From 1cbb22f228ea5218632ed99090aade9a6fe2f8ae Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Wed, 5 Nov 2025 17:00:41 +0000
Subject: [PATCH 01/15] chore: update runc and ci

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 .buildkite/al2_pipeline.yml                 |  2 +-
 .buildkite/pipeline.yml                     |  2 +-
 .github/workflows/build.yaml                |  2 +-
 Makefile                                    |  2 +-
 examples/cmd/remote-snapshotter/go.mod      |  8 ++--
 examples/cmd/remote-snapshotter/go.sum      | 12 ++---
 go.mod                                      | 22 ++++-----
 go.sum                                      | 49 +++++++++++++--------
 internal/fsutil.go                          |  2 +-
 internal/vm/oci.go                          |  2 +-
 proto/events.pb.go                          |  2 +-
 proto/firecracker.pb.go                     |  2 +-
 proto/types.pb.go                           | 18 ++++----
 tools/docker/Dockerfile.integ-test          |  5 ++-
 tools/docker/Dockerfile.proto-builder       |  6 +--
 tools/docker/Dockerfile.runc-builder        |  4 +-
 tools/docker/Dockerfile.stargz-builder      |  2 +-
 tools/image-builder/Dockerfile.debian-image |  2 +-
 18 files changed, 80 insertions(+), 64 deletions(-)

diff --git a/.buildkite/al2_pipeline.yml b/.buildkite/al2_pipeline.yml
index ff8328ded..196d908e3 100644
--- a/.buildkite/al2_pipeline.yml
+++ b/.buildkite/al2_pipeline.yml
@@ -24,7 +24,7 @@ steps:
       FICD_DM_VOLUME_GROUP: "fcci-vg"
     command:
       - ./.buildkite/setup_al2.sh
-      - docker run --rm -v $PWD:/mnt debian:bullseye-slim rm -rf /mnt/tools/image-builder/rootfs
+      - docker run --rm -v $PWD:/mnt debian:trixie-slim rm -rf /mnt/tools/image-builder/rootfs
 
   - wait
 
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
index 92977a38b..03c415576 100644
--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -22,7 +22,7 @@ steps:
       EXTRAGOARGS: "-race"
     command:
       - make test-images
-      - docker run --rm -v $PWD:/mnt debian:bullseye-slim rm -rf /mnt/tools/image-builder/rootfs
+      - docker run --rm -v $PWD:/mnt debian:trixie-slim rm -rf /mnt/tools/image-builder/rootfs
       - sudo install -d -o root -g buildkite-agent -m 775 "/local/artifacts/$BUILDKITE_BUILD_NUMBER"
       - cp tools/image-builder/rootfs.img "/local/artifacts/$BUILDKITE_BUILD_NUMBER/"
 
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 00eea33d7..beedf3138 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -14,7 +14,7 @@ jobs:
     strategy:
       matrix:
         os: ['ubuntu-22.04']
-        go: ['1.23', '1.24']
+        go: ['1.24', '1.25']
       # Build all variants regardless of failures
       fail-fast: false
 
diff --git a/Makefile b/Makefile
index 0a2e1c359..bbe16e9c6 100644
--- a/Makefile
+++ b/Makefile
@@ -29,7 +29,7 @@ SUBMODULES=_submodules
 UID:=$(shell id -u)
 GID:=$(shell id -g)
 
-FIRECRACKER_CONTAINERD_BUILDER_IMAGE?=golang:1.23-bullseye
+FIRECRACKER_CONTAINERD_BUILDER_IMAGE?=golang:1.24-trixie
 export FIRECRACKER_CONTAINERD_TEST_IMAGE?=localhost/firecracker-containerd-test
 export GO_CACHE_VOLUME_NAME?=gocache
 
diff --git a/examples/cmd/remote-snapshotter/go.mod b/examples/cmd/remote-snapshotter/go.mod
index a57bb1ebe..141a36b55 100644
--- a/examples/cmd/remote-snapshotter/go.mod
+++ b/examples/cmd/remote-snapshotter/go.mod
@@ -1,6 +1,6 @@
 module github.com/firecracker-microvm/firecracker-containerd/example/remote-snapshotter
 
-go 1.23.0
+go 1.24.0
 
 require (
 	github.com/containerd/containerd v1.7.27
@@ -34,15 +34,15 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/klauspost/compress v1.16.7 // indirect
 	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/sys/mountinfo v0.6.2 // indirect
+	github.com/moby/sys/mountinfo v0.7.1 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/moby/sys/signal v0.7.0 // indirect
 	github.com/moby/sys/user v0.3.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/opencontainers/runtime-spec v1.1.0 // indirect
-	github.com/opencontainers/selinux v1.11.0 // indirect
+	github.com/opencontainers/runtime-spec v1.2.0 // indirect
+	github.com/opencontainers/selinux v1.12.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
diff --git a/examples/cmd/remote-snapshotter/go.sum b/examples/cmd/remote-snapshotter/go.sum
index 092fd30dc..016e3a2a8 100644
--- a/examples/cmd/remote-snapshotter/go.sum
+++ b/examples/cmd/remote-snapshotter/go.sum
@@ -636,8 +636,8 @@ github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2J
 github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
 github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
 github.com/moby/sys/mountinfo v0.6.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
-github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
-github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
+github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
+github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
 github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
 github.com/moby/sys/signal v0.6.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn88Kg8Tg=
@@ -714,15 +714,15 @@ github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.m
 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bll4AjJ9odEGpg=
-github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
+github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
 github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
 github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
 github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
-github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=
+github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
diff --git a/go.mod b/go.mod
index ea400af95..c7bf1bfa9 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/firecracker-microvm/firecracker-containerd
 
