From 363ba90c3c6a06213a10e35a3b62ead5e4b36be4 Mon Sep 17 00:00:00 2001
From: Stefan Reimer <stefan@zero-downtime.net>
Date: Wed, 3 Apr 2024 14:27:05 +0000
Subject: [PATCH] feat: KubeZero v1.28

---
 Dockerfile                                    |   4 +--
 abuilder                                      |   2 +-
 kubezero/aws-iam-authenticator/APKBUILD       |   4 +--
 kubezero/aws-neuron-driver/APKBUILD           |   3 ++
 kubezero/cri-o/APKBUILD                       |   8 +++---
 kubezero/cri-o/fix-test.patch                 |  24 ++++++++--------
 kubezero/cri-o/remove-systemd-files.patch     |   4 +--
 kubezero/cri-tools/APKBUILD                   |   4 +--
 kubezero/docker-registry/APKBUILD             |   4 +--
 kubezero/ecr-credential-provider/APKBUILD     |   4 +--
 kubezero/etcdhelper/APKBUILD                  |   2 +-
 kubezero/falcoctl/APKBUILD                    |   9 ++----
 kubezero/glibc/APKBUILD                       |   2 +-
 kubezero/kubernetes/APKBUILD                  |   4 +--
 kubezero/kubezero/APKBUILD                    |  13 +++++----
 kubezero/nvidia-container-toolkit/APKBUILD    |  26 ++++++------------
 .../lib/x86_64-linux-gnu/libpsx.so.2          |   1 +
 .../lib/x86_64-linux-gnu/libpsx.so.2.66       | Bin 0 -> 22592 bytes
 kubezero/nvidia-drivers/APKBUILD              |   5 ++--
 kubezero/nvidia-open-gpu/APKBUILD             |   5 +++-
 kubezero/zdt-base/APKBUILD                    |  13 +++++++--
 kubezero/zdt-base/cloudbender.start           |  10 +++++++
 kubezero/zdt-base/cloudbender.stop            |   0
 kubezero/zdt-base/common.sh                   |  12 ++------
 24 files changed, 86 insertions(+), 77 deletions(-)
 create mode 120000 kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2
 create mode 100644 kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2.66
 create mode 100644 kubezero/zdt-base/cloudbender.start
 create mode 100644 kubezero/zdt-base/cloudbender.stop

diff --git a/Dockerfile b/Dockerfile
index 5d8aefc..6a13c51 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,8 +21,8 @@ RUN     adduser -D $BUILDUSER && \
         echo "permit nopass :abuild" > /etc/doas.d/doas.conf && \
         install -d -g abuild -m 775 /var/cache/distfiles && \
         install -d -g abuild -m 775 /packages && \
-        echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subuid && \
-        echo -e "$BUILDUSER:1:999\n$BUILDUSER:1001:64535" > /etc/subgid && \
+        echo -e "$BUILDUSER:1001:64535" > /etc/subuid && \
+        echo -e "$BUILDUSER:1001:64535" > /etc/subgid && \
         echo "@kubezero https://cdn.zero-downtime.net/alpine/${ALPINE}/kubezero" >> /etc/apk/repositories && \
         wget -q -O /etc/apk/keys/stefan@zero-downtime.net-61bb6bfb.rsa.pub https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub
 
diff --git a/abuilder b/abuilder
index 48b115d..0f580bc 100755
--- a/abuilder
+++ b/abuilder
@@ -38,7 +38,7 @@ else
     # If checksum is OK, build package
     APKBUILD=$pkg abuild verify && rc=$? || rc=$?
     if [ $rc -eq 0 ]; then
-      CHOST=$TARGET_ARCH APKBUILD=$pkg abuild -r
+      APKBUILD=$pkg abuild -r
 
