build, pkg/nvidia: Bump NVIDIA Container Toolkit to 1.17.5

NVIDIA Container Toolkit 1.17.5 requires Go >= 1.22 [1], and starts using enable-cuda-compat hooks in the Container Device Interface specification generated by it [2]. For example: "hookName": "createContainer", "path": "/usr/bin/nvidia-cdi-hook", "args": [ "nvidia-cdi-hook", "enable-cuda-compat", "--host-driver-version=570.153.02" ] The new hook makes it possible to have containers with a /usr/local/cuda/compat/libcuda.so.* that's newer than the proprietary NVIDIA driver on the host operating system, so that applications can use a newer CUDA without having to update the driver [3]. Even though this sounds useful, the hook has been disabled until it's handled by the 'init-container' command and there's a clear way to test it. The src/go.sum file was updated with 'go mod tidy'. [1] NVIDIA Container Toolkit commit 5bdf14b1e7c24763 https://github.com/NVIDIA/nvidia-container-toolkit/commit/5bdf14b1e7c24763 https://github.com/NVIDIA/nvidia-container-toolkit/pull/941 https://github.com/NVIDIA/nvidia-container-toolkit/pull/950 [2] NVIDIA Container Toolkit commit 76040ff2ad63fb82 https://github.com/NVIDIA/nvidia-container-toolkit/commit/76040ff2ad63fb82 https://github.com/NVIDIA/nvidia-container-toolkit/pull/906 https://github.com/NVIDIA/nvidia-container-toolkit/pull/948 [3] https://docs.nvidia.com/deploy/cuda-compatibility/ https://github.com/containers/toolbox/pull/1662
build: Bump tags.cncf.io/container-device-interface to 0.8.1
2025-06-11 21:30:11 +02:00 · 2025-06-11 15:22:06 +02:00 · 2025-06-03 22:08:50 +02:00 · 2025-06-03 22:07:00 +02:00 · 2025-06-02 22:34:17 +02:00 · 2025-06-02 22:33:30 +02:00
67 changed files with 2615 additions and 1532 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -7,3 +7,5 @@
 /images/arch       @Foxboron
 /images/rhel       @debarshiray @olivergs
 /images/ubuntu     @Jmennius
+/src/pkg/utils/arch.go                    @Foxboron
+/src/pkg/utils/ubuntu.go                  @Jmennius
--- a/.github/workflows/ubuntu-images.yaml
+++ b/.github/workflows/ubuntu-images.yaml
@ -36,7 +36,8 @@ jobs:
  build-push-images:
    strategy:
      matrix:
-        release: ['16.04', '18.04', '20.04', '22.04', '23.10', '24.04']
+        release: ['18.04', '20.04', '22.04', '24.04', '24.10', '25.04']
+      fail-fast: false

    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/ubuntu-tests.yaml
+++ b/.github/workflows/ubuntu-tests.yaml
@ -1,5 +1,5 @@
 #
-# Copyright © 2023 – 2024 Red Hat, Inc.
+# Copyright © 2023 – 2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -45,7 +45,7 @@ jobs:
            flatpak \
            gcc \
            go-md2man \
-            golang-1.20 \
+            golang-1.21 \
            meson \
            ninja-build \
            openssl \
@ -55,9 +55,12 @@ jobs:
            systemd \
            udisks2

-      - name: Set up PATH for Go 1.20
+      - name: Ensure that 'p11-kit server' is absent
+        run: sudo rm /usr/libexec/p11-kit/p11-kit-server
+
+      - name: Set up PATH for Go 1.21
        run: |
-          echo "PATH=/usr/lib/go-1.20/bin:$PATH" >> "$GITHUB_ENV"
+          echo "PATH=/usr/lib/go-1.21/bin:$PATH" >> "$GITHUB_ENV"

      - name: Checkout Bats
        uses: actions/checkout@v4
@ -129,7 +132,7 @@ jobs:
        working-directory: containers/toolbox/src

      - name: Set up build directory
-        run: meson setup --fatal-meson-warnings builddir
+        run: meson setup builddir
        working-directory: containers/toolbox

      - name: Build
@ -150,6 +153,7 @@ jobs:
            test/system/001-version.bats \
            test/system/002-help.bats \
            test/system/101-create.bats \
+            test/system/102-list.bats \
            test/system/103-container.bats \
            test/system/105-enter.bats \
            test/system/106-rm.bats \
@ -158,6 +162,8 @@ jobs:
            test/system/201-ipc.bats \
            test/system/203-network.bats \
            test/system/220-environment-variables.bats \
+            test/system/250-kerberos.bats \
+            test/system/270-rpm.bats \
            test/system/501-create.bats \
            test/system/505-enter.bats
        env:
--- a/.zuul.yaml
+++ b/.zuul.yaml
@ -81,6 +81,39 @@
    pre-run: playbooks/setup-env.yaml
    run: playbooks/system-test-runtime-environment-ubuntu.yaml

+- job:
+    name: system-test-fedora-42-commands-options
+    description: Run Toolbx's commands-options system tests in Fedora 42
+    timeout: 6300
+    nodeset:
+      nodes:
+        - name: fedora-42
+          label: cloud-fedora-42
+    pre-run: playbooks/setup-env.yaml
+    run: playbooks/system-test-commands-options.yaml
+
+- job:
+    name: system-test-fedora-42-runtime-environment-arch-fedora
+    description: Run Toolbx's (arch-fedora,runtime-environment) system tests in Fedora 42
+    timeout: 6300
+    nodeset:
+      nodes:
+        - name: fedora-42
+          label: cloud-fedora-42
+    pre-run: playbooks/setup-env.yaml
+    run: playbooks/system-test-runtime-environment-arch-fedora.yaml
+
+- job:
+    name: system-test-fedora-42-runtime-environment-ubuntu
+    description: Run Toolbx's (runtime-environment,ubuntu) system tests in Fedora 42
+    timeout: 6300
+    nodeset:
+      nodes:
+        - name: fedora-42
+          label: cloud-fedora-42
+    pre-run: playbooks/setup-env.yaml
+    run: playbooks/system-test-runtime-environment-ubuntu.yaml
+
 - job:
    name: system-test-fedora-41-commands-options
    description: Run Toolbx's commands-options system tests in Fedora 41
@ -93,59 +126,26 @@
    run: playbooks/system-test-commands-options.yaml

 - job:
-    name: system-test-fedora-41-runtime-environment
-    description: Run Toolbx's runtime-environment system tests in Fedora 41
+    name: system-test-fedora-41-runtime-environment-arch-fedora
+    description: Run Toolbx's (arch-fedora,runtime-environment) system tests in Fedora 41
    timeout: 6300
    nodeset:
      nodes:
        - name: fedora-41
          label: cloud-fedora-41
    pre-run: playbooks/setup-env.yaml
-    run: playbooks/system-test-runtime-environment.yaml
+    run: playbooks/system-test-runtime-environment-arch-fedora.yaml

 - job:
-    name: system-test-fedora-40-commands-options
-    description: Run Toolbx's commands-options system tests in Fedora 40
+    name: system-test-fedora-41-runtime-environment-ubuntu
+    description: Run Toolbx's (runtime-environment,ubuntu) system tests in Fedora 41
    timeout: 6300
    nodeset:
      nodes:
-        - name: fedora-40
-          label: cloud-fedora-40
+        - name: fedora-41
+          label: cloud-fedora-41
    pre-run: playbooks/setup-env.yaml
-    run: playbooks/system-test-commands-options.yaml
-
- job:
-    name: system-test-fedora-40-runtime-environment
-    description: Run Toolbx's runtime-environment system tests in Fedora 40
-    timeout: 6300
-    nodeset:
-      nodes:
-        - name: fedora-40
-          label: cloud-fedora-40
-    pre-run: playbooks/setup-env.yaml
-    run: playbooks/system-test-runtime-environment.yaml
-
- job:
-    name: system-test-fedora-39-commands-options
-    description: Run Toolbx's commands-options system tests in Fedora 39
-    timeout: 6300
-    nodeset:
-      nodes:
-        - name: fedora-39
-          label: cloud-fedora-39
-    pre-run: playbooks/setup-env.yaml
-    run: playbooks/system-test-commands-options.yaml
-
- job:
-    name: system-test-fedora-39-runtime-environment
-    description: Run Toolbx's runtime-environment system tests in Fedora 39
-    timeout: 6300
-    nodeset:
-      nodes:
-        - name: fedora-39
-          label: cloud-fedora-39
-    pre-run: playbooks/setup-env.yaml
-    run: playbooks/system-test-runtime-environment.yaml
+    run: playbooks/system-test-runtime-environment-ubuntu.yaml

 - project:
    periodic:
@ -153,12 +153,12 @@
        - system-test-fedora-rawhide-commands-options
        - system-test-fedora-rawhide-runtime-environment-arch-fedora
        - system-test-fedora-rawhide-runtime-environment-ubuntu
+        - system-test-fedora-42-commands-options
+        - system-test-fedora-42-runtime-environment-arch-fedora
+        - system-test-fedora-42-runtime-environment-ubuntu
        - system-test-fedora-41-commands-options
-        - system-test-fedora-41-runtime-environment
-        - system-test-fedora-40-commands-options
-        - system-test-fedora-40-runtime-environment
-        - system-test-fedora-39-commands-options
-        - system-test-fedora-39-runtime-environment
+        - system-test-fedora-41-runtime-environment-arch-fedora
+        - system-test-fedora-41-runtime-environment-ubuntu
    check:
      jobs:
        - unit-test
@ -167,12 +167,12 @@
        - system-test-fedora-rawhide-commands-options
        - system-test-fedora-rawhide-runtime-environment-arch-fedora
        - system-test-fedora-rawhide-runtime-environment-ubuntu
+        - system-test-fedora-42-commands-options
+        - system-test-fedora-42-runtime-environment-arch-fedora
+        - system-test-fedora-42-runtime-environment-ubuntu
        - system-test-fedora-41-commands-options
-        - system-test-fedora-41-runtime-environment
-        - system-test-fedora-40-commands-options
-        - system-test-fedora-40-runtime-environment
-        - system-test-fedora-39-commands-options
-        - system-test-fedora-39-runtime-environment
+        - system-test-fedora-41-runtime-environment-arch-fedora
+        - system-test-fedora-41-runtime-environment-ubuntu
    gate:
      jobs:
        - unit-test
@ -181,9 +181,9 @@
        - system-test-fedora-rawhide-commands-options
        - system-test-fedora-rawhide-runtime-environment-arch-fedora
        - system-test-fedora-rawhide-runtime-environment-ubuntu
+        - system-test-fedora-42-commands-options
+        - system-test-fedora-42-runtime-environment-arch-fedora
+        - system-test-fedora-42-runtime-environment-ubuntu
        - system-test-fedora-41-commands-options
-        - system-test-fedora-41-runtime-environment
-        - system-test-fedora-40-commands-options
-        - system-test-fedora-40-runtime-environment
-        - system-test-fedora-39-commands-options
-        - system-test-fedora-39-runtime-environment
+        - system-test-fedora-41-runtime-environment-arch-fedora
+        - system-test-fedora-41-runtime-environment-ubuntu
--- a/605
+++ b/605
@ -1,580 +1,71 @@
-Overview of changes in 0.0.99.6
-===============================
+0.1.2
+=====

-* Add all the iconv converter modules for glibc to the fedora-toolbox images
-* Add an extra space after the ⬢ in the PS1
-* Add cracklib-dicts to the fedora-toolbox images
-* Add logos to the Arch Linux and Fedora badges, and a badge for the Ubuntu
-  package
-* Add manual pages and pacman progress bars to the arch-toolbox image
-* Add toolbox image definitions for RHELs 8.8, 8.9, 9.2 and 9.3
-* Add translations for gawk to the fedora-toolbox images
-* Add ubuntu-toolbox image definitions for Ubuntu 24.04
-* Avoid running out of storage space when running the system tests on the CI
-* Bump the minimum github.com/briandowns/spinner version to 1.18.0
-* Depend on github.com/go-logfmt/logfmt version 0.5.0
-* Depend on github.com/NVIDIA/go-nvlib version 0.6.1
-* Depend on github.com/NVIDIA/nvidia-container-toolkit version 1.16.1
-* Don't unmarshal the 'podman ps' JSON twice
-* Don't use use auto dependencies for shell completion scripts
-* Drop one "o" and rename the project as "Toolbx"
-* Enable more tests on Ubuntu 22.04 by setting the SHELL environment variable
-* Enable the proprietary NVIDIA driver
-* Exclude the meson.build files when installing the system tests
-* Fix pacman cache removal in the arch-toolbox image
-* Let 'create' use an image without a name
-* Let the terminal know the active container on all host operating systems,
-  and not just Fedora Silverblue and Workstation
-* Limit the scope of temporary files used by the system tests
-* Optimize 'enter' and 'run' for both an already running container and a
-  container getting initialized
-* Optimize the CI on Fedora nodes
-* Optimize the resource limits tests
-* Preserve the Konsole and xterm versions
-* Require --assumeyes to pull an image when not connected to a terminal
-* Retain errors from toolbox(1) without --verbose when forwarding to host
-* Retain exit codes from toolbox(1) when forwarding to host
-* Show the entry point's debug logs & errors in 'enter' and 'run'
-* Support 64-bit LoongArch
-* Synchronize the documentation with the website
-* Unbreak Podman's downstream Fedora CI
-* Use Buildah and Podman to build and test the arch-toolbox and ubuntu-toolbox
-  images
-* Use the same linker flags as NVIDIA Container Toolkit, and '-z now' is
-  unsupported
-* Work around bug in pasta(1) networks in the system tests
+### Security fixes

+* Bumped the minimum github.com/briandowns/spinner version to 1.23.2 for
+  CVE-2022-29526 or GHSA-p782-xgp4-8hr8, and other bug fixes
+* Bumped the minimum github.com/NVIDIA/nvidia-container-toolkit version to
+  1.17.4 for CVE-2024-0134 or GHSA-7jm9-xpwx-v999, CVE-2024-0135 or
+  GHSA-9v84-cc9j-pxr6, CVE-2024-0136 or GHSA-vcfp-63cx-4h59, CVE-2024-0137 or
+  GHSA-frhw-w3wm-6cw4, and CVE-2025-23359 or GHSA-4hmh-pm5p-9j7j

-Overview of changes in 0.0.99.5
-===============================
+### Enhancements

-* Add psmisc to the fedora-toolbox images
-* Add several new system and unit tests, and make the existing ones stricter
-* Add workaround to support configuring the user's password on some Active
-  Directory set-ups
-* Be aware of security hardened mount points marked with 'nosuid,nodev,noexec'
-* Bump the minimum Bats version to 1.7.0 to simplify running a subset of the
-  system tests and fix various warnings
-* Bump the minimum Go requirement to 1.20
-* Bump the minimum github.com/docker/go-units version to 0.5.0
-* Bump the minimum golang.org/x/sys version to 0.1.0 for CVE-2022-29526 or
-  GHSA-p782-xgp4-8hr8
-* Bump the minimum golang.org/x/text version to 0.3.8 for CVE-2022-32149 or
-  GHSA-69ch-w2m2-3vjp
-* Bump the minimum gopkg.in/yaml.v3 version to 3.0.0 for CVE-2022-28948 or
-  GHSA-hp87-p4gw-j4gq
-* Deprecate the --monitor-host option of 'init-container'
-* Don't leak the NAME and VERSION environment variables into containers made
-  from the fedora-toolbox images
-* Drop golang.org/x/term as a dependency
-* Ensure that Toolbx containers start even if there aren't sufficient resources
-  for inotify(7)
-* Ensure that the fedora-toolbox images retain documentation and translations
-* Ensure that toolbox(1) can be built without using podman(1) and validating
-  subordinate IDs
-* Fix DNS queries in Toolbx containers made from images with systemd-resolved,
-  when running on hosts that don't use it
-* Handle space-separated input when asking for confirmation
-* Let the terminal know the active container also on Fedora Linux Asahi Remix
-* Offer built-in support for Arch Linux
-* Offer built-in support for Ubuntu
-* Preserve the host's environment variables for Bash's history facility inside
-  Toolbx containers
-* Rely on podman >= 1.6.4 always being present
-* Report the size of the image that will be downloaded from a registry
-* Show welcome message on Fedora Sericea
-* Support 64-bit RISC-V
-* Update fallback release to 38 for non-fedora hosts
-* Unbreak the line count checks with Bats >= 1.10.0
-* Unbreak the manual page checks with GNU roff >= 1.23
-* Various updates to the documentation and manuals
+* Added ubuntu-toolbox image definitions for Ubuntu 25.04
+* Gave access to the CA certificates from the host operating system — requires
+  new Toolbx images and 'p11-kit server' on the host.  Note that the UBI-based
+  images for RHEL haven't yet been updated, and this feature is currently
+  disabled for those containers.

+### Bug fixes

-Overview of changes in 0.0.99.4
-===============================
+* Optimized getting the runtime directory
+* Replaced links to the code repository with the website
+* Updated fallback release to 42 for non-fedora hosts

-* Add an --authfile option to 'create'
-* Add a --preserve-fds option to 'run'
-* Add a test that runs codespell
-* Add fedora-toolbox image definition for Fedoras 37, 38 and 39
-* Add several new system tests and make the existing ones stricter
-* Avoid unexpected DNF behaviour with reinstalling or swapping RPMs when
-  building the fedora-toolbox images
-* Be more strict when looking for a C compiler for building
-* Call 'systemd-tmpfiles --create' when installing
-* Check if subordinate ID ranges are present for also the UID, and not just
-  the username
-* Document the toolbox.conf configuration file
-* Don't create a nested pseudo-terminal device during 'run' if the standard
-  input and output streams are not connected to a terminal
-* Don't leak ID and VARIANT_ID into the shell
-* Don't unmarshal the 'podman images' JSON twice
-* Enable OpenGL and Vulkan for hardware with free drivers on the
-  fedora-toolbox images
-* Enable running non-nested display servers from a virtual terminal
-* Enforce all the default 'go vet' checks on all Go sources
-* Enforce gofmt on all Go sources
-* Ensure that the 'distro' option is valid, instead of silently falling back
-  to Fedora
-* Ensure that 'run' has the same container environment as 'enter'
-* Ensure that the fedora-toolbox images has all the locales known to glibc,
-  and not just C, POSIX and C.UTF-8
-* Exit 'run' with exit code of invoked command
-* Fix the titles of the manuals
-* Give precedence to /etc/os-release over /usr/lib/os-release in
-  /etc/profile.d/toolbox.sh
-* Hide the Fedora-specific welcome banner on non-Fedora containers
-* Improve the error messages if the 'distro' and 'release' options are invalid
-* Improve the error messages for mutually exclusive options
-* Improve the default image used for RHEL Toolbx containers to offer an
-  interactive command line experience similar to that on RHEL Workstation
-* Make /etc/profile.d/toolbox.sh compatible with Z shell again
-* Make sd_booted(3) work inside Toolbx containers
-* Preserve the host's XDG_SESSION_CLASS environment variable inside Toolbx
-  containers
-* Replace github.com/mattn/go-isatty and the deprecated
-  golang.org/x/crypto/ssh/terminal API with golang.org/x/term
-* Replace jwhois with whois in the fedora-toolbox images for Fedora >= 37
-* Replace the hand-written shell completion for Bash with ones generated by
-  Cobra that cover fish and Z shell too
-* Restore more documentation removed from the base Fedora images
-* Run unit tests with -Dmigration_path_for_coreos_toolbox on CentOS Stream 9 as
-  part of the CI
-* Silence warning when running the system tests with Bats >= 1.7.0
-* Support RHEL 9 Toolbx containers
-* Support subordinate user and group ID ranges on enterprise set-ups
-* Unbreak sorting and clearly identify copied images in 'list'
-* Update fallback release to 37 for non-fedora hosts
-* Update the Go dependencies with 'go get -u'
-* Various updates to the documentation and manuals
-* Work around Cobra 1.1.2's handling of usage functions
+### Dependencies

+* Added a new weak dependency on 'p11-kit server'
+* Bumped the minimum github.com/NVIDIA/go-nvlib version to 0.7.1
+* Bumped the minimum github.com/spf13/viper version to 1.20.1 to reduce the
+  number of indirect dependencies
+* Bumped the minimum github.com/stretchr/testify version to 1.10.0

-Overview of changes in 0.0.99.3
-===============================
+### Tests

-* Add bc and iproute to the fedora-toolbox images
-* Add fedora-toolbox image definition for Fedoras 35 and 36
-* Add support for configuration files
-* Add optional migration paths for coreos/toolbox users
-* Allow overriding the path to tmpfilesdir
-* Avoid RPM failures due to unexpected file owners
-* Bump minimum Meson version to 0.58.0
-* Ensure that binaries are run against their build-time ABI
-* Expose the host's entire / in the container at /run/host
-* Fix the PS1 on Z shell
-* Fix wrong use of regexp.MatchString
-* Give access to PC/SC smart card daemon
-* Make locate(1) opt-in by default
-* Make the test suite non-destructive
-* Mention that private images require 'podman login'
-* Remove misleading and redundant CMD from the fedora-toolbox images
-* Remove the deprecated com.github.debarshiray.toolbox label from the
-  fedora-toolbox images, and when creating a new container
-* Replace outdated logos with pixels
-* Show basic help when man(1) is not available
-* Show welcome message on Fedora Kinoite
-* Test ImageReferenceCanBeID and ParseRelease
-* Unbreak 'enter' if the shell had exited with 127
-* Various additions and improvements to the test suite
-* Various updates to the documentation and manuals
+* Added runtime environment tests for the Kerberos and RPM configuration
+* Added unit tests for utils.PathExists()
+* Enabled the commands and options tests for 'list' on Arch and Ubuntu 22.04
+* Enabled the system tests for 'create' and networking on Arch Linux
+* Isolated the storage directory from the host's XDG_CACHE_HOME or HOME —
+  bumped the minimum Linux kernel version to 6.6
+* Made the the commands and options tests for 'create' stricter
+* Optimized the runtime environment tests by avoiding a lot of disk I/O
+* Restored the generation and installation of the Bash completions on the CI
+  (regression from Fedora 41)


-Overview of changes in 0.0.99.2
-===============================
+0.1.1
+=====

-* Add nano-default-editor to the fedora-toolbox images
-* Add unit tests for pkg/shell
-* Connect Go unit tests to Meson & rename CI job
-* Decouple image caching from Zuul for the system tests
-* Don't assume that the user's GID is the same as the UID
-* Don't require /etc/machine-id in toolbox images
-* Drop ShellCheck on Shell Toolbox
-* Give access to systemd-resolved's Varlink socket
-* Optimize 'enter' and 'run' in the non-fallback case
-* Optimize the performance of 'list'
-* Properly separate builddir setup & build in the Ansible playbooks
-* Rename Dockerfile to Containerfile for the fedora-toolbox images
-* Show test execution time for the system tests
-* Support listing images without names
-* Unbreak 'create' on an unlocked OSTree deployment
-* Unbreak 'create' on CoreOS with read-only /boot
-* Update default release to 33 for non-Fedora hosts
-* Update the GitHub issue templates
-* Use a regular file, not a symbolic link, for the README.md in the
-  fedora-toolbox images
-* Fall back to $HOME when using a container if the current working directory
-  isn't present in it
-* Various updates to the Bash completion
-* Various updates to the manuals
+### Security fixes

+* Bumped the minimum github.com/NVIDIA/nvidia-container-toolkit version to
+  1.16.2 for CVE-2024-0132 or GHSA-mjjw-553x-87pq, and CVE-2024-0133 or
+  GHSA-f748-7hpg-88ch