-go 1.23.0
+go 1.24.0
 
 require (
 	github.com/awslabs/tc-redirect-tap v0.0.0-20211025175357-e30dfca224c2
@@ -19,9 +19,10 @@ require (
 	github.com/golang/protobuf v1.5.4
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/miekg/dns v1.1.62
+	github.com/moby/sys/user v0.3.0
 	github.com/opencontainers/image-spec v1.1.0
-	github.com/opencontainers/runc v1.1.14
-	github.com/opencontainers/runtime-spec v1.1.0
+	github.com/opencontainers/runc v1.2.8
+	github.com/opencontainers/runtime-spec v1.2.0
 	github.com/pelletier/go-toml v1.9.5
 	github.com/shirou/gopsutil v2.18.12+incompatible
 	github.com/sirupsen/logrus v1.9.3
@@ -46,10 +47,10 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/cilium/ebpf v0.9.1 // indirect
+	github.com/cilium/ebpf v0.16.0 // indirect
 	github.com/containerd/cgroups v1.1.0 // indirect
 	github.com/containerd/cgroups/v3 v3.0.2 // indirect
-	github.com/containerd/console v1.0.3 // indirect
+	github.com/containerd/console v1.0.5 // indirect
 	github.com/containerd/errdefs v0.3.0 // indirect
 	github.com/containerd/go-cni v1.1.9 // indirect
 	github.com/containerd/imgcrypt v1.1.8 // indirect
@@ -59,6 +60,7 @@ require (
 	github.com/containers/ocicrypt v1.1.10 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/cyphar/filepath-securejoin v0.5.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
@@ -98,25 +100,24 @@ require (
 	github.com/klauspost/cpuid/v2 v2.0.4 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/mdlayher/socket v0.2.0 // indirect
-	github.com/mdlayher/vsock v1.1.1 // indirect
+	github.com/mdlayher/socket v0.4.1 // indirect
+	github.com/mdlayher/vsock v1.2.1 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/minio/sha256-simd v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.4.3 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
-	github.com/moby/sys/mountinfo v0.6.2 // indirect
+	github.com/moby/sys/mountinfo v0.7.1 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/moby/sys/signal v0.7.0 // indirect
 	github.com/moby/sys/symlink v0.2.0 // indirect
-	github.com/moby/sys/user v0.3.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 // indirect
-	github.com/opencontainers/selinux v1.11.0 // indirect
+	github.com/opencontainers/selinux v1.12.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -142,6 +143,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.27.0 // indirect
 	go.opentelemetry.io/otel/trace v1.27.0 // indirect
 	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
 	golang.org/x/mod v0.18.0 // indirect
 	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/oauth2 v0.27.0 // indirect
diff --git a/go.sum b/go.sum
index a03df89b6..5494c0072 100644
--- a/go.sum
+++ b/go.sum
@@ -121,8 +121,8 @@ github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmE
 github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc=
 github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs=
 github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
-github.com/cilium/ebpf v0.9.1 h1:64sn2K3UKw8NbP/blsixRpF3nXuyhz/VjRlRzvlBRu4=
-github.com/cilium/ebpf v0.9.1/go.mod h1:+OhNOIXx/Fnu1IE8bJz2dzOA+VSfyTfdNUVdlQnxUFY=
+github.com/cilium/ebpf v0.16.0 h1:+BiEnHL6Z7lXnlGUsXQPPAE7+kenAd4ES8MQ5min0Ok=
+github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
@@ -149,8 +149,8 @@ github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on
 github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
 github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw=
 github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
-github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw=
-github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
+github.com/containerd/console v1.0.5 h1:R0ymNeydRqH2DmakFNdmjR2k0t7UPuiOV/N/27/qqsc=
+github.com/containerd/console v1.0.5/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
 github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
 github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
 github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
@@ -272,6 +272,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
+github.com/cyphar/filepath-securejoin v0.5.1 h1:eYgfMq5yryL4fbWfkLpFFy2ukSELzaJOTaUTuh+oF48=
+github.com/cyphar/filepath-securejoin v0.5.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ=
 github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s=
 github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8=
@@ -320,8 +322,6 @@ github.com/firecracker-microvm/firecracker-go-sdk v0.22.1-0.20220427214706-47505
 github.com/firecracker-microvm/firecracker-go-sdk v0.22.1-0.20220427214706-47505a9cf951/go.mod h1:60W3x6ftClUbRKpqXl7XvrhM/Uv3tochNRq+RlZsd1M=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
-github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzPPUss=
-github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
@@ -387,6 +387,8 @@ github.com/go-openapi/validate v0.21.0 h1:+Wqk39yKOhfpLqNLEC0/eViCkzM5FVXVqrvt52
 github.com/go-openapi/validate v0.21.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg=
 github.com/go-ping/ping v0.0.0-20211130115550-779d1e919534 h1:dhy9OQKGBh4zVXbjwbxxHjRxMJtLXj3zfgpBYQaR4Q4=
 github.com/go-ping/ping v0.0.0-20211130115550-779d1e919534/go.mod h1:xIFjORFzTxqIV/tDVGO4eDy/bLuSyawEeojSm3GfRGk=
+github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
+github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-stack/stack v1.8.1 h1:ntEHSVwIt7PNXNpgPmVfMrNhLtgjlmnZha2kOpuRiDw=
 github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP3XYfe4=
@@ -554,6 +556,10 @@ github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqx
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
+github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/jsimonetti/rtnetlink/v2 v2.0.1 h1:xda7qaHDSVOsADNouv7ukSuicKZO7GgVUCXxpaIEIlM=
+github.com/jsimonetti/rtnetlink/v2 v2.0.1/go.mod h1:7MoNYNbb3UaDHtF8udiJo/RH6VsTKP1pqKLUTVCvToE=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -609,10 +615,14 @@ github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/mdlayher/socket v0.2.0 h1:EY4YQd6hTAg2tcXF84p5DTHazShE50u5HeBzBaNgjkA=
+github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
+github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/socket v0.2.0/go.mod h1:QLlNPkFR88mRUNQIzRBMfXxwKal8H7u1h3bL1CV+f0E=
-github.com/mdlayher/vsock v1.1.1 h1:8lFuiXQnmICBrCIIA9PMgVSke6Fg6V4+r0v7r55k88I=
+github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
+github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
 github.com/mdlayher/vsock v1.1.1/go.mod h1:Y43jzcy7KM3QB+/FK15pfqGxDMCMzUXWegEfIbSM18U=
+github.com/mdlayher/vsock v1.2.1 h1:pC1mTJTvjo1r9n9fbm7S1j04rCgCzhCOS5DY0zqHlnQ=
+github.com/mdlayher/vsock v1.2.1/go.mod h1:NRfCibel++DgeMD8z/hP+PPTjlNJsdPOmxcnENvE+SE=
 github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
 github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
 github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
@@ -634,8 +644,8 @@ github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
 github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
-github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
-github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
+github.com/moby/sys/mountinfo v0.7.1 h1:/tTvQaSJRr2FshkhXiIpux6fQ2Zvc4j7tAhMTStAG2g=
+github.com/moby/sys/mountinfo v0.7.1/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
 github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
 github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI=
@@ -705,24 +715,24 @@ github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59P
 github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0=
-github.com/opencontainers/runc v1.1.14 h1:rgSuzbmgz5DUJjeSnw337TxDbRuqjs6iqQck/2weR6w=
-github.com/opencontainers/runc v1.1.14/go.mod h1:E4C2z+7BxR7GHXp0hAY53mek+x49X1LjPNeMTfRGvOA=
+github.com/opencontainers/runc v1.2.8 h1:RnEICeDReapbZ5lZEgHvj7E9Q3Eex9toYmaGBsbvU5Q=
+github.com/opencontainers/runc v1.2.8/go.mod h1:cC0YkmZcuvr+rtBZ6T7NBoVbMGNAdLa/21vIElJDOzI=
 github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bll4AjJ9odEGpg=
-github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
+github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:DmNGcqH3WDbV5k8OJ+esPWbqUOX5rMLR2PMvziDMJi0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
 github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
 github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
 github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
-github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=
+github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
@@ -781,8 +791,8 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -967,6 +977,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI=
+golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -1139,6 +1151,7 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
diff --git a/internal/fsutil.go b/internal/fsutil.go
index 46cc4b57f..99eed3d39 100644
--- a/internal/fsutil.go
+++ b/internal/fsutil.go
@@ -82,7 +82,7 @@ func CreateBlockDevice(ctx context.Context, t testing.TB) (string, func()) {
 	err = f.Truncate(32 * mib)
 	require.NoError(t, err)
 
