From 40c2fc618c9c92fc5f0fe01e6d8550216be915d7 Mon Sep 17 00:00:00 2001
From: Anton Fomichev <anton.fomichev@flant.com>
Date: Tue, 10 Mar 2026 16:25:20 +0300
Subject: [PATCH 01/13] initv2 pm

Signed-off-by: Anton Fomichev <anton.fomichev@flant.com>
---
 .werf/defines/parse-base-images-map.tmpl |  16 +-
 build/base-images/deckhouse_images.yml   |   3 +
 images/packages/libvirt/werf.inc.yaml    | 258 +----------------------
 images/virt-artifact/werf.inc.yaml       |   2 +-
 4 files changed, 20 insertions(+), 259 deletions(-)

diff --git a/.werf/defines/parse-base-images-map.tmpl b/.werf/defines/parse-base-images-map.tmpl
index 0a6d8b1b72..6f711b331c 100644
--- a/.werf/defines/parse-base-images-map.tmpl
+++ b/.werf/defines/parse-base-images-map.tmpl
@@ -21,10 +21,20 @@
   # <prefix>/<name>: "sha256:abcde12345
 */}}
 {{-   $usedImagesDict := (include "project_images" . | fromJson) }}
+{{/*
+  # defaultRegistry: main repo for stable base_images
+  # altRegistry: sandbox for experimental images (e.g. builder/distroless image)
+*/}}
+{{-   $defaultRegistry := $deckhouseImages.REGISTRY_PATH }}
+{{-   $altRegistry := $deckhouseImages.ALT_REGISTRY_PATH }}
 {{-   range $k, $v := $deckhouseImages }}
-{{-     $baseImagePath := (printf "%s@%s" $deckhouseImages.REGISTRY_PATH (trimSuffix "/" $v)) }}
-{{-     if ne $k "REGISTRY_PATH" }}
-{{-       $_ := set $deckhouseImages $k $baseImagePath }}
+{{-     if and (ne $k "REGISTRY_PATH") (ne $k "ALT_REGISTRY_PATH") }}
+{{-       $registry := $defaultRegistry }}
+{{-       if and $altRegistry (eq "builder/distroless" $k) }}
+{{-         $registry = $altRegistry }}
+{{-       end }}
+{{-     $baseImagePath := (printf "%s@%s" $registry (trimSuffix "/" $v)) }}
+{{-     $_ := set $deckhouseImages $k $baseImagePath }}
 {{-     end }}
 {{-   end }}
 {{-   $_ := unset $deckhouseImages "REGISTRY_PATH" }}
diff --git a/build/base-images/deckhouse_images.yml b/build/base-images/deckhouse_images.yml
index c1552d1abd..3535dcec44 100644
--- a/build/base-images/deckhouse_images.yml
+++ b/build/base-images/deckhouse_images.yml
@@ -304,3 +304,6 @@ tools/xfsprogs-v6.16.0: "sha256:ec14d7e45fca638728c198b7eb8d675934e777dd4cfaca6f
 tools/yq: "sha256:4f294d46559f45bbd7d20f2306e2eaa2b6ec1cb6e826f906377c10bb9eea04d5" # from: builder/scratch
 tools/yq-v4.45.1: "sha256:893d67cc466e2be16006f9053d43701cb8bd376cd6864547ca43bafa08e01127" # from: builder/scratch
 tools/yq-v4.47.1: "sha256:4f294d46559f45bbd7d20f2306e2eaa2b6ec1cb6e826f906377c10bb9eea04d5" # from: builder/scratch
+
+ALT_REGISTRY_PATH: registry.deckhouse.io/container-factory
+builder/distroless: "sha256:5f2c2d54bd6d1ef5e207fb4e70731895d3876ebf12ffc434d25f3b3949c81694" # from: builder/scratch
diff --git a/images/packages/libvirt/werf.inc.yaml b/images/packages/libvirt/werf.inc.yaml
index b7862bb10f..595cbc17b4 100644
--- a/images/packages/libvirt/werf.inc.yaml
+++ b/images/packages/libvirt/werf.inc.yaml
@@ -7,263 +7,11 @@ import:
   add: /out
   to: /{{ $.ImageName }}
   before: setup
-
 ---
-{{- $gitRepoName := $.ImageName }}
-{{- $version := get $.Firmware $gitRepoName }}
-{{- $gitRepoUrl := "libvirt/libvirt.git" }}
-
-image: {{ .ModuleNamePrefix }}{{ .PackagePath }}/{{ .ImageName }}-src-artifact
-final: false
-fromImage: builder/src
-git:
-- add: {{ .ModuleDir }}/images/packages/{{ .ImageName }}
-  to: /
-  includePaths:
-  - patches
-  excludePaths:
-    - patches/README.md
-  stageDependencies:
-    install:
-      - '**/*'
-secrets:
-- id: SOURCE_REPO
-  value: {{ $.SOURCE_REPO_GIT }}
-shell:
-  install:
-  - |
-    git clone --depth=1 $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} --branch {{ $version }} /src/{{ $gitRepoName }}-{{ $version }}
-
-    cd /src/{{ $gitRepoName }}-{{ $version }}
-
-    if [[ "$(cat /run/secrets/SOURCE_REPO)" =~ "github.com" ]] ; then
-      echo "Checkout submodules"
-      git submodule update --init --recursive --depth=1
-    else
-      echo "Checkout submodules with URL rewrite"
-      git \
-        -c url."$(cat /run/secrets/SOURCE_REPO)/".insteadOf=https://github.com/  \
-        -c url."$(cat /run/secrets/SOURCE_REPO)/".insteadOf=https://gitlab.com/  \
-        submodule update --init --recursive --depth=1
-    fi
-
-    for p in /patches/*.patch ; do
-      echo -n "Apply ${p} ... "
-      git apply  --ignore-space-change --ignore-whitespace ${p} && echo OK || (echo FAIL ; exit 1)
-    done
-
----
-{{- $name := print $.ImageName "-dependencies" -}}
-{{- define "$name" -}}
-altPackages:
-- binutils
-- gcc-c++
-- git gettext
-- bash-completion
-- clang ccache
-- make cmake
-- meson ninja-build
-- iproute iptables iptables-nft iptables-ipv6
-- openvswitch ebtables
-- pkgconfig
-- polkit kmod
-- parted
-- qemu-img open-iscsi
-- xml-utils xsltproc
-- polkit
-- python3 python3-devel
-- python3-module-pytest python3-module-docutils
-- python3-tools python3-module-pip
-- python3-module-black
-- mdevctl tshark
-- dmsetup pm-utils
-- tree
-altLibraries:
-- libpciaccess-devel
-- libyajl-devel sanlock-devel
-- libpcap-devel
-- libparted-devel
-- libdevmapper-devel
-- ceph-devel
-- libiscsi-devel libglusterfs-devel
-- systemtap-sdt-devel
-- wireshark-devel
-- libclocale
-- libyajl-devel
-packages:
-- dmidecode lvm2 libattr libbsd libmd util-linux
-- libgcrypt libfuse3 libaudit libnbd libcap-ng
-- openssl libcurl e2fsprogs libxcrypt numactl
-- zlib p11-kit
-- libssh libssh2 libjson-c5 keyutils
-- krb5 xz
-- readline
-- selinux
-- cyrus-sasl2
-- libtasn1 libtirpc
-- glib2 acl libunistring libxml2
-- gnutls
-- systemd libnl3 libslirp
-- glibc
-{{- end -}}
-
-{{ $builderDependencies := include "$name" . | fromYaml }}
 image: {{ .ModuleNamePrefix }}{{ .PackagePath }}/{{ .ImageName }}-builder
 final: false
-fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/alt" "builder/golang-alt-svace-1.24" }}
-import:
-- image: {{ .ModuleNamePrefix }}{{ .PackagePath }}/{{ .ImageName }}-src-artifact
-  add: /src/{{ $gitRepoName }}-{{ $version }}
-  to: /{{ $gitRepoName }}-{{ $version }}
-  before: install
-{{- include "importPackageImages" (list . $builderDependencies.packages "install") -}}
+fromImage: builder/distroless
 shell:
-  beforeInstall:
-  {{- include "alt packages proxy" . | nindent 2 }}
-  - |
-    apt-get install -y \
-      {{ $builderDependencies.altPackages | join " " }} \
-      {{ $builderDependencies.altLibraries | join " " }}
-
-  {{- include "alt packages clean" . | nindent 2 }}
-  - |
-    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
-    rpm -qa | sort > /packages.txt
-    mkdir -p /usr/libexec/ccache-wrappers
-    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
-    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
-    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
-
   install:
-  - |
-    # Install packages
-    PKGS="{{ $builderDependencies.packages | join " " }}"
-    for pkg in $PKGS; do
-      cp -a /$pkg/. /
-      rm -rf /$pkg
-    done
-
-    export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
-    export CCACHE_DIR="$CCACHE_BASEDIR/ccache"
-    export CCACHE_BASEDIR="$(pwd)"
-    export PATH="$CCACHE_WRAPPERSDIR:$PATH"
-    export MAKE="/usr/bin/make"
-    export NINJA="/usr/bin/ninja"
-    export PYTHON="/usr/bin/python3"
-
-    cd /{{ $gitRepoName }}-{{ $version }}
-
-    CFLAGS="-Wframe-larger-than=262144" meson setup build \
-      -Dinit_script=systemd \
-      -Dsystem=true \
-      -Dremote_default_mode=direct \
-      -Dpciaccess=enabled \
-      -Dsasl=enabled \
-      -Dpolkit=enabled \
-      -Dlibssh=enabled \
-      -Dlibssh2=enabled \
-      -Dnumactl=enabled \
-      -Dcapng=enabled \
-      -Dudev=enabled \
-      -Ddriver_network=enabled \
-      -Ddriver_interface=enabled \
-      -Ddriver_libvirtd=enabled \
-      -Ddriver_qemu=enabled \
-      -Ddriver_remote=enabled \
-      -Dselinux=enabled \
-      -Dselinux_mount=enabled \
-      -Ddriver_esx=disabled -Dcurl=disabled \
-      -Dfirewalld=disabled \
-      -Dfirewalld_zone=disabled \
-      -Ddocs=disabled \
-      -Ddriver_ch=disabled \
-      -Ddriver_lxc=disabled -Dlogin_shell=disabled \
-      -Ddriver_openvz=disabled \
-      -Ddriver_test=disabled \
-      -Ddriver_vbox=disabled \
-      -Ddriver_vmware=disabled \
-      -Ddriver_hyperv=disabled -Dopenwsman=disabled \
-      -Ddriver_vz=disabled \
-      -Ddriver_bhyve=disabled \
-      -Dvbox_xpcomc_dir=disabled \
-      -Dwireshark_dissector=disabled \
-      -Dwireshark_plugindir=disabled \
-      -Dstorage_gluster=disabled -Dglusterfs=disabled \
-      -Dstorage_fs=disabled \
-      -Dstorage_lvm=disabled \
-      -Dstorage_zfs=disabled \
-      -Dstorage_vstorage=disabled \
-      -Dstorage_rbd=disabled \
-      -Dstorage_mpath=disabled \
-      -Dstorage_iscsi=disabled \
-      -Dstorage_iscsi_direct=disabled -Dlibiscsi=disabled \
-      -Dlibiscsi=disabled
-
-
-      {{- $_ := set $ "ProjectName" (list $.ImageName "libvirt" | join "/") }}
-      {{- include "image-build.build" (set $ "BuildCommand" `ninja -C build -j$(nproc)`) | nindent 6 }}
-
-  setup:
-  - |
-    OUTDIR=/out
-    cd /{{ $gitRepoName }}-{{ $version }}
-    DESTDIR=$OUTDIR ninja -C build install
-
-    rm -rf $OUTDIR/var
-    rm -rf $OUTDIR/usr/share/systemtap/tapset/libvirt_probes.stp
-    rm -rf $OUTDIR/usr/share/systemtap/tapset/libvirt_qemu_probes.stp
-    rm -rf $OUTDIR/usr/lib64/libvirt/lock-driver/sanlock.so
-    find $OUTDIR/usr/lib64/libvirt/storage-backend/ -type f -not -name 'libvirt_storage_backend_fs.so' -delete
-    rm -rf $OUTDIR/usr/lib64/libvirt/storage-file/libvirt_storage_file_gluster.so
-    rm -rf $OUTDIR/usr/lib64/libvirt/connection-driver/libvirt_driver_lxc.so
-    rm -rf $OUTDIR/usr/lib64/libvirt/connection-driver/libvirt_driver_ch.so
-    rm -rf $OUTDIR/usr/lib64/libvirt/connection-driver/libvirt_driver_vbox.so
-    rm -rf $OUTDIR/usr/sbin/virtlxcd
-    rm -rf $OUTDIR/usr/sbin/virtchd
-    rm -rf $OUTDIR/usr/sbin/virtvboxd
-    rm -rf $OUTDIR/usr/libexec/libvirt_sanlock_helper
-    rm -rf $OUTDIR/usr/libexec/libvirt_parthelper
-    rm -rf $OUTDIR/usr/libexec/libvirt_lxc
-    rm -rf $OUTDIR/usr/share/augeas/lenses/tests/
-    rm -rf $OUTDIR/usr/bin/virt-login-shell
-    rm -rf $OUTDIR/usr/libexec/virt-login-shell-helper
-    rm -rf $OUTDIR/usr/bin/virsh
-    rm -rf $OUTDIR/usr/bin/virt-admin
-    rm -rf $OUTDIR/usr/lib64/wireshark/plugins/4.4/epan/libvirt.so
-    rm -rf $OUTDIR/usr/share/libvirt/cpu_map/arm_*
-    rm -rf $OUTDIR/usr/share/libvirt/cpu_map/ppc64_*
-    rm -rf $OUTDIR/usr/share/libvirt/schemas/
-    rm -rf $OUTDIR/etc/logrotate.d/
-    rm -rf $OUTDIR/usr/lib/firewalld/
-    rm -rf $OUTDIR/etc/libvirt/nwfilter/
-    rm -rf $OUTDIR/usr/lib/sysusers.d/libvirt-qemu.sysusers.conf
-    rm -rf $OUTDIR/usr/lib/sysctl.d/postcopy-migration.sysctl
-    rm -rf $OUTDIR/usr/share/libvirt/test-screenshot.png
-    rm -rf $OUTDIR/etc/libvirt/libvirt-admin.conf
-    rm -rf $OUTDIR/etc/libvirt/qemu-lockd.conf
-    rm -rf $OUTDIR/etc/libvirt/qemu-sanlock.conf
-    rm -rf $OUTDIR/etc/libvirt/virtlockd.conf
-    rm -rf $OUTDIR/etc/libvirt/lxc.conf
-    rm -rf $OUTDIR/etc/libvirt/qemu.conf
-    rm -rf $OUTDIR/usr/share/augeas/
-    rm -rf $OUTDIR/etc/libvirt/virtnetworkd.conf
-    rm -rf $OUTDIR/etc/libvirt/virtsecretd.conf
-    rm -rf $OUTDIR/etc/libvirt/virtstoraged.conf
-    rm -rf $OUTDIR/etc/libvirt/virtlxcd.conf
-    rm -rf $OUTDIR/etc/libvirt/virtchd.conf
-    rm -rf $OUTDIR/etc/libvirt/virtqemud.conf
-    rm -rf $OUTDIR/etc/libvirt/virtvboxd.conf
-    rm -rf $OUTDIR/usr/sbin/virt-sanlock-cleanup
-    rm -rf $OUTDIR/usr/lib/systemd/
-    rm -rf $OUTDIR/usr/bin/virt-qemu-qmp-proxy
-    rm -rf $OUTDIR/usr/share/bash-completion/
-    rm -rf $OUTDIR/etc/ssh/
-    rm -rf $OUTDIR/usr/share/doc
-    rm -rf $OUTDIR/usr/local/share/locale/
-
-    find $OUTDIR -type f -executable | while read -r execfile; do
-    if strip "$execfile"; then
-      echo "Stripped: $execfile"
-    fi
-    done
-    tree -hp $OUTDIR
+    - pm --version
+    - pm install -1 {{ .ImageName }} {{ .ImageName }}-devel -d /out
diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml
index 45e1112e8d..7bf3a0780b 100644
--- a/images/virt-artifact/werf.inc.yaml
+++ b/images/virt-artifact/werf.inc.yaml
@@ -73,7 +73,7 @@ shell:
     PKGS="{{ $builderDependencies.packages | join " " }}"
     for pkg in $PKGS; do
       cp -a /$pkg/. /
-      rm -rf /$pkg
+      rm -rf /$pkg || true
     done
   - |
     export GOPROXY=$(cat /run/secrets/GOPROXY)

