
    {{- include "ironic.labels" . | nindent 4 }}
 data:
-  {{- $deployArch := .Values.global.deployArchitecture }}
-
  {{- if  ( .Values.global.enable_dnsmasq ) }}
  DNSMASQ_DNS_SERVER_ADDRESS: {{ .Values.global.dnsmasqDNSServer }}
  DNSMASQ_DEFAULT_ROUTER: {{ .Values.global.dnsmasqDefaultRouter }}
@@ -18,7 +16,6 @@ data:
  HTTP_PORT: "6180"
  PREDICTABLE_NIC_NAMES: "{{ .Values.global.predictableNicNames }}"
  IRONIC_EXTERNAL_HTTP_URL: {{ include "ironic.externalHttpUrl" . }}
-  DEPLOY_ARCHITECTURE: {{ $deployArch }}
  ENABLE_PXE_BOOT: "{{ .Values.global.enable_pxe_boot }}"
  {{- if .Values.global.provisioningInterface }}
  PROVISIONING_INTERFACE: {{ .Values.global.provisioningInterface }}
@@ -55,3 +52,6 @@ data:
  {{- else }}
  IRONIC_USE_MARIADB: "false"
  {{- end }}
+  {{- with .Values.ironicExtraEnv -}}
+  {{ toYaml . | nindent 2 }}
+  {{- end -}}
--- a/metal3-chart/charts/ironic/values.yaml
+++ b/metal3-chart/charts/ironic/values.yaml
@@ -64,11 +64,11 @@ images:
  ironic:
    repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
    pullPolicy: IfNotPresent
-    tag: 29.0.4.1
+    tag: 29.0.4.4
  ironicIPADownloader:
    repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader
    pullPolicy: IfNotPresent
-    tag: 3.0.8
+    tag: 3.0.10

 nameOverride: ""
 fullnameOverride: ""
@@ -138,6 +138,8 @@ baremetaloperator:
 debug:
  ironicRamdiskSshKey: ""

+ironicExtraEnv: {}
+
 tlscerts:
  cacert: ""
  key: ""
--- a/metal3-chart/charts/media/Chart.yaml
+++ b/metal3-chart/charts/media/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 1.16.0
+appVersion: 1.21.0
 description: A Helm chart for Media, used by Metal3
 name: media
 type: application
-version: 0.6.5
+version: 0.7.1
--- a/metal3-chart/charts/media/templates/deployment.yaml
+++ b/metal3-chart/charts/media/templates/deployment.yaml
@@ -34,13 +34,9 @@ spec:
      {{- end }}
      containers:
        - name: {{ .Chart.Name }}
-          command:
-          - /usr/sbin/httpd
-          args:
-          - -DFOREGROUND
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: http
--- a/metal3-chart/charts/media/values.yaml
+++ b/metal3-chart/charts/media/values.yaml
@@ -22,9 +22,9 @@ global:
 replicaCount: 1

 image:
-  repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
+  repository: registry.suse.com/suse/nginx
  pullPolicy: IfNotPresent
-  tag: 29.0.4.1
+  tag: 1.21

 imagePullSecrets: []
 nameOverride: ""
@@ -42,8 +42,8 @@ serviceAccount:
 podAnnotations: {}

 podSecurityContext:
-  runAsUser: 10475
-  fsGroup: 10475
+  runAsUser: 499
+  fsGroup: 486

 securityContext:
  allowPrivilegeEscalation: false
@@ -102,11 +102,16 @@ volumes:
  - name: assets
    persistentVolumeClaim:
      claimName: media
+  - name: run
+    emptyDir:
+      sizeLimit: 10Mi

 # volume mounts
 volumeMounts:
  - mountPath: /srv/www/htdocs
    name: assets
+  - mountPath: /run
+    name: run

 # media volume settings
 mediaVolume:
--- a/metal3-chart/values.yaml
+++ b/metal3-chart/values.yaml
@@ -72,9 +72,6 @@ global:
  # Name for the MariaDB service
  databaseServiceName: metal3-mariadb