-	out, err := exec.CommandContext(ctx, "mkfs.ext4", "-v", f.Name()).CombinedOutput()
+	out, err := exec.CommandContext(ctx, "/usr/sbin/mkfs.ext4", "-v", f.Name()).CombinedOutput()
 	require.NoErrorf(t, err, "failed to create ext img, command out:%s \n", string(out))
 
 	err = f.Close()
diff --git a/internal/vm/oci.go b/internal/vm/oci.go
index a23d3fbc3..632ec36e4 100644
--- a/internal/vm/oci.go
+++ b/internal/vm/oci.go
@@ -37,7 +37,7 @@ import (
 	"github.com/containerd/containerd/mount"
 	"github.com/containerd/containerd/oci"
 	"github.com/containerd/continuity/fs"
-	"github.com/opencontainers/runc/libcontainer/user"
+	"github.com/moby/sys/user"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )
 
diff --git a/proto/events.pb.go b/proto/events.pb.go
index e55cbc147..ceb56ebfa 100644
--- a/proto/events.pb.go
+++ b/proto/events.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.33.0
-// 	protoc        v3.12.4
+// 	protoc        v3.21.12
 // source: events.proto
 
 package proto
diff --git a/proto/firecracker.pb.go b/proto/firecracker.pb.go
index 4b80b3e83..0a194ddbd 100644
--- a/proto/firecracker.pb.go
+++ b/proto/firecracker.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.33.0
-// 	protoc        v3.12.4
+// 	protoc        v3.21.12
 // source: firecracker.proto
 
 package proto
diff --git a/proto/types.pb.go b/proto/types.pb.go
index 8a6f4f125..5aa2623cd 100644
--- a/proto/types.pb.go
+++ b/proto/types.pb.go
@@ -1,15 +1,15 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.33.0
-// 	protoc        v3.12.4
+// 	protoc        v3.21.12
 // source: types.proto
 
 package proto
 
 import (
-	any1 "github.com/golang/protobuf/ptypes/any"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	anypb "google.golang.org/protobuf/types/known/anypb"
 	reflect "reflect"
 	sync "sync"
 )
@@ -27,11 +27,11 @@ type ExtraData struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	JsonSpec    []byte    `protobuf:"bytes,1,opt,name=JsonSpec,proto3" json:"JsonSpec,omitempty"`
-	RuncOptions *any1.Any `protobuf:"bytes,2,opt,name=RuncOptions,proto3" json:"RuncOptions,omitempty"`
-	StdinPort   uint32    `protobuf:"varint,3,opt,name=StdinPort,proto3" json:"StdinPort,omitempty"`
-	StdoutPort  uint32    `protobuf:"varint,4,opt,name=StdoutPort,proto3" json:"StdoutPort,omitempty"`
-	StderrPort  uint32    `protobuf:"varint,5,opt,name=StderrPort,proto3" json:"StderrPort,omitempty"`
+	JsonSpec    []byte     `protobuf:"bytes,1,opt,name=JsonSpec,proto3" json:"JsonSpec,omitempty"`
+	RuncOptions *anypb.Any `protobuf:"bytes,2,opt,name=RuncOptions,proto3" json:"RuncOptions,omitempty"`
+	StdinPort   uint32     `protobuf:"varint,3,opt,name=StdinPort,proto3" json:"StdinPort,omitempty"`
+	StdoutPort  uint32     `protobuf:"varint,4,opt,name=StdoutPort,proto3" json:"StdoutPort,omitempty"`
+	StderrPort  uint32     `protobuf:"varint,5,opt,name=StderrPort,proto3" json:"StderrPort,omitempty"`
 }
 
 func (x *ExtraData) Reset() {
@@ -73,7 +73,7 @@ func (x *ExtraData) GetJsonSpec() []byte {
 	return nil
 }
 
-func (x *ExtraData) GetRuncOptions() *any1.Any {
+func (x *ExtraData) GetRuncOptions() *anypb.Any {
 	if x != nil {
 		return x.RuncOptions
 	}
@@ -1110,7 +1110,7 @@ var file_types_proto_goTypes = []interface{}{
 	(*FirecrackerTokenBucket)(nil),          // 9: FirecrackerTokenBucket
 	(*FirecrackerBalloonDevice)(nil),        // 10: FirecrackerBalloonDevice
 	(*CNIConfiguration_CNIArg)(nil),         // 11: CNIConfiguration.CNIArg
-	(*any1.Any)(nil),                        // 12: google.protobuf.Any
+	(*anypb.Any)(nil),                       // 12: google.protobuf.Any
 }
 var file_types_proto_depIdxs = []int32{
 	12, // 0: ExtraData.RuncOptions:type_name -> google.protobuf.Any
diff --git a/tools/docker/Dockerfile.integ-test b/tools/docker/Dockerfile.integ-test
index bb1f7eca3..1da7348e1 100644
--- a/tools/docker/Dockerfile.integ-test
+++ b/tools/docker/Dockerfile.integ-test
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:experimental
 # Test image that starts up containerd and the devmapper snapshotter. The default CMD will drop to a bash shell. Overrides
 # to CMD will be provided appended to /bin/bash -c
-FROM public.ecr.aws/docker/library/golang:1.23-bullseye
+FROM public.ecr.aws/docker/library/golang:1.24-trixie
 ENV PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/go/bin"
 ENV INSTALLROOT="/usr/local"
 ENV DEBIAN_FRONTEND="noninteractive"
@@ -21,7 +21,8 @@ RUN apt-get update && apt-get install --yes --no-install-recommends \
   libseccomp-dev \
   tcpdump \
   iproute2 \
-  rng-tools # used for rngtest
+  rng-tools # used for rngtest \
+  e2fsprogs # for mkfs.ext4
 
 RUN mkdir -p \
   /var/run/firecracker-containerd \
diff --git a/tools/docker/Dockerfile.proto-builder b/tools/docker/Dockerfile.proto-builder
index 2903930f8..cc35855dd 100644
--- a/tools/docker/Dockerfile.proto-builder
+++ b/tools/docker/Dockerfile.proto-builder
@@ -11,11 +11,11 @@
 # express or implied. See the License for the specific language governing
 # permissions and limitations under the License.
 
-FROM public.ecr.aws/docker/library/golang:1.23-bullseye
+FROM public.ecr.aws/docker/library/golang:1.24-trixie
 
 RUN apt-get update && apt-get install --yes --no-install-recommends \
-	libprotobuf-dev=3.12.4-1+deb11u1 \
-	protobuf-compiler=3.12.4-1+deb11u1 \
+	libprotobuf-dev=3.21.12-11 \
+	protobuf-compiler=3.21.12-11 \
 	&& go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.33 \
 	&& go install github.com/containerd/ttrpc/cmd/protoc-gen-go-ttrpc@v1.2.3 \
 	&& mkdir /protobuf
diff --git a/tools/docker/Dockerfile.runc-builder b/tools/docker/Dockerfile.runc-builder
index a559c4992..77e9ce84d 100644
--- a/tools/docker/Dockerfile.runc-builder
+++ b/tools/docker/Dockerfile.runc-builder
@@ -11,7 +11,7 @@
 # express or implied. See the License for the specific language governing
 # permissions and limitations under the License.
 
