Merge pull request 'Update metal3 components to latest' (#317 ) from nbelouin/Factory:metal3-update into main

Reviewed-on: #317 Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org> Reviewed-by: Marco Chiappero <mchiappero@noreply.src.opensuse.org>
Update metal3 chart
2025-12-12 08:19:45 +01:00 · 2025-12-11 14:59:47 +01:00 · 2025-12-11 14:59:46 +01:00 · 2025-12-11 14:59:46 +01:00 · 2025-12-11 12:39:25 +01:00 · 2025-12-11 12:21:46 +01:00
299 changed files with 8339 additions and 35322 deletions
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,39 +1,170 @@
 [submodule "obs-service-set_version"]
 	path = obs-service-set_version
 	url = https://src.opensuse.org/SLFO-pool/obs-service-set_version.git
 [submodule "cri-tools"]
 	path = cri-tools
 	url = https://src.opensuse.org/pool/cri-tools.git
 [submodule "fakeroot"]
 	path = fakeroot
 	url = https://src.opensuse.org/pool/fakeroot.git
 [submodule "crudini"]
 	path = crudini
 	url = https://src.opensuse.org/pool/crudini.git
-[submodule "autoconf"]
+[submodule "cni-plugins"]
-	path = autoconf
+	path = cni-plugins
-	url = https://src.opensuse.org/SLFO-pool/autoconf.git
+	url = https://src.opensuse.org/pool/cni-plugins
-[submodule "python-pydantic"]
+[submodule "python-kubernetes"]
-	path = python-pydantic
+	path = python-kubernetes
-	url = https://src.opensuse.org/SLFO-pool/python-pydantic
+	url = https://src.opensuse.org/pool/python-kubernetes
-[submodule "python-pydantic-core"]
+	branch = leap-16.0
-	path = python-pydantic-core
+[submodule "python-durationpy"]
-	url = https://src.opensuse.org/SLFO-pool/python-pydantic-core
+	path = python-durationpy
-[submodule "python-inline-snapshot"]
+	url = https://src.opensuse.org/pool/python-durationpy
-	path = python-inline-snapshot
+	branch = leap-16.0
-	url = https://src.opensuse.org/SLFO-pool/python-inline-snapshot
+[submodule "python-recommonmark"]
-[submodule "python-executing"]
+	path = python-recommonmark
-	path = python-executing
+	url = https://src.opensuse.org/pool/python-recommonmark
-	url = https://src.opensuse.org/SLFO-pool/python-executing
+	branch = leap-16.0
-[submodule "python-typing-inspection"]
+[submodule "python-iniparse"]
-	path = python-typing-inspection
+	path = python-iniparse
-	url = https://src.opensuse.org/SLFO-pool/python-typing-inspection
+	url = https://src.opensuse.org/pool/python-iniparse
-[submodule "python-annotated-types"]
+	branch = leap-16.0
-	path = python-annotated-types
+[submodule "python-commonmark"]
-	url = https://src.opensuse.org/SLFO-pool/python-annotated-types
+	path = python-commonmark
-[submodule "python-typing_extensions"]
+	url = https://src.opensuse.org/pool/python-commonmark
-	path = python-typing_extensions
+	branch = leap-16.0
-	url = https://src.opensuse.org/SLFO-pool/python-typing_extensions
+[submodule "cni"]
-[submodule "python-flit-core"]
+	path = cni
-	path = python-flit-core
+	url = https://src.opensuse.org/pool/cni
-	url = https://src.opensuse.org/SLFO-pool/python-flit-core
+[submodule "python-tenacity"]
 	path = python-tenacity
 	url = https://src.opensuse.org/pool/python-tenacity
 [submodule "python-pint"]
 	path = python-pint
 	url = https://src.opensuse.org/pool/python-pint
 	branch = leap-16.0
 [submodule "python-flexcache"]
 	path = python-flexcache
 	url = https://src.opensuse.org/pool/python-flexcache
 	branch = leap-16.0
 [submodule "python-flexparser"]
 	path = python-flexparser
 	url = https://src.opensuse.org/pool/python-flexparser
 	branch = leap-16.0
 [submodule "python-uncertainties"]
 	path = python-uncertainties
 	url = https://src.opensuse.org/pool/python-uncertainties
 	branch = leap-16.0
 [submodule "python-dogpile.cache"]
 	path = python-dogpile.cache
 	url = https://src.opensuse.org/pool/python-dogpile.cache
 	branch = leap-16.0
 [submodule "python-pytest-mpl"]
 	path = python-pytest-mpl
 	url = https://src.opensuse.org/pool/python-pytest-mpl
 	branch = leap-16.0
 [submodule "python-zeroconf"]
 	path = python-zeroconf
 	url = https://src.opensuse.org/pool/python-zeroconf
 	branch = leap-16.0
 [submodule "python-ifaddr"]
 	path = python-ifaddr
 	url = https://src.opensuse.org/pool/python-ifaddr
 	branch = leap-16.0
 [submodule "python-yappi"]
 	path = python-yappi
 	url = https://src.opensuse.org/pool/python-yappi
 [submodule "python-routes"]
 	path = python-routes
 	url = https://src.opensuse.org/pool/python-routes
 	branch = leap-16.0
 [submodule "python-repoze.lru"]
 	path = python-repoze.lru
 	url = https://src.opensuse.org/pool/python-repoze.lru
 	branch = leap-16.0
 [submodule "ipxe"]
 	path = ipxe
 	url = https://src.opensuse.org/pool/ipxe
 	branch = leap-16.0
 [submodule "python-setproctitle"]
 	path = python-setproctitle
 	url = https://src.opensuse.org/pool/python-setproctitle
 	branch = leap-16.0
 [submodule "python-requests-kerberos"]
 	path = python-requests-kerberos
 	url = https://src.opensuse.org/pool/python-requests-kerberos
 	branch = leap-16.0
 [submodule "python-pecan"]
 	path = python-pecan
 	url = https://src.opensuse.org/pool/python-pecan
 	branch = leap-16.0
 [submodule "python-pycdlib"]
 	path = python-pycdlib
 	url = https://src.opensuse.org/pool/python-pycdlib
 [submodule "python-cliff"]
 	path = python-cliff
 	url = https://src.opensuse.org/pool/python-cliff
 [submodule "python-autopage"]
 	path = python-autopage
 	url = https://src.opensuse.org/pool/python-autopage
 [submodule "python-cmd2"]
 	path = python-cmd2
 	url = https://src.opensuse.org/pool/python-cmd2
 	branch = leap-16.0
 [submodule "uwsgi"]
 	path = uwsgi
 	url = https://src.opensuse.org/pool/uwsgi
 	branch = leap-16.0
 [submodule "python-requestsexceptions"]
 	path = python-requestsexceptions
 	url = https://src.opensuse.org/pool/python-requestsexceptions
 [submodule "python-python-memcached"]
 	path = python-python-memcached
 	url = https://src.opensuse.org/pool/python-python-memcached
 [submodule "python-kombu"]
 	path = python-kombu
 	url = https://src.opensuse.org/pool/python-kombu
 [submodule "python-amqp"]
 	path = python-amqp
 	url = https://src.opensuse.org/pool/python-amqp
 	branch = leap-16.0
 [submodule "python-statsd"]
 	path = python-statsd
 	url = https://src.opensuse.org/pool/python-statsd
 [submodule "python-warlock"]
 	path = python-warlock
 	url = https://src.opensuse.org/pool/python-warlock
 [submodule "python-case"]
 	path = python-case
 	url = https://src.opensuse.org/pool/python-case
 	branch = leap-16.0
 [submodule "python-vine"]
 	path = python-vine
 	url = https://src.opensuse.org/pool/python-vine
 	branch = leap-16.0
 [submodule "python-Pyro5"]
 	path = python-Pyro5
 	url = https://src.opensuse.org/pool/python-Pyro5
 	branch = leap-16.0
 [submodule "python-pre-commit"]
 	path = python-pre-commit
 	url = https://src.opensuse.org/pool/python-pre-commit
 [submodule "python-serpent"]
 	path = python-serpent
 	url = https://src.opensuse.org/pool/python-serpent
 	branch = leap-16.0
 [submodule "python-google-cloud-monitoring"]
 	path = python-google-cloud-monitoring
 	url = https://src.opensuse.org/pool/python-google-cloud-monitoring
 [submodule "python-google-cloud-pubsub"]
 	path = python-google-cloud-pubsub
 	url = https://src.opensuse.org/pool/python-google-cloud-pubsub
 [submodule "python-cfgv"]
 	path = python-cfgv
 	url = https://src.opensuse.org/pool/python-cfgv
 [submodule "python-identify"]
 	path = python-identify
 	url = https://src.opensuse.org/pool/python-identify
 [submodule "python-pandas"]
 	path = python-pandas
 	url = https://src.opensuse.org/pool/python-pandas
 [submodule "python-grpc-google-iam-v1"]
 	path = python-grpc-google-iam-v1
 	url = https://src.opensuse.org/pool/python-grpc-google-iam-v1
 [submodule "python-editdistance"]
 	path = python-editdistance
 	url = https://src.opensuse.org/pool/python-editdistance
--- a/131
+++ b/131
@@ -1,8 +1,11 @@
-Prefer: -libqpid-proton10 -python311-urllib3_1
+Prefer: -libqpid-proton10 -python313-urllib3_1
 Prefer: -cargo1.58 -cargo1.57 cargo1.89
 Prefer: chrony-pool-suse
 Prefer: -postgresql17-devel-mini
 BuildFlags: excludebuild:python-pandas:test-py313
 Macros:
 %__python3 /usr/bin/python3.11
 %registry_url %(echo %{vendor} | cut -d '/' -f 3 | sed 's/build/registry/')
 :Macros
@@ -46,76 +49,43 @@ Macros:
 :Macros
 %endif
 # Missing deps for testsuite
 BuildFlags: excludebuild:autoconf:el
 BuildFlags: excludebuild:autoconf:testsuite
 # Missing deps for python packages related to suse-edge-components-versions
 BuildFlags: excludebuild:python-pydantic:test
 BuildFlags: excludebuild:python-pydantic-core:test
 BuildFlags: excludebuild:python-inline-snapshot:test
 BuildFlags: excludebuild:python-executing:test
 BuildFlags: excludebuild:python-annotated-types:test
 BuildFlags: excludebuild:python-typing-inspection:test
 BuildFlags: excludebuild:python-typing_extensions:test
 # Only build manifest embedding images here
 %if "%_repository" == "test_manifest_images"
 BuildFlags: onlybuild:edge-image-builder-image
 BuildFlags: onlybuild:release-manifest-image
  # Exclude the images selected by the following section
  # as the standard repository is a dependency
  %ifarch aarch64
    BuildFlags: excludebuild:baremetal-operator-image
    BuildFlags: excludebuild:endpoint-copier-operator-image
    BuildFlags: excludebuild:ironic-image
    BuildFlags: excludebuild:ironic-ipa-downloader-image
    BuildFlags: excludebuild:kiwi-builder-image
    BuildFlags: excludebuild:kubectl-image
    BuildFlags: excludebuild:kube-rbac-proxy-image
    BuildFlags: excludebuild:metallb-controller-image
    BuildFlags: excludebuild:metallb-speaker-image
  %endif
 %else
-# Only a subset of stack is arm64 ready
+# Only a subset of stack is arm64 ready exclude what is not ready
  %ifarch aarch64
-    BuildFlags: onlybuild:autoconf
+    # Akri
-    BuildFlags: onlybuild:baremetal-operator
+    BuildFlags: excludebuild:akri
-    BuildFlags: onlybuild:baremetal-operator-image
+    BuildFlags: excludebuild:akri-agent-image
-    BuildFlags: onlybuild:ca-certificates-suse
+    BuildFlags: excludebuild:akri-controller-image
-    BuildFlags: onlybuild:container-build-checks
+    BuildFlags: excludebuild:akri-debug-echo-discovery-handler-image
-    BuildFlags: onlybuild:crudini
+    BuildFlags: excludebuild:akri-onvif-discovery-handler-image
-    BuildFlags: onlybuild:edge-build-checks
+    BuildFlags: excludebuild:akri-opcua-discovery-handler-image
-    BuildFlags: onlybuild:edge-image-builder
+    BuildFlags: excludebuild:akri-udev-discovery-handler-image
-    BuildFlags: onlybuild:edge-image-builder-image
+    BuildFlags: excludebuild:akri-webhook-configuration-image
-    BuildFlags: onlybuild:endpoint-copier-operator
+    BuildFlags: excludebuild:cri-tools
-    BuildFlags: onlybuild:endpoint-copier-operator-image
+
-    BuildFlags: onlybuild:fakeroot
+    # FRR
-    BuildFlags: onlybuild:hauler
+    BuildFlags: excludebuild:frr-image
-    BuildFlags: onlybuild:ipcalc
+    BuildFlags: excludebuild:frr-k8s
-    BuildFlags: onlybuild:ironic-image
+    BuildFlags: excludebuild:frr-k8s-image
-    BuildFlags: onlybuild:ironic-ipa-downloader-image
+    
-    BuildFlags: onlybuild:ironic-ipa-ramdisk
+    # Upgrade controller
-    BuildFlags: onlybuild:kubectl
+    BuildFlags: excludebuild:release-manifest-image
-    BuildFlags: onlybuild:kubectl-image
+    BuildFlags: excludebuild:upgrade-controller
-    BuildFlags: onlybuild:kube-rbac-proxy
+    BuildFlags: excludebuild:upgrade-controller-image 
    BuildFlags: onlybuild:kube-rbac-proxy-image
    BuildFlags: onlybuild:metallb
    BuildFlags: onlybuild:metallb-controller-image
    BuildFlags: onlybuild:metallb-speaker-image
    BuildFlags: onlybuild:nm-configurator
    BuildFlags: onlybuild:shim-noarch
  %endif
 %endif
 %if "%_repository" == "images" || "%_repository" == "test_manifest_images"
    Prefer: container:sles15-image
    Type: docker
    Repotype: none
    Patterntype: none
    BuildEngine: podman
-    Prefer: sles-release
+    Prefer: SLES-release
-    BuildFlags: dockerarg:SLE_VERSION=15.7
+    BuildFlags: dockerarg:SLE_VERSION=16.0
    # Publish multi-arch container images only once all archs have been built
    PublishFlags: archsync
@@ -130,45 +100,6 @@ BuildFlags: onlybuild:release-manifest-image
 %endif
 %if "%_repository" == "images_16.0"
    Prefer: container:sles15-image
    Type: docker
    BuildEngine: podman
    Repotype: none
    Patterntype: none
    BuildFlags: dockerarg:SLE_VERSION=16.0
    BuildFlags: onlybuild:kiwi-builder-image
    Substitute: system-packages:podman podman buildah createrepo_c release-compare skopeo umoci
    # Publish multi-arch container images only once all archs have been built
    PublishFlags: archsync
    # Exclude the images selected by the aarch64 section
    %ifarch aarch64
      BuildFlags: excludebuild:baremetal-operator-image
      BuildFlags: excludebuild:edge-image-builder-image
      BuildFlags: excludebuild:endpoint-copier-operator-image
      BuildFlags: excludebuild:ironic-image
      BuildFlags: excludebuild:ironic-ipa-downloader-image
      BuildFlags: excludebuild:kubectl-image
      BuildFlags: excludebuild:kube-rbac-proxy-image
      BuildFlags: excludebuild:metallb-controller-image
      BuildFlags: excludebuild:metallb-speaker-image
    %endif
 %else
    %if "%{sub %{reverse %_project} 1 7}" != "%{reverse :ToTest}" && "%{sub %{reverse %_project} 1 9}" != "%{reverse :Snapshot}"
      BuildFlags: excludebuild:kiwi-builder-image
    %else
      %ifarch aarch64
        BuildFlags: onlybuild:kiwi-builder-image
      %endif
    %endif
 %endif
 %if "%_repository" == "charts" || "%_repository" == "phantomcharts" || "%_repository" == "releasecharts"
    Type: helm
    Repotype: helm
@@ -185,12 +116,16 @@ BuildFlags: onlybuild:release-manifest-image
    # ironic-ipa-ramdisk are noarch packages that need to be availble to both archs
    ExportFilter: ^ironic-ipa-ramdisk-.*\.noarch\.rpm$ aarch64 x86_64
    ExportFilter: ^grub2-.*-efi-.*\.noarch\.rpm$ aarch64 x86_64
 %endif
 %if "%_repository" != "standard"
    BuildFlags: excludebuild:grub-aggregate 
 %endif
 # Enable reproducible builds
 # https://en.opensuse.org/openSUSE:Reproducible_Builds\#With_OBS
 Macros:
-%source_date_epoch_from_changelog Y
+%source_date_epoch_from_changelog N
 %clamp_mtime_to_source_date_epoch Y
 %use_source_date_epoch_as_buildtime Y
 %_buildhost reproducible
--- a/18
+++ b/18
@@ -34,20 +34,15 @@
    <arch>x86_64</arch>
  </repository>
 {%- endif %}
-{%- for repository in ["images", "images_16.0", "test_manifest_images"] %}
+{%- for repository in ["images", "test_manifest_images"] %}
  <repository name="{{ repository }}">
    {%- if release_project is defined and repository != "test_manifest_images" %}
    <releasetarget project="{{ release_project }}" repository="images" trigger="manual"/>
    {%- endif %}
    <path project="SUSE:Registry" repository="standard"/>
-    {%- if repository == "images_16.0" %}
+    <path project="{{ ironic_base }}:Factory" repository="16.0"/>
-      <path project="SUSE:CA" repository="16.0"/>
+    <path project="SUSE:CA" repository="openSUSE_Tumbleweed"/>
-      <path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
+    <path project="{{ project }}" repository="standard"/>
      <path project="SUSE:SLFO:Main:Build" repository="standard"/>
    {%- else %}
      <path project="SUSE:CA" repository="SLE_15_SP7"/>
      <path project="{{ project }}" repository="standard"/>
    {%- endif %}
    <arch>x86_64</arch>
    <arch>aarch64</arch>
  </repository>
@@ -56,8 +51,9 @@
    {%- if release_project is defined and not for_release %}
    <releasetarget project="{{ release_project }}" repository="standard" trigger="manual"/>
    {%- endif %}
-    <path project="{{ ironic_base }}:2025.1" repository="15.7"/>
+    <path project="{{ ironic_base }}:Factory" repository="16.0"/>
-    <path project="SUSE:SLE-15-SP7:Update" repository="standard"/>
+    <path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
    <path project="SUSE:SLFO:1.2" repository="standard"/>
    <arch>x86_64</arch>
    <arch>aarch64</arch>
  </repository>
--- a/akri-dashboard-extension-chart/Chart.yaml
+++ b/akri-dashboard-extension-chart/Chart.yaml
@@ -1,5 +1,5 @@
-#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.3_up1.3.1
+#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.2
-#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.3_up1.3.1-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.2-%RELEASE%
 annotations:
  catalog.cattle.io/certified: rancher
  catalog.cattle.io/namespace: cattle-ui-plugin-system
@@ -12,10 +12,10 @@ annotations:
  catalog.cattle.io/ui-extensions-version: '>= 3.0.2 < 4.0.0'
  catalog.cattle.io/kube-version: '>= v1.26.0-0'
 apiVersion: v2
-appVersion: 304.0.3+up1.3.1
+appVersion: 1.3.2
 description: 'SUSE Edge: Akri extension for Rancher Dashboard'
 name: akri-dashboard-extension
 type: application
-version: "%%CHART_MAJOR%%.0.3+up1.3.1"
+version: "%%CHART_MAJOR%%.0.4+up1.3.2"
 icon: >-
  https://raw.githubusercontent.com/cncf/artwork/main/projects/akri/icon/color/akri-icon-color.svg
--- a/akri-dashboard-extension-chart/templates/cr.yaml
+++ b/akri-dashboard-extension-chart/templates/cr.yaml
@@ -8,7 +8,7 @@ spec:
  plugin:
    name: {{ include "extension-server.fullname" . }}
    version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
-    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/304.0.3+up1.3.1
+    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/1.3.2
    noCache: {{ .Values.plugin.noCache }}
    noAuth: {{ .Values.plugin.noAuth }}
    metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}
--- a/1
+++ b/1
--- a/baremetal-operator-image/Dockerfile
+++ b/baremetal-operator-image/Dockerfile
@@ -1,12 +1,12 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.1
+#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.0
-#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.1-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.0-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
-RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator inotify-tools procps iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*
+RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator python3-watchdog procps iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*
 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers
--- a/baremetal-operator-image/bmo-run
+++ b/baremetal-operator-image/bmo-run
@@ -3,10 +3,11 @@ export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPD
 export IRONIC_CACERT_FILE=${IRONIC_CACERT_FILE:-"/opt/metal3/certs/ca/tls.crt"}
 if [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
-    # shellcheck disable=SC2034
+     watchmedo shell-command \
-    inotifywait -m -e delete_self "${IRONIC_CACERT_FILE}" | while read -r file event; do
+            --patterns="$(basename "${IRONIC_CACERT_FILE}")" \
-        kill $(pgrep baremetal-opera)
+            --ignore-directories \
-    done &
+            --command='if [[ "${watch_event_type}" == "deleted" ]]; then pkill -TERM baremetal-opera; fi' \
            "$(dirname "${IRONIC_CACERT_FILE}")" &
 fi
 exec /usr/bin/baremetal-operator $@
--- a/baremetal-operator/0001-Enable-exhaustive-linter.patch
+++ b/baremetal-operator/0001-Enable-exhaustive-linter.patch
@@ -1,163 +0,0 @@
 From f8c1ba1696fd8555e8e94246ec5afa38536fa8bd Mon Sep 17 00:00:00 2001
 From: erjavaskivuori <erja.vaskivuori@est.tech>
 Date: Thu, 5 Jun 2025 09:49:47 +0000
 Subject: [PATCH 1/5] Enable exhaustive linter
 Enable exhaustive linter to check exhaustiveness of switch statements of enum-like
 constants.