-  # Architecture for deployed nodes (either x86_64 or arm64)
-  deployArchitecture: x86_64
-
  # In a multi-node cluster use the node selector to ensure the pods
  # all run on the same host where the dnsmasqDNSServer and provisioningIP
  # and /opt/media exist. Uncomment the nodeSelector and update the
@@ -92,8 +89,6 @@ metal3-media:
  # available to the Ironic deployment services.
  mediaVolume:
    hostPath: /opt/media
-  image:
-    repository: "%%IMG_REPO%%/%%IMG_PREFIX%%ironic"

 #
 # ironic service
--- a/metallb-chart/Chart.yaml
+++ b/metallb-chart/Chart.yaml
@@ -1,17 +1,17 @@
-#!BuildTag: %%CHART_PREFIX%%metallb:%%CHART_MAJOR%%.0.0_up0.14.9
-#!BuildTag: %%CHART_PREFIX%%metallb:%%CHART_MAJOR%%.0.0_up0.14.9-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%metallb:%%CHART_MAJOR%%.0.1_up0.15.2
+#!BuildTag: %%CHART_PREFIX%%metallb:%%CHART_MAJOR%%.0.1_up0.15.2-%RELEASE%
 apiVersion: v2
-appVersion: v0.14.9
+appVersion: v0.15.2
 dependencies:
 - condition: crds.enabled
  name: crds
  repository: file://./charts/crds
-  version: 0.14.9
+  version: 0.15.2
 - alias: metallb-frr-k8s
  condition: frrk8s.enabled
  name: frr-k8s
  repository: file://./charts/frr-k8s
-  version: 0.0.16
+  version: 0.0.20
 description: A network load-balancer implementation for Kubernetes using standard
  routing protocols
 home: https://metallb.universe.tf
@@ -21,4 +21,4 @@ name: metallb
 sources:
 - https://github.com/metallb/metallb
 type: application
-version: "%%CHART_MAJOR%%.0.0+up0.14.9"
+version: "%%CHART_MAJOR%%.0.1+up0.15.2"
--- a/metallb-chart/README.md
+++ b/metallb-chart/README.md
@@ -1,6 +1,6 @@
 # metallb

-![Version: 0.14.9](https://img.shields.io/badge/Version-0.14.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.14.9](https://img.shields.io/badge/AppVersion-v0.14.9-informational?style=flat-square)
+![Version: 0.15.2](https://img.shields.io/badge/Version-0.15.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.15.2](https://img.shields.io/badge/AppVersion-v0.15.2-informational?style=flat-square)

 A network load-balancer implementation for Kubernetes using standard routing protocols

@@ -16,8 +16,8 @@ Kubernetes: `>= 1.19.0-0`

 | Repository | Name | Version |
 |------------|------|---------|
-|  | crds | 0.14.9 |
-| https://metallb.github.io/frr-k8s | frr-k8s | 0.0.16 |
+|  | crds | 0.15.2 |
+| https://metallb.github.io/frr-k8s | frr-k8s | 0.0.20 |