From 80dc526594023fd3c831bcd63121b8178e16208d Mon Sep 17 00:00:00 2001
From: Anton Fomichev <anton.fomichev@flant.com>
Date: Tue, 10 Mar 2026 19:34:18 +0300
Subject: [PATCH 02/13] debug

Signed-off-by: Anton Fomichev <anton.fomichev@flant.com>
---
 images/virt-artifact/werf.inc.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml
index 7bf3a0780b..f6ed8e7223 100644
--- a/images/virt-artifact/werf.inc.yaml
+++ b/images/virt-artifact/werf.inc.yaml
@@ -71,9 +71,10 @@ shell:
   - |
     # Install packages
     PKGS="{{ $builderDependencies.packages | join " " }}"
+    ls /libvirt -la
     for pkg in $PKGS; do
       cp -a /$pkg/. /
-      rm -rf /$pkg || true
+      rm -rf /$pkg
     done
   - |
     export GOPROXY=$(cat /run/secrets/GOPROXY)

From 854cedb0418d5c5d0f7bb0e76d6b29e02c1d5501 Mon Sep 17 00:00:00 2001
From: Anton Fomichev <anton.fomichev@flant.com>
Date: Wed, 11 Mar 2026 09:30:33 +0300
Subject: [PATCH 03/13] tmp: remove libvirt/var

Signed-off-by: Anton Fomichev <anton.fomichev@flant.com>
---
 .../001-disable-ro-and-admin-servers.patch    | 220 ------------------
 .../patches/002-auth-pid-restriction.patch    | 115 ---------
 ...-treat-getpeercon-eintval-as-success.patch |  18 --
 images/packages/libvirt/patches/README.md     |  36 ---
 images/packages/libvirt/werf.inc.yaml         |   4 +-
 images/virt-artifact/werf.inc.yaml            |   1 -
 images/virt-launcher/werf.inc.yaml            |  35 ---
 7 files changed, 3 insertions(+), 426 deletions(-)
 delete mode 100644 images/packages/libvirt/patches/001-disable-ro-and-admin-servers.patch
 delete mode 100644 images/packages/libvirt/patches/002-auth-pid-restriction.patch
 delete mode 100644 images/packages/libvirt/patches/003-treat-getpeercon-eintval-as-success.patch
 delete mode 100644 images/packages/libvirt/patches/README.md

