CCv0: Merge from main -- August 1st

Conflicts:
	src/runtime/pkg/katautils/config.go
	src/runtime/virtcontainers/container.go
	src/runtime/virtcontainers/hypervisor.go
	src/runtime/virtcontainers/qemu_arch_base.go
	src/runtime/virtcontainers/sandbox.go
	tests/integration/kubernetes/gha-run.sh
	tests/integration/kubernetes/setup.sh
	tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml
	tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
	tools/packaging/kata-deploy/scripts/kata-deploy.sh
	tools/packaging/kernel/kata_config_version
	versions.yaml

Fixes: #7433

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>

tools/packaging/guest-image/build_image.sh

@@ -21,24 +21,15 @@ readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)"
 
 export GOPATH=${GOPATH:-${HOME}/go}
 
-final_image_name="kata-containers"
-final_initrd_name="kata-containers-initrd"
-image_initrd_extension=".img"
-
 arch_target="$(uname -m)"
-final_image_name="kata-containers"
-final_initrd_name="kata-containers-initrd"
+final_artifact_name="kata-containers"
 image_initrd_extension=".img"
 
 build_initrd() {
 	info "Build initrd"
-	info "initrd os: $initrd_distro"
-	info "initrd os version: $initrd_os_version"
-	local rootfs_build_dest="${builddir}/initrd-image"
-	export DISTRO="$initrd_distro"
-	export OS_VERSION="${initrd_os_version}"
-	export USE_DOCKER=1
-	export AGENT_INIT="yes"
+	info "initrd os: $os_name"
+	info "initrd os version: $os_version"
+
 	# ROOTFS_BUILD_DEST is a Make variable
 	# SNP will also use the SEV guest module
 	if [[ "${AA_KBC:-}" == "offline_sev_kbc" || "${AA_KBC:-}" == "online_sev_kbc" ]]; then
@@ -46,40 +37,49 @@ build_initrd() {
 		kernel_version="$(get_from_kata_deps "assets.kernel.sev.version")"
 		kernel_version=${kernel_version#v}
 		module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version}-${config_version}/lib/modules/${kernel_version}"
-		sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}" KERNEL_MODULES_DIR="${module_dir}"
+		sudo -E PATH="$PATH" make rootfs AGENT_INIT=yes USE_DOCKER=1 ROOTFS_BUILD_DEST="${builddir}/initrd-image" KERNEL_MODULES_DIR="${module_dir}"
 	else
-		sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}"
+		sudo -E PATH="$PATH" make rootfs AGENT_INIT=yes USE_DOCKER=1 ROOTFS_BUILD_DEST="${builddir}/intrd-image"
 	fi
 
 	if [ -n "${INCLUDE_ROOTFS:-}" ]; then
-		sudo cp -RL --preserve=mode "${INCLUDE_ROOTFS}/." "${rootfs_build_dest}/${initrd_distro}_rootfs/"
+		sudo cp -RL --preserve=mode "${INCLUDE_ROOTFS}/." "${builddir}/initrd-image/${initrd_distro}_rootfs/"
 	fi
-	sudo -E PATH="$PATH" make initrd ROOTFS_BUILD_DEST="${rootfs_build_dest}"
-	mv "kata-containers-initrd.img" "${install_dir}/${initrd_name}"
+
+	sudo -E PATH="$PATH" make initrd \
+		DISTRO="$os_name" \
+		DEBUG="${DEBUG:-}" \
+		OS_VERSION="${os_version}" \
+		ROOTFS_BUILD_DEST="${builddir}/initrd-image" \
+		USE_DOCKER=1 \
+		AGENT_INIT="yes"
+	mv "kata-containers-initrd.img" "${install_dir}/${artifact_name}"
 	(
 		cd "${install_dir}"
-		ln -sf "${initrd_name}" "${final_initrd_name}${image_initrd_extension}"
+		ln -sf "${artifact_name}" "${final_artifact_name}${image_initrd_extension}"
 	)
 }
 
 build_image() {
+	set -x
 	info "Build image"
-	info "image os: $img_distro"
-	info "image os version: $img_os_version"
+	info "image os: $os_name"
+	info "image os version: $os_version"
 	sudo -E PATH="${PATH}" make image \
-		DISTRO="${img_distro}" \
+		DISTRO="${os_name}" \
 		DEBUG="${DEBUG:-}" \
 		USE_DOCKER="1" \
-		IMG_OS_VERSION="${img_os_version}" \
+		IMG_OS_VERSION="${os_version}" \
 		ROOTFS_BUILD_DEST="${builddir}/rootfs-image"
-	mv -f "kata-containers.img" "${install_dir}/${image_name}"
+	mv -f "kata-containers.img" "${install_dir}/${artifact_name}"
 	if [ -e "root_hash.txt" ]; then
-		[ -z "${root_hash_suffix}" ] && root_hash_suffix=vanilla
-		mv "${repo_root_dir}/tools/osbuilder/root_hash.txt" "${repo_root_dir}/tools/osbuilder/root_hash_${root_hash_suffix}.txt"
+		root_hash_suffix=${image_initrd_suffix}
+		[ -z "${image_initrd_suffix}" ] && root_hash_suffix=vanilla
+		mv root_hash.txt root_hash_${root_hash_suffix}.txt
 	fi
 	(
 		cd "${install_dir}"
-		ln -sf "${image_name}" "${final_image_name}${image_initrd_extension}"
+		ln -sf "${artifact_name}" "${final_artifact_name}${image_initrd_extension}"
 	)
 }
 
@@ -93,6 +93,8 @@ Usage:
 ${script_name} [options]
 