 Signed-off-by: erjavaskivuori <erja.vaskivuori@est.tech>
 (cherry picked from commit a5a81b8717c9e6642ae626ea97933e3615fe11c0)
 ---
 .golangci.yaml                                |  4 ++-
 .../metal3.io/v1alpha1/baremetalhost_types.go |  1 +
 .../metal3.io/baremetalhost_controller.go     |  2 ++
 .../metal3.io/host_state_machine.go           |  4 +++
 pkg/provisioner/ironic/ironic.go              | 26 +++++++++----------
 5 files changed, 22 insertions(+), 15 deletions(-)
 diff --git a/.golangci.yaml b/.golangci.yaml
 index 58e54b31..c758b93c 100644
 --- a/.golangci.yaml
 +++ b/.golangci.yaml
@@ -21,7 +21,7 @@ linters:
   - errchkjson
   #- errname
   #- errorlint
 -  #- exhaustive
 +  - exhaustive
   - exptostd
   - fatcontext
   #- forbidigo
@@ -78,6 +78,8 @@ linters:
   # Run with --fast=false for more extensive checks
   fast: true
 linters-settings:
 +  exhaustive:
 +    default-signifies-exhaustive: true
   gosec:
     severity: medium
     confidence: medium
 diff --git a/apis/metal3.io/v1alpha1/baremetalhost_types.go b/apis/metal3.io/v1alpha1/baremetalhost_types.go
 index ba1b4333..426a7a89 100644
 --- a/apis/metal3.io/v1alpha1/baremetalhost_types.go
 +++ b/apis/metal3.io/v1alpha1/baremetalhost_types.go
@@ -1113,6 +1113,7 @@ func (host *BareMetalHost) OperationMetricForState(operation ProvisioningState)
 		metric = &history.Provision
 	case StateDeprovisioning:
 		metric = &history.Deprovision
 +	default:
 	}
 	return
 }
 diff --git a/internal/controller/metal3.io/baremetalhost_controller.go b/internal/controller/metal3.io/baremetalhost_controller.go
 index 33310bf7..1998627e 100644
 --- a/internal/controller/metal3.io/baremetalhost_controller.go
 +++ b/internal/controller/metal3.io/baremetalhost_controller.go
@@ -586,6 +586,7 @@ func getCurrentImage(host *metal3api.BareMetalHost) *metal3api.Image {
 		if host.Spec.Image != nil && host.Spec.Image.URL != "" {
 			return host.Spec.Image.DeepCopy()
 		}
 +	default:
 	}
 	return nil
 }
@@ -816,6 +817,7 @@ func (r *BareMetalHostReconciler) registerHost(prov provisioner.Provisioner, inf
 		if info.host.Spec.AutomatedCleaningMode == metal3api.CleaningModeDisabled {
 			preprovImgFormats = nil
 		}
 +	default:
 	}
 	preprovImg, err := r.getPreprovImage(info, preprovImgFormats)
 diff --git a/internal/controller/metal3.io/host_state_machine.go b/internal/controller/metal3.io/host_state_machine.go
 index 8b382553..6d88591b 100644
 --- a/internal/controller/metal3.io/host_state_machine.go
 +++ b/internal/controller/metal3.io/host_state_machine.go
@@ -107,6 +107,7 @@ func (hsm *hostStateMachine) updateHostStateFrom(initialState metal3api.Provisio
 			if actionRes := hsm.ensureCapacity(info, hsm.NextState); actionRes != nil {
 				return actionRes
 			}
 +		default:
 		}
 		info.log.Info("changing provisioning state",
@@ -137,6 +138,7 @@ func (hsm *hostStateMachine) updateHostStateFrom(initialState metal3api.Provisio
 				info.log.Info("saving boot mode",
 					"new mode", hsm.Host.Status.Provisioning.BootMode)
 			}
 +		default:
 		}
 	}
@@ -163,6 +165,7 @@ func (hsm *hostStateMachine) checkDelayedHost(info *reconcileInfo) actionResult
 		if actionRes := hsm.ensureCapacity(info, info.host.Status.Provisioning.State); actionRes != nil {
 			return actionRes
 		}
 +	default:
 	}
 	return nil
@@ -299,6 +302,7 @@ func (hsm *hostStateMachine) checkDetachedHost(info *reconcileInfo) (result acti
 		switch info.host.Status.Provisioning.State {
 		case metal3api.StateProvisioned, metal3api.StateExternallyProvisioned, metal3api.StateReady, metal3api.StateAvailable:
 			return hsm.Reconciler.detachHost(hsm.Provisioner, info)
 +		default:
 		}
 	}
 	if info.host.Status.ErrorType == metal3api.DetachError {
 diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
 index 9a4b4589..4c4923ad 100644
 --- a/pkg/provisioner/ironic/ironic.go
 +++ b/pkg/provisioner/ironic/ironic.go
@@ -335,21 +335,17 @@ func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessDat
 		return result, err
 	}
 +	if data.State == metal3api.StateProvisioning && data.CurrentImage.IsLiveISO() {
 +		// Live ISO doesn't need pre-provisioning image
 +		return result, nil
 +	}
 +
 +	if data.State == metal3api.StateDeprovisioning && data.AutomatedCleaningMode == metal3api.CleaningModeDisabled {
 +		// No need for pre-provisioning image if cleaning disabled
 +		return result, nil
 +	}
 +
 	switch data.State {
 -	case metal3api.StateProvisioning,
 -		metal3api.StateDeprovisioning:
 -		if data.State == metal3api.StateProvisioning {
 -			if data.CurrentImage.IsLiveISO() {
 -				// Live ISO doesn't need pre-provisioning image
 -				return result, nil
 -			}
 -		} else {
 -			if data.AutomatedCleaningMode == metal3api.CleaningModeDisabled {
 -				// No need for pre-provisioning image if cleaning disabled
 -				return result, nil
 -			}
 -		}
 -		fallthrough
 	case metal3api.StateInspecting,
 		metal3api.StatePreparing:
 		if deployImageInfo == nil {
@@ -360,6 +356,7 @@ func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessDat
 			}
 			return result, err
 		}
 +	default:
 	}
 	return result, nil
@@ -1724,6 +1721,7 @@ func (p *ironicProvisioner) loadBusyHosts() (hosts map[string]struct{}, err erro
 			if !strings.Contains(node.BootInterface, "virtual-media") {
 				hosts[node.Name] = struct{}{}
 			}
 +		default:
 		}
 	}
 -- 
 2.50.1
--- a/baremetal-operator/0002-Stop-requiring-DEPLOY_KERNEL-RAMDISK.patch
+++ b/baremetal-operator/0002-Stop-requiring-DEPLOY_KERNEL-RAMDISK.patch
@@ -1,91 +0,0 @@
 From 509ba92a8ed7303a418c5277f7544db2765c3802 Mon Sep 17 00:00:00 2001
 From: Dmitry Tantsur <dtantsur@protonmail.com>
 Date: Wed, 2 Jul 2025 17:33:46 +0200
 Subject: [PATCH 2/5] Stop requiring DEPLOY_KERNEL/RAMDISK
 Ironic has global configuration that allows specifying them, even
 depending on the architecture. Our ironic-image supports that when
 IPA downloader is used (and should start supporting explicit variables
 too).
 Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
 (cherry picked from commit 0f1ef6cbeb8815f19d853ba5eab1e70c7d85e2ec)
 ---
 pkg/provisioner/ironic/factory.go      |  6 ++----
 pkg/provisioner/ironic/factory_test.go |  9 ++-------
 pkg/provisioner/ironic/ironic.go       | 10 +++-------
 3 files changed, 7 insertions(+), 18 deletions(-)
 diff --git a/pkg/provisioner/ironic/factory.go b/pkg/provisioner/ironic/factory.go
 index 19571eb0..15f636b3 100644
 --- a/pkg/provisioner/ironic/factory.go
 +++ b/pkg/provisioner/ironic/factory.go
@@ -114,10 +114,8 @@ func loadConfigFromEnv(havePreprovImgBuilder bool) (ironicConfig, error) {
 	c.deployRamdiskURL = os.Getenv("DEPLOY_RAMDISK_URL")
 	c.deployISOURL = os.Getenv("DEPLOY_ISO_URL")
 	if !havePreprovImgBuilder {
 -		if c.deployISOURL == "" &&
 -			(c.deployKernelURL == "" || c.deployRamdiskURL == "") {
 -			return c, errors.New("either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set")
 -		}
 +		// NOTE(dtantsur): with a PreprovisioningImage controller, it makes sense to set only the kernel.
 +		// Without it, either both or neither must be set.
 		if (c.deployKernelURL == "" && c.deployRamdiskURL != "") ||
 			(c.deployKernelURL != "" && c.deployRamdiskURL == "") {
 			return c, errors.New("DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together")
 diff --git a/pkg/provisioner/ironic/factory_test.go b/pkg/provisioner/ironic/factory_test.go
 index db47d8b2..0d32eccb 100644
 --- a/pkg/provisioner/ironic/factory_test.go
 +++ b/pkg/provisioner/ironic/factory_test.go
@@ -98,24 +98,19 @@ func TestLoadConfigFromEnv(t *testing.T) {
 				ramdiskURL: "http://ramdisk",
 			},
 		},
 -		{
 -			name:          "no deploy info",
 -			env:           EnvFixture{},
 -			expectedError: "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
 -		},
 		{
 			name: "only kernel",
 			env: EnvFixture{
 				kernelURL: "http://kernel",
 			},
 -			expectedError: "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
 +			expectedError: "DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together",
 		},
 		{
 			name: "only ramdisk",
 			env: EnvFixture{
 				ramdiskURL: "http://ramdisk",
 			},
 -			expectedError:         "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
 +			expectedError:         "DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together",
 			expectedImgBuildError: "DEPLOY_RAMDISK_URL requires DEPLOY_KERNEL_URL to be set also",
 		},
 		{
 diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
 index 4c4923ad..48db865a 100644
 --- a/pkg/provisioner/ironic/ironic.go
 +++ b/pkg/provisioner/ironic/ironic.go
@@ -348,14 +348,10 @@ func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessDat
 	switch data.State {
 	case metal3api.StateInspecting,
 		metal3api.StatePreparing:
 -		if deployImageInfo == nil {
 -			if p.config.havePreprovImgBuilder {
 -				result, err = transientError(provisioner.ErrNeedsPreprovisioningImage)
 -			} else {
 -				result, err = operationFailed("no preprovisioning image available")
 -			}
 -			return result, err
 +		if deployImageInfo == nil && p.config.havePreprovImgBuilder {
 +			result, err = transientError(provisioner.ErrNeedsPreprovisioningImage)
 		}
 +		return result, err
 	default:
 	}
 -- 
 2.50.1
--- a/baremetal-operator/0003-Remove-DEPLOY_KERNEL_URL-from-deployment-scripts-for.patch
+++ b/baremetal-operator/0003-Remove-DEPLOY_KERNEL_URL-from-deployment-scripts-for.patch
@@ -1,49 +0,0 @@
 From ea10df866f0fc491cac15ba5005f3b820e1ccecb Mon Sep 17 00:00:00 2001
 From: Dmitry Tantsur <dtantsur@protonmail.com>
 Date: Wed, 2 Jul 2025 17:55:48 +0200
 Subject: [PATCH 3/5] Remove DEPLOY_KERNEL_URL from deployment scripts for main
 Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
 (cherry picked from commit ddcf3d915819b6344f79fbcec3e28250b217a597)
 ---
 config/default/ironic.env      | 2 --
 config/overlays/e2e/ironic.env | 2 --
 config/render/capm3.yaml       | 2 --
 3 files changed, 6 deletions(-)
 diff --git a/config/default/ironic.env b/config/default/ironic.env
 index e72cb3c3..3fe36d25 100644
 --- a/config/default/ironic.env
 +++ b/config/default/ironic.env
@@ -1,7 +1,5 @@
 HTTP_PORT=6180
 PROVISIONING_INTERFACE=eth2
 DHCP_RANGE=172.22.0.10,172.22.0.100
 -DEPLOY_KERNEL_URL=http://172.22.0.2:6180/images/ironic-python-agent.kernel
 -DEPLOY_RAMDISK_URL=http://172.22.0.2:6180/images/ironic-python-agent.initramfs
 IRONIC_ENDPOINT=http://172.22.0.2:6385/v1/
 CACHEURL=http://172.22.0.1/images
 diff --git a/config/overlays/e2e/ironic.env b/config/overlays/e2e/ironic.env
 index 44147ae0..6f200720 100644
 --- a/config/overlays/e2e/ironic.env
 +++ b/config/overlays/e2e/ironic.env
@@ -1,3 +1 @@
 -DEPLOY_KERNEL_URL=http://192.168.222.1:6180/images/ironic-python-agent.kernel
 -DEPLOY_RAMDISK_URL=http://192.168.222.1:6180/images/ironic-python-agent.initramfs
 IRONIC_ENDPOINT=https://192.168.222.1:6385/v1/
 diff --git a/config/render/capm3.yaml b/config/render/capm3.yaml
 index 42283193..7568288f 100644
 --- a/config/render/capm3.yaml
 +++ b/config/render/capm3.yaml
@@ -2510,8 +2510,6 @@ subjects:
 apiVersion: v1
 data:
   CACHEURL: http://172.22.0.1/images
 -  DEPLOY_KERNEL_URL: http://172.22.0.2:6180/images/ironic-python-agent.kernel
 -  DEPLOY_RAMDISK_URL: http://172.22.0.2:6180/images/ironic-python-agent.initramfs
   DHCP_RANGE: 172.22.0.10,172.22.0.100
   HTTP_PORT: "6180"
   IRONIC_ENDPOINT: http://172.22.0.2:6385/v1/
 -- 
 2.50.1
--- a/baremetal-operator/0004-Refactor-setting-various-Ironic-properties.patch
+++ b/baremetal-operator/0004-Refactor-setting-various-Ironic-properties.patch
@@ -1,422 +0,0 @@
 From b2e8a1a42c95a3338c9c83a4781ba4744da5ff6a Mon Sep 17 00:00:00 2001
 From: Dmitry Tantsur <dtantsur@protonmail.com>
 Date: Tue, 24 Jun 2025 18:53:42 +0200
 Subject: [PATCH 4/5] Refactor setting various Ironic properties
 Currently, Ironic instance_info and properties fields are populated at
 random either in most states or before deployment. While potentially
 convenient, it makes it very hard to reason about the code.
 Now, the logic is split into two parts:
 1. configureNode (renamed from configureImages) writes fields that are
   considered properties of the node itself: CPU architecture, deploy
   images, capabilities, etc.
 2. getInstanceUpdateOpts (merge of getImageUpdateOptsForNode and
   getUpdateOptsForNode) writes fields that are required for deployment
   and thus are properties of instance. This includes images, checksums,
   runtime capabilities. As an exception, root device hints fall under
   this category and thus are now set in instance_info, not properties.
 Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
 (cherry picked from commit 0c70cba38c926c474f4fa129a7e99ef9827d6ce9)
 ---
 .../metal3.io/baremetalhost_controller.go     |  2 +-
 pkg/provisioner/ironic/ironic.go              | 49 +++++-------
 pkg/provisioner/ironic/provision_test.go      | 27 +++----
 pkg/provisioner/ironic/register.go            |  3 +-
 pkg/provisioner/ironic/register_test.go       | 78 +------------------
 pkg/provisioner/provisioner.go                |  2 +-
 6 files changed, 40 insertions(+), 121 deletions(-)
 diff --git a/internal/controller/metal3.io/baremetalhost_controller.go b/internal/controller/metal3.io/baremetalhost_controller.go
 index 1998627e..0d0c9562 100644
 --- a/internal/controller/metal3.io/baremetalhost_controller.go
 +++ b/internal/controller/metal3.io/baremetalhost_controller.go
@@ -848,6 +848,7 @@ func (r *BareMetalHostReconciler) registerHost(prov provisioner.Provisioner, inf
 			PreprovisioningNetworkData: preprovisioningNetworkData,
 			HasCustomDeploy:            hasCustomDeploy(info.host),
 			DisablePowerOff:            info.host.Spec.DisablePowerOff,
 +			CPUArchitecture:            getHostArchitecture(info.host),
 		},
 		credsChanged,
 		info.host.Status.ErrorType == metal3api.RegistrationError)
@@ -1271,7 +1272,6 @@ func (r *BareMetalHostReconciler) actionProvisioning(prov provisioner.Provisione
 		BootMode:        info.host.Status.Provisioning.BootMode,
 		HardwareProfile: hwProf,
 		RootDeviceHints: info.host.Status.Provisioning.RootDeviceHints.DeepCopy(),
 -		CPUArchitecture: getHostArchitecture(info.host),
 	}, forceReboot)
 	if err != nil {
 		return actionError{errors.Wrap(err, "failed to provision")}
 diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
 index 48db865a..b8e6d72b 100644
 --- a/pkg/provisioner/ironic/ironic.go
 +++ b/pkg/provisioner/ironic/ironic.go
@@ -311,20 +311,24 @@ func (p *ironicProvisioner) createPXEEnabledNodePort(uuid, macAddress string) er
 	return nil
 }
 -func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
 +func (p *ironicProvisioner) configureNode(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
 	updater := clients.UpdateOptsBuilder(p.log)
 	deployImageInfo := setDeployImage(p.config, bmcAccess, data.PreprovisioningImage)
 	updater.SetDriverInfoOpts(deployImageInfo, ironicNode)
 -	// NOTE(dtantsur): It is risky to update image information for active nodes since it may affect the ability to clean up.
 -	if (data.CurrentImage != nil || data.HasCustomDeploy) && ironicNode.ProvisionState != string(nodes.Active) {
 -		p.getImageUpdateOptsForNode(ironicNode, data.CurrentImage, data.BootMode, data.HasCustomDeploy, updater)
 -	}
 	updater.SetTopLevelOpt("automated_clean",
 		data.AutomatedCleaningMode != metal3api.CleaningModeDisabled,
 		ironicNode.AutomatedClean)
 +	opts := clients.UpdateOptsData{
 +		"capabilities": buildCapabilitiesValue(ironicNode, data.BootMode),
 +	}
 +	if data.CPUArchitecture != "" {
 +		opts["cpu_arch"] = data.CPUArchitecture
 +	}
 +	updater.SetPropertiesOpts(opts, ironicNode)
 +
 	_, success, result, err := p.tryUpdateNode(ironicNode, updater)
 	if !success {
 		return result, err
@@ -656,40 +660,29 @@ func (p *ironicProvisioner) setCustomDeployUpdateOptsForNode(ironicNode *nodes.N
 		SetTopLevelOpt("deploy_interface", "custom-agent", ironicNode.DeployInterface)
 }
 -func (p *ironicProvisioner) getImageUpdateOptsForNode(ironicNode *nodes.Node, imageData *metal3api.Image, bootMode metal3api.BootMode, hasCustomDeploy bool, updater *clients.NodeUpdater) {
 +func (p *ironicProvisioner) getInstanceUpdateOpts(ironicNode *nodes.Node, data provisioner.ProvisionData) *clients.NodeUpdater {
 +	updater := clients.UpdateOptsBuilder(p.log)
 +
 +	hasCustomDeploy := data.CustomDeploy != nil && data.CustomDeploy.Method != ""
 +
 	// instance_uuid
 	updater.SetTopLevelOpt("instance_uuid", string(p.objectMeta.UID), ironicNode.InstanceUUID)
 	updater.SetInstanceInfoOpts(clients.UpdateOptsData{
 -		"capabilities": buildInstanceInfoCapabilities(bootMode),
 +		"capabilities": buildInstanceInfoCapabilities(data.BootMode),
 +		"root_device":  devicehints.MakeHintMap(data.RootDeviceHints),
 	}, ironicNode)
 	if hasCustomDeploy {
 		// Custom deploy process
 -		p.setCustomDeployUpdateOptsForNode(ironicNode, imageData, updater)
 -	} else if imageData.IsLiveISO() {
 +		p.setCustomDeployUpdateOptsForNode(ironicNode, &data.Image, updater)
 +	} else if data.Image.IsLiveISO() {
 		// Set live-iso format options
 -		p.setLiveIsoUpdateOptsForNode(ironicNode, imageData, updater)
 +		p.setLiveIsoUpdateOptsForNode(ironicNode, &data.Image, updater)
 	} else {
 		// Set deploy_interface direct options when not booting a live-iso
 -		p.setDirectDeployUpdateOptsForNode(ironicNode, imageData, updater)
 +		p.setDirectDeployUpdateOptsForNode(ironicNode, &data.Image, updater)
 	}
 -}
 -
 -func (p *ironicProvisioner) getUpdateOptsForNode(ironicNode *nodes.Node, data provisioner.ProvisionData) *clients.NodeUpdater {
 -	updater := clients.UpdateOptsBuilder(p.log)
 -
 -	hasCustomDeploy := data.CustomDeploy != nil && data.CustomDeploy.Method != ""
 -	p.getImageUpdateOptsForNode(ironicNode, &data.Image, data.BootMode, hasCustomDeploy, updater)
 -
 -	opts := clients.UpdateOptsData{
 -		"root_device":  devicehints.MakeHintMap(data.RootDeviceHints),
 -		"capabilities": buildCapabilitiesValue(ironicNode, data.BootMode),
 -	}
 -	if data.CPUArchitecture != "" {
 -		opts["cpu_arch"] = data.CPUArchitecture
 -	}
 -	updater.SetPropertiesOpts(opts, ironicNode)
 	return updater
 }
@@ -792,7 +785,7 @@ func (p *ironicProvisioner) setUpForProvisioning(ironicNode *nodes.Node, data pr
 	p.log.Info("starting provisioning", "node properties", ironicNode.Properties)
 	ironicNode, success, result, err := p.tryUpdateNode(ironicNode,
 -		p.getUpdateOptsForNode(ironicNode, data))
 +		p.getInstanceUpdateOpts(ironicNode, data))
 	if !success {
 		return result, err
 	}
 diff --git a/pkg/provisioner/ironic/provision_test.go b/pkg/provisioner/ironic/provision_test.go
 index 72ee57b7..40c714e9 100644
 --- a/pkg/provisioner/ironic/provision_test.go
 +++ b/pkg/provisioner/ironic/provision_test.go
@@ -713,7 +713,7 @@ func TestGetUpdateOptsForNodeWithRootHints(t *testing.T) {
 		BootMode:        metal3api.DefaultBootMode,
 		RootDeviceHints: host.Status.Provisioning.RootDeviceHints,
 	}
 -	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
 +	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
 	t.Logf("patches: %v", patches)
@@ -723,7 +723,7 @@ func TestGetUpdateOptsForNodeWithRootHints(t *testing.T) {
 		Value interface{}       // the value being passed to ironic (or value associated with the key)
 	}{
 		{
 -			Path:  "/properties/root_device",
 +			Path:  "/instance_info/root_device",
 			Value: "userdefined_devicename",
 			Map: map[string]string{
 				"name":                 "s== userd_devicename",
@@ -807,7 +807,7 @@ func TestGetUpdateOptsForNodeVirtual(t *testing.T) {
 		BootMode:        metal3api.DefaultBootMode,
 		HardwareProfile: hwProf,
 	}
 -	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
 +	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
 	t.Logf("patches: %v", patches)
@@ -903,9 +903,8 @@ func TestGetUpdateOptsForNodeDell(t *testing.T) {
 		Image:           *host.Spec.Image,
 		BootMode:        metal3api.DefaultBootMode,
 		HardwareProfile: hwProf,
 -		CPUArchitecture: "x86_64",
 	}
 -	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
 +	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
 	t.Logf("patches: %v", patches)
@@ -930,10 +929,6 @@ func TestGetUpdateOptsForNodeDell(t *testing.T) {
 			Path:  "/instance_uuid",
 			Value: "27720611-e5d1-45d3-ba3a-222dcfaa4ca2",
 		},
 -		{
 -			Path:  "/properties/cpu_arch",
 -			Value: "x86_64",
 -		},
 	}
 	for _, e := range expected {
@@ -971,7 +966,7 @@ func TestGetUpdateOptsForNodeLiveIso(t *testing.T) {
 		Image:    *host.Spec.Image,
 		BootMode: metal3api.DefaultBootMode,
 	}
 -	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
 +	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
 	t.Logf("patches: %v", patches)
@@ -1038,7 +1033,7 @@ func TestGetUpdateOptsForNodeImageToLiveIso(t *testing.T) {
 		Image:    *host.Spec.Image,
 		BootMode: metal3api.DefaultBootMode,
 	}
 -	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
 +	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
 	t.Logf("patches: %v", patches)
@@ -1116,7 +1111,7 @@ func TestGetUpdateOptsForNodeLiveIsoToImage(t *testing.T) {
 		Image:    *host.Spec.Image,
 		BootMode: metal3api.DefaultBootMode,
 	}
 -	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
 +	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
 	t.Logf("patches: %v", patches)
@@ -1188,7 +1183,7 @@ func TestGetUpdateOptsForNodeCustomDeploy(t *testing.T) {
 		BootMode:     metal3api.DefaultBootMode,
 		CustomDeploy: host.Spec.CustomDeploy,
 	}
 -	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
 +	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
 	t.Logf("patches: %v", patches)
@@ -1245,7 +1240,7 @@ func TestGetUpdateOptsForNodeCustomDeployWithImage(t *testing.T) {
 		BootMode:     metal3api.DefaultBootMode,
 		CustomDeploy: host.Spec.CustomDeploy,
 	}
 -	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
 +	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
 	t.Logf("patches: %v", patches)
@@ -1312,7 +1307,7 @@ func TestGetUpdateOptsForNodeImageToCustomDeploy(t *testing.T) {
 		BootMode:     metal3api.DefaultBootMode,
 		CustomDeploy: host.Spec.CustomDeploy,
 	}
 -	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
 +	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
 	t.Logf("patches: %v", patches)
@@ -1405,7 +1400,7 @@ func TestGetUpdateOptsForNodeSecureBoot(t *testing.T) {
 		BootMode:        metal3api.UEFISecureBoot,
 		HardwareProfile: hwProf,
 	}
 -	patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
 +	patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
 	t.Logf("patches: %v", patches)
 diff --git a/pkg/provisioner/ironic/register.go b/pkg/provisioner/ironic/register.go
 index 390e463f..9a600189 100644
 --- a/pkg/provisioner/ironic/register.go
 +++ b/pkg/provisioner/ironic/register.go
@@ -220,7 +220,7 @@ func (p *ironicProvisioner) Register(data provisioner.ManagementAccessData, cred
 		fallthrough
 	default:
 -		result, err = p.configureImages(data, ironicNode, bmcAccess)
 +		result, err = p.configureNode(data, ironicNode, bmcAccess)
 		return result, provID, err
 	}
 }
@@ -246,6 +246,7 @@ func (p *ironicProvisioner) enrollNode(data provisioner.ManagementAccessData, bm
 		DisablePowerOff:     &data.DisablePowerOff,
 		Properties: map[string]interface{}{
 			"capabilities": buildCapabilitiesValue(nil, data.BootMode),
 +			"cpu_arch":     data.CPUArchitecture,
 		},
 	}
 diff --git a/pkg/provisioner/ironic/register_test.go b/pkg/provisioner/ironic/register_test.go
 index e6c302b5..8e524dad 100644
 --- a/pkg/provisioner/ironic/register_test.go
 +++ b/pkg/provisioner/ironic/register_test.go
@@ -72,7 +72,7 @@ func TestRegisterMACOptional(t *testing.T) {
 	assert.Equal(t, "", result.ErrorMessage)
 }
 -func TestRegisterCreateNodeNoImage(t *testing.T) {
 +func TestRegisterCreateNode(t *testing.T) {
 	// Create a host without a bootMACAddress and with a BMC that
 	// does not require one.
