diff --git a/.github/workflows/e2e-matrix.yml b/.github/workflows/e2e-matrix.yml index ba15629ffc..58843ccb4e 100644 --- a/.github/workflows/e2e-matrix.yml +++ b/.github/workflows/e2e-matrix.yml @@ -15,9 +15,14 @@ name: E2E Matrix Tests (nested clusters) on: + pull_request: + types: [opened, reopened, synchronize, labeled, unlabeled] + branches: + - main + - feat/pm workflow_dispatch: - schedule: - - cron: "40 4 * * *" + # schedule: + # - cron: "40 4 * * *" concurrency: group: "${{ github.workflow }}-${{ github.event.number || github.ref }}" @@ -29,6 +34,7 @@ defaults: jobs: cleanup-nested-clusters: + if: github.event_name != 'pull_request' name: Cleanup nested clusters runs-on: ubuntu-latest steps: @@ -100,6 +106,7 @@ jobs: cleanup_kind "vmclass" power-off-vms-for-nested: + if: github.event_name != 'pull_request' name: Power off VMs for nested clusters needs: cleanup-nested-clusters runs-on: ubuntu-latest @@ -315,7 +322,7 @@ jobs: fi set-vars: name: Set vars - needs: power-off-vms-for-nested + # needs: power-off-vms-for-nested runs-on: ubuntu-latest outputs: date_start: ${{ steps.vars.outputs.date-start }} @@ -336,7 +343,7 @@ jobs: storage_type: replicated nested_storageclass_name: nested-thin-r1 branch: main - virtualization_tag: main + virtualization_tag: pr2088 deckhouse_channel: alpha default_user: cloud go_version: "1.24.13" @@ -619,4 +626,4 @@ jobs: curl --request POST --header 'Content-Type: application/json' --data "{\"text\": \"${COMBINED_SUMMARY}\"}" "$LOOP_WEBHOOK_URL" fi env: - LOOP_WEBHOOK_URL: ${{ secrets.LOOP_WEBHOOK_URL }} + LOOP_WEBHOOK_URL: ${{ secrets.LOOP_TEST_CHANNEL }} diff --git a/.github/workflows/e2e-reusable-pipeline.yml b/.github/workflows/e2e-reusable-pipeline.yml index afb37a105b..8207ffe5c2 100644 --- a/.github/workflows/e2e-reusable-pipeline.yml +++ b/.github/workflows/e2e-reusable-pipeline.yml 
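Review bot: The new `pull_request` trigger lists the `labeled` and `unlabeled` event types, but no job in the visible hunks checks a label, so every label change on a PR against `main` or `feat/pm` starts the full nested-cluster matrix, and the visible `concurrency` group only keys on the PR number. If label-driven runs are the intent, gate the entry job with something like `if: contains(github.event.pull_request.labels.*.name, 'run-e2e')` (label name illustrative); otherwise drop those two types from the list. The `schedule` block is commented out rather than deleted, which reads as a temporary toggle for a trial run; either remove the lines and explain the decision in a comment, or restore the nightly trigger before merge.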
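Review bot: Commenting out `needs: power-off-vms-for-nested` on `set-vars` removes the ordering between the teardown jobs and the rest of the pipeline: on `workflow_dispatch`, where `cleanup-nested-clusters` and `power-off-vms-for-nested` still run, they now execute concurrently with `set-vars` and everything that depends on it, so cleanup of leftover nested clusters can race with the new run's provisioning. The two `if: github.event_name != 'pull_request'` hunks above are presumably why the dependency was dropped, since GitHub skips a dependent job when a needed job is skipped, but the usual fix is to keep the `needs:` line and give `set-vars` `if: ${{ !failure() && !cancelled() }}`, which lets it run on PRs (upstream skipped) while still waiting on dispatch runs. The `needs` chain of the later jobs is outside these hunks, so I could not confirm nothing else relied on that ordering.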
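Review bot: `virtualization_tag: pr2088` and `LOOP_WEBHOOK_URL: ${{ secrets.LOOP_TEST_CHANNEL }}` pin the matrix to a single PR's image tag and redirect the summary notification to a test channel; together with the commented-out cron they look like scratch values for a trial run rather than the intended state of `main`. If they are meant to land, add a comment on each line saying why the matrix tracks a PR tag instead of `main` and why the notification target changed; otherwise revert both before merge. Note also that with the new `pull_request` trigger, runs for PRs opened from forks do not receive repository secrets, so `LOOP_WEBHOOK_URL` will be empty there and the `curl ... "$LOOP_WEBHOOK_URL"` call should be skipped with a guard such as `if [ -n "$LOOP_WEBHOOK_URL" ]; then`; the enclosing `if` block starts outside the hunk.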
@@ -141,7 +141,8 @@ jobs: run: | GIT_SHORT_HASH=$(git rev-parse --short HEAD) - namespace="nightly-e2e-$STORAGE_TYPE-$GIT_SHORT_HASH-$RANDUUID4C" + # namespace="nightly-e2e-$STORAGE_TYPE-$GIT_SHORT_HASH-$RANDUUID4C" + namespace="test-e2e-$STORAGE_TYPE-$GIT_SHORT_HASH-$RANDUUID4C" echo "namespace=$namespace" >> $GITHUB_OUTPUT echo "sha_short=$GIT_SHORT_HASH" >> $GITHUB_OUTPUT @@ -1079,7 +1080,8 @@ jobs: echo $SUMMARY > "${summary_file_name_json}" echo "[INFO] Exit code: $GINKGO_EXIT_CODE" - exit $GINKGO_EXIT_CODE + # exit $GINKGO_EXIT_CODE + exit 0 - name: Upload summary test results (junit/xml) uses: actions/upload-artifact@v4 id: e2e-report-artifact diff --git a/.werf/defines/parse-base-images-map.tmpl b/.werf/defines/parse-base-images-map.tmpl index 0a6d8b1b72..6f711b331c 100644 --- a/.werf/defines/parse-base-images-map.tmpl +++ b/.werf/defines/parse-base-images-map.tmpl @@ -21,10 +21,20 @@ # /: "sha256:abcde12345 */}} {{- $usedImagesDict := (include "project_images" . | fromJson) }} +{{/* + # defaultRegistry: main repo for stable base_images + # altRegistry: sandbox for experimental images (e.g. builder/distroless image) +*/}} +{{- $defaultRegistry := $deckhouseImages.REGISTRY_PATH }} +{{- $altRegistry := $deckhouseImages.ALT_REGISTRY_PATH }} {{- range $k, $v := $deckhouseImages }} -{{- $baseImagePath := (printf "%s@%s" $deckhouseImages.REGISTRY_PATH (trimSuffix "/" $v)) }} -{{- if ne $k "REGISTRY_PATH" }} -{{- $_ := set $deckhouseImages $k $baseImagePath }} +{{- if and (ne $k "REGISTRY_PATH") (ne $k "ALT_REGISTRY_PATH") }} +{{- $registry := $defaultRegistry }} +{{- if and $altRegistry (eq "builder/distroless" $k) }} +{{- $registry = $altRegistry }} +{{- end }} +{{- $baseImagePath := (printf "%s@%s" $registry (trimSuffix "/" $v)) }} +{{- $_ := set $deckhouseImages $k $baseImagePath }} {{- end }} {{- end }} {{- $_ := unset $deckhouseImages "REGISTRY_PATH" }} 
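Review bot: Replacing `exit $GINKGO_EXIT_CODE` with `exit 0` makes the test step succeed regardless of the Ginkgo result, so a failing E2E run now yields a green job and the new `pull_request` trigger in e2e-matrix.yml cannot act as a merge gate; only the `[INFO] Exit code:` log line still shows the real value. If the goal is to let the `Upload summary test results` step below run after a failure, keep the real exit code and put `if: always()` on the upload steps instead. The namespace hunk above follows the same pattern of commenting out the old `nightly-e2e-` line instead of deleting it; remove the dead line so the prefix change is a clean diff.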
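Review bot: The loop now skips the `ALT_REGISTRY_PATH` key, but the visible trailing `unset $deckhouseImages "REGISTRY_PATH"` removes only `REGISTRY_PATH`; unless a matching unset follows outside the hunk, the bare string `registry.deckhouse.io/container-factory` stays in the map and is handed to consumers as if it were an image reference. Add `{{- $_ := unset $deckhouseImages "ALT_REGISTRY_PATH" }}` beside the existing line. The `eq "builder/distroless" $k` test hardcodes which image is routed to the registry the header comment calls a sandbox for experimental images; extend that comment to state that such images are still pinned by the digest from deckhouse_images.yml, so moving one back to the main registry only requires changing the registry path and not the pin.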
diff --git a/build/base-images/deckhouse_images.yml b/build/base-images/deckhouse_images.yml
index c1552d1abd..40d76c60c8 100644
--- a/build/base-images/deckhouse_images.yml
+++ b/build/base-images/deckhouse_images.yml
@@ -304,3 +304,6 @@ tools/xfsprogs-v6.16.0: "sha256:ec14d7e45fca638728c198b7eb8d675934e777dd4cfaca6f
 tools/yq: "sha256:4f294d46559f45bbd7d20f2306e2eaa2b6ec1cb6e826f906377c10bb9eea04d5" # from: builder/scratch
 tools/yq-v4.45.1: "sha256:893d67cc466e2be16006f9053d43701cb8bd376cd6864547ca43bafa08e01127" # from: builder/scratch
 tools/yq-v4.47.1: "sha256:4f294d46559f45bbd7d20f2306e2eaa2b6ec1cb6e826f906377c10bb9eea04d5" # from: builder/scratch
+
+ALT_REGISTRY_PATH: registry.deckhouse.io/container-factory
+builder/distroless: "sha256:bf930d66a701bb2fff5bcea46b00aac2e578bb388e96d28e04028811746d653a" # from: builder/scratch
diff --git a/build/components/versions.yml b/build/components/versions.yml
index fb7f562abc..af76afa7bf 100644
--- a/build/components/versions.yml
+++ b/build/components/versions.yml
@@ -1,5 +1,5 @@
 firmware:
- qemu: v9.2.0
+ qemu: v9.2.4
 libvirt: v10.9.0
 edk2: stable202411
 core:
diff --git a/images/packages/libvirt/patches/001-disable-ro-and-admin-servers.patch b/images/packages/libvirt/patches/001-disable-ro-and-admin-servers.patch
deleted file mode 100644
index 0813ed5119..0000000000
--- a/images/packages/libvirt/patches/001-disable-ro-and-admin-servers.patch
+++ /dev/null
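Review bot: `ALT_REGISTRY_PATH` is a plain registry string appended after the digest-pinned image entries, and nothing in the file marks it as a non-image key; any consumer that iterates this map as images other than the template in this diff would treat `registry.deckhouse.io/container-factory` as an image reference. Add a comment above it, e.g. `# Not an image: alternate registry used by .werf/defines/parse-base-images-map.tmpl for builder/distroless`, and consider placing it next to `REGISTRY_PATH` (outside this hunk, if that is where it is defined) rather than at the tail. The `builder/distroless` line is digest-pinned, which is what keeps a pull from the secondary registry reproducible; since its `# from: builder/scratch` comment follows the neighbouring lines' convention of naming only a base image, extend it to say the image is resolved through `ALT_REGISTRY_PATH` so the different origin is visible at the point of use.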
@@ -1,220 +0,0 @@ -diff --git a/src/logging/log_daemon.c b/src/logging/log_daemon.c -index daf7ef4b2f..7877ab03f7 100644 ---- a/src/logging/log_daemon.c -+++ b/src/logging/log_daemon.c -@@ -550,6 +550,7 @@ virLogDaemonUsage(const char *argv0, bool privileged) - " -f | --config Configuration file.\n" - " -V | --version Display version information.\n" - " -p | --pid-file Change name of PID file.\n" -+ " -A | --no-admin-srv Disable admin server startup.\n" - "\n" - "libvirt log management daemon:\n"), argv0); - -@@ -610,6 +611,8 @@ int main(int argc, char **argv) { - virLogDaemonConfig *config = NULL; - int rv; - -+ bool no_admin_srv = false; -+ - struct option opts[] = { - { "verbose", no_argument, &verbose, 'v' }, - { "daemon", no_argument, &godaemon, 'd' }, -@@ -618,6 +621,7 @@ int main(int argc, char **argv) { - { "pid-file", required_argument, NULL, 'p' }, - { "version", no_argument, NULL, 'V' }, - { "help", no_argument, NULL, 'h' }, -+ { "no-admin-srv", no_argument, NULL,'A' }, - { 0, 0, 0, 0 }, - }; - -@@ -634,7 +638,7 @@ int main(int argc, char **argv) { - int c; - char *tmp; - -- c = getopt_long(argc, argv, "df:p:t:vVh", opts, &optidx); -+ c = getopt_long(argc, argv, "df:p:t:vVhA", opts, &optidx); - - if (c == -1) - break; -@@ -678,6 +682,10 @@ int main(int argc, char **argv) { - virLogDaemonUsage(argv[0], privileged); - exit(EXIT_SUCCESS); - -+ case 'A': -+ no_admin_srv = true; -+ break; -+ - case '?': - default: - virLogDaemonUsage(argv[0], privileged); -@@ -732,16 +740,18 @@ int main(int argc, char **argv) { - VIR_DEBUG("Decided on pid file path '%s'", NULLSTR(pid_file)); - - if (virDaemonUnixSocketPaths("virtlogd", -- privileged, -- NULL, -- &sock_file, -- NULL, -- &admin_sock_file) < 0) { -+ privileged, -+ NULL, -+ &sock_file, -+ NULL, -+ no_admin_srv ? 
NULL : &admin_sock_file) < 0) { - VIR_ERROR(_("Can't determine socket paths")); - exit(EXIT_FAILURE); - } -- VIR_DEBUG("Decided on socket paths '%s' and '%s'", -- sock_file, admin_sock_file); -+ VIR_DEBUG("Decided on socket path '%s'", sock_file); -+ if (!no_admin_srv) { -+ VIR_DEBUG("Decided on socket path '%s'", admin_sock_file); -+ } - - if (virLogDaemonExecRestartStatePath(privileged, - &state_file) < 0) { -@@ -819,7 +829,6 @@ int main(int argc, char **argv) { - } - - logSrv = virNetDaemonGetServer(logDaemon->dmn, "virtlogd"); -- adminSrv = virNetDaemonGetServer(logDaemon->dmn, "admin"); - - if (virNetServerAddServiceUNIX(logSrv, - act, "virtlogd.socket", -@@ -829,13 +838,16 @@ int main(int argc, char **argv) { - ret = VIR_DAEMON_ERR_NETWORK; - goto cleanup; - } -- if (virNetServerAddServiceUNIX(adminSrv, -- act, "virtlogd-admin.socket", -- admin_sock_file, 0700, 0, 0, -- NULL, -- false, 0, 1) < 0) { -- ret = VIR_DAEMON_ERR_NETWORK; -- goto cleanup; -+ if (!no_admin_srv) { -+ adminSrv = virNetDaemonGetServer(logDaemon->dmn, "admin"); -+ if (virNetServerAddServiceUNIX(adminSrv, -+ act, "virtlogd-admin.socket", -+ admin_sock_file, 0700, 0, 0, -+ NULL, -+ false, 0, 1) < 0) { -+ ret = VIR_DAEMON_ERR_NETWORK; -+ goto cleanup; -+ } - } - - if (act && -@@ -847,7 +859,7 @@ int main(int argc, char **argv) { - logSrv = virNetDaemonGetServer(logDaemon->dmn, "virtlogd"); - /* If exec-restarting from old virtlogd, we won't have an - * admin server present */ -- if (virNetDaemonHasServer(logDaemon->dmn, "admin")) -+ if (!no_admin_srv && virNetDaemonHasServer(logDaemon->dmn, "admin")) - adminSrv = virNetDaemonGetServer(logDaemon->dmn, "admin"); - } - -@@ -873,7 +885,7 @@ int main(int argc, char **argv) { - goto cleanup; - } - -- if (adminSrv != NULL) { -+ if (!no_admin_srv && adminSrv != NULL) { - if (!(adminProgram = virNetServerProgramNew(ADMIN_PROGRAM, - ADMIN_PROTOCOL_VERSION, - adminProcs, -diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c -index 
9e82132654..522aad2177 100644 ---- a/src/remote/remote_daemon.c -+++ b/src/remote/remote_daemon.c -@@ -722,6 +722,8 @@ daemonUsage(const char *argv0, bool privileged) - { "-f | --config ", N_("Configuration file") }, - { "-V | --version", N_("Display version information") }, - { "-p | --pid-file ", N_("Change name of PID file") }, -+ { "-A | --no-admin-srv", N_("Disable admin server startup")}, -+ { "-R | --no-ro-srv", N_("Disable read-only server startup")}, - }; - - fprintf(stderr, "\n"); -@@ -806,6 +808,9 @@ int main(int argc, char **argv) { - bool implicit_conf = false; - char *run_dir = NULL; - mode_t old_umask; -+ -+ bool no_admin_srv = false; -+ bool no_ro_srv = false; - - struct option opts[] = { - { "verbose", no_argument, &verbose, 'v' }, -@@ -818,6 +823,8 @@ int main(int argc, char **argv) { - { "pid-file", required_argument, NULL, 'p' }, - { "version", no_argument, NULL, 'V' }, - { "help", no_argument, NULL, 'h' }, -+ {"no-admin-srv", no_argument, NULL, 'A'}, -+ {"no-ro-srv", no_argument, NULL, 'R'}, - { 0, 0, 0, 0 }, - }; - -@@ -834,9 +841,9 @@ int main(int argc, char **argv) { - int c; - char *tmp; - #if defined(WITH_IP) && defined(LIBVIRTD) -- const char *optstr = "ldf:p:t:vVh"; -+ const char *optstr = "ldf:p:t:vVhAR"; - #else /* !(WITH_IP && LIBVIRTD) */ -- const char *optstr = "df:p:t:vVh"; -+ const char *optstr = "df:p:t:vVhAR"; - #endif /* !(WITH_IP && LIBVIRTD) */ - - c = getopt_long(argc, argv, optstr, opts, &optidx); -@@ -889,6 +896,14 @@ int main(int argc, char **argv) { - daemonUsage(argv[0], privileged); - exit(EXIT_SUCCESS); - -+ case 'A': -+ no_admin_srv = true; -+ break; -+ -+ case 'R': -+ no_ro_srv = true; -+ break; -+ - case '?': - default: - daemonUsage(argv[0], privileged); -@@ -966,15 +981,18 @@ int main(int argc, char **argv) { - privileged, - config->unix_sock_dir, - &sock_file, -- &sock_file_ro, -- &sock_file_adm) < 0) { -+ no_ro_srv ? NULL : &sock_file_ro, -+ no_admin_srv ? 
NULL : &sock_file_adm) < 0) { - VIR_ERROR(_("Can't determine socket paths")); - exit(EXIT_FAILURE); - } -- VIR_DEBUG("Decided on socket paths '%s', '%s' and '%s'", -- sock_file, -- NULLSTR(sock_file_ro), -- NULLSTR(sock_file_adm)); -+ VIR_DEBUG("Decided on socket path '%s'", sock_file); -+ if (!no_ro_srv) { -+ VIR_DEBUG("Decided on socket path '%s'", NULLSTR(sock_file_ro)); -+ } -+ if (!no_admin_srv) { -+ VIR_DEBUG("Decided on socket path '%s'", NULLSTR(sock_file_adm)); -+ } - - if (godaemon) { - if (chdir("/") < 0) { -@@ -1172,8 +1190,8 @@ int main(int argc, char **argv) { - privileged, - #endif /* !WITH_IP */ - sock_file, -- sock_file_ro, -- sock_file_adm) < 0) { -+ no_ro_srv ? NULL : sock_file_ro, -+ no_admin_srv ? NULL : sock_file_adm) < 0) { - ret = VIR_DAEMON_ERR_NETWORK; - goto cleanup; - } diff --git a/images/packages/libvirt/patches/002-auth-pid-restriction.patch b/images/packages/libvirt/patches/002-auth-pid-restriction.patch deleted file mode 100644 index 5aa86ffc67..0000000000 --- a/images/packages/libvirt/patches/002-auth-pid-restriction.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -diff --git a/src/rpc/auth_pid.c b/src/rpc/auth_pid.c -new file mode 100644 -index 0000000000..3b3769c220 ---- /dev/null -+++ b/src/rpc/auth_pid.c -@@ -0,0 +1,39 @@ -+#include "auth_pid.h" -+#include -+ -+#define LIBVIRT_UNIX_SOCKET_AUTH_PID "LIBVIRT_UNIX_SOCKET_AUTH_PID" -+ -+static int auth_pid = -1; -+ -+/** -+ * GetUnixSocketAuthPid: -+ * -+ * Retrieves the authentication process ID (PID) from the environment variable -+ * LIBVIRT_UNIX_SOCKET_AUTH_PID. The function caches the PID after the first call -+ * to avoid redundant lookups. -+ * -+ * Return values: -+ * > 0 - The PID was successfully retrieved and set. -+ * -1 - The function is called for the first time, and initialization has not yet occurred. -+ * 0 - Initialization was performed, but the PID was not found or was invalid. -+ */ -+int getUnixSocketAuthPid(void) { -+ const char *auth_pid_env; -+ int pid; -+ -+ if (auth_pid != -1) { -+ return auth_pid; -+ } -+ -+ auth_pid = 0; // Set default value before checking the environment variable -+ -+ auth_pid_env = getenv(LIBVIRT_UNIX_SOCKET_AUTH_PID); -+ if (auth_pid_env) { -+ pid = atoi(auth_pid_env); -+ if (pid > 0) { -+ auth_pid = pid; -+ } -+ } -+ -+ return auth_pid; -+} -diff --git a/src/rpc/auth_pid.h b/src/rpc/auth_pid.h -new file mode 100644 -index 0000000000..5c52f4d818 ---- /dev/null -+++ b/src/rpc/auth_pid.h -@@ -0,0 +1,3 @@ -+#pragma once -+ -+int getUnixSocketAuthPid(void); -diff --git a/src/rpc/meson.build b/src/rpc/meson.build -index 68aaf24b2a..682c56453f 100644 ---- a/src/rpc/meson.build -+++ b/src/rpc/meson.build -@@ -8,6 +8,7 @@ tlsconfig_sources = files( - socket_sources = tlsconfig_sources + [ - 'virnettlscontext.c', - 'virnetsocket.c', -+ 'auth_pid.c' - ] - - virt_socket_lib = static_library( -diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c -index e8fc2d5f7d..18cb354bb9 100644 ---- a/src/rpc/virnetsocket.c -+++ b/src/rpc/virnetsocket.c -@@ -49,6 +49,8 @@ - #include "virprocess.h" - #include "virstring.h" - 
-+#include "auth_pid.h" -+ - #if WITH_SSH2 - # include "virnetsshsession.h" - #endif -@@ -2060,6 +2062,7 @@ int virNetSocketAccept(virNetSocket *sock, virNetSocket **clientsock) - virSocketAddr localAddr = { 0 }; - virSocketAddr remoteAddr = { 0 }; - int ret = -1; -+ int expect_auth_pid = -1; - - virObjectLock(sock); - -@@ -2086,6 +2089,27 @@ int virNetSocketAccept(virNetSocket *sock, virNetSocket **clientsock) - goto cleanup; - } - -+ if (remoteAddr.data.sa.sa_family == AF_UNIX) { -+ expect_auth_pid = getUnixSocketAuthPid(); -+ VIR_DEBUG("Expecting PID %d for Unix socket connection", expect_auth_pid); -+ -+ if (expect_auth_pid > 0) { -+ struct ucred cred; -+ socklen_t cred_len = sizeof(struct ucred); -+ if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &cred_len) < 0) { -+ virReportSystemError(errno, "%s", _("Unable to get peer credentials for unix socket connection")); -+ goto cleanup; -+ } -+ -+ VIR_DEBUG("Received PID %d for Unix socket connection", cred.pid); -+ -+ if (cred.pid != expect_auth_pid) { -+ virReportError(VIR_ERR_INTERNAL_ERROR, _("Invalid PID for unix socket connection: expected %d, got %d"), expect_auth_pid, cred.pid); -+ goto cleanup; -+ } -+ } -+ } -+ - if (!(*clientsock = virNetSocketNew(&localAddr, - &remoteAddr, - true, diff --git a/images/packages/libvirt/patches/003-treat-getpeercon-eintval-as-success.patch b/images/packages/libvirt/patches/003-treat-getpeercon-eintval-as-success.patch deleted file mode 100644 index 6b661fa513..0000000000 --- a/images/packages/libvirt/patches/003-treat-getpeercon-eintval-as-success.patch +++ /dev/null 
@@ -1,18 +0,0 @@ -diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c -index e8fc2d5f7d..472bd8debf 100644 ---- a/src/rpc/virnetsocket.c -+++ b/src/rpc/virnetsocket.c -@@ -1556,6 +1556,13 @@ int virNetSocketGetSELinuxContext(virNetSocket *sock, - - virObjectLock(sock); - if (getpeercon(sock->fd, &seccon) < 0) { -+ // getpeercon from libselinux uses getsockopt() syscall. Some implementations of getsockopts -+ // return EINVAL errno for unsupported valopt argument instead of ENOPROTOOPT errno. -+ // This fix makes libvirt work with such broken implementations. -+ if (errno == EINVAL) { -+ ret = 0; -+ goto cleanup; -+ } - if (errno == ENOSYS || errno == ENOPROTOOPT) { - ret = 0; - goto cleanup; diff --git a/images/packages/libvirt/patches/README.md b/images/packages/libvirt/patches/README.md deleted file mode 100644 index a8f99ecbac..0000000000 --- a/images/packages/libvirt/patches/README.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# Patches - -## 001-disable-ro-and-admin-servers.patch - -This patch introduces new flags to enhance the security and control of QEMU services: - -- Adds `--no-admin-srv` and `--no-ro-srv` flags to `virtqemud`. -- Adds `--no-admin-srv` flag to `virtlogd`. - -These flags allow disabling the read-only and admin servers for `virtqemud` and the admin server for `virtlogd`, respectively, providing better control over the services and reducing potential attack surfaces. - -### Affected Sockets - -When all flags are set, the following sockets will be disabled: -- `/var/run/libvirt/virtlogd-admin-sock` -- `/var/run/libvirt/virtqemud-admin-sock` -- `/var/run/libvirt/virtqemud-sock-ro` - -## 002-auth-pid-restriction.patch - -This patch introduces a new security feature for **virtqemud** by utilizing an environment variable to restrict socket connections: - -- The `LIBVIRT_UNIX_SOCKET_AUTH_PID` environment variable is used to specify the **process ID (PID)** that is allowed to connect to `virtqemud`. - -When this environment variable is set, `virtqemud` will **only accept socket connections from the specified PID**, improving security by ensuring that only the intended process can communicate with the daemon. - -### Affected Behavior - -- If the `LIBVIRT_UNIX_SOCKET_AUTH_PID` environment variable is set with a valid PID, `virtqemud` will check the PID of incoming connection attempts. Only the process with the specified PID will be allowed to communicate over the socket. -- Any connection attempt from a different process will be rejected. -- If the environment variable is **not set**, `virtqemud` will function as before, accepting all connections without PID-based restrictions. - -This feature enhances security by preventing unauthorized access to the socket and mitigating the risk of privilege escalation attacks. It provides a way to control access to the daemon based on the PID of the connecting process, without the need for additional command-line flags. 
- -## 003-treat-getpeercon-eintval-as-success.patch -`getpeercon` from libselinux uses `getsockopt()` syscall. Some implementations of `getsockopts()` return `EINVAL` errno for unsupported valopt argument instead of `ENOPROTOOPT` errno. This fix makes libvirt work with such broken implementations. \ No newline at end of file diff --git a/images/packages/libvirt/werf.inc.yaml b/images/packages/libvirt/werf.inc.yaml index b7862bb10f..0f5ec481f1 100644 --- a/images/packages/libvirt/werf.inc.yaml +++ b/images/packages/libvirt/werf.inc.yaml 
@@ -7,263 +7,10 @@ import: add: /out to: /{{ $.ImageName }} before: setup - --- -{{- $gitRepoName := $.ImageName }} -{{- $version := get $.Firmware $gitRepoName }} -{{- $gitRepoUrl := "libvirt/libvirt.git" }} - -image: {{ .ModuleNamePrefix }}{{ .PackagePath }}/{{ .ImageName }}-src-artifact -final: false -fromImage: builder/src -git: -- add: {{ .ModuleDir }}/images/packages/{{ .ImageName }} - to: / - includePaths: - - patches - excludePaths: - - patches/README.md - stageDependencies: - install: - - '**/*' -secrets: -- id: SOURCE_REPO - value: {{ $.SOURCE_REPO_GIT }} -shell: - install: - - | - git clone --depth=1 $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} --branch {{ $version }} /src/{{ $gitRepoName }}-{{ $version }} - - cd /src/{{ $gitRepoName }}-{{ $version }} - - if [[ "$(cat /run/secrets/SOURCE_REPO)" =~ "github.com" ]] ; then - echo "Checkout submodules" - git submodule update --init --recursive --depth=1 - else - echo "Checkout submodules with URL rewrite" - git \ - -c url."$(cat /run/secrets/SOURCE_REPO)/".insteadOf=https://github.com/ \ - -c url."$(cat /run/secrets/SOURCE_REPO)/".insteadOf=https://gitlab.com/ \ - submodule update --init --recursive --depth=1 - fi - - for p in /patches/*.patch ; do - echo -n "Apply ${p} ... 
" - git apply --ignore-space-change --ignore-whitespace ${p} && echo OK || (echo FAIL ; exit 1) - done - ---- -{{- $name := print $.ImageName "-dependencies" -}} -{{- define "$name" -}} -altPackages: -- binutils -- gcc-c++ -- git gettext -- bash-completion -- clang ccache -- make cmake -- meson ninja-build -- iproute iptables iptables-nft iptables-ipv6 -- openvswitch ebtables -- pkgconfig -- polkit kmod -- parted -- qemu-img open-iscsi -- xml-utils xsltproc -- polkit -- python3 python3-devel -- python3-module-pytest python3-module-docutils -- python3-tools python3-module-pip -- python3-module-black -- mdevctl tshark -- dmsetup pm-utils -- tree -altLibraries: -- libpciaccess-devel -- libyajl-devel sanlock-devel -- libpcap-devel -- libparted-devel -- libdevmapper-devel -- ceph-devel -- libiscsi-devel libglusterfs-devel -- systemtap-sdt-devel -- wireshark-devel -- libclocale -- libyajl-devel -packages: -- dmidecode lvm2 libattr libbsd libmd util-linux -- libgcrypt libfuse3 libaudit libnbd libcap-ng -- openssl libcurl e2fsprogs libxcrypt numactl -- zlib p11-kit -- libssh libssh2 libjson-c5 keyutils -- krb5 xz -- readline -- selinux -- cyrus-sasl2 -- libtasn1 libtirpc -- glib2 acl libunistring libxml2 -- gnutls -- systemd libnl3 libslirp -- glibc -{{- end -}} - -{{ $builderDependencies := include "$name" . | fromYaml }} image: {{ .ModuleNamePrefix }}{{ .PackagePath }}/{{ .ImageName }}-builder final: false -fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/alt" "builder/golang-alt-svace-1.24" }} -import: -- image: {{ .ModuleNamePrefix }}{{ .PackagePath }}/{{ .ImageName }}-src-artifact - add: /src/{{ $gitRepoName }}-{{ $version }} - to: /{{ $gitRepoName }}-{{ $version }} - before: install -{{- include "importPackageImages" (list . $builderDependencies.packages "install") -}} +fromImage: builder/distroless shell: - beforeInstall: - {{- include "alt packages proxy" . 
| nindent 2 }} - - | - apt-get install -y \ - {{ $builderDependencies.altPackages | join " " }} \ - {{ $builderDependencies.altLibraries | join " " }} - - {{- include "alt packages clean" . | nindent 2 }} - - | - rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED - rpm -qa | sort > /packages.txt - mkdir -p /usr/libexec/ccache-wrappers - ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc - ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang - ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc - install: - - | - # Install packages - PKGS="{{ $builderDependencies.packages | join " " }}" - for pkg in $PKGS; do - cp -a /$pkg/. / - rm -rf /$pkg - done - - export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers" - export CCACHE_DIR="$CCACHE_BASEDIR/ccache" - export CCACHE_BASEDIR="$(pwd)" - export PATH="$CCACHE_WRAPPERSDIR:$PATH" - export MAKE="/usr/bin/make" - export NINJA="/usr/bin/ninja" - export PYTHON="/usr/bin/python3" - - cd /{{ $gitRepoName }}-{{ $version }} - - CFLAGS="-Wframe-larger-than=262144" meson setup build \ - -Dinit_script=systemd \ - -Dsystem=true \ - -Dremote_default_mode=direct \ - -Dpciaccess=enabled \ - -Dsasl=enabled \ - -Dpolkit=enabled \ - -Dlibssh=enabled \ - -Dlibssh2=enabled \ - -Dnumactl=enabled \ - -Dcapng=enabled \ - -Dudev=enabled \ - -Ddriver_network=enabled \ - -Ddriver_interface=enabled \ - -Ddriver_libvirtd=enabled \ - -Ddriver_qemu=enabled \ - -Ddriver_remote=enabled \ - -Dselinux=enabled \ - -Dselinux_mount=enabled \ - -Ddriver_esx=disabled -Dcurl=disabled \ - -Dfirewalld=disabled \ - -Dfirewalld_zone=disabled \ - -Ddocs=disabled \ - -Ddriver_ch=disabled \ - -Ddriver_lxc=disabled -Dlogin_shell=disabled \ - -Ddriver_openvz=disabled \ - -Ddriver_test=disabled \ - -Ddriver_vbox=disabled \ - -Ddriver_vmware=disabled \ - -Ddriver_hyperv=disabled -Dopenwsman=disabled \ - -Ddriver_vz=disabled \ - -Ddriver_bhyve=disabled \ - -Dvbox_xpcomc_dir=disabled \ - -Dwireshark_dissector=disabled \ - -Dwireshark_plugindir=disabled \ - 
-Dstorage_gluster=disabled -Dglusterfs=disabled \ - -Dstorage_fs=disabled \ - -Dstorage_lvm=disabled \ - -Dstorage_zfs=disabled \ - -Dstorage_vstorage=disabled \ - -Dstorage_rbd=disabled \ - -Dstorage_mpath=disabled \ - -Dstorage_iscsi=disabled \ - -Dstorage_iscsi_direct=disabled -Dlibiscsi=disabled \ - -Dlibiscsi=disabled - - - {{- $_ := set $ "ProjectName" (list $.ImageName "libvirt" | join "/") }} - {{- include "image-build.build" (set $ "BuildCommand" `ninja -C build -j$(nproc)`) | nindent 6 }} - - setup: - - | - OUTDIR=/out - cd /{{ $gitRepoName }}-{{ $version }} - DESTDIR=$OUTDIR ninja -C build install - - rm -rf $OUTDIR/var - rm -rf $OUTDIR/usr/share/systemtap/tapset/libvirt_probes.stp - rm -rf $OUTDIR/usr/share/systemtap/tapset/libvirt_qemu_probes.stp - rm -rf $OUTDIR/usr/lib64/libvirt/lock-driver/sanlock.so - find $OUTDIR/usr/lib64/libvirt/storage-backend/ -type f -not -name 'libvirt_storage_backend_fs.so' -delete - rm -rf $OUTDIR/usr/lib64/libvirt/storage-file/libvirt_storage_file_gluster.so - rm -rf $OUTDIR/usr/lib64/libvirt/connection-driver/libvirt_driver_lxc.so - rm -rf $OUTDIR/usr/lib64/libvirt/connection-driver/libvirt_driver_ch.so - rm -rf $OUTDIR/usr/lib64/libvirt/connection-driver/libvirt_driver_vbox.so - rm -rf $OUTDIR/usr/sbin/virtlxcd - rm -rf $OUTDIR/usr/sbin/virtchd - rm -rf $OUTDIR/usr/sbin/virtvboxd - rm -rf $OUTDIR/usr/libexec/libvirt_sanlock_helper - rm -rf $OUTDIR/usr/libexec/libvirt_parthelper - rm -rf $OUTDIR/usr/libexec/libvirt_lxc - rm -rf $OUTDIR/usr/share/augeas/lenses/tests/ - rm -rf $OUTDIR/usr/bin/virt-login-shell - rm -rf $OUTDIR/usr/libexec/virt-login-shell-helper - rm -rf $OUTDIR/usr/bin/virsh - rm -rf $OUTDIR/usr/bin/virt-admin - rm -rf $OUTDIR/usr/lib64/wireshark/plugins/4.4/epan/libvirt.so - rm -rf $OUTDIR/usr/share/libvirt/cpu_map/arm_* - rm -rf $OUTDIR/usr/share/libvirt/cpu_map/ppc64_* - rm -rf $OUTDIR/usr/share/libvirt/schemas/ - rm -rf $OUTDIR/etc/logrotate.d/ - rm -rf $OUTDIR/usr/lib/firewalld/ - rm -rf 
$OUTDIR/etc/libvirt/nwfilter/ - rm -rf $OUTDIR/usr/lib/sysusers.d/libvirt-qemu.sysusers.conf - rm -rf $OUTDIR/usr/lib/sysctl.d/postcopy-migration.sysctl - rm -rf $OUTDIR/usr/share/libvirt/test-screenshot.png - rm -rf $OUTDIR/etc/libvirt/libvirt-admin.conf - rm -rf $OUTDIR/etc/libvirt/qemu-lockd.conf - rm -rf $OUTDIR/etc/libvirt/qemu-sanlock.conf - rm -rf $OUTDIR/etc/libvirt/virtlockd.conf - rm -rf $OUTDIR/etc/libvirt/lxc.conf - rm -rf $OUTDIR/etc/libvirt/qemu.conf - rm -rf $OUTDIR/usr/share/augeas/ - rm -rf $OUTDIR/etc/libvirt/virtnetworkd.conf - rm -rf $OUTDIR/etc/libvirt/virtsecretd.conf - rm -rf $OUTDIR/etc/libvirt/virtstoraged.conf - rm -rf $OUTDIR/etc/libvirt/virtlxcd.conf - rm -rf $OUTDIR/etc/libvirt/virtchd.conf - rm -rf $OUTDIR/etc/libvirt/virtqemud.conf - rm -rf $OUTDIR/etc/libvirt/virtvboxd.conf - rm -rf $OUTDIR/usr/sbin/virt-sanlock-cleanup - rm -rf $OUTDIR/usr/lib/systemd/ - rm -rf $OUTDIR/usr/bin/virt-qemu-qmp-proxy - rm -rf $OUTDIR/usr/share/bash-completion/ - rm -rf $OUTDIR/etc/ssh/ - rm -rf $OUTDIR/usr/share/doc - rm -rf $OUTDIR/usr/local/share/locale/ - - find $OUTDIR -type f -executable | while read -r execfile; do - if strip "$execfile"; then - echo "Stripped: $execfile" - fi - done - tree -hp $OUTDIR + - pm install -1 {{ .ImageName }} {{ .ImageName }}-devel -d /out diff --git a/images/qemu/install-qemu.sh b/images/qemu/install-qemu.sh deleted file mode 100755 index 4a8b18b926..0000000000 --- a/images/qemu/install-qemu.sh +++ /dev/null 
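Review bot: The source build that applied `/patches/*.patch` is replaced by `pm install -1 {{ .ImageName }} {{ .ImageName }}-devel -d /out`, and this same diff deletes the three libvirt patches whose README describes 001 (disabling the admin and read-only sockets) and 002 (accepting UNIX socket connections only from the PID in `LIBVIRT_UNIX_SOCKET_AUTH_PID`) as attack-surface reductions; nothing here shows the prebuilt package carries those changes, so that hardening silently disappears unless the package source includes it. Please add a comment above the `pm install` line stating where the package is built from, which libvirt version it pins (the `$version` lookup from `$.Firmware` is gone while versions.yml still lists `libvirt: v10.9.0`), and whether the former patches are applied upstream of it. The `-1` flag of `pm` is not explained anywhere in the diff; a short comment on its meaning would help the next reader. The `$.SVACE_ENABLED` builder selection is also dropped, which changes what static analysis runs on this image if that was relied on.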
@@ -1,256 +0,0 @@ -#!/usr/bin/env bash - -# Copyright 2024 Flant JSC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -usage() { - cat <vendor) { - s->vendor = g_strdup("QEMU"); - } -- if (s->serial && strlen(s->serial) > MAX_SERIAL_LEN) { -- error_setg(errp, "The serial number can't be longer than %d characters", -- MAX_SERIAL_LEN); -- return; -- } - if (!s->device_id) { - if (s->serial) { -- if (strlen(s->serial) > MAX_SERIAL_LEN_FOR_DEVID) { -- error_setg(errp, "The serial number can't be longer than %d " -- "characters when it is also used as the default for " -- "device_id", MAX_SERIAL_LEN_FOR_DEVID); -- return; -- } -- s->device_id = g_strdup(s->serial); -+ s->device_id = g_strdup_printf("%.20s", s->serial); - } else { - const char *str = blk_name(s->qdev.conf.blk); - if (str && *str) { diff --git a/images/qemu/patches/README.md b/images/qemu/patches/README.md deleted file mode 100644 index 62a774b403..0000000000 --- a/images/qemu/patches/README.md +++ /dev/null 
@@ -1,14 +0,0 @@ -# Patches - -## 001-revert-scsi-disk-serial-truncate.patch - -This patch reverts the commit that introduced strict length enforcement for the SCSI disk `serial` property. - -### Background - -Before the reverted commit, scsi-disk accepted serial numbers of arbitrary length, but the value seen by the guest was silently truncated to 36 characters. While this limitation was arbitrary, it ensured compatibility with existing guest behavior. The change to enforce strict length validation introduced potential compatibility issues, making it impossible to upgrade to newer QEMU versions seamlessly.### Why This Revert Is Necessary - -For the time being, we need to maintain backward compatibility until a seamless migration to the new behavior can be implemented. By reverting the commit, we restore the previous behavior where serial numbers longer than 36 characters are truncated instead of causing an error. - -### Reverted Commit -[Commit 75997e182b69](https://github.com/qemu/qemu/commit/75997e182b695f2e3f0a2d649734952af5caf3ee) diff --git a/images/qemu/werf.inc.yaml b/images/qemu/werf.inc.yaml index 019a5f5d58..373d50fa1c 100644 --- a/images/qemu/werf.inc.yaml +++ b/images/qemu/werf.inc.yaml 
@@ -1,362 +1,31 @@ --- -{{- $gitRepoName := $.ImageName }} -{{- $version := get $.Firmware $gitRepoName }} -{{- $gitRepoUrl := "qemu/qemu.git" }} - -image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact +image: {{ .ModuleNamePrefix }}{{ .ImageName }} +final: false +fromImage: builder/scratch +import: +# Full QEMU package with all runtime dependencies (for cdi-importer, etc.) +- image: {{ .ModuleNamePrefix }}{{ .ImageName }}-builder + add: /out + to: /{{ $.ImageName }}-img + before: setup +# QEMU binaries only, without shared libraries from pm dependencies. +# Used by virt-launcher and virt-handler where relocate_binaries.sh +# resolves shared libraries from the build environment. +- image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins-builder + add: /out + to: /{{ $.ImageName }}-bins + before: setup +--- +image: {{ .ModuleNamePrefix }}{{ .ImageName }}-builder final: false -fromImage: builder/src -git: -- add: {{ .ModuleDir }}/images/{{ .ImageName }} - to: / - includePaths: - - install-qemu.sh - - patches - excludePaths: - - patches/README.md - stageDependencies: - install: - - '**/*' -- add: {{ .ModuleDir }}/build/tools/relocate_binaries.sh - to: /relocate_binaries.sh - stageDependencies: - install: - - '**/*' -secrets: -- id: SOURCE_REPO - value: {{ $.SOURCE_REPO_GIT }} +fromImage: builder/distroless shell: - beforeInstall: - {{- include "alt packages proxy" . | nindent 2}} - - apt-get install -y meson - {{- include "alt packages clean" . 
| nindent 2}} install: - - | - mkdir -p ~/.ssh && echo "StrictHostKeyChecking accept-new" > ~/.ssh/config - git clone --depth=1 $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} --branch {{ $version }} /src/{{ $gitRepoName }}-{{ $version }} - - cd /src/{{ $gitRepoName }}-{{ $version }} - - if [[ "$(cat /run/secrets/SOURCE_REPO)" =~ "github.com" ]] ; then - echo "Checkout submodules" - git submodule update --init --recursive --depth=1 - else - echo "Checkout submodules with URL rewrite" - # mbed-tls rewrite is needed for edk2 submodule. - git \ - -c url."$(cat /run/secrets/SOURCE_REPO)/qemu-project/seabios.git".insteadOf=https://gitlab.com/qemu-project/seabios.git/ \ - -c url."$(cat /run/secrets/SOURCE_REPO)/mbed-tls/".insteadOf=https://github.com/ARMmbed/ \ - -c url."$(cat /run/secrets/SOURCE_REPO)/".insteadOf=https://github.com/ \ - -c url."$(cat /run/secrets/SOURCE_REPO)/".insteadOf=https://gitlab.com/ \ - submodule update --init --recursive --depth=1 - - echo "Download meson subprojects with URL rewrites." - # Configure script options require only 3 subprojects. - for subproj in berkeley-softfloat-3 berkeley-testfloat-3 keycodemapdb ; do - echo "Rewrite url for ${subproj} subproject." - wrapfile="subprojects/${subproj}.wrap" - # Rewrite https://HOSTNAME/ to SOURCE_REPO secret in the wrap file. 
- sed -i '/^#/n ; /^url/ s|\(url\ \?=\ \?\)\(.*:\/\/[^\/]*\/\)|\1'$(cat /run/secrets/SOURCE_REPO)'\/|' ${wrapfile} - meson subprojects download ${subproj} - done - - fi - + - pm install qemu -d /out --- -{{- $name := print $.ImageName "-dependencies" -}} -{{- define "$name" -}} -altPackages: -- binutils -- pkgconfig pkg-config -- gcc-c++ clang git -- gettext bash-completion -- ccache -- make cmake meson ninja-build makeinfo -- seabios seavgabios -- qboot flex -- filesystem -- ipxe-roms-qemu -- shadow-utils sysvinit-utils -- hasher-provides-dev-kvm -- python3 python3-dev -- python3-module-pytest -- python3-module-docutils -- python3-tools -- python3-module-pip -- python3-module-sphinx -- python3-module-sphinx_rtd_theme -- python3-module-black -altLibraries: -- libattr-devel-static -- libdw-devel-static -- libatomic-devel-static -- libdw-devel -- perl-devel -- libxfs-devel -- libpci-devel -- libgvnc-devel -- libfdt-devel -- libdrm-devel -- libxdp-devel libSDL2-devel libSDL2_image-devel -- libalsa-devel libpulseaudio-devel -- pipewire-libs pipewire-jack-libs-devel -- libsoundio-devel -- libjpeg-devel xkeyboard-config-devel -- glusterfs11 libgtk+3-devel libvte libvte-devel libvte3-devel -- libvirglrenderer-devel libusb-devel libbpf-devel -- libspice-server-devel spice-protocol ceph-devel -- libnfs-devel -- libblkio-devel libpmem-devel -- libdaxctl-devel -- libcacard-devel libusbredir-devel libepoxy-devel libgbm-devel -- libvitastor-devel libiscsi-devel glusterfs-coreutils -- libglusterfs11-api-devel -- libvdeplug-devel -packages: -- dmidecode libgcrypt nettle libcap-ng libcapstone -- openssl libcurl e2fsprogs libxcrypt numactl -- zlib zstd -- libssh libssh2 -- openldap keyutils -- xz lz4 lzo krb5 -- libpixman libpsl libpng libqpl rdma-core -- pcre2 -- selinux -- cyrus-sasl2 -- linux-pam -- snappy -- ngtcp2 libtasn1 ncurses -- glib2 util-linux -- libxkbcommon -- libgcc1 -- libaio -- liburing libuserspace-rcu libunistring systemd -- multipath-tools -- libslirp libseccomp 
gnutls bzip2 -- glibc -{{- end -}} - -{{ $builderDependencies := include "$name" . | fromYaml }} - -image: {{ .ModuleNamePrefix }}{{ .ImageName }} +image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins-builder final: false -fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/alt" "builder/golang-alt-svace-1.24" }} -import: -- image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact - add: /src/{{ $gitRepoName }}-{{ $version }} - to: /{{ $gitRepoName }}-{{ $version }} - before: install -- image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact - add: /patches - to: /patches - before: install -- image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact - add: / - to: / - before: install - includePaths: - - install-qemu.sh - - relocate_binaries.sh -{{- include "importPackageImages" (list . $builderDependencies.packages "install") -}} -secrets: -- id: SOURCE_REPO - value: {{ $.SOURCE_REPO_GIT }} +fromImage: builder/distroless shell: - beforeInstall: - {{- include "alt packages proxy" . | nindent 2 }} - - | - apt-get install -y \ - {{ $builderDependencies.altPackages | join " " }} \ - {{ $builderDependencies.altLibraries | join " " }} - - {{- include "alt packages clean" . | nindent 2 }} - - | - rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED - rpm -qa | sort > /packages.txt - - mkdir -p /usr/libexec/ccache-wrappers - ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc - ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang - ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc - install: - - | - # Install packages - PKGS="{{ $builderDependencies.packages | join " " }}" - for pkg in $PKGS; do - cp -a /$pkg/. 
/ - rm -rf /$pkg - done - - export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers" - export CCACHE_DIR="$CCACHE_BASEDIR/ccache" - export CCACHE_BASEDIR="$(pwd)" - export PATH="$CCACHE_WRAPPERSDIR:$PATH" - export MAKE="/usr/bin/make" - export NINJA="/usr/bin/ninja" - export PYTHON="/usr/bin/python3" - - export LDFLAGS="-L/usr/lib64 -L/usr/lib" - export CPPFLAGS="-I/usr/include" - - cd /{{ $gitRepoName }}-{{ $version }} - - for p in /patches/*.patch ; do - echo -n "Apply ${p} ... " - git apply --ignore-space-change --ignore-whitespace ${p} && echo OK || (echo FAIL ; exit 1) - done - - ./configure \ - --target-list="x86_64-softmmu" \ - --with-pkgversion="-dvp" \ - --with-coroutine=ucontext \ - --tls-priority="@QEMU,SYSTEM" \ - --block-drv-rw-whitelist="qcow2,raw,file,host_device,nbd,iscsi,rbd,blkdebug,luks,null-co,nvme,copy-on-read,throttle,compress,virtio-blk-vhost-vdpa,virtio-blk-vfio-pci,virtio-blk-vhost-user,io_uring,nvme-io_uring" \ - --block-drv-ro-whitelist="vdi,vmdk,vhdx,vpc,https" \ - --disable-alsa \ - --disable-auth-pam \ - --disable-avx2 \ - --disable-avx512bw \ - --disable-block-drv-whitelist-in-tools \ - --disable-bochs \ - --disable-bpf \ - --disable-brlapi \ - --disable-bsd-user \ - --disable-bzip2 \ - --disable-cfi \ - --disable-cfi-debug \ - --disable-cloop \ - --disable-cocoa \ - --disable-coreaudio \ - --disable-crypto-afalg \ - --disable-curses \ - --disable-debug-mutex \ - --disable-debug-tcg \ - --disable-dmg \ - --disable-docs \ - --disable-dsound \ - --disable-fdt \ - --disable-fuse \ - --disable-fuse-lseek \ - --disable-gcrypt \ - --disable-gettext \ - --disable-glusterfs \ - --disable-gtk \ - --disable-guest-agent-msi \ - --disable-hvf \ - --disable-jack \ - --disable-l2tpv3 \ - --disable-libdaxctl \ - --disable-libdw \ - --disable-libiscsi \ - --disable-libnfs \ - --disable-libpmem \ - --disable-libssh \ - --disable-libvduse \ - --disable-linux-user \ - --disable-lto \ - --disable-lzfse \ - --disable-membarrier \ - 
--disable-module-upgrades \ - --disable-multiprocess \ - --disable-netmap \ - --disable-nettle \ - --disable-nvmm \ - --disable-oss \ - --disable-parallels \ - --disable-plugins \ - --disable-qcow1 \ - --disable-qed \ - --disable-qga-vss \ - --disable-qom-cast-debug \ - --disable-replication \ - --disable-rng-none \ - --disable-safe-stack \ - --disable-sdl \ - --disable-sdl-image \ - --disable-slirp-smbd \ - --disable-smartcard \ - --disable-sndio \ - --disable-sparse \ - --disable-spice \ - --disable-strip \ - --disable-u2f \ - --disable-user \ - --disable-vde \ - --disable-vduse-blk-export \ - --disable-vhost-crypto \ - --disable-virglrenderer \ - --disable-virtfs \ - --disable-vnc-jpeg \ - --disable-vte \ - --disable-vvfat \ - --disable-whpx \ - --disable-xen \ - --disable-xen-pci-passthrough \ - --enable-attr \ - --enable-blkio \ - --enable-cap-ng \ - --enable-capstone \ - --enable-coroutine-pool \ - --enable-curl \ - --enable-dbus-display \ - --enable-debug-info \ - --enable-fdt=system \ - --enable-gio \ - --enable-gnutls \ - --enable-guest-agent \ - --enable-iconv \ - --enable-kvm \ - --enable-libusb \ - --enable-libudev \ - --enable-linux-aio \ - --enable-linux-io-uring \ - --enable-lzo \ - --enable-malloc-trim \ - --enable-modules \ - --enable-mpath \ - --enable-numa \ - --enable-opengl \ - --enable-pa \ - --enable-pie \ - --enable-rbd \ - --enable-rdma \ - --enable-seccomp \ - --enable-selinux \ - --enable-slirp \ - --enable-snappy \ - --enable-spice-protocol \ - --enable-system \ - --enable-tcg \ - --enable-tools \ - --enable-tpm \ - --enable-usb-redir \ - --enable-vdi \ - --enable-vhost-kernel \ - --enable-vhost-net \ - --enable-vhost-user \ - --enable-vhost-user-blk-server \ - --enable-vhost-vdpa \ - --enable-vnc \ - --enable-png \ - --enable-vnc-sasl \ - --enable-werror \ - --enable-xkbcommon \ - --enable-zstd - - {{- $_ := set $ "ProjectName" (list $.ImageName "qemu" | join "/") }} - {{- include "image-build.build" (set $ "BuildCommand" `make 
-j$(nproc)`) | nindent 6 }} - - setup: - - | - /install-qemu.sh --version-num "{{ $version }}" \ - -s /{{ $gitRepoName }}-{{ $version }} \ - -d /BINS \ - -b build - # qemu-img - mkdir -p /qemu-img/usr/bin - cp -an /BINS/usr/bin/qemu{-nbd,-img} /qemu-img/usr/bin - - LIST="/BINS/usr/bin/qemu-img /BINS/usr/bin/qemu-nbd" - - ./relocate_binaries.sh -i "$LIST" -o /qemu-img + - pm install -1 qemu -d /out diff --git a/images/virt-handler/werf.inc.yaml b/images/virt-handler/werf.inc.yaml index 3db87a474a..7fb4a35f61 100644 --- a/images/virt-handler/werf.inc.yaml +++ b/images/virt-handler/werf.inc.yaml @@ -68,6 +68,7 @@ binaries: - /usr/bin/osirrox - /usr/bin/xorriso-dd-target - /usr/bin/xorrisofs +- /usr/bin/qemu-img packages: - libisoburn nftables acl libmnl libjansson4 libnftnl - glibc libattr pcre2 selinux @@ -91,9 +92,9 @@ import: - bin/umount {{- include "importPackageImages" (list . $builderDependencies.packages "install") -}} - image: {{ .ModuleNamePrefix }}qemu - add: /qemu-img - to: /relocate - before: setup + add: /qemu-bins + to: /qemu + before: install shell: install: - | @@ -103,7 +104,8 @@ shell: cp -a /$pkg/. / rm -rf /$pkg done - + cp -a /qemu/. / + rm -rf /qemu setup: - | /relocate_binaries.sh -i "{{ $builderDependencies.binaries | join " " }}" -o /relocate diff --git a/images/virt-launcher/werf.inc.yaml b/images/virt-launcher/werf.inc.yaml index d238443408..9a6044f2b2 100644 --- a/images/virt-launcher/werf.inc.yaml +++ b/images/virt-launcher/werf.inc.yaml @@ -164,7 +164,7 @@ import: to: /libvirt-bins before: install - image: {{ .ModuleNamePrefix }}qemu - add: /BINS + add: /qemu-bins to: /qemu-bins before: install @@ -347,41 +347,6 @@ shell: cd / - - | - convert_version() { - local version="${1#v}" - IFS='.' read -r major minor patch <<< "$version" - printf "%d%03d\n" "$major" "$minor" - } - - libvirt_version=$(convert_version {{ $version }}) - - echo "libvirt_version: $libvirt_version" - - SYMLINC_LIST=$(cat <
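Review bot: The new install steps `pm install qemu -d /out` (builder stanza) and `pm install -1 qemu -d /out` (bins-builder stanza) carry no version pin, whereas the removed build selected the QEMU revision explicitly via `{{ get $.Firmware $gitRepoName }}` and a pinned `--branch`; unless pm resolves versions from a lockfile elsewhere in the repo, the image contents now float with whatever the package repository serves, which also makes the scratch image harder to reproduce. The `-1` flag is left unexplained in the file, and the only hint is the import comment about "without shared libraries from pm dependencies", so a line such as `# -1: install the qemu package alone, without its dependencies (presumably; confirm against pm)` above that step would save the next reader a lookup. This commit also deletes `images/qemu/patches/001-revert-scsi-disk-serial-truncate.patch` and its README, but nothing in the hunk shows whether the pm-built qemu package still carries that serial-truncation revert; a note like `# NOTE: the scsi-disk serial-truncation revert formerly applied from patches/ must now be carried by the qemu package` would record the dependency on the package build.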
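Review bot: In the `@@ -103` hunk of images/virt-handler/werf.inc.yaml, `cp -a /qemu/. /` merges the entire imported `/qemu-bins` tree into the image root, where the previous import (changed in the `@@ -91` hunk) dropped only two already-relocated binaries under `/relocate`; any path in that tree colliding with files copied from the package images in the loop just above is silently overwritten by `cp -a`. Since `/usr/bin/qemu-img` is the only entry added to `binaries:` in the `@@ -68` hunk, copying that file alone, e.g. `install -m 0755 /qemu/usr/bin/qemu-img /usr/bin/qemu-img`, would keep the install layer minimal — hedged, because the layout pm produces under `/out` is not visible here. Note also that qemu-nbd, which the removed `/qemu-img` import shipped next to qemu-img, no longer appears in `binaries:`; if that drop is intended, a one-line comment on the list saying so would help. The `setup:` step that consumes `binaries:` continues past the end of this hunk.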