 Options:
+ --osname=${os_name}
+ --osversion=${os_version}
  --imagetype=${image_type}
  --prefix=${prefix}
  --destdir=${destdir}
@@ -108,46 +110,25 @@ main() {
 	prefix="/opt/kata"
 	image_suffix=""
 	image_initrd_suffix=""
-	root_hash_suffix=""
 	builddir="${PWD}"
 	while getopts "h-:" opt; do
 		case "$opt" in
 		-)
 			case "${OPTARG}" in
+			osname=*)
+				os_name=${OPTARG#*=}
+				;;
+			osversion=*)
+				os_version=${OPTARG#*=}
+				;;
 			imagetype=image)
 				image_type=image
-				#image information
-				img_distro=$(get_from_kata_deps "assets.image.architecture.${arch_target}.name")
-				img_os_version=$(get_from_kata_deps "assets.image.architecture.${arch_target}.version")
-				image_name="kata-${img_distro}-${img_os_version}.${image_type}"
 				;;
 			imagetype=initrd)
 				image_type=initrd
-				#initrd information
-				initrd_distro=$(get_from_kata_deps "assets.initrd.architecture.${arch_target}.name")
-				initrd_os_version=$(get_from_kata_deps "assets.initrd.architecture.${arch_target}.version")
-				initrd_name="kata-${initrd_distro}-${initrd_os_version}.${image_type}"
 				;;
 			image_initrd_suffix=*)
 				image_initrd_suffix=${OPTARG#*=}
-				if [ "${image_initrd_suffix}" == "sev" ]; then
-					initrd_distro=$(get_from_kata_deps "assets.initrd.architecture.${arch_target}.sev.name")
-					initrd_os_version=$(get_from_kata_deps "assets.initrd.architecture.${arch_target}.sev.version")
-					initrd_name="kata-${initrd_distro}-${initrd_os_version}-${image_initrd_suffix}.${image_type}"
-					final_initrd_name="${final_initrd_name}-${image_initrd_suffix}"
-				elif [ "${image_initrd_suffix}" == "tdx" ]; then
-					img_distro=$(get_from_kata_deps "assets.image.architecture.${arch_target}.name")
-					img_os_version=$(get_from_kata_deps "assets.image.architecture.${arch_target}.version")
-					image_name="kata-${img_distro}-${img_os_version}-${image_initrd_suffix}.${image_type}"
-					final_image_name="${final_image_name}-${image_initrd_suffix}"
-
-					initrd_distro=$(get_from_kata_deps "assets.initrd.architecture.${arch_target}.name")
-					initrd_os_version=$(get_from_kata_deps "assets.initrd.architecture.${arch_target}.version")
-					initrd_name="kata-${initrd_distro}-${initrd_os_version}-${image_initrd_suffix}.${image_type}"
-					final_initrd_name="${final_initrd_name}-${image_initrd_suffix}"
-				elif [ -n "${image_initrd_suffix}" ]; then
-					die "Invalid image_initrd_suffix ${image_initrd_suffix}"
-				fi
 				;;
 			root_hash_suffix=*)
 				root_hash_suffix=${OPTARG#*=}
@@ -179,7 +160,16 @@ main() {
 
 	echo "build ${image_type}"
 
+	if [ "${image_type}" = "initrd" ]; then
+		final_artifact_name+="-initrd"
+	fi
 
+	if [ -n "${image_initrd_suffix}" ]; then
+		artifact_name="kata-${os_name}-${os_version}-${image_initrd_suffix}.${image_type}"
+		final_artifact_name+="-${image_initrd_suffix}"
+	else
+		artifact_name="kata-${os_name}-${os_version}.${image_type}"
+	fi
 
 	install_dir="${destdir}/${prefix}/share/kata-containers/"
 	readonly install_dir

tools/packaging/kata-debug/Dockerfile

@@ -0,0 +1,16 @@
+# Copyright (c) 2023 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+FROM ubuntu:22.04
+
+COPY debug.sh /usr/bin/debug.sh
+
+RUN \
+apt-get update && \
+apt-get install -y --no-install-recommends tree && \
+apt-get clean && \
+rm -rf /var/lib/apt/lists/
+
+CMD ["/usr/bin/debug.sh"]

tools/packaging/kata-debug/README.md

@@ -0,0 +1,28 @@
+# kata-debug
+
+`kata-debug` is a tool that is used as part of the Kata Containers CI to gather
+information from the node, in order to help debugging issues with Kata
+Containers.
+
+As one can imagine, this can be expanded and used outside of the CI context,
+and any contribution back to the script is very much welcome.
+
+The resulting container is stored at the [Kata Containers `quay.io`
+space](https://quay.io/repository/kata-containers/kata-debug) and can
+be used as shown below:
+```sh
+kubectl debug $NODE_NAME -it --image=quay.io/kata-containers/kata-debug:latest
+```
+
+## Building and publishing
+The project can be built and publish by calling the following command from the
+Kata Containers top directory:
+```sh
+make build-and-publish-kata-debug
+```
+
+Users can specify the following environment variables to the build:
+* `KATA_DEBUG_REGISTRY` - The container registry to be used
+                          default: `quay.io/kata-containers/kata-debug`
+- `KATA_DEBUG_TAG`      - A tag to the be used for the image
+                          default: `$(git rev-parse HEAD)-$(uname -a)`

tools/packaging/kata-debug/debug.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+# Copyright (c) 2023 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+echo "Let's gather Kata Containers debug information"
+echo ""
+echo "::group::Check Kata Containers logs"
+chroot /host /bin/bash -c "sudo journalctl -xe -t kata | tee"
+echo "::endgroup::"
+echo ""
+echo "::group::Checking the loaded kernel modules"
+chroot /host /bin/bash -c "sudo lsmod"
+echo "::endgroup::"
+echo ""
+echo "::group::Check Kata Containers deployed binaries"
+tree /host/opt/kata /host/usr/local/bin
+echo "::endgroup::"
+echo ""
+echo "::group:: Check node's dmesg"
+chroot /host /bin/bash -c "sudo dmesg"
+echo "::endgroup::"

tools/packaging/kata-debug/kata-debug-build-and-upload-payload.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+#
+# Copyright 2023 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+[ -z "${DEBUG}" ] || set -x
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o errtrace
+
+KATA_DEBUG_DIR="`dirname ${0}`"
+
+REGISTRY="${1:-"quay.io/kata-containers/kata-debug"}"
+TAG="${2:-}"
+
+arch=$(uname -m)
+[ "$arch" = "x86_64" ] && arch="amd64"
+IMAGE_TAG="${REGISTRY}:$(git rev-parse HEAD)-${arch}"
+
+pushd ${KATA_DEBUG_DIR}
+
+echo "Building the image"
+docker build --tag ${IMAGE_TAG} .
+
+echo "Pushing the image to the registry"
+docker push ${IMAGE_TAG}
+
+if [ -n "${TAG}" ]; then
+	ADDITIONAL_TAG="${REGISTRY}:${TAG}"
+
+	echo "Building the ${ADDITIONAL_TAG} image"
+
+	docker build --tag ${ADDITIONAL_TAG} .
+
+	echo "Pushing the image ${ADDITIONAL_TAG} to the registry"
+	docker push ${ADDITIONAL_TAG}
+fi
+
+popd

tools/packaging/kata-deploy/Dockerfile

@@ -28,3 +28,4 @@ tar xvf ${WORKDIR}/${KATA_ARTIFACTS} -C ${DESTINATION} && \
 rm -f ${WORKDIR}/${KATA_ARTIFACTS}
 
 COPY scripts ${DESTINATION}/scripts
+COPY runtimeclasses ${DESTINATION}/runtimeclasses