     else
       APKBUILD=$pkg abuild checksum
diff --git a/kubezero/aws-iam-authenticator/APKBUILD b/kubezero/aws-iam-authenticator/APKBUILD
index 868a25f..5577f6a 100644
--- a/kubezero/aws-iam-authenticator/APKBUILD
+++ b/kubezero/aws-iam-authenticator/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=aws-iam-authenticator
-pkgver=0.6.11
+pkgver=0.6.14
 pkgrel=0
 pkgdesc="AWS aws-iam-authenticator"
 url="https://github.com/kubernetes-sigs/aws-iam-authenticator"
@@ -20,5 +20,5 @@ package() {
 }
 
 sha512sums="
-6d78fbe95d6e36a7a3835b4df257e96fff3ab53fe4abd8ef525c24aebaf8727e2a6016107024bebe031b2e24295172190407ca892d1b3478329c62cdd9fe553f  aws-iam-authenticator-0.6.11.tar.gz
+26a6b394fbe767910f605a356032338a4ec254b81cd470796e3137e3595fef338bd213dee8d956c8d23e16f5508741e78664cd0f8b1acd97321d2fb5b7b723af  aws-iam-authenticator-0.6.14.tar.gz
 "
diff --git a/kubezero/aws-neuron-driver/APKBUILD b/kubezero/aws-neuron-driver/APKBUILD
index c804418..7e356fc 100644
--- a/kubezero/aws-neuron-driver/APKBUILD
+++ b/kubezero/aws-neuron-driver/APKBUILD
@@ -30,6 +30,9 @@ build() {
   # Hack running the build inside a container other uname -r returns host kernel
   KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
 
+  unset CFLAGS CPPFLAGS CXXFLAGS
+  unset LDFLAGS
+
   make KERNEL_SRC_DIR=/lib/modules/$KERNEL_VERSION/build
 }
 
diff --git a/kubezero/cri-o/APKBUILD b/kubezero/cri-o/APKBUILD
index 8160594..f8f62d9 100644
--- a/kubezero/cri-o/APKBUILD
+++ b/kubezero/cri-o/APKBUILD
@@ -3,7 +3,7 @@
 # Contributor: TBK <alpine@jjtc.eu>
 # Maintainer: ungleich <foss@ungleich.ch>
 pkgname=cri-o
-pkgver=1.27.1
+pkgver=1.28.4
 pkgrel=0
 pkgdesc="OCI-based implementation of Kubernetes Container Runtime Interface"
 url="https://github.com/cri-o/cri-o/"
@@ -103,13 +103,13 @@ package() {
 }
 