 	host := makeHost()
@@ -146,79 +146,6 @@ func TestRegisterCreateNodeOldInspection(t *testing.T) {
 	assert.Equal(t, "inspector", createdNode.InspectInterface)
 }
 -func TestRegisterCreateWithImage(t *testing.T) {
 -	// Create a host with Image specified in the Spec
 -	host := makeHost()
 -	host.Status.Provisioning.ID = "" // so we don't lookup by uuid
 -	host.Spec.Image.URL = "theimagefoo"
 -	host.Spec.Image.Checksum = "thechecksumxyz"
 -	host.Spec.Image.ChecksumType = "auto"
 -
 -	var createdNode *nodes.Node
 -
 -	createCallback := func(node nodes.Node) {
 -		createdNode = &node
 -	}
 -
 -	ironic := testserver.NewIronic(t).WithDrivers().CreateNodes(createCallback).NoNode(host.Namespace + nameSeparator + host.Name).NoNode(host.Name)
 -	ironic.AddDefaultResponse("/v1/nodes/node-0", "PATCH", http.StatusOK, "{}")
 -	ironic.Start()
 -	defer ironic.Stop()
 -
 -	auth := clients.AuthConfig{Type: clients.NoAuth}
 -	prov, err := newProvisionerWithSettings(host, bmc.Credentials{}, nullEventPublisher, ironic.Endpoint(), auth)
 -	if err != nil {
 -		t.Fatalf("could not create provisioner: %s", err)
 -	}
 -
 -	result, provID, err := prov.Register(provisioner.ManagementAccessData{CurrentImage: host.Spec.Image.DeepCopy()}, false, false)
 -	if err != nil {
 -		t.Fatalf("error from Register: %s", err)
 -	}
 -	assert.Equal(t, "", result.ErrorMessage)
 -	assert.Equal(t, createdNode.UUID, provID)
 -	assert.Equal(t, "", createdNode.DeployInterface)
 -	updates, _ := ironic.GetLastRequestFor("/v1/nodes/node-0", http.MethodPatch)
 -	assert.Contains(t, updates, "/instance_info/image_source")
 -	assert.Contains(t, updates, host.Spec.Image.URL)
 -	assert.Contains(t, updates, "/instance_info/image_checksum")
 -	assert.Contains(t, updates, host.Spec.Image.Checksum)
 -}
 -
 -func TestRegisterCreateWithLiveIso(t *testing.T) {
 -	// Create a host with Image specified in the Spec
 -	host := makeHostLiveIso()
 -	host.Status.Provisioning.ID = "" // so we don't lookup by uuid
 -
 -	var createdNode *nodes.Node
 -
 -	createCallback := func(node nodes.Node) {
 -		createdNode = &node
 -	}
 -
 -	ironic := testserver.NewIronic(t).WithDrivers().CreateNodes(createCallback).NoNode(host.Namespace + nameSeparator + host.Name).NoNode(host.Name)
 -	ironic.AddDefaultResponse("/v1/nodes/node-0", "PATCH", http.StatusOK, "{}")
 -	ironic.Start()
 -	defer ironic.Stop()
 -
 -	auth := clients.AuthConfig{Type: clients.NoAuth}
 -	prov, err := newProvisionerWithSettings(host, bmc.Credentials{}, nullEventPublisher, ironic.Endpoint(), auth)
 -	if err != nil {
 -		t.Fatalf("could not create provisioner: %s", err)
 -	}
 -
 -	result, provID, err := prov.Register(provisioner.ManagementAccessData{CurrentImage: host.Spec.Image.DeepCopy()}, false, false)
 -	if err != nil {
 -		t.Fatalf("error from Register: %s", err)
 -	}
 -	assert.Equal(t, "", result.ErrorMessage)
 -	assert.Equal(t, createdNode.UUID, provID)
 -	assert.Equal(t, "ramdisk", createdNode.DeployInterface)
 -	updates, _ := ironic.GetLastRequestFor("/v1/nodes/node-0", http.MethodPatch)
 -	assert.Contains(t, updates, "/instance_info/boot_iso")
 -	assert.Contains(t, updates, host.Spec.Image.URL)
 -}
 -
 func TestRegisterExistingNode(t *testing.T) {
 	// Create a host without a bootMACAddress and with a BMC that
 	// does not require one.
@@ -342,6 +269,7 @@ func TestRegisterExistingNodeContinue(t *testing.T) {
 					"test_password":  "******", // ironic returns a placeholder
 					"test_port":      "42",
 				},
 +				Properties: map[string]interface{}{"capabilities": ""},
 			}).NodeUpdate(nodes.Node{
 				UUID: "uuid",
 			})
@@ -521,6 +449,7 @@ func TestRegisterExistingSteadyStateNoUpdate(t *testing.T) {
 				DeployInterface: imageType.DeployInterface,
 				InstanceInfo:    imageType.InstanceInfo,
 				DriverInfo:      imageType.DriverInfo,
 +				Properties:      map[string]interface{}{"capabilities": ""},
 			}).NodeUpdate(nodes.Node{
 				UUID: "uuid",
 			})
@@ -577,6 +506,7 @@ func TestRegisterExistingNodeWaiting(t *testing.T) {
 					"test_password":  "******", // ironic returns a placeholder
 					"test_port":      "42",
 				},
 +				Properties: map[string]interface{}{"capabilities": ""},
 			}
 			ironic := testserver.NewIronic(t).CreateNodes(createCallback).Node(node).NodeUpdate(nodes.Node{
 				UUID: "uuid",
 diff --git a/pkg/provisioner/provisioner.go b/pkg/provisioner/provisioner.go
 index faddd0fd..e2018e63 100644
 --- a/pkg/provisioner/provisioner.go
 +++ b/pkg/provisioner/provisioner.go
@@ -82,6 +82,7 @@ type ManagementAccessData struct {
 	PreprovisioningNetworkData string
 	HasCustomDeploy            bool
 	DisablePowerOff            bool
 +	CPUArchitecture            string
 }
 type AdoptData struct {
@@ -122,7 +123,6 @@ type ProvisionData struct {
 	HardwareProfile profile.Profile
 	RootDeviceHints *metal3api.RootDeviceHints
 	CustomDeploy    *metal3api.CustomDeploy
 -	CPUArchitecture string
 }
 type HTTPHeaders []map[string]string
 -- 
 2.50.1
--- a/baremetal-operator/0005-Provide-inline-docs-for-node-configuration-calls.patch
+++ b/baremetal-operator/0005-Provide-inline-docs-for-node-configuration-calls.patch
@@ -1,46 +0,0 @@
 From 5419f8d95306efed8667936156d8081c21e068ed Mon Sep 17 00:00:00 2001
 From: Dmitry Tantsur <dtantsur@protonmail.com>
 Date: Wed, 9 Jul 2025 14:02:23 +0200
 Subject: [PATCH 5/5] Provide inline docs for node configuration calls
 Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
 (cherry picked from commit 778d9342747aefc8079f1ccaa6a14f83b26f28ff)
 ---
 pkg/provisioner/ironic/ironic.go | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
 index b8e6d72b..166d929c 100644
 --- a/pkg/provisioner/ironic/ironic.go
 +++ b/pkg/provisioner/ironic/ironic.go
@@ -311,6 +311,10 @@ func (p *ironicProvisioner) createPXEEnabledNodePort(uuid, macAddress string) er
 	return nil
 }
 +// configureNode configures Node properties that are not related to any specific provisioning phase.
 +// It populates the AutomatedClean field, as well as capabilities and architecture in Properties.
 +// It also calls setDeployImage to populate IPA parameters in DriverInfo and
 +// checks if the required PreprovisioningImage is provided and ready.
 func (p *ironicProvisioner) configureNode(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
 	updater := clients.UpdateOptsBuilder(p.log)
@@ -426,6 +430,8 @@ func setExternalURL(p *ironicProvisioner, driverInfo map[string]interface{}) map
 	return driverInfo
 }
 +// setDeployImage configures the IPA ramdisk parameters in the Node's DriverInfo.
 +// It can use either the provided PreprovisioningImage or the global configuration from ironicConfig.
 func setDeployImage(config ironicConfig, accessDetails bmc.AccessDetails, hostImage *provisioner.PreprovisioningImage) clients.UpdateOptsData {
 	deployImageInfo := clients.UpdateOptsData{
 		deployKernelKey:  nil,
@@ -660,6 +666,7 @@ func (p *ironicProvisioner) setCustomDeployUpdateOptsForNode(ironicNode *nodes.N
 		SetTopLevelOpt("deploy_interface", "custom-agent", ironicNode.DeployInterface)
 }
 +// getInstanceUpdateOpts constructs InstanceInfo options required to provision a Node in Ironic.
 func (p *ironicProvisioner) getInstanceUpdateOpts(ironicNode *nodes.Node, data provisioner.ProvisionData) *clients.NodeUpdater {
 	updater := clients.UpdateOptsBuilder(p.log)
 -- 
 2.50.1
--- a/baremetal-operator/_service
+++ b/baremetal-operator/_service
@@ -2,7 +2,7 @@
 <service name="obs_scm">
    <param name="url">https://github.com/metal3-io/baremetal-operator</param>
    <param name="scm">git</param>
-    <param name="revision">v0.10.2</param>
+    <param name="revision">v0.11.2</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
--- a/baremetal-operator/baremetal-operator.spec
+++ b/baremetal-operator/baremetal-operator.spec
@@ -17,19 +17,13 @@
 Name:           baremetal-operator
-Version:        0.10.2
+Version:        0.11.2
 Release:        0
 Summary:        Implements a Kubernetes API for managing bare metal hosts
 License:        Apache-2.0
 URL:            https://github.com/metal3-io/baremetal-operator
 Source:         baremetal-operator-%{version}.tar
 Source1:        vendor.tar.gz
 # Patches related to multi-architecture support, upstream PRs #2506 #2559 #2537
 Patch0:		0001-Enable-exhaustive-linter.patch
 Patch1:		0002-Stop-requiring-DEPLOY_KERNEL-RAMDISK.patch
 Patch2:		0003-Remove-DEPLOY_KERNEL_URL-from-deployment-scripts-for.patch
 Patch3:		0004-Refactor-setting-various-Ironic-properties.patch
 Patch4:		0005-Provide-inline-docs-for-node-configuration-calls.patch
 BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390
--- a/1
+++ b/1
--- a/1
+++ b/1
--- a/2
+++ b/2
--- a/2
+++ b/2
--- a/edge-image-builder-image/Dockerfile
+++ b/edge-image-builder-image/Dockerfile
@@ -1,5 +1,5 @@
-#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.3.0-rc0
+#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.3.1
-#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.3.0-rc0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.3.1-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION
 MAINTAINER SUSE LLC (https://www.suse.com/)
@@ -7,18 +7,18 @@ MAINTAINER SUSE LLC (https://www.suse.com/)
 COPY artifacts.yaml artifacts.yaml
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
-RUN zypper --non-interactive install --no-recommends edge-image-builder qemu-x86 qemu-uefi-aarch64 cni-plugins; zypper -n clean; rm -rf /var/log/*
+RUN zypper --non-interactive install --no-recommends edge-image-builder qemu-x86 qemu-uefi-aarch64 cni-plugins pigz zstd cpio && zypper -n clean && rm -rf /var/log/*
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.application.edge-image-builder
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE edge-image-builder Container Image"
 LABEL org.opencontainers.image.description="edge-image-builder based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="1.3.0-rc0"
+LABEL org.opencontainers.image.version="1.3.1"
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%edge-image-builder:1.3.0-rc0-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%edge-image-builder:1.3.1-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -32,8 +32,7 @@ LABEL com.suse.release-stage="released"
 # and also expects the boot kernel to be a portable executable (PE), not ELF.
 RUN mkdir -p /usr/share/edk2/aarch64 && \
  cp /usr/share/qemu/aavmf-aarch64-code.bin /usr/share/edk2/aarch64/QEMU_EFI-pflash.raw && \
-  cp /usr/share/qemu/aavmf-aarch64-vars.bin /usr/share/edk2/aarch64/vars-template-pflash.raw && \
+  cp /usr/share/qemu/aavmf-aarch64-vars.bin /usr/share/edk2/aarch64/vars-template-pflash.raw
  mv /boot/vmlinux* /boot/backup-vmlinux
 ENTRYPOINT ["/usr/bin/eib"]
--- a/edge-image-builder-image/artifacts.yaml
+++ b/edge-image-builder-image/artifacts.yaml
@@ -1,7 +1,7 @@
 metallb:
  chart: metallb
  repository: "%%CHART_REPO%%/%%CHART_PREFIX%%"
-  version: "%%CHART_MAJOR%%.0.0+up0.14.9"
+  version: "%%CHART_MAJOR%%.0.1+up0.15.2"
 endpoint-copier-operator:
  chart: endpoint-copier-operator
  repository: "%%CHART_REPO%%/%%CHART_PREFIX%%"
--- a/edge-image-builder/_service
+++ b/edge-image-builder/_service
@@ -3,11 +3,11 @@
    <param name="url">https://github.com/suse-edge/edge-image-builder.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="revision">v1.3.0-rc0</param>
+    <param name="revision">v1.3.1</param>
    <!-- Uncomment and set this For Pre-Release Version -->
-    <param name="version">1.3.0~rc0</param>
+    <!-- <param name="version">1.3.1</param> -->
    <!-- Uncomment and this for regular version -->
-    <!-- <param name="versionformat">%h</param> -->
+    <param name="versionformat">@PARENT_TAG@</param>
    <param name="versionrewrite-pattern">v(\d+).(\d+).(\d+)</param>
    <param name="versionrewrite-replacement">\1.\2.\3</param>
    <param name="changesgenerate">enable</param>
--- a/edge-image-builder/edge-image-builder.spec
+++ b/edge-image-builder/edge-image-builder.spec
@@ -17,7 +17,7 @@
 Name:           edge-image-builder
-Version:        1.3.0~rc0
+Version:        1.3.1
 Release:        0
 Summary:        Edge Image Builder
 License:        Apache-2.0
@@ -52,7 +52,7 @@ Requires: ca-certificates-suse
 Tool for creating and configuring a set of images to automate the deployment of Edge environments
 %prep
-%autosetup -a1 -n edge-image-builder-%{version}
+%autosetup -a1 -n edge-image-builder-%{version} -p1
 %build
 tar -xf %{SOURCE1}
--- a/1
+++ b/1
--- a/frr-image/Dockerfile
+++ b/frr-image/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: MIT
-#!BuildTag: %%IMG_PREFIX%%frr:8.5.6
+#!BuildTag: %%IMG_PREFIX%%frr:10.2.1
-#!BuildTag: %%IMG_PREFIX%%frr:8.5.6-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%frr:10.2.1-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -14,11 +14,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="FRR Container Image"
 LABEL org.opencontainers.image.description="frr based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="8.5.6"
+LABEL org.opencontainers.image.version="10.2.1"
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%frr:8.5.6-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%frr:10.2.1-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
--- a/frr-k8s/_service
+++ b/frr-k8s/_service
@@ -2,7 +2,7 @@
 <service name="obs_scm">
    <param name="url">https://github.com/metallb/frr-k8s</param>
    <param name="scm">git</param>
-    <param name="revision">v0.0.16</param>
+    <param name="revision">v0.0.20</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
@@ -18,4 +18,4 @@
  <service name="go_modules">
  </service>
  <service mode="buildtime" name="set_version" />
-</services>
+</services>
--- a/frr-k8s/frr-k8s.spec
+++ b/frr-k8s/frr-k8s.spec
@@ -17,14 +17,14 @@
 Name:           frr-k8s
-Version:        0.0.16
+Version:        0.0.20
-Release:        0.0.16
+Release:        0.0.20
 Summary:        A kubernetes based daemonset that exposes a subset of the FRR API in a kubernetes compliant manner.
 License:        Apache-2.0
 URL:            https://github.com/metallb/frr-k8s
 Source:         frr-k8s-%{version}.tar
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
@@ -63,4 +63,4 @@ install -D -m0755 frr-k8s %{buildroot}/frr-k8s
 /frr-metrics
 /frr-k8s
-%changelog
+%changelog
--- a/grub-aggregate/_aggregate
+++ b/grub-aggregate/_aggregate
@@ -0,0 +1,7 @@
 <aggregatelist>
  <aggregate project="SUSE:SLFO:1.2" >
    <binary>grub2-x86_64-efi</binary>
    <binary>grub2-arm64-efi</binary>
    <repository target="standard" source="standard" />
  </aggregate>
 </aggregatelist>
--- a/ib-sriov-cni-image/Dockerfile
+++ b/ib-sriov-cni-image/Dockerfile
@@ -0,0 +1,33 @@
 # SPDX-License-Identifier: Apache-2.0
 #!BuildTag: %%IMG_PREFIX%%ib-sriov-cni:v%%ib-sriov-cni_version%%
 #!BuildTag: %%IMG_PREFIX%%ib-sriov-cni:v%%ib-sriov-cni_version%%-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ib-sriov-cni gawk which; \
    zypper -n clean; \
    rm -rf /var/log/*
 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.application.ib-sriov-cni
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE ib-sriov-cni Container Image"
 LABEL org.opencontainers.image.description="ib-sriov-cni based on the SLE Base Container Image."
 LABEL org.opencontainers.image.version="%%ib-sriov-cni_version%%"
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ib-sriov-cni:%%ib-sriov-cni_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"
 LABEL com.suse.release-stage="released"
 # endlabelprefix
 COPY --from=base /installroot /
 ENTRYPOINT ["/entrypoint.sh"]
--- a/ib-sriov-cni-image/_service
+++ b/ib-sriov-cni-image/_service
@@ -0,0 +1,19 @@
 <services>
  <service name="kiwi_metainfo_helper" mode="buildtime"/>
  <service name="docker_label_helper" mode="buildtime"/>
  <service name="replace_using_package_version" mode="buildtime">
    <param name="file">Dockerfile</param>
    <param name="regex">%%ib-sriov-cni_version%%</param>
    <param name="package">ib-sriov-cni</param>
    <param name="parse-version">patch</param>
  </service>
  <service name="replace_using_env" mode="buildtime">
    <param name="file">Dockerfile</param>
    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
    <param name="var">IMG_PREFIX</param>
    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
    <param name="var">IMG_REPO</param>
    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
    <param name="var">SUPPORT_LEVEL</param>
  </service>
 </services>
--- a/ib-sriov-cni/_service
+++ b/ib-sriov-cni/_service
@@ -0,0 +1,25 @@
 <services>
 <service name="obs_scm">
    <param name="url">https://github.com/k8snetworkplumbingwg/ib-sriov-cni</param>
    <param name="scm">git</param>
    <param name="revision">v1.3.0</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
    <param name="changesauthor">antonio.alarcon@suse.com</param>
    <param name="match-tag">v*</param>
    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
    <param name="without-version">yes</param>
    <param name="versionrewrite-replacement">\1</param>
  </service>
  <service mode="buildtime" name="tar">
    <param name="obsinfo">ib-sriov-cni.obsinfo</param>
  </service>
  <service name="go_modules" />
  <service mode="buildtime" name="set_version" />
  <service name="replace_using_env" mode="buildtime">
    <param name="file">ib-sriov-cni.spec</param>
    <param name="var">SOURCE_COMMIT</param>
    <param name="eval">SOURCE_COMMIT=$(grep commit ib-sriov-cni.obsinfo | cut -d" " -f2)</param>
  </service>
 </services>
--- a/ib-sriov-cni/ib-sriov-cni.spec
+++ b/ib-sriov-cni/ib-sriov-cni.spec
@@ -0,0 +1,64 @@
 #
 # spec file for package ib-sriov-cni
 #
 # Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
 # upon. The license for this file, and modifications and additions to the
 # file, is the same license as for the pristine package itself (unless the
 # license for the pristine package is not an Open Source License, in which
 # case the license is the MIT License). An "Open Source License" is a
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 Name:           ib-sriov-cni
 Version:        0
 Release:        0
 Summary:        Implements a Kubernetes CNI plugin operator for Infiniband SRIOV VFs
 License:        Apache-2.0
 URL:            https://github.com/k8snetworkplumbingwg/ib-sriov-cni
 Source:         %{name}-%{version}.tar
 Source1:        vendor.tar.gz
 BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 %description
 Network Interface Cards (NICs) with SR-IOV capabilities are managed through physical functions (PFs) and virtual functions (VFs).
 A PF is used by the host and usually represents a single NIC port. VF configurations are applied through the PF.
 The SR-IOV CNI allows each VF to be treated as a separate network interface, assigned to a container, and configured with its own
 MAC, VLAN, IP and more.