-Overview of changes in 0.0.99.1
-===============================
+### Bug fixes

-* Add deprecation notices to the POSIX shell implementation
-* Add test for the new --distro option
-* Drop the FGC namespace from the fedora-toolbox images
-* Fix miscellaneous issues pointed out by https://www.shellcheck.net/
-* Handle hosts with /etc/localtime as absolute symlink
-* Improve README.md
-* Improve the Zuul configuration
-* Mount /mnt only if it is available
-* Refactor the system tests, and use bats-assert and bats-support
-* Test that sudo doesn't require a password
-* Update the manuals
-
-
-Overview of changes in 0.0.99
-=============================
-
-* Add a --distro option to 'create', 'enter' and 'run'
-* Prevent setting VTE-specific PROMPT_COMMAND without VTE
-* Remove the --candidate-registry option from Bash completion and the manual
-  for 'create'
-* Remove the deprecated reset command
-* Support RHEL hosts by creating containers based on UBI
-* Try to avoid 'latest' tags, when looking at RepoTags
-* Update the labels used for filtering toolbox containers images
-* Update the range of supported Fedora releases
-
-
-Overview of changes in 0.0.98.1
-===============================
-
-* Pass the USER environment variable to the container
-* Make /etc/profile.d/toolbox.sh compatible with Z shell again
-* Update the manual to mention that the --image and --release options of
-  'create' can't be used together
-
-
-Overview of changes in 0.0.98
-=============================
-
-* Add nss-mdns to the fedora-toolbox images
-* Correctly check validity of container name
-* Don't leak all the os-release fields into the shell
-* Don't rely on XDG_RUNTIME_DIR when running as root
-* Give access to Avahi to resolve the .local mDNS domain
-* Make coredumpctl(1) 'dump' and 'debug' work inside toolbox containers
-* Make options --image and --release for 'create' mutually exclusive
-* Notify the terminal about the real UID of 'toolbox enter'
-* Remove periods at the end of flag descriptions
-* Set XDG_RUNTIME_DIR when creating the toolbox container
-* Unbreak 'enter' on hosts without a /etc/localtime
-* Unbreak the system tests on Fedora 33
-* Use the host's user namespace when running as root
-
-
-Overview of changes in 0.0.97
-=============================
-
-* Allow X11 clients to run as root
-* Color the output only when displaying on a terminal
-* Don't rely on user D-Bus to track time zone configuration
-* Enable running minikube on Silverblue
-* Expose the host's /boot inside the container at /run/host
-* Fix missing terminfo warning for Ubuntu containers
-* Make locate(1) work inside toolbox containers
-* Make pseudo-terminal devices be owned by the 'tty' group
-* Rework test to check if a toolbox container started successfully
-* Run a login shell when falling back to Bash during 'enter'
-
-
-Overview of changes in 0.0.96
-=============================
-
-* Don't break GNU Readline's ctrl-p shortcut
-* Enable system tests on Fedora 33
-* Fix containers with missing /media possibly due to a failed RPM transaction
-* Give access to the udev database
-* Unbreak X11 applications with GNOME 3.38
-* Update default release to 31 for non-Fedora hosts
-
-
-Overview of changes in 0.0.95
-=============================
-
-* Try to handle configuration files that're absolute symlinks when the entry
-  point sets up the container
-* Unbreak 'enter' on Fedora CoreOS
-* Unbreak 'sudo' inside toolbox containers with Podman 2.0.5
-* Warn if $TERM has no terminfo entry in the container
-
-
-Overview of changes in 0.0.94
-=============================
-
-* Add contribution guidelines
-* Add fedora-toolbox image definition for Fedora 34
-* Add more information to errors from creating symbolic links when setting up
-  the toolbox container in the entry point
-* Ensure binaries built on Fedora 33 run on Fedoras 32 & 31
-* Install the tests
-* Make it more obvious when falling back to /bin/bash
-* Document that sudo(8) should work without a password
-* Mount a tmpfs at /tmp to match the host
-* Update issue templates
-
-
-Overview of changes in 0.0.93
-=============================
-
-* Ensure reproducible builds by using the -trimpath build flag
-* Fix the test suite to work with the Go implementation
-* Make listing of containers and images more robust against changes in the JSON
-  returned by Podman
-* List out dependencies and installation instructions
-* Re-enable highlighting of running containers
-* Show the spinner only when connected to a terminal
-* Speed things up by caching the Podman version at runtime
-* Update hint after creating a container to use the new syntax
-* Use the correct verb format for string
-
-
-Overview of changes in 0.0.92
-=============================
-
-* Embed the version from Meson into the binary
-* Make it build on aarch64
-
-
-Overview of changes in 0.0.91
-=============================
-
-* Add gvfs-client to the fedora-toolbox images
-* Adjust for changes in JSON output from 'podman ps' and 'podman images' in
-  Podman 2.0
-* Lower the Go build requirements to make it easier to build on Fedora
-* Show an error if $PWD is missing inside the container
-
-
-Overview of changes in 0.0.90
-=============================
-
-* Rewrite Toolbox in Go
-* Remove support for toolbox containers created by Toolbox 0.0.9 and older
-* Add option --version to show current Toolbox version
-* Add options --log-level and --log-podman as possible future replacements for
-  --verbose and --very-verbose
-* Clean up the spinner when aborted by SIGINT (or ctrl+c) and such
-* Fix duplication in the output of the list command
-* Mark the reset command as deprecated (replaced by 'podman system reset')
-* Support specifying the name of a toolbox container as an argument to the
-  create and enter commands, in addition to the --container option
-
-
-Overview of changes in 0.0.18
-=============================
-
-* Check /usr/share/profile.d when bind mounting toolbox.sh
-* Mount /media only if it is available
-* Set up /media and /mnt to match the host
-* Unbreak 'enter' when SELinux is disabled
-
-
-Overview of changes in 0.0.17
-=============================
-
-* Add a --very-verbose or -vv option
-* Deprecate all toolbox containers that don't use a reflexive entry point
-* Ensure that 'run' has at least one argument for the command
-* Give access to the host's systemd journal
-* Wipe out the container's /sys/fs/selinux to not advertise SELinux
-
-
-Overview of changes in 0.0.16
-=============================
-
-* Add a reset command
-* Document requirements for distro support
-* Don't use a toolbox container until after it has been configured
-* Drop the coloured heading from 'list'
-* Miscellaneous fixes to Bash completion
-* Remove the hidden --sudo option and the /etc/sudoers.d snippet
-* Try to migrate to a supported OCI runtime if 'podman start' suggests so
-* Unbreak 'run' if container lacks files that are redirected to the host
-
-
-Overview of changes in 0.0.15
-=============================
-
-* Be forgiving of a missing /etc/profile.d/toolbox.sh in 'run'
-* Don't sanity check /etc/subgid and /etc/subuid when running as root
-* Install only flatpak-spawn, not the rest of flatpak-xdg-utils, in the images
-* Let the terminal know the active container only on some Fedora variants
-* Rely on 'podman system migrate' always being present
-* Simplify code by dropping compatibility with 'podman create' < 1.4.0
-* Switch to using /usr/lib/os-release instead of /etc/os-release
-* Unbreak 'create' on Silverblue
-* Update default release to 30 when running on non-fedora hosts
-
-
-Overview of changes in 0.0.14
-=============================
-
-* Adjust the grep match pattern to be more specific
-* Don't exit with a non-zero code from 'toolbox list -i'
-* Expose a few more host locations inside the container under /run/host
-* Give access to the system Flatpak directory
-* Give access to the system libvirt instance
-* Mount /run/media only if it is available
-* Preserve the host's ulimits when creating toolbox containers
-* Work around 'podman exec' resetting the terminal size to 80x24
-
-
-Overview of changes in 0.0.13
-=============================
-
-* Drop PackageKit-command-not-found from the images
-* Improve the help or usage output
-* Simplify code by taking advantage of 'podman create --userns=keep-id'
-* Simplify code by taking advantage of 'podman exec --workdir ...'
-* Tighten the Silverblue check for the welcome message
-
-
-Overview of changes in 0.0.12
-=============================
-
-* Create /run/.toolboxenv inside the toolbox container's entry point too
-* Don't use 'podman cp' to copy toolbox.sh to old containers
-* Drop the "immutable" term
-* Unbreak /etc/localtime & /etc/timezone if /run/host/monitor is absent
-
-
-Overview of changes in 0.0.11
-=============================
-
-* Allow Qt applications to work without QT_X11_NO_MITSHM
-* Check if /etc/subgid and /etc/subuid have entries for the user
-* Give access to the entire /dev from the host operating system
-* Keep /etc/host.conf, /etc/localtime and /etc/timezone synchronized with the
-  host
-* Notify the terminal about the current toolbox container in use
-* Prevent Podman from complaining about 'podman cp --pause=true ...'
-* Unbreak rendering & wrapping of commands typed at an interactive prompt
-* Unbreak setting up /home as a symbolic link
-
-
-Overview of changes in 0.0.10
-=============================
-
-* Add a run command
-* Create /run/.toolboxenv in 'toolbox enter' for identification
-* Drop the Buildah dependency and the user-specific customized image
-* Keep /etc/hosts and /etc/resolv.conf synchronized with the host
-* Migrate existing containers when Podman is updated
-* Retain the PS1 across su(1) and sudo(8)
-* Set the Kerberos credential cache type only if Kerberos is available
-* Support column(1) from bsdmainutils
-* Support 'sudo' as default sudo(8) group
-* Use a magenta hexagon instead of 🔹 in the PS1
-
-
-Overview of changes in 0.0.9
-============================
-
-* Add Bash completion
-* Allow connecting to Wayland displays other than "wayland-0"
-* Ask for confirmation before downloading the base image
-* Improve the onboarding experience
-* Make it available inside the toolbox container
-* Make 'toolbox enter' create or fall back to a container when possible
-* Set TOOLBOX_CONTAINER in the environment to identify as a toolbox
-* Set default release to 29 when running on non-fedora hosts
-* Show welcome texts on interactive shells
-
-
-Overview of changes in 0.0.8
-============================
-
-* Add label for tagging, not tied to the fedora-toolbox name
-* Add short variants for various options in 'create' and 'enter'
-* Ensure that names of toolbox containers don't have a colon
-* Enable Travis
-* Fix miscellaneous issues pointed out by https://www.shellcheck.net/
-* Give access to Kerberos if KCM credential caches are being used
-* Improve the onboarding experience
-* Reduce the sizes of the images by removing temporary files created by DNF
-* Use a lighter entry point than /bin/sh
-
-
-Overview of changes in 0.0.7
-============================
-
-* Add fedora-toolbox image definition for Fedora 31
-* Add flatpak-xdg-utils to Fedoras 29 and 30
-* Add manuals
-* Add rm and rmi commands
-* Be more informative when creating the working container
-* Clarify the error message if the toolbox container is not found
-* Don't create volumes in the image for bind mounts from the host
-* Fix miscellaneous issues pointed out by https://www.shellcheck.net/
-* Give access to /dev/bus for control transfers from USB devices
-* Give access to removable devices and other temporary mounts
-* Lots of Bash-isms removed for POSIX correctness
-* Make the --image flag override the base toolbox image, as documented
-* Make the spinner more efficient
-* Restore documentation removed from the base Fedora images
-
-
-Overview of changes in 0.0.6
-============================
-
-* Add a list command
-* Drop the "fedora" prefix and rename the project as just "toolbox"
-* Fix typos pointed out by https://www.shellcheck.net/
-* Lots of Bash-isms removed for POSIX correctness
-* Make --container and --image command-specific options
-* Make it work inside the toolbox container itself
-* Shorten the prefix for debug and error messages
-* Use the host's PID namespace for the toolbox container
-* Use the standard error output for error messages
-
-
-Overview of changes in 0.0.5
-============================
-
-* Give access to mounts under $HOME, and make autofs work
-* Show a spinner when creating the toolbox
-
-
-Overview of changes in 0.0.4
-============================
-
-* Avoid spooky root-like behaviour for non-root interactive shells
-* Give access to the FUSE kernel module
-* Improve the readability of the debug output
-* Set up $HOME and /home to match the host
-* Try to enter the same directory inside the toolbox
-
-
-Overview of changes in 0.0.3
-============================
-
-* Clean up the Buildah working containers on error
-* Unbreak creating the toolbox if the toolbox image already exists
-
-
-Overview of changes in 0.0.2
-============================
-
-* Allow an 'F' or 'f' prefix when specifying the release
-* Avoid a Bash-ism (ie. ==) and stick to POSIX (ie. =)
-* Fallback to /bin/bash if $SHELL doesn't exist in the toolbox container
-* Give access to the system D-Bus instance
-* Make shm_open work
-
-
-Overview of changes in 0.0.1
-============================
-
-* First preview release
+* Unbroke 'enter' if the NVIDIA Persistence Daemon is used (regression in
+  0.0.99.6)
+* Unbroke 'enter' if the proprietary NVIDIA driver is installed, but not used
+  (regression in 0.0.99.6)


 ----

-Copyright © 2018 – 2024 Red Hat, Inc.
+Copyright © 2024 Red Hat, Inc.
 All rights reserved.

 Copying and distribution of this file, with or without modification,
--- a/NEWS.old
+++ b/NEWS.old
@ -0,0 +1,594 @@
+Overview of changes in 0.1.0
+============================
+
+* Add ubuntu-toolbox image definitions for Ubuntu 24.10
+* Optimize the CI on stable Fedora nodes
+* Stop updating the ubuntu-toolbox images for Ubuntu 16.04 and 18.04
+* Stop using slirp4netns(1) in the system tests
+* Unbreak the downstream Fedora CI
+* Unbreak the ubuntu-toolbox image build for Ubuntu 24.04
+* Update fallback release to 40 for non-fedora hosts
+
+
+Overview of changes in 0.0.99.6
+===============================
+
+* Add all the iconv converter modules for glibc to the fedora-toolbox images
+* Add an extra space after the ⬢ in the PS1
+* Add cracklib-dicts to the fedora-toolbox images
+* Add logos to the Arch Linux and Fedora badges, and a badge for the Ubuntu
+  package
+* Add manual pages and pacman progress bars to the arch-toolbox image
+* Add toolbox image definitions for RHELs 8.8, 8.9, 9.2 and 9.3
+* Add translations for gawk to the fedora-toolbox images
+* Add ubuntu-toolbox image definitions for Ubuntu 24.04
+* Avoid running out of storage space when running the system tests on the CI
+* Bump the minimum github.com/briandowns/spinner version to 1.18.0
+* Depend on github.com/go-logfmt/logfmt version 0.5.0
+* Depend on github.com/NVIDIA/go-nvlib version 0.6.1
+* Depend on github.com/NVIDIA/nvidia-container-toolkit version 1.16.1
+* Don't unmarshal the 'podman ps' JSON twice
+* Don't use use auto dependencies for shell completion scripts
+* Drop one "o" and rename the project as "Toolbx"
+* Enable more tests on Ubuntu 22.04 by setting the SHELL environment variable
+* Enable the proprietary NVIDIA driver
+* Exclude the meson.build files when installing the system tests
+* Fix pacman cache removal in the arch-toolbox image
+* Let 'create' use an image without a name
+* Let the terminal know the active container on all host operating systems,
+  and not just Fedora Silverblue and Workstation
+* Limit the scope of temporary files used by the system tests
+* Optimize 'enter' and 'run' for both an already running container and a
+  container getting initialized
+* Optimize the CI on Fedora nodes
+* Optimize the resource limits tests
+* Preserve the Konsole and xterm versions
+* Require --assumeyes to pull an image when not connected to a terminal
+* Retain errors from toolbox(1) without --verbose when forwarding to host
+* Retain exit codes from toolbox(1) when forwarding to host
+* Show the entry point's debug logs & errors in 'enter' and 'run'
+* Support 64-bit LoongArch
+* Synchronize the documentation with the website
+* Unbreak Podman's downstream Fedora CI
+* Use Buildah and Podman to build and test the arch-toolbox and ubuntu-toolbox
+  images
+* Use the same linker flags as NVIDIA Container Toolkit, and '-z now' is
+  unsupported
+* Work around bug in pasta(1) networks in the system tests
+
+
+Overview of changes in 0.0.99.5
+===============================
+
+* Add psmisc to the fedora-toolbox images
+* Add several new system and unit tests, and make the existing ones stricter
+* Add workaround to support configuring the user's password on some Active
+  Directory set-ups
+* Be aware of security hardened mount points marked with 'nosuid,nodev,noexec'
+* Bump the minimum Bats version to 1.7.0 to simplify running a subset of the
+  system tests and fix various warnings
+* Bump the minimum Go requirement to 1.20
+* Bump the minimum github.com/docker/go-units version to 0.5.0
+* Bump the minimum golang.org/x/sys version to 0.1.0 for CVE-2022-29526 or
+  GHSA-p782-xgp4-8hr8
+* Bump the minimum golang.org/x/text version to 0.3.8 for CVE-2022-32149 or
+  GHSA-69ch-w2m2-3vjp
+* Bump the minimum gopkg.in/yaml.v3 version to 3.0.0 for CVE-2022-28948 or
+  GHSA-hp87-p4gw-j4gq
+* Deprecate the --monitor-host option of 'init-container'
+* Don't leak the NAME and VERSION environment variables into containers made
+  from the fedora-toolbox images
+* Drop golang.org/x/term as a dependency
+* Ensure that Toolbx containers start even if there aren't sufficient resources
+  for inotify(7)
+* Ensure that the fedora-toolbox images retain documentation and translations
+* Ensure that toolbox(1) can be built without using podman(1) and validating
+  subordinate IDs
+* Fix DNS queries in Toolbx containers made from images with systemd-resolved,
+  when running on hosts that don't use it
+* Handle space-separated input when asking for confirmation
+* Let the terminal know the active container also on Fedora Linux Asahi Remix
+* Offer built-in support for Arch Linux
+* Offer built-in support for Ubuntu
+* Preserve the host's environment variables for Bash's history facility inside
+  Toolbx containers
+* Rely on podman >= 1.6.4 always being present
+* Report the size of the image that will be downloaded from a registry
+* Show welcome message on Fedora Sericea
+* Support 64-bit RISC-V
+* Update fallback release to 38 for non-fedora hosts
+* Unbreak the line count checks with Bats >= 1.10.0
+* Unbreak the manual page checks with GNU roff >= 1.23
+* Various updates to the documentation and manuals
+
+
+Overview of changes in 0.0.99.4
+===============================
+
+* Add an --authfile option to 'create'
+* Add a --preserve-fds option to 'run'
+* Add a test that runs codespell
+* Add fedora-toolbox image definition for Fedoras 37, 38 and 39
+* Add several new system tests and make the existing ones stricter
+* Avoid unexpected DNF behaviour with reinstalling or swapping RPMs when
+  building the fedora-toolbox images
+* Be more strict when looking for a C compiler for building
+* Call 'systemd-tmpfiles --create' when installing
+* Check if subordinate ID ranges are present for also the UID, and not just
+  the username
+* Document the toolbox.conf configuration file
+* Don't create a nested pseudo-terminal device during 'run' if the standard
+  input and output streams are not connected to a terminal
+* Don't leak ID and VARIANT_ID into the shell
+* Don't unmarshal the 'podman images' JSON twice
+* Enable OpenGL and Vulkan for hardware with free drivers on the
+  fedora-toolbox images
+* Enable running non-nested display servers from a virtual terminal
+* Enforce all the default 'go vet' checks on all Go sources
+* Enforce gofmt on all Go sources
+* Ensure that the 'distro' option is valid, instead of silently falling back
+  to Fedora
+* Ensure that 'run' has the same container environment as 'enter'
+* Ensure that the fedora-toolbox images has all the locales known to glibc,
+  and not just C, POSIX and C.UTF-8
+* Exit 'run' with exit code of invoked command
+* Fix the titles of the manuals
+* Give precedence to /etc/os-release over /usr/lib/os-release in
+  /etc/profile.d/toolbox.sh
+* Hide the Fedora-specific welcome banner on non-Fedora containers
+* Improve the error messages if the 'distro' and 'release' options are invalid
+* Improve the error messages for mutually exclusive options
+* Improve the default image used for RHEL Toolbx containers to offer an
+  interactive command line experience similar to that on RHEL Workstation
+* Make /etc/profile.d/toolbox.sh compatible with Z shell again
+* Make sd_booted(3) work inside Toolbx containers
+* Preserve the host's XDG_SESSION_CLASS environment variable inside Toolbx
+  containers
+* Replace github.com/mattn/go-isatty and the deprecated
+  golang.org/x/crypto/ssh/terminal API with golang.org/x/term
+* Replace jwhois with whois in the fedora-toolbox images for Fedora >= 37
+* Replace the hand-written shell completion for Bash with ones generated by
+  Cobra that cover fish and Z shell too
+* Restore more documentation removed from the base Fedora images
+* Run unit tests with -Dmigration_path_for_coreos_toolbox on CentOS Stream 9 as
+  part of the CI
+* Silence warning when running the system tests with Bats >= 1.7.0
+* Support RHEL 9 Toolbx containers
+* Support subordinate user and group ID ranges on enterprise set-ups
+* Unbreak sorting and clearly identify copied images in 'list'
+* Update fallback release to 37 for non-fedora hosts
+* Update the Go dependencies with 'go get -u'
+* Various updates to the documentation and manuals
+* Work around Cobra 1.1.2's handling of usage functions
+
+
+Overview of changes in 0.0.99.3
+===============================
+
+* Add bc and iproute to the fedora-toolbox images
+* Add fedora-toolbox image definition for Fedoras 35 and 36
+* Add support for configuration files
+* Add optional migration paths for coreos/toolbox users
+* Allow overriding the path to tmpfilesdir
+* Avoid RPM failures due to unexpected file owners
+* Bump minimum Meson version to 0.58.0
+* Ensure that binaries are run against their build-time ABI
+* Expose the host's entire / in the container at /run/host
+* Fix the PS1 on Z shell
+* Fix wrong use of regexp.MatchString
+* Give access to PC/SC smart card daemon
+* Make locate(1) opt-in by default
+* Make the test suite non-destructive
+* Mention that private images require 'podman login'
+* Remove misleading and redundant CMD from the fedora-toolbox images
+* Remove the deprecated com.github.debarshiray.toolbox label from the
+  fedora-toolbox images, and when creating a new container
+* Replace outdated logos with pixels
+* Show basic help when man(1) is not available
+* Show welcome message on Fedora Kinoite
+* Test ImageReferenceCanBeID and ParseRelease
+* Unbreak 'enter' if the shell had exited with 127
+* Various additions and improvements to the test suite
+* Various updates to the documentation and manuals
+
+
+Overview of changes in 0.0.99.2
+===============================
+
+* Add nano-default-editor to the fedora-toolbox images
+* Add unit tests for pkg/shell
+* Connect Go unit tests to Meson & rename CI job
+* Decouple image caching from Zuul for the system tests
+* Don't assume that the user's GID is the same as the UID
+* Don't require /etc/machine-id in toolbox images
+* Drop ShellCheck on Shell Toolbox
+* Give access to systemd-resolved's Varlink socket
+* Optimize 'enter' and 'run' in the non-fallback case
+* Optimize the performance of 'list'
+* Properly separate builddir setup & build in the Ansible playbooks
+* Rename Dockerfile to Containerfile for the fedora-toolbox images
+* Show test execution time for the system tests
+* Support listing images without names
+* Unbreak 'create' on an unlocked OSTree deployment
+* Unbreak 'create' on CoreOS with read-only /boot
+* Update default release to 33 for non-Fedora hosts
+* Update the GitHub issue templates
+* Use a regular file, not a symbolic link, for the README.md in the
+  fedora-toolbox images
+* Fall back to $HOME when using a container if the current working directory
+  isn't present in it
+* Various updates to the Bash completion
+* Various updates to the manuals
+
+
+Overview of changes in 0.0.99.1
+===============================
+
+* Add deprecation notices to the POSIX shell implementation
+* Add test for the new --distro option
+* Drop the FGC namespace from the fedora-toolbox images
+* Fix miscellaneous issues pointed out by https://www.shellcheck.net/
+* Handle hosts with /etc/localtime as absolute symlink
+* Improve README.md
+* Improve the Zuul configuration
+* Mount /mnt only if it is available
+* Refactor the system tests, and use bats-assert and bats-support
+* Test that sudo doesn't require a password
+* Update the manuals
+
+
+Overview of changes in 0.0.99
+=============================
+
+* Add a --distro option to 'create', 'enter' and 'run'
+* Prevent setting VTE-specific PROMPT_COMMAND without VTE
+* Remove the --candidate-registry option from Bash completion and the manual
+  for 'create'
+* Remove the deprecated reset command
+* Support RHEL hosts by creating containers based on UBI
+* Try to avoid 'latest' tags, when looking at RepoTags
+* Update the labels used for filtering toolbox containers images
+* Update the range of supported Fedora releases
+
+
+Overview of changes in 0.0.98.1
+===============================
+
+* Pass the USER environment variable to the container
+* Make /etc/profile.d/toolbox.sh compatible with Z shell again
+* Update the manual to mention that the --image and --release options of
+  'create' can't be used together
+
+
+Overview of changes in 0.0.98
+=============================
+
+* Add nss-mdns to the fedora-toolbox images
+* Correctly check validity of container name
+* Don't leak all the os-release fields into the shell
+* Don't rely on XDG_RUNTIME_DIR when running as root
+* Give access to Avahi to resolve the .local mDNS domain
+* Make coredumpctl(1) 'dump' and 'debug' work inside toolbox containers
+* Make options --image and --release for 'create' mutually exclusive
+* Notify the terminal about the real UID of 'toolbox enter'
+* Remove periods at the end of flag descriptions
+* Set XDG_RUNTIME_DIR when creating the toolbox container
+* Unbreak 'enter' on hosts without a /etc/localtime
+* Unbreak the system tests on Fedora 33
+* Use the host's user namespace when running as root
+
+
+Overview of changes in 0.0.97
+=============================
+
+* Allow X11 clients to run as root
+* Color the output only when displaying on a terminal
+* Don't rely on user D-Bus to track time zone configuration
+* Enable running minikube on Silverblue
+* Expose the host's /boot inside the container at /run/host
+* Fix missing terminfo warning for Ubuntu containers
+* Make locate(1) work inside toolbox containers
+* Make pseudo-terminal devices be owned by the 'tty' group
+* Rework test to check if a toolbox container started successfully
+* Run a login shell when falling back to Bash during 'enter'
+
+
+Overview of changes in 0.0.96
+=============================
+
+* Don't break GNU Readline's ctrl-p shortcut
+* Enable system tests on Fedora 33
+* Fix containers with missing /media possibly due to a failed RPM transaction
+* Give access to the udev database
+* Unbreak X11 applications with GNOME 3.38
+* Update default release to 31 for non-Fedora hosts
+
+
+Overview of changes in 0.0.95
+=============================
+
+* Try to handle configuration files that're absolute symlinks when the entry
+  point sets up the container
+* Unbreak 'enter' on Fedora CoreOS
+* Unbreak 'sudo' inside toolbox containers with Podman 2.0.5
+* Warn if $TERM has no terminfo entry in the container
+
+
+Overview of changes in 0.0.94
+=============================
+
+* Add contribution guidelines
+* Add fedora-toolbox image definition for Fedora 34
+* Add more information to errors from creating symbolic links when setting up
+  the toolbox container in the entry point
+* Ensure binaries built on Fedora 33 run on Fedoras 32 & 31
+* Install the tests
+* Make it more obvious when falling back to /bin/bash
+* Document that sudo(8) should work without a password
+* Mount a tmpfs at /tmp to match the host
+* Update issue templates
+
+
+Overview of changes in 0.0.93
+=============================
+
+* Ensure reproducible builds by using the -trimpath build flag
+* Fix the test suite to work with the Go implementation
+* Make listing of containers and images more robust against changes in the JSON
+  returned by Podman
+* List out dependencies and installation instructions
+* Re-enable highlighting of running containers
+* Show the spinner only when connected to a terminal
+* Speed things up by caching the Podman version at runtime
+* Update hint after creating a container to use the new syntax
+* Use the correct verb format for string
+
+
+Overview of changes in 0.0.92
+=============================
+
+* Embed the version from Meson into the binary
+* Make it build on aarch64
+
+
+Overview of changes in 0.0.91
+=============================
+
+* Add gvfs-client to the fedora-toolbox images
+* Adjust for changes in JSON output from 'podman ps' and 'podman images' in
+  Podman 2.0
+* Lower the Go build requirements to make it easier to build on Fedora
+* Show an error if $PWD is missing inside the container
+
+
+Overview of changes in 0.0.90
+=============================
+
+* Rewrite Toolbox in Go
+* Remove support for toolbox containers created by Toolbox 0.0.9 and older
+* Add option --version to show current Toolbox version
+* Add options --log-level and --log-podman as possible future replacements for
+  --verbose and --very-verbose
+* Clean up the spinner when aborted by SIGINT (or ctrl+c) and such
+* Fix duplication in the output of the list command
+* Mark the reset command as deprecated (replaced by 'podman system reset')
+* Support specifying the name of a toolbox container as an argument to the
+  create and enter commands, in addition to the --container option
+
+
+Overview of changes in 0.0.18
+=============================
+
+* Check /usr/share/profile.d when bind mounting toolbox.sh
+* Mount /media only if it is available
+* Set up /media and /mnt to match the host
+* Unbreak 'enter' when SELinux is disabled
+
+
+Overview of changes in 0.0.17
+=============================
+
+* Add a --very-verbose or -vv option
+* Deprecate all toolbox containers that don't use a reflexive entry point
+* Ensure that 'run' has at least one argument for the command
+* Give access to the host's systemd journal
+* Wipe out the container's /sys/fs/selinux to not advertise SELinux
+
+
+Overview of changes in 0.0.16
+=============================
+
+* Add a reset command
+* Document requirements for distro support
+* Don't use a toolbox container until after it has been configured
+* Drop the coloured heading from 'list'
+* Miscellaneous fixes to Bash completion
+* Remove the hidden --sudo option and the /etc/sudoers.d snippet
+* Try to migrate to a supported OCI runtime if 'podman start' suggests so
+* Unbreak 'run' if container lacks files that are redirected to the host
+
+
+Overview of changes in 0.0.15
+=============================
+
+* Be forgiving of a missing /etc/profile.d/toolbox.sh in 'run'
+* Don't sanity check /etc/subgid and /etc/subuid when running as root
+* Install only flatpak-spawn, not the rest of flatpak-xdg-utils, in the images
+* Let the terminal know the active container only on some Fedora variants
+* Rely on 'podman system migrate' always being present
+* Simplify code by dropping compatibility with 'podman create' < 1.4.0
+* Switch to using /usr/lib/os-release instead of /etc/os-release
+* Unbreak 'create' on Silverblue
+* Update default release to 30 when running on non-fedora hosts
+
+
+Overview of changes in 0.0.14
+=============================
+
+* Adjust the grep match pattern to be more specific
+* Don't exit with a non-zero code from 'toolbox list -i'
+* Expose a few more host locations inside the container under /run/host
+* Give access to the system Flatpak directory
+* Give access to the system libvirt instance
+* Mount /run/media only if it is available
+* Preserve the host's ulimits when creating toolbox containers
+* Work around 'podman exec' resetting the terminal size to 80x24
+
+
+Overview of changes in 0.0.13
+=============================
+
+* Drop PackageKit-command-not-found from the images
+* Improve the help or usage output
+* Simplify code by taking advantage of 'podman create --userns=keep-id'
+* Simplify code by taking advantage of 'podman exec --workdir ...'
+* Tighten the Silverblue check for the welcome message
+
+
+Overview of changes in 0.0.12
+=============================
+
+* Create /run/.toolboxenv inside the toolbox container's entry point too
+* Don't use 'podman cp' to copy toolbox.sh to old containers
+* Drop the "immutable" term
+* Unbreak /etc/localtime & /etc/timezone if /run/host/monitor is absent
+
+
+Overview of changes in 0.0.11
+=============================
+
+* Allow Qt applications to work without QT_X11_NO_MITSHM
+* Check if /etc/subgid and /etc/subuid have entries for the user
+* Give access to the entire /dev from the host operating system
+* Keep /etc/host.conf, /etc/localtime and /etc/timezone synchronized with the
+  host
+* Notify the terminal about the current toolbox container in use
+* Prevent Podman from complaining about 'podman cp --pause=true ...'
+* Unbreak rendering & wrapping of commands typed at an interactive prompt
+* Unbreak setting up /home as a symbolic link
+
+
+Overview of changes in 0.0.10
+=============================
+
+* Add a run command
+* Create /run/.toolboxenv in 'toolbox enter' for identification
+* Drop the Buildah dependency and the user-specific customized image
+* Keep /etc/hosts and /etc/resolv.conf synchronized with the host
+* Migrate existing containers when Podman is updated
+* Retain the PS1 across su(1) and sudo(8)
+* Set the Kerberos credential cache type only if Kerberos is available
+* Support column(1) from bsdmainutils
+* Support 'sudo' as default sudo(8) group
+* Use a magenta hexagon instead of 🔹 in the PS1
+
+
+Overview of changes in 0.0.9
+============================
+
+* Add Bash completion
+* Allow connecting to Wayland displays other than "wayland-0"
+* Ask for confirmation before downloading the base image
+* Improve the onboarding experience
+* Make it available inside the toolbox container
+* Make 'toolbox enter' create or fall back to a container when possible
+* Set TOOLBOX_CONTAINER in the environment to identify as a toolbox
+* Set default release to 29 when running on non-fedora hosts
+* Show welcome texts on interactive shells
+
+
+Overview of changes in 0.0.8
+============================
+
+* Add label for tagging, not tied to the fedora-toolbox name
+* Add short variants for various options in 'create' and 'enter'
+* Ensure that names of toolbox containers don't have a colon
+* Enable Travis
+* Fix miscellaneous issues pointed out by https://www.shellcheck.net/
+* Give access to Kerberos if KCM credential caches are being used
+* Improve the onboarding experience
+* Reduce the sizes of the images by removing temporary files created by DNF
+* Use a lighter entry point than /bin/sh
+
+
+Overview of changes in 0.0.7
+============================
+
+* Add fedora-toolbox image definition for Fedora 31
+* Add flatpak-xdg-utils to Fedoras 29 and 30
+* Add manuals
+* Add rm and rmi commands
+* Be more informative when creating the working container
+* Clarify the error message if the toolbox container is not found
+* Don't create volumes in the image for bind mounts from the host
+* Fix miscellaneous issues pointed out by https://www.shellcheck.net/
+* Give access to /dev/bus for control transfers from USB devices
+* Give access to removable devices and other temporary mounts
+* Lots of Bash-isms removed for POSIX correctness
+* Make the --image flag override the base toolbox image, as documented
+* Make the spinner more efficient
+* Restore documentation removed from the base Fedora images
+
+
+Overview of changes in 0.0.6
+============================
+
+* Add a list command
+* Drop the "fedora" prefix and rename the project as just "toolbox"
+* Fix typos pointed out by https://www.shellcheck.net/
+* Lots of Bash-isms removed for POSIX correctness
+* Make --container and --image command-specific options
+* Make it work inside the toolbox container itself
+* Shorten the prefix for debug and error messages
+* Use the host's PID namespace for the toolbox container
+* Use the standard error output for error messages
+
+
+Overview of changes in 0.0.5
+============================
+
+* Give access to mounts under $HOME, and make autofs work
+* Show a spinner when creating the toolbox
+
+
+Overview of changes in 0.0.4
+============================
+
+* Avoid spooky root-like behaviour for non-root interactive shells
+* Give access to the FUSE kernel module
+* Improve the readability of the debug output
+* Set up $HOME and /home to match the host
+* Try to enter the same directory inside the toolbox
+
+
+Overview of changes in 0.0.3
+============================
+
+* Clean up the Buildah working containers on error
+* Unbreak creating the toolbox if the toolbox image already exists
+
+
+Overview of changes in 0.0.2
+============================
+
+* Allow an 'F' or 'f' prefix when specifying the release
+* Avoid a Bash-ism (ie. ==) and stick to POSIX (ie. =)
+* Fallback to /bin/bash if $SHELL doesn't exist in the toolbox container
+* Give access to the system D-Bus instance
+* Make shm_open work
+
+
+Overview of changes in 0.0.1
+============================
+
+* First preview release
+
+
+----
+
+Copyright © 2018 – 2024 Red Hat, Inc.
+All rights reserved.
+
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
--- a/images/arch/Containerfile
+++ b/images/arch/Containerfile
@ -23,3 +23,6 @@ RUN yes | pacman -Scc