-FROM public.ecr.aws/docker/library/golang:1.23-bullseye
+FROM public.ecr.aws/docker/library/golang:1.24-trixie
 
 RUN apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get -y install libseccomp-dev pkg-config
+    DEBIAN_FRONTEND=noninteractive apt-get -y install libseccomp-dev pkg-config e2fsprogs
diff --git a/tools/docker/Dockerfile.stargz-builder b/tools/docker/Dockerfile.stargz-builder
index 2578afed4..a63690025 100644
--- a/tools/docker/Dockerfile.stargz-builder
+++ b/tools/docker/Dockerfile.stargz-builder
@@ -11,4 +11,4 @@
 # express or implied. See the License for the specific language governing
 # permissions and limitations under the License.
 
-FROM public.ecr.aws/docker/library/golang:1.23-bullseye
+FROM public.ecr.aws/docker/library/golang:1.24-trixie
diff --git a/tools/image-builder/Dockerfile.debian-image b/tools/image-builder/Dockerfile.debian-image
index c48e9d9cd..d0ab62a64 100644
--- a/tools/image-builder/Dockerfile.debian-image
+++ b/tools/image-builder/Dockerfile.debian-image
@@ -11,7 +11,7 @@
 # express or implied. See the License for the specific language governing
 # permissions and limitations under the License.
 
-FROM public.ecr.aws/docker/library/debian:bullseye-slim
+FROM public.ecr.aws/docker/library/debian:trixie-slim
 
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get -y install \

From d343776d0fe7d438a0c1f01adc143d74defa7aa2 Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Thu, 13 Nov 2025 16:24:42 +0000
Subject: [PATCH 02/15] restart ci

Signed-off-by: Justin Alvarez <alvajus@amazon.com>

From fc035cd635fe595d5c1599065e7cf632920bcc94 Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Thu, 13 Nov 2025 19:10:33 +0000
Subject: [PATCH 03/15] explicitly set path when executing containerd service

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 tools/docker/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/docker/entrypoint.sh b/tools/docker/entrypoint.sh
index 77db62128..32e180e95 100755
--- a/tools/docker/entrypoint.sh
+++ b/tools/docker/entrypoint.sh
@@ -66,7 +66,7 @@ EOF
 
 touch ${FICD_CONTAINERD_OUTFILE}
 chmod a+rw ${FICD_CONTAINERD_OUTFILE}
-/usr/local/bin/containerd --log-level debug &>> ${FICD_CONTAINERD_OUTFILE} &
+PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/go/bin" /usr/local/bin/containerd --log-level debug &>> ${FICD_CONTAINERD_OUTFILE} &
 
 /usr/local/bin/http-address-resolver &>> ${FICD_LOG_DIR}/http-address-resolver.out &
 /usr/local/bin/demux-snapshotter &>> ${FICD_LOG_DIR}/demux-snapshotter.out &

From 399d4a8fdb19a92ad9ed89fccc887e7cd7dd405b Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Thu, 13 Nov 2025 19:10:39 +0000
Subject: [PATCH 04/15] bump versions

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 tools/docker/Dockerfile.integ-test | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/docker/Dockerfile.integ-test b/tools/docker/Dockerfile.integ-test
index 1da7348e1..3a5f10c93 100644
--- a/tools/docker/Dockerfile.integ-test
+++ b/tools/docker/Dockerfile.integ-test
@@ -32,14 +32,14 @@ RUN mkdir -p \
   /etc/cni/net.d
 
 # Install containerd to have runc shim.
-ENV CTRD_VERSION="1.7.16"
+ENV CTRD_VERSION="1.7.29"
 RUN ARCH=`go env GOARCH` && \
 	wget --quiet -O- https://github.com/containerd/containerd/releases/download/v$CTRD_VERSION/containerd-$CTRD_VERSION-linux-${ARCH}.tar.gz | tar zxf - -C /tmp/ && \
   install -D -o root -g root -m755 -t /usr/local/bin /tmp/bin/containerd-shim-runc-v2 && \
   rm -rf /tmp/bin
 
 # Install critest.
-ENV CRITEST_VERSION="1.23.0"
+ENV CRITEST_VERSION="1.34.0"
 RUN ARCH=`go env GOARCH` && \
   wget --quiet -O- https://github.com/kubernetes-sigs/cri-tools/releases/download/v$CRITEST_VERSION/critest-v$CRITEST_VERSION-linux-${ARCH}.tar.gz | tar zxf - -C /tmp/ && \
   install -D -o root -g root -m755 -t /usr/local/bin /tmp/critest && \

From 067a0f5963c3a2ab904a8561988f48a9ee7c1ca6 Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Fri, 14 Nov 2025 16:01:22 +0000
Subject: [PATCH 05/15] fix package installation

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 tools/docker/Dockerfile.integ-test | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tools/docker/Dockerfile.integ-test b/tools/docker/Dockerfile.integ-test
index 3a5f10c93..42abc4e51 100644
--- a/tools/docker/Dockerfile.integ-test
+++ b/tools/docker/Dockerfile.integ-test
@@ -10,6 +10,8 @@ ARG FIRECRACKER_TARGET=x86_64-unknown-linux-musl
 ENV FICD_LOG_DIR="/var/log/firecracker-containerd-test"
 ENV FICD_CONTAINERD_OUTFILE="${FICD_LOG_DIR}/containerd.out"
 
+# rng-tools: for rngtest
+# e2fsprogs: for mkfs.ext4
 RUN apt-get update && apt-get install --yes --no-install-recommends \
   build-essential \
   ca-certificates \
@@ -21,8 +23,8 @@ RUN apt-get update && apt-get install --yes --no-install-recommends \
   libseccomp-dev \
   tcpdump \
   iproute2 \
-  rng-tools # used for rngtest \
-  e2fsprogs # for mkfs.ext4
+  rng-tools \
+  e2fsprogs
 
 RUN mkdir -p \
   /var/run/firecracker-containerd \

From ddce5a8cd01e8587e8a3ccb3bb6ce3979a5ab646 Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Fri, 14 Nov 2025 16:25:36 +0000
Subject: [PATCH 06/15] downgrade to bookworm since it still comes with
 mkfs.ext4

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 Makefile                               | 2 +-
 tools/docker/Dockerfile.integ-test     | 2 +-
 tools/docker/Dockerfile.proto-builder  | 2 +-
 tools/docker/Dockerfile.runc-builder   | 2 +-
 tools/docker/Dockerfile.stargz-builder | 2 +-
 tools/docker/entrypoint.sh             | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index bbe16e9c6..66be6e6e5 100644
--- a/Makefile
+++ b/Makefile
@@ -29,7 +29,7 @@ SUBMODULES=_submodules
 UID:=$(shell id -u)
 GID:=$(shell id -g)
 