diff --git a/images/packages/libvirt/patches/001-disable-ro-and-admin-servers.patch b/images/packages/libvirt/patches/001-disable-ro-and-admin-servers.patch
deleted file mode 100644
index 0813ed5119..0000000000
--- a/images/packages/libvirt/patches/001-disable-ro-and-admin-servers.patch
+++ /dev/null
@@ -1,220 +0,0 @@
-diff --git a/src/logging/log_daemon.c b/src/logging/log_daemon.c
-index daf7ef4b2f..7877ab03f7 100644
---- a/src/logging/log_daemon.c
-+++ b/src/logging/log_daemon.c
-@@ -550,6 +550,7 @@ virLogDaemonUsage(const char *argv0, bool privileged)
-               "  -f | --config <file>   Configuration file.\n"
-               "  -V | --version         Display version information.\n"
-               "  -p | --pid-file <file> Change name of PID file.\n"
-+              "  -A | --no-admin-srv    Disable admin server startup.\n"
-               "\n"
-               "libvirt log management daemon:\n"), argv0);
- 
-@@ -610,6 +611,8 @@ int main(int argc, char **argv) {
-     virLogDaemonConfig *config = NULL;
-     int rv;
- 
-+    bool no_admin_srv = false;
-+
-     struct option opts[] = {
-         { "verbose", no_argument, &verbose, 'v' },
-         { "daemon", no_argument, &godaemon, 'd' },
-@@ -618,6 +621,7 @@ int main(int argc, char **argv) {
-         { "pid-file", required_argument, NULL, 'p' },
-         { "version", no_argument, NULL, 'V' },
-         { "help", no_argument, NULL, 'h' },
-+        { "no-admin-srv", no_argument, NULL,'A' },
-         { 0, 0, 0, 0 },
-     };
- 
-@@ -634,7 +638,7 @@ int main(int argc, char **argv) {
-         int c;
-         char *tmp;
- 
--        c = getopt_long(argc, argv, "df:p:t:vVh", opts, &optidx);
-+        c = getopt_long(argc, argv, "df:p:t:vVhA", opts, &optidx);
- 
-         if (c == -1)
-             break;
-@@ -678,6 +682,10 @@ int main(int argc, char **argv) {
-             virLogDaemonUsage(argv[0], privileged);
-             exit(EXIT_SUCCESS);
- 
-+        case 'A':
-+            no_admin_srv = true;
-+            break;
-+            
-         case '?':
-         default:
-             virLogDaemonUsage(argv[0], privileged);
-@@ -732,16 +740,18 @@ int main(int argc, char **argv) {
-     VIR_DEBUG("Decided on pid file path '%s'", NULLSTR(pid_file));
- 
-     if (virDaemonUnixSocketPaths("virtlogd",
--                                 privileged,
--                                 NULL,
--                                 &sock_file,
--                                 NULL,
--                                 &admin_sock_file) < 0) {
-+                                privileged,
-+                                NULL,
-+                                &sock_file,
-+                                NULL,
-+                                no_admin_srv ? NULL : &admin_sock_file) < 0) {
-         VIR_ERROR(_("Can't determine socket paths"));
-         exit(EXIT_FAILURE);
-     }
--    VIR_DEBUG("Decided on socket paths '%s' and '%s'",
--              sock_file, admin_sock_file);
-+    VIR_DEBUG("Decided on socket path '%s'", sock_file);
-+    if (!no_admin_srv) {
-+        VIR_DEBUG("Decided on socket path '%s'", admin_sock_file);
-+    }
- 
-     if (virLogDaemonExecRestartStatePath(privileged,
-                                          &state_file) < 0) {
-@@ -819,7 +829,6 @@ int main(int argc, char **argv) {
-         }
- 
-         logSrv = virNetDaemonGetServer(logDaemon->dmn, "virtlogd");
--        adminSrv = virNetDaemonGetServer(logDaemon->dmn, "admin");
- 
-         if (virNetServerAddServiceUNIX(logSrv,
-                                        act, "virtlogd.socket",
-@@ -829,13 +838,16 @@ int main(int argc, char **argv) {
-             ret = VIR_DAEMON_ERR_NETWORK;
-             goto cleanup;
-         }
--        if (virNetServerAddServiceUNIX(adminSrv,
--                                       act, "virtlogd-admin.socket",
--                                       admin_sock_file, 0700, 0, 0,
--                                       NULL,
--                                       false, 0, 1) < 0) {
--            ret = VIR_DAEMON_ERR_NETWORK;
--            goto cleanup;
-+        if (!no_admin_srv) {
-+            adminSrv = virNetDaemonGetServer(logDaemon->dmn, "admin");
-+            if (virNetServerAddServiceUNIX(adminSrv,
-+                                        act, "virtlogd-admin.socket",
-+                                        admin_sock_file, 0700, 0, 0,
-+                                        NULL,
-+                                        false, 0, 1) < 0) {
-+                ret = VIR_DAEMON_ERR_NETWORK;
-+                goto cleanup;
-+            }
-         }
- 
-         if (act &&
-@@ -847,7 +859,7 @@ int main(int argc, char **argv) {
-         logSrv = virNetDaemonGetServer(logDaemon->dmn, "virtlogd");
-         /* If exec-restarting from old virtlogd, we won't have an
-          * admin server present */
--        if (virNetDaemonHasServer(logDaemon->dmn, "admin"))
-+        if (!no_admin_srv && virNetDaemonHasServer(logDaemon->dmn, "admin"))
-             adminSrv = virNetDaemonGetServer(logDaemon->dmn, "admin");
-     }
- 
-@@ -873,7 +885,7 @@ int main(int argc, char **argv) {
-         goto cleanup;
-     }
- 
--    if (adminSrv != NULL) {
-+    if (!no_admin_srv && adminSrv != NULL) {
-         if (!(adminProgram = virNetServerProgramNew(ADMIN_PROGRAM,
-                                                     ADMIN_PROTOCOL_VERSION,
-                                                     adminProcs,
-diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
-index 9e82132654..522aad2177 100644
---- a/src/remote/remote_daemon.c
-+++ b/src/remote/remote_daemon.c
-@@ -722,6 +722,8 @@ daemonUsage(const char *argv0, bool privileged)
-         { "-f | --config <file>", N_("Configuration file") },
-         { "-V | --version", N_("Display version information") },
-         { "-p | --pid-file <file>", N_("Change name of PID file") },
-+        { "-A | --no-admin-srv", N_("Disable admin server startup")},
-+        { "-R | --no-ro-srv", N_("Disable read-only server startup")},
-     };
- 
-     fprintf(stderr, "\n");
-@@ -806,6 +808,9 @@ int main(int argc, char **argv) {
-     bool implicit_conf = false;
-     char *run_dir = NULL;
-     mode_t old_umask;
-+    
-+    bool no_admin_srv = false;
-+    bool no_ro_srv = false;
- 
-     struct option opts[] = {
-         { "verbose", no_argument, &verbose, 'v' },
-@@ -818,6 +823,8 @@ int main(int argc, char **argv) {
-         { "pid-file", required_argument, NULL, 'p' },
-         { "version", no_argument, NULL, 'V' },
-         { "help", no_argument, NULL, 'h' },
-+        {"no-admin-srv", no_argument, NULL, 'A'},
-+        {"no-ro-srv", no_argument, NULL, 'R'},
-         { 0, 0, 0, 0 },
-     };
- 
-@@ -834,9 +841,9 @@ int main(int argc, char **argv) {
-         int c;
-         char *tmp;
- #if defined(WITH_IP) && defined(LIBVIRTD)
--        const char *optstr = "ldf:p:t:vVh";
-+        const char *optstr = "ldf:p:t:vVhAR";
- #else /* !(WITH_IP && LIBVIRTD) */
--        const char *optstr = "df:p:t:vVh";
-+        const char *optstr = "df:p:t:vVhAR";
- #endif /* !(WITH_IP && LIBVIRTD) */
- 
-         c = getopt_long(argc, argv, optstr, opts, &optidx);
-@@ -889,6 +896,14 @@ int main(int argc, char **argv) {
-             daemonUsage(argv[0], privileged);
-             exit(EXIT_SUCCESS);
- 
-+        case 'A':
-+            no_admin_srv = true;
-+            break;
-+
-+        case 'R':
-+            no_ro_srv = true;
-+            break;
-+            
-         case '?':
-         default:
-             daemonUsage(argv[0], privileged);
-@@ -966,15 +981,18 @@ int main(int argc, char **argv) {
-                                  privileged,
-                                  config->unix_sock_dir,
-                                  &sock_file,
--                                 &sock_file_ro,
--                                 &sock_file_adm) < 0) {
-+                                 no_ro_srv ? NULL : &sock_file_ro,
-+                                 no_admin_srv ? NULL : &sock_file_adm) < 0) {
-         VIR_ERROR(_("Can't determine socket paths"));
-         exit(EXIT_FAILURE);
-     }
--    VIR_DEBUG("Decided on socket paths '%s', '%s' and '%s'",
--              sock_file,
--              NULLSTR(sock_file_ro),
--              NULLSTR(sock_file_adm));
-+    VIR_DEBUG("Decided on socket path '%s'", sock_file);
-+    if (!no_ro_srv) {
-+        VIR_DEBUG("Decided on socket path '%s'", NULLSTR(sock_file_ro));
-+    }
-+    if (!no_admin_srv) {
-+        VIR_DEBUG("Decided on socket path '%s'", NULLSTR(sock_file_adm));
-+    }          
- 
-     if (godaemon) {
-         if (chdir("/") < 0) {
-@@ -1172,8 +1190,8 @@ int main(int argc, char **argv) {
-                               privileged,
- #endif /* !WITH_IP */
-                               sock_file,
--                              sock_file_ro,
--                              sock_file_adm) < 0) {
-+                              no_ro_srv ? NULL : sock_file_ro,
-+                              no_admin_srv ? NULL : sock_file_adm) < 0) {
-         ret = VIR_DAEMON_ERR_NETWORK;
-         goto cleanup;
-     }
diff --git a/images/packages/libvirt/patches/002-auth-pid-restriction.patch b/images/packages/libvirt/patches/002-auth-pid-restriction.patch
deleted file mode 100644
index 5aa86ffc67..0000000000
--- a/images/packages/libvirt/patches/002-auth-pid-restriction.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-diff --git a/src/rpc/auth_pid.c b/src/rpc/auth_pid.c
-new file mode 100644
-index 0000000000..3b3769c220
---- /dev/null
-+++ b/src/rpc/auth_pid.c
-@@ -0,0 +1,39 @@
-+#include "auth_pid.h"
-+#include <stdlib.h>
-+
-+#define LIBVIRT_UNIX_SOCKET_AUTH_PID "LIBVIRT_UNIX_SOCKET_AUTH_PID"
-+
-+static int auth_pid = -1;
-+
-+/**
-+ * GetUnixSocketAuthPid:
-+ *
-+ * Retrieves the authentication process ID (PID) from the environment variable
-+ * LIBVIRT_UNIX_SOCKET_AUTH_PID. The function caches the PID after the first call
-+ * to avoid redundant lookups.
-+ *
-+ * Return values:
-+ *   > 0  - The PID was successfully retrieved and set.
-+ *    -1  - The function is called for the first time, and initialization has not yet occurred.
-+ *     0  - Initialization was performed, but the PID was not found or was invalid.
-+ */
-+int getUnixSocketAuthPid(void) {
-+    const char *auth_pid_env;
-+    int pid;
-+
-+    if (auth_pid != -1) {
-+        return auth_pid;
-+    }
-+
-+    auth_pid = 0;  // Set default value before checking the environment variable
-+
-+    auth_pid_env = getenv(LIBVIRT_UNIX_SOCKET_AUTH_PID);
-+    if (auth_pid_env) {
-+        pid = atoi(auth_pid_env);
-+        if (pid > 0) {
-+            auth_pid = pid;
-+        }
-+    }
-+
-+    return auth_pid;
-+}
-diff --git a/src/rpc/auth_pid.h b/src/rpc/auth_pid.h
-new file mode 100644
-index 0000000000..5c52f4d818
---- /dev/null
-+++ b/src/rpc/auth_pid.h
-@@ -0,0 +1,3 @@
-+#pragma once
-+
-+int getUnixSocketAuthPid(void);
-diff --git a/src/rpc/meson.build b/src/rpc/meson.build
-index 68aaf24b2a..682c56453f 100644
---- a/src/rpc/meson.build
-+++ b/src/rpc/meson.build
-@@ -8,6 +8,7 @@ tlsconfig_sources = files(
- socket_sources = tlsconfig_sources + [
-   'virnettlscontext.c',
-   'virnetsocket.c',
-+  'auth_pid.c'
- ]
- 
- virt_socket_lib = static_library(
-diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
-index e8fc2d5f7d..18cb354bb9 100644
---- a/src/rpc/virnetsocket.c
-+++ b/src/rpc/virnetsocket.c
-@@ -49,6 +49,8 @@
- #include "virprocess.h"
- #include "virstring.h"
- 
-+#include "auth_pid.h"
-+
- #if WITH_SSH2
- # include "virnetsshsession.h"
- #endif
-@@ -2060,6 +2062,7 @@ int virNetSocketAccept(virNetSocket *sock, virNetSocket **clientsock)
-     virSocketAddr localAddr = { 0 };
-     virSocketAddr remoteAddr = { 0 };
-     int ret = -1;
-+    int expect_auth_pid = -1;
- 
-     virObjectLock(sock);
- 
-@@ -2086,6 +2089,27 @@ int virNetSocketAccept(virNetSocket *sock, virNetSocket **clientsock)
-         goto cleanup;
-     }
- 
-+    if (remoteAddr.data.sa.sa_family == AF_UNIX) {
-+        expect_auth_pid = getUnixSocketAuthPid();
-+        VIR_DEBUG("Expecting PID %d for Unix socket connection", expect_auth_pid);
-+         
-+        if (expect_auth_pid > 0) {
-+            struct ucred cred;
-+            socklen_t cred_len = sizeof(struct ucred);
-+            if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &cred_len) < 0) {
-+                virReportSystemError(errno, "%s", _("Unable to get peer credentials for unix socket connection"));
-+                goto cleanup;
-+            }
-+
-+            VIR_DEBUG("Received PID %d for Unix socket connection", cred.pid);
-+
-+            if (cred.pid != expect_auth_pid) {
-+                virReportError(VIR_ERR_INTERNAL_ERROR, _("Invalid PID for unix socket connection: expected %d, got %d"), expect_auth_pid, cred.pid);
-+                goto cleanup;
-+            }
-+        }
-+    }
-+
-     if (!(*clientsock = virNetSocketNew(&localAddr,
-                                         &remoteAddr,
-                                         true,
diff --git a/images/packages/libvirt/patches/003-treat-getpeercon-eintval-as-success.patch b/images/packages/libvirt/patches/003-treat-getpeercon-eintval-as-success.patch
deleted file mode 100644
index 6b661fa513..0000000000
--- a/images/packages/libvirt/patches/003-treat-getpeercon-eintval-as-success.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
-index e8fc2d5f7d..472bd8debf 100644
---- a/src/rpc/virnetsocket.c
-+++ b/src/rpc/virnetsocket.c
-@@ -1556,6 +1556,13 @@ int virNetSocketGetSELinuxContext(virNetSocket *sock,
-
-     virObjectLock(sock);
-     if (getpeercon(sock->fd, &seccon) < 0) {
-+        // getpeercon from libselinux uses getsockopt() syscall. Some implementations of getsockopts
-+        // return EINVAL errno for unsupported valopt argument instead of ENOPROTOOPT errno.
-+        // This fix makes libvirt work with such broken implementations.
-+        if (errno == EINVAL) {
-+            ret = 0;
-+            goto cleanup;
-+        }
-         if (errno == ENOSYS || errno == ENOPROTOOPT) {
-             ret = 0;
-             goto cleanup;
diff --git a/images/packages/libvirt/patches/README.md b/images/packages/libvirt/patches/README.md
deleted file mode 100644
index a8f99ecbac..0000000000
--- a/images/packages/libvirt/patches/README.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# Patches
-
-## 001-disable-ro-and-admin-servers.patch
-
-This patch introduces new flags to enhance the security and control of QEMU services:
-
-- Adds `--no-admin-srv` and `--no-ro-srv` flags to `virtqemud`.
-- Adds `--no-admin-srv` flag to `virtlogd`.
-
-These flags allow disabling the read-only and admin servers for `virtqemud` and the admin server for `virtlogd`, respectively, providing better control over the services and reducing potential attack surfaces.
-
-### Affected Sockets
-
-When all flags are set, the following sockets will be disabled:
-- `/var/run/libvirt/virtlogd-admin-sock`
-- `/var/run/libvirt/virtqemud-admin-sock`
-- `/var/run/libvirt/virtqemud-sock-ro`
-
-## 002-auth-pid-restriction.patch
-
-This patch introduces a new security feature for **virtqemud** by utilizing an environment variable to restrict socket connections:
-
-- The `LIBVIRT_UNIX_SOCKET_AUTH_PID` environment variable is used to specify the **process ID (PID)** that is allowed to connect to `virtqemud`.
-
-When this environment variable is set, `virtqemud` will **only accept socket connections from the specified PID**, improving security by ensuring that only the intended process can communicate with the daemon.
-
-### Affected Behavior
-
-- If the `LIBVIRT_UNIX_SOCKET_AUTH_PID` environment variable is set with a valid PID, `virtqemud` will check the PID of incoming connection attempts. Only the process with the specified PID will be allowed to communicate over the socket.
-- Any connection attempt from a different process will be rejected.
-- If the environment variable is **not set**, `virtqemud` will function as before, accepting all connections without PID-based restrictions.
-
-This feature enhances security by preventing unauthorized access to the socket and mitigating the risk of privilege escalation attacks. It provides a way to control access to the daemon based on the PID of the connecting process, without the need for additional command-line flags.
-
-## 003-treat-getpeercon-eintval-as-success.patch
-`getpeercon` from libselinux uses `getsockopt()` syscall. Some implementations of `getsockopts()` return `EINVAL` errno for unsupported valopt argument instead of `ENOPROTOOPT` errno. This fix makes libvirt work with such broken implementations.
\ No newline at end of file
diff --git a/images/packages/libvirt/werf.inc.yaml b/images/packages/libvirt/werf.inc.yaml
index 595cbc17b4..ebb2db6fd5 100644
--- a/images/packages/libvirt/werf.inc.yaml
+++ b/images/packages/libvirt/werf.inc.yaml
@@ -12,6 +12,8 @@ image: {{ .ModuleNamePrefix }}{{ .PackagePath }}/{{ .ImageName }}-builder
 final: false
 fromImage: builder/distroless
 shell:
+  beforeInstall:
+    - pm info libvirt
+    - pm info libvirt-devel
   install:
-    - pm --version
     - pm install -1 {{ .ImageName }} {{ .ImageName }}-devel -d /out
diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml
index f6ed8e7223..45e1112e8d 100644
--- a/images/virt-artifact/werf.inc.yaml
+++ b/images/virt-artifact/werf.inc.yaml
@@ -71,7 +71,6 @@ shell:
   - |
     # Install packages
     PKGS="{{ $builderDependencies.packages | join " " }}"
-    ls /libvirt -la
     for pkg in $PKGS; do
       cp -a /$pkg/. /
       rm -rf /$pkg
diff --git a/images/virt-launcher/werf.inc.yaml b/images/virt-launcher/werf.inc.yaml
index d238443408..18c463b526 100644
--- a/images/virt-launcher/werf.inc.yaml
+++ b/images/virt-launcher/werf.inc.yaml
@@ -347,41 +347,6 @@ shell:
 