 # Enable sudo permission for wheel users
 RUN echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/toolbox
+
+# Enable the use of p11-kit-client.so to access CA certificates from the host
+RUN mkdir --parents /etc/pkcs11/modules
--- a/images/arch/extra-packages
+++ b/images/arch/extra-packages
@ -4,6 +4,7 @@ flatpak-xdg-utils
 git
 gnupg
 keyutils
+libp11-kit
 lsof
 man-db
 man-pages
--- a/images/ubuntu/18.04/Containerfile
+++ b/images/ubuntu/18.04/Containerfile
@ -33,6 +33,9 @@ RUN rm /extra-packages
 # Allow authentication with empty password, promptless
 RUN sed -i '/^auth.*pam_unix.so/s/nullok_secure/try_first_pass nullok/' /etc/pam.d/common-auth

+# Enable the use of p11-kit-client.so to access CA certificates from the host
+RUN mkdir --parents /etc/pkcs11/modules
+
 # Fix empty bind-mount to clear selinuxfs (see #337)
 RUN mkdir /usr/share/empty

--- a/images/ubuntu/18.04/extra-packages
+++ b/images/ubuntu/18.04/extra-packages
@ -2,6 +2,7 @@ curl
 git
 gnupg2
 keyutils
+p11-kit-modules
 tree
 unzip
 zip
--- a/images/ubuntu/20.04/Containerfile
+++ b/images/ubuntu/20.04/Containerfile
@ -35,6 +35,9 @@ RUN rm /extra-packages
 # Allow authentication with empty password, promptless
 RUN sed -i '/^auth.*pam_unix.so/s/nullok_secure/try_first_pass nullok/' /etc/pam.d/common-auth

+# Enable the use of p11-kit-client.so to access CA certificates from the host
+RUN mkdir --parents /etc/pkcs11/modules
+
 # Fix empty bind-mount to clear selinuxfs (see #337)
 RUN mkdir /usr/share/empty

--- a/images/ubuntu/20.04/extra-packages
+++ b/images/ubuntu/20.04/extra-packages
@ -2,6 +2,7 @@ curl
 git
 gnupg2
 keyutils
+p11-kit-modules
 tree
 unzip
 zip
--- a/images/ubuntu/22.04/Containerfile
+++ b/images/ubuntu/22.04/Containerfile
@ -32,6 +32,9 @@ RUN sed -Ei '/apt-get (update|upgrade)/s/^/#/' /usr/local/sbin/unminimize && \
    rm -rd /var/lib/apt/lists/*
 RUN rm /extra-packages

+# Enable the use of p11-kit-client.so to access CA certificates from the host
+RUN mkdir --parents /etc/pkcs11/modules
+
 # Fix empty bind-mount to clear selinuxfs (see #337)
 RUN mkdir /usr/share/empty

--- a/images/ubuntu/22.04/extra-packages
+++ b/images/ubuntu/22.04/extra-packages
@ -2,6 +2,7 @@ curl
 git
 gnupg2
 keyutils
+p11-kit-modules
 tree
 unzip
 zip
--- a/images/ubuntu/24.04/Containerfile
+++ b/images/ubuntu/24.04/Containerfile
@ -21,9 +21,10 @@ RUN sed -Ei 's/^(hosts:.*)(\<files\>)\s*(.*)/\1\2 myhostname \3/' /etc/nsswitch.
 # Install ubuntu-minimal & ubuntu-standard
 # Install extra packages as well as libnss-myhostname
 COPY extra-packages /
-RUN sed -Ei '/apt-get (update|upgrade)/s/^/#/' /usr/local/sbin/unminimize && \
-    apt-get update && \
-    yes | /usr/local/sbin/unminimize && \
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get -y install unminimize && \
+    sed -Ei '/apt-get (update|upgrade)/s/^/#/' /usr/bin/unminimize && \
+    yes | /usr/bin/unminimize && \
    DEBIAN_FRONTEND=noninteractive apt-get -y install \
        ubuntu-minimal ubuntu-standard \
        libnss-myhostname \
@ -32,6 +33,9 @@ RUN sed -Ei '/apt-get (update|upgrade)/s/^/#/' /usr/local/sbin/unminimize && \
    rm -rd /var/lib/apt/lists/*
 RUN rm /extra-packages

+# Enable the use of p11-kit-client.so to access CA certificates from the host
+RUN mkdir --parents /etc/pkcs11/modules
+
 # Fix empty bind-mount to clear selinuxfs (see #337)
 RUN mkdir /usr/share/empty

--- a/images/ubuntu/24.04/extra-packages
+++ b/images/ubuntu/24.04/extra-packages
@ -2,6 +2,7 @@ curl
 git
 gnupg2
 keyutils
+p11-kit-modules
 tree
 unzip
 zip
--- a/images/ubuntu/24.10/Containerfile
+++ b/images/ubuntu/24.10/Containerfile
@ -1,8 +1,8 @@
-FROM docker.io/library/ubuntu:23.10
+FROM docker.io/library/ubuntu:24.10

 LABEL com.github.containers.toolbox="true" \
      name="ubuntu-toolbox" \
-      version="23.10" \
+      version="24.10" \
      usage="This image is meant to be used with the toolbox command" \
      summary="Base image for creating Ubuntu Toolbx containers" \
      maintainer="Ievgen Popovych <jmennius@gmail.com>"
@ -11,19 +11,14 @@ LABEL com.github.containers.toolbox="true" \
 # Remove docker-gzip-indexes to help with "command-not-found"
 RUN rm /etc/apt/apt.conf.d/docker-gzip-indexes /etc/apt/apt.conf.d/docker-no-languages

-# Enable myhostname nss plugin for clean hostname resolution without patching
-# hosts (at least for sudo), add it right after 'files' entry. We expect that
-# this entry is not present yet. Do this early so that package postinst (which
-# adds it too late in the order) skips this step
-RUN sed -Ei 's/^(hosts:.*)(\<files\>)\s*(.*)/\1\2 myhostname \3/' /etc/nsswitch.conf
-
 # Restore documentation but do not upgrade all packages
 # Install ubuntu-minimal & ubuntu-standard
 # Install extra packages as well as libnss-myhostname
 COPY extra-packages /
-RUN sed -Ei '/apt-get (update|upgrade)/s/^/#/' /usr/local/sbin/unminimize && \
-    apt-get update && \
-    yes | /usr/local/sbin/unminimize && \
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get -y install unminimize && \
+    sed -Ei '/apt-get (update|upgrade)/s/^/#/' /usr/bin/unminimize && \
+    yes | /usr/bin/unminimize && \
    DEBIAN_FRONTEND=noninteractive apt-get -y install \
        ubuntu-minimal ubuntu-standard \
        libnss-myhostname \
@ -32,6 +27,9 @@ RUN sed -Ei '/apt-get (update|upgrade)/s/^/#/' /usr/local/sbin/unminimize && \
    rm -rd /var/lib/apt/lists/*
 RUN rm /extra-packages

+# Enable the use of p11-kit-client.so to access CA certificates from the host
+RUN mkdir --parents /etc/pkcs11/modules
+
 # Fix empty bind-mount to clear selinuxfs (see #337)
 RUN mkdir /usr/share/empty

--- a/images/ubuntu/24.10/extra-packages
+++ b/images/ubuntu/24.10/extra-packages
@ -2,6 +2,7 @@ curl
 git
 gnupg2
 keyutils
+p11-kit-modules
 tree
 unzip
 zip
--- a/images/ubuntu/25.04/Containerfile
+++ b/images/ubuntu/25.04/Containerfile
@ -0,0 +1,44 @@
+FROM docker.io/library/ubuntu:25.04
+
+LABEL com.github.containers.toolbox="true" \
+      name="ubuntu-toolbox" \
+      version="25.04" \
+      usage="This image is meant to be used with the toolbox command" \
+      summary="Base image for creating Ubuntu Toolbx containers" \
+      maintainer="Ievgen Popovych <jmennius@gmail.com>"
+
+# Remove apt configuration optimized for containers
+# Remove docker-gzip-indexes to help with "command-not-found"
+RUN rm /etc/apt/apt.conf.d/docker-gzip-indexes /etc/apt/apt.conf.d/docker-no-languages
+
+# Restore documentation but do not upgrade all packages
+# Install ubuntu-minimal & ubuntu-standard
+# Install extra packages as well as libnss-myhostname
+COPY extra-packages /
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get -y install unminimize && \
+    sed -Ei '/apt-get (update|upgrade)/s/^/#/' /usr/bin/unminimize && \
+    yes | /usr/bin/unminimize && \
+    DEBIAN_FRONTEND=noninteractive apt-get -y install \
+        ubuntu-minimal ubuntu-standard \
+        libnss-myhostname \
+        flatpak-xdg-utils \
+        $(cat extra-packages | xargs) && \
+    rm -rd /var/lib/apt/lists/*
+RUN rm /extra-packages
+
+# Enable the use of p11-kit-client.so to access CA certificates from the host
+RUN mkdir --parents /etc/pkcs11/modules
+
+# Fix empty bind-mount to clear selinuxfs (see #337)
+RUN mkdir /usr/share/empty
+
+# Add flatpak-spawn to /usr/bin
+RUN ln -s /usr/libexec/flatpak-xdg-utils/flatpak-spawn /usr/bin/
+
+# Having anything in /home prevents toolbox from symlinking /var/home there,
+# and 'ubuntu' user with UID 1000 will most likely conflict with host user as well
+RUN userdel --remove ubuntu
+
+# Disable APT ESM hook which tries to enable some systemd services on each apt invocation
+RUN rm /etc/apt/apt.conf.d/20apt-esm-hook.conf
--- a/images/ubuntu/25.04/extra-packages
+++ b/images/ubuntu/25.04/extra-packages
@ -0,0 +1,9 @@
+curl
+git
+gnupg2
+keyutils
+p11-kit-modules
+tree
+unzip
+zip
+zsh
--- a/meson.build
+++ b/meson.build
@ -1,7 +1,7 @@
 project(
  'toolbox',
  'c',
-  version: '0.0.99.6',
+  version: '0.1.2',
  license: 'ASL 2.0',
  default_options: 'c_std=c99',
  meson_version: '>= 0.58.0',
@ -23,6 +23,27 @@ bats = find_program('bats', required: false)
 codespell = find_program('codespell', required: false)
 htpasswd = find_program('htpasswd', required: false)
 openssl = find_program('openssl', required: false)
+
+p11kit_server_works = false
+p11kit = find_program('p11-kit', required: false)
+if p11kit.found()
+  res = run_command(p11kit, 'server', check: false)
+  if res.returncode() == 0
+    error('Command \'p11-kit server\' was supposed to fail')
+  endif
+
+  res_stdout = res.stdout()
+  if res_stdout.contains('--name') and res_stdout.contains('--provider')
+    p11kit_server_works = true
+  else
+    warning('Command \'p11-kit server\' doesn\'t work')
+  endif
+endif
+
+if not p11kit_server_works
+  warning('Containers won\'t have access to the CA certificates from the host')
+endif
+
 podman = find_program('podman', required: false)
 shellcheck = find_program('shellcheck', required: false)
 skopeo = find_program('skopeo', required: false)
@ -73,6 +94,7 @@ if codespell.found()
      '--exclude-file', meson.project_source_root() / '.codespellexcludefile',
      '--skip', meson.project_build_root(),
      '--skip', meson.project_source_root() / '.git',
+      '--skip', meson.project_source_root() / 'src/go.sum',
      '--skip', meson.project_source_root() / 'test/system/libs/bats-assert',
      '--skip', meson.project_source_root() / 'test/system/libs/bats-support',
      meson.project_source_root(),
--- a/playbooks/dependencies-centos-9-stream.yaml
+++ b/playbooks/dependencies-centos-9-stream.yaml
@ -2,7 +2,6 @@
  become: yes
  package:
    name:
-      - bash-completion
      - flatpak-session-helper
      - gcc
      - golang
@ -10,10 +9,10 @@
      - meson
      - ninja-build
      - openssl
+      - pkgconfig(bash-completion)
      - podman
      - shadow-utils-subid-devel
      - skopeo
-      - slirp4netns
      - systemd
      - udisks2

@ -39,6 +38,13 @@
      - codespell
      - fish

+- name: Ensure that 'p11-kit server' is absent
+  become: yes
+  package:
+    name:
+      - p11-kit-server
+    state: absent
+
 - name: Download Go modules
  command: go mod download -x
  args:
@ -55,7 +61,7 @@
    chdir: '{{ zuul.project.src_dir }}'

 - name: Check versions of crucial packages
-  command: rpm -qa ShellCheck bats codespell *kernel* gcc *glibc* golang golang-github-cpuguy83-md2man shadow-utils-subid-devel podman conmon containernetworking-plugins containers-common container-selinux crun fuse-overlayfs flatpak-session-helper skopeo slirp4netns
+  command: rpm -qa ShellCheck bash bash-completion bats codespell *kernel* gcc *glibc* golang golang-github-cpuguy83-md2man shadow-utils-subid-devel podman conmon containernetworking-plugins containers-common container-selinux crun fuse-overlayfs flatpak-session-helper skopeo

 - name: Show podman versions
  command: podman version
--- a/playbooks/dependencies-fedora-restricted.yaml
+++ b/playbooks/dependencies-fedora-restricted.yaml
@ -1,5 +1,5 @@
 #
-# Copyright © 2023 – 2024 Red Hat, Inc.
+# Copyright © 2023 – 2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -31,7 +31,6 @@
  package:
    name:
      - ShellCheck
-      - bash-completion
      - codespell
      - fish
      - flatpak-session-helper
@ -40,6 +39,7 @@
      - golang-github-cpuguy83-md2man
      - meson
      - ninja-build
+      - pkgconfig(bash-completion)
      - shadow-utils-subid-devel
      - systemd
      - udisks2
@ -47,6 +47,15 @@
    update_cache: "{{ true if zuul.attempts > 1 else false }}"
    use: "{{ 'dnf' if zuul.attempts > 1 else 'auto' }}"

+- name: Ensure that 'p11-kit server' is absent
+  become: yes
+  package:
+    name:
+      - p11-kit-server
+    state: absent
+    update_cache: "{{ true if zuul.attempts > 1 else false }}"
+    use: "{{ 'dnf' if zuul.attempts > 1 else 'auto' }}"
+
 - name: Ensure that podman(1) is absent
  become: yes
  package:
@ -81,4 +90,4 @@
    chdir: '{{ zuul.project.src_dir }}'

 - name: Check versions of crucial packages
-  command: rpm -qa ShellCheck codespell *kernel* gcc *glibc* shadow-utils-subid-devel golang golang-github-cpuguy83-md2man flatpak-session-helper
+  command: rpm -qa ShellCheck bash-completion codespell *kernel* gcc *glibc* shadow-utils-subid-devel golang golang-github-cpuguy83-md2man flatpak-session-helper
--- a/playbooks/dependencies-fedora.yaml
+++ b/playbooks/dependencies-fedora.yaml
@ -1,5 +1,5 @@
 #
-# Copyright © 2022 – 2024 Red Hat, Inc.
+# Copyright © 2022 – 2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -20,7 +20,6 @@
    update_cache: "{{ true if zuul.attempts > 1 else false }}"
    name:
      - ShellCheck
-      - bash-completion
      - bats
      - codespell
      - fish
@ -32,14 +31,23 @@
      - meson
      - ninja-build
      - openssl
+      - pkgconfig(bash-completion)
      - podman
      - shadow-utils-subid-devel
      - skopeo
-      - slirp4netns
      - systemd
      - udisks2
    use: "{{ 'dnf' if zuul.attempts > 1 else 'auto' }}"

+- name: Ensure that 'p11-kit server' is absent
+  become: yes
+  package:
+    name:
+      - p11-kit-server
+    state: absent
+    update_cache: "{{ true if zuul.attempts > 1 else false }}"
+    use: "{{ 'dnf' if zuul.attempts > 1 else 'auto' }}"
+
 - name: Download Go modules
  command: go mod download -x
  args:
@ -56,7 +64,7 @@
    chdir: '{{ zuul.project.src_dir }}'

 - name: Check versions of crucial packages
-  command: rpm -qa ShellCheck bash bats codespell *kernel* gcc *glibc* shadow-utils-subid-devel golang golang-github-cpuguy83-md2man podman conmon containernetworking-plugins containers-common container-selinux crun fuse-overlayfs flatpak-session-helper skopeo slirp4netns
+  command: rpm -qa ShellCheck bash bash-completion bats codespell *kernel* gcc *glibc* shadow-utils-subid-devel golang golang-github-cpuguy83-md2man podman conmon containernetworking-plugins containers-common container-selinux crun fuse-overlayfs flatpak-session-helper skopeo

 - name: Show podman versions
  command: podman version
--- a/playbooks/setup-env-migration-path-for-coreos-toolbox.yaml
+++ b/playbooks/setup-env-migration-path-for-coreos-toolbox.yaml
@ -20,6 +20,6 @@
    - include_tasks: dependencies-centos-9-stream.yaml

    - name: Set up build directory
-      command: meson -Dmigration_path_for_coreos_toolbox=true --fatal-meson-warnings builddir
+      command: meson -Dmigration_path_for_coreos_toolbox=true builddir
      args:
        chdir: '{{ zuul.project.src_dir }}'
--- a/playbooks/setup-env-restricted.yaml
+++ b/playbooks/setup-env-restricted.yaml
@ -20,6 +20,6 @@
    - include_tasks: dependencies-fedora-restricted.yaml

    - name: Set up build directory
-      command: meson setup --fatal-meson-warnings builddir
+      command: meson setup builddir
      args:
        chdir: '{{ zuul.project.src_dir }}'
--- a/playbooks/setup-env.yaml
+++ b/playbooks/setup-env.yaml
@ -20,6 +20,6 @@
    - include_tasks: dependencies-fedora.yaml

    - name: Set up build directory
-      command: meson setup --fatal-meson-warnings builddir
+      command: meson setup builddir
      args:
        chdir: '{{ zuul.project.src_dir }}'
--- a/playbooks/system-test-commands-options.yaml
+++ b/playbooks/system-test-commands-options.yaml
@ -22,7 +22,6 @@
    - name: Run the commands-options system tests
      command: bats --filter-tags commands-options ./test/system
      environment:
-        PODMAN: '/usr/bin/podman'
        TMPDIR: '/var/tmp'
        TOOLBX: '/usr/local/bin/toolbox'
        TOOLBX_TEST_SYSTEM_TAGS: 'arch-fedora,commands-options,custom-image,ubuntu'
--- a/playbooks/system-test-runtime-environment-arch-fedora.yaml
+++ b/playbooks/system-test-runtime-environment-arch-fedora.yaml
@ -22,7 +22,6 @@
    - name: Run the (arch-fedora,runtime-environment) system tests
      command: bats --filter-tags arch-fedora,runtime-environment ./test/system
      environment:
-        PODMAN: '/usr/bin/podman'
        TMPDIR: '/var/tmp'
        TOOLBX: '/usr/local/bin/toolbox'
        TOOLBX_TEST_SYSTEM_TAGS: 'arch-fedora,runtime-environment'
--- a/playbooks/system-test-runtime-environment-ubuntu.yaml
+++ b/playbooks/system-test-runtime-environment-ubuntu.yaml
@ -22,7 +22,6 @@
    - name: Run the (runtime-environment,ubuntu) system tests
      command: bats --filter-tags runtime-environment,ubuntu ./test/system
      environment:
-        PODMAN: '/usr/bin/podman'
        TMPDIR: '/var/tmp'
        TOOLBX: '/usr/local/bin/toolbox'
        TOOLBX_TEST_SYSTEM_TAGS: 'runtime-environment,ubuntu'
--- a/playbooks/system-test-runtime-environment.yaml
+++ b/playbooks/system-test-runtime-environment.yaml
@ -1,30 +0,0 @@
-#
-# Copyright © 2021 – 2024 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
---
- hosts: all
-  tasks:
-    - include_tasks: build.yaml
-
-    - name: Run the runtime-environment system tests
-      command: bats --filter-tags runtime-environment ./test/system
-      environment:
-        PODMAN: '/usr/bin/podman'
-        TMPDIR: '/var/tmp'
-        TOOLBX: '/usr/local/bin/toolbox'
-        TOOLBX_TEST_SYSTEM_TAGS: 'arch-fedora,runtime-environment,ubuntu'
-      args:
-        chdir: '{{ zuul.project.src_dir }}'
--- a/src/cmd/create.go
+++ b/src/cmd/create.go
@ -484,10 +484,9 @@ func createContainer(container, image, release, authFile string, showCommandToEn
 		logrus.Debugf("%s", arg)
 	}

-	s := spinner.New(spinner.CharSets[9], 500*time.Millisecond)
-	if logLevel := logrus.GetLevel(); logLevel < logrus.DebugLevel && term.IsTerminal(os.Stdout) {
+	s := spinner.New(spinner.CharSets[9], 500*time.Millisecond, spinner.WithWriterFile(os.Stdout))
+	if logLevel := logrus.GetLevel(); logLevel < logrus.DebugLevel {
 		s.Prefix = fmt.Sprintf("Creating container %s: ", container)
-		s.Writer = os.Stdout
 		s.Start()
 		defer s.Stop()
 	}
@ -734,10 +733,9 @@ func pullImage(image, release, authFile string) (bool, error) {

 	logrus.Debugf("Pulling image %s", imageFull)