-FIRECRACKER_CONTAINERD_BUILDER_IMAGE?=golang:1.24-trixie
+FIRECRACKER_CONTAINERD_BUILDER_IMAGE?=golang:1.24-bookworm
 export FIRECRACKER_CONTAINERD_TEST_IMAGE?=localhost/firecracker-containerd-test
 export GO_CACHE_VOLUME_NAME?=gocache
 
diff --git a/tools/docker/Dockerfile.integ-test b/tools/docker/Dockerfile.integ-test
index 42abc4e51..e5bd75dab 100644
--- a/tools/docker/Dockerfile.integ-test
+++ b/tools/docker/Dockerfile.integ-test
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:experimental
 # Test image that starts up containerd and the devmapper snapshotter. The default CMD will drop to a bash shell. Overrides
 # to CMD will be provided appended to /bin/bash -c
-FROM public.ecr.aws/docker/library/golang:1.24-trixie
+FROM public.ecr.aws/docker/library/golang:1.24-bookworm
 ENV PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/go/bin"
 ENV INSTALLROOT="/usr/local"
 ENV DEBIAN_FRONTEND="noninteractive"
diff --git a/tools/docker/Dockerfile.proto-builder b/tools/docker/Dockerfile.proto-builder
index cc35855dd..346831bde 100644
--- a/tools/docker/Dockerfile.proto-builder
+++ b/tools/docker/Dockerfile.proto-builder
@@ -11,7 +11,7 @@
 # express or implied. See the License for the specific language governing
 # permissions and limitations under the License.
 
-FROM public.ecr.aws/docker/library/golang:1.24-trixie
+FROM public.ecr.aws/docker/library/golang:1.24-bookworm
 
 RUN apt-get update && apt-get install --yes --no-install-recommends \
 	libprotobuf-dev=3.21.12-11 \
diff --git a/tools/docker/Dockerfile.runc-builder b/tools/docker/Dockerfile.runc-builder
index 77e9ce84d..6bb49e2a9 100644
--- a/tools/docker/Dockerfile.runc-builder
+++ b/tools/docker/Dockerfile.runc-builder
@@ -11,7 +11,7 @@
 # express or implied. See the License for the specific language governing
 # permissions and limitations under the License.
 
-FROM public.ecr.aws/docker/library/golang:1.24-trixie
+FROM public.ecr.aws/docker/library/golang:1.24-bookworm
 
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get -y install libseccomp-dev pkg-config e2fsprogs
diff --git a/tools/docker/Dockerfile.stargz-builder b/tools/docker/Dockerfile.stargz-builder
index a63690025..dcb7665d9 100644
--- a/tools/docker/Dockerfile.stargz-builder
+++ b/tools/docker/Dockerfile.stargz-builder
@@ -11,4 +11,4 @@
 # express or implied. See the License for the specific language governing
 # permissions and limitations under the License.
 
-FROM public.ecr.aws/docker/library/golang:1.24-trixie
+FROM public.ecr.aws/docker/library/golang:1.24-bookworm
diff --git a/tools/docker/entrypoint.sh b/tools/docker/entrypoint.sh
index 32e180e95..77db62128 100755
--- a/tools/docker/entrypoint.sh
+++ b/tools/docker/entrypoint.sh
@@ -66,7 +66,7 @@ EOF
 
 touch ${FICD_CONTAINERD_OUTFILE}
 chmod a+rw ${FICD_CONTAINERD_OUTFILE}
-PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/usr/local/go/bin" /usr/local/bin/containerd --log-level debug &>> ${FICD_CONTAINERD_OUTFILE} &
+/usr/local/bin/containerd --log-level debug &>> ${FICD_CONTAINERD_OUTFILE} &
 
 /usr/local/bin/http-address-resolver &>> ${FICD_LOG_DIR}/http-address-resolver.out &
 /usr/local/bin/demux-snapshotter &>> ${FICD_LOG_DIR}/demux-snapshotter.out &

From d472487f3c2078bd83a8b9493bdb3374fead3ed6 Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Fri, 14 Nov 2025 16:32:12 +0000
Subject: [PATCH 07/15] more trixie => bookworm and fix protobuf version

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 .buildkite/al2_pipeline.yml                 | 2 +-
 .buildkite/pipeline.yml                     | 2 +-
 tools/docker/Dockerfile.proto-builder       | 4 ++--
 tools/image-builder/Dockerfile.debian-image | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.buildkite/al2_pipeline.yml b/.buildkite/al2_pipeline.yml
index 196d908e3..c45209095 100644
--- a/.buildkite/al2_pipeline.yml
+++ b/.buildkite/al2_pipeline.yml
@@ -24,7 +24,7 @@ steps:
       FICD_DM_VOLUME_GROUP: "fcci-vg"
     command:
       - ./.buildkite/setup_al2.sh
-      - docker run --rm -v $PWD:/mnt debian:trixie-slim rm -rf /mnt/tools/image-builder/rootfs
+      - docker run --rm -v $PWD:/mnt debian:bookworm-slim rm -rf /mnt/tools/image-builder/rootfs
 
   - wait
 
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
index 03c415576..c68ce28c9 100644
--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -22,7 +22,7 @@ steps:
       EXTRAGOARGS: "-race"
     command:
       - make test-images
-      - docker run --rm -v $PWD:/mnt debian:trixie-slim rm -rf /mnt/tools/image-builder/rootfs
+      - docker run --rm -v $PWD:/mnt debian:bookworm-slim rm -rf /mnt/tools/image-builder/rootfs
       - sudo install -d -o root -g buildkite-agent -m 775 "/local/artifacts/$BUILDKITE_BUILD_NUMBER"
       - cp tools/image-builder/rootfs.img "/local/artifacts/$BUILDKITE_BUILD_NUMBER/"
 
diff --git a/tools/docker/Dockerfile.proto-builder b/tools/docker/Dockerfile.proto-builder
index 346831bde..407c48371 100644
--- a/tools/docker/Dockerfile.proto-builder
+++ b/tools/docker/Dockerfile.proto-builder
@@ -14,8 +14,8 @@
 FROM public.ecr.aws/docker/library/golang:1.24-bookworm
 
 RUN apt-get update && apt-get install --yes --no-install-recommends \
-	libprotobuf-dev=3.21.12-11 \
-	protobuf-compiler=3.21.12-11 \
+	libprotobuf-dev=3.21.12-3 \
+	protobuf-compiler=3.21.12-3 \
 	&& go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.33 \
 	&& go install github.com/containerd/ttrpc/cmd/protoc-gen-go-ttrpc@v1.2.3 \
 	&& mkdir /protobuf
diff --git a/tools/image-builder/Dockerfile.debian-image b/tools/image-builder/Dockerfile.debian-image
index d0ab62a64..d8100ce48 100644
--- a/tools/image-builder/Dockerfile.debian-image
+++ b/tools/image-builder/Dockerfile.debian-image
@@ -11,7 +11,7 @@
 # express or implied. See the License for the specific language governing
 # permissions and limitations under the License.
 