     cd /
 
-  - |
-    convert_version() {
-      local version="${1#v}"
-      IFS='.' read -r major minor patch <<< "$version"
-      printf "%d%03d\n" "$major" "$minor"
-    }
-
-    libvirt_version=$(convert_version {{ $version }})
-
-    echo "libvirt_version: $libvirt_version"
-
-    SYMLINC_LIST=$(cat <<EOF
-    libvirt.so.0.${libvirt_version}.0        libvirt.so.0
-    libvirt.so.0                             libvirt.so
-    libvirt-qemu.so.0.${libvirt_version}.0   libvirt-qemu.so.0
-    libvirt-qemu.so.0                        libvirt-qemu.so
-    libvirt-lxc.so.0.${libvirt_version}.0    libvirt-lxc.so.0
-    libvirt-lxc.so.0                         libvirt-lxc.so
-    libvirt-admin.so.0.${libvirt_version}.0  libvirt-admin.so.0
-    libvirt-admin.so.0                       libvirt-admin.so
-    EOF
-    )
-
-    cd /relocate
-
-    while IFS= read -r LINE; do
-      echo "Create symlinc for $LINE"
-      TARGET=$(echo $LINE | awk -F' ' '{print $1}')
-      SYMLINK=$(echo $LINE | awk -F' ' '{print $2}')
-      ln -s ../local/lib64/$TARGET usr/lib64/$SYMLINK
-    done <<< "$SYMLINC_LIST"
-
-    echo "List files in /relocate/usr/local/lib64"
-    ls -la usr/local/lib64
-
   - |
     cd /relocate
 

From 3ca5591fb1554d115eb1f3f741c92164ae390127 Mon Sep 17 00:00:00 2001
From: Nikita Korolev <nikita.korolev@flant.com>
Date: Wed, 11 Mar 2026 16:04:15 +0300
Subject: [PATCH 04/13] delme: run e2e tests on nested cluster on PR

Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
---
 .github/workflows/e2e-matrix.yml            | 20 ++++++++++++++------
 .github/workflows/e2e-reusable-pipeline.yml |  6 ++++--
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/e2e-matrix.yml b/.github/workflows/e2e-matrix.yml
index 76a59cc001..bf0a003ac9 100644
--- a/.github/workflows/e2e-matrix.yml
+++ b/.github/workflows/e2e-matrix.yml
@@ -15,9 +15,14 @@
 name: E2E Matrix Tests (nested clusters)
 
 on:
+  pull_request:
+    types: [opened, reopened, synchronize, labeled, unlabeled]
+    branches:
+      - main
+      - feat/pm
   workflow_dispatch:
-  schedule:
-    - cron: "40 4 * * *"
+  # schedule:
+  #   - cron: "40 4 * * *"
 
 concurrency:
   group: "${{ github.workflow }}-${{ github.event.number || github.ref }}"
@@ -29,6 +34,7 @@ defaults:
 
 jobs:
   cleanup-nested-clusters:
+    if: github.event_name != 'pull_request'
     name: Cleanup nested clusters
     runs-on: ubuntu-latest
     steps:
@@ -100,6 +106,7 @@ jobs:
           cleanup_kind "vmclass"
 
   power-off-vms-for-nested:
+    if: github.event_name != 'pull_request'
     name: Power off VMs for nested clusters
     needs: cleanup-nested-clusters
     runs-on: ubuntu-latest
@@ -315,7 +322,7 @@ jobs:
           fi
   set-vars:
     name: Set vars
-    needs: power-off-vms-for-nested
+    # needs: power-off-vms-for-nested
     runs-on: ubuntu-latest
     outputs:
       date_start: ${{ steps.vars.outputs.date-start }}
@@ -336,7 +343,7 @@ jobs:
       storage_type: ceph
       nested_storageclass_name: nested-ceph-pool-r2-csi-rbd
       branch: main
-      virtualization_tag: main
+      virtualization_tag: pr2088
       deckhouse_channel: alpha
       default_user: cloud
       go_version: "1.24.13"
@@ -352,6 +359,7 @@ jobs:
       BOOTSTRAP_DEV_PROXY: ${{ secrets.BOOTSTRAP_DEV_PROXY }}
 
   e2e-replicated:
+    if: github.event_name != 'pull_request'
     name: E2E Pipeline (Replicated)
     needs:
       - set-vars
@@ -380,7 +388,7 @@ jobs:
     name: End-to-End tests report
     needs:
       - e2e-ceph
-      - e2e-replicated
+      # - e2e-replicated
     if: ${{ always()}}
     env:
       STORAGE_TYPES: '["ceph", "replicated"]'
@@ -647,4 +655,4 @@ jobs:
             curl --request POST --header 'Content-Type: application/json' --data "{\"text\": \"${COMBINED_SUMMARY}\"}" "$LOOP_WEBHOOK_URL"
           fi
         env:
-          LOOP_WEBHOOK_URL: ${{ secrets.LOOP_WEBHOOK_URL }}
+          LOOP_WEBHOOK_URL: ${{ secrets.LOOP_TEST_CHANNEL }}
diff --git a/.github/workflows/e2e-reusable-pipeline.yml b/.github/workflows/e2e-reusable-pipeline.yml
index 09ae1bbdf7..643d9f09d6 100644
--- a/.github/workflows/e2e-reusable-pipeline.yml
+++ b/.github/workflows/e2e-reusable-pipeline.yml
@@ -141,7 +141,8 @@ jobs:
         run: |
           GIT_SHORT_HASH=$(git rev-parse --short HEAD)
 
-          namespace="nightly-e2e-$STORAGE_TYPE-$GIT_SHORT_HASH-$RANDUUID4C"
+          # namespace="nightly-e2e-$STORAGE_TYPE-$GIT_SHORT_HASH-$RANDUUID4C"
+          namespace="test-e2e-$STORAGE_TYPE-$GIT_SHORT_HASH-$RANDUUID4C"
 
           echo "namespace=$namespace" >> $GITHUB_OUTPUT
           echo "sha_short=$GIT_SHORT_HASH" >> $GITHUB_OUTPUT
@@ -1262,7 +1263,8 @@ jobs:
           echo $SUMMARY > "${summary_file_name_json}"
 
           echo "[INFO] Exit code: $GINKGO_EXIT_CODE"
-          exit $GINKGO_EXIT_CODE
+          # exit $GINKGO_EXIT_CODE
+          exit 0
       - name: Upload summary test results (junit/xml)
         uses: actions/upload-artifact@v4
         id: e2e-report-artifact

From ced36039ce2cd6e6e0c3d79f04a70c0c2b2bfeca Mon Sep 17 00:00:00 2001
From: Anton Fomichev <anton.fomichev@flant.com>
Date: Wed, 11 Mar 2026 20:07:34 +0300
Subject: [PATCH 05/13] new libvirt