tools/packaging/kata-deploy/kata-cleanup/base/kata-cleanup.yaml

@@ -13,7 +13,7 @@ spec:
         labels:
           name: kubelet-kata-cleanup
     spec:
-      serviceAccountName: kata-label-node
+      serviceAccountName: kata-deploy-sa
       nodeSelector:
           katacontainers.io/kata-runtime: cleanup
       containers:
@@ -26,6 +26,16 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        - name: DEBUG
+          value: "false"
+        - name: SHIMS
+          value: "clh dragonball fc qemu-nvidia-gpu qemu-sev qemu-snp qemu-tdx qemu"
+        - name: DEFAULT_SHIM
+          value: "qemu"
+        - name: CREATE_RUNTIMECLASSES
+          value: "false"
+        - name: CREATE_DEFAULT_RUNTIMECLASS
+          value: "false"
         securityContext:
           privileged: true
         volumeMounts:

tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml

@@ -13,7 +13,7 @@ spec:
         labels:
           name: kata-deploy
     spec:
-      serviceAccountName: kata-label-node
+      serviceAccountName: kata-deploy-sa
       containers:
       - name: kube-kata
         image: quay.io/kata-containers/kata-deploy-cc:v0
@@ -28,8 +28,16 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
-        - name: CONFIGURE_CC
-          value: "yes"
+        - name: DEBUG
+          value: "false"
+        - name: SHIMS
+          value: "clh dragonball fc qemu qemu-nvidia-gpu qemu-sev qemu-snp qemu-tdx"
+        - name: DEFAULT_SHIM
+          value: "qemu"
+        - name: CREATE_RUNTIMECLASSES
+          value: "false"
+        - name: CREATE_DEFAULT_RUNTIMECLASS
+          value: "false"
         securityContext:
           privileged: true
         volumeMounts:

tools/packaging/kata-deploy/kata-rbac/base/kata-rbac.yaml

@@ -2,28 +2,30 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: kata-label-node
+  name: kata-deploy-sa
   namespace: kube-system
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: node-labeler
+  name: kata-deploy-role
 rules:
 - apiGroups: [""]
   resources: ["nodes"]
   verbs: ["get", "patch"]
+- apiGroups: ["node.k8s.io"]
+  resources: ["runtimeclasses"]
+  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: kata-label-node-rb
+  name: kata-deploy-rb
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: node-labeler
+  name: kata-deploy-role
 subjects:
 - kind: ServiceAccount
-  name: kata-label-node
+  name: kata-deploy-sa
   namespace: kube-system
-

tools/packaging/kata-deploy/local-build/Makefile

@@ -18,9 +18,9 @@ EXTRA_TARBALL=\
 	ovmf-tarball \
 	qemu-snp-experimental-tarball \
 	qemu-tdx-experimental-tarball \
-	cc-tdx-td-shim-tarball \
-	cc-sev-rootfs-initrd-tarball \
-	cc-tdx-rootfs-image-tarball
+	rootfs-initrd-sev-tarball \
+	rootfs-image-tdx-tarball \
+	cc-tdx-td-shim-tarball
 endif
 
 define BUILD
@@ -78,9 +78,6 @@ firecracker-tarball:
 kernel-dragonball-experimental-tarball:
 	${MAKE} $@-build
 
-kernel-experimental-tarball:
-	${MAKE} $@-build
-
 kernel-nvidia-gpu-tarball:
 	${MAKE} $@-build
 
@@ -142,7 +139,7 @@ virtiofsd-tarball:
 	${MAKE} $@-build
 
 merge-builds:
-	$(MK_DIR)/kata-deploy-merge-builds.sh build
+	$(MK_DIR)/kata-deploy-merge-builds.sh build "$(MK_DIR)/../../../../versions.yaml"
 
 install-tarball:
 	tar -xf ./kata-static.tar.xz -C /
@@ -168,15 +165,9 @@ cc-rootfs-image-tarball:
 cc-rootfs-initrd-tarball:
 	${MAKE} $@-build
 
-cc-sev-rootfs-initrd-tarball: kernel-sev-tarball
-	${MAKE} $@-build
-
 cc-se-image-tarball: kernel-tarball cc-rootfs-initrd-tarball
 	${MAKE} $@-build
 
-cc-tdx-rootfs-image-tarball:
-	${MAKE} $@-build
-
 cc-tdx-td-shim-tarball:
 	${MAKE} $@-build
 

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -223,68 +223,12 @@ install_cached_cc_shim_v2() {
 
 #Install cc capable guest image
 install_cc_image() {
-	export AA_KBC="${1:-offline_fs_kbc}"
-	image_type="${2:-image}"
-	image_initrd_suffix="${3:-""}"
-	root_hash_suffix="${4:-""}"
-	tee="${5:-""}"
+	export AA_KBC="${AA_KBC:-offline_fs_kbc}"
 	export KATA_BUILD_CC=yes
-	export MEASURED_ROOTFS=${MEASURED_ROOTFS}
+	export MEASURED_ROOTFS=yes
+	variant="${1:-}"
 