 ## Values

@@ -99,7 +99,7 @@ Kubernetes: `>= 1.19.0-0`
 | prometheus.rbacPrometheus | bool | `true` |  |
 | prometheus.rbacProxy.pullPolicy | string | `nil` |  |
 | prometheus.rbacProxy.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/kube-rbac-proxy"` |  |
-| prometheus.rbacProxy.tag | string | `"v0.18.0"` |  |
+| prometheus.rbacProxy.tag | string | `"v0.19.1"` |  |
 | prometheus.scrapeAnnotations | bool | `false` |  |
 | prometheus.serviceAccount | string | `""` |  |
 | prometheus.serviceMonitor.controller.additionalLabels | object | `{}` |  |
@@ -122,7 +122,7 @@ Kubernetes: `>= 1.19.0-0`
 | speaker.frr.enabled | bool | `true` |  |
 | speaker.frr.image.pullPolicy | string | `nil` |  |
 | speaker.frr.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/frr"` |  |
-| speaker.frr.image.tag | string | `"8.5.6"` |  |
+| speaker.frr.image.tag | string | `"10.2.1"` |  |
 | speaker.frr.metricsPort | int | `7473` |  |
 | speaker.frr.resources | object | `{}` |  |
 | speaker.frrMetrics.resources | object | `{}` |  |
--- a/metallb-chart/charts/crds/Chart.yaml
+++ b/metallb-chart/charts/crds/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.14.9
+appVersion: v0.15.2
 description: MetalLB CRDs
 home: https://metallb.universe.tf
 icon: https://metallb.universe.tf/images/logo/metallb-white.png
@@ -7,4 +7,4 @@ name: crds
 sources:
 - https://github.com/metallb/metallb
 type: application
-version: 0.14.9
+version: 0.15.2
--- a/metallb-chart/charts/crds/templates/crds.yaml
+++ b/metallb-chart/charts/crds/templates/crds.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: bfdprofiles.metallb.io
 spec:
  group: metallb.io
@@ -123,7 +123,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: bgpadvertisements.metallb.io
 spec:
  group: metallb.io
@@ -329,7 +329,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: bgppeers.metallb.io
 spec:
  conversion:
@@ -526,7 +526,15 @@ spec:
                      rule: duration(self).getMilliseconds() % 1000 == 0
                disableMP:
                  default: false
-                  description: To set if we want to disable MP BGP that will separate IPv4 and IPv6 route exchanges into distinct BGP sessions.
+                  description: |-
+                    To set if we want to disable MP BGP that will separate IPv4 and IPv6 route exchanges into distinct BGP sessions.
+                    Deprecated: DisableMP is deprecated in favor of dualStackAddressFamily.
+                  type: boolean
+                dualStackAddressFamily:
+                  default: false
+                  description: |-
+                    To set if we want to enable the neighbor not only for the ipfamily related to its session,
+                    but also the other one. This allows to advertise/receive IPv4 prefixes over IPv6 sessions and vice versa.
                  type: boolean
                dynamicASN:
                  description: |-
@@ -555,6 +563,14 @@ spec:
                holdTime:
                  description: Requested BGP hold time, per RFC4271.
                  type: string
+                interface:
+                  description: |-
+                    Interface is the node interface over which the unnumbered BGP peering will
+                    be established. No API validation takes place as that string value
+                    represents an interface name on the host and if user provides an invalid
+                    value, only the actual BGP session will not be established.
+                    Address and Interface are mutually exclusive and one of them must be specified.
+                  type: string
                keepaliveTime:
                  description: Requested BGP keepalive time, per RFC4271.
                  type: string
@@ -649,7 +665,7 @@ spec:
                  default: 179
                  description: Port to dial when establishing the session.
                  maximum: 16384
-                  minimum: 0
+                  minimum: 1
                  type: integer
                routerID:
                  description: BGP router ID to advertise to the peer
@@ -664,7 +680,6 @@ spec:
                  type: string
              required:
                - myASN
-                - peerAddress
              type: object
            status:
              description: BGPPeerStatus defines the observed state of Peer.
@@ -679,7 +694,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: communities.metallb.io
 spec:
  group: metallb.io
@@ -744,7 +759,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: ipaddresspools.metallb.io
 spec:
  group: metallb.io
@@ -941,6 +956,28 @@ spec:
              type: object
            status:
              description: IPAddressPoolStatus defines the observed state of IPAddressPool.
+              properties:
+                assignedIPv4:
+                  description: AssignedIPv4 is the number of assigned IPv4 addresses.
+                  format: int64
+                  type: integer
+                assignedIPv6:
+                  description: AssignedIPv6 is the number of assigned IPv6 addresses.
+                  format: int64
+                  type: integer
+                availableIPv4:
+                  description: AvailableIPv4 is the number of available IPv4 addresses.
+                  format: int64
+                  type: integer
+                availableIPv6:
+                  description: AvailableIPv6 is the number of available IPv6 addresses.
+                  format: int64
+                  type: integer
+              required:
+                - assignedIPv4
+                - assignedIPv6
+                - availableIPv4
+                - availableIPv6
              type: object
          required:
            - spec
@@ -954,7 +991,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: l2advertisements.metallb.io
 spec:
  group: metallb.io
@@ -1134,7 +1171,92 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
+  name: servicebgpstatuses.metallb.io
+spec:
+  group: metallb.io
+  names:
+    kind: ServiceBGPStatus
+    listKind: ServiceBGPStatusList
+    plural: servicebgpstatuses
+    singular: servicebgpstatus
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .status.node
+          name: Node
+          type: string
+        - jsonPath: .status.serviceName
+          name: Service Name
+          type: string
+        - jsonPath: .status.serviceNamespace
+          name: Service Namespace
+          type: string
+      name: v1beta1
+      schema:
+        openAPIV3Schema:
+          description: ServiceBGPStatus exposes the BGP peers a service is configured to be advertised to, per relevant node.
+          properties:
+            apiVersion:
+              description: |-
+                APIVersion defines the versioned schema of this representation of an object.
+                Servers should convert recognized schemas to the latest internal value, and
+                may reject unrecognized values.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+              type: string
+            kind:
+              description: |-
+                Kind is a string value representing the REST resource this object represents.
+                Servers may infer this from the endpoint the client submits requests to.
+                Cannot be updated.
+                In CamelCase.
+                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ServiceBGPStatusSpec defines the desired state of ServiceBGPStatus.
+              type: object
+            status:
+              description: MetalLBServiceBGPStatus defines the observed state of ServiceBGPStatus.
+              properties:
+                node:
+                  description: Node indicates the node announcing the service.
+                  type: string
+                  x-kubernetes-validations:
+                    - message: Value is immutable
+                      rule: self == oldSelf
+                peers:
+                  description: |-
+                    Peers indicate the BGP peers for which the service is configured to be advertised to.
+                    The service being actually advertised to a given peer depends on the session state and is not indicated here.
+                  items:
+                    type: string
+                  type: array
+                serviceName:
+                  description: ServiceName indicates the service this status represents.
+                  type: string
+                  x-kubernetes-validations:
+                    - message: Value is immutable
+                      rule: self == oldSelf
+                serviceNamespace:
+                  description: ServiceNamespace indicates the namespace of the service.
+                  type: string
+                  x-kubernetes-validations:
+                    - message: Value is immutable
+                      rule: self == oldSelf
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: servicel2statuses.metallb.io
 spec:
  group: metallb.io
--- a/metallb-chart/charts/frr-k8s/Chart.yaml
+++ b/metallb-chart/charts/frr-k8s/Chart.yaml
@@ -1,10 +1,10 @@
 apiVersion: v2
-appVersion: v0.0.16
+appVersion: v0.0.20
 dependencies:
 - condition: crds.enabled
  name: crds
  repository: file://./charts/crds
-  version: 0.0.16
+  version: 0.0.20
 description: A cloud native wrapper of FRR
 home: https://metallb.universe.tf
 icon: https://metallb.universe.tf/images/logo/metallb-white.png
@@ -13,4 +13,4 @@ name: frr-k8s
 sources:
 - https://github.com/metallb/frr-k8s
 type: application
-version: 0.0.16
+version: 0.0.20
--- a/metallb-chart/charts/frr-k8s/README.md
+++ b/metallb-chart/charts/frr-k8s/README.md
@@ -1,6 +1,6 @@
 # frr-k8s