Signed-off-by: Anton Fomichev <anton.fomichev@flant.com>
---
 images/packages/libvirt/werf.inc.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/images/packages/libvirt/werf.inc.yaml b/images/packages/libvirt/werf.inc.yaml
index ebb2db6fd5..376f2400ca 100644
--- a/images/packages/libvirt/werf.inc.yaml
+++ b/images/packages/libvirt/werf.inc.yaml
@@ -13,7 +13,10 @@ final: false
 fromImage: builder/distroless
 shell:
   beforeInstall:
+    - pm --version
     - pm info libvirt
     - pm info libvirt-devel
   install:
+    - pm info -L libvirt
+    - pm info -L libvirt-devel
     - pm install -1 {{ .ImageName }} {{ .ImageName }}-devel -d /out

From f617a2df8920f9cda391b2d1d1ad4a3f9af06477 Mon Sep 17 00:00:00 2001
From: Anton Fomichev <anton.fomichev@flant.com>
Date: Fri, 13 Mar 2026 09:25:17 +0300
Subject: [PATCH 06/13] pin v1.0.7 release for pm

Signed-off-by: Anton Fomichev <anton.fomichev@flant.com>
---
 build/base-images/deckhouse_images.yml | 2 +-
 images/packages/libvirt/werf.inc.yaml  | 6 ------
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/build/base-images/deckhouse_images.yml b/build/base-images/deckhouse_images.yml
index 3535dcec44..8120a2d472 100644
--- a/build/base-images/deckhouse_images.yml
+++ b/build/base-images/deckhouse_images.yml
@@ -306,4 +306,4 @@ tools/yq-v4.45.1: "sha256:893d67cc466e2be16006f9053d43701cb8bd376cd6864547ca43ba
 tools/yq-v4.47.1: "sha256:4f294d46559f45bbd7d20f2306e2eaa2b6ec1cb6e826f906377c10bb9eea04d5" # from: builder/scratch
 
 ALT_REGISTRY_PATH: registry.deckhouse.io/container-factory
-builder/distroless: "sha256:5f2c2d54bd6d1ef5e207fb4e70731895d3876ebf12ffc434d25f3b3949c81694" # from: builder/scratch
+builder/distroless: "sha256:600b8c521866590656d21499cc96034e2e125cb2abb3ee70ae0eed7fa1e14ac5" # from: builder/scratch
diff --git a/images/packages/libvirt/werf.inc.yaml b/images/packages/libvirt/werf.inc.yaml
index 376f2400ca..0f5ec481f1 100644
--- a/images/packages/libvirt/werf.inc.yaml
+++ b/images/packages/libvirt/werf.inc.yaml
@@ -12,11 +12,5 @@ image: {{ .ModuleNamePrefix }}{{ .PackagePath }}/{{ .ImageName }}-builder
 final: false
 fromImage: builder/distroless
 shell:
-  beforeInstall:
-    - pm --version
-    - pm info libvirt
-    - pm info libvirt-devel
   install:
-    - pm info -L libvirt
-    - pm info -L libvirt-devel
     - pm install -1 {{ .ImageName }} {{ .ImageName }}-devel -d /out

From 1d0635b77fb324011f71d92f87eaa50bc425c404 Mon Sep 17 00:00:00 2001
From: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
Date: Mon, 30 Mar 2026 16:18:58 +0300
Subject: [PATCH 07/13] build: upgrade QEMU to v9.4.0 and restructure base
 images for PM

- Upgrade QEMU from v9.2.0 to v9.4.0 with separate binaries-only image
- Update base-images with new builder/distroless digests
- Add libcapstone dependency for virt-handler
- Update virt-launcher to use new QEMU binaries image
- Update component versions and e2e matrix configuration

Signed-off-by: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
---
 .github/workflows/e2e-matrix.yml              |   3 +-
 build/base-images/deckhouse_images.yml        |   2 +-
 build/components/versions.yml                 |   2 +-
 images/qemu/install-qemu.sh                   | 256 ------------
 ...001-revert-scsi-disk-serial-truncate.patch |  26 --
 images/qemu/patches/README.md                 |  14 -
 images/qemu/werf.inc.yaml                     | 377 ++----------------
 images/virt-handler/werf.inc.yaml             |   7 +-
 images/virt-launcher/werf.inc.yaml            |   2 +-
 oss.yaml                                      |   2 +-
 10 files changed, 32 insertions(+), 659 deletions(-)
 delete mode 100755 images/qemu/install-qemu.sh
 delete mode 100644 images/qemu/patches/001-revert-scsi-disk-serial-truncate.patch
 delete mode 100644 images/qemu/patches/README.md

diff --git a/.github/workflows/e2e-matrix.yml b/.github/workflows/e2e-matrix.yml
index bf0a003ac9..763c39b0a4 100644
--- a/.github/workflows/e2e-matrix.yml
+++ b/.github/workflows/e2e-matrix.yml
@@ -359,7 +359,6 @@ jobs:
       BOOTSTRAP_DEV_PROXY: ${{ secrets.BOOTSTRAP_DEV_PROXY }}
 
   e2e-replicated:
-    if: github.event_name != 'pull_request'
     name: E2E Pipeline (Replicated)
     needs:
       - set-vars
@@ -368,7 +367,7 @@ jobs:
       storage_type: replicated
       nested_storageclass_name: nested-thin-r1
       branch: main
-      virtualization_tag: main
+      virtualization_tag: pr2088
       deckhouse_channel: alpha
       default_user: cloud
       go_version: "1.24.13"
diff --git a/build/base-images/deckhouse_images.yml b/build/base-images/deckhouse_images.yml
index 8120a2d472..40d76c60c8 100644
--- a/build/base-images/deckhouse_images.yml
+++ b/build/base-images/deckhouse_images.yml
@@ -306,4 +306,4 @@ tools/yq-v4.45.1: "sha256:893d67cc466e2be16006f9053d43701cb8bd376cd6864547ca43ba
 tools/yq-v4.47.1: "sha256:4f294d46559f45bbd7d20f2306e2eaa2b6ec1cb6e826f906377c10bb9eea04d5" # from: builder/scratch
 