 Infiniband SR-IOV CNI plugin works with Infiniband SR-IOV device plugin for VF allocation in Kubernetes. A CNI metaplugin such as Multus
 gets the allocated VF's deviceID(PCI address) and is responsible for invoking the Infiniband SR-IOV CNI plugin with that deviceID.
 %prep
 %autosetup -a1 -n %{name}-%{version} -p1
 %build
 # CGO is disabled by default in upstream Makefile:
 %define cgoenabled "0"
 # go build constrain (aka tag) "no_openssl" is set by default in upstream Makefile
 %define gotags "no_openssl"
 %define buildtime %(date +%%Y-%%m-%%dT%%H:%%M:%%S%%z)
 %define buildcommit %%SOURCE_COMMIT%%
 %define buildldflags "-X main.version=%{version} -X main.commit=%{buildcommit}% -X main.date=%{buildtime}%"
 CGO_ENABLED=%{cgoenabled} go build -mod=vendor -buildmode=pie -tags %{gotags} -ldflags %{buildldflags} -o ib-sriov cmd/ib-sriov-cni/main.go
 %install
 install -D -m0755 ib-sriov %{buildroot}%{_bindir}/ib-sriov
 install -D -m0755 images/entrypoint.sh %{buildroot}/entrypoint.sh
 %files
 %license LICENSE
 %doc README.md
 %{_bindir}/ib-sriov
 /entrypoint.sh
 %changelog
--- a/1
+++ b/1
--- a/ironic-image/Dockerfile
+++ b/ironic-image/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.3
+#!BuildTag: %%IMG_PREFIX%%ironic:32.0.0.0
-#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.3-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic:32.0.0.0-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -17,13 +17,19 @@ RUN /bin/prepare-efi.sh
 COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends \
    python3-devel python3 python3-pip \
    python313-sushy \
    python3-watchdog python313-ironicclient \
    git curl sles-release tar gzip vim gawk \
    dnsmasq dosfstools apache2 ipcalc ipmitool iproute2 \
    bind-utils procps qemu-tools sqlite3 util-linux xorriso \
    tftp ipxe-bootimgs crudini \
    openstack-ironic
 #!ArchExclusiveLine: x86_64
 RUN if [ "$(uname -m)" = "x86_64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
+      zypper --installroot /installroot --non-interactive install --no-recommends syslinux  ; \
    fi
 #!ArchExclusiveLine: aarch64
 RUN if [ "$(uname -m)" = "aarch64" ];then \
      zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
    fi
 # DATABASE
@@ -41,8 +47,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opencontainers.image.version="29.0.4.3"
+LABEL org.opencontainers.image.version="29.0.4.4"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.3-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.4-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -53,8 +59,8 @@ LABEL com.suse.release-stage="released"
 COPY --from=base /installroot /
-RUN set -euo pipefail; ln -s /usr/bin/python3.11 /usr/local/bin/python3; \
+RUN set -euo pipefail; ln -s /usr/bin/python3.13 /usr/local/bin/python3; \
-    ln -s /usr/bin/pydoc3.11 /usr/local/bin/pydoc
+    ln -s /usr/bin/pydoc3.13 /usr/local/bin/pydoc
 ENV GRUB_DIR=/tftpboot/boot/grub
@@ -75,7 +81,7 @@ RUN cp /bin/ironic-readiness /bin/ironic-liveness
 COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 \
     ironic-config/ipxe_config.template ironic-config/dnsmasq.conf.j2 \
-     /tmp/
+     /templates/
 # IRONIC #
 RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe
@@ -99,8 +105,8 @@ RUN rm /etc/ironic/ironic.conf.d/010-ironic.conf
 # Custom httpd config, removes all but the bare minimum needed modules
 COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
 COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
-COPY ironic-config/apache2-vmedia.conf.j2 /tmp/httpd-vmedia.conf.j2
+COPY ironic-config/apache2-vmedia.conf.j2 /templates/httpd-vmedia.conf.j2
-COPY ironic-config/apache2-ipxe.conf.j2 /tmp/httpd-ipxe.conf.j2
+COPY ironic-config/apache2-ipxe.conf.j2 /templates/httpd-ipxe.conf.j2
 # configure non-root user and set relevant permissions
 RUN configure-nonroot.sh && rm -f /bin/configure-nonroot.sh
--- a/ironic-image/ironic-config/apache2-ipxe.conf.j2
+++ b/ironic-image/ironic-config/apache2-ipxe.conf.j2
@@ -11,26 +11,17 @@ Listen [::]:{{ env.IPXE_TLS_PORT }}
    SSLCertificateFile {{ env.IPXE_CERT_FILE }}
    SSLCertificateKeyFile {{ env.IPXE_KEY_FILE }}
    DocumentRoot "/shared/html"
    <Directory "/shared/html">
-        Order Allow,Deny
+        Options Indexes FollowSymLinks
-        Allow from all
+        Require all granted
    </Directory>
-    <Directory "/shared/html/(redfish|ilo|images)/">
+    <Directory ~ "/shared/html/(redfish|ilo|images)/">
-        Order Deny,Allow
+        Require all denied
        Deny from all
    </Directory>
    <Location ~ "^/.*">
        SSLRequireSSL
    </Location>
 </VirtualHost>
 <Location ~ "^/grub.*/">
    SSLRequireSSL
 </Location>
 <Location ~ "^/pxelinux.cfg/">
    SSLRequireSSL
 </Location>
 <Location ~ "^/.*\.conf/">
    SSLRequireSSL
 </Location>
 <Location ~ "^/(([0-9]|[a-z]).*-){4}([0-9]|[a-z]).*/">
    SSLRequireSSL
 </Location>
--- a/ironic-image/ironic-config/apache2-vmedia.conf.j2
+++ b/ironic-image/ironic-config/apache2-vmedia.conf.j2
@@ -11,18 +11,29 @@ Listen [::]:{{ env.VMEDIA_TLS_PORT }}
    SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
    SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
-    <Directory "/shared/html/">
+    {% if "IRONIC_VMEDIA_TLS_12_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_12_CIPHERS %}
-        Options Indexes FollowSymLinks
+    SSLCipherSuite {{ env.IRONIC_VMEDIA_TLS_12_CIPHERS }}
-        AllowOverride None
+    {% endif %}
-        Require all granted
+    {% if "IRONIC_VMEDIA_TLS_13_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_13_CIPHERS %}
    SSLCipherSuite TLSv1.3 {{ env.IRONIC_VMEDIA_TLS_13_CIPHERS }}
    {% endif %}
    {% if "IRONIC_VMEDIA_CURVES" in env and env.IRONIC_VMEDIA_CURVES %}
    SSLOpenSSLConfCmd Curves {{ env.IRONIC_VMEDIA_CURVES }}
    {% endif %}
    {% if env.IRONIC_VMEDIA_TLS_ENFORCE_SERVER_CIPHER_ORDER | lower == "true" %}
    SSLHonorCipherOrder on
    {% endif %}
    <Directory ~ "/shared/html">
        Require all denied
    </Directory>
    <Directory ~ "/shared/html/(redfish|ilo)/">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <Location ~ "^/.*">
        SSLRequireSSL
    </Location>
 </VirtualHost>
 <Location ~ "^/(redfish|ilo)/">
    SSLRequireSSL
 </Location>
--- a/ironic-image/ironic-config/dnsmasq.conf.j2
+++ b/ironic-image/ironic-config/dnsmasq.conf.j2
@@ -11,14 +11,8 @@ port={{ env.DNS_PORT }}
 {%- if env.DHCP_RANGE | length %}
 log-dhcp
 dhcp-range={{ env.DHCP_RANGE }}
 # It can be used when setting DNS or GW variables.
 {%- if env["GATEWAY_IP"] is undefined %}
 # Disable default router(s)
 dhcp-option=3
 {% else %}
 dhcp-option=option{% if ":" in env["GATEWAY_IP"] %}6{% endif %}:router,{{ env["GATEWAY_IP"] }}
 {% endif %}
 {%- if env["DNS_IP"] is undefined %}
 # Disable DNS over provisioning network
 dhcp-option=6
@@ -26,31 +20,31 @@ dhcp-option=6
 dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["DNS_IP"] }}
 {% endif %}
 {# Network boot options for IPv4 and IPv6 #}
 {%- if env.IPV == "4" or env.IPV is undefined %}
 # IPv4 Configuration:
 dhcp-match=ipxe,175
-# Client is already running iPXE; move to next stage of chainloading
+
-{%- if env.IPXE_TLS_SETUP == "true"  %}
+{# Set the router or disable it. Setting router is IPv4 specific, in v6 there #}
-# iPXE with (U)EFI
+{# are router advertisements that do the same thing. #}
-dhcp-boot=tag:efi,tag:ipxe,{{ env.IRONIC_HTTP_URL }}/custom-ipxe/snponly.efi
+{%- if env["GATEWAY_IP"] is undefined %}
-# iPXE with BIOS
+# Disable default router(s)
-dhcp-boot=tag:ipxe,{{ env.IRONIC_HTTP_URL }}/custom-ipxe/undionly.kpxe
+dhcp-option=3
 {% else %}
-dhcp-boot=tag:ipxe,{{ env.IRONIC_HTTP_URL }}/boot.ipxe
+dhcp-option=option:router,{{ env["GATEWAY_IP"] }}
 {% endif %}
 # Note: Need to test EFI booting
 dhcp-match=set:efi,option:client-arch,7
 dhcp-match=set:efi,option:client-arch,9
 dhcp-match=set:efi,option:client-arch,11
-# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader do the same also if iPXE ROM boots but TLS is enabled
+# Client is (i)PXE booting on EFI machine
-{%- if env.IPXE_TLS_SETUP == "true"  %}
+dhcp-boot=tag:efi,/snponly.efi,{{ env.IRONIC_IP }}
-dhcp-boot=tag:efi,tag:ipxe,snponly.efi
+# Client is running (i)PXE on BIOS machine
 dhcp-boot=tag:!efi,/undionly.kpxe,{{ env.IRONIC_IP }}
 {%- if env.IPXE_TLS_SETUP != "true" %}
 dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
 {% endif %}
 dhcp-boot=tag:efi,tag:!ipxe,snponly.efi
 # Client is running PXE over BIOS; send BIOS version of iPXE chainloader
 dhcp-boot=/undionly.kpxe,{{ env.IRONIC_IP }}
 {% endif %}
 {% if env.IPV == "6" %}
@@ -60,22 +54,12 @@ ra-param={{ env.PROVISIONING_INTERFACE }},0,0
 dhcp-vendorclass=set:pxe6,enterprise:343,PXEClient
 dhcp-userclass=set:ipxe6,iPXE
-dhcp-option=tag:pxe6,option6:bootfile-url,{{ env.IRONIC_TFTP_URL }}/snponly.efi
+# Client is (i)PXE booting on EFI machine
 dhcp-option=tag:efi,option6:bootfile-url,{{ env.IRONIC_URL_HOST }}/snponly.efi
 # Client is running (i)PXE on BIOS machine
 dhcp-option=tag:!efi,option6:bootfile-url,{{ env.IRONIC_URL_HOST }}/undionly.kpxe
 {%- if env.IPXE_TLS_SETUP != "true" %}
 dhcp-option=tag:ipxe6,option6:bootfile-url,{{ env.IRONIC_HTTP_URL }}/boot.ipxe
 # It can be used when setting DNS or GW variables.
 {%- if env["GATEWAY_IP"] is undefined %}
 # Disable default router(s)
 dhcp-option=3
 {% else %}
 dhcp-option=3,{{ env["GATEWAY_IP"] }}
 {% endif %}
 {%- if env["DNS_IP"] is undefined %}
 # Disable DNS over provisioning network
 dhcp-option=6
 {% else %}
 dhcp-option=6,{{ env["DNS_IP"] }}
 {% endif %}
 {% endif %}
 {% endif %}
--- a/ironic-image/ironic-config/httpd-ironic-api.conf.j2
+++ b/ironic-image/ironic-config/httpd-ironic-api.conf.j2
@@ -29,6 +29,20 @@ Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
 {% endif %}
 {% endif %}
    DocumentRoot "/shared/html"
    <Directory "/shared/html">
        Require all denied
    </Directory>
    <Directory "/shared/html/images">
        Require all granted
    </Directory>
    # Exclude /images from proxying
    ProxyPass        "/images" !
    ProxyPassReverse "/images" !
    {% if env.IRONIC_PRIVATE_PORT == "unix" %}
    ProxyPass "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
    ProxyPassReverse "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
@@ -51,6 +65,7 @@ Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
    SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
 {% endif %}
    <Location />
         {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
            AuthType Basic
@@ -67,4 +82,9 @@ Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
    <Location ~ "^/(v1/)?(lookup|heartbeat|continue_inspection)" >
        Require all granted
    </Location>
    <Location ~ "^/images(/.*)?$">
        Require all granted
    </Location>
 </VirtualHost>
--- a/ironic-image/ironic-config/httpd-modules.conf
+++ b/ironic-image/ironic-config/httpd-modules.conf
@@ -8,8 +8,6 @@ LoadModule authz_core_module /usr/lib64/apache2/mod_authz_core.so
 LoadModule ssl_module /usr/lib64/apache2/mod_ssl.so
 LoadModule env_module /usr/lib64/apache2/mod_env.so
 LoadModule proxy_module /usr/lib64/apache2/mod_proxy.so
 LoadModule proxy_ajp_module /usr/lib64/apache2/mod_proxy_ajp.so
 LoadModule proxy_balancer_module /usr/lib64/apache2/mod_proxy_balancer.so
 LoadModule proxy_http_module /usr/lib64/apache2/mod_proxy_http.so
 LoadModule slotmem_shm_module /usr/lib64/apache2/mod_slotmem_shm.so
 LoadModule headers_module /usr/lib64/apache2/mod_headers.so
--- a/ironic-image/ironic-config/httpd.conf.j2
+++ b/ironic-image/ironic-config/httpd.conf.j2
@@ -22,18 +22,43 @@ Group ironic-suse
 DocumentRoot "/shared/html"
 <Directory "/shared/html">
 {%- if env.IPXE_TLS_SETUP | lower == "true" %}
    Options Indexes FollowSymLinks
    Require all denied
 {%- else %}
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
 {%- endif %}
 </Directory>
-{%- if env.HTTPD_SERVE_NODE_IMAGES | lower == "true" %}
+<Directory ~ "/shared/html/(redfish|ilo)/">
 {%- if env.IRONIC_VMEDIA_TLS_SETUP | lower == "true" %}
    Require all denied
 {%- else %}
    Require all granted
 {%- endif %}
 </Directory>
 {%- set serve_img = env.HTTPD_SERVE_NODE_IMAGES | lower %}
 {%- set image_tls = env.IRONIC_TLS_SETUP | lower %}
 <Directory "/shared/html/images">
    Options Indexes FollowSymLinks
    AllowOverride None
 {%- if serve_img == "true" and image_tls != "true" %}
    Require all granted
 {%- else %}
    Require all denied
 {%- endif %}
    <FilesMatch "^ironic.*">
 {%- if env.IPXE_TLS_SETUP | lower == "true" %}
        Require all denied
 {%- else %}
        Require all granted
 {%- endif %}
    </FilesMatch>
 </Directory>
-{% endif %}
+
 <IfModule dir_module>
    DirectoryIndex index.html
@@ -70,7 +95,7 @@ AddDefaultCharset UTF-8
    MIMEMagicFile conf/magic
 </IfModule>
-PidFile /var/tmp/httpd.pid
+PidFile {{ env.IRONIC_TMP_DATA_DIR }}/httpd.pid
 # EnableSendfile directive could speed up deployments but it could also cause
 # issues depending on the underlying file system, to learn more:
--- a/ironic-image/ironic-config/ironic.conf.j2
+++ b/ironic-image/ironic-config/ironic.conf.j2
@@ -4,19 +4,19 @@ debug = true
 default_deploy_interface = direct
 default_inspect_interface = agent
 default_network_interface = noop
-enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc,ilo
+enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc
-enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media,redfish-https
+enabled_boot_interfaces = ipxe,pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,redfish-https
 enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
 enabled_firmware_interfaces = no-firmware,fake,redfish
 # NOTE(dtantsur): when changing this, make sure to update the driver
 # dependencies in Dockerfile.
-enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management,ilo,ilo5
+enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management
-enabled_inspect_interfaces = agent,irmc,fake,redfish,ilo
+enabled_inspect_interfaces = agent,irmc,fake,redfish
-enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
+enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,noop
 enabled_network_interfaces = noop
-enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo
+enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish
-enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish,ilo5
+enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish
-enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,ilo,fake
+enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,fake
 {% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
 rpc_transport = json-rpc
 {% else %}
@@ -33,7 +33,6 @@ my_ipv6 = {{ env.IRONIC_IPV6 }}
 {% endif %}
 host = {{ env.IRONIC_CONDUCTOR_HOST }}
 tempdir = {{ env.IRONIC_TMP_DATA_DIR }}
 # If a path to a certificate is defined, use that first for webserver
 {% if env.WEBSERVER_CACERT_FILE %}
@@ -48,6 +47,10 @@ isolinux_bin = /usr/share/syslinux/isolinux.bin
 # the ESP provided in [conductor]bootloader.
 grub_config_path = EFI/BOOT/grub.cfg
 # NOTE(hroyrh): updating the default temp directory to fix device cross links
 # errors when hard linking
 tempdir = /shared/tmp
 [agent]
 deploy_logs_collect = always
 deploy_logs_local_path = /shared/log/ironic/deploy
@@ -86,11 +89,6 @@ network_data_schema = /etc/ironic/network-data-schema-empty.json
 automated_clean = {{ env.IRONIC_AUTOMATED_CLEAN }}
 # NOTE(dtantsur): keep aligned with [pxe]boot_retry_timeout below.
 deploy_callback_timeout = 4800
 send_sensor_data = {{ env.SEND_SENSOR_DATA }}
 # NOTE(TheJulia): Do not lower this value below 120 seconds.
 # Power state is checked every 60 seconds and BMC activity should
 # be avoided more often than once every sixty seconds.
 send_sensor_data_interval = 160
 bootloader_by_arch = {{ env.BOOTLOADER_BY_ARCH }}
 verify_step_priority_override = management.clear_job_queue:90
 # We don't use this feature, and it creates an additional load on the database
@@ -112,6 +110,9 @@ deploy_ramdisk_by_arch = {{ env.DEPLOY_RAMDISK_BY_ARCH }}
 {% if env.DISABLE_DEEP_IMAGE_INSPECTION | lower == "true" %}
 disable_deep_image_inspection = True
 {% endif %}
 # Allowed path for file:// links: ipa-downloader uses /shared/html/images,
 # while the bootloader configuration above refers to /templates.
 file_url_allowed_paths = /shared/html/images,/templates
 [database]
 {% if env.IRONIC_USE_MARIADB | lower == "true" %}
@@ -131,6 +132,7 @@ erase_devices_priority = 0
 http_root = /shared/html/
 http_url = {% if env.VMEDIA_TLS_PORT %}{{ env.IRONIC_HTTPS_VMEDIA_URL }}{% else %}{{ env.IRONIC_HTTP_URL }}{% endif %}
 fast_track = {{ env.IRONIC_FAST_TRACK }}
 iso_master_path = /shared/html/master_iso_images
 {% if env.IRONIC_BOOT_ISO_SOURCE %}
 ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
 {% endif %}
@@ -194,6 +196,7 @@ cipher_suite_versions = 3,17
 auth_strategy = http_basic
 http_basic_auth_user_file = {{ env.IRONIC_RPC_HTPASSWD_FILE }}
 host_ip = {{ env.IRONIC_HOST_IP }}
 port = {{ env.IRONIC_JSON_RPC_PORT }}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 use_ssl = true
 cafile = {{ env.IRONIC_CACERT_FILE }}
@@ -204,6 +207,26 @@ insecure = {{ env.IRONIC_INSECURE }}
 [nova]
 send_power_notifications = false
 # Sections (oslo_messaging_notifications, sensor_data, metrics) required for sensor data collection using ironic-prometheus-exporter (IPE):
 {% if env.SEND_SENSOR_DATA | lower == "true" %}
 [oslo_messaging_notifications]
 driver = prometheus_exporter
 location = /shared/ironic_prometheus_exporter
 transport_url = fake://
 [sensor_data]
 send_sensor_data = {{ env.SEND_SENSOR_DATA }}
 # NOTE(TheJulia): Do not lower this value below 120 seconds.
 # Power state is checked every 60 seconds and BMC activity should
 # be avoided more often than once every sixty seconds.
 interval = 160
 # Additional sensor_data options can be configured via OS_ environment variables:
 # https://docs.openstack.org/ironic/latest/configuration/config.html#sensor-data
 [metrics]
 backend = collector
 {% endif %}
 [pxe]