-	if logLevel := logrus.GetLevel(); logLevel < logrus.DebugLevel && term.IsTerminal(os.Stdout) {
-		s := spinner.New(spinner.CharSets[9], 500*time.Millisecond)
+	if logLevel := logrus.GetLevel(); logLevel < logrus.DebugLevel {
+		s := spinner.New(spinner.CharSets[9], 500*time.Millisecond, spinner.WithWriterFile(os.Stdout))
 		s.Prefix = fmt.Sprintf("Pulling %s: ", imageFull)
-		s.Writer = os.Stdout
 		s.Start()
 		defer s.Stop()
 	}
--- a/src/cmd/initContainer.go
+++ b/src/cmd/initContainer.go
@ -1,5 +1,5 @@
 /*
- * Copyright © 2019 – 2024 Red Hat Inc.
+ * Copyright © 2019 – 2025 Red Hat Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -179,10 +179,10 @@ func initContainer(cmd *cobra.Command, args []string) error {

 	if toolbxFailEntryPoint, ok := getFailEntryPoint(); ok {
 		var builder strings.Builder
-		fmt.Fprintf(&builder, "TOOLBX_FAIL_ENTRY_POINT is set")
+		builder.WriteString("TOOLBX_FAIL_ENTRY_POINT is set")
 		if toolbxFailEntryPoint > 1 {
-			fmt.Fprintf(&builder, "\n")
-			fmt.Fprintf(&builder, "This environment variable should only be set when testing.")
+			builder.WriteString("\n")
+			builder.WriteString("This environment variable should only be set when testing.")
 		}

 		errMsg := builder.String()
@ -286,7 +286,7 @@ func initContainer(cmd *cobra.Command, args []string) error {
 			logrus.Debugf("Loading Container Device Interface for NVIDIA: file %s not found",
 				cdiFileForNvidia)
 		} else {
-			logrus.Debugf("Loading Container Device Interface for NVIDIA: failed: %s", err)
+			logrus.Debugf("Loading Container Device Interface for NVIDIA failed: %s", err)
 			return errors.New("failed to load Container Device Interface for NVIDIA")
 		}
 	}
@ -297,42 +297,16 @@ func initContainer(cmd *cobra.Command, args []string) error {
 		}
 	}

-	if utils.PathExists("/etc/krb5.conf.d") && !utils.PathExists("/etc/krb5.conf.d/kcm_default_ccache") {
-		logrus.Debug("Setting KCM as the default Kerberos credential cache")
-
-		kcmConfigString := `# Written by Toolbx
-# https://github.com/containers/toolbox
-#
-# # To disable the KCM credential cache, comment out the following lines.
-
-[libdefaults]
-    default_ccache_name = KCM:
-`
-
-		kcmConfigBytes := []byte(kcmConfigString)
-		if err := ioutil.WriteFile("/etc/krb5.conf.d/kcm_default_ccache",
-			kcmConfigBytes,
-			0644); err != nil {
-			return errors.New("failed to set KCM as the default Kerberos credential cache")
-		}
+	if err := configureKerberos(); err != nil {
+		return err
 	}

-	if utils.PathExists("/usr/lib/rpm/macros.d") {
-		logrus.Debug("Configuring RPM to ignore bind mounts")
+	if err := configurePKCS11(targetUser); err != nil {
+		return err
+	}

-		var builder strings.Builder
-		fmt.Fprintf(&builder, "# Written by Toolbx\n")
-		fmt.Fprintf(&builder, "# https://github.com/containers/toolbox\n")
-		fmt.Fprintf(&builder, "\n")
-		fmt.Fprintf(&builder, "%%_netsharedpath /dev:/media:/mnt:/proc:/sys:/tmp:/var/lib/flatpak:/var/lib/libvirt\n")
-
-		rpmConfigString := builder.String()
-		rpmConfigBytes := []byte(rpmConfigString)
-		if err := ioutil.WriteFile("/usr/lib/rpm/macros.d/macros.toolbox",
-			rpmConfigBytes,
-			0644); err != nil {
-			return fmt.Errorf("failed to configure RPM to ignore bind mounts: %w", err)
-		}
+	if err := configureRPM(); err != nil {
+		return err
 	}

 	logrus.Debug("Setting up daily ticker")
@ -362,7 +336,8 @@ func initContainer(cmd *cobra.Command, args []string) error {

 		if err := watcherForHost.Add("/run/host/etc"); err != nil {
 			if errors.Is(err, unix.ENOMEM) || errors.Is(err, unix.ENOSPC) {
-				logrus.Debugf("Setting up watches for file system events: failed to add path: %s", err)
+				logrus.Debugf("Setting up watches for file system events: failed to add path: %s",
+					err)
 			} else {
 				return fmt.Errorf("failed to add path: %w", err)
 			}
@ -371,14 +346,12 @@ func initContainer(cmd *cobra.Command, args []string) error {

 	logrus.Debug("Finished initializing container")

-	toolboxRuntimeDirectory, err := utils.GetRuntimeDirectory(targetUser)
+	pid := os.Getpid()
+	initializedStamp, err := utils.GetInitializedStamp(pid, targetUser)
 	if err != nil {
 		return err
 	}

-	pid := os.Getpid()
-	initializedStamp := fmt.Sprintf("%s/container-initialized-%d", toolboxRuntimeDirectory, pid)
-
 	logrus.Debugf("Creating initialization stamp %s", initializedStamp)

 	initializedStampFile, err := os.Create(initializedStamp)
@ -566,6 +539,113 @@ func applyCDISpecForNvidiaHookUpdateLDCache(hookArgs []string) error {
 	return nil
 }

+func configureKerberos() error {
+	const logPrefix = "Configuring Kerberos to use KCM as the default credential cache"
+	logrus.Debugf("%s", logPrefix)
+
+	if path := "/etc/krb5.conf.d"; !utils.PathExists(path) {
+		logrus.Debugf("%s: directory %s not found", logPrefix, path)
+		logrus.Debugf("%s: skipping", logPrefix)
+		return nil
+	}
+
+	if path := "/etc/krb5.conf.d/kcm_default_ccache"; utils.PathExists(path) {
+		logrus.Debugf("%s: file %s already exists", logPrefix, path)
+		logrus.Debugf("%s: skipping", logPrefix)
+		return nil
+	}
+
+	var builder strings.Builder
+	builder.WriteString("# Written by Toolbx\n")
+	builder.WriteString("# https://containertoolbx.org/\n")
+	builder.WriteString("#\n")
+	builder.WriteString("# # To disable the KCM credential cache, comment out the following lines.\n")
+	builder.WriteString("\n")
+	builder.WriteString("[libdefaults]\n")
+	builder.WriteString("    default_ccache_name = KCM:\n")
+
+	kcmConfigString := builder.String()
+	kcmConfigBytes := []byte(kcmConfigString)
+	if err := ioutil.WriteFile("/etc/krb5.conf.d/kcm_default_ccache", kcmConfigBytes, 0644); err != nil {
+		return errors.New("failed to configure Kerberos to use KCM as the default credential cache")
+	}
+
+	return nil
+}
+
+func configurePKCS11(targetUser *user.User) error {
+	const logPrefix = "Configuring PKCS #11 to read from the host"
+	logrus.Debugf("%s", logPrefix)
+
+	if path := "/etc/pkcs11/modules"; !utils.PathExists(path) {
+		logrus.Debugf("%s: directory %s not found", logPrefix, path)
+		logrus.Debugf("%s: skipping", logPrefix)
+		return nil
+	}
+
+	if ok, err := utils.IsP11KitClientPresent(); err != nil {
+		logrus.Debugf("%s: %s", logPrefix, err)
+
+		if !ok {
+			logrus.Debugf("%s: p11-kit-client.so not found", logPrefix)
+			logrus.Debugf("%s: skipping", logPrefix)
+			return nil
+		}
+	} else {
+		if !ok {
+			logrus.Debugf("%s: p11-kit-client.so not found", logPrefix)
+			logrus.Debugf("%s: skipping", logPrefix)
+			return nil
+		}
+	}
+
+	if path, err := utils.GetP11KitServerSocket(targetUser); err != nil {
+		return err
+	} else if !utils.PathExists(path) {
+		logrus.Debugf("%s: socket %s not found", logPrefix, path)
+		logrus.Debugf("%s: skipping", logPrefix)
+		return nil
+	}
+
+	var builder strings.Builder
+	builder.WriteString("# Written by Toolbx\n")
+	builder.WriteString("# https://containertoolbx.org/\n")
+	builder.WriteString("\n")
+	builder.WriteString("module: p11-kit-client.so\n")
+
+	pkcs11ConfigString := builder.String()
+	pkcs11ConfigBytes := []byte(pkcs11ConfigString)
+	if err := renameio.WriteFile("/etc/pkcs11/modules/p11-kit-trust.module",
+		pkcs11ConfigBytes,
+		0644); err != nil {
+		return fmt.Errorf("failed to configure PKCS #11 to read from the host: %w", err)
+	}
+
+	return nil
+}
+
+func configureRPM() error {
+	if !utils.PathExists("/usr/lib/rpm/macros.d") {
+		return nil
+	}
+
+	logrus.Debug("Configuring RPM to ignore bind mounts")
+
+	var builder strings.Builder
+	builder.WriteString("# Written by Toolbx\n")
+	builder.WriteString("# https://containertoolbx.org/\n")
+	builder.WriteString("\n")
+	builder.WriteString("%_netsharedpath /dev:/media:/mnt:/proc:/sys:/tmp:/var/lib/flatpak:/var/lib/libvirt\n")
+
+	rpmConfigString := builder.String()
+	rpmConfigBytes := []byte(rpmConfigString)
+	if err := ioutil.WriteFile("/usr/lib/rpm/macros.d/macros.toolbox", rpmConfigBytes, 0644); err != nil {
+		return fmt.Errorf("failed to configure RPM to ignore bind mounts: %w", err)
+	}
+
+	return nil
+}
+
 func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShell string, homeLink bool) error {
 	if homeLink {
 		if err := redirectPath("/home", "/var/home", true); err != nil {
@ -627,7 +707,7 @@ func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShe
 	var stderr strings.Builder
 	if err := shell.Run("passwd", nil, nil, &stderr, "--delete", "root"); err != nil {
 		errString := stderr.String()
-		logrus.Debugf("Removing password for user root: failed: %s", errString)
+		logrus.Debugf("Removing password for user root failed: %s", errString)
 		return fmt.Errorf("failed to remove password for root: %w", err)
 	}

@ -735,7 +815,8 @@ func ldConfig(configFileBase string, dirs []string) error {
 			dirConfigBytes := []byte(dirConfigString)
 			configFile := filepath.Join("/etc/ld.so.conf.d", configFileBase)
 			if err := renameio.WriteFile(configFile, dirConfigBytes, 0644); err != nil {
-				logrus.Debugf("Updating dynamic linker cache: failed to update configuration: %s", err)
+				logrus.Debugf("Updating dynamic linker cache: failed to update configuration: %s",
+					err)
 				return errors.New("failed to update dynamic linker cache configuration")
 			}
 		}
@ -745,7 +826,7 @@ func ldConfig(configFileBase string, dirs []string) error {
 	}

 	if err := shell.Run("ldconfig", nil, nil, nil, args...); err != nil {
-		logrus.Debugf("Updating dynamic linker cache: failed: %s", err)
+		logrus.Debugf("Updating dynamic linker cache failed: %s", err)
 		return errors.New("failed to update dynamic linker cache")
 	}

@ -786,7 +867,7 @@ func mountBind(containerPath, source, flags string) error {
 		if err := os.MkdirAll(containerPath, 0755); err != nil {
 			return fmt.Errorf("failed to create directory %s: %w", containerPath, err)
 		}
-	} else if fileMode.IsRegular() {
+	} else if fileMode.IsRegular() || fileMode&os.ModeSocket != 0 {
 		logrus.Debugf("Creating regular file %s", containerPath)

 		containerPathDir := filepath.Dir(containerPath)
--- a/src/cmd/root.go
+++ b/src/cmd/root.go
@ -1,5 +1,5 @@
 /*
- * Copyright © 2019 – 2024 Red Hat Inc.
+ * Copyright © 2019 – 2025 Red Hat Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -263,25 +263,34 @@ func migrate(cmd *cobra.Command, args []string) error {

 	migrateLock := toolboxRuntimeDirectory + "/migrate.lock"

-	migrateLockFile, err := os.Create(migrateLock)
+	migrateLockFile, err := utils.Flock(migrateLock, syscall.LOCK_EX)
 	if err != nil {
-		logrus.Debugf("Migrating to newer Podman: failed to create migration lock file %s: %s", migrateLock, err)
-		return errors.New("failed to create migration lock file")
+		logrus.Debugf("Migrating to newer Podman: %s", err)
+
+		var errFlock *utils.FlockError
+
+		if errors.As(err, &errFlock) {
+			if errors.Is(err, utils.ErrFlockAcquire) {
+				err = utils.ErrFlockAcquire
+			} else if errors.Is(err, utils.ErrFlockCreate) {
+				err = utils.ErrFlockCreate
+			} else {
+				panicMsg := fmt.Sprintf("unexpected %T: %s", err, err)
+				panic(panicMsg)
+			}
+		}
+
+		return err
 	}

 	defer migrateLockFile.Close()

-	migrateLockFD := migrateLockFile.Fd()
-	migrateLockFDInt := int(migrateLockFD)
-	if err := syscall.Flock(migrateLockFDInt, syscall.LOCK_EX); err != nil {
-		logrus.Debugf("Migrating to newer Podman: failed to acquire migration lock on %s: %s", migrateLock, err)
-		return errors.New("failed to acquire migration lock")
-	}
-
 	stampBytes, err := ioutil.ReadFile(stampPath)
 	if err != nil {
-		if !os.IsNotExist(err) {
-			logrus.Debugf("Migrating to newer Podman: failed to read migration stamp file %s: %s", stampPath, err)
+		if !errors.Is(err, os.ErrNotExist) {
+			logrus.Debugf("Migrating to newer Podman: failed to read migration stamp file %s: %s",
+				stampPath,
+				err)
 			return errors.New("failed to read migration stamp file")
 		}
 	} else {
@ -291,9 +300,7 @@ func migrate(cmd *cobra.Command, args []string) error {
 			logrus.Debugf("Old Podman version is %s", podmanVersionOld)

 			if podmanVersion == podmanVersionOld {
-				logrus.Debugf("Migration not needed: Podman version %s is unchanged",
-					podmanVersion)
-
+				logrus.Debugf("Migration not needed: Podman version %s is unchanged", podmanVersion)
 				return nil
 			}

--- a/src/cmd/rootMigrationPath.go
+++ b/src/cmd/rootMigrationPath.go
@ -1,5 +1,5 @@
 //
-// Copyright © 2021 – 2024 Red Hat Inc.
+// Copyright © 2021 – 2025 Red Hat Inc.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -21,7 +21,6 @@ package cmd

 import (
 	"errors"
-	"fmt"
 	"os"
 	"strings"

@ -32,9 +31,9 @@ import (
 func preRunIsCoreOSBug() error {
 	if containerType := os.Getenv("container"); containerType == "" {
 		var builder strings.Builder
-		fmt.Fprintf(&builder, "/run/.containerenv found on what looks like the host\n")
-		fmt.Fprintf(&builder, "If this is the host, then remove /run/.containerenv and try again.\n")
-		fmt.Fprintf(&builder, "Otherwise, contact your system administrator or file a bug.")
+		builder.WriteString("/run/.containerenv found on what looks like the host\n")
+		builder.WriteString("If this is the host, then remove /run/.containerenv and try again.\n")
+		builder.WriteString("Otherwise, contact your system administrator or file a bug.")

 		errMsg := builder.String()
 		return errors.New(errMsg)
--- a/src/cmd/run.go
+++ b/src/cmd/run.go
@ -1,5 +1,5 @@
 /*
- * Copyright © 2019 – 2024 Red Hat Inc.
+ * Copyright © 2019 – 2025 Red Hat Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -27,6 +27,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"syscall"
 	"time"

 	"github.com/containers/toolbox/pkg/nvidia"
@ -271,8 +272,8 @@ func runCommand(container string,
 	if err != nil {
 		if errors.Is(err, nvidia.ErrNVMLDriverLibraryVersionMismatch) {
 			var builder strings.Builder
-			fmt.Fprintf(&builder, "the proprietary NVIDIA driver's kernel and user space don't match\n")
-			fmt.Fprintf(&builder, "Check the host operating system and systemd journal.")
+			builder.WriteString("the proprietary NVIDIA driver's kernel and user space don't match\n")
+			builder.WriteString("Check the host operating system and systemd journal.")

 			errMsg := builder.String()
 			return errors.New(errMsg)
@ -283,6 +284,11 @@ func runCommand(container string,
 		cdiEnviron = append(cdiEnviron, cdiSpecForNvidia.ContainerEdits.Env...)
 	}

+	p11KitServerEnviron, err := startP11KitServer()
+	if err != nil {
+		return err
+	}
+
 	startContainerTimestamp := time.Unix(-1, 0)

 	if entryPointPID <= 0 {
@ -335,10 +341,11 @@ func runCommand(container string,

 	logrus.Debugf("Container %s is initialized", container)

+	environ := append(cdiEnviron, p11KitServerEnviron...)
 	if err := runCommandWithFallbacks(container,
 		preserveFDs,
 		command,
-		cdiEnviron,
+		environ,
 		emitEscapeSequence,
 		fallbackToBash); err != nil {
 		return err
@ -592,13 +599,11 @@ func constructExecArgs(container, preserveFDs string,
 }

 func ensureContainerIsInitialized(container string, entryPointPID int, timestamp time.Time) error {
-	toolboxRuntimeDirectory, err := utils.GetRuntimeDirectory(currentUser)
+	initializedStamp, err := utils.GetInitializedStamp(entryPointPID, currentUser)
 	if err != nil {
 		return err
 	}

-	initializedStampBase := fmt.Sprintf("container-initialized-%d", entryPointPID)
-	initializedStamp := filepath.Join(toolboxRuntimeDirectory, initializedStampBase)
 	logrus.Debugf("Checking if initialization stamp %s exists", initializedStamp)

 	shouldUsePolling := isUsePollingSet()
@ -629,7 +634,9 @@ func ensureContainerIsInitialized(container string, entryPointPID int, timestamp
 		var err error
 		watcherForStamp, err = fsnotify.NewWatcher()
 		if err != nil {
-			if errors.Is(err, unix.EMFILE) || errors.Is(err, unix.ENFILE) || errors.Is(err, unix.ENOMEM) {
+			if errors.Is(err, unix.EMFILE) ||
+				errors.Is(err, unix.ENFILE) ||
+				errors.Is(err, unix.ENOMEM) {
 				logrus.Debugf("Setting up watches for file system events: failed to create Watcher: %s",
 					err)
 				logrus.Debug("Using polling instead")
@ -646,9 +653,15 @@ func ensureContainerIsInitialized(container string, entryPointPID int, timestamp
 	if watcherForStamp != nil {
 		defer watcherForStamp.Close()

+		toolboxRuntimeDirectory, err := utils.GetRuntimeDirectory(currentUser)
+		if err != nil {
+			return err
+		}
+
 		if err := watcherForStamp.Add(toolboxRuntimeDirectory); err != nil {
 			if errors.Is(err, unix.ENOMEM) || errors.Is(err, unix.ENOSPC) {
-				logrus.Debugf("Setting up watches for file system events: failed to add path: %s", err)
+				logrus.Debugf("Setting up watches for file system events: failed to add path: %s",
+					err)
 				logrus.Debug("Using polling instead")
 				fallbackToPolling = true
 			} else {
@ -736,7 +749,9 @@ func ensureContainerIsInitialized(container string, entryPointPID int, timestamp
 	// code should not be reached
 }

-func followEntryPointLogsAsync(ctx context.Context, container string, since time.Time) (<-chan string, <-chan error) {
+func followEntryPointLogsAsync(ctx context.Context, container string, since time.Time) (
+	<-chan string, <-chan error,
+) {
 	reader, writer := io.Pipe()
 	retValCh := make(chan string)
 	errCh := make(chan error)
@ -923,7 +938,9 @@ func showEntryPointLog(line string) error {
 				var err error
 				logLevel, err = logrus.ParseLevel(valueString)
 				if err != nil {
-					logrus.Debugf("Parsing entry point log-level %s failed: %s", valueString, err)
+					logrus.Debugf("Parsing entry point log-level %s failed: %s",
+						valueString,
+						err)
 					logLevel = logrus.DebugLevel
 				}
 			case "msg":
@ -1023,6 +1040,68 @@ func startContainer(container string) error {
 	return nil
 }

+func startP11KitServer() ([]string, error) {
+	serverSocket, err := utils.GetP11KitServerSocket(currentUser)
+	if err != nil {
+		return nil, err
+	}
+
+	const logPrefix = "Starting 'p11-kit server'"
+	logrus.Debugf("%s with socket %s", logPrefix, serverSocket)
+
+	serverSocketLock, err := utils.GetP11KitServerSocketLock(currentUser)
+	if err != nil {
+		return nil, err
+	}
+
+	serverSocketLockFile, err := utils.Flock(serverSocketLock, syscall.LOCK_EX)
+	if err != nil {
+		logrus.Debugf("%s: %s", logPrefix, err)
+
+		var errFlock *utils.FlockError
+
+		if errors.As(err, &errFlock) {
+			if errors.Is(err, utils.ErrFlockAcquire) {
+				err = utils.ErrFlockAcquire
+			} else if errors.Is(err, utils.ErrFlockCreate) {
+				err = utils.ErrFlockCreate
+			} else {
+				panicMsg := fmt.Sprintf("unexpected %T: %s", err, err)
+				panic(panicMsg)
+			}
+		}
+
+		return nil, err
+	}
+
+	defer serverSocketLockFile.Close()
+
+	serverSocketAddress := fmt.Sprintf("P11_KIT_SERVER_ADDRESS=unix:path=%s", serverSocket)
+	serverEnviron := []string{
+		serverSocketAddress,
+	}
+
+	if utils.PathExists(serverSocket) {
+		logrus.Debugf("%s: socket %s already exists", logPrefix, serverSocket)
+		logrus.Debugf("%s: skipping", logPrefix)
+		return serverEnviron, nil
+	}
+
+	serverArgs := []string{
+		"server",
+		"--name", serverSocket,
+		"--provider", "p11-kit-trust.so",
+		"pkcs11:model=p11-kit-trust?write-protected=yes",
+	}
+
+	if err := shell.Run("p11-kit", nil, nil, nil, serverArgs...); err != nil {
+		logrus.Debugf("%s failed: %s", logPrefix, err)
+		return nil, nil
+	}
+
+	return serverEnviron, nil
+}
+
 func (err *entryPointError) Error() string {
 	return err.msg
 }
--- a/src/cmd/utils.go
+++ b/src/cmd/utils.go
@ -1,5 +1,5 @@
 /*
- * Copyright © 2020 – 2024 Red Hat Inc.
+ * Copyright © 2020 – 2025 Red Hat Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -343,9 +343,9 @@ func getCDIFileForNvidia(targetUser *user.User) (string, error) {

 func getUsageForCommonCommands() string {
 	var builder strings.Builder
-	fmt.Fprintf(&builder, "create    Create a new Toolbx container\n")
-	fmt.Fprintf(&builder, "enter     Enter an existing Toolbx container\n")
-	fmt.Fprintf(&builder, "list      List all existing Toolbx containers and images\n")
+	builder.WriteString("create    Create a new Toolbx container\n")
+	builder.WriteString("enter     Enter an existing Toolbx container\n")
+	builder.WriteString("list      List all existing Toolbx containers and images\n")

 	usage := builder.String()
 	return usage
@ -475,7 +475,7 @@ func showManual(manual string) error {
 			fmt.Printf("%s", usage)

 			fmt.Printf("\n")
-			fmt.Printf("Go to https://github.com/containers/toolbox for further information.\n")
+			fmt.Printf("Go to https://containertoolbx.org/ for further information.\n")
 			return nil
 		}

--- a/src/go.mod
+++ b/src/go.mod
@ -1,52 +1,53 @@
 module github.com/containers/toolbox