-	local jenkins="${jenkins_url}/job/kata-containers-2.0-rootfs-image-cc-$(uname -m)/${cached_artifacts_path}"
-	local component="rootfs-image"
-	local root_hash_vanilla="root_hash_vanilla.txt"
-	local root_hash_tdx=""
-	local initramfs_last_commit=""
-	if [ -n "${tee}" ]; then
-		if [ "${tee}" == "tdx" ]; then
-			jenkins="${jenkins_url}/job/kata-containers-2.0-rootfs-image-${tee}-cc-$(uname -m)/${cached_artifacts_path}"
-			component="${tee}-rootfs-image"
-			root_hash_vanilla=""
-			root_hash_tdx="root_hash_${tee}.txt"
-		fi
-		if [ "${tee}" == "sev" ]; then
-			jenkins="${jenkins_url}/job/kata-containers-2.0-rootfs-initrd-${tee}-cc-$(uname -m)/${cached_artifacts_path}"
-			component="${tee}-rootfs-initrd"
-			root_hash_vanilla=""
-			initramfs_last_commit="$(get_initramfs_image_name)"
-		fi
-	fi
-
-	local osbuilder_last_commit="$(echo $(get_last_modification "${repo_root_dir}/tools/osbuilder") | sed s/-dirty//)"
-	local guest_image_last_commit="$(get_last_modification "${repo_root_dir}/tools/packaging/guest-image")"
-	local agent_last_commit="$(get_last_modification "${repo_root_dir}/src/agent")"
-	local libs_last_commit="$(get_last_modification "${repo_root_dir}/src/libs")"
-	local attestation_agent_version="$(get_from_kata_deps "externals.attestation-agent.version")"
-	local gperf_version="$(get_from_kata_deps "externals.gperf.version")"
-	local libseccomp_version="$(get_from_kata_deps "externals.libseccomp.version")"
-	local pause_version="$(get_from_kata_deps "externals.pause.version")"
-	local rust_version="$(get_from_kata_deps "languages.rust.meta.newest-version")"
-
-	install_cached_tarball_component \
-		"${component}" \
-		"${jenkins}" \
-		"${osbuilder_last_commit}-${guest_image_last_commit}-${initramfs_last_commit}-${agent_last_commit}-${libs_last_commit}-${attestation_agent_version}-${gperf_version}-${libseccomp_version}-${pause_version}-${rust_version}-${image_type}-${AA_KBC}" \
-		"" \
-		"${final_tarball_name}" \
-		"${final_tarball_path}" \
-		"${root_hash_vanilla}" \
-		"${root_hash_tdx}" \
-		&& return 0
-
-	info "Create CC image configured with AA_KBC=${AA_KBC}"
-	"${rootfs_builder}" \
-		--imagetype="${image_type}" \
-		--prefix="${prefix}" \
-		--destdir="${destdir}" \
-		--image_initrd_suffix="${image_initrd_suffix}" \
-		--root_hash_suffix="${root_hash_suffix}"
-}
-
-install_cc_sev_image() {
-	AA_KBC="online_sev_kbc"
-	image_type="initrd"
-	install_cc_image "${AA_KBC}" "${image_type}" "sev" "" "sev"
+	install_image "${variant}"
 }
 
 install_cc_se_image() {
@@ -292,12 +236,11 @@ install_cc_se_image() {
 	"${se_image_builder}" --destdir="${destdir}"
 }
 
-install_cc_tdx_image() {
-	AA_KBC="cc_kbc_tdx"
-	image_type="image"
-	image_suffix="tdx"
-	root_hash_suffix="tdx"
-	install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}" "${root_hash_suffix}" "tdx"
+install_image_tdx() {
+	export AA_KBC="cc_kbc_tdx"
+
+	info "Install CC image configured with AA_KBC=${AA_KBC}"
+	install_cc_image "tdx"
 }
 
 #Install all components that are not assets
@@ -358,9 +301,14 @@ install_cc_tdx_td_shim() {
 
 #Install guest image
 install_image() {
-	local image_type="${1:-"image"}"
-	local initrd_suffix="${2:-""}"
-	local jenkins="${jenkins_url}/job/kata-containers-main-rootfs-${image_type}-$(uname -m)/${cached_artifacts_path}"
+	local variant="${1:-}"
+
+	image_type="image"
+	if [ -n "${variant}" ]; then
+		image_type+="-${variant}"
+	fi
+
+	local jenkins="${jenkins_url}/job/kata-containers-main-rootfs-${image_type}-${ARCH}/${cached_artifacts_path}"
 	local component="rootfs-${image_type}"
 
 	local osbuilder_last_commit="$(get_last_modification "${repo_root_dir}/tools/osbuilder")"
@@ -370,30 +318,58 @@ install_image() {
 	local gperf_version="$(get_from_kata_deps "externals.gperf.version")"
 	local libseccomp_version="$(get_from_kata_deps "externals.libseccomp.version")"
 	local rust_version="$(get_from_kata_deps "languages.rust.meta.newest-version")"
+	local attestation_agent_version="$(get_from_kata_deps "externals.attestation-agent.version")"
+	local pause_version="$(get_from_kata_deps "externals.pause.version")"
+	local root_hash_vanilla=""
+	local root_hash_tdx=""
+
+	local version_checker="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${image_type}"
+	if [ -n "${variant}" ]; then
+		jenkins="${jenkins_url}/job/kata-containers-2.0-rootfs-image-${variant}-cc-$(uname -m)/${cached_artifacts_path}"
+		component="${variant}-rootfs-image"
+		root_hash_tdx="root_hash_${variant}.txt"
+		initramfs_last_commit=""
+		version=_checker="${osbuilder_last_commit}-${guest_image_last_commit}-${initramfs_last_commit}-${agent_last_commit}-${libs_last_commit}-${attestation_agent_version}-${gperf_version}-${libseccomp_version}-${pause_version}-${rust_version}-${image_type}-${AA_KBC}"
+	fi
+
 
 	install_cached_tarball_component \
 		"${component}" \
 		"${jenkins}" \
-		"${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-image" \
+		"${version_checker}" \
 		"" \
 		"${final_tarball_name}" \
 		"${final_tarball_path}" \
+		"${root_hash_vanilla}" \
+		"${root_hash_tdx}" \
 		&& return 0
 
 	info "Create image"
-	"${rootfs_builder}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${initrd_suffix}"
-}
 
-#Install guest image for tdx
-install_image_tdx() {
-	install_image "image-tdx" "tdx"
+	if [ -n "${variant}" ]; then
+		os_name="$(get_from_kata_deps "assets.image.architecture.${ARCH}.${variant}.name")"
+		os_version="$(get_from_kata_deps "assets.image.architecture.${ARCH}.${variant}.version")"
+	else
+		os_name="$(get_from_kata_deps "assets.image.architecture.${ARCH}.name")"
+		os_version="$(get_from_kata_deps "assets.image.architecture.${ARCH}.version")"
+	fi
+
+	"${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
 }
 
 #Install guest initrd
 install_initrd() {
-	local initrd_type="${1:-"initrd"}"
-	local initrd_suffix="${2:-""}"
-	local jenkins="${jenkins_url}/job/kata-containers-main-rootfs-${initrd_type}-$(uname -m)/${cached_artifacts_path}"
+	local variant="${1:-}"
+
+	initrd_type="initrd"
+	if [ -n "${variant}" ]; then
+		initrd_type+="-${variant}"
+	fi
+
+	local jenkins="${jenkins_url}/job/kata-containers-main-rootfs-${initrd_type}-${ARCH}/${cached_artifacts_path}"
+	if [ -n "${variant}" ]; then
+		jenkins="${jenkins_url}/job/kata-containers-2.0-rootfs-initrd-${variant}-cc-$(uname -m)/${cached_artifacts_path}"
+	fi
 	local component="rootfs-${initrd_type}"
 