 # NOTE(dtantsur): keep this value at least 3x lower than
 # [conductor]deploy_callback_timeout so that at least some retries happen.
@@ -221,19 +244,22 @@ enable_netboot_fallback = true
 # Enable the fallback path to in-band inspection
 ipxe_fallback_script = inspector.ipxe
 {% if env.IPXE_TLS_SETUP | lower == "true" %}
-ipxe_config_template = /tmp/ipxe_config.template
+ipxe_config_template = /templates/ipxe_config.template
 {% endif %}
 [redfish]
 use_swift = false
 kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
-
+{% if env.BMC_TLS_ENABLED == "true" %}
-[ilo]
+# idrac uses the same options as the redfish driver
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
+verify_ca = {{ env.BMC_CACERT_FILE }}
-use_web_server_for_images = true
+{% endif %}
 [irmc]
 kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
 {% if env.BMC_TLS_ENABLED == "true" %}
 verify_ca = {{ env.BMC_CACERT_FILE }}
 {% endif %}
 [service_catalog]
 endpoint_override = {{ env.IRONIC_BASE_URL }}
@@ -243,3 +269,8 @@ endpoint_override = {{ env.IRONIC_BASE_URL }}
 cert_file = {{ env.IRONIC_CERT_FILE }}
 key_file = {{ env.IRONIC_KEY_FILE }}
 {% endif %}
 [oci]
 {% if env.IRONIC_OCI_AUTH_CONFIG is defined %}
 authentication_config = {{ env.IRONIC_OCI_AUTH_CONFIG }}
 {% endif %}
--- a/ironic-image/scripts/auth-common.sh
+++ b/ironic-image/scripts/auth-common.sh
@@ -40,6 +40,10 @@ fi
 IRONIC_CONFIG="${IRONIC_CONF_DIR}/ironic.conf"
 if [[ -z "${IRONIC_OCI_AUTH_CONFIG:-}" ]] && [[ -f "/auth/oci.json" ]]; then
    export IRONIC_OCI_AUTH_CONFIG="/auth/oci.json"
 fi
 configure_json_rpc_auth()
 {
    if [[ "${IRONIC_EXPOSE_JSON_RPC}" != "true" ]]; then
--- a/ironic-image/scripts/configure-ironic.sh
+++ b/ironic-image/scripts/configure-ironic.sh
@@ -18,8 +18,6 @@ export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_I
 # shellcheck disable=SC1091
 . /bin/auth-common.sh
 export HTTP_PORT=${HTTP_PORT:-80}
 if [[ "${IRONIC_USE_MARIADB}" == true ]]; then
    if [[ -z "${MARIADB_PASSWORD:-}" ]]; then
        echo "FATAL: IRONIC_USE_MARIADB requires password, mount a secret under /auth/mariadb"
@@ -130,6 +128,8 @@ echo 'Options set from Environment variables'
 env | grep "^OS_" || true
 mkdir -p /shared/html
 mkdir -p /shared/tmp
 mkdir -p /shared/ironic_prometheus_exporter
 if [[ -f /proc/sys/crypto/fips_enabled ]]; then
    ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
--- a/ironic-image/scripts/ironic-common.sh
+++ b/ironic-image/scripts/ironic-common.sh
@@ -25,6 +25,11 @@ export IRONIC_GEN_CERT_DIR="${CUSTOM_DATA_DIR}/auto_gen_certs"
 export IRONIC_TMP_DATA_DIR="${CUSTOM_DATA_DIR}/tmp"
 export PROBE_CONF_DIR="${CUSTOM_CONFIG_DIR}/probes"
 export HTTP_PORT=${HTTP_PORT:-80}
 # NOTE(elfosardo): the default port for json_rpc in ironic is 8089, but
 # we need to use a different port to avoid conflicts with other services
 export IRONIC_JSON_RPC_PORT=${IRONIC_JSON_RPC_PORT:-6189}
 mkdir -p "${IRONIC_CONF_DIR}" "${PROBE_CONF_DIR}" "${HTTPD_CONF_DIR}" \
    "${HTTPD_CONF_DIR_D}" "${DNSMASQ_CONF_DIR}" "${DNSMASQ_TEMP_DIR}" \
    "${IRONIC_DB_DIR}" "${IRONIC_GEN_CERT_DIR}" "${DNSMASQ_DATA_DIR}" \
@@ -262,7 +267,7 @@ wait_for_interface_or_ip()
 render_j2_config()
 {
-    python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
+    python3.13 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
 }
 run_ironic_dbsync()
--- a/ironic-image/scripts/rundnsmasq
+++ b/ironic-image/scripts/rundnsmasq
@@ -7,7 +7,6 @@ set -eux
 # shellcheck disable=SC1091
 . /bin/tls-common.sh
 export HTTP_PORT=${HTTP_PORT:-80}
 DNSMASQ_EXCEPT_INTERFACE=${DNSMASQ_EXCEPT_INTERFACE:-lo}
 export DNS_PORT=${DNS_PORT:-0}
@@ -36,7 +35,7 @@ fi
 # Template and write dnsmasq.conf
 # we template via /tmp as sed otherwise creates temp files in /etc directory
 # where we can't write
-python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/tmp/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
+python3.13 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/templates/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
 for iface in $(echo "$DNSMASQ_EXCEPT_INTERFACE" | tr ',' ' '); do
    sed -i -e "/^interface=.*/ a\except-interface=${iface}" "${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
--- a/ironic-image/scripts/runhttpd
+++ b/ironic-image/scripts/runhttpd
@@ -5,7 +5,6 @@
 . /bin/ironic-common.sh
 . /bin/auth-common.sh
 export HTTP_PORT=${HTTP_PORT:-80}
 export VMEDIA_TLS_PORT=${VMEDIA_TLS_PORT:-8083}
 export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
@@ -36,7 +35,7 @@ fi
 export INSPECTOR_EXTRA_ARGS
 # Copy files to shared mount
-render_j2_config /tmp/inspector.ipxe.j2 /shared/html/inspector.ipxe
+render_j2_config /templates/inspector.ipxe.j2 /shared/html/inspector.ipxe
 # cp -r /etc/httpd/* "${HTTPD_DIR}"
 if [[ -f "${HTTPD_CONF_DIR}/httpd.conf" ]]; then
    mv "${HTTPD_CONF_DIR}/httpd.conf" "${HTTPD_CONF_DIR}/httpd.conf.example"
@@ -48,7 +47,7 @@ render_j2_config "/etc/httpd/conf/httpd.conf.j2" \
 if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then
    if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
-        render_j2_config "/tmp/httpd-ironic-api.conf.j2" \
+        render_j2_config "/templates/httpd-ironic-api.conf.j2" \
            "${HTTPD_CONF_DIR_D}/ironic.conf"
    fi
 else
@@ -59,7 +58,7 @@ write_htpasswd_files
 # Render httpd TLS configuration for /shared/html/<redifsh;ilo>
 if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
-    render_j2_config "/tmp/httpd-vmedia.conf.j2" \
+    render_j2_config "/templates/httpd-vmedia.conf.j2" \
        "${HTTPD_CONF_DIR_D}/vmedia.conf"
 fi
@@ -67,7 +66,7 @@ fi
 if [[ "$IPXE_TLS_SETUP" == "true" ]]; then
    mkdir -p /shared/html/custom-ipxe
    chmod 0777 /shared/html/custom-ipxe
-    render_j2_config "/tmp/httpd-ipxe.conf.j2" "${HTTPD_CONF_DIR_D}/ipxe.conf"
+    render_j2_config "/templates/httpd-ipxe.conf.j2" "${HTTPD_CONF_DIR_D}/ipxe.conf"
    cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
       "${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
       "/shared/html/custom-ipxe"
--- a/ironic-image/scripts/runironic
+++ b/ironic-image/scripts/runironic
@@ -15,4 +15,13 @@ configure_restart_on_certificate_update "${IRONIC_TLS_SETUP}" ironic "${IRONIC_C
 configure_ironic_auth
 if [[ -d "${BMC_CACERTS_PATH}" ]]; then
    # shellcheck disable=SC2034
    watchmedo shell-command \
        --patterns="*" \
        --ignore-directories \
        --command='cat "${BMC_CACERTS_PATH}"/* > "${BMC_CACERT_FILE}"' \
        "${BMC_CACERTS_PATH}" &
 fi
 exec /usr/bin/ironic --config-dir "${IRONIC_CONF_DIR}"
--- a/ironic-image/scripts/runironic-exporter
+++ b/ironic-image/scripts/runironic-exporter
@@ -0,0 +1,20 @@
 #!/usr/bin/bash
 # Set dummy provisioning IP to avoid interface detection issues (not needed to run IPE to service `/metrics`)
 export PROVISIONING_IP="127.0.0.1"
 # Set to true since running this script implies sensor data metrics are needed
 # ironic-prometheus-exporter (IPE) needs to read from oslo_messaging_notifications.location (i.e content under /shared) where Ironic writes to
 export SEND_SENSOR_DATA=true
 # shellcheck disable=SC1091
 . /bin/configure-ironic.sh
 # shellcheck disable=SC1091
 . /bin/ironic-common.sh
 FLASK_RUN_HOST=${FLASK_RUN_HOST:-0.0.0.0}
 FLASK_RUN_PORT=${FLASK_RUN_PORT:-9608}
 export IRONIC_CONFIG="${IRONIC_CONF_DIR}/ironic.conf"
 exec gunicorn -b "${FLASK_RUN_HOST}:${FLASK_RUN_PORT}" -w 4 \
    ironic_prometheus_exporter.app.wsgi:application
--- a/ironic-image/scripts/runlogwatch.sh
+++ b/ironic-image/scripts/runlogwatch.sh
@@ -1,17 +1,32 @@
 #!/usr/bin/bash
 # Ramdisk logs path
-LOG_DIR="/shared/log/ironic/deploy"
+export LOG_DIR="/shared/log/ironic/deploy"
 mkdir -p "${LOG_DIR}"
-# shellcheck disable=SC2034
+# Function to process log files
-python3.11 -m pyinotify --raw-format -e IN_CLOSE_WRITE -v "${LOG_DIR}" |
+process_log_file() {
-    while read -r event dir mask maskname filename filepath pathname wd; do
+    local FILEPATH="$1"
-        #NOTE(elfosardo): a pyinotify event looks like this:
+    # shellcheck disable=SC2155
-        # <Event dir=False mask=0x8 maskname=IN_CLOSE_WRITE name=mylogs.gzip path=/shared/log/ironic/deploy pathname=/shared/log/ironic/deploy/mylogs.gzip wd=1 >
+    local FILENAME=$(basename "${FILEPATH}")
-        FILENAME=$(echo "${filename}" | cut -d'=' -f2-)
+
-        echo "************ Contents of ${LOG_DIR}/${FILENAME} ramdisk log file bundle **************"
+    echo "************ Contents of ${LOG_DIR}/${FILENAME} ramdisk log file bundle **************"
-        tar -xOzvvf "${LOG_DIR}/${FILENAME}" | sed -e "s/^/${FILENAME}: /"
+    tar -tzf "${FILEPATH}" | while read -r entry; do
-        rm -f "${LOG_DIR}/${FILENAME}"
+        echo "${FILENAME}: **** Entry: ${entry} ****"
        tar -xOzf "${FILEPATH}" "${entry}" | sed -e "s/^/${FILENAME}: /"
        echo
    done
    rm -f "${FILEPATH}"
 }
 # Export the function so watchmedo can use it
 export -f process_log_file
 # Use watchmedo to monitor for file close events
 # shellcheck disable=SC2016
 watchmedo shell-command \
    --patterns="*" \
    --ignore-directories \
    --command='if [[ "${watch_event_type}" == "closed" ]]; then process_log_file "${watch_src_path}"; fi' \
    "${LOG_DIR}"
--- a/ironic-image/scripts/tls-common.sh
+++ b/ironic-image/scripts/tls-common.sh
@@ -1,13 +1,14 @@
 #!/bin/bash
 export IRONIC_CERT_FILE=/certs/ironic/tls.crt
 export IRONIC_KEY_FILE=/certs/ironic/tls.key
 export IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt
 export IRONIC_INSECURE=${IRONIC_INSECURE:-false}
 export IRONIC_SSL_PROTOCOL=${IRONIC_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
 export IPXE_SSL_PROTOCOL=${IPXE_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
 export IRONIC_VMEDIA_SSL_PROTOCOL=${IRONIC_VMEDIA_SSL_PROTOCOL:-"ALL"}
 # Node image storage is using the same cert and port as the API
 export IRONIC_CERT_FILE=/certs/ironic/tls.crt
 export IRONIC_KEY_FILE=/certs/ironic/tls.key
 export IRONIC_VMEDIA_CERT_FILE=/certs/vmedia/tls.crt
 export IRONIC_VMEDIA_KEY_FILE=/certs/vmedia/tls.key
@@ -16,15 +17,15 @@ export IPXE_KEY_FILE=/certs/ipxe/tls.key
 export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPDATED:-"false"}
 # By default every cert has to be signed with Ironic's
 # CA otherwise node image and IPA verification would fail
 export MARIADB_CACERT_FILE=/certs/ca/mariadb/tls.crt
 export BMC_CACERTS_PATH=/certs/ca/bmc
 export BMC_CACERT_FILE=/conf/bmc-tls.pem
 export IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt
 export IPXE_TLS_PORT="${IPXE_TLS_PORT:-8084}"
 mkdir -p /certs/ironic
 mkdir -p /certs/ca/ironic
 mkdir -p /certs/ipxe
 mkdir -p /certs/vmedia
 if [[ -f "$IRONIC_CERT_FILE" ]] && [[ ! -f "$IRONIC_KEY_FILE" ]]; then
    echo "Missing TLS Certificate key file $IRONIC_KEY_FILE"
    exit 1
@@ -69,6 +70,7 @@ if [[ -f "$IRONIC_CERT_FILE" ]] || [[ -f "$IRONIC_CACERT_FILE" ]]; then
    export IRONIC_TLS_SETUP="true"
    export IRONIC_SCHEME="https"
    if [[ ! -f "$IRONIC_CACERT_FILE" ]]; then
        mkdir -p "$(dirname "${IRONIC_CACERT_FILE}")"
        copy_atomic "$IRONIC_CERT_FILE" "$IRONIC_CACERT_FILE"
    fi
 else
@@ -105,11 +107,23 @@ configure_restart_on_certificate_update()
    if [[ "${enabled}" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
        if [[ "${service}" == httpd ]]; then
            # shellcheck disable=SC2034
            signal="WINCH"
        fi
-        python3 -m pyinotify --raw-format -e IN_DELETE_SELF -v "${cert_file}" |
+
-            while read -r; do
+        # Use watchmedo to monitor certificate file deletion
-                pkill "-${signal}" "${service}"
+        # shellcheck disable=SC2016
-            done &
+        watchmedo shell-command \
            --patterns="$(basename "${cert_file}")" \
            --ignore-directories \
            --command='if [[ "${watch_event_type}" == "deleted" ]]; then pkill -'"${signal}"' '"${service}"'; fi' \
            "$(dirname "${cert_file}")" &
    fi
 }
 if [ -d "${BMC_CACERTS_PATH}" ]; then
    export BMC_TLS_ENABLED="true"
    cat "${BMC_CACERTS_PATH}"/* > "${BMC_CACERT_FILE}"
 else
    export BMC_TLS_ENABLED="false"
 fi
--- a/ironic-ipa-downloader-image/Dockerfile
+++ b/ironic-ipa-downloader-image/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.9
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.10
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.9-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.10-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -9,8 +9,6 @@ COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 ironic-ipa-ramdisk-aarch64 tar gawk curl xz zstd shadow cpio findutils
 RUN cp /usr/bin/getopt /installroot/
 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -18,11 +16,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.9"
+LABEL org.opencontainers.image.version="3.0.10"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.9-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.10-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -32,7 +30,6 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix
 COPY --from=base /installroot /
 RUN cp /getopt /usr/bin/
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/
--- a/ironic-ipa-downloader-image/Dockerfile.aarch64
+++ b/ironic-ipa-downloader-image/Dockerfile.aarch64
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.9
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.10
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.9-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.10-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -9,8 +9,6 @@ COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-aarch64 tar gawk curl xz zstd shadow cpio findutils
 RUN cp /usr/bin/getopt /installroot/
 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -18,11 +16,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.9"
+LABEL org.opencontainers.image.version="3.0.10"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.9-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.10-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -32,7 +30,6 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix
 COPY --from=base /installroot /
 RUN cp /getopt /usr/bin/
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/
--- a/ironic-ipa-downloader-image/Dockerfile.x86_64
+++ b/ironic-ipa-downloader-image/Dockerfile.x86_64
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.9
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.10
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.9-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.10-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -9,8 +9,6 @@ COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
 RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 tar gawk curl xz zstd shadow cpio findutils
 RUN cp /usr/bin/getopt /installroot/
 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -18,11 +16,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.9"
+LABEL org.opencontainers.image.version="3.0.10"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.9-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.10-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -32,7 +30,6 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix
 COPY --from=base /installroot /
 RUN cp /getopt /usr/bin/
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/
--- a/ironic-ipa-ramdisk/config.sh
+++ b/ironic-ipa-ramdisk/config.sh
@@ -16,7 +16,7 @@ baseSetupBuildDay
 #==========================================
 # remove unneded kernel files
 #------------------------------------------
-suseStripKernel
+#suseStripKernel
 baseStripLocales en_US.utf-8 C.utf8
 #======================================
--- a/ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi
+++ b/ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi
@@ -28,68 +28,6 @@
      <source path="dir:///.build.binaries"/>
    </repository>
    <drivers>
        <file name="crypto/*"/>
        <file name="drivers/acpi/*"/>
        <file name="drivers/acpi/dock.ko"/>
        <file name="drivers/ata/*"/>
        <file name="drivers/block/brd.ko"/>
        <file name="drivers/block/cciss.ko"/>
        <file name="drivers/block/loop.ko"/>
        <file name="drivers/block/virtio_blk.ko"/>
        <file name="drivers/cdrom/*"/>
        <file name="drivers/char/hw_random/virtio-rng.ko"/>
        <file name="drivers/char/lp.ko"/>
        <file name="drivers/char/ipmi/*"/>
        <file name="drivers/firmware/iscsi_ibft.ko"/>
        <file name="drivers/firmware/edd.ko"/>
        <file name="drivers/gpu/drm/*"/>
        <file name="drivers/hid/*"/>
        <file name="drivers/hv/*"/>
        <file name="drivers/hwmon/*"/>
        <file name="drivers/ide/*"/>
        <file name="drivers/input/keyboard/*"/>
        <file name="drivers/input/mouse/*"/>
        <file name="drivers/md/*"/>
        <file name="drivers/message/fusion/*"/>
        <file name="drivers/misc/hpilo.ko"/>
        <file name="drivers/net/*"/>
        <file name="drivers/parport/*"/>
        <file name="drivers/scsi/*"/>
        <file name="drivers/staging/hv/*"/>
        <file name="drivers/target/*"/>
        <file name="drivers/thermal/*"/>
        <file name="drivers/usb/*"/>
        <file name="drivers/virtio/*"/>
        <file name="fs/binfmt_aout.ko"/>
        <file name="fs/binfmt_misc.ko"/>
        <file name="fs/overlayfs/*"/>
        <file name="fs/btrfs/*"/>
        <file name="fs/exportfs/*"/>
        <file name="fs/ext4/*"/>
        <file name="fs/fat/*"/>
        <file name="fs/fuse/*"/>
        <file name="fs/hfs/*"/>
        <file name="fs/jbd2/*"/>
        <file name="fs/nfs/*"/>
        <file name="fs/mbcache.ko"/>
        <file name="fs/nls/nls_cp437.ko"/>
        <file name="fs/nls/nls_iso8859-1.ko"/>
        <file name="fs/nls/nls_utf8.ko"/>
        <file name="fs/quota_v1.ko"/>
        <file name="fs/quota_v2.ko"/>
        <file name="fs/squashfs/*"/>
        <file name="fs/udf/*"/>
        <file name="fs/vfat/*"/>
        <file name="fs/xfs/*"/>
        <file name="fs/isofs/*"/>
        <file name="lib/crc-t10dif.ko"/>
        <file name="lib/crc16.ko"/>
        <file name="lib/libcrc32c.ko"/>
        <file name="lib/zlib_deflate/zlib_deflate.ko"/>
        <file name="net/packet/*"/>
    </drivers>
    <packages type="delete">
        <package name="gpg2"/>
        <package name="libcairo2"/>
@@ -138,6 +76,7 @@
        <package name="grub2-i386-pc" arch="x86_64"/>
        <package name="grub2-x86_64-efi" arch="x86_64"/>
        <package name="grub2"/>
        <package name="gettext-runtime"/>
        <package name="iproute2"/>
        <package name="iputils"/>
        <package name="kernel-default"/>
@@ -149,6 +88,7 @@
        <package name="timezone"/>
        <package name="which"/>
        <!-- ironic-python-agent specific -->
        <package name="chrony"/>
        <package name="dmidecode"/>
        <package name="efibootmgr"/>
        <package name="gptfdisk"/>
@@ -157,15 +97,14 @@
        <package name="ipmitool"/>
        <package name="iputils"/>
        <package name="kbd"/>
        <package name="krb5"/>
        <package name="lshw"/>
        <package name="lvm2"/>
        <package name="net-tools"/>
        <package name="ntp"/>
        <package name="open-iscsi"/>
        <package name="openstack-ironic-python-agent"/>
        <package name="parted"/>
        <package name="psmisc"/>
        <package name="python311-proliantutils"/>
        <package name="qemu-tools"/>
        <package name="timezone"/>
        <package name="which"/>
--- a/ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec
+++ b/ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec
@@ -19,7 +19,7 @@
 Name:           ironic-ipa-ramdisk
-Version:        3.0.7
+Version:        3.0.8
 Release:        0
 Summary:        Kernel and ramdisk image for OpenStack Ironic
 License:        SUSE-EULA
@@ -29,12 +29,12 @@ Source0:        config.sh
 Source10:       ironic-ipa-ramdisk.kiwi
 Source20:       root
 #!BuildIgnore:  systemd-mini
 BuildRequires: systemd
 BuildRequires:  -post-build-checks
 BuildRequires:  bash
 BuildRequires:  kiwi
 BuildRequires:  kiwi-tools
 BuildRequires:  zypper
 BuildArch:      noarch
 BuildRequires:  checkmedia
 BuildRequires:  acl
@@ -55,7 +55,6 @@ BuildRequires:  grub2-x86_64-efi
 %ifarch aarch64
 BuildRequires:  grub2-arm64-efi
 %endif
 BuildRequires:  haveged
 BuildRequires:  hdparm
 BuildRequires:  hwinfo
 BuildRequires:  ipmitool
@@ -65,7 +64,7 @@ BuildRequires:  kernel-default
 BuildRequires:  kernel-firmware-all
 BuildRequires:  lvm2
 BuildRequires:  net-tools
-BuildRequires:  ntp
+BuildRequires:  chrony
 BuildRequires:  open-iscsi
 BuildRequires:  openssh
 BuildRequires:  openstack-ironic-python-agent
@@ -77,7 +76,6 @@ BuildRequires:  pkgconfig
 BuildRequires:  Mesa-gallium
 BuildRequires:  plymouth
 BuildRequires:  plymouth-scripts
 BuildRequires:  python311-proliantutils
 BuildRequires:  psmisc
 BuildRequires:  qemu-tools
 BuildRequires:  sg3_utils
@@ -105,6 +103,9 @@ BuildRequires:  lshw
 BuildRequires:  kbd
 BuildRequires:  dmidecode
 BuildRequires:  efibootmgr
 BuildRequires:  glibc-locale
 BuildRequires:  krb5
 BuildRequires:  gettext-runtime
 %ifarch x86_64
 BuildRequires:  syslinux
 %endif
@@ -113,10 +114,9 @@ BuildRequires:  syslinux
 Kernel and ramdisk image for use with Metal3
 %package %{_arch}
 BuildArch:      noarch
 Summary:        Kernel and ramdisk image for Metal3
 Group:          System/Management
 Provides:       openstack-ironic-python-agent = %{version}
 Obsoletes:      openstack-ironic-python-agent < %{version}
 %description %{_arch}
 Kernel and ramdisk image for use with Metal3
--- a/kiwi-builder-image/Dockerfile
+++ b/kiwi-builder-image/Dockerfile
@@ -1,8 +1,8 @@
-#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.12.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.29.1-%RELEASE%
-#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.12.0
+#!BuildTag: %%IMG_PREFIX%%kiwi-builder:10.2.29.1
 # Base image version, should match the tag above
-ARG KIWIVERSION="10.2.12"
+ARG KIWIVERSION="10.2.29"
 FROM registry.suse.com/bci/kiwi:${KIWIVERSION}
 ARG KIWIVERSION
@@ -33,4 +33,6 @@ RUN mkdir -p /micro-sdk/defs
 ADD SL-Micro.kiwi /micro-sdk/defs
 ADD SL-Micro.kiwi.4096 /micro-sdk/defs
 ADD config.sh /micro-sdk/defs
 ADD disk.sh /micro-sdk/defs
 ADD editbootinstall_rpi.sh /micro-sdk/defs
 ADD editbootinstall_pine64.sh /micro-sdk/defs
--- a/kiwi-builder-image/README.build.md
+++ b/kiwi-builder-image/README.build.md
@@ -0,0 +1,28 @@
 The following files are coming from _upstream_ https://build.opensuse.org/package/show/SUSE:SLFO:Products:SL-Micro:6.2/SL-Micro :
 * SL-Micro.kiwi
 * disk.sh
 * config.sh
 * editbootinstall_pine64.sh
 * editbootinstall_rpi.sh
 Those can be downloaded as:
 ```
 curl -LO https://src.suse.de/products/SL-Micro/raw/branch/6.2/SL-Micro/SL-Micro.kiwi
 ```
 The SL-Micro.kiwi file needs to be modified to append a few packages on the bootstrap stanza to be able to generate images with no SSL errors:
 ```
     <packages type="bootstrap">
         <package name="filesystem"/>
 +        <package name="coreutils"/>
 +        <package name="ca-certificates"/>
 +        <package name="ca-certificates-mozilla"/>
     </packages>
 ```
 The SL-Micro.kiwi.4096 file needs to be modified to modify the `target_blocksize="4096"` where appropiate.