-go 1.20
+go 1.22.0

 require (
 	github.com/HarryMichal/go-version v1.0.1
-	github.com/NVIDIA/go-nvlib v0.6.1
-	github.com/NVIDIA/go-nvml v0.12.4-0
-	github.com/NVIDIA/nvidia-container-toolkit v1.16.1
+	github.com/NVIDIA/go-nvlib v0.7.1
+	github.com/NVIDIA/go-nvml v0.12.4-1
+	github.com/NVIDIA/nvidia-container-toolkit v1.17.5
 	github.com/acobaugh/osrelease v0.1.0
-	github.com/briandowns/spinner v1.18.0
+	github.com/briandowns/spinner v1.23.2
 	github.com/docker/go-units v0.5.0
-	github.com/fsnotify/fsnotify v1.7.0
+	github.com/fsnotify/fsnotify v1.8.0
 	github.com/go-logfmt/logfmt v0.5.0
 	github.com/godbus/dbus/v5 v5.0.6
 	github.com/google/renameio/v2 v2.0.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.3.0
-	github.com/spf13/viper v1.10.1
-	github.com/stretchr/testify v1.9.0
-	golang.org/x/sys v0.22.0
-	tags.cncf.io/container-device-interface v0.8.0
+	github.com/spf13/viper v1.20.1
+	github.com/stretchr/testify v1.10.0
+	golang.org/x/sys v0.29.0
+	tags.cncf.io/container-device-interface v0.8.1
 	tags.cncf.io/container-device-interface/specs-go v0.8.0
 )

 require (
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/fatih/color v1.13.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/fatih/color v1.14.1 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/magiconair/properties v1.8.5 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
-	github.com/mitchellh/mapstructure v1.4.3 // indirect
-	github.com/opencontainers/runtime-spec v1.2.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/opencontainers/runtime-spec v1.2.1 // indirect
 	github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 // indirect
-	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
-	github.com/spf13/afero v1.6.0 // indirect
-	github.com/spf13/cast v1.4.1 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.12.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
-	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/text v0.3.8 // indirect
-	gopkg.in/ini.v1 v1.66.2 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
+	golang.org/x/mod v0.20.0 // indirect
+	golang.org/x/term v0.1.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
--- a/src/go.sum
+++ b/src/go.sum
@ -51,12 +51,12 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/HarryMichal/go-version v1.0.1 h1:Vgk1dPyHckkoUu0AED900+yO43+uwDuiNPsdpYe63KE=
 github.com/HarryMichal/go-version v1.0.1/go.mod h1:UNoJ+GvCcmwu0F9Mu1u5y56lP5rWksgkiwLlGx3r+Pk=
-github.com/NVIDIA/go-nvlib v0.6.1 h1:0/5FvaKvDJoJeJ+LFlh+NDQMxMlVw9wOXrOVrGXttfE=
-github.com/NVIDIA/go-nvlib v0.6.1/go.mod h1:9UrsLGx/q1OrENygXjOuM5Ey5KCtiZhbvBlbUIxtGWY=
-github.com/NVIDIA/go-nvml v0.12.4-0 h1:4tkbB3pT1O77JGr0gQ6uD8FrsUPqP1A/EOEm2wI1TUg=
-github.com/NVIDIA/go-nvml v0.12.4-0/go.mod h1:8Llmj+1Rr+9VGGwZuRer5N/aCjxGuR5nPb/9ebBiIEQ=
-github.com/NVIDIA/nvidia-container-toolkit v1.16.1 h1:PkY6RqYD1wIt1izCvYZ7kr7IitxK8e9+k/prO6b3vD0=
-github.com/NVIDIA/nvidia-container-toolkit v1.16.1/go.mod h1:jJXYvHEdqqpDcRXvolaiFCBsgLxvCwmJWSBZM3zQPY8=
+github.com/NVIDIA/go-nvlib v0.7.1 h1:7HHPZxoCjSLm1NgaRRjuhI8ffMCpc5Vgpg5yxQYUff8=
+github.com/NVIDIA/go-nvlib v0.7.1/go.mod h1:2Kh2kYSP5IJ8EKf0/SYDzHiQKb9EJkwOf2LQzu6pXzY=
+github.com/NVIDIA/go-nvml v0.12.4-1 h1:WKUvqshhWSNTfm47ETRhv0A0zJyr1ncCuHiXwoTrBEc=
+github.com/NVIDIA/go-nvml v0.12.4-1/go.mod h1:8Llmj+1Rr+9VGGwZuRer5N/aCjxGuR5nPb/9ebBiIEQ=
+github.com/NVIDIA/nvidia-container-toolkit v1.17.5 h1:aIE12dFRAG4xAp00vHoh9O1JL8onuldwMrX/GNSZy9Q=
+github.com/NVIDIA/nvidia-container-toolkit v1.17.5/go.mod h1:UQcbm+GRu+Dwmeyqtwq2HDa57Xq82zzQsmUusidtndM=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/acobaugh/osrelease v0.1.0 h1:Yb59HQDGGNhCj4suHaFQQfBps5wyoKLSSX/J/+UifRE=
 github.com/acobaugh/osrelease v0.1.0/go.mod h1:4bFEs0MtgHNHBrmHCt67gNisnabCRAlzdVasCEGHTWY=
@ -76,8 +76,8 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
-github.com/briandowns/spinner v1.18.0 h1:SJs0maNOs4FqhBwiJ3Gr7Z1D39/rukIVGQvpNZVHVcM=
-github.com/briandowns/spinner v1.18.0/go.mod h1:QOuQk7x+EaDASo80FEXwlwiA+j/PPIcX3FScO+3/ZPQ=
+github.com/briandowns/spinner v1.23.2 h1:Zc6ecUnI+YzLmJniCfDNaMbW0Wid1d5+qcTq4L2FW8w=
+github.com/briandowns/spinner v1.23.2/go.mod h1:LaZeM4wm2Ywy6vO571mvhQNRcWfRUnXOs0RcKV0wYKM=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
@ -103,8 +103,9 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@ -120,11 +121,14 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
-github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
+github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w=
+github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@ -136,6 +140,8 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V
 github.com/go-logfmt/logfmt v0.5.0 h1:TrB8swr/68K7m9CcGut2g3UOihhbcbiMAYiuTXdEih4=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
+github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro=
 github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@ -187,6 +193,8 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@ -222,6 +230,7 @@ github.com/hashicorp/consul/api v1.11.0/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/
 github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
@ -243,7 +252,6 @@ github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
-github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY=
@ -272,26 +280,29 @@ github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFB
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w=
-github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
-github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
 github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
+github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
@ -301,7 +312,6 @@ github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrk
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.4.3 h1:OVowDSCllw/YjdLkam3/sm7wEtOy59d8ndGgCcyj8cs=
 github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@ -312,22 +322,23 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
-github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
+github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:DmNGcqH3WDbV5k8OJ+esPWbqUOX5rMLR2PMvziDMJi0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
+github.com/opencontainers/selinux v1.9.1 h1:b4VPEF3O5JLZgdTDBmGepaaIbAo0GqoF6EBRq5f/g3Y=
 github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
-github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
-github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@ -349,27 +360,33 @@ github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig=
+github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo=
+github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
+github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
-github.com/spf13/afero v1.6.0 h1:xoax2sJ2DT8S8xA2paPFjDCScCNeWsg75VG0DLRreiY=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
-github.com/spf13/cast v1.4.1 h1:s0hze+J0196ZfEMTs80N7UlFt0BDuQ7Q+JDnHiMWKdA=
+github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
+github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
 github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
+github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v1.3.0 h1:R7cSvGu+Vv+qX0gW5R/85dx2kmmJT5z5NM8ifdYjdn0=
 github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4=
-github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM=
-github.com/spf13/viper v1.10.1 h1:nuJZuYpG7gTj/XqiUwg8bA0cp1+M2mC3J4g5luUYBKk=
-github.com/spf13/viper v1.10.1/go.mod h1:IGlFPqhNAPKRxohIzWpI5QEy4kuI7tcl5WvR+8qy1rU=
+github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
+github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
@ -378,16 +395,18 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
+github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
+github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
@ -409,7 +428,11 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
+go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
+go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@ -457,8 +480,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
-golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
+golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -595,9 +618,12 @@ golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
-golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
+golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -607,8 +633,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@ -818,8 +844,8 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/ini.v1 v1.66.2 h1:XfR1dOYubytKy4Shzc2LHrrGhU0lDCfDGG1yLPmpgsI=
 gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@ -845,7 +871,7 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
-tags.cncf.io/container-device-interface v0.8.0 h1:8bCFo/g9WODjWx3m6EYl3GfUG31eKJbaggyBDxEldRc=
-tags.cncf.io/container-device-interface v0.8.0/go.mod h1:Apb7N4VdILW0EVdEMRYXIDVRZfNJZ+kmEUss2kRRQ6Y=
+tags.cncf.io/container-device-interface v0.8.1 h1:c0jN4Mt6781jD67NdPajmZlD1qrqQyov/Xfoab37lj0=
+tags.cncf.io/container-device-interface v0.8.1/go.mod h1:Apb7N4VdILW0EVdEMRYXIDVRZfNJZ+kmEUss2kRRQ6Y=
 tags.cncf.io/container-device-interface/specs-go v0.8.0 h1:QYGFzGxvYK/ZLMrjhvY0RjpUavIn4KcmRmVP/JjdBTA=
 tags.cncf.io/container-device-interface/specs-go v0.8.0/go.mod h1:BhJIkjjPh4qpys+qm4DAYtUyryaTDg9zris+AczXyws=
--- a/src/meson.build
+++ b/src/meson.build
@ -31,7 +31,10 @@ sources = files(
  'pkg/term/term.go',
  'pkg/term/term_test.go',
  'pkg/utils/libsubid-wrappers.c',
+  'pkg/utils/arch.go',
  'pkg/utils/errors.go',
+  'pkg/utils/fedora.go',
+  'pkg/utils/rhel.go',
  'pkg/utils/utils.go',
  'pkg/utils/utils_cgo.go',
  'pkg/utils/utils_test.go',
--- a/src/pkg/nvidia/nvidia.go
+++ b/src/pkg/nvidia/nvidia.go
@ -1,5 +1,5 @@
 /*
- * Copyright © 2024 Red Hat Inc.
+ * Copyright © 2024 – 2025 Red Hat Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -68,7 +68,10 @@ func GenerateCDISpec() (*specs.Spec, error) {
 			logrus.Debugf("Generating Container Device Interface for NVIDIA: failed to initialize NVML: %s",
 				err)

-			if err == nvml.ERROR_LIB_RM_VERSION_MISMATCH {
+			if err == nvml.ERROR_DRIVER_NOT_LOADED {
+				logrus.Debug("Generating Container Device Interface for NVIDIA: skipping")
+				return nil, ErrPlatformUnsupported
+			} else if err == nvml.ERROR_LIB_RM_VERSION_MISMATCH {
 				return nil, ErrNVMLDriverLibraryVersionMismatch
 			} else {
 				return nil, errors.New("failed to initialize NVIDIA Management Library")
@ -96,7 +99,10 @@ func GenerateCDISpec() (*specs.Spec, error) {
 		return nil, ErrPlatformUnsupported
 	}

-	cdi, err := nvcdi.New(nvcdi.WithInfoLib(info), nvcdi.WithLogger(logger), nvcdi.WithNvmlLib(nvmLib))
+	cdi, err := nvcdi.New(nvcdi.WithDisabledHook(nvcdi.HookEnableCudaCompat),
+		nvcdi.WithInfoLib(info),
+		nvcdi.WithLogger(logger),
+		nvcdi.WithNvmlLib(nvmLib))
 	if err != nil {
 		logrus.Debugf("Generating Container Device Interface for NVIDIA: failed to create library: %s", err)
 		return nil, errors.New("failed to create Container Device Interface library for NVIDIA")
--- a/src/pkg/utils/arch.go
+++ b/src/pkg/utils/arch.go
@ -0,0 +1,39 @@
+/*
+ * Copyright © 2023 – 2025 Red Hat Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package utils
+
+func getDefaultReleaseArch() (string, error) {
+	return "latest", nil
+}
+
+func getFullyQualifiedImageArch(image, release string) string {
+	imageFull := "quay.io/toolbx/" + image
+	return imageFull
+}
+
+func getP11KitClientPathsArch() []string {
+	paths := []string{"/usr/lib/pkcs11/p11-kit-client.so"}
+	return paths
+}
+
+func parseReleaseArch(release string) (string, error) {
+	if release != "latest" && release != "rolling" && release != "" {
+		return "", &ParseReleaseError{"The release must be 'latest'."}
+	}
+
+	return "latest", nil
+}
--- a/src/pkg/utils/errors.go
+++ b/src/pkg/utils/errors.go
@ -1,5 +1,5 @@
 /*
- * Copyright © 2022 – 2024 Red Hat Inc.
+ * Copyright © 2022 – 2025 Red Hat Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -31,6 +31,12 @@ type DistroError struct {
 	Err    error
 }

+type FlockError struct {
+	Path      string
+	Errs      []error
+	errSuffix string
+}
+
 type ImageError struct {
 	Image string
 	Err   error
@ -58,6 +64,25 @@ func (err *DistroError) Unwrap() error {
 	return err.Err
 }

+func (err *FlockError) Error() string {
+	if err.Errs == nil || len(err.Errs) != 2 {
+		panicMsg := fmt.Sprintf("invalid %T", err)
+		panic(panicMsg)
+	}
+
+	errSuffix := " "
+	if err.errSuffix != "" {
+		errSuffix = fmt.Sprintf(" %s ", err.errSuffix)
+	}
+
+	errMsg := fmt.Sprintf("%s%s%s: %s", err.Errs[0], errSuffix, err.Path, err.Errs[1])
+	return errMsg
+}
+
+func (err *FlockError) Unwrap() []error {
+	return err.Errs
+}
+
 func (err *ImageError) Error() string {
 	errMsg := fmt.Sprintf("%s: %s", err.Image, err.Err)
 	return errMsg
--- a/src/pkg/utils/fedora.go
+++ b/src/pkg/utils/fedora.go
@ -0,0 +1,61 @@
+/*
+ * Copyright © 2021 – 2025 Red Hat Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package utils
+
+import (
+	"strconv"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+)
+
+func getDefaultReleaseFedora() (string, error) {
+	release, err := getHostVersionID()
+	if err != nil {
+		return "", err
+	}
+
+	return release, nil
+}
+
+func getFullyQualifiedImageFedora(image, release string) string {
+	imageFull := "registry.fedoraproject.org/" + image
+	return imageFull
+}
+
+func getP11KitClientPathsFedora() []string {
+	paths := []string{"/usr/lib64/pkcs11/p11-kit-client.so"}
+	return paths
+}
+
+func parseReleaseFedora(release string) (string, error) {
+	if strings.HasPrefix(release, "F") || strings.HasPrefix(release, "f") {
+		release = release[1:]
+	}
+
+	releaseN, err := strconv.Atoi(release)
+	if err != nil {
+		logrus.Debugf("Parsing release %s as an integer failed: %s", release, err)
+		return "", &ParseReleaseError{"The release must be a positive integer."}
+	}
+
+	if releaseN <= 0 {
+		return "", &ParseReleaseError{"The release must be a positive integer."}
+	}
+
+	return release, nil
+}
--- a/src/pkg/utils/rhel.go
+++ b/src/pkg/utils/rhel.go
@ -0,0 +1,69 @@
+/*
+ * Copyright © 2021 – 2025 Red Hat Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package utils
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+)
+
+func getDefaultReleaseRHEL() (string, error) {
+	release, err := getHostVersionID()
+	if err != nil {
+		return "", err
+	}
+
+	return release, nil
+}
+
+func getFullyQualifiedImageRHEL(image, release string) string {
+	i := strings.IndexRune(release, '.')
+	if i == -1 {
+		panicMsg := fmt.Sprintf("release %s not in '<major>.<minor>' format", release)
+		panic(panicMsg)
+	}
+
+	releaseMajor := release[:i]
+	imageFull := "registry.access.redhat.com/ubi" + releaseMajor + "/" + image
+	return imageFull
+}
+
+func getP11KitClientPathsRHEL() []string {
+	paths := []string{"/usr/lib64/pkcs11/p11-kit-client.so"}
+	return paths
+}
+
+func parseReleaseRHEL(release string) (string, error) {
+	if i := strings.IndexRune(release, '.'); i == -1 {
+		return "", &ParseReleaseError{"The release must be in the '<major>.<minor>' format."}
+	}
+
+	releaseN, err := strconv.ParseFloat(release, 32)
+	if err != nil {
+		logrus.Debugf("Parsing release %s as a float failed: %s", release, err)
+		return "", &ParseReleaseError{"The release must be in the '<major>.<minor>' format."}
+	}
+
+	if releaseN <= 0 {
+		return "", &ParseReleaseError{"The release must be a positive number."}
+	}
+
+	return release, nil
+}
--- a/src/pkg/utils/ubuntu.go
+++ b/src/pkg/utils/ubuntu.go
@ -0,0 +1,91 @@
+/*
+ * Copyright © 2023 – 2025 Red Hat Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package utils
+
+import (
+	"strconv"
+	"strings"
+	"unicode/utf8"
+
+	"github.com/sirupsen/logrus"
+)
+
+func getDefaultReleaseUbuntu() (string, error) {
+	release, err := getHostVersionID()
+	if err != nil {
+		return "", err
+	}
+
+	return release, nil
+}
+
+func getFullyQualifiedImageUbuntu(image, release string) string {
+	imageFull := "quay.io/toolbx/" + image
+	return imageFull
+}
+
+func getP11KitClientPathsUbuntu() []string {
+	paths := []string{
+		"/usr/lib/aarch64-linux-gnu/pkcs11/p11-kit-client.so",
+		"/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so",
+	}
+
+	return paths
+}
+
+func parseReleaseUbuntu(release string) (string, error) {
+	releaseParts := strings.Split(release, ".")
+	if len(releaseParts) != 2 {
+		return "", &ParseReleaseError{"The release must be in the 'YY.MM' format."}
+	}
+
+	releaseYear, err := strconv.Atoi(releaseParts[0])
+	if err != nil {
+		logrus.Debugf("Parsing release year %s as an integer failed: %s", releaseParts[0], err)
+		return "", &ParseReleaseError{"The release must be in the 'YY.MM' format."}
+	}
+
+	if releaseYear < 4 {
+		return "", &ParseReleaseError{"The release year must be 4 or more."}
+	}
+
+	releaseYearLen := utf8.RuneCountInString(releaseParts[0])
+	if releaseYearLen > 2 {
+		return "", &ParseReleaseError{"The release year cannot have more than two digits."}
+	} else if releaseYear < 10 && releaseYearLen == 2 {
+		return "", &ParseReleaseError{"The release year cannot have a leading zero."}
+	}
+
+	releaseMonth, err := strconv.Atoi(releaseParts[1])
+	if err != nil {
+		logrus.Debugf("Parsing release month %s as an integer failed: %s", releaseParts[1], err)
+		return "", &ParseReleaseError{"The release must be in the 'YY.MM' format."}
+	}
+
+	if releaseMonth < 1 {
+		return "", &ParseReleaseError{"The release month must be between 01 and 12."}
+	} else if releaseMonth > 12 {
+		return "", &ParseReleaseError{"The release month must be between 01 and 12."}
+	}
+
+	releaseMonthLen := utf8.RuneCountInString(releaseParts[1])
+	if releaseMonthLen != 2 {
+		return "", &ParseReleaseError{"The release month must have two digits."}
+	}
+
+	return release, nil
+}
--- a/src/pkg/utils/utils.go
+++ b/src/pkg/utils/utils.go
@ -1,5 +1,5 @@
 /*
- * Copyright © 2019 – 2024 Red Hat Inc.
+ * Copyright © 2019 – 2025 Red Hat Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -28,7 +28,6 @@ import (
 	"strings"
 	"syscall"
 	"time"
-	"unicode/utf8"

 	"github.com/acobaugh/osrelease"
 	"github.com/containers/toolbox/pkg/shell"
@ -41,6 +40,7 @@ import (

 type GetDefaultReleaseFunc func() (string, error)
 type GetFullyQualifiedImageFunc func(string, string) string
+type GetP11KitClientPathsFunc func() []string
 type ParseReleaseFunc func(string) (string, error)

 type Distro struct {
@ -49,6 +49,7 @@ type Distro struct {
 	ReleaseRequired        bool
 	GetDefaultRelease      GetDefaultReleaseFunc
 	GetFullyQualifiedImage GetFullyQualifiedImageFunc
+	GetP11KitClientPaths   GetP11KitClientPathsFunc
 	ParseRelease           ParseReleaseFunc
 }

@ -64,7 +65,7 @@ const (
 	containerNamePrefixFallback = "fedora-toolbox"
 	distroFallback              = "fedora"
 	idTruncLength               = 12
-	releaseFallback             = "38"
+	releaseFallback             = "42"
 )

 const (
@ -116,6 +117,8 @@ var (

 	releaseDefault string

+	runtimeDirectories map[string]string
+
 	supportedDistros = map[string]Distro{
 		"arch": {
 			"arch-toolbox",
@ -123,6 +126,7 @@ var (
 			false,
 			getDefaultReleaseArch,
 			getFullyQualifiedImageArch,
+			getP11KitClientPathsArch,
 			parseReleaseArch,
 		},
 		"fedora": {
@ -131,6 +135,7 @@ var (
 			true,
 			getDefaultReleaseFedora,
 			getFullyQualifiedImageFedora,
+			getP11KitClientPathsFedora,
 			parseReleaseFedora,
 		},
 		"rhel": {
@ -139,6 +144,7 @@ var (
 			true,
 			getDefaultReleaseRHEL,
 			getFullyQualifiedImageRHEL,
+			getP11KitClientPathsRHEL,
 			parseReleaseRHEL,
 		},
 		"ubuntu": {
@ -147,6 +153,7 @@ var (
 			true,
 			getDefaultReleaseUbuntu,
 			getFullyQualifiedImageUbuntu,
+			getP11KitClientPathsUbuntu,
 			parseReleaseUbuntu,
 		},
 	}
@ -163,6 +170,10 @@ var (

 	ErrDistroWithoutRelease = errors.New("non-default distribution must specify release")

+	ErrFlockAcquire = errors.New("failed to acquire lock")
+
+	ErrFlockCreate = errors.New("failed to create lock file")
+
 	ErrImageWithoutBasename = errors.New("image does not have a basename")
 )

@ -171,7 +182,7 @@ func init() {
 	distroDefault = distroFallback
 	releaseDefault = releaseFallback

-	hostID, err := GetHostID()
+	hostID, err := getHostID()
 	if err == nil {
 		if distroObj, supportedDistro := supportedDistros[hostID]; supportedDistro {
 			release, err := getDefaultReleaseForDistro(hostID)
@ -226,6 +237,23 @@ func EnsureXdgRuntimeDirIsSet(uid int) {
 	}
 }

+func Flock(path string, how int) (*os.File, error) {
+	file, err := os.Create(path)
+	if err != nil {
+		errs := []error{ErrFlockCreate, err}
+		return nil, &FlockError{Path: path, Errs: errs}
+	}
+
+	fd := file.Fd()
+	fdInt := int(fd)
+	if err := syscall.Flock(fdInt, how); err != nil {
+		errs := []error{ErrFlockAcquire, err}
+		return nil, &FlockError{Path: path, Errs: errs, errSuffix: "on"}
+	}
+
+	return file, nil
+}
+
 func ForwardToHost() (int, error) {
 	envOptions := GetEnvOptionsForPreservedVariables()
 	toolboxPath := os.Getenv("TOOLBOX_PATH")
@ -326,37 +354,6 @@ func getDefaultReleaseForDistro(distro string) (string, error) {
 	return release, nil
 }

-func getDefaultReleaseArch() (string, error) {
-	return "latest", nil
-}
-
-func getDefaultReleaseFedora() (string, error) {
-	release, err := getHostVersionID()
-	if err != nil {
-		return "", err
-	}
-
-	return release, nil
-}
-
-func getDefaultReleaseRHEL() (string, error) {
-	release, err := getHostVersionID()
-	if err != nil {
-		return "", err
-	}
-
-	return release, nil
-}
-
-func getDefaultReleaseUbuntu() (string, error) {
-	release, err := getHostVersionID()
-	if err != nil {
-		return "", err
-	}
-
-	return release, nil
-}
-
 func GetEnvOptionsForPreservedVariables() []string {
 	logrus.Debug("Creating list of environment variables to forward")

@ -417,33 +414,6 @@ func GetFullyQualifiedImageFromDistros(image, release string) (string, error) {
 	return "", fmt.Errorf("failed to resolve image %s", image)
 }

-func getFullyQualifiedImageArch(image, release string) string {
-	imageFull := "quay.io/toolbx/" + image
-	return imageFull
-}
-
-func getFullyQualifiedImageFedora(image, release string) string {
-	imageFull := "registry.fedoraproject.org/" + image
-	return imageFull
-}
-
-func getFullyQualifiedImageRHEL(image, release string) string {
-	i := strings.IndexRune(release, '.')
-	if i == -1 {
-		panicMsg := fmt.Sprintf("release %s not in '<major>.<minor>' format", release)
-		panic(panicMsg)
-	}
-
-	releaseMajor := release[:i]
-	imageFull := "registry.access.redhat.com/ubi" + releaseMajor + "/" + image
-	return imageFull
-}
-
-func getFullyQualifiedImageUbuntu(image, release string) string {
-	imageFull := "quay.io/toolbx/" + image
-	return imageFull
-}
-
 // GetGroupForSudo returns the name of the sudoers group.
 //
 // Some distros call it 'sudo' (eg. Ubuntu) and some call it 'wheel' (eg. Fedora).
@ -462,11 +432,11 @@ func GetGroupForSudo() (string, error) {
 	return "", errors.New("group for sudo not found")
 }

-// GetHostID returns the ID from the os-release files
+// getHostID returns the ID from the os-release files
 //
 // Examples:
 // - host is Fedora, returned string is 'fedora'
-func GetHostID() (string, error) {
+func getHostID() (string, error) {
 	osRelease, err := osrelease.Read()
 	if err != nil {
 		return "", err
@ -475,19 +445,6 @@ func GetHostID() (string, error) {
 	return osRelease["ID"], nil
 }

-// GetHostVariantID returns the VARIANT_ID from the os-release files
-//
-// Examples:
-// - host is Fedora Workstation, returned string is 'workstation'
-func GetHostVariantID() (string, error) {
-	osRelease, err := osrelease.Read()
-	if err != nil {
-		return "", err
-	}
-
-	return osRelease["VARIANT_ID"], nil
-}
-
 // getHostVersionID returns the VERSION_ID from the os-release files
 //
 // Examples:
@ -501,6 +458,17 @@ func getHostVersionID() (string, error) {
 	return osRelease["VERSION_ID"], nil
 }

+func GetInitializedStamp(entryPointPID int, targetUser *user.User) (string, error) {
+	toolbxRuntimeDirectory, err := GetRuntimeDirectory(targetUser)
+	if err != nil {
+		return "", err
+	}
+
+	initializedStampBase := fmt.Sprintf("container-initialized-%d", entryPointPID)
+	initializedStamp := filepath.Join(toolbxRuntimeDirectory, initializedStampBase)
+	return initializedStamp, nil
+}
+
 // GetMountPoint returns the mount point of a target.
 func GetMountPoint(target string) (string, error) {
 	var stdout strings.Builder
@ -535,7 +503,35 @@ func GetMountOptions(target string) (string, error) {
 	return mountOptions, nil
 }

+func GetP11KitServerSocket(targetUser *user.User) (string, error) {
+	toolbxRuntimeDirectory, err := GetRuntimeDirectory(targetUser)
+	if err != nil {
+		return "", err
+	}
+
+	p11KitServerSocket := filepath.Join(toolbxRuntimeDirectory, "pkcs11")
+	return p11KitServerSocket, nil
+}
+
+func GetP11KitServerSocketLock(targetUser *user.User) (string, error) {
+	toolbxRuntimeDirectory, err := GetRuntimeDirectory(targetUser)
+	if err != nil {
+		return "", err
+	}
+
+	p11KitServerSocketLock := filepath.Join(toolbxRuntimeDirectory, "pkcs11.lock")
+	return p11KitServerSocketLock, nil
+}
+
 func GetRuntimeDirectory(targetUser *user.User) (string, error) {
+	if runtimeDirectories == nil {
+		runtimeDirectories = make(map[string]string)
+	}
+
+	if toolboxRuntimeDirectory, ok := runtimeDirectories[targetUser.Uid]; ok {
+		return toolboxRuntimeDirectory, nil
+	}
+
 	gid, err := strconv.Atoi(targetUser.Gid)
 	if err != nil {
 		return "", fmt.Errorf("failed to convert group ID to integer: %w", err)
@ -568,6 +564,7 @@ func GetRuntimeDirectory(targetUser *user.User) (string, error) {
 		return "", wrappedErr
 	}

+	runtimeDirectories[targetUser.Uid] = toolboxRuntimeDirectory
 	return toolboxRuntimeDirectory, nil
 }

@ -659,6 +656,39 @@ func ImageReferenceHasDomain(image string) bool {
 	return true
 }

+func IsP11KitClientPresent() (bool, error) {
+	var p11KitClientPaths []string
+	var supportedDistro bool
+
+	hostID, err := getHostID()
+	if err == nil {
+		distroObj, ok := supportedDistros[hostID]
+		supportedDistro = ok
+		if supportedDistro {
+			p11KitClientPaths = distroObj.GetP11KitClientPaths()
+		}
+	}
+
+	if !supportedDistro {
+		if err == nil {
+			err = fmt.Errorf("failed to find %s in the list of supported distributions", hostID)
+		}
+
+		for _, distroObj := range supportedDistros {
+			paths := distroObj.GetP11KitClientPaths()
+			p11KitClientPaths = append(p11KitClientPaths, paths...)
+		}
+	}
+
+	for _, path := range p11KitClientPaths {
+		if PathExists(path) {
+			return true, err
+		}
+	}
+
+	return false, err
+}
+
 func SetUpConfiguration() error {
 	logrus.Debug("Setting up configuration")