-FROM public.ecr.aws/docker/library/debian:trixie-slim
+FROM public.ecr.aws/docker/library/debian:bookworm-slim
 
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get -y install \

From 4e6492899a705db4d9474e9ba7a653888e14d370 Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Fri, 14 Nov 2025 16:55:38 +0000
Subject: [PATCH 08/15] silence ginkgo warning

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 runtime/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/runtime/Makefile b/runtime/Makefile
index 47777018f..25477e06b 100644
--- a/runtime/Makefile
+++ b/runtime/Makefile
@@ -159,7 +159,7 @@ critest:
 		--env FICD_DM_POOL=$(FICD_DM_POOL) \
 		--env GOPROXY=direct \
 		--env GOSUMDB=off \
-      	--env ACK_GINKGO_DEPRECATIONS=1.16.5 \
+      	--env ACK_GINKGO_DEPRECATIONS=2.25.0 \
 		--workdir="/src/runtime" \
 		$(FIRECRACKER_CONTAINERD_TEST_IMAGE):$(DOCKER_IMAGE_TAG) \
 		"sleep 1 && critest -ginkgo.noColor -runtime-endpoint unix:///run/firecracker-containerd/containerd.sock | \

From e1aed08430508dd350f9c260a646e14589b39ba5 Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Fri, 14 Nov 2025 19:33:15 +0000
Subject: [PATCH 09/15] use new ginkgo syntax

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 runtime/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/runtime/Makefile b/runtime/Makefile
index 25477e06b..46453b1ca 100644
--- a/runtime/Makefile
+++ b/runtime/Makefile
@@ -159,10 +159,9 @@ critest:
 		--env FICD_DM_POOL=$(FICD_DM_POOL) \
 		--env GOPROXY=direct \
 		--env GOSUMDB=off \
-      	--env ACK_GINKGO_DEPRECATIONS=2.25.0 \
 		--workdir="/src/runtime" \
 		$(FIRECRACKER_CONTAINERD_TEST_IMAGE):$(DOCKER_IMAGE_TAG) \
-		"sleep 1 && critest -ginkgo.noColor -runtime-endpoint unix:///run/firecracker-containerd/containerd.sock | \
+		"sleep 1 && critest -ginkgo.no-color -runtime-endpoint unix:///run/firecracker-containerd/containerd.sock | \
 		./critest/critest_diff.sh"
 
 clean:

From 13026960d2a2474db6a21e7990782a134a9539c9 Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Fri, 14 Nov 2025 19:50:26 +0000
Subject: [PATCH 10/15] update expected failures for new base image (new debian
 version)

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 tools/critest/expected_critest_output.out | 155 ++++++++++++----------
 1 file changed, 88 insertions(+), 67 deletions(-)