 All the other files are used verbatim.
--- a/kiwi-builder-image/SL-Micro.kiwi
+++ b/kiwi-builder-image/SL-Micro.kiwi
@@ -30,16 +30,13 @@
        <profile name="x86-self_install" description="Raw disk for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64" description="Raw disk for aarch64 - uEFI" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-self_install" description="Raw disk for aarch64" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-rt" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
-        <profile name="aarch64-rt-rpi" description="Raw disk for aarch64 with RT kernel on Raspberry Pi" arch="aarch64">
+        <profile name="aarch64-rt-encrypted" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-rt-self_install" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
@@ -60,6 +57,15 @@
        <profile name="rpi" description="Raw disk for Raspberry Pi" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="rpi-self_install" description="Raw disk for Raspberry Pi" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64" description="Raw disk for Raspberry Pi" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-encrypted" description="Raw disk for Raspberry Pi" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-qcow" description="qcow2 for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
@@ -89,6 +95,15 @@
        </profile>
        <profile name="ppc64le-4096ss-self_install" description="Raw disk for PPc64 - 4096 sector size" arch="ppc64le">
            <requires profile="bootloader"/>
        </profile> 
       	<profile name="aarch64-64kb" description="Build 64K page size aarch64 images" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
       	<profile name="aarch64-64kb-encrypted" description="Build 64K page size aarch64 images" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
       	<profile name="aarch64-64kb-self_install" description="Build 64K page size aarch64 images" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <!-- Images (flavor + platform) -->
        <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
@@ -154,18 +169,10 @@
            <requires profile="full"/>
            <requires profile="aarch64"/>
        </profile>
        <profile name="Default-RPi" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="aarch64">
            <requires profile="full"/>
            <requires profile="rpi"/>
        </profile>
        <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64"/>
        </profile>
        <profile name="Base-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="rpi"/>
        </profile>
        <profile name="Base-RT" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-rt"/>
@@ -179,10 +186,6 @@
            <requires profile="container-host"/>
            <requires profile="aarch64-rt"/>
        </profile>
        <profile name="Base-RT-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-rt-rpi"/>
        </profile>
        <profile name="Base-RT-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-rt-self_install"/>
@@ -277,10 +280,42 @@
            <requires profile="ppc64le-4096ss-self_install"/>
            <requires profile="self_install"/>
        </profile>
 	<profile name="Default-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
            <requires profile="full"/>
            <requires profile="aarch64-64kb-self_install"/>
        </profile>
 	<profile name="Base-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-64kb-self_install"/>
        </profile>
 	<profile name="Default-64kb" description="SL Micro with 64K page size images" arch="aarch64">
            <requires profile="full"/>
            <requires profile="aarch64-64kb"/>
        </profile>
 	<profile name="Base-64kb" description="SL Micro with 64K page size images" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-64kb"/>
        </profile>
 	<profile name="Default-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
            <requires profile="full"/>
            <requires profile="aarch64-64kb-encrypted"/>
        </profile>
 	<profile name="Base-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-64kb-encrypted"/>
        </profile>
 	<profile name="RaspberryPi-SelfInstall" description="SL Micro for Rapsberry Pi" arch="aarch64">
            <requires profile="full"/>
            <requires profile="rpi-self_install"/>
        </profile>
 	<profile name="RaspberryPi" description="SL Micro for Raspberry Pi" arch="aarch64">
            <requires profile="full"/>
            <requires profile="rpi"/>
        </profile>
    </profiles>
    <preferences profiles="x86-encrypted,x86-rt-encrypted">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -291,7 +326,8 @@
            initrd_system="dracut"
            filesystem="btrfs"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -323,7 +359,7 @@
        </type>
    </preferences>
    <preferences profiles="x86,x86-rt">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -334,7 +370,8 @@
            initrd_system="dracut"
            filesystem="btrfs"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -359,7 +396,7 @@
    </preferences>
    <preferences profiles="x86-self_install,x86-rt-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -374,7 +411,8 @@
            installboot="install"
            install_continue_on_timeout="false"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -397,9 +435,8 @@
            </systemdisk>
        </type>
    </preferences>
-
+    <preferences profiles="aarch64,aarch64-rt,aarch64-64kb">
-    <preferences profiles="rpi,aarch64-rt-rpi">
+        <version>6.2</version>
        <version>6.1</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -414,11 +451,96 @@
            install_continue_on_timeout="false"
            fsmountoptions="noatime"
            firmware="uefi"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="false"
            disk_start_sector="8192"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
        </type>
    </preferences>
    <preferences profiles="aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            initrd_system="dracut"
            installiso="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
            fsmountoptions="noatime"
            firmware="uefi"
            efipartsize="512"
            kernelcmdline="security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
            bootpartition="false"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="false"
            disk_start_sector="8192"
            luks_version="luks2"
            luks="1234"
 	    luks_randomize="false"
 	    luks_pbkdf="pbkdf2"
        >
            <luksformat>
                <option name="--cipher" value="aes-xts-plain64"/>
            </luksformat>
            <bootloader name="grub2" console="gfxterm" use_disk_password="true" timeout="3" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
        </type>
    </preferences>
    <preferences profiles="rpi">
        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            initrd_system="dracut"
            installiso="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
            fsmountoptions="noatime"
            firmware="uefi"
            efipartsize="512"
            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            efipartsize="128"
            editbootinstall="editbootinstall_rpi.sh"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="false"
@@ -438,9 +560,8 @@
            </systemdisk>
        </type>
    </preferences>
-
+    <preferences profiles="aarch64-self_install,aarch64-rt-self_install,aarch64-64kb-self_install">
-    <preferences profiles="aarch64,aarch64-rt">
+        <version>6.2</version>
        <version>6.1</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -450,19 +571,20 @@
            image="oem"
            initrd_system="dracut"
            installiso="true"
            installpxe="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
            fsmountoptions="noatime"
            firmware="uefi"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            efipartsize="128"
            btrfs_root_is_readonly_snapshot="true"
-            btrfs_quota_groups="false"
+            btrfs_quota_groups="true"
-            disk_start_sector="4096"
+            disk_start_sector="8192"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
@@ -478,8 +600,8 @@
            </systemdisk>
        </type>
    </preferences>
-    <preferences profiles="aarch64-self_install,aarch64-rt-self_install">
+    <preferences profiles="rpi-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -494,13 +616,14 @@
            installboot="install"
            install_continue_on_timeout="false"
            firmware="uefi"
-            efipartsize="128"
+            efipartsize="512"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            editbootinstall="editbootinstall_rpi.sh"
            btrfs_quota_groups="true"
            disk_start_sector="4096"
        >
@@ -520,7 +643,7 @@
    </preferences>
    <preferences profiles="s390-kvm">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -558,7 +681,7 @@
    <preferences profiles="s390-dasd">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -596,7 +719,7 @@
    <preferences profiles="s390-fba">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -631,7 +754,7 @@
    </preferences>
    <preferences profiles="s390-fcp">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -670,7 +793,7 @@
    </preferences>
    <preferences profiles="x86-vmware">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -681,6 +804,7 @@
            filesystem="btrfs"
            format="vmdk"
            firmware="uefi"
            efipartsize="512"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -701,11 +825,11 @@
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">24</size>
-            <machine memory="1024" HWversion="10" guestOS="suse-64"/>
+            <machine memory="1024" HWversion="17" guestOS="suse-64"/>
        </type>
    </preferences>
    <preferences profiles="x86-qcow">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -716,7 +840,8 @@
            format="qcow2"
            filesystem="btrfs"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
+            efipartsize="512"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -740,9 +865,9 @@
            <size unit="G">32</size>
        </type>
    </preferences>
-
+ 
    <preferences profiles="aarch64-qcow">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -753,8 +878,8 @@
            format="qcow2"
            filesystem="btrfs"
            firmware="uefi"
-            efipartsize="128"
+            efipartsize="512"     
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -765,7 +890,7 @@
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
@@ -777,7 +902,7 @@
    </preferences>
    <preferences profiles="ppc64le-512ss">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -788,7 +913,7 @@
            image="oem"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -800,7 +925,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -810,7 +935,7 @@
        </type>
    </preferences>
    <preferences profiles="ppc64le-4096ss">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -824,7 +949,7 @@
            target_blocksize="4096"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -836,7 +961,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -847,7 +972,7 @@
    </preferences>
    <preferences profiles="ppc64le-512ss-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -860,7 +985,7 @@
            installpxe="true"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -877,7 +1002,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -887,7 +1012,7 @@
        </type>
    </preferences>
    <preferences profiles="ppc64le-4096ss-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -903,7 +1028,7 @@
            target_blocksize="4096"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -920,7 +1045,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -936,20 +1061,17 @@
    </repository>
    <packages type="image" profiles="full">
-        <namedCollection name="base_transactional"/>
+        <namedCollection name="transactional_base"/>
-        <package name="patterns-base-transactional"/>
+        <package name="patterns-base-transactional_base"/>
        <namedCollection name="salt_minion"/>
 	<package name="patterns-base-salt_minion"/>
        <namedCollection name="kvm_host"/>
-	<package name="patterns-base-kvm_host"/>
+	<package name="patterns-micro-kvm_host"/>
 	<package name="lzop"/>
        <namedCollection name="container_runtime_podman"/>
-        <package name="patterns-container-runtime_podman"/>
+        <package name="patterns-container-runtime_podman"/> 
        <namedCollection name="cockpit"/>
-        <package name="patterns-base-cockpit"/>
+        <package name="patterns-cockpit"/>
        <namedCollection name="selinux"/>
        <package name="patterns-base-selinux"/>
        <package name="policycoreutils-python-utils"/>
        <package name="suseconnect-ng"/>
        <package name="SL-Micro-release"/>
        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -959,7 +1081,7 @@
 	<package name="libpwquality-tools"/>
    </packages>
-    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted">
+    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted,aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
        <!-- full disk encryption stuff -->
        <package name="device-mapper"/>
        <package name="cryptsetup"/>
@@ -972,13 +1094,12 @@
    </packages>
    <packages type="image" profiles="container-host">
-        <namedCollection name="base_transactional"/>
+        <namedCollection name="transactional_base"/>
-        <package name="patterns-base-transactional"/>
+        <package name="patterns-base-transactional_base"/>
        <namedCollection name="container_runtime_podman"/>
        <package name="patterns-container-runtime_podman"/>
        <namedCollection name="selinux"/>
        <package name="patterns-base-selinux"/>
        <package name="policycoreutils-python-utils"/>
        <package name="suseconnect-ng"/>
        <package name="SL-Micro-release"/>
        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -1002,16 +1123,16 @@
 	<package name="jeos-firstboot"/>
    </packages>
-    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow">
+    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow,ppc64le-512ss,ppc64le-4096ss,s390-dasd,s390-fcp">
        <package name="cloud-init"/>
        <package name="cloud-init-config-suse"/>
    </packages>
    <packages type="image">
-        <namedCollection name="base_transactional"/>
+        <namedCollection name="transactional_base"/>
-        <package name="patterns-base-transactional"/>
+        <package name="patterns-base-transactional_base"/>
        <namedCollection name="hardware"/>
-        <package name="patterns-base-hardware"/>
+        <package name="patterns-micro-hardware"/>
        <package name="grub2"/>
        <package name="glibc-locale-base"/>
        <package name="ca-certificates"/>
@@ -1030,9 +1151,10 @@
        <package name="NetworkManager"/>
        <package name="NetworkManager-branding-SLE"/>
 	<package name="ModemManager"/>
-	<!-- FIXME does not build without control file which is obsolete
+	<!-- FIXME does not build without control file which is obsolete 
 	<package name="live-add-yast-repos"/> -->
 	<package name="parted"/> <!-- seems missing to deploy the image -->
 	<package name="iptables"/> <!-- needed by RKE2 -->
    </packages>
    <packages type="image" profiles="bootloader">
@@ -1049,14 +1171,18 @@
 	    <package name="kpartx" arch="s390x"/>--> <!-- previous releases picked it always, now kiwi picks partx instead -->
    </packages>
    <!-- rpi kernel-default-base does not provide all necessary drivers -->
-    <packages type="image" profiles="rpi,aarch64-self_install,x86,x86-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
+    <packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,x86,x86-encrypted,aarch64-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
        <package name="kernel-default"/>
        <package name="kernel-firmware-all"/>
    </packages>
-    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
+    <packages type="image" profiles="aarch64-64kb,aarch64-64kb-encrypted,aarch64-64kb-self_install">
        <package name="kernel-64kb"/>
        <package name="kernel-firmware-all"/>
    </packages>
    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
        <package name="kernel-rt"/>
        <package name="kernel-firmware-all"/>
-	<!-- FIXME intentionally removed from ALP code stream
+	<!-- FIXME intentionally removed from ALP code stream 
        <package name="cpuset"/> -->
    </packages>
    <packages type="image" profiles="s390-kvm,s390-dasd,s390-fba,s390-fcp">
@@ -1068,17 +1194,18 @@
    <packages type="image" profiles="s390-fcp">
        <package name="multipath-tools"/>
    </packages>
-    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64,aarch64-qcow,rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
+    <!-- "oem" images uses kiwi for partition/fs resize (-repart) and SelfInstall images in addition for deployment (-dump). -->
    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64-qcow,aarch64,aarch64-encrypted,aarch64-64kb-encrypted,rpi,rpi-self_install,aarch64-self_install,aarch64-64kb,aarch64-64kb-self_install,aarch64-rt,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
        <package name="dracut-kiwi-oem-repart"/>
        <package name="dracut-kiwi-oem-dump"/>
    </packages>
-    <packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
+    <packages type="image" profiles="rpi,rpi-self_install">
        <package name="raspberrypi-firmware" arch="aarch64"/>
        <package name="raspberrypi-firmware-config" arch="aarch64"/>
        <package name="raspberrypi-firmware-dt" arch="aarch64"/>
        <package name="u-boot-rpiarm64" arch="aarch64"/>
    </packages>
-    <packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-self_install">
+    <packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,aarch64-rt,aarch64-64kb,aarch64-rt-self_install,aarch64-encrypted,aarch64-rt-encrypted,aarchte-64kb-encrypted">
        <package name="dracut-kiwi-oem-repart"/>
        <package name="bcm43xx-firmware"/>
        <package name="wireless-regdb"/>
@@ -1086,6 +1213,7 @@
        <package name="wpa_supplicant"/>
        <package name="grub2-arm64-efi"/>
    </packages>
    <!-- NOTE(edge): Added coreutils, ca-certificates and ca-certificates-mozilla to prevent SSL errors when building the images -->
    <packages type="bootstrap">
        <package name="filesystem"/>
        <package name="coreutils"/>
@@ -1102,14 +1230,15 @@
    <packages type="image" profiles="x86-qcow,aarch64-qcow">
        <package name="qemu-guest-agent"/>
    </packages>
-
+    
    <!-- jsc#PED-8599 -->
-    <packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096">
+    <packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096,Base-64kb-encrypted,Default-64kb-encrypted">
        <package name="usbguard"/>
    </packages>
    <!-- jsc#PED-8788 -->
-    <packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-self_install">
+    <packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
        <package name="stalld"/>
    </packages>
 </image>
--- a/kiwi-builder-image/SL-Micro.kiwi.4096
+++ b/kiwi-builder-image/SL-Micro.kiwi.4096
@@ -30,16 +30,13 @@
        <profile name="x86-self_install" description="Raw disk for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64" description="Raw disk for aarch64 - uEFI" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-self_install" description="Raw disk for aarch64" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-rt" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
-        <profile name="aarch64-rt-rpi" description="Raw disk for aarch64 with RT kernel on Raspberry Pi" arch="aarch64">
+        <profile name="aarch64-rt-encrypted" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-rt-self_install" description="Raw disk for aarch64 with RT kernel" arch="aarch64">
@@ -60,6 +57,15 @@
        <profile name="rpi" description="Raw disk for Raspberry Pi" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="rpi-self_install" description="Raw disk for Raspberry Pi" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64" description="Raw disk for Raspberry Pi" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-encrypted" description="Raw disk for Raspberry Pi" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-qcow" description="qcow2 for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
@@ -89,6 +95,15 @@
        </profile>
        <profile name="ppc64le-4096ss-self_install" description="Raw disk for PPc64 - 4096 sector size" arch="ppc64le">
            <requires profile="bootloader"/>
        </profile> 
       	<profile name="aarch64-64kb" description="Build 64K page size aarch64 images" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
       	<profile name="aarch64-64kb-encrypted" description="Build 64K page size aarch64 images" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
       	<profile name="aarch64-64kb-self_install" description="Build 64K page size aarch64 images" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <!-- Images (flavor + platform) -->
        <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
@@ -154,18 +169,10 @@
            <requires profile="full"/>
            <requires profile="aarch64"/>
        </profile>
        <profile name="Default-RPi" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="aarch64">
            <requires profile="full"/>
            <requires profile="rpi"/>
        </profile>
        <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64"/>
        </profile>
        <profile name="Base-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="rpi"/>
        </profile>
        <profile name="Base-RT" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-rt"/>
@@ -179,10 +186,6 @@
            <requires profile="container-host"/>
            <requires profile="aarch64-rt"/>
        </profile>
        <profile name="Base-RT-RPi" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-rt-rpi"/>
        </profile>
        <profile name="Base-RT-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-rt-self_install"/>
@@ -277,21 +280,55 @@
            <requires profile="ppc64le-4096ss-self_install"/>
            <requires profile="self_install"/>
        </profile>
 	<profile name="Default-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
            <requires profile="full"/>
            <requires profile="aarch64-64kb-self_install"/>
        </profile>
 	<profile name="Base-64kb-SelfInstall" description="SL Micro with 64K page size images" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-64kb-self_install"/>
        </profile>
 	<profile name="Default-64kb" description="SL Micro with 64K page size images" arch="aarch64">
            <requires profile="full"/>
            <requires profile="aarch64-64kb"/>
        </profile>
 	<profile name="Base-64kb" description="SL Micro with 64K page size images" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-64kb"/>
        </profile>
 	<profile name="Default-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
            <requires profile="full"/>
            <requires profile="aarch64-64kb-encrypted"/>
        </profile>
 	<profile name="Base-64kb-encrypted" description="SL Micro with 64K page size images" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-64kb-encrypted"/>
        </profile>
 	<profile name="RaspberryPi-SelfInstall" description="SL Micro for Rapsberry Pi" arch="aarch64">
            <requires profile="full"/>
            <requires profile="rpi-self_install"/>
        </profile>
 	<profile name="RaspberryPi" description="SL Micro for Raspberry Pi" arch="aarch64">
            <requires profile="full"/>
            <requires profile="rpi"/>
        </profile>
    </profiles>
    <preferences profiles="x86-encrypted,x86-rt-encrypted">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <!--  NOTE: Added 4096 support here -->
        <type
            image="oem"
            initrd_system="dracut"
            filesystem="btrfs"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -301,9 +338,8 @@
            luks_version="luks2"
            luks="1234"
 	    luks_randomize="false"
-	    luks_pbkdf="pbkdf2"
+			luks_pbkdf="pbkdf2"
            target_blocksize="4096"
            efipartsize="200"
        >
            <luksformat>
                <option name="--cipher" value="aes-xts-plain64"/>
@@ -325,18 +361,20 @@
        </type>
    </preferences>
    <preferences profiles="x86,x86-rt">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <!--  NOTE: Added 4096 support here -->
        <type
            image="oem"
            initrd_system="dracut"
            filesystem="btrfs"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -344,7 +382,6 @@
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
            target_blocksize="4096"
            efipartsize="200"
        >
    	    <bootloader name="grub2" console="gfxterm" timeout="3"/>
            <systemdisk>
@@ -363,12 +400,13 @@
    </preferences>
    <preferences profiles="x86-self_install,x86-rt-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <!--  NOTE: Added 4096 support here -->
        <type
            image="oem"
            initrd_system="dracut"
@@ -378,7 +416,8 @@
            installboot="install"
            install_continue_on_timeout="false"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -386,7 +425,6 @@
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
            target_blocksize="4096"
            efipartsize="200"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
@@ -403,9 +441,97 @@
            </systemdisk>
        </type>
    </preferences>
-
+    <preferences profiles="aarch64,aarch64-rt,aarch64-64kb">
-    <preferences profiles="rpi,aarch64-rt-rpi">
+        <version>6.2</version>
-        <version>6.1</version>
+        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <!--  NOTE: Added 4096 support here -->
        <type
            image="oem"
            initrd_system="dracut"
            installiso="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
            fsmountoptions="noatime"
            firmware="uefi"
            efipartsize="512"
            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="false"
            disk_start_sector="8192"
            target_blocksize="4096"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
        </type>
    </preferences>
    <preferences profiles="aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <!--  NOTE: Added 4096 support here -->
        <type
            image="oem"
            initrd_system="dracut"
            installiso="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
            fsmountoptions="noatime"