@ -686,7 +716,7 @@ func SetUpConfiguration() error {
 			var errConfigFileNotFound viper.ConfigFileNotFoundError
 			var errConfigParse viper.ConfigParseError

-			if errors.As(err, &errConfigFileNotFound) || os.IsNotExist(err) {
+			if errors.As(err, &errConfigFileNotFound) || errors.Is(err, os.ErrNotExist) {
 				logrus.Debugf("Setting up configuration: file %s not found", configFile)
 				continue
 			} else if errors.As(err, &errConfigParse) {
@ -734,96 +764,9 @@ func parseRelease(distro, release string) (string, error) {
 	return release, err
 }

-func parseReleaseArch(release string) (string, error) {
-	if release != "latest" && release != "rolling" && release != "" {
-		return "", &ParseReleaseError{"The release must be 'latest'."}
-	}
-
-	return "latest", nil
-}
-
-func parseReleaseFedora(release string) (string, error) {
-	if strings.HasPrefix(release, "F") || strings.HasPrefix(release, "f") {
-		release = release[1:]
-	}
-
-	releaseN, err := strconv.Atoi(release)
-	if err != nil {
-		logrus.Debugf("Parsing release %s as an integer failed: %s", release, err)
-		return "", &ParseReleaseError{"The release must be a positive integer."}
-	}
-
-	if releaseN <= 0 {
-		return "", &ParseReleaseError{"The release must be a positive integer."}
-	}
-
-	return release, nil
-}
-
-func parseReleaseRHEL(release string) (string, error) {
-	if i := strings.IndexRune(release, '.'); i == -1 {
-		return "", &ParseReleaseError{"The release must be in the '<major>.<minor>' format."}
-	}
-
-	releaseN, err := strconv.ParseFloat(release, 32)
-	if err != nil {
-		logrus.Debugf("Parsing release %s as a float failed: %s", release, err)
-		return "", &ParseReleaseError{"The release must be in the '<major>.<minor>' format."}
-	}
-
-	if releaseN <= 0 {
-		return "", &ParseReleaseError{"The release must be a positive number."}
-	}
-
-	return release, nil
-}
-
-func parseReleaseUbuntu(release string) (string, error) {
-	releaseParts := strings.Split(release, ".")
-	if len(releaseParts) != 2 {
-		return "", &ParseReleaseError{"The release must be in the 'YY.MM' format."}
-	}
-
-	releaseYear, err := strconv.Atoi(releaseParts[0])
-	if err != nil {
-		logrus.Debugf("Parsing release year %s as an integer failed: %s", releaseParts[0], err)
-		return "", &ParseReleaseError{"The release must be in the 'YY.MM' format."}
-	}
-
-	if releaseYear < 4 {
-		return "", &ParseReleaseError{"The release year must be 4 or more."}
-	}
-
-	releaseYearLen := utf8.RuneCountInString(releaseParts[0])
-	if releaseYearLen > 2 {
-		return "", &ParseReleaseError{"The release year cannot have more than two digits."}
-	} else if releaseYear < 10 && releaseYearLen == 2 {
-		return "", &ParseReleaseError{"The release year cannot have a leading zero."}
-	}
-
-	releaseMonth, err := strconv.Atoi(releaseParts[1])
-	if err != nil {
-		logrus.Debugf("Parsing release month %s as an integer failed: %s", releaseParts[1], err)
-		return "", &ParseReleaseError{"The release must be in the 'YY.MM' format."}
-	}
-
-	if releaseMonth < 1 {
-		return "", &ParseReleaseError{"The release month must be between 01 and 12."}
-	} else if releaseMonth > 12 {
-		return "", &ParseReleaseError{"The release month must be between 01 and 12."}
-	}
-
-	releaseMonthLen := utf8.RuneCountInString(releaseParts[1])
-	if releaseMonthLen != 2 {
-		return "", &ParseReleaseError{"The release month must have two digits."}
-	}
-
-	return release, nil
-}
-
 // PathExists wraps around os.Stat providing a nice interface for checking an existence of a path.
 func PathExists(path string) bool {
-	if _, err := os.Stat(path); !os.IsNotExist(err) {
+	if _, err := os.Stat(path); !errors.Is(err, os.ErrNotExist) {
 		return true
 	}

--- a/src/pkg/utils/utils_test.go
+++ b/src/pkg/utils/utils_test.go
@ -1,5 +1,5 @@
 /*
- * Copyright © 2021 – 2024 Red Hat Inc.
+ * Copyright © 2021 – 2025 Red Hat Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -17,6 +17,7 @@
 package utils

 import (
+	"os"
 	"testing"

 	"github.com/stretchr/testify/assert"
@ -361,3 +362,14 @@ func TestParseRelease(t *testing.T) {
 		})
 	}
 }
+
+func TestPathExists(t *testing.T) {
+	path, err := os.Executable()
+	assert.NoError(t, err)
+	exists := PathExists(path)
+	assert.True(t, exists)
+
+	path = "/does/not/exist"
+	exists = PathExists(path)
+	assert.False(t, exists)
+}
--- a/test/system/002-help.bats
+++ b/test/system/002-help.bats
@ -1,6 +1,6 @@
 # shellcheck shell=bats
 #
-# Copyright © 2020 – 2024 Red Hat, Inc.
+# Copyright © 2020 – 2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -21,13 +21,16 @@ load 'libs/bats-support/load'
 load 'libs/bats-assert/load'
 load 'libs/helpers.bash'

-setup() {
+setup_file() {
  bats_require_minimum_version 1.10.0
  _setup_environment
  cleanup_all
+  pushd "$HOME" || return 1
+  create_default_container
 }

-teardown() {
+teardown_file() {
+  popd || return 1
  cleanup_all
 }

@ -73,7 +76,7 @@ teardown() {
  assert_line --index 3 "create    Create a new Toolbx container"
  assert_line --index 4 "enter     Enter an existing Toolbx container"
  assert_line --index 5 "list      List all existing Toolbx containers and images"
-  assert_line --index 7 "Go to https://github.com/containers/toolbox for further information."
+  assert_line --index 7 "Go to https://containertoolbx.org/ for further information."
  assert [ ${#lines[@]} -eq 8 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]
 }
@ -106,7 +109,7 @@ teardown() {
  assert_line --index 3 "create    Create a new Toolbx container"
  assert_line --index 4 "enter     Enter an existing Toolbx container"
  assert_line --index 5 "list      List all existing Toolbx containers and images"
-  assert_line --index 7 "Go to https://github.com/containers/toolbox for further information."
+  assert_line --index 7 "Go to https://containertoolbx.org/ for further information."
  assert [ ${#lines[@]} -eq 8 ]

  # shellcheck disable=SC2154
@ -125,8 +128,6 @@ teardown() {
 }

@test "help: Try unknown command (forwarded to host)" {
-  create_default_container
-
  run -1 --keep-empty-lines --separate-stderr "$TOOLBX" run toolbox foo

  assert_failure
@ -149,8 +150,6 @@ teardown() {
 }

@test "help: Try unknown flag (forwarded to host)" {
-  create_default_container
-
  run -1 --keep-empty-lines --separate-stderr "$TOOLBX" run toolbox --foo

  assert_failure
@ -173,8 +172,6 @@ teardown() {
 }

@test "help: Try 'create' with unknown flag (forwarded to host)" {
-  create_default_container
-
  run -1 --keep-empty-lines --separate-stderr "$TOOLBX" run toolbox create --foo

  assert_failure
@ -197,8 +194,6 @@ teardown() {
 }

@test "help: Try 'enter' with unknown flag (forwarded to host)" {
-  create_default_container
-
  run -1 --keep-empty-lines --separate-stderr "$TOOLBX" run toolbox enter --foo

  assert_failure
@ -221,8 +216,6 @@ teardown() {
 }

@test "help: Try 'help' with unknown flag (forwarded to host)" {
-  create_default_container
-
  run -1 --keep-empty-lines --separate-stderr "$TOOLBX" run toolbox help --foo

  assert_failure
@ -245,8 +238,6 @@ teardown() {
 }

@test "help: Try 'init-container' with unknown flag (forwarded to host)" {
-  create_default_container
-
  run -1 --keep-empty-lines --separate-stderr "$TOOLBX" run toolbox init-container --foo

  assert_failure
@ -269,8 +260,6 @@ teardown() {
 }

@test "help: Try 'list' with unknown flag (forwarded to host)" {
-  create_default_container
-
  run -1 --keep-empty-lines --separate-stderr "$TOOLBX" run toolbox list --foo

  assert_failure
@ -293,8 +282,6 @@ teardown() {
 }

@test "help: Try 'rm' with unknown flag (forwarded to host)" {
-  create_default_container
-
  run -1 --keep-empty-lines --separate-stderr "$TOOLBX" run toolbox rm --foo

  assert_failure
@ -317,8 +304,6 @@ teardown() {
 }

@test "help: Try 'rmi' with unknown flag (forwarded to host)" {
-  create_default_container
-
  run -1 --keep-empty-lines --separate-stderr "$TOOLBX" run toolbox rmi --foo

  assert_failure
@ -341,8 +326,6 @@ teardown() {
 }

@test "help: Try 'run' with unknown flag (forwarded to host)" {
-  create_default_container
-
  run -1 --keep-empty-lines --separate-stderr "$TOOLBX" run toolbox run --foo

  assert_failure
--- a/test/system/101-create.bats
+++ b/test/system/101-create.bats
--- a/test/system/102-list.bats
+++ b/test/system/102-list.bats
@ -373,8 +373,11 @@ teardown() {
  local default_image
  default_image="$(get_default_image)"

+  local system_id
+  system_id="$(get_system_id)"
+
  local default_container
-  default_container="$(get_system_id)-toolbox-$(get_system_version)"
+  default_container="$system_id-toolbox-$(get_system_version)"

  # Pull the two images
  pull_default_image
@ -393,8 +396,17 @@ teardown() {
  run --keep-empty-lines --separate-stderr "$TOOLBX" list --images

  assert_success
-  assert_line --index 1 --partial "registry.fedoraproject.org/fedora-toolbox:34"
-  assert_line --index 2 --partial "$default_image"
+
+  if [ "$system_id" = "fedora" ]; then
+    assert_line --index 1 --partial "registry.fedoraproject.org/fedora-toolbox:34"
+    assert_line --index 2 --partial "$default_image"
+  elif [ "$system_id" = "arch" ] || [ "$system_id" = "ubuntu" ]; then
+    assert_line --index 1 --partial "$default_image"
+    assert_line --index 2 --partial "registry.fedoraproject.org/fedora-toolbox:34"
+  else
+    fail "Define output for $system_id"
+  fi
+
  assert [ ${#lines[@]} -eq 3 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]

@ -402,9 +414,19 @@ teardown() {
  run --keep-empty-lines --separate-stderr "$TOOLBX" list --containers

  assert_success
-  assert_line --index 1 --partial "$default_container"
-  assert_line --index 2 --partial "non-default-one"
-  assert_line --index 3 --partial "non-default-two"
+
+  if [ "$system_id" = "arch" ] || [ "$system_id" = "fedora" ]; then
+    assert_line --index 1 --partial "$default_container"
+    assert_line --index 2 --partial "non-default-one"
+    assert_line --index 3 --partial "non-default-two"
+  elif [ "$system_id" = "ubuntu" ]; then
+    assert_line --index 1 --partial "non-default-one"
+    assert_line --index 2 --partial "non-default-two"
+    assert_line --index 3 --partial "$default_container"
+  else
+    fail "Define output for $system_id"
+  fi
+
  assert [ ${#lines[@]} -eq 4 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]

@ -412,11 +434,29 @@ teardown() {
  run --keep-empty-lines --separate-stderr "$TOOLBX" list

  assert_success
-  assert_line --index 1 --partial "registry.fedoraproject.org/fedora-toolbox:34"
-  assert_line --index 2 --partial "$default_image"
-  assert_line --index 5 --partial "$default_container"
-  assert_line --index 6 --partial "non-default-one"
-  assert_line --index 7 --partial "non-default-two"
+
+  if [ "$system_id" = "fedora" ]; then
+    assert_line --index 1 --partial "registry.fedoraproject.org/fedora-toolbox:34"
+    assert_line --index 2 --partial "$default_image"
+  elif [ "$system_id" = "arch" ] || [ "$system_id" = "ubuntu" ]; then
+    assert_line --index 1 --partial "$default_image"
+    assert_line --index 2 --partial "registry.fedoraproject.org/fedora-toolbox:34"
+  else
+    fail "Define output for $system_id"
+  fi
+
+  if [ "$system_id" = "arch" ] || [ "$system_id" = "fedora" ]; then
+    assert_line --index 5 --partial "$default_container"
+    assert_line --index 6 --partial "non-default-one"
+    assert_line --index 7 --partial "non-default-two"
+  elif [ "$system_id" = "ubuntu" ]; then
+    assert_line --index 5 --partial "non-default-one"
+    assert_line --index 6 --partial "non-default-two"
+    assert_line --index 7 --partial "$default_container"
+  else
+    fail "Define output for $system_id"
+  fi
+
  assert [ ${#lines[@]} -eq 8 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]
 }
@ -425,6 +465,9 @@ teardown() {
  local default_image
  default_image="$(get_default_image)"

+  local system_id
+  system_id="$(get_system_id)"
+
  pull_default_image
  pull_distro_image fedora 34
  build_image_without_name >/dev/null
@ -437,8 +480,17 @@ teardown() {

  assert_success
  assert_line --index 1 --partial "<none>"
-  assert_line --index 2 --partial "registry.fedoraproject.org/fedora-toolbox:34"
-  assert_line --index 3 --partial "$default_image"
+
+  if [ "$system_id" = "fedora" ]; then
+    assert_line --index 2 --partial "registry.fedoraproject.org/fedora-toolbox:34"
+    assert_line --index 3 --partial "$default_image"
+  elif [ "$system_id" = "arch" ] || [ "$system_id" = "ubuntu" ]; then
+    assert_line --index 2 --partial "$default_image"
+    assert_line --index 3 --partial "registry.fedoraproject.org/fedora-toolbox:34"
+  else
+    fail "Define output for $system_id"
+  fi
+
  assert [ ${#lines[@]} -eq 4 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]
 }
@ -447,6 +499,9 @@ teardown() {
  local default_image
  default_image="$(get_default_image)"

+  local system_id
+  system_id="$(get_system_id)"
+
  pull_default_image
  pull_distro_image fedora 34
  build_image_without_name >/dev/null
@ -455,8 +510,17 @@ teardown() {

  assert_success
  assert_line --index 1 --partial "<none>"
-  assert_line --index 2 --partial "registry.fedoraproject.org/fedora-toolbox:34"
-  assert_line --index 3 --partial "$default_image"
+
+  if [ "$system_id" = "fedora" ]; then
+    assert_line --index 2 --partial "registry.fedoraproject.org/fedora-toolbox:34"
+    assert_line --index 3 --partial "$default_image"
+  elif [ "$system_id" = "arch" ] || [ "$system_id" = "ubuntu" ]; then
+    assert_line --index 2 --partial "$default_image"
+    assert_line --index 3 --partial "registry.fedoraproject.org/fedora-toolbox:34"
+  else
+    fail "Define output for $system_id"
+  fi
+
  assert [ ${#lines[@]} -eq 4 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]
 }
@ -471,7 +535,7 @@ teardown() {
  num_of_images="$(list_images)"
  assert_equal "$num_of_images" 1

-  $PODMAN create --name busybox-container "$busybox_image"
+  podman create --name busybox-container "$busybox_image"

  local num_of_containers
  num_of_containers="$(list_containers)"
@ -494,7 +558,7 @@ teardown() {
  num_of_images="$(list_images)"
  assert_equal "$num_of_images" 1

-  $PODMAN create --name busybox-container "$busybox_image"
+  podman create --name busybox-container "$busybox_image"

  local num_of_containers
  num_of_containers="$(list_containers)"
@ -517,7 +581,7 @@ teardown() {
  num_of_images="$(list_images)"
  assert_equal "$num_of_images" 1

-  $PODMAN create --name busybox-container "$busybox_image"
+  podman create --name busybox-container "$busybox_image"

  local num_of_containers
  num_of_containers="$(list_containers)"
--- a/test/system/103-container.bats
+++ b/test/system/103-container.bats
@ -50,16 +50,16 @@ teardown() {
 }

@test "container(Fedora Rawhide): Containers with supported versions start without issues" {
+  if ! is_fedora_rawhide; then
+    skip "This test is only for Fedora Rawhide"
+  fi
+
  local system_id
  system_id="$(get_system_id)"

  local system_version
  system_version="$(get_system_version)"

-  if ! is_fedora_rawhide; then
-    skip "This test is only for Fedora Rawhide"
-  fi
-
  create_distro_container "$system_id" "$system_version" latest
  run container_started latest
  assert_success
--- a/test/system/104-run.bats
+++ b/test/system/104-run.bats
@ -842,11 +842,11 @@ teardown() {

  local container="ancient"

-  run "$PODMAN" create --name "$container" "$default_image" true
+  run podman create --name "$container" "$default_image" true

  assert_success

-  run $PODMAN ps --all
+  run podman ps --all

  assert_success
  assert_output --regexp "Created[[:blank:]]+$container"
--- a/test/system/203-network.bats
+++ b/test/system/203-network.bats
@ -1,6 +1,6 @@
 # shellcheck shell=bats
 #
-# Copyright © 2023 – 2024 Red Hat, Inc.
+# Copyright © 2023 – 2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -33,14 +33,30 @@ print(addr)'
 readonly RESOLVER_SH='resolvectl --legend false --no-pager --type "$0" query "$1" \
                      | cut --delimiter " " --fields 4'

-setup() {
+setup_file() {
  bats_require_minimum_version 1.10.0
  _setup_environment
  cleanup_all
  pushd "$HOME" || return 1
+
+  if echo "$TOOLBX_TEST_SYSTEM_TAGS" | grep "arch" >/dev/null 2>/dev/null; then
+    create_distro_container arch latest arch-toolbox-latest
+  fi
+
+  if echo "$TOOLBX_TEST_SYSTEM_TAGS" | grep "fedora" >/dev/null 2>/dev/null; then
+    create_default_container
+    create_distro_container fedora 34 fedora-toolbox-34
+    create_distro_container rhel 8.10 rhel-toolbox-8.10
+  fi
+
+  if echo "$TOOLBX_TEST_SYSTEM_TAGS" | grep "ubuntu" >/dev/null 2>/dev/null; then
+    create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
+    create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
+    create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
+  fi
 }

-teardown() {
+teardown_file() {
  popd || return 1
  cleanup_all
 }
@ -50,8 +66,6 @@ teardown() {
  local ns_host
  ns_host=$(readlink /proc/$$/ns/net)

-  create_default_container
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run sh -c 'readlink /proc/$$/ns/net'

  assert_success
@ -64,12 +78,16 @@ teardown() {

 # bats test_tags=arch-fedora
@test "network: /etc/resolv.conf inside the default container" {
-  create_default_container
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run readlink /etc/resolv.conf

  assert_success
-  assert_line --index 0 "/run/host/etc/resolv.conf"
+
+  if [ "${lines[0]}" = "/run/host/run/systemd/resolve/stub-resolv.conf" ]; then
+    skip "host has absolute symlink"
+  else
+    assert_line --index 0 "/run/host/etc/resolv.conf"
+  fi
+
  assert [ ${#lines[@]} -eq 1 ]

  # shellcheck disable=SC2154
@ -78,12 +96,16 @@ teardown() {

 # bats test_tags=arch-fedora
@test "network: /etc/resolv.conf inside Arch Linux" {
-  create_distro_container arch latest arch-toolbox-latest
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro arch readlink /etc/resolv.conf

  assert_success
-  assert_line --index 0 "/run/host/etc/resolv.conf"
+
+  if [ "${lines[0]}" = "/run/host/run/systemd/resolve/stub-resolv.conf" ]; then
+    skip "host has absolute symlink"
+  else
+    assert_line --index 0 "/run/host/etc/resolv.conf"
+  fi
+
  assert [ ${#lines[@]} -eq 1 ]

  # shellcheck disable=SC2154
@ -92,12 +114,16 @@ teardown() {

 # bats test_tags=arch-fedora
@test "network: /etc/resolv.conf inside Fedora 34" {
-  create_distro_container fedora 34 fedora-toolbox-34
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro fedora --release 34 readlink /etc/resolv.conf

  assert_success
-  assert_line --index 0 "/run/host/etc/resolv.conf"
+
+  if [ "${lines[0]}" = "/run/host/run/systemd/resolve/stub-resolv.conf" ]; then
+    skip "host has absolute symlink"
+  else
+    assert_line --index 0 "/run/host/etc/resolv.conf"
+  fi
+
  assert [ ${#lines[@]} -eq 1 ]

  # shellcheck disable=SC2154
@ -106,12 +132,16 @@ teardown() {

 # bats test_tags=arch-fedora
@test "network: /etc/resolv.conf inside RHEL 8.10" {
-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro rhel --release 8.10 readlink /etc/resolv.conf

  assert_success
-  assert_line --index 0 "/run/host/etc/resolv.conf"
+
+  if [ "${lines[0]}" = "/run/host/run/systemd/resolve/stub-resolv.conf" ]; then
+    skip "host has absolute symlink"
+  else
+    assert_line --index 0 "/run/host/etc/resolv.conf"
+  fi
+
  assert [ ${#lines[@]} -eq 1 ]

  # shellcheck disable=SC2154
@ -120,12 +150,16 @@ teardown() {

 # bats test_tags=ubuntu
@test "network: /etc/resolv.conf inside Ubuntu 16.04" {
-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 16.04 readlink /etc/resolv.conf

  assert_success
-  assert_line --index 0 "/run/host/etc/resolv.conf"
+
+  if [ "${lines[0]}" = "/run/host/run/systemd/resolve/stub-resolv.conf" ]; then
+    skip "host has absolute symlink"
+  else
+    assert_line --index 0 "/run/host/etc/resolv.conf"
+  fi
+
  assert [ ${#lines[@]} -eq 1 ]

  # shellcheck disable=SC2154
@ -134,12 +168,16 @@ teardown() {

 # bats test_tags=ubuntu
@test "network: /etc/resolv.conf inside Ubuntu 18.04" {
-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 18.04 readlink /etc/resolv.conf

  assert_success
-  assert_line --index 0 "/run/host/etc/resolv.conf"
+
+  if [ "${lines[0]}" = "/run/host/run/systemd/resolve/stub-resolv.conf" ]; then
+    skip "host has absolute symlink"
+  else
+    assert_line --index 0 "/run/host/etc/resolv.conf"
+  fi
+
  assert [ ${#lines[@]} -eq 1 ]

  # shellcheck disable=SC2154
@ -148,12 +186,16 @@ teardown() {

 # bats test_tags=ubuntu
@test "network: /etc/resolv.conf inside Ubuntu 20.04" {
-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 20.04 readlink /etc/resolv.conf

  assert_success
-  assert_line --index 0 "/run/host/etc/resolv.conf"
+
+  if [ "${lines[0]}" = "/run/host/run/systemd/resolve/stub-resolv.conf" ]; then
+    skip "host has absolute symlink"
+  else
+    assert_line --index 0 "/run/host/etc/resolv.conf"
+  fi
+
  assert [ ${#lines[@]} -eq 1 ]

  # shellcheck disable=SC2154
@ -178,8 +220,6 @@ teardown() {
    skip "DNS not working on host"
  fi

-  create_default_container
-
  if ! $ipv4_skip; then
    run --keep-empty-lines --separate-stderr "$TOOLBX" run python3 -c "$RESOLVER_PYTHON3" A k.root-servers.net

@ -217,8 +257,6 @@ teardown() {
    skip "DNS not working on host"
  fi

-  create_distro_container arch latest arch-toolbox-latest
-
  if ! $ipv4_skip; then
    run --keep-empty-lines --separate-stderr "$TOOLBX" run \
      --distro arch \
@ -260,8 +298,6 @@ teardown() {
    skip "DNS not working on host"
  fi

-  create_distro_container fedora 34 fedora-toolbox-34
-
  if ! $ipv4_skip; then
    run --keep-empty-lines --separate-stderr "$TOOLBX" run \
      --distro fedora \
@ -305,8 +341,6 @@ teardown() {
    skip "DNS not working on host"
  fi

-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  if ! $ipv4_skip; then
    run --keep-empty-lines --separate-stderr "$TOOLBX" run \
      --distro rhel \
@ -350,8 +384,6 @@ teardown() {
    skip "DNS not working on host"
  fi

-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  if ! $ipv4_skip; then
    run --keep-empty-lines --separate-stderr "$TOOLBX" run \
      --distro ubuntu \
@ -395,8 +427,6 @@ teardown() {
    skip "DNS not working on host"
  fi

-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  if ! $ipv4_skip; then
    run --keep-empty-lines --separate-stderr "$TOOLBX" run \
      --distro ubuntu \
@ -440,8 +470,6 @@ teardown() {
    skip "DNS not working on host"
  fi

-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  if ! $ipv4_skip; then
    run --keep-empty-lines --separate-stderr "$TOOLBX" run \
      --distro ubuntu \
@ -469,8 +497,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "network: ping(8) inside the default container" {
-  create_default_container
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run ping -c 2 f.root-servers.net

  if [ "$status" -eq 1 ]; then
@ -486,8 +512,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "network: ping(8) inside Arch Linux" {
-  create_distro_container arch latest arch-toolbox-latest
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro arch ping -c 2 f.root-servers.net

  if [ "$status" -eq 1 ]; then
@ -503,8 +527,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "network: ping(8) inside Fedora 34" {
-  create_distro_container fedora 34 fedora-toolbox-34
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro fedora --release 34 ping -c 2 f.root-servers.net

  if [ "$status" -eq 1 ]; then
@ -520,8 +542,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "network: ping(8) inside RHEL 8.10" {
-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro rhel --release 8.10 ping -c 2 f.root-servers.net

  if [ "$status" -eq 1 ]; then
@ -537,8 +557,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "network: ping(8) inside Ubuntu 16.04" {
-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  run -2 --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 16.04 ping -c 2 f.root-servers.net

  assert_failure
@ -552,8 +570,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "network: ping(8) inside Ubuntu 18.04" {
-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 18.04 ping -c 2 f.root-servers.net

  if [ "$status" -eq 1 ]; then
@ -569,8 +585,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "network: ping(8) inside Ubuntu 20.04" {
-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 20.04 ping -c 2 f.root-servers.net

  if [ "$status" -eq 1 ]; then
--- a/test/system/206-user.bats
+++ b/test/system/206-user.bats
@ -1,6 +1,6 @@
 # shellcheck shell=bats
 #
-# Copyright © 2023 – 2024 Red Hat, Inc.
+# Copyright © 2023 – 2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -21,14 +21,30 @@ load 'libs/bats-support/load'
 load 'libs/bats-assert/load'
 load 'libs/helpers'