-![Version: 0.0.16](https://img.shields.io/badge/Version-0.0.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.16](https://img.shields.io/badge/AppVersion-v0.0.16-informational?style=flat-square)
+![Version: 0.0.20](https://img.shields.io/badge/Version-0.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.20](https://img.shields.io/badge/AppVersion-v0.0.20-informational?style=flat-square)

 A cloud native wrapper of FRR

@@ -16,7 +16,7 @@ Kubernetes: `>= 1.19.0-0`

 | Repository | Name | Version |
 |------------|------|---------|
-|  | crds | 0.0.16 |
+|  | crds | 0.0.20 |

 ## Values

@@ -30,7 +30,7 @@ Kubernetes: `>= 1.19.0-0`
 | frrk8s.frr.acceptIncomingBGPConnections | bool | `false` |  |
 | frrk8s.frr.image.pullPolicy | string | `nil` |  |
 | frrk8s.frr.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/frr"` |  |
-| frrk8s.frr.image.tag | string | `"8.5.6"` |  |
+| frrk8s.frr.image.tag | string | `"10.2.1"` |  |
 | frrk8s.frr.metricsBindAddress | string | `"127.0.0.1"` |  |
 | frrk8s.frr.metricsPort | int | `7573` |  |
 | frrk8s.frr.resources | object | `{}` |  |
@@ -78,7 +78,7 @@ Kubernetes: `>= 1.19.0-0`
 | prometheus.rbacPrometheus | bool | `false` |  |
 | prometheus.rbacProxy.pullPolicy | string | `nil` |  |
 | prometheus.rbacProxy.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/kube-rbac-proxy"` |  |
-| prometheus.rbacProxy.tag | string | `"v0.18.0"` |  |
+| prometheus.rbacProxy.tag | string | `"v0.19.1"` |  |
 | prometheus.scrapeAnnotations | bool | `false` |  |
 | prometheus.secureMetricsPort | int | `9140` |  |
 | prometheus.serviceAccount | string | `""` |  |
--- a/metallb-chart/charts/frr-k8s/charts/crds/Chart.yaml
+++ b/metallb-chart/charts/frr-k8s/charts/crds/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.0.16
+appVersion: v0.0.20
 description: FRR K8s CRDs
 home: https://metallb.universe.tf
 icon: https://metallb.universe.tf/images/logo/metallb-white.png
@@ -7,4 +7,4 @@ name: crds
 sources:
 - https://github.com/metallb/frr-k8s
 type: application
-version: 0.0.16
+version: 0.0.20
--- a/metallb-chart/charts/frr-k8s/values.yaml
+++ b/metallb-chart/charts/frr-k8s/values.yaml
@@ -98,7 +98,7 @@ frrk8s:
  tolerateMaster: true
  image:
    repository: "registry.opensuse.org/isv/suse/edge/metallb/images/frr-k8s"
-    tag: "v0.0.16"
+    tag: "v0.0.20"
    pullPolicy: IfNotPresent
  ## @param controller.updateStrategy.type FRR-K8s controller daemonset strategy type
  ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
@@ -161,7 +161,7 @@ frrk8s:
  frr:
    image:
      repository: "registry.opensuse.org/isv/suse/edge/metallb/images/frr"
-      tag: "8.5.6"
+      tag: "10.2.1"
      pullPolicy: IfNotPresent
    metricsBindAddress: 127.0.0.1
    metricsPort: 7573
--- a/metallb-chart/templates/rbac.yaml
+++ b/metallb-chart/templates/rbac.yaml
@@ -110,6 +110,9 @@ rules:
 - apiGroups: ["metallb.io"]
  resources: ["communities"]
  verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["servicebgpstatuses","servicebgpstatuses/status"]
+  verbs: ["*"]
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -138,6 +141,9 @@ rules:
 - apiGroups: ["metallb.io"]
  resources: ["ipaddresspools"]
  verbs: ["get", "list", "watch"]
+- apiGroups: ["metallb.io"]
+  resources: ["ipaddresspools/status"]
+  verbs: ["update"]
 - apiGroups: ["metallb.io"]
  resources: ["bgppeers"]
  verbs: ["get", "list"]
--- a/Show More
+++ b/Show More