 	local osbuilder_last_commit="$(get_last_modification "${repo_root_dir}/tools/osbuilder")"
@@ -403,23 +379,56 @@ install_initrd() {
 	local gperf_version="$(get_from_kata_deps "externals.gperf.version")"
 	local libseccomp_version="$(get_from_kata_deps "externals.libseccomp.version")"
 	local rust_version="$(get_from_kata_deps "languages.rust.meta.newest-version")"
+	local attestation_agent_version="$(get_from_kata_deps "externals.attestation-agent.version")"
+	local pause_version="$(get_from_kata_deps "externals.pause.version")"
+	local root_hash_vanilla=""
+	local root_hash_tdx=""
+
+	[[ "${ARCH}" == "aarch64" && "${CROSS_BUILD}" == "true" ]] && echo "warning: Don't cross build initrd for aarch64 as it's too slow" && exit 0
+
+	local version_checker="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${initrd_type}"
+	if [ -n "${variant}" ]; then
+		initramfs_last_commit="$(get_initramfs_image_name)"
+		version_checker="${osbuilder_last_commit}-${guest_image_last_commit}-${initramfs_last_commit}-${agent_last_commit}-${libs_last_commit}-${attestation_agent_version}-${gperf_version}-${libseccomp_version}-${pause_version}-${rust_version}-${initrd_type}-${AA_KBC}"
+	fi
 
 	install_cached_tarball_component \
 		"${component}" \
 		"${jenkins}" \
-		"${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${initrd_type}" \
+		"${version_checker}" \
 		"" \
 		"${final_tarball_name}" \
 		"${final_tarball_path}" \
+		"${root_hash_vanilla}" \
+		"${root_hash_tdx}" \
 		&& return 0
 
 	info "Create initrd"
-	"${rootfs_builder}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${initrd_suffix}"
+
+	if [ -n "${variant}" ]; then
+		os_name="$(get_from_kata_deps "assets.initrd.architecture.${ARCH}.${variant}.name")"
+		os_version="$(get_from_kata_deps "assets.initrd.architecture.${ARCH}.${variant}.version")"
+	else
+		os_name="$(get_from_kata_deps "assets.initrd.architecture.${ARCH}.name")"
+		os_version="$(get_from_kata_deps "assets.initrd.architecture.${ARCH}.version")"
+	fi
+
+	"${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
+}
+
+#Install Mariner guest initrd
+install_initrd_mariner() {
+	install_initrd "mariner"
 }
 
 #Install guest initrd for sev
 install_initrd_sev() {
-	install_initrd "initrd-sev" "sev"
+	export AA_KBC="online_sev_kbc"
+	export KATA_BUILD_CC="yes"
+	export MEASURED_ROOTFS="no"
+
+	info "Install CC initrd configured with AA_KBC=${AA_KBC}"
+	install_initrd "sev"
 }
 
 #Install kernel component helper
@@ -437,7 +446,7 @@ install_cached_kernel_tarball_component() {
 	install_cached_tarball_component \
 		"${kernel_name}" \
 		"${url}" \
-		"${kernel_version}-${kernel_kata_config_version}" \
+		"${kernel_version}-${kernel_kata_config_version}-$(get_last_modification $(dirname $kernel_builder))" \
 		"$(get_kernel_image_name)" \
 		"${final_tarball_name}" \
 		"${final_tarball_path}" \
@@ -451,7 +460,7 @@ install_cached_kernel_tarball_component() {
 	install_cached_tarball_component \
 		"${kernel_name}" \
 		"${jenkins_url}/job/kata-containers-main-${kernel_name}-$(uname -m)/${cached_artifacts_path}" \
-		"${kernel_version}-${kernel_kata_config_version}" \
+		"${kernel_version}-${kernel_kata_config_version}-$(get_last_modification $(dirname $kernel_builder))" \
 		"$(get_kernel_image_name)" \
 		"kata-static-kernel-sev-modules.tar.xz" \
 		"${workdir}/kata-static-kernel-sev-modules.tar.xz" \
@@ -468,7 +477,7 @@ install_cached_kernel_tarball_component() {
 install_cc_initrd() {
 	export AA_KBC="${AA_KBC:-offline_fs_kbc}"
 	info "Create CC initrd configured with AA_KBC=${AA_KBC}"
-	"${rootfs_builder}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}"
+	install_initrd
 }
 
 #Install kernel asset
@@ -544,14 +553,6 @@ install_kernel_nvidia_gpu_tdx_experimental() {
 		"-x tdx -g nvidia -u ${kernel_url} -H deb"
 }
 
-#Install experimental kernel asset
-install_kernel_experimental() {
-	install_kernel_helper \
-		"assets.kernel-experimental.version" \
-		"kernel-experimental" \
-		"-f -b experimental"
-}
-
 #Install experimental TDX kernel asset
 install_kernel_tdx_experimental() {
 	local kernel_url="$(get_from_kata_deps assets.kernel-tdx-experimental.url)"
@@ -862,19 +863,14 @@ handle_build() {
 	cc)
 		install_cc_image
 		install_cc_shimv2
-		install_cc_sev_image
 		;;
 
 	cc-rootfs-image) install_cc_image ;;
 
 	cc-rootfs-initrd) install_cc_initrd ;;
 
-	cc-sev-rootfs-initrd) install_cc_sev_image ;;
-
 	cc-se-image) install_cc_se_image ;;
 
-	cc-tdx-rootfs-image) install_cc_tdx_image ;;
-
 	cc-shim-v2) install_cc_shimv2 ;;
 
 	cc-tdx-td-shim) install_cc_tdx_td_shim ;;
@@ -889,8 +885,6 @@ handle_build() {
 
 	kernel-dragonball-experimental) install_kernel_dragonball_experimental ;;
 
-	kernel-experimental) install_kernel_experimental ;;
-
 	kernel-nvidia-gpu) install_kernel_nvidia_gpu ;;
 
 	kernel-nvidia-gpu-snp) install_kernel_nvidia_gpu_snp;;

tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh

@@ -11,7 +11,10 @@ set -o pipefail
 set -o errtrace
 
 kata_build_dir=${1:-build}
+kata_versions_yaml_file=${2:-""}
+
 tar_path="${PWD}/kata-static.tar.xz"
+kata_versions_yaml_file_path="${PWD}/${kata_versions_yaml_file}"
 
 pushd "${kata_build_dir}"
 tarball_content_dir="${PWD}/kata-tarball-content"
@@ -24,6 +27,15 @@ do
 	tar -xvf "${c}" -C "${tarball_content_dir}"
 done
 