 sha512sums="
-27fb79141dd60c1744df8761a4d43603256f7f06e32d2f9c76be62b95dcf62924c7501d0461efabb013ae397c16030b6a2b037eeaae7a5daec7c28943f71bc7e  cri-o-1.27.1.tar.gz
+8d27211a4baad86d5251faa396a23d78d2962de894124be851172d6e85fbf3c0da57ec08f70840c7d8526dc6daa93999485a8d92a1d2c33b374eff84b1e063ae  cri-o-1.28.4.tar.gz
 1f60719677295c9c5c615eb25d9159bde0af68a132eee67747f57fe76642d457c98c896c6189f85637d7b4ac24ba55fd9eaeb1699f43c3c5077b645f72a479fb  crio.conf
 e9149cc2ddd24328c5290d3aea895c01e2798e066897535384f615a556496acdd52a603a0f4ac3c4c70bd5c363592f23c8b4d1987bf738300112fc62e1def555  crio.initd
 1115228546a696eeebeb6d4b3e5c3152af0c99a2559097fc5829d8b416d979c457b4b1789e0120054babf57f585d3f63cbe49949d40417ae7aab613184bf4516  crio.logrotated
 0a567dfa431ab1e53f2a351689be8d588a60cc5fcdbda403ec4f8b6ab9b1c18ad425f6c47f9a5ab1491e3a61a269dc4efa6a59e91e7521fa2b6bb165074aa8e0  cni-plugins-path.patch
 f9577aa7b1c90c6809010e9e406e65092251b6e82f6a0adbc3633290aa35f2a21895e1a8b6ba4b6375dcad3e02629b49a34ab16387e1c36eeb32c8f4dac74706  makefile-fix-install.patch
-1c1bfa5feeb0c5ddc92271a5ef80edc38d56afa1574ffc124605d5bb227a407b55dd5268df6cebc6720768ac31245e08b7950e5ab2b7f14ba934c94f1e325f86  fix-test.patch
-78c150f87027de489289596371dce0465159ced0758776b445deb58990e099de9c654406183c9da3cc909878b24d28db62121b7056cd180a6f2820e79e165cc6  remove-systemd-files.patch
+b0fdaf2280968a69e05ef72288bbf6fc03787616c6b6fca1e4398f9849167f4773e5e6e72bf1738d1fff2a84e97aa00f23aabcd50898ba8ed130969f50363006  fix-test.patch
+ae7e4a43f18076f19f3ae37d7302bfdf7a3befadf33e46bc9b1b14d50b605e8ba0d06d479568c24e8bf68f17c80ae48798068b2a46c3bcab565a5d225779f30e  remove-systemd-files.patch
 79e1a7c6183ba56f55d923e9d738be945564494042bc011d31e9195f66c268d702ee5c86711d4b46618285fc1b10b59ea55c321390feca770cfc7de334e103bd  crictl.yaml
 "
diff --git a/kubezero/cri-o/fix-test.patch b/kubezero/cri-o/fix-test.patch
index 271773e..bf4f8ef 100644
--- a/kubezero/cri-o/fix-test.patch
+++ b/kubezero/cri-o/fix-test.patch
@@ -21,7 +21,7 @@ index 8beb6f06..80193413 100644
 +		skip "need systemd cgroup manager"
 +	fi
 +
- 	CONTAINER_CGROUP_MANAGER="systemd" CONTAINER_DROP_INFRA_CTR=false CONTAINER_MANAGE_NS_LIFECYCLE=false CONTAINER_CONMON_CGROUP="customcrioconmon.slice" start_crio
+ 	CONTAINER_CGROUP_MANAGER="systemd" CONTAINER_DROP_INFRA_CTR=false CONTAINER_CONMON_CGROUP="customcrioconmon.slice" start_crio
  
  	jq '	 .linux.cgroup_parent = "Burstablecriotest123.slice"' \
 @@ -77,6 +85,10 @@ EOF
@@ -48,20 +48,20 @@ index 04492172..abae521e 100755
  
  if [[ "${DEBUG_ARGS}" == "malformed-result" ]]; then
      cat <<-EOF
-diff --git a/test/helpers.bash b/test/helpers.bash
+diff --git a/test/common.sh b/test/common.sh
 index f7f8e1f2..45b7dd58 100644
---- a/test/helpers.bash
-+++ b/test/helpers.bash
-@@ -38,7 +38,7 @@ CONTAINER_UID_MAPPINGS=${CONTAINER_UID_MAPPINGS:-}
- CONTAINER_GID_MAPPINGS=${CONTAINER_GID_MAPPINGS:-}
- OVERRIDE_OPTIONS=${OVERRIDE_OPTIONS:-}
- # CNI path
--CONTAINER_CNI_PLUGIN_DIR=${CONTAINER_CNI_PLUGIN_DIR:-/opt/cni/bin}
-+CONTAINER_CNI_PLUGIN_DIR=${CONTAINER_CNI_PLUGIN_DIR:-/usr/libexec/cni}
+--- a/test/common.sh
++++ b/test/common.sh
+@@ -41,7 +41,7 @@ # CNI path
+ if command -v host-local >/dev/null; then
+     CONTAINER_CNI_PLUGIN_DIR=${CONTAINER_CNI_PLUGIN_DIR:-$(dirname "$(readlink "$(command -v host-local)")")}
+ else
+-    CONTAINER_CNI_PLUGIN_DIR=${CONTAINER_CNI_PLUGIN_DIR:-/opt/cni/bin}
++    CONTAINER_CNI_PLUGIN_DIR=${CONTAINER_CNI_PLUGIN_DIR:-/usr/libexec/cni}
+ fi
  # Runtime
  CONTAINER_DEFAULT_RUNTIME=${CONTAINER_DEFAULT_RUNTIME:-runc}
- RUNTIME_BINARY_PATH=$(command -v "$CONTAINER_DEFAULT_RUNTIME")
-@@ -70,7 +70,7 @@ CHECKCRIU_BINARY=${CHECKCRIU_BINARY:-${CRIO_ROOT}/test/checkcriu/checkcriu}
+@@ -74,7 +74,7 @@ CHECKCRIU_BINARY=${CHECKCRIU_BINARY:-${CRIO_ROOT}/test/checkcriu/checkcriu}
  # The default log directory where all logs will go unless directly specified by the kubelet
  DEFAULT_LOG_PATH=${DEFAULT_LOG_PATH:-/var/log/crio/pods}
  # Cgroup manager to be used
diff --git a/kubezero/cri-o/remove-systemd-files.patch b/kubezero/cri-o/remove-systemd-files.patch
index 9f8e545..bf1a0ab 100644
--- a/kubezero/cri-o/remove-systemd-files.patch
+++ b/kubezero/cri-o/remove-systemd-files.patch
@@ -6,8 +6,8 @@ index 19f8052..135385c 100644
  	sed -i '/# INCLUDE/q' scripts/get
  	cat contrib/bundle/install-paths contrib/bundle/install >> scripts/get
  