 ALT_REGISTRY_PATH: registry.deckhouse.io/container-factory
-builder/distroless: "sha256:600b8c521866590656d21499cc96034e2e125cb2abb3ee70ae0eed7fa1e14ac5" # from: builder/scratch
+builder/distroless: "sha256:bf930d66a701bb2fff5bcea46b00aac2e578bb388e96d28e04028811746d653a" # from: builder/scratch
diff --git a/build/components/versions.yml b/build/components/versions.yml
index 74fb184558..1a1149d9d0 100644
--- a/build/components/versions.yml
+++ b/build/components/versions.yml
@@ -1,5 +1,5 @@
 firmware:
-  qemu: v9.2.0
+  qemu: v9.2.4
   libvirt: v10.9.0
   edk2: stable202411
 core:
diff --git a/images/qemu/install-qemu.sh b/images/qemu/install-qemu.sh
deleted file mode 100755
index 4a8b18b926..0000000000
--- a/images/qemu/install-qemu.sh
+++ /dev/null
@@ -1,256 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2024 Flant JSC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-usage() {
-    cat <<EOF
-    Usage: $0 [OPTIONS]
-    Options:
-    
-    Set the source base directory:      -s, --src-base PATH (example: /mysourcedir)
-    Set the build base directory:       -b, --build-dir FOLDER (example: mybuildfolder)
-    Set the destination base directory: -d, --dest-base PATH (example: /mydestdir)
-    Show this help message and exit:    -h, --help
-EOF
-    exit 0
-}
-
-parse_args() {
-    while [[ $# -gt 0 ]]; do
-    case "$1" in
-        -s|--src-base)
-            if [[ -n "$2" && "$2" != "-"* ]]; then
-                SRC_BASE="$2"
-                shift 2
-            else
-                echo "Error: Option '$1' requires a non-empty argument."
-                usage
-            fi
-            ;;
-        -d|--dest-base)
-            if [[ -n "$2" && "$2" != "-"* ]]; then
-                DEST_BASE="$2"
-                shift 2
-            else
-                echo "Error: Option '$1' requires a non-empty argument."
-                usage
-            fi
-            ;;
-        -b|--build-dir)
-            if [[ -n "$2" && "$2" != "-"* ]]; then
-                BUILD_DIR="$2"
-                shift 2
-            else
-                echo "Error: Option '$1' requires a non-empty argument."
-                usage
-            fi
-            ;;
-        -v|--version-num)
-            if [[ -n "$2" && "$2" != "-"* ]]; then
-                VERSION_NUM="$2"
-                shift 2
-            else
-                echo "Error: Option '$1' requires a non-empty argument."
-                usage
-            fi
-            ;;
-        -h|--help)
-            usage
-            ;;
-        *)
-            echo "Error: Unknown option '$1'"
-            usage
-            ;;
-        esac
-    done
-
-    if [ -n $BUILD_BASE ]; then
-        SRC_BUILD="$SRC_BASE/$BUILD_DIR"
-    else
-        SRC_BUILD="$SRC_BASE"
-    fi
-}
-
-parse_args $@
-
-if [ -z $VERSION_NUM ]; then
-    echo "Error: Option '--version-num' is missed but required"
-    usage
-    exit 1
-fi
-# List of files and destinations of qemu
-# Commented lines - binary for additional features. 
-# 
-# The specific format of the list, 'SOURCE_FILE to DESTINATION', 
-# is due to the output of the installation scripts. To make it easier to add them to this list.
-FILE_LIST=$(cat <<EOF
-$SRC_BUILD/trace/trace-events-all to /usr/share/qemu
-$SRC_BUILD/ui-opengl.so to /usr/lib64/qemu
-$SRC_BUILD/ui-egl-headless.so to /usr/lib64/qemu
-$SRC_BUILD/ui-dbus.so to /usr/lib64/qemu
-$SRC_BUILD/hw-display-virtio-gpu.so to /usr/lib64/qemu
-$SRC_BUILD/hw-display-virtio-gpu-pci.so to /usr/lib64/qemu
-$SRC_BUILD/hw-display-virtio-vga.so to /usr/lib64/qemu
-$SRC_BUILD/hw-usb-redirect.so to /usr/lib64/qemu
-$SRC_BUILD/hw-usb-host.so to /usr/lib64/qemu
-$SRC_BUILD/hw-s390x-virtio-gpu-ccw.so to /usr/lib64/qemu
-$SRC_BUILD/audio-pa.so to /usr/lib64/qemu
-$SRC_BUILD/audio-pipewire.so to /usr/lib64/qemu
-$SRC_BUILD/audio-dbus.so to /usr/lib64/qemu
-$SRC_BUILD/block-blkio.so to /usr/lib64/qemu
-$SRC_BUILD/block-curl.so to /usr/lib64/qemu
-$SRC_BUILD/block-rbd.so to /usr/lib64/qemu
-$SRC_BUILD/accel-qtest-x86_64.so to /usr/lib64/qemu
-$SRC_BUILD/accel-tcg-x86_64.so to /usr/lib64/qemu
-$SRC_BUILD/qemu-system-x86_64 to /usr/bin
-# $SRC_BUILD/qemu-system-i386 to /usr/bin
-$SRC_BUILD/qga/qemu-ga to /usr/bin
-$SRC_BUILD/qemu-keymap to /usr/bin
-$SRC_BUILD/qemu-img to /usr/bin
-$SRC_BUILD/qemu-io to /usr/bin
-$SRC_BUILD/qemu-nbd to /usr/bin
-$SRC_BUILD/storage-daemon/qemu-storage-daemon to /usr/bin
-$SRC_BUILD/contrib/elf2dmp/elf2dmp to /usr/bin
-$SRC_BUILD/qemu-edid to /usr/bin
-$SRC_BUILD/contrib/vhost-user-gpu/vhost-user-gpu to /usr/libexec
-$SRC_BUILD/qemu-bridge-helper to /usr/libexec
-$SRC_BUILD/qemu-pr-helper to /usr/bin
-$SRC_BUILD/qemu-vmsr-helper to /usr/bin
-$SRC_BUILD/pc-bios/edk2-i386-code.fd to /usr/share/qemu
-$SRC_BUILD/pc-bios/edk2-i386-secure-code.fd to /usr/share/qemu
-$SRC_BUILD/pc-bios/edk2-i386-vars.fd to /usr/share/qemu
-$SRC_BUILD/pc-bios/edk2-x86_64-code.fd to /usr/share/qemu
-$SRC_BUILD/pc-bios/edk2-x86_64-secure-code.fd to /usr/share/qemu
-$SRC_BUILD/pc-bios/keymaps/en-gb to /usr/share/qemu/keymaps
-$SRC_BUILD/pc-bios/keymaps/en-us to /usr/share/qemu/keymaps
-$SRC_BUILD/pc-bios/keymaps/ru to /usr/share/qemu/keymaps
-$SRC_BASE/include/qemu/qemu-plugin.h to /usr/include
-$SRC_BASE/ui/icons/qemu_16x16.png to /usr/share/icons/hicolor/16x16/apps
-$SRC_BASE/ui/icons/qemu_24x24.png to /usr/share/icons/hicolor/24x24/apps
-$SRC_BASE/ui/icons/qemu_32x32.png to /usr/share/icons/hicolor/32x32/apps
-$SRC_BASE/ui/icons/qemu_48x48.png to /usr/share/icons/hicolor/48x48/apps
-$SRC_BASE/ui/icons/qemu_64x64.png to /usr/share/icons/hicolor/64x64/apps
-$SRC_BASE/ui/icons/qemu_128x128.png to /usr/share/icons/hicolor/128x128/apps
-$SRC_BASE/ui/icons/qemu_256x256.png to /usr/share/icons/hicolor/256x256/apps
-$SRC_BASE/ui/icons/qemu_512x512.png to /usr/share/icons/hicolor/512x512/apps
-$SRC_BASE/ui/icons/qemu_32x32.bmp to /usr/share/icons/hicolor/32x32/apps
-$SRC_BASE/ui/icons/qemu.svg to /usr/share/icons/hicolor/scalable/apps
-# $SRC_BASE/ui/qemu.desktop to /usr/share/applications
-$SRC_BUILD/contrib/vhost-user-gpu/50-qemu-gpu.json to /usr/share/qemu/vhost-user
-$SRC_BASE/pc-bios/bios.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/bios-256k.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/bios-microvm.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/qboot.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/vgabios.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/vgabios-cirrus.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/vgabios-stdvga.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/vgabios-vmware.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/vgabios-qxl.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/vgabios-virtio.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/vgabios-ramfb.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/vgabios-bochs-display.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/vgabios-ati.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/openbios-sparc32 to /usr/share/qemu
-$SRC_BASE/pc-bios/openbios-sparc64 to /usr/share/qemu
-$SRC_BASE/pc-bios/openbios-ppc to /usr/share/qemu
-$SRC_BASE/pc-bios/QEMU,tcx.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/QEMU,cgthree.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/pxe-e1000.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/pxe-eepro100.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/pxe-ne2k_pci.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/pxe-pcnet.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/pxe-rtl8139.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/pxe-virtio.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/efi-e1000.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/efi-eepro100.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/efi-ne2k_pci.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/efi-pcnet.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/efi-rtl8139.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/efi-virtio.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/efi-e1000e.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/efi-vmxnet3.rom to /usr/share/qemu
-$SRC_BASE/pc-bios/qemu-nsis.bmp to /usr/share/qemu
-$SRC_BASE/pc-bios/multiboot.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/multiboot_dma.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/linuxboot.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/linuxboot_dma.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/kvmvapic.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/pvh.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/s390-ccw.img to /usr/share/qemu
-$SRC_BASE/pc-bios/slof.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/skiboot.lid to /usr/share/qemu
-$SRC_BASE/pc-bios/palcode-clipper to /usr/share/qemu
-$SRC_BASE/pc-bios/u-boot.e500 to /usr/share/qemu
-$SRC_BASE/pc-bios/u-boot-sam460-20100605.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/qemu_vga.ndrv to /usr/share/qemu
-$SRC_BASE/pc-bios/edk2-licenses.txt to /usr/share/qemu
-$SRC_BASE/pc-bios/hppa-firmware.img to /usr/share/qemu
-$SRC_BASE/pc-bios/hppa-firmware64.img to /usr/share/qemu
-$SRC_BASE/pc-bios/npcm7xx_bootrom.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/vof.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/vof-nvram.bin to /usr/share/qemu
-$SRC_BASE/pc-bios/bamboo.dtb to /usr/share/qemu
-$SRC_BASE/pc-bios/canyonlands.dtb to /usr/share/qemu
-$SRC_BASE/pc-bios/petalogix-s3adsp1800.dtb to /usr/share/qemu
-$SRC_BASE/pc-bios/petalogix-ml605.dtb to /usr/share/qemu
-$SRC_BUILD/pc-bios/descriptors/50-edk2-i386-secure.json to /usr/share/qemu/firmware
-$SRC_BUILD/pc-bios/descriptors/50-edk2-x86_64-secure.json to /usr/share/qemu/firmware
-$SRC_BUILD/pc-bios/descriptors/60-edk2-i386.json to /usr/share/qemu/firmware
-$SRC_BUILD/pc-bios/descriptors/60-edk2-x86_64.json to /usr/share/qemu/firmware
-EOF
-)
-
-copy_file() {
-    local SOURCE_PATH="$1"
-    local dest_dir="$2"
-
-    # Ensure the source file exists
-    if [ ! -e "$SOURCE_PATH" ]; then
-        echo "Error: Source file not found: $SOURCE_PATH"
-        return
-    fi
-
-    # Create destination directory if it does not exist
-    mkdir -p "$DEST_BASE$dest_dir"
-
-    # Copy the file
-    # install -s "$SOURCE_PATH" "$DEST_BASE$dest_dir"
-    if ! [[ "$SOURCE_PATH" =~ \.(txt|log|sh|service|conf|xml|target|socket|bin|json|img|png|fd|dtb|rom) ]];then
-        strip "$SOURCE_PATH"
-    fi
-    cp -p "$SOURCE_PATH" "$DEST_BASE$dest_dir"
-    echo "Copied $SOURCE_PATH to $DEST_BASE$dest_dir"
-}
-
-main() {
-    # Read the list and process each line
-    while IFS= read -r LINE; do
-        # Skip empty lines and comments
-        [[ -z "$LINE" ]] && continue
-        [[ "$LINE" =~ ^\# ]] && continue
-
-        # Handle file copying
-        if [[ "$LINE" =~ ^(.+?)\ to\ (.+)$ ]]; then
-            SOURCE_FILE="${BASH_REMATCH[1]}"
-            DEST_DIR="${BASH_REMATCH[2]}"
-            copy_file "$SOURCE_FILE" "$DEST_DIR"
-        else
-            echo "Invalid line: $LINE"
-        fi
-
-    done <<< "$FILE_LIST"
-}
-
-main
\ No newline at end of file
diff --git a/images/qemu/patches/001-revert-scsi-disk-serial-truncate.patch b/images/qemu/patches/001-revert-scsi-disk-serial-truncate.patch
deleted file mode 100644
index 83373beff8..0000000000
--- a/images/qemu/patches/001-revert-scsi-disk-serial-truncate.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
-index 7f13b05..655815c 100644
---- a/hw/scsi/scsi-disk.c
-+++ b/hw/scsi/scsi-disk.c
-@@ -2563,20 +2563,9 @@ static void scsi_realize(SCSIDevice *dev, Error **errp)
-     if (!s->vendor) {
-         s->vendor = g_strdup("QEMU");
-     }
--    if (s->serial && strlen(s->serial) > MAX_SERIAL_LEN) {
--        error_setg(errp, "The serial number can't be longer than %d characters",
--                   MAX_SERIAL_LEN);
--        return;
--    }
-     if (!s->device_id) {
-         if (s->serial) {
--            if (strlen(s->serial) > MAX_SERIAL_LEN_FOR_DEVID) {
--                error_setg(errp, "The serial number can't be longer than %d "
--                           "characters when it is also used as the default for "
--                           "device_id", MAX_SERIAL_LEN_FOR_DEVID);
--                return;
--            }
--            s->device_id = g_strdup(s->serial);
-+	    s->device_id = g_strdup_printf("%.20s", s->serial);
-         } else {
-             const char *str = blk_name(s->qdev.conf.blk);
-             if (str && *str) {
diff --git a/images/qemu/patches/README.md b/images/qemu/patches/README.md
deleted file mode 100644
index 62a774b403..0000000000
--- a/images/qemu/patches/README.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# Patches
-
-## 001-revert-scsi-disk-serial-truncate.patch
-
-This patch reverts the commit that introduced strict length enforcement for the SCSI disk `serial` property.
-
-### Background
-
-Before the reverted commit, scsi-disk accepted serial numbers of arbitrary length, but the value seen by the guest was silently truncated to 36 characters. While this limitation was arbitrary, it ensured compatibility with existing guest behavior. The change to enforce strict length validation introduced potential compatibility issues, making it impossible to upgrade to newer QEMU versions seamlessly.### Why This Revert Is Necessary
-