+pushd ${tarball_content_dir}
+	shim="containerd-shim-kata-v2"
+	shim_path=$(find . -name ${shim} | sort | head -1)
+	prefix=${shim_path%"bin/${shim}"}
+
+	echo "$(git describe)" > ${prefix}/VERSION
+	[[ -n "${kata_versions_yaml_file}" ]] && cp ${kata_versions_yaml_file_path} ${prefix}/
+popd
+
 echo "create ${tar_path}"
 (cd "${tarball_content_dir}"; tar cvfJ "${tar_path}" .)
 rm -rf "${tarball_content_dir}"

tools/packaging/kata-deploy/runtimeclasses/kata-clh.yaml

@@ -0,0 +1,13 @@
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-clh
+handler: kata-clh
+overhead:
+    podFixed:
+        memory: "130Mi"
+        cpu: "250m"
+scheduling:
+  nodeSelector:
+    katacontainers.io/kata-runtime: "true"

tools/packaging/kata-deploy/runtimeclasses/kata-dragonball.yaml

@@ -0,0 +1,13 @@
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-dragonball
+handler: kata-dragonball
+overhead:
+    podFixed:
+        memory: "130Mi"
+        cpu: "250m"
+scheduling:
+  nodeSelector:
+    katacontainers.io/kata-runtime: "true"

tools/packaging/kata-deploy/runtimeclasses/kata-fc.yaml

@@ -0,0 +1,13 @@
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-fc
+handler: kata-fc
+overhead:
+    podFixed:
+        memory: "130Mi"
+        cpu: "250m"
+scheduling:
+  nodeSelector:
+    katacontainers.io/kata-runtime: "true"

tools/packaging/kata-deploy/runtimeclasses/kata-qemu-nvidia-gpu.yaml

@@ -0,0 +1,13 @@
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-qemu-nvidia-gpu
+handler: kata-qemu-nvidia-gpu
+overhead:
+    podFixed:
+        memory: "160Mi"
+        cpu: "250m"
+scheduling:
+  nodeSelector:
+    katacontainers.io/kata-runtime: "true"

tools/packaging/kata-deploy/runtimeclasses/kata-qemu-sev.yaml

@@ -0,0 +1,13 @@
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-qemu-sev
+handler: kata-qemu-sev
+overhead:
+    podFixed:
+        memory: "2048Mi"
+        cpu: "1.0"
+scheduling:
+    nodeSelector:
+        katacontainers.io/kata-runtime: "true"

tools/packaging/kata-deploy/runtimeclasses/kata-qemu-snp.yaml

@@ -0,0 +1,13 @@
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-qemu-snp
+handler: kata-qemu-snp
+overhead:
+    podFixed:
+        memory: "2048Mi"
+        cpu: "1.0"
+scheduling:
+  nodeSelector:
+    katacontainers.io/kata-runtime: "true"

tools/packaging/kata-deploy/runtimeclasses/kata-qemu-tdx.yaml

@@ -0,0 +1,13 @@
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-qemu-tdx
+handler: kata-qemu-tdx
+overhead:
+    podFixed:
+        memory: "2048Mi"
+        cpu: "1.0"
+scheduling:
+  nodeSelector:
+    katacontainers.io/kata-runtime: "true"

tools/packaging/kata-deploy/runtimeclasses/kata-qemu.yaml

@@ -0,0 +1,13 @@
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-qemu
+handler: kata-qemu
+overhead:
+    podFixed:
+        memory: "160Mi"
+        cpu: "250m"
+scheduling:
+  nodeSelector:
+    katacontainers.io/kata-runtime: "true"

tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml

@@ -1,58 +1,6 @@
 ---
 kind: RuntimeClass
 apiVersion: node.k8s.io/v1
-metadata:
-    name: kata-qemu
-handler: kata-qemu
-overhead:
-    podFixed:
-        memory: "160Mi"
-        cpu: "250m"
-scheduling:
-  nodeSelector:
-    katacontainers.io/kata-runtime: "true"
----
-kind: RuntimeClass
-apiVersion: node.k8s.io/v1
-metadata:
-    name: kata-qemu-sev
-handler: kata-qemu-sev
-overhead:
-    podFixed:
-        memory: "2048Mi"
-        cpu: "1.0"
-scheduling:
-    nodeSelector:
-        katacontainers.io/kata-runtime: "true"
----
-kind: RuntimeClass
-apiVersion: node.k8s.io/v1
-metadata:
-    name: kata-qemu-tdx
-handler: kata-qemu-tdx
-overhead:
-    podFixed:
-        memory: "2048Mi"
-        cpu: "1.0"
-scheduling:
-  nodeSelector:
-    katacontainers.io/kata-runtime: "true"
----
-kind: RuntimeClass
-apiVersion: node.k8s.io/v1
-metadata:
-    name: kata-qemu-snp
-handler: kata-qemu-snp
-overhead:
-    podFixed:
-        memory: "2048Mi"
-        cpu: "1.0"
-scheduling:
-  nodeSelector:
-    katacontainers.io/kata-runtime: "true"
----
-kind: RuntimeClass
-apiVersion: node.k8s.io/v1
 metadata:
     name: kata-clh
 handler: kata-clh
@@ -66,19 +14,6 @@ scheduling:
 ---
 kind: RuntimeClass
 apiVersion: node.k8s.io/v1
-metadata:
-    name: kata-fc
-handler: kata-fc
-overhead:
-    podFixed:
-        memory: "130Mi"
-        cpu: "250m"
-scheduling:
-  nodeSelector:
-    katacontainers.io/kata-runtime: "true"
----
-kind: RuntimeClass
-apiVersion: node.k8s.io/v1
 metadata:
     name: kata-dragonball
 handler: kata-dragonball
@@ -92,6 +27,19 @@ scheduling:
 ---
 kind: RuntimeClass
 apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-fc
+handler: kata-fc
+overhead:
+    podFixed:
+        memory: "130Mi"
+        cpu: "250m"
+scheduling:
+  nodeSelector:
+    katacontainers.io/kata-runtime: "true"
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
 metadata:
     name: kata-qemu-nvidia-gpu
 handler: kata-qemu-nvidia-gpu
@@ -102,3 +50,55 @@ overhead:
 scheduling:
   nodeSelector:
     katacontainers.io/kata-runtime: "true"
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-qemu-sev
+handler: kata-qemu-sev
+overhead:
+    podFixed:
+        memory: "2048Mi"
+        cpu: "1.0"
+scheduling:
+    nodeSelector:
+        katacontainers.io/kata-runtime: "true"
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-qemu-snp
+handler: kata-qemu-snp
+overhead:
+    podFixed:
+        memory: "2048Mi"
+        cpu: "1.0"
+scheduling:
+  nodeSelector:
+    katacontainers.io/kata-runtime: "true"
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-qemu-tdx
+handler: kata-qemu-tdx
+overhead:
+    podFixed:
+        memory: "2048Mi"
+        cpu: "1.0"
+scheduling:
+  nodeSelector:
+    katacontainers.io/kata-runtime: "true"
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-qemu
+handler: kata-qemu
+overhead:
+    podFixed:
+        memory: "160Mi"
+        cpu: "250m"
+scheduling:
+  nodeSelector:
+    katacontainers.io/kata-runtime: "true"

tools/packaging/kata-deploy/scripts/kata-deploy.sh

@@ -10,47 +10,13 @@ set -o nounset
 
 crio_drop_in_conf_dir="/etc/crio/crio.conf.d/"
 crio_drop_in_conf_file="${crio_drop_in_conf_dir}/99-kata-deploy"
+crio_drop_in_conf_file_debug="${crio_drop_in_conf_dir}/100-debug"
 containerd_conf_file="/etc/containerd/config.toml"
 containerd_conf_file_backup="${containerd_conf_file}.bak"
 