-setup() {
+setup_file() {
  bats_require_minimum_version 1.10.0
  _setup_environment
  cleanup_all
  pushd "$HOME" || return 1
+
+  if echo "$TOOLBX_TEST_SYSTEM_TAGS" | grep "arch" >/dev/null 2>/dev/null; then
+    create_distro_container arch latest arch-toolbox-latest
+  fi
+
+  if echo "$TOOLBX_TEST_SYSTEM_TAGS" | grep "fedora" >/dev/null 2>/dev/null; then
+    create_default_container
+    create_distro_container fedora 34 fedora-toolbox-34
+    create_distro_container rhel 8.10 rhel-toolbox-8.10
+  fi
+
+  if echo "$TOOLBX_TEST_SYSTEM_TAGS" | grep "ubuntu" >/dev/null 2>/dev/null; then
+    create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
+    create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
+    create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
+  fi
 }

-teardown() {
+teardown_file() {
  popd || return 1
  cleanup_all
 }
@ -38,8 +54,6 @@ teardown() {
  local ns_host
  ns_host=$(readlink /proc/$$/ns/user)

-  create_default_container
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run sh -c 'readlink /proc/$$/ns/user'

  assert_success
@ -56,13 +70,12 @@ teardown() {
  local default_container
  default_container="$(get_system_id)-toolbox-$(get_system_version)"

-  create_default_container
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount "$default_container")"
+  container_root_file_system="$(podman unshare podman mount "$default_container")"

  "$TOOLBX" run true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount "$default_container"
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount "$default_container"

  assert_success
  assert_line --regexp '^root::.+$'
@ -74,13 +87,12 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: root in shadow(5) inside Arch Linux" {
-  create_distro_container arch latest arch-toolbox-latest
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount arch-toolbox-latest)"
+  container_root_file_system="$(podman unshare podman mount arch-toolbox-latest)"

  "$TOOLBX" run --distro arch true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount arch-toolbox-latest
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount arch-toolbox-latest

  assert_success
  assert_line --regexp '^root::.+$'
@ -92,13 +104,12 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: root in shadow(5) inside Fedora 34" {
-  create_distro_container fedora 34 fedora-toolbox-34
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount fedora-toolbox-34)"
+  container_root_file_system="$(podman unshare podman mount fedora-toolbox-34)"

  "$TOOLBX" run --distro fedora --release 34 true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount fedora-toolbox-34
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount fedora-toolbox-34

  assert_success
  assert_line --regexp '^root::.+$'
@ -110,13 +121,12 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: root in shadow(5) inside RHEL 8.10" {
-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount rhel-toolbox-8.10)"
+  container_root_file_system="$(podman unshare podman mount rhel-toolbox-8.10)"

  "$TOOLBX" run --distro rhel --release 8.10 true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount rhel-toolbox-8.10
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount rhel-toolbox-8.10

  assert_success
  assert_line --regexp '^root::.+$'
@ -128,13 +138,12 @@ teardown() {

 # bats test_tags=ubuntu
@test "user: root in shadow(5) inside Ubuntu 16.04" {
-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-16.04)"
+  container_root_file_system="$(podman unshare podman mount ubuntu-toolbox-16.04)"

  "$TOOLBX" run --distro ubuntu --release 16.04 true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-16.04
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount ubuntu-toolbox-16.04

  assert_success
  assert_line --regexp '^root::.+$'
@ -146,13 +155,12 @@ teardown() {

 # bats test_tags=ubuntu
@test "user: root in shadow(5) inside Ubuntu 18.04" {
-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-18.04)"
+  container_root_file_system="$(podman unshare podman mount ubuntu-toolbox-18.04)"

  "$TOOLBX" run --distro ubuntu --release 18.04 true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-18.04
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount ubuntu-toolbox-18.04

  assert_success
  assert_line --regexp '^root::.+$'
@ -164,13 +172,12 @@ teardown() {

 # bats test_tags=ubuntu
@test "user: root in shadow(5) inside Ubuntu 20.04" {
-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-20.04)"
+  container_root_file_system="$(podman unshare podman mount ubuntu-toolbox-20.04)"

  "$TOOLBX" run --distro ubuntu --release 20.04 true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-20.04
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount ubuntu-toolbox-20.04

  assert_success
  assert_line --regexp '^root::.+$'
@ -188,8 +195,6 @@ teardown() {
  local user_id_real
  user_id_real="$(id --real --user)"

-  create_default_container
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run cat /etc/passwd

  assert_success
@ -208,8 +213,6 @@ teardown() {
  local user_id_real
  user_id_real="$(id --real --user)"

-  create_distro_container arch latest arch-toolbox-latest
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro arch cat /etc/passwd

  assert_success
@ -228,8 +231,6 @@ teardown() {
  local user_id_real
  user_id_real="$(id --real --user)"

-  create_distro_container fedora 34 fedora-toolbox-34
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro fedora --release 34 cat /etc/passwd

  assert_success
@ -248,8 +249,6 @@ teardown() {
  local user_id_real
  user_id_real="$(id --real --user)"

-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro rhel --release 8.10 cat /etc/passwd

  assert_success
@ -268,8 +267,6 @@ teardown() {
  local user_id_real
  user_id_real="$(id --real --user)"

-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 16.04 cat /etc/passwd

  assert_success
@ -288,8 +285,6 @@ teardown() {
  local user_id_real
  user_id_real="$(id --real --user)"

-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 18.04 cat /etc/passwd

  assert_success
@ -308,8 +303,6 @@ teardown() {
  local user_id_real
  user_id_real="$(id --real --user)"

-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 20.04 cat /etc/passwd

  assert_success
@ -325,13 +318,12 @@ teardown() {
  local default_container
  default_container="$(get_system_id)-toolbox-$(get_system_version)"

-  create_default_container
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount "$default_container")"
+  container_root_file_system="$(podman unshare podman mount "$default_container")"

  "$TOOLBX" run true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount "$default_container"
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount "$default_container"

  assert_success
  refute_line --regexp "^$USER:.*$"
@ -343,13 +335,12 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: $USER in shadow(5) inside Arch Linux" {
-  create_distro_container arch latest arch-toolbox-latest
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount arch-toolbox-latest)"
+  container_root_file_system="$(podman unshare podman mount arch-toolbox-latest)"

  "$TOOLBX" run --distro arch true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount arch-toolbox-latest
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount arch-toolbox-latest

  assert_success
  refute_line --regexp "^$USER:.*$"
@ -361,13 +352,12 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: $USER in shadow(5) inside Fedora 34" {
-  create_distro_container fedora 34 fedora-toolbox-34
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount fedora-toolbox-34)"
+  container_root_file_system="$(podman unshare podman mount fedora-toolbox-34)"

  "$TOOLBX" run --distro fedora --release 34 true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount fedora-toolbox-34
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount fedora-toolbox-34

  assert_success
  refute_line --regexp "^$USER:.*$"
@ -379,13 +369,12 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: $USER in shadow(5) inside RHEL 8.10" {
-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount rhel-toolbox-8.10)"
+  container_root_file_system="$(podman unshare podman mount rhel-toolbox-8.10)"

  "$TOOLBX" run --distro rhel --release 8.10 true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount rhel-toolbox-8.10
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount rhel-toolbox-8.10

  assert_success
  refute_line --regexp "^$USER:.*$"
@ -397,13 +386,12 @@ teardown() {

 # bats test_tags=ubuntu
@test "user: $USER in shadow(5) inside Ubuntu 16.04" {
-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-16.04)"
+  container_root_file_system="$(podman unshare podman mount ubuntu-toolbox-16.04)"

  "$TOOLBX" run --distro ubuntu --release 16.04 true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-16.04
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount ubuntu-toolbox-16.04

  assert_success
  refute_line --regexp "^$USER:.*$"
@ -415,13 +403,12 @@ teardown() {

 # bats test_tags=ubuntu
@test "user: $USER in shadow(5) inside Ubuntu 18.04" {
-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-18.04)"
+  container_root_file_system="$(podman unshare podman mount ubuntu-toolbox-18.04)"

  "$TOOLBX" run --distro ubuntu --release 18.04 true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-18.04
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount ubuntu-toolbox-18.04

  assert_success
  refute_line --regexp "^$USER:.*$"
@ -433,13 +420,12 @@ teardown() {

 # bats test_tags=ubuntu
@test "user: $USER in shadow(5) inside Ubuntu 20.04" {
-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-  container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-20.04)"
+  container_root_file_system="$(podman unshare podman mount ubuntu-toolbox-20.04)"

  "$TOOLBX" run --distro ubuntu --release 20.04 true

-  run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow"
-  "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-20.04
+  run --keep-empty-lines --separate-stderr podman unshare cat "$container_root_file_system/etc/shadow"
+  podman unshare podman unmount ubuntu-toolbox-20.04

  assert_success
  refute_line --regexp "^$USER:.*$"
@ -451,8 +437,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: $USER in group(5) inside the default container" {
-  create_default_container
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run cat /etc/group

  assert_success
@ -466,8 +450,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: $USER in group(5) inside Arch Linux" {
-  create_distro_container arch latest arch-toolbox-latest
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro arch cat /etc/group

  assert_success
@ -481,8 +463,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: $USER in group(5) inside Fedora 34" {
-  create_distro_container fedora 34 fedora-toolbox-34
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro fedora --release 34 cat /etc/group

  assert_success
@ -496,8 +476,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: $USER in group(5) inside RHEL 8.10" {
-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro rhel --release 8.10 cat /etc/group

  assert_success
@ -511,8 +489,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "user: $USER in group(5) inside Ubuntu 16.04" {
-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 16.04 cat /etc/group

  assert_success
@ -526,8 +502,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "user: $USER in group(5) inside Ubuntu 18.04" {
-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 18.04 cat /etc/group

  assert_success
@ -541,8 +515,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "user: $USER in group(5) inside Ubuntu 20.04" {
-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 20.04 cat /etc/group

  assert_success
@ -556,8 +528,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: id(1) for $USER inside the default container" {
-  create_default_container
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run id

  assert_success
@ -580,8 +550,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: id(1) for $USER inside Arch Linux" {
-  create_distro_container arch latest arch-toolbox-latest
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro arch id

  assert_success
@ -604,8 +572,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: id(1) for $USER inside Fedora 34" {
-  create_distro_container fedora 34 fedora-toolbox-34
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro fedora --release 34 id

  assert_success
@ -628,8 +594,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "user: id(1) for $USER inside RHEL 8.10" {
-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro rhel --release 8.10 id

  assert_success
@ -652,8 +616,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "user: id(1) for $USER inside Ubuntu 16.04" {
-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 16.04 id

  assert_success
@ -676,8 +638,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "user: id(1) for $USER inside Ubuntu 18.04" {
-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 18.04 id

  assert_success
@ -700,8 +660,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "user: id(1) for $USER inside Ubuntu 20.04" {
-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 20.04 id

  assert_success
--- a/test/system/211-dbus.bats
+++ b/test/system/211-dbus.bats
@ -1,6 +1,6 @@
 # shellcheck shell=bats
 #
-# Copyright © 2023 – 2024 Red Hat, Inc.
+# Copyright © 2023 – 2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -21,14 +21,30 @@ load 'libs/bats-support/load'
 load 'libs/bats-assert/load'
 load 'libs/helpers'

-setup() {
+setup_file() {
  bats_require_minimum_version 1.10.0
  _setup_environment
  cleanup_all
  pushd "$HOME" || return 1
+
+  if echo "$TOOLBX_TEST_SYSTEM_TAGS" | grep "arch" >/dev/null 2>/dev/null; then
+    create_distro_container arch latest arch-toolbox-latest
+  fi
+
+  if echo "$TOOLBX_TEST_SYSTEM_TAGS" | grep "fedora" >/dev/null 2>/dev/null; then
+    create_default_container
+    create_distro_container fedora 34 fedora-toolbox-34
+    create_distro_container rhel 8.10 rhel-toolbox-8.10
+  fi
+
+  if echo "$TOOLBX_TEST_SYSTEM_TAGS" | grep "ubuntu" >/dev/null 2>/dev/null; then
+    create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
+    create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
+    create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
+  fi
 }

-teardown() {
+teardown_file() {
  popd || return 1
  cleanup_all
 }
@ -42,8 +58,6 @@ teardown() {
                         --object-path /org/freedesktop/DBus \
                         --method org.freedesktop.DBus.Peer.Ping)"

-  create_default_container
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run gdbus call \
                                                           --session \
                                                           --dest org.freedesktop.DBus \
@ -67,8 +81,6 @@ teardown() {
                         --object-path /org/freedesktop/DBus \
                         --method org.freedesktop.DBus.Peer.Ping)"

-  create_distro_container arch latest arch-toolbox-latest
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
    --distro arch \
    gdbus call \
@ -94,8 +106,6 @@ teardown() {
                         --object-path /org/freedesktop/DBus \
                         --method org.freedesktop.DBus.Peer.Ping)"

-  create_distro_container fedora 34 fedora-toolbox-34
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
    --distro fedora \
    --release 34 \
@ -122,8 +132,6 @@ teardown() {
                         --object-path /org/freedesktop/DBus \
                         --method org.freedesktop.DBus.Peer.Ping)"

-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
    --distro rhel \
    --release 8.10 \
@ -145,8 +153,6 @@ teardown() {
@test "dbus: session bus inside Ubuntu 16.04" {
  busctl --user call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.Peer Ping

-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
    --distro ubuntu \
    --release 16.04 \
@ -165,8 +171,6 @@ teardown() {
@test "dbus: session bus inside Ubuntu 18.04" {
  busctl --user call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.Peer Ping

-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
    --distro ubuntu \
    --release 18.04 \
@ -185,8 +189,6 @@ teardown() {
@test "dbus: session bus inside Ubuntu 20.04" {
  busctl --user call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.Peer Ping

-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
    --distro ubuntu \
    --release 20.04 \
@ -212,8 +214,6 @@ teardown() {
                         org.freedesktop.systemd1.Manager \
                         Version)"

-  create_default_container
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run gdbus call \
                                                           --system \
                                                           --dest org.freedesktop.systemd1 \
@ -241,8 +241,6 @@ teardown() {
                         org.freedesktop.systemd1.Manager \
                         Version)"

-  create_distro_container arch latest arch-toolbox-latest
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
    --distro arch \
    gdbus call \
@ -272,8 +270,6 @@ teardown() {
                         org.freedesktop.systemd1.Manager \
                         Version)"

-  create_distro_container fedora 34 fedora-toolbox-34
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
    --distro fedora \
    --release 34 \
@ -304,8 +300,6 @@ teardown() {
                         org.freedesktop.systemd1.Manager \
                         Version)"

-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
    --distro rhel \
    --release 8.10 \
@ -334,8 +328,6 @@ teardown() {
                         org.freedesktop.systemd1.Manager \
                         Version)"

-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
    --distro ubuntu \
    --release 16.04 \
@ -362,8 +354,6 @@ teardown() {
                         org.freedesktop.systemd1.Manager \
                         Version)"

-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
    --distro ubuntu \
    --release 18.04 \
@ -390,8 +380,6 @@ teardown() {
                         org.freedesktop.systemd1.Manager \
                         Version)"

-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
    --distro ubuntu \
    --release 20.04 \
--- a/test/system/220-environment-variables.bats
+++ b/test/system/220-environment-variables.bats
@ -1,6 +1,6 @@
 # shellcheck shell=bats
 #
-# Copyright © 2023 – 2024 Red Hat, Inc.
+# Copyright © 2023 – 2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -21,22 +21,36 @@ load 'libs/bats-support/load'
 load 'libs/bats-assert/load'
 load 'libs/helpers'

-setup() {
+setup_file() {
  bats_require_minimum_version 1.10.0
  _setup_environment
  cleanup_all
  pushd "$HOME" || return 1
+
+  if echo "$TOOLBX_TEST_SYSTEM_TAGS" | grep "arch" >/dev/null 2>/dev/null; then
+    create_distro_container arch latest arch-toolbox-latest
+  fi
+
+  if echo "$TOOLBX_TEST_SYSTEM_TAGS" | grep "fedora" >/dev/null 2>/dev/null; then
+    create_default_container
+    create_distro_container fedora 34 fedora-toolbox-34
+    create_distro_container rhel 8.10 rhel-toolbox-8.10
+  fi
+
+  if echo "$TOOLBX_TEST_SYSTEM_TAGS" | grep "ubuntu" >/dev/null 2>/dev/null; then
+    create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
+    create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
+    create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
+  fi
 }

-teardown() {
+teardown_file() {
  popd || return 1
  cleanup_all
 }

 # bats test_tags=arch-fedora
@test "environment variables: HISTFILESIZE inside the default container" {
-  create_default_container
-
  if [ "$HISTFILESIZE" = "" ]; then
    # shellcheck disable=SC2030
    HISTFILESIZE=1001
@ -59,8 +73,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: HISTFILESIZE inside Arch Linux" {
-  create_distro_container arch latest arch-toolbox-latest
-
  # shellcheck disable=SC2031
  if [ "$HISTFILESIZE" = "" ]; then
    # shellcheck disable=SC2030
@ -84,8 +96,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: HISTFILESIZE inside Fedora 34" {
-  create_distro_container fedora 34 fedora-toolbox-34
-
  # shellcheck disable=SC2031
  if [ "$HISTFILESIZE" = "" ]; then
    # shellcheck disable=SC2030
@ -109,8 +119,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: HISTFILESIZE inside RHEL 8.10" {
-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  # shellcheck disable=SC2031
  if [ "$HISTFILESIZE" = "" ]; then
    # shellcheck disable=SC2030
@ -134,8 +142,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: HISTFILESIZE inside Ubuntu 16.04" {
-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  # shellcheck disable=SC2031
  if [ "$HISTFILESIZE" = "" ]; then
    # shellcheck disable=SC2030
@ -160,8 +166,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: HISTFILESIZE inside Ubuntu 18.04" {
-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  # shellcheck disable=SC2031
  if [ "$HISTFILESIZE" = "" ]; then
    # shellcheck disable=SC2030
@ -186,8 +190,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: HISTFILESIZE inside Ubuntu 20.04" {
-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  # shellcheck disable=SC2031
  if [ "$HISTFILESIZE" = "" ]; then
    HISTFILESIZE=1001
@ -213,8 +215,6 @@ teardown() {
@test "environment variables: HISTSIZE inside the default container" {
  skip "https://pagure.io/setup/pull-request/48"

-  create_default_container
-
  if [ "$HISTSIZE" = "" ]; then
    # shellcheck disable=SC2030
    HISTSIZE=1001
@ -237,8 +237,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: HISTSIZE inside Arch Linux" {
-  create_distro_container arch latest arch-toolbox-latest
-
  # shellcheck disable=SC2031
  if [ "$HISTSIZE" = "" ]; then
    # shellcheck disable=SC2030
@ -264,8 +262,6 @@ teardown() {
@test "environment variables: HISTSIZE inside Fedora 34" {
  skip "https://pagure.io/setup/pull-request/48"

-  create_distro_container fedora 34 fedora-toolbox-34
-
  # shellcheck disable=SC2031
  if [ "$HISTSIZE" = "" ]; then
    # shellcheck disable=SC2030
@ -291,8 +287,6 @@ teardown() {
@test "environment variables: HISTSIZE inside RHEL 8.10" {
  skip "https://pagure.io/setup/pull-request/48"

-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  # shellcheck disable=SC2031
  if [ "$HISTSIZE" = "" ]; then
    # shellcheck disable=SC2030
@ -316,8 +310,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: HISTSIZE inside Ubuntu 16.04" {
-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  # shellcheck disable=SC2031
  if [ "$HISTSIZE" = "" ]; then
    # shellcheck disable=SC2030
@ -341,8 +333,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: HISTSIZE inside Ubuntu 18.04" {
-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  # shellcheck disable=SC2031
  if [ "$HISTSIZE" = "" ]; then
    # shellcheck disable=SC2030
@ -366,8 +356,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: HISTSIZE inside Ubuntu 20.04" {
-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  # shellcheck disable=SC2031
  if [ "$HISTSIZE" = "" ]; then
    HISTSIZE=1001
@ -390,8 +378,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: HOSTNAME inside the default container" {
-  create_default_container
-
  # shellcheck disable=SC2016
  run --keep-empty-lines --separate-stderr "$TOOLBX" run bash -c 'echo "$HOSTNAME"'

@ -403,8 +389,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: HOSTNAME inside Arch Linux" {
-  create_distro_container arch latest arch-toolbox-latest
-
  # shellcheck disable=SC2016
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro arch bash -c 'echo "$HOSTNAME"'

@ -416,8 +400,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: HOSTNAME inside Fedora 34" {
-  create_distro_container fedora 34 fedora-toolbox-34
-
  # shellcheck disable=SC2016
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro fedora --release 34 bash -c 'echo "$HOSTNAME"'

@ -429,8 +411,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: HOSTNAME inside RHEL 8.10" {
-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  # shellcheck disable=SC2016
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro rhel --release 8.10 bash -c 'echo "$HOSTNAME"'

@ -442,8 +422,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: HOSTNAME inside Ubuntu 16.04" {
-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  # shellcheck disable=SC2016
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 16.04 bash -c 'echo "$HOSTNAME"'

@ -455,8 +433,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: HOSTNAME inside Ubuntu 18.04" {
-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  # shellcheck disable=SC2016
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 18.04 bash -c 'echo "$HOSTNAME"'

@ -468,8 +444,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: HOSTNAME inside Ubuntu 20.04" {
-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  # shellcheck disable=SC2016
  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 20.04 bash -c 'echo "$HOSTNAME"'

@ -481,8 +455,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: KONSOLE_VERSION inside the default container" {
-  create_default_container
-
  if [ "$KONSOLE_VERSION" = "" ]; then
    # shellcheck disable=SC2030
    export KONSOLE_VERSION=230804
@ -501,8 +473,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: KONSOLE_VERSION inside Arch Linux" {
-  create_distro_container arch latest arch-toolbox-latest
-
  # shellcheck disable=SC2031
  if [ "$KONSOLE_VERSION" = "" ]; then
    # shellcheck disable=SC2030
@ -522,8 +492,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: KONSOLE_VERSION inside Fedora 34" {
-  create_distro_container fedora 34 fedora-toolbox-34
-
  # shellcheck disable=SC2031
  if [ "$KONSOLE_VERSION" = "" ]; then
    # shellcheck disable=SC2030
@ -543,8 +511,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: KONSOLE_VERSION inside RHEL 8.10" {
-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  # shellcheck disable=SC2031
  if [ "$KONSOLE_VERSION" = "" ]; then
    # shellcheck disable=SC2030
@ -564,8 +530,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: KONSOLE_VERSION inside Ubuntu 16.04" {
-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  # shellcheck disable=SC2031
  if [ "$KONSOLE_VERSION" = "" ]; then
    # shellcheck disable=SC2030
@ -585,8 +549,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: KONSOLE_VERSION inside Ubuntu 18.04" {
-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  # shellcheck disable=SC2031
  if [ "$KONSOLE_VERSION" = "" ]; then
    # shellcheck disable=SC2030
@ -606,8 +568,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: KONSOLE_VERSION inside Ubuntu 20.04" {
-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  # shellcheck disable=SC2031
  if [ "$KONSOLE_VERSION" = "" ]; then
    export KONSOLE_VERSION=230804
@ -626,8 +586,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: XTERM_VERSION inside the default container" {
-  create_default_container
-
  if [ "$XTERM_VERSION" = "" ]; then
    # shellcheck disable=SC2030
    export XTERM_VERSION="XTerm(385)"
@ -646,8 +604,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: XTERM_VERSION inside Arch Linux" {
-  create_distro_container arch latest arch-toolbox-latest
-
  # shellcheck disable=SC2031
  if [ "$XTERM_VERSION" = "" ]; then
    # shellcheck disable=SC2030
@ -667,8 +623,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: XTERM_VERSION inside Fedora 34" {
-  create_distro_container fedora 34 fedora-toolbox-34
-
  # shellcheck disable=SC2031
  if [ "$XTERM_VERSION" = "" ]; then
    # shellcheck disable=SC2030
@ -688,8 +642,6 @@ teardown() {

 # bats test_tags=arch-fedora
@test "environment variables: XTERM_VERSION inside RHEL 8.10" {
-  create_distro_container rhel 8.10 rhel-toolbox-8.10
-
  # shellcheck disable=SC2031
  if [ "$XTERM_VERSION" = "" ]; then
    # shellcheck disable=SC2030
@ -709,8 +661,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: XTERM_VERSION inside Ubuntu 16.04" {
-  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
-
  # shellcheck disable=SC2031
  if [ "$XTERM_VERSION" = "" ]; then
    # shellcheck disable=SC2030
@ -730,8 +680,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: XTERM_VERSION inside Ubuntu 18.04" {
-  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
-
  # shellcheck disable=SC2031
  if [ "$XTERM_VERSION" = "" ]; then
    # shellcheck disable=SC2030
@ -751,8 +699,6 @@ teardown() {

 # bats test_tags=ubuntu
@test "environment variables: XTERM_VERSION inside Ubuntu 20.04" {
-  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
-
  # shellcheck disable=SC2031
  if [ "$XTERM_VERSION" = "" ]; then
    export XTERM_VERSION="XTerm(385)"
--- a/test/system/230-cdi.bats
+++ b/test/system/230-cdi.bats
@ -161,7 +161,7 @@ teardown() {
  assert [ ${#lines[@]} -eq 1 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]

-  "$PODMAN" stop "$default_container"
+  podman stop "$default_container"

  run --keep-empty-lines --separate-stderr "$TOOLBX" run test -e /run/toolbox.1

@ -241,7 +241,7 @@ teardown() {
  assert [ ${#lines[@]} -eq 1 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]

-  "$PODMAN" stop "$default_container"
+  podman stop "$default_container"

  run --keep-empty-lines --separate-stderr "$TOOLBX" run test -e /opt/bin/toolbox

@ -321,7 +321,7 @@ teardown() {
  assert [ ${#lines[@]} -eq 1 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]

-  "$PODMAN" stop "$default_container"
+  podman stop "$default_container"

  run --keep-empty-lines --separate-stderr "$TOOLBX" run test -e /usr/bin/toolbox.1

@ -453,7 +453,7 @@ teardown() {
  assert [ ${#lines[@]} -eq 1 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]

-  "$PODMAN" stop "$default_container"
+  podman stop "$default_container"

  run --keep-empty-lines --separate-stderr "$TOOLBX" run test -e /run/toolbox.1

@ -559,7 +559,7 @@ teardown() {
  assert [ ${#lines[@]} -eq 1 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]

-  "$PODMAN" stop "$default_container"
+  podman stop "$default_container"

  run --keep-empty-lines --separate-stderr "$TOOLBX" run test -e /run/toolbox.1

@ -639,7 +639,7 @@ teardown() {
  assert [ ${#lines[@]} -eq 1 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]