diff --git a/tools/critest/expected_critest_output.out b/tools/critest/expected_critest_output.out
index 75cf933ac..7c16bf0c1 100644
--- a/tools/critest/expected_critest_output.out
+++ b/tools/critest/expected_critest_output.out
@@ -1,67 +1,88 @@
-[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should support an seccomp profile that blocks setting hostname with SYS_ADMIN 
-[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp localhost/profile on the container 
-[Fail] [k8s.io] Container runtime should support adding volume and device [BeforeEach] runtime should support starting container with volume [Conformance] 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support that ReadOnlyRootfs is false 
-[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support running PodSandbox [Conformance] 
-[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostIpc is false 
-[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support ContainerPID 
-[Fail] [k8s.io] Security Context bucket [It] runtime should return error if RunAsGroup is set without RunAsUser 
-[Fail] [k8s.io] Security Context NoNewPrivs [BeforeEach] should allow privilege escalation when false 
-[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support set hostname [Conformance] 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support dropping ALL capabilities 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support dropping capability 
-[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] runtime should support setting hostname with docker/default seccomp profile and SYS_ADMIN 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support ReadonlyPaths 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support MaskedPaths 
-[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support removing PodSandbox [Conformance] 
-[Fail] [k8s.io] Container Mount Propagation runtime should support mount propagation [BeforeEach] mount with 'rshared' should support propagation from host to container and vice versa 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support that ReadOnlyRootfs is true 
-[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostPID 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUserName 
-[Fail] [k8s.io] Container runtime should support log [BeforeEach] runtime should support starting container with log [Conformance] 
-[Fail] [k8s.io] Container Mount Propagation runtime should support mount propagation [BeforeEach] mount with 'rslave' should support propagation from host to container 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support SupplementalGroups 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support Privileged is true 
-[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostNetwork is true 
-[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should not support a custom seccomp profile without using localhost/ as a prefix 
-[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should ignore a seccomp profile that blocks setting hostname when privileged 
-[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support exec with tty=false and stdin=false [Conformance] 
-[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [BeforeEach] should support network 
-[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support stopping container [Conformance] 
-[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [BeforeEach] should support container exec 
-[Fail] [k8s.io] Security Context NoNewPrivs [BeforeEach] should not allow privilege escalation when true 
-[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support execSync [Conformance] 
-[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support execSync with timeout [Conformance] 
-[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support attach [Conformance] 
-[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support starting container [Conformance] 
-[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should not block setting host name with unconfined seccomp and SYS_ADMIN 
-[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support unsafe sysctls 
-[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support stopping PodSandbox [Conformance] 
-[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support exec with tty=true and stdin=true [Conformance] 
-[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] runtime should block sethostname with docker/default seccomp profile and no extra caps 
-[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] should support seccomp docker/default on the container 
-[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support DNS config [Conformance] 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUser 
-[Fail] [k8s.io] Container runtime should support log [BeforeEach] runtime should support reopening container log [Conformance] 
-[Fail] [k8s.io] Container runtime should support adding volume and device [BeforeEach] runtime should support starting container with volume when host path is a symlink [Conformance] 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support adding capability 
-[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [BeforeEach] should support container log 
-[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward [Conformance] 
-[Fail] [k8s.io] Container Mount Propagation runtime should support mount propagation [BeforeEach] mount with 'rprivate' should not support propagation 
-[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support creating container [Conformance] 
-[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support removing running container [Conformance] 
-[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support PodPID 
-[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support listing container stats [Conformance] 
-[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance] 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsGroup 
-[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp unconfined on the container 
-[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support safe sysctls 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support adding ALL capabilities 
-[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp default which is unconfined on the container 
-[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support removing stopped container [Conformance] 
-[Fail] [k8s.io] Security Context bucket [It] runtime should support Privileged is false 
-[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostIpc is true 
-[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostNetwork is false 
-[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward in host network 
-[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with only container port [Conformance] 
-[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support removing created container [Conformance] 
\ No newline at end of file
+[Fail] [k8s.io] AppArmor [BeforeEach] runtime should prefer
+[Fail] [k8s.io] AppArmor [BeforeEach] runtime should suppor
+[Fail] [k8s.io] Container Mount Propagation runtime should
+[Fail] [k8s.io] Container Mount Propagation runtime should support mount propagation [BeforeEach] mount with 'rshared' should support propagation from host to container and vice versa
+[Fail] [k8s.io] Container Mount Propagation runtime should support mount propagation [BeforeEach] mount with 'rslave' should support propagation from host to container
+[Fail] [k8s.io] Container Mount Propagation runtime should support mount propagation [BeforeEach] mount with 'rprivate' should not support propagation
+[Fail] [k8s.io] Container Mount Readonly runtime should sup
+[Fail] [k8s.io] Container OOM runtime should output OOMKill
+[Fail] [k8s.io] Container runtime should support adding vol
+[Fail] [k8s.io] Container runtime should support adding volume and device [BeforeEach] runtime should support starting container with volume [Conformance]
+[Fail] [k8s.io] Container runtime should support adding volume and device [BeforeEach] runtime should support starting container with volume when host path is a symlink [Conformance]
+[Fail] [k8s.io] Container runtime should support basic oper
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support creating container [Conformance]
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support execSync [Conformance]
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support execSync with timeout [Conformance]
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support listing container stats [Conformance]
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support removing created container [Conformance]
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support removing running container [Conformance]
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support removing stopped container [Conformance]
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support starting container [Conformance]
+[Fail] [k8s.io] Container runtime should support basic operations on container [BeforeEach] runtime should support stopping container [Conformance]
+[Fail] [k8s.io] Container runtime should support log [Befor
+[Fail] [k8s.io] Container runtime should support log [BeforeEach] runtime should support reopening container log [Conformance]
+[Fail] [k8s.io] Container runtime should support log [BeforeEach] runtime should support starting container with log [Conformance]
+[Fail] [k8s.io] Idempotence StopContainer [It] should not r
+[Fail] [k8s.io] Idempotence StopPodSandbox [It] should not
+[Fail] [k8s.io] Multiple Containers [Conformance] when runn
+[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [BeforeEach] should support container exec
+[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [BeforeEach] should support container log
+[Fail] [k8s.io] Multiple Containers [Conformance] when running multiple containers in a pod [BeforeEach] should support network
+[Fail] [k8s.io] Networking runtime should support networkin
+[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support DNS config [Conformance]
+[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with host port and container port [Conformance]
+[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support port mapping with only container port [Conformance]
+[Fail] [k8s.io] Networking runtime should support networking [It] runtime should support set hostname [Conformance]
+[Fail] [k8s.io] PodSandbox runtime should support basic ope
+[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support removing PodSandbox [Conformance]
+[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support running PodSandbox [Conformance]
+[Fail] [k8s.io] PodSandbox runtime should support basic operations on PodSandbox [It] runtime should support stopping PodSandbox [Conformance]
+[Fail] [k8s.io] PodSandbox runtime should support sysctls [
+[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support safe sysctls
+[Fail] [k8s.io] PodSandbox runtime should support sysctls [It] should support unsafe sysctls
+[Fail] [k8s.io] Security Context NamespaceOption [It] runti
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support ContainerPID
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostIpc is false
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostIpc is true
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostNetwork is false
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostNetwork is true
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support HostPID
+[Fail] [k8s.io] Security Context NamespaceOption [It] runtime should support PodPID
+[Fail] [k8s.io] Security Context NoNewPrivs [BeforeEach] sh
+[Fail] [k8s.io] Security Context NoNewPrivs [BeforeEach] should allow privilege escalation when false
+[Fail] [k8s.io] Security Context NoNewPrivs [BeforeEach] should not allow privilege escalation when true
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] ru
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should ignore a seccomp profile that blocks setting hostname when privileged
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should not block setting host name with unconfined seccomp and SYS_ADMIN
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should not support a custom seccomp profile without using localhost/ as a prefix
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] runtime should support an seccomp profile that blocks setting hostname with SYS_ADMIN
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] sh
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp default which is unconfined on the container
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp localhost/profile on the container
+[Fail] [k8s.io] Security Context SeccompProfilePath [It] should support seccomp unconfined on the container
+[Fail] [k8s.io] Security Context SeccompProfilePath docker/de
+[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] runtime should block sethostname with docker/default seccomp profile and no extra caps
+[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] runtime should support setting hostname with docker/default seccomp profile and SYS_ADMIN
+[Fail] [k8s.io] Security Context SeccompProfilePath docker/default [It] should support seccomp docker/default on the container
+[Fail] [k8s.io] Security Context bucket [It] runtime should
+[Fail] [k8s.io] Security Context bucket [It] runtime should return error if RunAsGroup is set without RunAsUser
+[Fail] [k8s.io] Security Context bucket [It] runtime should support MaskedPaths
+[Fail] [k8s.io] Security Context bucket [It] runtime should support Privileged is false
+[Fail] [k8s.io] Security Context bucket [It] runtime should support Privileged is true
+[Fail] [k8s.io] Security Context bucket [It] runtime should support ReadonlyPaths
+[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsGroup
+[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUser
+[Fail] [k8s.io] Security Context bucket [It] runtime should support RunAsUserName
+[Fail] [k8s.io] Security Context bucket [It] runtime should support SupplementalGroups
+[Fail] [k8s.io] Security Context bucket [It] runtime should support adding ALL capabilities
+[Fail] [k8s.io] Security Context bucket [It] runtime should support adding capability
+[Fail] [k8s.io] Security Context bucket [It] runtime should support dropping ALL capabilities
+[Fail] [k8s.io] Security Context bucket [It] runtime should support dropping capability
+[Fail] [k8s.io] Security Context bucket [It] runtime should support that ReadOnlyRootfs is false
+[Fail] [k8s.io] Security Context bucket [It] runtime should support that ReadOnlyRootfs is true
+[Fail] [k8s.io] Streaming runtime should support streaming
+[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support attach [Conformance]
+[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support exec with tty=false and stdin=false [Conformance]
+[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support exec with tty=true and stdin=true [Conformance]
+[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward [Conformance]
+[Fail] [k8s.io] Streaming runtime should support streaming interfaces [It] runtime should support portforward in host network

From da9e0df39d4ecc234b57cf5ac6a2d89fd4b4aa44 Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Mon, 17 Nov 2025 18:37:38 +0000
Subject: [PATCH 11/15] remove the CRI conformance tests

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 .buildkite/pipeline.yml | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
index c68ce28c9..8a437436b 100644
--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -128,15 +128,3 @@ steps:
     command:
       - make -C examples integ-test TEST_POOL=build_${BUILDKITE_BUILD_NUMBER}_example
     timeout_in_minutes: 10
-
-  - label: ":rotating_light: cri conformance tests"
-    agents:
-      queue: "${BUILDKITE_AGENT_META_DATA_QUEUE:-default}"
-      distro: "${BUILDKITE_AGENT_META_DATA_DISTRO}"
-      hostname: "${BUILDKITE_AGENT_META_DATA_HOSTNAME}"
-    env:
-      DOCKER_IMAGE_TAG: "$BUILDKITE_BUILD_NUMBER"
-      FICD_DM_VOLUME_GROUP: fcci-vg
-    command:
-      - make -C runtime critest FICD_DM_POOL=build_${BUILDKITE_BUILD_NUMBER}_critest
-    timeout_in_minutes: 10