-shims_x86_64=(
-	"fc"
-	"qemu"
-	"qemu-nvidia-gpu"
-	"qemu-tdx"
-	"qemu-sev"
-	"qemu-snp"
-	"clh"
-	"dragonball"
-)
+IFS=' ' read -a shims <<< "$SHIMS"
 
-# THOSE ARE NOT YET ON MAIN, PLEASE, MOVE THEM TO THE UPPDER LIST WHENEVER THEY MAKE THEIR WAY IN.
-shims_x86_64+=(
-	"remote"
-	"clh-tdx"
-)
-
-shims_s390x=(
-	"qemu"
-)
-
-
-# THOSE ARE NOT YET ON MAIN, PLEASE, MOVE THEM TO THE UPPDER LIST WHENEVER THEY MAKE THEIR WAY IN.
-shims_s390x+=(
-	"remote"
-	"qemu-se"
-)
-
-arch=$(uname -m)
-if [[ "${arch}" == "x86_64" ]]; then
-	shims=(${shims_x86_64[@]})
-elif [[ "${arch}" == "s390x" ]]; then
-	shims=(${shims_s390x[@]})
-else
-	die "${arch} is a not supported architecture"
-fi
-
-default_shim="qemu"
+default_shim="$DEFAULT_SHIM"
 
 # If we fail for any reason a message will be displayed
 die() {
@@ -63,6 +29,41 @@ function print_usage() {
 	echo "Usage: $0 [install/cleanup/reset]"
 }
 
+function create_runtimeclasses() {
+	echo "Creating the runtime classes"
+
+	for shim in "${shims[@]}"; do
+		echo "Creating the kata-${shim} runtime class"
+		kubectl apply -f /opt/kata-artifacts/runtimeclasses/kata-${shim}.yaml
+	done
+
+	if [[ "${CREATE_DEFAULT_RUNTIMECLASS}" == "true" ]]; then
+		echo "Creating the kata runtime class for the default shim (an alias for kata-${default_shim})"
+		cp /opt/kata-artifacts/runtimeclasses/kata-${default_shim}.yaml /tmp/kata.yaml
+		sed -i -e 's/kata-'${default_shim}'/kata/g' /tmp/kata.yaml
+		kubectl apply -f /tmp/kata.yaml
+		rm -f /tmp/kata.yaml
+	fi
+}
+
+function delete_runtimeclasses() {
+	echo "Deleting the runtime classes"
+
+	for shim in "${shims[@]}"; do
+		echo "Deleting the kata-${shim} runtime class"
+		kubectl delete -f /opt/kata-artifacts/runtimeclasses/kata-${shim}.yaml
+	done
+
+
+	if [[ "${CREATE_DEFAULT_RUNTIMECLASS}" == "true" ]]; then
+		echo "Deleting the kata runtime class for the default shim (an alias for kata-${default_shim})"
+		cp /opt/kata-artifacts/runtimeclasses/kata-${default_shim}.yaml /tmp/kata.yaml
+		sed -i -e 's/kata-'${default_shim}'/kata/g' /tmp/kata.yaml
+		kubectl delete -f /tmp/kata.yaml
+		rm -f /tmp/kata.yaml
+	fi
+}
+
 function get_container_runtime() {
 
 	local runtime=$(kubectl get node $NODE_NAME -o jsonpath='{.status.nodeInfo.containerRuntimeVersion}')
@@ -91,6 +92,16 @@ function install_artifacts() {
 	[ -d /opt/kata/runtime-rs/bin ] && \
 		chmod +x /opt/kata/runtime-rs/bin/*
 
+	# Allow enabling debug for Kata Containers
+	if [[ "${DEBUG}" == "true" ]]; then
+		config_path="/opt/kata/share/defaults/kata-containers/"
+		for shim in "${shims[@]}"; do
+			sed -i -e 's/^#\(enable_debug\).*=.*$/\1 = true/g' "${config_path}/configuration-${shim}.toml"
+			sed -i -e 's/^#\(debug_console_enabled\).*=.*$/\1 = true/g' "${config_path}/configuration-${shim}.toml"
+			sed -i -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 agent.log=debug initcall_debug"/g' "${config_path}/configuration-${shim}.toml"
+		done
+	fi
+
 	# Allow Mariner to use custom configuration.
 	if [ "${HOST_OS:-}" == "cbl-mariner" ]; then
 		config_path="/opt/kata/share/defaults/kata-containers/configuration-clh.toml"
@@ -99,6 +110,10 @@ function install_artifacts() {
 		sed -i -E "s|(valid_hypervisor_paths) = .+|\1 = [\"${clh_path}\"]|" "${config_path}"
 		sed -i -E "s|(path) = \".+/cloud-hypervisor\"|\1 = \"${clh_path}\"|" "${config_path}"
 	fi
+
+	if [[ "${CREATE_RUNTIMECLASSES}" == "true" ]]; then
+		create_runtimeclasses
+	fi
 }
 
 function wait_till_node_is_ready() {
@@ -198,6 +213,10 @@ function cleanup_different_shims_base() {
 
 	rm "${default_shim_file}" || true
 	restore_shim "${default_shim_file}"
+
+	if [[ "${CREATE_RUNTIMECLASSES}" == "true" ]]; then
+		delete_runtimeclasses
+	fi
 }
 
 function configure_crio_runtime() {
@@ -238,6 +257,14 @@ function configure_crio() {
 	for shim in "${shims[@]}"; do
 		configure_crio_runtime $shim
 	done
+
+
+	if [ "${DEBUG}" == "true" ]; then
+		cat <<EOF | tee -a $crio_drop_in_conf_file_debug
+[crio]
+log_level = "debug"
+EOF
+	fi
 }
 