            firmware="uefi"
            efipartsize="512"
            kernelcmdline="security=selinux selinux=1 rd.kiwi.oem.luks.reencrypt rd.kiwi.oem.luks.reencrypt_randompass quiet systemd.show_status=1"
            bootpartition="false"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="false"
            disk_start_sector="8192"
            luks_version="luks2"
            luks="1234"
 	    luks_randomize="false"
 	    luks_pbkdf="pbkdf2"
            target_blocksize="4096"
        >
            <luksformat>
                <option name="--cipher" value="aes-xts-plain64"/>
            </luksformat>
            <bootloader name="grub2" console="gfxterm" use_disk_password="true" timeout="3" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
        </type>
    </preferences>
    <preferences profiles="rpi">
        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -420,11 +546,11 @@
            install_continue_on_timeout="false"
            fsmountoptions="noatime"
            firmware="uefi"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            efipartsize="128"
            editbootinstall="editbootinstall_rpi.sh"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="false"
@@ -444,31 +570,33 @@
            </systemdisk>
        </type>
    </preferences>
-
+    <preferences profiles="aarch64-self_install,aarch64-rt-self_install,aarch64-64kb-self_install">
-    <preferences profiles="aarch64,aarch64-rt">
+        <version>6.2</version>
        <version>6.1</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <!--  NOTE: Added 4096 support here -->
        <type
            image="oem"
            initrd_system="dracut"
            installiso="true"
            installpxe="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
            fsmountoptions="noatime"
            firmware="uefi"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            efipartsize="512"
            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            efipartsize="128"
            btrfs_root_is_readonly_snapshot="true"
-            btrfs_quota_groups="false"
+            btrfs_quota_groups="true"
-            disk_start_sector="4096"
+            disk_start_sector="8192"
            target_blocksize="4096"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
@@ -484,8 +612,8 @@
            </systemdisk>
        </type>
    </preferences>
-    <preferences profiles="aarch64-self_install,aarch64-rt-self_install">
+    <preferences profiles="rpi-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -500,13 +628,14 @@
            installboot="install"
            install_continue_on_timeout="false"
            firmware="uefi"
-            efipartsize="128"
+            efipartsize="512"
-            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0"
+            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            editbootinstall="editbootinstall_rpi.sh"
            btrfs_quota_groups="true"
            disk_start_sector="4096"
        >
@@ -526,7 +655,7 @@
    </preferences>
    <preferences profiles="s390-kvm">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -564,7 +693,7 @@
    <preferences profiles="s390-dasd">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -602,7 +731,7 @@
    <preferences profiles="s390-fba">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -637,7 +766,7 @@
    </preferences>
    <preferences profiles="s390-fcp">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -676,7 +805,7 @@
    </preferences>
    <preferences profiles="x86-vmware">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -687,6 +816,7 @@
            filesystem="btrfs"
            format="vmdk"
            firmware="uefi"
            efipartsize="512"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -707,11 +837,11 @@
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">24</size>
-            <machine memory="1024" HWversion="10" guestOS="suse-64"/>
+            <machine memory="1024" HWversion="17" guestOS="suse-64"/>
        </type>
    </preferences>
    <preferences profiles="x86-qcow">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -722,15 +852,14 @@
            format="qcow2"
            filesystem="btrfs"
            firmware="uefi"
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
+            efipartsize="512"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
            target_blocksize="4096"
            efipartsize="200"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
@@ -748,9 +877,9 @@
            <size unit="G">32</size>
        </type>
    </preferences>
-
+ 
    <preferences profiles="aarch64-qcow">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -761,8 +890,8 @@
            format="qcow2"
            filesystem="btrfs"
            firmware="uefi"
-            efipartsize="128"
+            efipartsize="512"     
-            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=qemu"
+            kernelcmdline="security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=qemu"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -773,7 +902,7 @@
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
@@ -785,7 +914,7 @@
    </preferences>
    <preferences profiles="ppc64le-512ss">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -796,7 +925,7 @@
            image="oem"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -808,7 +937,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -818,7 +947,7 @@
        </type>
    </preferences>
    <preferences profiles="ppc64le-4096ss">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -832,7 +961,7 @@
            target_blocksize="4096"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -844,7 +973,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -855,7 +984,7 @@
    </preferences>
    <preferences profiles="ppc64le-512ss-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -868,7 +997,7 @@
            installpxe="true"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -885,7 +1014,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -895,7 +1024,7 @@
        </type>
    </preferences>
    <preferences profiles="ppc64le-4096ss-self_install">
-        <version>6.1</version>
+        <version>6.2</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
@@ -911,7 +1040,7 @@
            target_blocksize="4096"
            filesystem="btrfs"
            firmware="ofw"
-            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 net.ifnames=0 ignition.platform.id=metal"
+            kernelcmdline="console=hvc0,115200 security=selinux selinux=1 quiet systemd.show_status=1 ignition.platform.id=metal"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
@@ -928,7 +1057,7 @@
                <volume name="home"/>
                <volume name="root"/>
 		<!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
-                <volume name="opt"/>
+ 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/powerpc-ieee1275"/>
                <volume name="boot/writable"/>
@@ -944,20 +1073,17 @@
    </repository>
    <packages type="image" profiles="full">
-        <namedCollection name="base_transactional"/>
+        <namedCollection name="transactional_base"/>
-        <package name="patterns-base-transactional"/>
+        <package name="patterns-base-transactional_base"/>
        <namedCollection name="salt_minion"/>
 	<package name="patterns-base-salt_minion"/>
        <namedCollection name="kvm_host"/>
-	<package name="patterns-base-kvm_host"/>
+	<package name="patterns-micro-kvm_host"/>
 	<package name="lzop"/>
        <namedCollection name="container_runtime_podman"/>
-        <package name="patterns-container-runtime_podman"/>
+        <package name="patterns-container-runtime_podman"/> 
        <namedCollection name="cockpit"/>
-        <package name="patterns-base-cockpit"/>
+        <package name="patterns-cockpit"/>
        <namedCollection name="selinux"/>
        <package name="patterns-base-selinux"/>
        <package name="policycoreutils-python-utils"/>
        <package name="suseconnect-ng"/>
        <package name="SL-Micro-release"/>
        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -967,7 +1093,7 @@
 	<package name="libpwquality-tools"/>
    </packages>
-    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted">
+    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted,aarch64-encrypted,aarch64-rt-encrypted,aarch64-64kb-encrypted">
        <!-- full disk encryption stuff -->
        <package name="device-mapper"/>
        <package name="cryptsetup"/>
@@ -980,13 +1106,12 @@
    </packages>
    <packages type="image" profiles="container-host">
-        <namedCollection name="base_transactional"/>
+        <namedCollection name="transactional_base"/>
-        <package name="patterns-base-transactional"/>
+        <package name="patterns-base-transactional_base"/>
        <namedCollection name="container_runtime_podman"/>
        <package name="patterns-container-runtime_podman"/>
        <namedCollection name="selinux"/>
        <package name="patterns-base-selinux"/>
        <package name="policycoreutils-python-utils"/>
        <package name="suseconnect-ng"/>
        <package name="SL-Micro-release"/>
        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
@@ -1010,16 +1135,16 @@
 	<package name="jeos-firstboot"/>
    </packages>
-    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow">
+    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow,ppc64le-512ss,ppc64le-4096ss,s390-dasd,s390-fcp">
        <package name="cloud-init"/>
        <package name="cloud-init-config-suse"/>
    </packages>
    <packages type="image">
-        <namedCollection name="base_transactional"/>
+        <namedCollection name="transactional_base"/>
-        <package name="patterns-base-transactional"/>
+        <package name="patterns-base-transactional_base"/>
        <namedCollection name="hardware"/>
-        <package name="patterns-base-hardware"/>
+        <package name="patterns-micro-hardware"/>
        <package name="grub2"/>
        <package name="glibc-locale-base"/>
        <package name="ca-certificates"/>
@@ -1038,9 +1163,10 @@
        <package name="NetworkManager"/>
        <package name="NetworkManager-branding-SLE"/>
 	<package name="ModemManager"/>
-	<!-- FIXME does not build without control file which is obsolete
+	<!-- FIXME does not build without control file which is obsolete 
 	<package name="live-add-yast-repos"/> -->
 	<package name="parted"/> <!-- seems missing to deploy the image -->
 	<package name="iptables"/> <!-- needed by RKE2 -->
    </packages>
    <packages type="image" profiles="bootloader">
@@ -1057,14 +1183,18 @@
 	    <package name="kpartx" arch="s390x"/>--> <!-- previous releases picked it always, now kiwi picks partx instead -->
    </packages>
    <!-- rpi kernel-default-base does not provide all necessary drivers -->
-    <packages type="image" profiles="rpi,aarch64-self_install,x86,x86-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
+    <packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,x86,x86-encrypted,aarch64-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64-qcow,s390-kvm,s390-dasd,s390-fba,s390-fcp,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
        <package name="kernel-default"/>
        <package name="kernel-firmware-all"/>
    </packages>
-    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
+    <packages type="image" profiles="aarch64-64kb,aarch64-64kb-encrypted,aarch64-64kb-self_install">
        <package name="kernel-64kb"/>
        <package name="kernel-firmware-all"/>
    </packages>
    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
        <package name="kernel-rt"/>
        <package name="kernel-firmware-all"/>
-	<!-- FIXME intentionally removed from ALP code stream
+	<!-- FIXME intentionally removed from ALP code stream 
        <package name="cpuset"/> -->
    </packages>
    <packages type="image" profiles="s390-kvm,s390-dasd,s390-fba,s390-fcp">
@@ -1076,17 +1206,18 @@
    <packages type="image" profiles="s390-fcp">
        <package name="multipath-tools"/>
    </packages>
-    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64,aarch64-qcow,rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
+    <!-- "oem" images uses kiwi for partition/fs resize (-repart) and SelfInstall images in addition for deployment (-dump). -->
    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64-qcow,aarch64,aarch64-encrypted,aarch64-64kb-encrypted,rpi,rpi-self_install,aarch64-self_install,aarch64-64kb,aarch64-64kb-self_install,aarch64-rt,aarch64-rt-self_install,ppc64le-512ss,ppc64le-4096ss,ppc64le-512ss-self_install,ppc64le-4096ss-self_install">
        <package name="dracut-kiwi-oem-repart"/>
        <package name="dracut-kiwi-oem-dump"/>
    </packages>
-    <packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-rpi,aarch64-rt-self_install">
+    <packages type="image" profiles="rpi,rpi-self_install">
        <package name="raspberrypi-firmware" arch="aarch64"/>
        <package name="raspberrypi-firmware-config" arch="aarch64"/>
        <package name="raspberrypi-firmware-dt" arch="aarch64"/>
        <package name="u-boot-rpiarm64" arch="aarch64"/>
    </packages>
-    <packages type="image" profiles="rpi,aarch64-self_install,aarch64-rt,aarch64-rt-self_install">
+    <packages type="image" profiles="aarch64,rpi,rpi-self_install,aarch64-self_install,aarch64-rt,aarch64-64kb,aarch64-rt-self_install,aarch64-encrypted,aarch64-rt-encrypted,aarchte-64kb-encrypted">
        <package name="dracut-kiwi-oem-repart"/>
        <package name="bcm43xx-firmware"/>
        <package name="wireless-regdb"/>
@@ -1094,6 +1225,7 @@
        <package name="wpa_supplicant"/>
        <package name="grub2-arm64-efi"/>
    </packages>
    <!-- NOTE(edge): Added coreutils, ca-certificates and ca-certificates-mozilla to prevent SSL errors when building the images -->
    <packages type="bootstrap">
        <package name="filesystem"/>
        <package name="coreutils"/>
@@ -1110,14 +1242,15 @@
    <packages type="image" profiles="x86-qcow,aarch64-qcow">
        <package name="qemu-guest-agent"/>
    </packages>
-
+    
    <!-- jsc#PED-8599 -->
-    <packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096">
+    <packages type="image" profiles="Base,Base-encrypted,Base-RT,Base-RT-encrypted,Base-fba,Base-dasd,Base-fcp,Base-512,Base-4096,Default,Default-encrypted,Default-fba,Default-dasd,Default-fcp,Default-512,Default-4096,Base-64kb-encrypted,Default-64kb-encrypted">
        <package name="usbguard"/>
    </packages>
    <!-- jsc#PED-8788 -->
-    <packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-self_install">
+    <packages type="image" profiles="Base-RT,Base-RT-encrypted,x86-rt-encrypted,x86-rt,x86-rt-self_install,aarch64-rt,aarch64-rt-encrypted,aarch64-rt-self_install">
        <package name="stalld"/>
    </packages>
 </image>
--- a/kiwi-builder-image/build-image.sh
+++ b/kiwi-builder-image/build-image.sh
@@ -28,7 +28,7 @@ LARGEBLOCK=false
 usage(){
  cat <<-EOF
  =====================================
-  SUSE Linux Micro 6.1 Kiwi SDK Builder
+  SUSE Linux Micro 6.2 Kiwi SDK Builder
  =====================================
  Usage: ${0} [-p <profile>] [-b]
@@ -36,13 +36,12 @@ usage(){
  Profile Options (-p):
  * Default: RAW Disk Image with default packages (incl. Podman & KVM)
  * Default-SelfInstall: SelfInstall ISO with default packages
  * Default-RPi: RAW Disk Image for Raspberry Pi (aarch64 only with MBR)
  * Base: RAW Disk Image with reduced package set (no KVM)
  * Base-SelfInstall: SelfInstall ISO with reduced packages
  * Base-RT: RAW Disk Image with reduced packages and kernel-rt
  * Base-RT-SelfInstall: SelfInstall ISO with reduced packages and kernel-rt
-  * Base-RT-RPi: RAW Disk image for Raspberry Pi with kernel-rt (aarch64 only with MBR)
+  * RaspberryPi: RAW Disk Image for Raspberry Pi with default packages (aarch64 only with MBR)
-  * Base-RPi: RAW Disk Image for Raspberry Pi with reduced packages (aarch64 only with MBR)
+  * RaspberryPi-SelfInstall: SelfInstall ISO for Raspberry Pi with default packages (aarch64 only with MBR)
  4096 Blocksize (-b): If specified, use a 4096 blocksize (rather than 512) when generating the image.
@@ -83,14 +82,34 @@ if $LARGEBLOCK; then
  mv /micro-sdk/defs/SL-Micro.kiwi.4096 /micro-sdk/defs/SL-Micro.kiwi
 fi
 # Create temporary directory that supports seclabel
 dir=$(mktemp -d)
 mkdir -p /tmp/output/tmp-dir
 mount -t tmpfs $dir /tmp/output/tmp-dir
 # Build the image
-kiwi-ng --debug --profile $PROFILE system build \
+kiwi-ng --temp-dir /tmp/output/tmp-dir --debug --profile $PROFILE \
-    --description /micro-sdk/defs --target-dir /tmp/output --ignore-repos-used-for-build $REPOS
+    system build --description /micro-sdk/defs --target-dir /tmp/output \
    --ignore-repos-used-for-build $REPOS
 # Print output
 RESULT=$?
 if [ $RESULT -eq 0 ]; then
  echo -e "\n\nINFO: Image build successful, generated images are available in the 'output' directory."
  # The -n flag is being used to avoid the \n at the end of the line
  echo -n "INFO: Generating sha256 checksum file... " && {
  # This returns the iso or raw image from the kiwi.result.json file, preferring iso
  FILE_PATH=$(python3 -c 'import json, sys; data = json.load(sys.stdin); iso = data.get("installation_image", {}).get("filename"); raw = data.get("disk_image", {}).get("filename"); print(iso if iso else raw)' < /tmp/output/kiwi.result.json)
  # Generate the checksum if the file path was successfully extracted
  if [ -n "$FILE_PATH" ]; then
    # The sed trims the full path to just the filename (e.g., "sum filename")
    sha256sum "$FILE_PATH" | sed -E 's/\s+.*\/([^/]+)$/  \1/' > "$FILE_PATH.sha256" && echo "done"
  else
    # Or fail if it is not there
    echo "ERROR: Neither ISO nor RAW file path found in JSON."
  fi
  # Catch-all just in case something fails inside the block
  } || echo "ERROR: Command failed during processing."
 else
  echo -e "\n\nERROR: Failed to build the image, please see above logs."
 fi
--- a/kiwi-builder-image/config.sh
+++ b/kiwi-builder-image/config.sh
@@ -188,7 +188,6 @@ cat >/etc/fstab.script <<"EOF"
 #!/bin/sh
 set -eux
 /usr/sbin/setup-fstab-for-overlayfs
 # If /var is on a different partition than /...
 if [ "$(findmnt -snT / -o SOURCE)" != "$(findmnt -snT /var -o SOURCE)" ]; then
 	# ... set options for autoexpanding /var
--- a/kiwi-builder-image/disk.sh
+++ b/kiwi-builder-image/disk.sh
@@ -0,0 +1,24 @@
 #!/bin/bash
 # Copyright (c) 2025 SUSE LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
 # in the Software without restriction, including without limitation the rights
 # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 # copies of the Software, and to permit persons to whom the Software is
 # furnished to do so, subject to the following conditions:
 # 
 # The above copyright notice and this permission notice shall be included in
 # all copies or substantial portions of the Software.
 # 
 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 set -euxo pipefail
 /usr/libexec/setup-etc-subvol
--- a/kiwi-builder-image/editbootinstall_pine64.sh
+++ b/kiwi-builder-image/editbootinstall_pine64.sh
@@ -0,0 +1,40 @@
 #!/bin/bash
 set -euxo pipefail
 diskname=$1
 devname="$2"
 loopname="${devname%*p?}"
 loopdev=/dev/${loopname#/dev/mapper/*}
 #==========================================
 # The GPT spans the first 33 sectors, but we need to write our
 # at sector 16. Shrink the GPT to only span 5 sectors
 # (16 partitions) to give us some space.
 #------------------------------------------
 # echo -e 'x\ns\n16\nw\ny' > gdisk.tmp
 # Shrink GPT does not work anymore, so let's use legacy MBR for now
 cat > gdisk.tmp <<-'EOF'
 		x
 		r
 		g
 		t
 		1
 		c
 		w
 		y
 	EOF
 dd if=$loopdev of=mbrid.bin bs=1 skip=440 count=4
 gdisk $loopdev < gdisk.tmp
 dd of=$loopdev if=mbrid.bin bs=1 seek=440 count=4
 rm -f mbrid.bin
 rm -f gdisk.tmp
 #==========================================
 # Installing All-in-one U-Boot/SPL
 #------------------------------------------
 echo "Installing All-in-one U-Boot/SPL..."
 if ! dd if=boot/u-boot-sunxi-with-spl.bin of=$diskname bs=1024 seek=8 conv=notrunc; then
 	echo "Couldn't install SPL on $diskname"
 	exit 1
 fi
--- a/kiwi-builder-image/editbootinstall_rpi.sh
+++ b/kiwi-builder-image/editbootinstall_rpi.sh
@@ -3,12 +3,9 @@ set -euxo pipefail
 diskname=$1
 devname="$2"
 loopname="${devname%*p?}"
 loopdev=/dev/${loopname#/dev/*}
 if [ ! -f $loopdev ]; then loopdev=/dev/${loopdev#/dev/mapper/}; fi
 #==========================================
 # copy Raspberry Pi firmware to EFI partition
 #------------------------------------------
--- a/kube-rbac-proxy/_service
+++ b/kube-rbac-proxy/_service
@@ -2,7 +2,7 @@
 <service name="obs_scm">
    <param name="url">https://github.com/brancz/kube-rbac-proxy</param>
    <param name="scm">git</param>
-    <param name="revision">v0.18.1</param>
+    <param name="revision">v0.19.1</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
--- a/kube-rbac-proxy/kube-rbac-proxy.spec
+++ b/kube-rbac-proxy/kube-rbac-proxy.spec
@@ -17,14 +17,14 @@
 Name:           kube-rbac-proxy
-Version:        0.18.1
+Version:        0.19.1
-Release:        0.18.1
+Release:        0.19.1
 Summary:        The kube-rbac-proxy is a small HTTP proxy for a single upstream
 License:        Apache-2.0
 URL:            https://github.com/brancz/kube-rbac-proxy
 Source:         kube-rbac-proxy-%{version}.tar
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.23
+BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
--- a/kubectl-image/Dockerfile
+++ b/kubectl-image/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%kubectl:1.33.4
+#!BuildTag: %%IMG_PREFIX%%kubectl:1.34.2
-#!BuildTag: %%IMG_PREFIX%%kubectl:1.33.4-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%kubectl:1.34.2-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -15,11 +15,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE kubectl image"
 LABEL org.opencontainers.image.description="kubectl on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="1.33.4"
+LABEL org.opencontainers.image.version="1.34.2"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.33.4-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.34.2-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
--- a/kubectl/kubectl.spec
+++ b/kubectl/kubectl.spec
@@ -1,7 +1,7 @@
 %global debug_package %{nil}
 Name: kubectl
-Version: 1.33.4
+Version: 1.34.2
 Release: 0
 Summary: Command-line utility for interacting with a Kubernetes cluster
--- a/kubectl/kubectl_1.33.4.orig.tar.gz
+++ b/kubectl/kubectl_1.33.4.orig.tar.gz
--- a/kubectl/kubectl_1.34.2.orig.tar.gz
+++ b/kubectl/kubectl_1.34.2.orig.tar.gz
--- a/kubevirt-dashboard-extension-chart/Chart.yaml
+++ b/kubevirt-dashboard-extension-chart/Chart.yaml
@@ -1,5 +1,5 @@
-#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.3_up1.3.2
+#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.3
-#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.3_up1.3.2-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.4_up1.3.3-%RELEASE%
 annotations:
  catalog.cattle.io/certified: rancher
  catalog.cattle.io/namespace: cattle-ui-plugin-system
@@ -12,10 +12,10 @@ annotations:
  catalog.cattle.io/ui-extensions-version: '>= 3.0.2 < 4.0.0'
  catalog.cattle.io/kube-version: '>= v1.26.0-0'
 apiVersion: v2
-appVersion: 304.0.3+up1.3.2
+appVersion: 1.3.3
 description: 'SUSE Edge: KubeVirt extension for Rancher Dashboard'
 name: kubevirt-dashboard-extension
 type: application
-version: "%%CHART_MAJOR%%.0.3+up1.3.2"
+version: "%%CHART_MAJOR%%.0.4+up1.3.3"
 icon: >-
  https://raw.githubusercontent.com/cncf/artwork/master/projects/kubevirt/icon/color/kubevirt-icon-color.svg
--- a/kubevirt-dashboard-extension-chart/templates/cr.yaml
+++ b/kubevirt-dashboard-extension-chart/templates/cr.yaml
@@ -8,7 +8,7 @@ spec:
  plugin:
    name: {{ include "extension-server.fullname" . }}
    version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
-    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/kubevirt-dashboard-extension/304.0.3+up1.3.2
+    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/kubevirt-dashboard-extension/1.3.3
    noCache: {{ .Values.plugin.noCache }}
    noAuth: {{ .Values.plugin.noAuth }}
    metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}
--- a/metal3-chart/Chart.yaml
+++ b/metal3-chart/Chart.yaml
@@ -1,28 +1,28 @@
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.16_up0.12.6
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.20_up0.13.0
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.16_up0.12.6-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.20_up0.13.0-%RELEASE%
 apiVersion: v2
-appVersion: 0.12.6
+appVersion: 0.13.0
 dependencies:
 - alias: metal3-baremetal-operator
  name: baremetal-operator
  repository: file://./charts/baremetal-operator
-  version: 0.10.4
+  version: 0.11.2
 - alias: metal3-ironic
  name: ironic
  repository: file://./charts/ironic
-  version: 0.11.4
+  version: 0.12.0
 - alias: metal3-mariadb
  condition: global.enable_mariadb
  name: mariadb
  repository: file://./charts/mariadb
-  version: 0.6.1
+  version: 0.6.2
 - alias: metal3-media
  condition: global.enable_metal3_media_server
  name: media
  repository: file://./charts/media
-  version: 0.6.6
+  version: 0.7.1
 description: A Helm chart that installs all of the dependencies needed for Metal3
 icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
 name: metal3
 type: application
-version: "%%CHART_MAJOR%%.0.16+up0.12.6"
+version: "%%CHART_MAJOR%%.0.20+up0.13.0"
--- a/metal3-chart/charts/baremetal-operator/Chart.yaml
+++ b/metal3-chart/charts/baremetal-operator/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 0.10.2
+appVersion: 0.11.2
 description: A Helm chart for baremetal-operator, used by Metal3
 name: baremetal-operator
 type: application
-version: 0.10.4
+version: 0.11.2
--- a/metal3-chart/charts/baremetal-operator/crds/customresource-baremetalhosts.yaml
+++ b/metal3-chart/charts/baremetal-operator/crds/customresource-baremetalhosts.yaml
@@ -291,6 +291,15 @@ spec:
                required:
                - url
                type: object
              inspectionMode:
                description: |-
                  Specifies the mode for host inspection.
                  "disabled" - no inspection will be performed
                  "agent" - normal agent-based inspection will run
                enum:
                - disabled
                - agent
                type: string
              metaData:
                description: |-
                  MetaData holds the reference to the Secret containing host metadata
@@ -578,9 +587,8 @@ spec:
                      description: Required. The taint key to be applied to a node.
                      type: string
                    timeAdded:
-                      description: |-
+                      description: TimeAdded represents the time at which the taint
-                        TimeAdded represents the time at which the taint was added.
+                        was added.