-  "$PODMAN" stop "$default_container"
+  podman stop "$default_container"

  run --keep-empty-lines --separate-stderr "$TOOLBX" run test -e /opt/bin/toolbox

@ -719,7 +719,7 @@ teardown() {
  assert [ ${#lines[@]} -eq 1 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]

-  "$PODMAN" stop "$default_container"
+  podman stop "$default_container"

  run --keep-empty-lines --separate-stderr "$TOOLBX" run test -e /usr/bin/toolbox.1

@ -851,7 +851,7 @@ teardown() {
  assert [ ${#lines[@]} -eq 1 ]
  assert [ ${#stderr_lines[@]} -eq 0 ]

-  "$PODMAN" stop "$default_container"
+  podman stop "$default_container"

  run --keep-empty-lines --separate-stderr "$TOOLBX" run test -e /run/toolbox.1

--- a/test/system/250-kerberos.bats
+++ b/test/system/250-kerberos.bats
@ -0,0 +1,228 @@
+# shellcheck shell=bats
+#
+# Copyright © 2025 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# bats file_tags=runtime-environment
+
+load 'libs/bats-support/load'
+load 'libs/bats-assert/load'
+load 'libs/helpers'
+
+setup() {
+  bats_require_minimum_version 1.10.0
+  _setup_environment
+  cleanup_all
+  pushd "$HOME" || return 1
+}
+
+teardown() {
+  popd || return 1
+  cleanup_all
+}
+
+# bats test_tags=arch-fedora
+@test "kerberos: Smoke test" {
+  local kerberos_skip=false
+
+  local system_id
+  system_id="$(get_system_id)"
+
+  if [ "$system_id" != "fedora" ]; then
+    kerberos_skip=true
+  fi
+
+  create_default_container
+
+  if $kerberos_skip; then
+    run --keep-empty-lines --separate-stderr "$TOOLBX" run test -e /etc/krb5.conf.d
+
+    assert_failure
+    assert [ ${#lines[@]} -eq 0 ]
+    # shellcheck disable=SC2154
+    assert [ ${#stderr_lines[@]} -eq 0 ]
+
+    run --keep-empty-lines --separate-stderr "$TOOLBX" run test -e /etc/krb5.conf.d/kcm_default_ccache
+
+    assert_failure
+    assert [ ${#lines[@]} -eq 0 ]
+    assert [ ${#stderr_lines[@]} -eq 0 ]
+  else
+    run --keep-empty-lines --separate-stderr "$TOOLBX" run cat /etc/krb5.conf.d/kcm_default_ccache
+
+    assert_success
+    assert_line --index 0 "# Written by Toolbx"
+    assert_line --index 1 "# https://containertoolbx.org/"
+    assert_line --index 2 "#"
+    assert_line --index 3 "# # To disable the KCM credential cache, comment out the following lines."
+    assert_line --index 4 ""
+    assert_line --index 5 "[libdefaults]"
+    assert_line --index 6 "    default_ccache_name = KCM:"
+    assert [ ${#lines[@]} -eq 7 ]
+    assert [ ${#stderr_lines[@]} -eq 0 ]
+
+    run --keep-empty-lines --separate-stderr "$TOOLBX" run stat \
+                                                             --format "%A %U:%G" \
+                                                             /etc/krb5.conf.d/kcm_default_ccache
+
+    assert_success
+    assert_line --index 0 "-rw-r--r-- root:root"
+    assert [ ${#lines[@]} -eq 1 ]
+    assert [ ${#stderr_lines[@]} -eq 0 ]
+  fi
+}
+
+# bats test_tags=arch-fedora
+@test "kerberos: Smoke test with Arch Linux" {
+  create_distro_container arch latest arch-toolbox-latest
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro arch test -e /etc/krb5.conf.d
+
+  assert_failure
+  assert [ ${#lines[@]} -eq 0 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro arch test -e /etc/krb5.conf.d/kcm_default_ccache
+
+  assert_failure
+  assert [ ${#lines[@]} -eq 0 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+}
+
+# bats test_tags=arch-fedora
+@test "kerberos: Smoke test with Fedora 34" {
+  create_distro_container fedora 34 fedora-toolbox-34
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
+    --distro fedora \
+    --release 34 \
+    cat /etc/krb5.conf.d/kcm_default_ccache
+
+  assert_success
+  assert_line --index 0 "# Written by Toolbx"
+  assert_line --index 1 "# https://containertoolbx.org/"
+  assert_line --index 2 "#"
+  assert_line --index 3 "# # To disable the KCM credential cache, comment out the following lines."
+  assert_line --index 4 ""
+  assert_line --index 5 "[libdefaults]"
+  assert_line --index 6 "    default_ccache_name = KCM:"
+  assert [ ${#lines[@]} -eq 7 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
+    --distro fedora \
+    --release 34 \
+    stat \
+      --format "%A %U:%G" \
+      /etc/krb5.conf.d/kcm_default_ccache
+
+  assert_success
+  assert_line --index 0 "-rw-r--r-- root:root"
+  assert [ ${#lines[@]} -eq 1 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+}
+
+# bats test_tags=arch-fedora
+@test "kerberos: Smoke test with RHEL 8.10" {
+  create_distro_container rhel 8.10 rhel-toolbox-8.10
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
+    --distro rhel \
+    --release 8.10 \
+    cat /etc/krb5.conf.d/kcm_default_ccache
+
+  assert_success
+  assert_line --index 0 "# Written by Toolbx"
+  assert_line --index 1 "# https://containertoolbx.org/"
+  assert_line --index 2 "#"
+  assert_line --index 3 "# # To disable the KCM credential cache, comment out the following lines."
+  assert_line --index 4 ""
+  assert_line --index 5 "[libdefaults]"
+  assert_line --index 6 "    default_ccache_name = KCM:"
+  assert [ ${#lines[@]} -eq 7 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
+    --distro rhel \
+    --release 8.10 \
+    stat \
+      --format "%A %U:%G" \
+      /etc/krb5.conf.d/kcm_default_ccache
+
+  assert_success
+  assert_line --index 0 "-rw-r--r-- root:root"
+  assert [ ${#lines[@]} -eq 1 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+}
+
+# bats test_tags=ubuntu
+@test "kerberos: Smoke test with Ubuntu 16.04" {
+  create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 16.04 test -e /etc/krb5.conf.d
+
+  assert_failure
+  assert [ ${#lines[@]} -eq 0 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
+    --distro ubuntu \
+    --release 16.04 \
+    test -e /etc/krb5.conf.d/kcm_default_ccache
+
+  assert_failure
+  assert [ ${#lines[@]} -eq 0 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+}
+
+# bats test_tags=ubuntu
+@test "kerberos: Smoke test with Ubuntu 18.04" {
+  create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 18.04 test -e /etc/krb5.conf.d
+
+  assert_failure
+  assert [ ${#lines[@]} -eq 0 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
+    --distro ubuntu \
+    --release 18.04 \
+    test -e /etc/krb5.conf.d/kcm_default_ccache
+
+  assert_failure
+  assert [ ${#lines[@]} -eq 0 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+}
+
+# bats test_tags=ubuntu
+@test "kerberos: Smoke test with Ubuntu 20.04" {
+  create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro ubuntu --release 20.04 test -e /etc/krb5.conf.d
+
+  assert_failure
+  assert [ ${#lines[@]} -eq 0 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
+    --distro ubuntu \
+    --release 20.04 \
+    test -e /etc/krb5.conf.d/kcm_default_ccache
+
+  assert_failure
+  assert [ ${#lines[@]} -eq 0 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+}
--- a/test/system/270-rpm.bats
+++ b/test/system/270-rpm.bats
@ -0,0 +1,148 @@
+# shellcheck shell=bats
+#
+# Copyright © 2025 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# bats file_tags=runtime-environment
+
+load 'libs/bats-support/load'
+load 'libs/bats-assert/load'
+load 'libs/helpers'
+
+setup() {
+  bats_require_minimum_version 1.10.0
+  _setup_environment
+  cleanup_all
+  pushd "$HOME" || return 1
+}
+
+teardown() {
+  popd || return 1
+  cleanup_all
+}
+
+# bats test_tags=arch-fedora
+@test "rpm: %_netsharedpath inside the default container" {
+  local system_id
+  system_id="$(get_system_id)"
+
+  if [ "$system_id" != "fedora" ]; then
+    skip "doesn't use RPM"
+  fi
+
+  create_default_container
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run rpm --eval %_netsharedpath
+
+  assert_success
+  assert_line --index 0 "/dev:/media:/mnt:/proc:/sys:/tmp:/var/lib/flatpak:/var/lib/libvirt"
+  assert [ ${#lines[@]} -eq 1 ]
+
+  # shellcheck disable=SC2154
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run cat /usr/lib/rpm/macros.d/macros.toolbox
+
+  assert_success
+  assert_line --index 0 "# Written by Toolbx"
+  assert_line --index 1 "# https://containertoolbx.org/"
+  assert_line --index 2 ""
+  assert_line --index 3 "%_netsharedpath /dev:/media:/mnt:/proc:/sys:/tmp:/var/lib/flatpak:/var/lib/libvirt"
+  assert [ ${#lines[@]} -eq 4 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run stat \
+                                                           --format "%A %U:%G" \
+                                                           /usr/lib/rpm/macros.d/macros.toolbox
+
+  assert_success
+  assert_line --index 0 "-rw-r--r-- root:root"
+  assert [ ${#lines[@]} -eq 1 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+}
+
+# bats test_tags=arch-fedora
+@test "rpm: %_netsharedpath inside Fedora 34" {
+  create_distro_container fedora 34 fedora-toolbox-34
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro fedora --release 34 rpm --eval %_netsharedpath
+
+  assert_success
+  assert_line --index 0 "/dev:/media:/mnt:/proc:/sys:/tmp:/var/lib/flatpak:/var/lib/libvirt"
+  assert [ ${#lines[@]} -eq 1 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
+    --distro fedora \
+    --release 34 \
+    cat /usr/lib/rpm/macros.d/macros.toolbox
+
+  assert_success
+  assert_line --index 0 "# Written by Toolbx"
+  assert_line --index 1 "# https://containertoolbx.org/"
+  assert_line --index 2 ""
+  assert_line --index 3 "%_netsharedpath /dev:/media:/mnt:/proc:/sys:/tmp:/var/lib/flatpak:/var/lib/libvirt"
+  assert [ ${#lines[@]} -eq 4 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
+    --distro fedora \
+    --release 34 \
+    stat \
+      --format "%A %U:%G" \
+      /usr/lib/rpm/macros.d/macros.toolbox
+
+  assert_success
+  assert_line --index 0 "-rw-r--r-- root:root"
+  assert [ ${#lines[@]} -eq 1 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+}
+
+# bats test_tags=arch-fedora
+@test "rpm: %_netsharedpath inside RHEL 8.10" {
+  create_distro_container rhel 8.10 rhel-toolbox-8.10
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run --distro rhel --release 8.10 rpm --eval %_netsharedpath
+
+  assert_success
+  assert_line --index 0 "/dev:/media:/mnt:/proc:/sys:/tmp:/var/lib/flatpak:/var/lib/libvirt"
+  assert [ ${#lines[@]} -eq 1 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
+    --distro rhel \
+    --release 8.10 \
+    cat /usr/lib/rpm/macros.d/macros.toolbox
+
+  assert_success
+  assert_line --index 0 "# Written by Toolbx"
+  assert_line --index 1 "# https://containertoolbx.org/"
+  assert_line --index 2 ""
+  assert_line --index 3 "%_netsharedpath /dev:/media:/mnt:/proc:/sys:/tmp:/var/lib/flatpak:/var/lib/libvirt"
+  assert [ ${#lines[@]} -eq 4 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+
+  run --keep-empty-lines --separate-stderr "$TOOLBX" run \
+    --distro rhel \
+    --release 8.10 \
+    stat \
+      --format "%A %U:%G" \
+      /usr/lib/rpm/macros.d/macros.toolbox
+
+  assert_success
+  assert_line --index 0 "-rw-r--r-- root:root"
+  assert [ ${#lines[@]} -eq 1 ]
+  assert [ ${#stderr_lines[@]} -eq 0 ]
+}
--- a/test/system/501-create.bats
+++ b/test/system/501-create.bats
@ -25,9 +25,11 @@ setup() {
  bats_require_minimum_version 1.8.0
  _setup_environment
  cleanup_all
+  pushd "$HOME" || return 1
 }

 teardown() {
+  popd || return 1
  cleanup_all
 }

--- a/test/system/504-run.bats
+++ b/test/system/504-run.bats
@ -25,9 +25,11 @@ setup() {
  bats_require_minimum_version 1.8.0
  _setup_environment
  cleanup_all
+  pushd "$HOME" || return 1
 }

 teardown() {
+  popd || return 1
  cleanup_all
 }

--- a/test/system/505-enter.bats
+++ b/test/system/505-enter.bats
@ -25,9 +25,11 @@ setup() {
  bats_require_minimum_version 1.8.0
  _setup_environment
  cleanup_all
+  pushd "$HOME" || return 1
 }

 teardown() {
+  popd || return 1
  cleanup_all
 }

--- a/test/system/README.md
+++ b/test/system/README.md
@ -38,10 +38,10 @@ and to speed up the cases.
 By default the test suite uses the system versions of `podman`, `skopeo` and
 `toolbox`.

-If you have a `podman`, `skopeo` or `toolbox` installed in a nonstandard
-location then you can use the `PODMAN`, `SKOPEO` and `TOOLBX` environmental
-variables to set the path to the binaries. So the command to invoke the test
-suite could look something like this: `PODMAN=/usr/libexec/podman TOOLBX=./toolbox bats ./test/system/`.
+If you have `toolbox` installed in a nonstandard location then you can use the
+`TOOLBX` environmental variable to set the path to the binary. So the command
+to invoke the test suite could look something like this:
+`TOOLBX=./toolbox bats ./test/system/`.

 It's recommended to set the [TMPDIR](https://systemd.io/TEMPORARY_DIRECTORIES/)
 environment variable to `/var/tmp` when running the tests.  Otherwise, the
@ -90,6 +90,6 @@ Examples:
 Example pull of the `fedora-toolbox:34` image:

 ```bash
-$PODMAN login --username user --password user "$DOCKER_REG_URI"
-$PODMAN pull "$DOCKER_REG_URI/fedora-toolbox:34"
+podman login --username user --password user "$DOCKER_REG_URI"
+podman pull "$DOCKER_REG_URI/fedora-toolbox:34"
 ```
--- a/test/system/libs/helpers.bash
+++ b/test/system/libs/helpers.bash
@ -4,25 +4,20 @@ load 'libs/bats-support/load'
 load 'libs/bats-assert/load'

 # Helpful globals
-readonly TEMP_BASE_DIR="${XDG_CACHE_HOME:-$HOME/.cache}/toolbx"
-readonly TEMP_STORAGE_DIR="${TEMP_BASE_DIR}/system-test-storage"
-
 readonly IMAGE_CACHE_DIR="${BATS_SUITE_TMPDIR}/image-cache"
-readonly ROOTLESS_PODMAN_STORE_DIR="${TEMP_STORAGE_DIR}/storage"
-readonly ROOTLESS_PODMAN_RUNROOT_DIR="${TEMP_STORAGE_DIR}/runroot"
-readonly PODMAN_STORE_CONFIG_FILE="${TEMP_STORAGE_DIR}/storage.conf"
-readonly DOCKER_REG_ROOT="${TEMP_STORAGE_DIR}/docker-registry-root"
+readonly ROOTLESS_PODMAN_STORE_DIR="${BATS_SUITE_TMPDIR}/storage"
+readonly ROOTLESS_PODMAN_RUNROOT_DIR="${BATS_SUITE_TMPDIR}/runroot"
+readonly PODMAN_STORE_CONFIG_FILE="${BATS_SUITE_TMPDIR}/storage.conf"
+readonly DOCKER_REG_ROOT="${BATS_SUITE_TMPDIR}/docker-registry-root"
 readonly DOCKER_REG_CERTS_DIR="${BATS_SUITE_TMPDIR}/certs"
 readonly DOCKER_REG_AUTH_DIR="${BATS_SUITE_TMPDIR}/auth"
 readonly DOCKER_REG_URI="localhost:50000"
 readonly DOCKER_REG_NAME="docker-registry"

 # Podman and Toolbx commands to run
-readonly PODMAN="${PODMAN:-$(command -v podman)}"
 readonly TOOLBX="${TOOLBX:-$(command -v toolbox)}"
 readonly TOOLBX_TEST_SYSTEM_TAGS_ALL="arch-fedora,commands-options,custom-image,runtime-environment,ubuntu"
 readonly TOOLBX_TEST_SYSTEM_TAGS="${TOOLBX_TEST_SYSTEM_TAGS:-$TOOLBX_TEST_SYSTEM_TAGS_ALL}"
-readonly SKOPEO="${SKOPEO:-$(command -v skopeo)}"

 # Images
 declare -Ag IMAGES=([arch]="quay.io/toolbx/arch-toolbox" \
@ -34,8 +29,8 @@ declare -Ag IMAGES=([arch]="quay.io/toolbx/arch-toolbox" \


 function cleanup_all() {
-  "$PODMAN" rm --all --force >/dev/null
-  "$PODMAN" rmi --all --force >/dev/null
+  podman rm --all --force >/dev/null
+  podman rmi --all --force >/dev/null
 }


@ -45,23 +40,12 @@ function _setup_environment() {
 }

 function _setup_containers_storage() {
-  mkdir -p "${TEMP_STORAGE_DIR}"
  # Set up a storage config file for PODMAN
  echo -e "[storage]\n  driver = \"overlay\"\n  rootless_storage_path = \"${ROOTLESS_PODMAN_STORE_DIR}\"\n  runroot = \"${ROOTLESS_PODMAN_RUNROOT_DIR}\"\n" > "${PODMAN_STORE_CONFIG_FILE}"
  export CONTAINERS_STORAGE_CONF="${PODMAN_STORE_CONFIG_FILE}"
 }


-function _clean_temporary_storage() {
-  "$PODMAN" system reset --force >/dev/null
-
-  rm --force --recursive "${ROOTLESS_PODMAN_STORE_DIR}"
-  rm --force --recursive "${ROOTLESS_PODMAN_RUNROOT_DIR}"
-  rm --force --recursive "${PODMAN_STORE_CONFIG_FILE}"
-  rm --force --recursive "${TEMP_STORAGE_DIR}"
-}
-
-
 # Pulls an image using Podman and saves it to a image dir using Skopeo
 #
 # Parameters
@ -110,7 +94,7 @@ function _pull_and_cache_distro_image() {
  local -i ret_val

  for ((j = 0; j < num_of_retries; j++)); do
-    error_message="$( ("$SKOPEO" copy --dest-compress \
+    error_message="$( (skopeo copy --dest-compress \
                          "docker://${image}" \
                          "dir:${IMAGE_CACHE_DIR}/${image_archive}" >/dev/null) 2>&1)"
    ret_val="$?"
@ -136,12 +120,6 @@ function _pull_and_cache_distro_image() {
 }


-# Removes the folder with cached images
-function _clean_cached_images() {
-  rm --force --recursive "${IMAGE_CACHE_DIR}"
-}
-
-
 # Prepares a locally hosted image registry
 #
 # The registry is set up with Podman set to an alternative root. It won't
@ -183,11 +161,11 @@ function _setup_docker_registry() {
  assert_success

  # Pull Docker registry image
-  run "$PODMAN" --root "${DOCKER_REG_ROOT}" pull "${IMAGES[docker-reg]}"
+  run podman --root "${DOCKER_REG_ROOT}" pull "${IMAGES[docker-reg]}"
  assert_success

  # Create a Docker registry
-  run "$PODMAN" --root "${DOCKER_REG_ROOT}" run \
+  run podman --root "${DOCKER_REG_ROOT}" run \
    --detach \
    --env REGISTRY_AUTH=htpasswd \
    --env REGISTRY_AUTH_HTPASSWD_PATH="/auth/htpasswd" \
@ -195,7 +173,6 @@ function _setup_docker_registry() {
    --env REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    --env REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    --name "${DOCKER_REG_NAME}" \
-    --network slirp4netns \
    --privileged \
    --publish 50000:5000 \
    --rm \
@ -204,20 +181,20 @@ function _setup_docker_registry() {
    "${IMAGES[docker-reg]}"
  assert_success

-  run "$PODMAN" login \
-    --authfile "${TEMP_BASE_DIR}/authfile.json" \
+  run podman login \
+    --authfile "${BATS_SUITE_TMPDIR}/authfile.json" \
    --username user \
    --password user \
    "${DOCKER_REG_URI}"
  assert_success

  # Add fedora-toolbox:34 image to the registry
-  run "$SKOPEO" copy --dest-authfile "${TEMP_BASE_DIR}/authfile.json" \
+  run skopeo copy --dest-authfile "${BATS_SUITE_TMPDIR}/authfile.json" \
    dir:"${IMAGE_CACHE_DIR}"/fedora-toolbox-34 \
    docker://"${DOCKER_REG_URI}"/fedora-toolbox:34
  assert_success

-  run rm "${TEMP_BASE_DIR}/authfile.json"
+  run rm "${BATS_SUITE_TMPDIR}/authfile.json"
  assert_success
 }

@ -225,13 +202,13 @@ function _setup_docker_registry() {
 # Stop, removes and cleans after a locally hosted Docker registry
 function _clean_docker_registry() {
  # Stop Docker registry container
-  if "$PODMAN" --root "$DOCKER_REG_ROOT" container exists "$DOCKER_REG_NAME"; then
-    "$PODMAN" --root "${DOCKER_REG_ROOT}" stop --time 0 "${DOCKER_REG_NAME}"
+  if podman --root "$DOCKER_REG_ROOT" container exists "$DOCKER_REG_NAME"; then
+    podman --root "${DOCKER_REG_ROOT}" stop --time 0 "${DOCKER_REG_NAME}"
  fi

  # Clean up Podman's registry root state
-  "$PODMAN" --root "${DOCKER_REG_ROOT}" rm --all --force
-  "$PODMAN" --root "${DOCKER_REG_ROOT}" rmi --all --force
+  podman --root "${DOCKER_REG_ROOT}" rm --all --force
+  podman --root "${DOCKER_REG_ROOT}" rmi --all --force
  # Remove Docker registry dir
  rm --force --recursive "${DOCKER_REG_ROOT}"
  # Remove dir with created registry certificates
@ -242,7 +219,7 @@ function _clean_docker_registry() {
 function build_image_without_name() {
  echo -e "FROM scratch\n\nLABEL com.github.containers.toolbox=\"true\"" > "$BATS_TEST_TMPDIR"/Containerfile

-  run "$PODMAN" build "$BATS_TEST_TMPDIR"
+  run podman build "$BATS_TEST_TMPDIR"

  assert_success
  assert_line --index 0 --partial "FROM scratch"
@ -332,12 +309,12 @@ function pull_distro_image() {
  fi

  # No need to copy if the image is already available in Podman
-  if "$PODMAN" image exists "${image}"; then
+  if podman image exists "${image}"; then
    return 0
  fi

  # https://github.com/containers/skopeo/issues/547 for the options for containers-storage
-  run "$SKOPEO" copy "dir:${IMAGE_CACHE_DIR}/${image_archive}" "containers-storage:[overlay@$ROOTLESS_PODMAN_STORE_DIR+$ROOTLESS_PODMAN_STORE_DIR]${image}"
+  run skopeo copy "dir:${IMAGE_CACHE_DIR}/${image_archive}" "containers-storage:[overlay@$ROOTLESS_PODMAN_STORE_DIR+$ROOTLESS_PODMAN_STORE_DIR]${image}"

  # shellcheck disable=SC2154
  if [ "$status" -ne 0 ]; then
@ -369,7 +346,7 @@ function pull_default_image_and_copy() {
  image="${IMAGES[$distro]}:$version"

  # https://github.com/containers/skopeo/issues/547 for the options for containers-storage
-  run "$SKOPEO" copy \
+  run skopeo copy \
      "containers-storage:[overlay@$ROOTLESS_PODMAN_STORE_DIR+$ROOTLESS_PODMAN_STORE_DIR]$image" \
      "containers-storage:[overlay@$ROOTLESS_PODMAN_STORE_DIR+$ROOTLESS_PODMAN_STORE_DIR]$image-copy"

@ -432,7 +409,7 @@ function start_container() {
  local container_name
  container_name="$1"

-  "$PODMAN" start "$container_name" >/dev/null \
+  podman start "$container_name" >/dev/null \
    || fail "Podman couldn't start the container '$container_name'"
 }

@ -459,11 +436,11 @@ function container_started() {
  local num_of_retries=5

  for ((j = 0; j < num_of_retries; j++)); do
-    run --separate-stderr "$PODMAN" logs "$container_name"
+    run --separate-stderr podman logs "$container_name"

    # shellcheck disable=SC2154
    if [ "$status" -ne 0 ]; then
-      fail "Failed to invoke '$PODMAN logs'"
+      fail "Failed to invoke 'podman logs'"
      ret_val="$status"
      break
    fi
@ -496,26 +473,26 @@ function stop_container() {
  container_name="$1"

  # Make sure the container is running before trying to stop it
-  "$PODMAN" start "$container_name" >/dev/null \
+  podman start "$container_name" >/dev/null \
    || fail "Podman couldn't start the container '$container_name'"
-  "$PODMAN" stop "$container_name" >/dev/null \
+  podman stop "$container_name" >/dev/null \
    || fail "Podman couldn't stop the container '$container_name'"
 }


 # Returns the name of the latest created container
 function get_latest_container_name() {
-  "$PODMAN" ps --latest --format "{{ .Names }}"
+  podman ps --latest --format "{{ .Names }}"
 }


 function list_images() {
-  "$PODMAN" images --all --format "{{.ID}}" | wc --lines
+  podman images --all --format "{{.ID}}" | wc --lines
 }


 function list_containers() {
-  "$PODMAN" ps --all --quiet | wc --lines
+  podman ps --all --quiet | wc --lines
 }


@ -563,7 +540,10 @@ function get_system_version() (
  # shellcheck disable=SC1090
  . "$os_release"

-  echo "$VERSION_ID"
+  local system_version="$VERSION_ID"
+  [ "$ID" = "arch" ] && system_version="latest"
+
+  echo "$system_version"
 )


--- a/test/system/meson.build
+++ b/test/system/meson.build
@ -16,6 +16,8 @@ test_system = files(
  '211-dbus.bats',
  '220-environment-variables.bats',
  '230-cdi.bats',
+  '250-kerberos.bats',
+  '270-rpm.bats',
  '501-create.bats',
  '504-run.bats',
  '505-enter.bats',
--- a/test/system/setup_suite.bash
+++ b/test/system/setup_suite.bash
@ -1,6 +1,6 @@
 # shellcheck shell=bash
 #
-# Copyright © 2021 – 2024 Red Hat, Inc.
+# Copyright © 2021 – 2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -85,6 +85,5 @@ teardown_suite() {
    _clean_docker_registry
  fi

-  _clean_cached_images
-  _clean_temporary_storage
+  podman system reset --force >/dev/null
 }