 function configure_containerd_runtime() {
@@ -277,6 +304,18 @@ EOF
     ConfigPath = "${config_path}"
 EOF
 	fi
+
+	if [ "${DEBUG}" == "true" ]; then
+		if grep -q "\[debug\]" $containerd_conf_file; then
+			sed -i 's/level.*/level = \"debug\"/' $containerd_conf_file
+		else
+			cat <<EOF | tee -a "$containerd_conf_file"
+[debug]
+  level = "debug"
+EOF
+		fi
+
+	fi
 }
 
 function configure_containerd() {
@@ -319,6 +358,9 @@ function cleanup_cri_runtime() {
 
 function cleanup_crio() {
 	rm $crio_drop_in_conf_file
+	if [[ "${DEBUG}" == "true" ]]; then
+		rm $crio_drop_in_conf_file_debug
+	fi
 }
 
 function cleanup_containerd() {
@@ -340,6 +382,14 @@ function reset_runtime() {
 }
 
 function main() {
+	echo "Environment variables passed to this script"
+	echo "* NODE_NAME: ${NODE_NAME}"
+	echo "* DEBUG: ${DEBUG}"
+	echo "* SHIMS: ${SHIMS}"
+	echo "* DEFAULT_SHIM: ${DEFAULT_SHIM}"
+	echo "* CREATE_RUNTIMECLASSES: ${CREATE_RUNTIMECLASSES}"
+	echo "* CREATE_DEFAULT_RUNTIMECLASS: ${CREATE_DEFAULT_RUNTIMECLASS}"
+
 	# script requires that user is root
 	euid=$(id -u)
 	if [[ $euid -ne 0 ]]; then

tools/packaging/kernel/build-kernel.sh

@@ -502,7 +502,7 @@ install_kata() {
 		install --mode 0644 -D "vmlinux" "${install_path}/${vmlinux}"
 	fi
 
-	install --mode 0644 -D ./.config "${install_path}/config-${kernel_version}"
+	install --mode 0644 -D ./.config "${install_path}/config-${kernel_version}-${config_version}${suffix}"
 
 	ln -sf "${vmlinuz}" "${install_path}/vmlinuz${suffix}.container"
 	ln -sf "${vmlinux}" "${install_path}/vmlinux${suffix}.container"

tools/packaging/kernel/configs/fragments/whitelist.conf

@@ -1,5 +1,7 @@
 # configuration options which may dropped in newer kernels
 # without generating an error in fragment merging
+CONFIG_ARCH_RANDOM
+CONFIG_ARM64_CRYPTO
 CONFIG_NF_NAT_IPV4
 CONFIG_NF_NAT_NEEDED
 CONFIG_NF_NAT_PROTO_DCCP
@@ -7,6 +9,7 @@ CONFIG_NF_NAT_PROTO_GRE
 CONFIG_NF_NAT_PROTO_SCTP
 CONFIG_NF_NAT_PROTO_UDPLITE
 CONFIG_REFCOUNT_FULL
+CONFIG_MEMCG_SWAP
 CONFIG_MEMCG_SWAP_ENABLED
 CONFIG_HAVE_NET_DSA
 CONFIG_NF_LOG_COMMON

tools/packaging/kernel/kata_config_version

@@ -1 +1 @@
-109cc+
+111

tools/packaging/release/release-notes.sh

@@ -135,6 +135,25 @@ ${image_info}
 ### Default Initrd Guest OS:
 ${initrd_info}
 
+## Kata Containers builder images
+The majority of the components of the project were built using containers.  In order to do a step towards
+build reproducibility we publish those container images, and when those are used combined with the version
+of the projects listed as part of the "versions.yaml" file, users can get as close to the environment we
+used to build the release artefacts.
+* Kernel (on all its different flavours): $(get_kernel_image_name)
+* OVMF (on all its diferent flavours): $(get_ovmf_image_name)
+* QEMU (on all its different flavurs): $(get_qemu_image_name)
+* shim-v2: $(get_shim_v2_image_name)
+* virtiofsd: $(get_virtiofsd_image_name)
+
+The users who want to rebuild the tarballs using exactly the same images can simply use the following environment
+variables:
+* `KERNEL_CONTAINER_BUILDER`
+* `OVMF_CONTAINER_BUILDER`
+* `QEMU_CONTAINER_BUILDER`
+* `SHIM_V2_CONTAINER_BUILDER`
+* `VIRTIOFSD_CONTAINER_BUILDER`
+
 ## Kata Linux Containers Kernel
 Kata Containers ${runtime_version} suggest to use the Linux kernel [${kernel_version}][kernel]
 See the kernel suggested [Guest Kernel patches][kernel-patches]

tools/packaging/static-build/cache_components_main.sh

@@ -33,6 +33,8 @@ cache_kernel_artifacts() {
 	local kernel_tarball_name="kata-static-${KERNEL_FLAVOUR}.tar.xz"
 	local current_kernel_image="$(get_kernel_image_name)"
 	local current_kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
+	# Changes to tools/packaging/kernel are covered by the kata_config_version check
+	local kernel_last_commit="$(get_last_modification ${repo_root_dir}/tools/packaging/static-build/kernel)"
 	local kernel_modules_tarball_path="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kata-static-kernel-sev-modules.tar.xz"
 
 	# The ${vendor}-gpu kernels are based on an already existing entry, and does not require
@@ -59,13 +61,14 @@ cache_kernel_artifacts() {
 			;;
 	esac
 
-	create_cache_asset "${kernel_tarball_name}" "${current_kernel_version}-${current_kernel_kata_config_version}" "${current_kernel_image}"
+	local current_component_version="${current_kernel_version}-${current_kernel_kata_config_version}-${kernel_last_commit}"
+	create_cache_asset "${kernel_tarball_name}" "${current_component_version}" "${current_kernel_image}"
 	if [[ "${KERNEL_FLAVOUR}" == "kernel-sev" ]]; then
 		module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${current_kernel_version#v}-${current_kernel_kata_config_version}/lib/modules/${current_kernel_version#v}"
 		if [ ! -f "${kernel_modules_tarball_path}" ]; then
 			tar cvfJ "${kernel_modules_tarball_path}" "${module_dir}/kernel/drivers/virt/coco/efi_secret/"
 		fi
-		create_cache_asset "kata-static-kernel-sev-modules.tar.xz" "${current_kernel_version}-${current_kernel_kata_config_version}" "${current_kernel_image}"
+		create_cache_asset "kata-static-kernel-sev-modules.tar.xz" "${current_component_version}" "${current_kernel_image}"
 	fi
 }