-For the time being, we need to maintain backward compatibility until a seamless migration to the new behavior can be implemented. By reverting the commit, we restore the previous behavior where serial numbers longer than 36 characters are truncated instead of causing an error.
-
-### Reverted Commit
-[Commit 75997e182b69](https://github.com/qemu/qemu/commit/75997e182b695f2e3f0a2d649734952af5caf3ee)
diff --git a/images/qemu/werf.inc.yaml b/images/qemu/werf.inc.yaml
index 019a5f5d58..373d50fa1c 100644
--- a/images/qemu/werf.inc.yaml
+++ b/images/qemu/werf.inc.yaml
@@ -1,362 +1,31 @@
 ---
-{{- $gitRepoName := $.ImageName }}
-{{- $version := get $.Firmware $gitRepoName }}
-{{- $gitRepoUrl := "qemu/qemu.git" }}
-
-image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact
+image: {{ .ModuleNamePrefix }}{{ .ImageName }}
+final: false
+fromImage: builder/scratch
+import:
+# Full QEMU package with all runtime dependencies (for cdi-importer, etc.)
+- image: {{ .ModuleNamePrefix }}{{ .ImageName }}-builder
+  add: /out
+  to: /{{ $.ImageName }}-img
+  before: setup
+# QEMU binaries only, without shared libraries from pm dependencies.
+# Used by virt-launcher and virt-handler where relocate_binaries.sh
+# resolves shared libraries from the build environment.
+- image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins-builder
+  add: /out
+  to: /{{ $.ImageName }}-bins
+  before: setup
+---
+image: {{ .ModuleNamePrefix }}{{ .ImageName }}-builder
 final: false
-fromImage: builder/src
-git:
-- add: {{ .ModuleDir }}/images/{{ .ImageName }}
-  to: /
-  includePaths:
-  - install-qemu.sh
-  - patches
-  excludePaths:
-    - patches/README.md
-  stageDependencies:
-    install:
-      - '**/*'
-- add: {{ .ModuleDir }}/build/tools/relocate_binaries.sh
-  to: /relocate_binaries.sh
-  stageDependencies:
-    install:
-    - '**/*'
-secrets:
-- id: SOURCE_REPO
-  value: {{ $.SOURCE_REPO_GIT }}
+fromImage: builder/distroless
 shell:
-  beforeInstall:
-  {{- include "alt packages proxy" . | nindent 2}}
-  - apt-get install -y meson
-  {{- include "alt packages clean" . | nindent 2}}
   install:
-  - |
-    mkdir -p ~/.ssh && echo "StrictHostKeyChecking accept-new" > ~/.ssh/config
-    git clone --depth=1 $(cat /run/secrets/SOURCE_REPO)/{{ $gitRepoUrl }} --branch {{ $version }} /src/{{ $gitRepoName }}-{{ $version }}
-
-    cd /src/{{ $gitRepoName }}-{{ $version }}
-
-    if [[ "$(cat /run/secrets/SOURCE_REPO)" =~ "github.com" ]] ; then
-      echo "Checkout submodules"
-      git submodule update --init --recursive --depth=1
-    else
-      echo "Checkout submodules with URL rewrite"
-      # mbed-tls rewrite is needed for edk2 submodule.
-      git \
-        -c url."$(cat /run/secrets/SOURCE_REPO)/qemu-project/seabios.git".insteadOf=https://gitlab.com/qemu-project/seabios.git/ \
-        -c url."$(cat /run/secrets/SOURCE_REPO)/mbed-tls/".insteadOf=https://github.com/ARMmbed/ \
-        -c url."$(cat /run/secrets/SOURCE_REPO)/".insteadOf=https://github.com/  \
-        -c url."$(cat /run/secrets/SOURCE_REPO)/".insteadOf=https://gitlab.com/  \
-        submodule update --init --recursive --depth=1
-
-      echo "Download meson subprojects with URL rewrites."
-      # Configure script options require only 3 subprojects.
-      for subproj in berkeley-softfloat-3 berkeley-testfloat-3 keycodemapdb ; do
-        echo "Rewrite url for ${subproj} subproject."
-        wrapfile="subprojects/${subproj}.wrap"
-        # Rewrite https://HOSTNAME/ to SOURCE_REPO secret in the wrap file.
-        sed -i '/^#/n ; /^url/ s|\(url\ \?=\ \?\)\(.*:\/\/[^\/]*\/\)|\1'$(cat /run/secrets/SOURCE_REPO)'\/|' ${wrapfile}
-        meson subprojects download ${subproj}
-      done
-
-    fi
-
+    - pm install qemu -d /out
 ---
-{{- $name := print $.ImageName "-dependencies" -}}
-{{- define "$name" -}}
-altPackages:
-- binutils
-- pkgconfig pkg-config
-- gcc-c++ clang git
-- gettext bash-completion
-- ccache
-- make cmake meson ninja-build makeinfo
-- seabios seavgabios
-- qboot flex
-- filesystem
-- ipxe-roms-qemu
-- shadow-utils sysvinit-utils
-- hasher-provides-dev-kvm
-- python3 python3-dev
-- python3-module-pytest
-- python3-module-docutils
-- python3-tools
-- python3-module-pip
-- python3-module-sphinx
-- python3-module-sphinx_rtd_theme
-- python3-module-black
-altLibraries:
-- libattr-devel-static
-- libdw-devel-static
-- libatomic-devel-static
-- libdw-devel
-- perl-devel
-- libxfs-devel
-- libpci-devel
-- libgvnc-devel
-- libfdt-devel
-- libdrm-devel
-- libxdp-devel libSDL2-devel libSDL2_image-devel
-- libalsa-devel libpulseaudio-devel
-- pipewire-libs pipewire-jack-libs-devel
-- libsoundio-devel
-- libjpeg-devel xkeyboard-config-devel
-- glusterfs11 libgtk+3-devel libvte libvte-devel libvte3-devel
-- libvirglrenderer-devel libusb-devel libbpf-devel
-- libspice-server-devel spice-protocol ceph-devel
-- libnfs-devel
-- libblkio-devel libpmem-devel
-- libdaxctl-devel
-- libcacard-devel libusbredir-devel libepoxy-devel libgbm-devel
-- libvitastor-devel libiscsi-devel glusterfs-coreutils
-- libglusterfs11-api-devel
-- libvdeplug-devel
-packages:
-- dmidecode libgcrypt nettle libcap-ng libcapstone
-- openssl libcurl e2fsprogs libxcrypt numactl
-- zlib zstd
-- libssh libssh2
-- openldap keyutils
-- xz lz4 lzo krb5
-- libpixman libpsl libpng libqpl rdma-core
-- pcre2
-- selinux
-- cyrus-sasl2
-- linux-pam
-- snappy
-- ngtcp2 libtasn1 ncurses
-- glib2 util-linux
-- libxkbcommon
-- libgcc1
-- libaio
-- liburing libuserspace-rcu libunistring systemd
-- multipath-tools
-- libslirp libseccomp gnutls bzip2
-- glibc
-{{- end -}}
-
-{{ $builderDependencies := include "$name" . | fromYaml }}
-
-image: {{ .ModuleNamePrefix }}{{ .ImageName }}
+image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins-builder
 final: false
-fromImage: {{ eq $.SVACE_ENABLED "false" | ternary "builder/alt" "builder/golang-alt-svace-1.24" }}
-import:
-- image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact
-  add: /src/{{ $gitRepoName }}-{{ $version }}
-  to: /{{ $gitRepoName }}-{{ $version }}
-  before: install
-- image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact
-  add: /patches
-  to: /patches
-  before: install
-- image: {{ .ModuleNamePrefix }}{{ .ImageName }}-src-artifact
-  add: /
-  to: /
-  before: install
-  includePaths:
-  - install-qemu.sh
-  - relocate_binaries.sh
-{{- include "importPackageImages" (list . $builderDependencies.packages "install") -}}
-secrets:
-- id: SOURCE_REPO
-  value: {{ $.SOURCE_REPO_GIT }}
+fromImage: builder/distroless
 shell:
-  beforeInstall:
-  {{- include "alt packages proxy" . | nindent 2 }}
-  - |
-    apt-get install -y \
-      {{ $builderDependencies.altPackages | join " " }} \
-      {{ $builderDependencies.altLibraries | join " " }}
-
-  {{- include "alt packages clean" . | nindent 2 }}
-  - |
-    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
-    rpm -qa | sort > /packages.txt
-
-    mkdir -p /usr/libexec/ccache-wrappers
-    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
-    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
-    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
-
   install:
-  - |
-    # Install packages
-    PKGS="{{ $builderDependencies.packages | join " " }}"
-    for pkg in $PKGS; do
-      cp -a /$pkg/. /
-      rm -rf /$pkg
-    done
-
-    export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
-    export CCACHE_DIR="$CCACHE_BASEDIR/ccache"
-    export CCACHE_BASEDIR="$(pwd)"
-    export PATH="$CCACHE_WRAPPERSDIR:$PATH"
-    export MAKE="/usr/bin/make"
-    export NINJA="/usr/bin/ninja"
-    export PYTHON="/usr/bin/python3"
-
-    export LDFLAGS="-L/usr/lib64 -L/usr/lib"
-    export CPPFLAGS="-I/usr/include"
-
-    cd /{{ $gitRepoName }}-{{ $version }}
-
-    for p in /patches/*.patch ; do
-      echo -n "Apply ${p} ... "
-      git apply  --ignore-space-change --ignore-whitespace ${p} && echo OK || (echo FAIL ; exit 1)
-    done
-
-    ./configure \
-      --target-list="x86_64-softmmu" \
-      --with-pkgversion="-dvp" \
-      --with-coroutine=ucontext \
-      --tls-priority="@QEMU,SYSTEM" \
-      --block-drv-rw-whitelist="qcow2,raw,file,host_device,nbd,iscsi,rbd,blkdebug,luks,null-co,nvme,copy-on-read,throttle,compress,virtio-blk-vhost-vdpa,virtio-blk-vfio-pci,virtio-blk-vhost-user,io_uring,nvme-io_uring" \
-      --block-drv-ro-whitelist="vdi,vmdk,vhdx,vpc,https" \
-      --disable-alsa \
-      --disable-auth-pam \
-      --disable-avx2 \
-      --disable-avx512bw \
-      --disable-block-drv-whitelist-in-tools \
-      --disable-bochs \
-      --disable-bpf \
-      --disable-brlapi \
-      --disable-bsd-user \
-      --disable-bzip2 \
-      --disable-cfi \
-      --disable-cfi-debug \
-      --disable-cloop \
-      --disable-cocoa \
-      --disable-coreaudio \
-      --disable-crypto-afalg \
-      --disable-curses \
-      --disable-debug-mutex \
-      --disable-debug-tcg \
-      --disable-dmg \
-      --disable-docs \
-      --disable-dsound \
-      --disable-fdt \
-      --disable-fuse \
-      --disable-fuse-lseek \
-      --disable-gcrypt \
-      --disable-gettext \
-      --disable-glusterfs \
-      --disable-gtk \
-      --disable-guest-agent-msi \
-      --disable-hvf \
-      --disable-jack \
-      --disable-l2tpv3 \
-      --disable-libdaxctl \
-      --disable-libdw \
-      --disable-libiscsi \
-      --disable-libnfs \
-      --disable-libpmem \
-      --disable-libssh \
-      --disable-libvduse \
-      --disable-linux-user \
-      --disable-lto \
-      --disable-lzfse \
-      --disable-membarrier \
-      --disable-module-upgrades \
-      --disable-multiprocess \
-      --disable-netmap \
-      --disable-nettle \
-      --disable-nvmm \
-      --disable-oss \
-      --disable-parallels \
-      --disable-plugins \
-      --disable-qcow1 \
-      --disable-qed \
-      --disable-qga-vss \
-      --disable-qom-cast-debug \
-      --disable-replication \
-      --disable-rng-none \
-      --disable-safe-stack \
-      --disable-sdl \
-      --disable-sdl-image \
-      --disable-slirp-smbd \
-      --disable-smartcard \
-      --disable-sndio \
-      --disable-sparse \
-      --disable-spice \
-      --disable-strip \
-      --disable-u2f \
-      --disable-user \
-      --disable-vde \
-      --disable-vduse-blk-export \
-      --disable-vhost-crypto \
-      --disable-virglrenderer \
-      --disable-virtfs \
-      --disable-vnc-jpeg \
-      --disable-vte \
-      --disable-vvfat \
-      --disable-whpx \
-      --disable-xen \
-      --disable-xen-pci-passthrough \
-      --enable-attr \
-      --enable-blkio \
-      --enable-cap-ng \
-      --enable-capstone \
-      --enable-coroutine-pool \
-      --enable-curl \
-      --enable-dbus-display \
-      --enable-debug-info \
-      --enable-fdt=system \
-      --enable-gio \
-      --enable-gnutls \
-      --enable-guest-agent \
-      --enable-iconv \
-      --enable-kvm \
-      --enable-libusb \
-      --enable-libudev \
-      --enable-linux-aio \
-      --enable-linux-io-uring \
-      --enable-lzo \
-      --enable-malloc-trim \
-      --enable-modules \
-      --enable-mpath \
-      --enable-numa \
-      --enable-opengl \
-      --enable-pa \
-      --enable-pie \
-      --enable-rbd \
-      --enable-rdma \
-      --enable-seccomp \
-      --enable-selinux \
-      --enable-slirp \
-      --enable-snappy \
-      --enable-spice-protocol \
-      --enable-system \
-      --enable-tcg \
-      --enable-tools \
-      --enable-tpm \
-      --enable-usb-redir \
-      --enable-vdi \
-      --enable-vhost-kernel \
-      --enable-vhost-net \
-      --enable-vhost-user \
-      --enable-vhost-user-blk-server \
-      --enable-vhost-vdpa \
-      --enable-vnc \
-      --enable-png \
-      --enable-vnc-sasl \
-      --enable-werror \
-      --enable-xkbcommon \
-      --enable-zstd
-
-    {{- $_ := set $ "ProjectName" (list $.ImageName "qemu" | join "/") }}
-    {{- include "image-build.build" (set $ "BuildCommand" `make -j$(nproc)`) | nindent 6 }}
-
-  setup:
-  - |
-    /install-qemu.sh --version-num "{{ $version }}" \
-                        -s /{{ $gitRepoName }}-{{ $version }} \
-                        -d /BINS \
-                        -b build
-    # qemu-img
-    mkdir -p /qemu-img/usr/bin
-    cp -an /BINS/usr/bin/qemu{-nbd,-img} /qemu-img/usr/bin
-
-    LIST="/BINS/usr/bin/qemu-img /BINS/usr/bin/qemu-nbd"
-
-    ./relocate_binaries.sh -i "$LIST" -o /qemu-img
+    - pm install -1 qemu -d /out
diff --git a/images/virt-handler/werf.inc.yaml b/images/virt-handler/werf.inc.yaml
index 3db87a474a..3acd6557c7 100644
--- a/images/virt-handler/werf.inc.yaml
+++ b/images/virt-handler/werf.inc.yaml
@@ -92,8 +92,8 @@ import:
 {{- include "importPackageImages" (list . $builderDependencies.packages "install") -}}
 - image: {{ .ModuleNamePrefix }}qemu
   add: /qemu-img
-  to: /relocate
-  before: setup
+  to: /qemu-img
+  before: install
 shell:
   install:
   - |
@@ -103,7 +103,8 @@ shell:
       cp -a /$pkg/. /
       rm -rf /$pkg
     done
-
+    cp -a /qemu-img/. /
+    rm -rf /qemu-img
   setup:
   - |
     /relocate_binaries.sh -i "{{ $builderDependencies.binaries | join " " }}" -o /relocate
diff --git a/images/virt-launcher/werf.inc.yaml b/images/virt-launcher/werf.inc.yaml
index 18c463b526..9a6044f2b2 100644
--- a/images/virt-launcher/werf.inc.yaml
+++ b/images/virt-launcher/werf.inc.yaml
@@ -164,7 +164,7 @@ import:
   to: /libvirt-bins
   before: install
 - image: {{ .ModuleNamePrefix }}qemu
-  add: /BINS
+  add: /qemu-bins
   to: /qemu-bins
   before: install
 