From 141a6a9d95689c885cffd7d8f39845aab6cd88f4 Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Mon, 17 Nov 2025 18:55:13 +0000
Subject: [PATCH 12/15] bump containerd dependency

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 examples/cmd/remote-snapshotter/go.mod | 10 +++---
 examples/cmd/remote-snapshotter/go.sum | 20 ++++++------
 go.mod                                 | 22 ++++++-------
 go.sum                                 | 44 +++++++++++++-------------
 4 files changed, 48 insertions(+), 48 deletions(-)

diff --git a/examples/cmd/remote-snapshotter/go.mod b/examples/cmd/remote-snapshotter/go.mod
index 141a36b55..8cf8cbbe7 100644
--- a/examples/cmd/remote-snapshotter/go.mod
+++ b/examples/cmd/remote-snapshotter/go.mod
@@ -3,7 +3,7 @@ module github.com/firecracker-microvm/firecracker-containerd/example/remote-snap
 go 1.24.0
 
 require (
-	github.com/containerd/containerd v1.7.27
+	github.com/containerd/containerd v1.7.29
 	github.com/containerd/stargz-snapshotter v0.11.3
 	github.com/firecracker-microvm/firecracker-containerd v0.0.0-20220430002346-5f6efb9fdce8
 )
@@ -50,10 +50,10 @@ require (
 	go.opentelemetry.io/otel v1.27.0 // indirect
 	go.opentelemetry.io/otel/metric v1.27.0 // indirect
 	go.opentelemetry.io/otel/trace v1.27.0 // indirect
-	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/net v0.42.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
 	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 // indirect
 	google.golang.org/grpc v1.64.1 // indirect
diff --git a/examples/cmd/remote-snapshotter/go.sum b/examples/cmd/remote-snapshotter/go.sum
index 016e3a2a8..ffaf1dd24 100644
--- a/examples/cmd/remote-snapshotter/go.sum
+++ b/examples/cmd/remote-snapshotter/go.sum
@@ -202,8 +202,8 @@ github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTV
 github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c=
 github.com/containerd/containerd v1.5.8/go.mod h1:YdFSv5bTFLpG2HIYmfqDpSYYTDX+mc5qtSuYx1YUb/s=
 github.com/containerd/containerd v1.6.1/go.mod h1:1nJz5xCZPusx6jJU8Frfct988y0NpumIq9ODB0kLtoE=
-github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
-github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
+github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=
+github.com/containerd/containerd v1.7.29/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
 github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
 github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -1048,8 +1048,8 @@ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1074,8 +1074,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1175,8 +1175,8 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1190,8 +1190,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff --git a/go.mod b/go.mod
index c7bf1bfa9..008597f9a 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.24.0
 
 require (
 	github.com/awslabs/tc-redirect-tap v0.0.0-20211025175357-e30dfca224c2
-	github.com/containerd/containerd v1.7.27
+	github.com/containerd/containerd v1.7.29
 	github.com/containerd/containerd/api v1.8.0
 	github.com/containerd/continuity v0.4.4
 	github.com/containerd/fifo v1.1.0
@@ -29,8 +29,8 @@ require (
 	github.com/stretchr/testify v1.9.0
 	github.com/vishvananda/netlink v1.2.1-beta.2
 	go.uber.org/goleak v1.1.12
-	golang.org/x/sync v0.12.0
-	golang.org/x/sys v0.31.0
+	golang.org/x/sync v0.16.0
+	golang.org/x/sys v0.34.0
 	google.golang.org/grpc v1.64.1
 	google.golang.org/protobuf v1.35.2
 )
@@ -142,15 +142,15 @@ require (
 	go.opentelemetry.io/otel v1.27.0 // indirect
 	go.opentelemetry.io/otel/metric v1.27.0 // indirect
 	go.opentelemetry.io/otel/trace v1.27.0 // indirect
-	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/crypto v0.40.0 // indirect
 	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
-	golang.org/x/mod v0.18.0 // indirect
-	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/term v0.30.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
-	golang.org/x/tools v0.22.0 // indirect
+	golang.org/x/mod v0.26.0 // indirect
+	golang.org/x/net v0.42.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/term v0.33.0 // indirect
+	golang.org/x/text v0.27.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
+	golang.org/x/tools v0.34.0 // indirect
 	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/go.sum b/go.sum
index 5494c0072..a8f2b7487 100644
--- a/go.sum
+++ b/go.sum
@@ -164,8 +164,8 @@ github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo
 github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI=
 github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
 github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
-github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
-github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
+github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=
+github.com/containerd/containerd v1.7.29/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
 github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
 github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
@@ -965,8 +965,8 @@ golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
+golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1003,8 +1003,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
-golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
+golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1048,15 +1048,15 @@ golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1070,8 +1070,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1155,16 +1155,16 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
+golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1177,15 +1177,15 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
-golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1231,8 +1231,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
-golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
+golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
+golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

From b3467ba526a3244a0c7a43e41d4f4458447005dd Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Tue, 18 Nov 2025 15:26:48 +0000
Subject: [PATCH 13/15] try to mitigate test cleanup failures

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 tools/thinpool.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/thinpool.sh b/tools/thinpool.sh
index 172ad16e0..523b32657 100755
--- a/tools/thinpool.sh
+++ b/tools/thinpool.sh
@@ -97,7 +97,7 @@ else
         sudo dmsetup remove \
          "${dm_device}" \
          "${dm_device}_tdata" "${dm_device}_tmeta" || true
-        sudo lvremove -f "$dm_device"
+        sudo lvremove -f "$dm_device" || true
     }
 
     pool_reset() {

From b3c8567a223fec54f31cf4d4bcc6284fdf273ee2 Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Thu, 20 Nov 2025 00:05:37 +0000
Subject: [PATCH 14/15] update runc submodule

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 _submodules/runc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_submodules/runc b/_submodules/runc
index 84113eef6..eeb7e6024 160000
--- a/_submodules/runc
+++ b/_submodules/runc
@@ -1 +1 @@
-Subproject commit 84113eef6fc27af1b01b3181f31bbaf708715301
+Subproject commit eeb7e6024f9ee43876301b1d23c353384fa6dcdd

From 12698d8fc2d81f4dd50051dfb79bbfe8d3561658 Mon Sep 17 00:00:00 2001
From: Justin Alvarez <alvajus@amazon.com>
Date: Thu, 20 Nov 2025 01:12:13 +0000
Subject: [PATCH 15/15] undo mitigation

Signed-off-by: Justin Alvarez <alvajus@amazon.com>
---
 tools/thinpool.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/thinpool.sh b/tools/thinpool.sh
index 523b32657..172ad16e0 100755
--- a/tools/thinpool.sh
+++ b/tools/thinpool.sh
@@ -97,7 +97,7 @@ else
         sudo dmsetup remove \
          "${dm_device}" \
          "${dm_device}_tdata" "${dm_device}_tmeta" || true
-        sudo lvremove -f "$dm_device" || true
+        sudo lvremove -f "$dm_device"
     }
 
     pool_reset() {