                        It is only written for NoExecute taints.
                      format: date-time
                      type: string
                    value:
@@ -710,6 +718,19 @@ spec:
                            if one is present.  If both IPv4 and IPv6 addresses are present in a
                            dual-stack environment, two nics will be output, one with each IP.
                          type: string
                        lldp:
                          description: LLDP data for this interface
                          properties:
                            portID:
                              description: The switch port ID from LLDP
                              type: string
                            switchID:
                              description: The switch chassis ID from LLDP
                              type: string
                            switchSystemName:
                              description: The switch system name from LLDP
                              type: string
                          type: object
                        mac:
                          description: The device MAC address
                          pattern: '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}'
--- a/metal3-chart/charts/baremetal-operator/crds/customresource-hardwaredata.yaml
+++ b/metal3-chart/charts/baremetal-operator/crds/customresource-hardwaredata.yaml
@@ -99,6 +99,19 @@ spec:
                            if one is present.  If both IPv4 and IPv6 addresses are present in a
                            dual-stack environment, two nics will be output, one with each IP.
                          type: string
                        lldp:
                          description: LLDP data for this interface
                          properties:
                            portID:
                              description: The switch port ID from LLDP
                              type: string
                            switchID:
                              description: The switch chassis ID from LLDP
                              type: string
                            switchSystemName:
                              description: The switch system name from LLDP
                              type: string
                          type: object
                        mac:
                          description: The device MAC address
                          pattern: '[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}'
--- a/metal3-chart/charts/baremetal-operator/values.yaml
+++ b/metal3-chart/charts/baremetal-operator/values.yaml
@@ -28,7 +28,7 @@ images:
  baremetalOperator:
    repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/baremetal-operator
    pullPolicy: IfNotPresent
-    tag: "0.10.2.1"
+    tag: "0.11.2.0"
 imagePullSecrets: []
 nameOverride: "manger"
--- a/metal3-chart/charts/ironic/Chart.yaml
+++ b/metal3-chart/charts/ironic/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 29.0.4
+appVersion: 32.0.0
 description: A Helm chart for Ironic, used by Metal3
 name: ironic
 type: application
-version: 0.11.4
+version: 0.12.0
--- a/metal3-chart/charts/ironic/templates/configmap.yaml
+++ b/metal3-chart/charts/ironic/templates/configmap.yaml
@@ -52,3 +52,6 @@ data:
  {{- else }}
  IRONIC_USE_MARIADB: "false"
  {{- end }}
  {{- with .Values.ironicExtraEnv -}}
  {{ toYaml . | nindent 2 }}
  {{- end -}}
--- a/metal3-chart/charts/ironic/templates/deployment.yaml
+++ b/metal3-chart/charts/ironic/templates/deployment.yaml
@@ -160,12 +160,7 @@ spec:
        image: {{ .Values.images.ironic.repository }}:{{ .Values.images.ironic.tag }}
        imagePullPolicy: {{ .Values.images.ironic.pullPolicy }}
        securityContext:
-          {{- toYaml .Values.securityContext | nindent 10 }}
+          {{- merge .Values.securityContext .Values.dnsmasqSecurityContext | toYaml | nindent 10 }}
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
        command:
        - /bin/rundnsmasq
        envFrom:
--- a/metal3-chart/charts/ironic/values.yaml
+++ b/metal3-chart/charts/ironic/values.yaml
@@ -64,11 +64,11 @@ images:
  ironic:
    repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
    pullPolicy: IfNotPresent
-    tag: 29.0.4.3
+    tag: 32.0.0.0
  ironicIPADownloader:
    repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader
    pullPolicy: IfNotPresent
-    tag: 3.0.9
+    tag: 3.0.10
 nameOverride: ""
 fullnameOverride: ""
@@ -97,6 +97,12 @@ securityContext:
    type: RuntimeDefault
  runAsNonRoot: true
 dnsmasqSecurityContext:
  capabilities:
    add:
    - NET_ADMIN
    - NET_RAW
 service:
  type: LoadBalancer
  annotations: {}
@@ -138,6 +144,8 @@ baremetaloperator:
 debug:
  ironicRamdiskSshKey: ""
 ironicExtraEnv: {}
 tlscerts:
  cacert: ""
  key: ""
--- a/metal3-chart/charts/mariadb/Chart.yaml
+++ b/metal3-chart/charts/mariadb/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: "10.11"
+appVersion: "11.8"
 description: A Helm chart for MariaDB, used by Metal3
 name: mariadb
 type: application
-version: 0.6.1
+version: 0.6.2
--- a/metal3-chart/charts/mariadb/values.yaml
+++ b/metal3-chart/charts/mariadb/values.yaml
@@ -14,7 +14,7 @@ service:
 image:
  repository: registry.suse.com/suse/mariadb
  pullPolicy: IfNotPresent
-  tag: 10.11
+  tag: 11.8
 nameOverride: ""
 fullnameOverride: ""
--- a/metal3-chart/charts/media/Chart.yaml
+++ b/metal3-chart/charts/media/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 1.16.0
+appVersion: 1.21.0
 description: A Helm chart for Media, used by Metal3
 name: media
 type: application
-version: 0.6.6
+version: 0.7.1
--- a/metal3-chart/charts/media/templates/deployment.yaml
+++ b/metal3-chart/charts/media/templates/deployment.yaml
@@ -34,13 +34,9 @@ spec:
      {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          command:
          - /usr/sbin/httpd
          args:
          - -DFOREGROUND
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: http
--- a/metal3-chart/charts/media/values.yaml
+++ b/metal3-chart/charts/media/values.yaml
@@ -22,9 +22,9 @@ global:
 replicaCount: 1
 image:
-  repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
+  repository: registry.suse.com/suse/nginx
  pullPolicy: IfNotPresent
-  tag: 29.0.4.2
+  tag: 1.21
 imagePullSecrets: []
 nameOverride: ""
@@ -42,8 +42,8 @@ serviceAccount:
 podAnnotations: {}
 podSecurityContext:
-  runAsUser: 10475
+  runAsUser: 499
-  fsGroup: 10475
+  fsGroup: 486
 securityContext:
  allowPrivilegeEscalation: false
@@ -102,11 +102,16 @@ volumes:
  - name: assets
    persistentVolumeClaim:
      claimName: media
  - name: run
    emptyDir:
      sizeLimit: 10Mi
 # volume mounts
 volumeMounts:
  - mountPath: /srv/www/htdocs
    name: assets
  - mountPath: /run
    name: run
 # media volume settings
 mediaVolume:
--- a/metal3-chart/values.yaml
+++ b/metal3-chart/values.yaml
@@ -89,8 +89,6 @@ metal3-media:
  # available to the Ironic deployment services.
  mediaVolume:
    hostPath: /opt/media
  image:
    repository: "%%IMG_REPO%%/%%IMG_PREFIX%%ironic"
 #
 # ironic service
--- a/metallb-chart/Chart.yaml
+++ b/metallb-chart/Chart.yaml
@@ -1,17 +1,17 @@
-#!BuildTag: %%CHART_PREFIX%%metallb:%%CHART_MAJOR%%.0.0_up0.14.9
+#!BuildTag: %%CHART_PREFIX%%metallb:%%CHART_MAJOR%%.0.1_up0.15.2
-#!BuildTag: %%CHART_PREFIX%%metallb:%%CHART_MAJOR%%.0.0_up0.14.9-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%metallb:%%CHART_MAJOR%%.0.1_up0.15.2-%RELEASE%
 apiVersion: v2
-appVersion: v0.14.9
+appVersion: v0.15.2
 dependencies:
 - condition: crds.enabled
  name: crds
  repository: file://./charts/crds
-  version: 0.14.9
+  version: 0.15.2
 - alias: metallb-frr-k8s
  condition: frrk8s.enabled
  name: frr-k8s
  repository: file://./charts/frr-k8s
-  version: 0.0.16
+  version: 0.0.20
 description: A network load-balancer implementation for Kubernetes using standard
  routing protocols
 home: https://metallb.universe.tf
@@ -21,4 +21,4 @@ name: metallb
 sources:
 - https://github.com/metallb/metallb
 type: application
-version: "%%CHART_MAJOR%%.0.0+up0.14.9"
+version: "%%CHART_MAJOR%%.0.1+up0.15.2"
--- a/metallb-chart/README.md
+++ b/metallb-chart/README.md
@@ -1,6 +1,6 @@
 # metallb
-![Version: 0.14.9](https://img.shields.io/badge/Version-0.14.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.14.9](https://img.shields.io/badge/AppVersion-v0.14.9-informational?style=flat-square)
+![Version: 0.15.2](https://img.shields.io/badge/Version-0.15.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.15.2](https://img.shields.io/badge/AppVersion-v0.15.2-informational?style=flat-square)
 A network load-balancer implementation for Kubernetes using standard routing protocols
@@ -16,8 +16,8 @@ Kubernetes: `>= 1.19.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
-|  | crds | 0.14.9 |
+|  | crds | 0.15.2 |
-| https://metallb.github.io/frr-k8s | frr-k8s | 0.0.16 |
+| https://metallb.github.io/frr-k8s | frr-k8s | 0.0.20 |
 ## Values
@@ -99,7 +99,7 @@ Kubernetes: `>= 1.19.0-0`
 | prometheus.rbacPrometheus | bool | `true` |  |
 | prometheus.rbacProxy.pullPolicy | string | `nil` |  |
 | prometheus.rbacProxy.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/kube-rbac-proxy"` |  |
-| prometheus.rbacProxy.tag | string | `"v0.18.0"` |  |
+| prometheus.rbacProxy.tag | string | `"v0.19.1"` |  |
 | prometheus.scrapeAnnotations | bool | `false` |  |
 | prometheus.serviceAccount | string | `""` |  |
 | prometheus.serviceMonitor.controller.additionalLabels | object | `{}` |  |
@@ -122,7 +122,7 @@ Kubernetes: `>= 1.19.0-0`
 | speaker.frr.enabled | bool | `true` |  |
 | speaker.frr.image.pullPolicy | string | `nil` |  |
 | speaker.frr.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/frr"` |  |
-| speaker.frr.image.tag | string | `"8.5.6"` |  |
+| speaker.frr.image.tag | string | `"10.2.1"` |  |
 | speaker.frr.metricsPort | int | `7473` |  |
 | speaker.frr.resources | object | `{}` |  |
 | speaker.frrMetrics.resources | object | `{}` |  |
--- a/metallb-chart/charts/crds/Chart.yaml
+++ b/metallb-chart/charts/crds/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.14.9
+appVersion: v0.15.2
 description: MetalLB CRDs
 home: https://metallb.universe.tf
 icon: https://metallb.universe.tf/images/logo/metallb-white.png
@@ -7,4 +7,4 @@ name: crds
 sources:
 - https://github.com/metallb/metallb
 type: application
-version: 0.14.9
+version: 0.15.2
--- a/metallb-chart/charts/crds/templates/crds.yaml
+++ b/metallb-chart/charts/crds/templates/crds.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: bfdprofiles.metallb.io
 spec:
  group: metallb.io
@@ -123,7 +123,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: bgpadvertisements.metallb.io
 spec:
  group: metallb.io
@@ -329,7 +329,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: bgppeers.metallb.io
 spec:
  conversion:
@@ -526,7 +526,15 @@ spec:
                      rule: duration(self).getMilliseconds() % 1000 == 0
                disableMP:
                  default: false
-                  description: To set if we want to disable MP BGP that will separate IPv4 and IPv6 route exchanges into distinct BGP sessions.
+                  description: |-
                    To set if we want to disable MP BGP that will separate IPv4 and IPv6 route exchanges into distinct BGP sessions.
                    Deprecated: DisableMP is deprecated in favor of dualStackAddressFamily.
                  type: boolean
                dualStackAddressFamily:
                  default: false
                  description: |-
                    To set if we want to enable the neighbor not only for the ipfamily related to its session,
                    but also the other one. This allows to advertise/receive IPv4 prefixes over IPv6 sessions and vice versa.
                  type: boolean
                dynamicASN:
                  description: |-
@@ -555,6 +563,14 @@ spec:
                holdTime:
                  description: Requested BGP hold time, per RFC4271.
                  type: string
                interface:
                  description: |-
                    Interface is the node interface over which the unnumbered BGP peering will
                    be established. No API validation takes place as that string value
                    represents an interface name on the host and if user provides an invalid
                    value, only the actual BGP session will not be established.
                    Address and Interface are mutually exclusive and one of them must be specified.
                  type: string
                keepaliveTime:
                  description: Requested BGP keepalive time, per RFC4271.
                  type: string
@@ -649,7 +665,7 @@ spec:
                  default: 179
                  description: Port to dial when establishing the session.
                  maximum: 16384
-                  minimum: 0
+                  minimum: 1
                  type: integer
                routerID:
                  description: BGP router ID to advertise to the peer
@@ -664,7 +680,6 @@ spec:
                  type: string
              required:
                - myASN
                - peerAddress
              type: object
            status:
              description: BGPPeerStatus defines the observed state of Peer.
@@ -679,7 +694,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: communities.metallb.io
 spec:
  group: metallb.io
@@ -744,7 +759,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: ipaddresspools.metallb.io
 spec:
  group: metallb.io
@@ -941,6 +956,28 @@ spec:
              type: object
            status:
              description: IPAddressPoolStatus defines the observed state of IPAddressPool.
              properties:
                assignedIPv4:
                  description: AssignedIPv4 is the number of assigned IPv4 addresses.
                  format: int64
                  type: integer
                assignedIPv6:
                  description: AssignedIPv6 is the number of assigned IPv6 addresses.
                  format: int64
                  type: integer
                availableIPv4:
                  description: AvailableIPv4 is the number of available IPv4 addresses.
                  format: int64
                  type: integer
                availableIPv6:
                  description: AvailableIPv6 is the number of available IPv6 addresses.
                  format: int64
                  type: integer
              required:
                - assignedIPv4
                - assignedIPv6
                - availableIPv4
                - availableIPv6
              type: object
          required:
            - spec
@@ -954,7 +991,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: l2advertisements.metallb.io
 spec:
  group: metallb.io
@@ -1134,7 +1171,92 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
-    controller-gen.kubebuilder.io/version: v0.16.3
+    controller-gen.kubebuilder.io/version: v0.17.2
  name: servicebgpstatuses.metallb.io
 spec:
  group: metallb.io
  names:
    kind: ServiceBGPStatus
    listKind: ServiceBGPStatusList
    plural: servicebgpstatuses
    singular: servicebgpstatus
  scope: Namespaced
  versions:
    - additionalPrinterColumns:
        - jsonPath: .status.node
          name: Node
          type: string
        - jsonPath: .status.serviceName
          name: Service Name
          type: string
        - jsonPath: .status.serviceNamespace
          name: Service Namespace
          type: string
      name: v1beta1
      schema:
        openAPIV3Schema:
          description: ServiceBGPStatus exposes the BGP peers a service is configured to be advertised to, per relevant node.
          properties:
            apiVersion:
              description: |-
                APIVersion defines the versioned schema of this representation of an object.
                Servers should convert recognized schemas to the latest internal value, and
                may reject unrecognized values.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: |-
                Kind is a string value representing the REST resource this object represents.
                Servers may infer this from the endpoint the client submits requests to.
                Cannot be updated.
                In CamelCase.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: ServiceBGPStatusSpec defines the desired state of ServiceBGPStatus.
              type: object
            status:
              description: MetalLBServiceBGPStatus defines the observed state of ServiceBGPStatus.
              properties:
                node:
                  description: Node indicates the node announcing the service.
                  type: string
                  x-kubernetes-validations:
                    - message: Value is immutable
                      rule: self == oldSelf
                peers:
                  description: |-
                    Peers indicate the BGP peers for which the service is configured to be advertised to.
                    The service being actually advertised to a given peer depends on the session state and is not indicated here.
                  items:
                    type: string
                  type: array
                serviceName:
                  description: ServiceName indicates the service this status represents.
                  type: string
                  x-kubernetes-validations:
                    - message: Value is immutable
                      rule: self == oldSelf
                serviceNamespace:
                  description: ServiceNamespace indicates the namespace of the service.
                  type: string
                  x-kubernetes-validations:
                    - message: Value is immutable
                      rule: self == oldSelf
              type: object
          type: object
      served: true
      storage: true
      subresources:
        status: {}
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.17.2
  name: servicel2statuses.metallb.io
 spec:
  group: metallb.io
--- a/metallb-chart/charts/frr-k8s/Chart.yaml
+++ b/metallb-chart/charts/frr-k8s/Chart.yaml
@@ -1,10 +1,10 @@
 apiVersion: v2
-appVersion: v0.0.16
+appVersion: v0.0.20
 dependencies:
 - condition: crds.enabled
  name: crds
  repository: file://./charts/crds
-  version: 0.0.16
+  version: 0.0.20
 description: A cloud native wrapper of FRR
 home: https://metallb.universe.tf
 icon: https://metallb.universe.tf/images/logo/metallb-white.png
@@ -13,4 +13,4 @@ name: frr-k8s
 sources:
 - https://github.com/metallb/frr-k8s
 type: application
-version: 0.0.16
+version: 0.0.20
--- a/metallb-chart/charts/frr-k8s/README.md
+++ b/metallb-chart/charts/frr-k8s/README.md
@@ -1,6 +1,6 @@
 # frr-k8s
-![Version: 0.0.16](https://img.shields.io/badge/Version-0.0.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.16](https://img.shields.io/badge/AppVersion-v0.0.16-informational?style=flat-square)
+![Version: 0.0.20](https://img.shields.io/badge/Version-0.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.20](https://img.shields.io/badge/AppVersion-v0.0.20-informational?style=flat-square)
 A cloud native wrapper of FRR
@@ -16,7 +16,7 @@ Kubernetes: `>= 1.19.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
-|  | crds | 0.0.16 |
+|  | crds | 0.0.20 |
 ## Values
@@ -30,7 +30,7 @@ Kubernetes: `>= 1.19.0-0`
 | frrk8s.frr.acceptIncomingBGPConnections | bool | `false` |  |
 | frrk8s.frr.image.pullPolicy | string | `nil` |  |
 | frrk8s.frr.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/frr"` |  |
-| frrk8s.frr.image.tag | string | `"8.5.6"` |  |
+| frrk8s.frr.image.tag | string | `"10.2.1"` |  |
 | frrk8s.frr.metricsBindAddress | string | `"127.0.0.1"` |  |
 | frrk8s.frr.metricsPort | int | `7573` |  |
 | frrk8s.frr.resources | object | `{}` |  |
@@ -78,7 +78,7 @@ Kubernetes: `>= 1.19.0-0`
 | prometheus.rbacPrometheus | bool | `false` |  |
 | prometheus.rbacProxy.pullPolicy | string | `nil` |  |
 | prometheus.rbacProxy.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/kube-rbac-proxy"` |  |
-| prometheus.rbacProxy.tag | string | `"v0.18.0"` |  |
+| prometheus.rbacProxy.tag | string | `"v0.19.1"` |  |
 | prometheus.scrapeAnnotations | bool | `false` |  |
 | prometheus.secureMetricsPort | int | `9140` |  |
 | prometheus.serviceAccount | string | `""` |  |
--- a/metallb-chart/charts/frr-k8s/charts/crds/Chart.yaml
+++ b/metallb-chart/charts/frr-k8s/charts/crds/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.0.16
+appVersion: v0.0.20
 description: FRR K8s CRDs
 home: https://metallb.universe.tf
 icon: https://metallb.universe.tf/images/logo/metallb-white.png
@@ -7,4 +7,4 @@ name: crds
 sources:
 - https://github.com/metallb/frr-k8s
 type: application
-version: 0.0.16
+version: 0.0.20
--- a/metallb-chart/charts/frr-k8s/values.yaml
+++ b/metallb-chart/charts/frr-k8s/values.yaml
@@ -98,7 +98,7 @@ frrk8s:
  tolerateMaster: true
  image:
    repository: "registry.opensuse.org/isv/suse/edge/metallb/images/frr-k8s"
-    tag: "v0.0.16"
+    tag: "v0.0.20"
    pullPolicy: IfNotPresent
  ## @param controller.updateStrategy.type FRR-K8s controller daemonset strategy type
  ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
@@ -161,7 +161,7 @@ frrk8s:
  frr:
    image:
      repository: "registry.opensuse.org/isv/suse/edge/metallb/images/frr"
-      tag: "8.5.6"
+      tag: "10.2.1"
      pullPolicy: IfNotPresent
    metricsBindAddress: 127.0.0.1
    metricsPort: 7573
--- a/metallb-chart/templates/rbac.yaml
+++ b/metallb-chart/templates/rbac.yaml
@@ -110,6 +110,9 @@ rules:
 - apiGroups: ["metallb.io"]
  resources: ["communities"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["metallb.io"]
  resources: ["servicebgpstatuses","servicebgpstatuses/status"]
  verbs: ["*"]
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -138,6 +141,9 @@ rules:
 - apiGroups: ["metallb.io"]
  resources: ["ipaddresspools"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["metallb.io"]
  resources: ["ipaddresspools/status"]
  verbs: ["update"]
 - apiGroups: ["metallb.io"]
  resources: ["bgppeers"]
  verbs: ["get", "list"]
--- a/metallb-chart/values.yaml
+++ b/metallb-chart/values.yaml
@@ -59,7 +59,7 @@ prometheus:
  # the image to be used for the kuberbacproxy container
  rbacProxy:
    repository: "%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy"
-    tag: "0.18.1"
+    tag: "0.19.1"
    pullPolicy: IfNotPresent
  # Prometheus Operator PodMonitors
@@ -201,7 +201,7 @@ controller:
  # webhookMode: enabled
  image:
    repository: "%%IMG_REPO%%/%%IMG_PREFIX%%metallb-controller"
-    tag: "v0.14.9"
+    tag: "v0.15.2"
    pullPolicy: IfNotPresent
  ## @param controller.updateStrategy.type Metallb controller deployment strategy type.
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
@@ -282,7 +282,7 @@ speaker:
  image:
    repository: "%%IMG_REPO%%/%%IMG_PREFIX%%metallb-speaker"
-    tag: "v0.14.9"
+    tag: "v0.15.2"
    pullPolicy: IfNotPresent
  ## @param speaker.updateStrategy.type Speaker daemonset strategy type
  ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
@@ -346,7 +346,7 @@ speaker:
    enabled: false
    image:
      repository: "%%IMG_REPO%%/%%IMG_PREFIX%%frr"
-      tag: "8.5.6"
+      tag: "10.2.1"
      pullPolicy: IfNotPresent
    metricsPort: 7473
    resources: {}
--- a/metallb/_service
+++ b/metallb/_service
@@ -2,7 +2,7 @@
 <service name="obs_scm">
    <param name="url">https://github.com/metallb/metallb</param>
    <param name="scm">git</param>
-    <param name="revision">v0.14.9</param>
+    <param name="revision">v0.15.2</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
@@ -18,4 +18,4 @@
  <service name="go_modules">
  </service>
  <service mode="buildtime" name="set_version" />
-</services>
+</services>
--- a/metallb/metallb.spec
+++ b/metallb/metallb.spec
@@ -17,14 +17,14 @@
 Name:           metallb
-Version:        0.14.9
+Version:        0.15.2
-Release:        0.14.9
+Release:        0.15.2
 Summary:        Load Balancer for bare metal Kubernetes clusters
 License:        Apache-2.0
 URL:            https://github.com/metallb/metallb
 Source:         %{name}-%{version}.tar
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.24
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
--- a/Show More
+++ b/Show More