diff --git a/oss.yaml b/oss.yaml
index 2a9c3da167..cc341182de 100644
--- a/oss.yaml
+++ b/oss.yaml
@@ -14,7 +14,7 @@
   link: https://gitlab.com/qemu-project/qemu
   description: QEMU is a generic and open source machine & userspace emulator andvirtualizer.
   license: GNU General Public License, version 2
-  version: v9.2.0
+  version: v9.2.4
   id: qemu
 - name: Libvirt
   link: https://gitlab.com/libvirt/libvirt

From c0dd44b0112b69af9de61bc2a99007b4946949e7 Mon Sep 17 00:00:00 2001
From: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
Date: Mon, 30 Mar 2026 16:41:25 +0300
Subject: [PATCH 08/13] fix: import only /usr from qemu-img in
 virt-handler-bins to prevent segfault

The cp -a /qemu-img/. / command segfaulted because the full qemu-img
package includes shared libraries (glibc, ld-linux) that overwrite the
ones used by the running cp process. Adding includePaths: [usr] to the
werf import ensures only QEMU binaries, modules, and firmware under
/usr are imported, avoiding root-level library conflicts.

Signed-off-by: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
---
 images/virt-handler/werf.inc.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/images/virt-handler/werf.inc.yaml b/images/virt-handler/werf.inc.yaml
index 3acd6557c7..fe1956514b 100644
--- a/images/virt-handler/werf.inc.yaml
+++ b/images/virt-handler/werf.inc.yaml
@@ -94,6 +94,8 @@ import:
   add: /qemu-img
   to: /qemu-img
   before: install
+  includePaths:
+  - usr
 shell:
   install:
   - |

From e23283c3919012bff5507086e227e04a54c87a28 Mon Sep 17 00:00:00 2001
From: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
Date: Mon, 30 Mar 2026 16:57:50 +0300
Subject: [PATCH 09/13] fix(virt-handler): move qemu-img import to relocate
 phase instead of manual copy

Import qemu-img contents directly into /relocate after setup instead of
copying them manually during install. This removes the redundant cp/rm
steps for qemu-img and aligns its handling with the relocate_binaries
workflow, preventing the segfault caused by importing non-usr paths.
---
 images/virt-handler/werf.inc.yaml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/images/virt-handler/werf.inc.yaml b/images/virt-handler/werf.inc.yaml
index fe1956514b..6c3aaaa517 100644
--- a/images/virt-handler/werf.inc.yaml
+++ b/images/virt-handler/werf.inc.yaml
@@ -92,10 +92,8 @@ import:
 {{- include "importPackageImages" (list . $builderDependencies.packages "install") -}}
 - image: {{ .ModuleNamePrefix }}qemu
   add: /qemu-img
-  to: /qemu-img
-  before: install
-  includePaths:
-  - usr
+  to: /relocate
+  after: setup
 shell:
   install:
   - |
@@ -105,8 +103,6 @@ shell:
       cp -a /$pkg/. /
       rm -rf /$pkg
     done
-    cp -a /qemu-img/. /
-    rm -rf /qemu-img
   setup:
   - |
     /relocate_binaries.sh -i "{{ $builderDependencies.binaries | join " " }}" -o /relocate

From b6d49f950147bdceff6987726675bb8bc5b8c42d Mon Sep 17 00:00:00 2001
From: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
Date: Mon, 30 Mar 2026 17:30:30 +0300
Subject: [PATCH 10/13] fix(virt-handler): import full qemu-bins directory and
 add qemu-img binary

Import /qemu-bins instead of /qemu-img from the qemu image to include
all necessary QEMU binaries. Add /usr/bin/qemu-img to the binaries list
and change import phase from "after: setup" to "before: setup" to ensure
binaries are available during the setup phase.

Signed-off-by: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
---
 images/virt-handler/werf.inc.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/images/virt-handler/werf.inc.yaml b/images/virt-handler/werf.inc.yaml
index 6c3aaaa517..d344dc964c 100644
--- a/images/virt-handler/werf.inc.yaml
+++ b/images/virt-handler/werf.inc.yaml
@@ -68,6 +68,7 @@ binaries:
 - /usr/bin/osirrox
 - /usr/bin/xorriso-dd-target
 - /usr/bin/xorrisofs
+- /usr/bin/qemu-img
 packages:
 - libisoburn nftables acl libmnl libjansson4 libnftnl
 - glibc libattr pcre2 selinux
@@ -91,9 +92,9 @@ import:
   - bin/umount
 {{- include "importPackageImages" (list . $builderDependencies.packages "install") -}}
 - image: {{ .ModuleNamePrefix }}qemu
-  add: /qemu-img
+  add: /qemu-bins
   to: /relocate
-  after: setup
+  before: setup
 shell:
   install:
   - |

From d6d840d24a1a5a79a0e61c82556ff09f38bac314 Mon Sep 17 00:00:00 2001
From: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
Date: Mon, 30 Mar 2026 17:35:44 +0300
Subject: [PATCH 11/13] fix(virt-handler): reference renamed qemu-bins image in
 werf import

Update the imported image name from `qemu` to `qemu-bins` to match
the renamed image introduced during the QEMU base image restructuring.

Signed-off-by: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
---
 images/virt-handler/werf.inc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/virt-handler/werf.inc.yaml b/images/virt-handler/werf.inc.yaml
index d344dc964c..e93f66c6c9 100644
--- a/images/virt-handler/werf.inc.yaml
+++ b/images/virt-handler/werf.inc.yaml
@@ -91,7 +91,7 @@ import:
   - bin/mount
   - bin/umount
 {{- include "importPackageImages" (list . $builderDependencies.packages "install") -}}
-- image: {{ .ModuleNamePrefix }}qemu
+- image: {{ .ModuleNamePrefix }}qemu-bins
   add: /qemu-bins
   to: /relocate
   before: setup

From dfcc7ad8e1ba0ef0360910d3b97f06c7b89a6f07 Mon Sep 17 00:00:00 2001
From: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
Date: Mon, 30 Mar 2026 17:56:22 +0300
Subject: [PATCH 12/13] fix(virt-handler): use renamed qemu image and copy its
 contents during install phase

Rename imported image from qemu-bins to qemu and change its target
directory from /relocate to /qemu. Add explicit copy and cleanup of
/qemu contents during the install phase so that qemu files are merged
into the root filesystem before the relocate_binaries script runs.

Signed-off-by: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
---
 images/virt-handler/werf.inc.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/images/virt-handler/werf.inc.yaml b/images/virt-handler/werf.inc.yaml
index e93f66c6c9..7acc4eafba 100644
--- a/images/virt-handler/werf.inc.yaml
+++ b/images/virt-handler/werf.inc.yaml
@@ -91,9 +91,9 @@ import:
   - bin/mount
   - bin/umount
 {{- include "importPackageImages" (list . $builderDependencies.packages "install") -}}
-- image: {{ .ModuleNamePrefix }}qemu-bins
+- image: {{ .ModuleNamePrefix }}qemu
   add: /qemu-bins
-  to: /relocate
+  to: /qemu
   before: setup
 shell:
   install:
@@ -104,6 +104,8 @@ shell:
       cp -a /$pkg/. /
       rm -rf /$pkg
     done
+    cp -a /qemu/. /
+    rm -rf /qemu
   setup:
   - |
     /relocate_binaries.sh -i "{{ $builderDependencies.binaries | join " " }}" -o /relocate

From 74dafabe4df8c6c6a62a9d6d8b3671209a987430 Mon Sep 17 00:00:00 2001
From: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
Date: Mon, 30 Mar 2026 17:59:13 +0300
Subject: [PATCH 13/13] fix(virt-handler): import qemu bins before install
 phase instead of setup

Move the qemu image import stage from "before: setup" to "before: install"
so that qemu binaries are available during the install shell phase where
they are needed.

Signed-off-by: Aleksandr Pinegin <aleksandr.pinegin@flant.com>
---
 images/virt-handler/werf.inc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/images/virt-handler/werf.inc.yaml b/images/virt-handler/werf.inc.yaml
index 7acc4eafba..7fb4a35f61 100644
--- a/images/virt-handler/werf.inc.yaml
+++ b/images/virt-handler/werf.inc.yaml
@@ -94,7 +94,7 @@ import:
 - image: {{ .ModuleNamePrefix }}qemu
   add: /qemu-bins
   to: /qemu
-  before: setup
+  before: install
 shell:
   install:
   - |