--install: .gopathok install.bin install.man install.completions install.systemd install.config
-+install: .gopathok install.bin install.man install.completions install.config
+-install: install.bin install.man install.completions install.systemd install.config
++install: install.bin install.man install.completions install.config
  
  install.bin-nobuild:
  	install ${SELINUXOPT} -D -m 755 bin/crio $(BINDIR)/crio
diff --git a/kubezero/cri-tools/APKBUILD b/kubezero/cri-tools/APKBUILD
index 7b219fb..aa24db7 100644
--- a/kubezero/cri-tools/APKBUILD
+++ b/kubezero/cri-tools/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Francesco Colista <fcolista@alpinelinux.org>
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=cri-tools
-pkgver=1.27.1
+pkgver=1.28.0
 pkgrel=0
 pkgdesc="CLI tool for Kubelet Container Runtime Interface (CRI)"
 url="https://github.com/kubernetes-sigs/cri-tools"
@@ -27,5 +27,5 @@ package() {
 }
 
 sha512sums="
-7e4349fa9a0a16d27fbde363a26978fe6e65a326d29b344f13cd2b43009f12f8cdf14fd9557ac29beb913d4258160e0fa4108d40378dd1216ff631922e40392e  cri-tools-1.27.1.tar.gz
+222d3785dc7e8485538b4745766494be02d359347eb1337c9dd04839e19269d768922ff04f07d1fb72291c3554ecf91b382307253a288c9376079135a625cc0c  cri-tools-1.28.0.tar.gz
 "
diff --git a/kubezero/docker-registry/APKBUILD b/kubezero/docker-registry/APKBUILD
index 18f7af4..6efde57 100644
--- a/kubezero/docker-registry/APKBUILD
+++ b/kubezero/docker-registry/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Christian Kampka <christian@kampka.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=docker-registry
-pkgver=2.8.2_git20230519
+pkgver=2.8.3
 pkgrel=0
 pkgdesc="An implementation of the Docker Registry HTTP API V2 for use with docker 1.6+"
 url="https://github.com/distribution/distribution"
@@ -57,7 +57,7 @@ package() {
 }
 
 sha512sums="
-8ceb8b994085bc6522e8a203785bd670977117988d391023148a4153e3c150ad7c17fb98de863c4c2300714022444dc5141a75a2899b8b0f04cbbdc17794b5c7  docker-registry-2.8.2_git20230519.tar.gz
+8ceb8b994085bc6522e8a203785bd670977117988d391023148a4153e3c150ad7c17fb98de863c4c2300714022444dc5141a75a2899b8b0f04cbbdc17794b5c7  docker-registry-2.8.3.tar.gz
 96100a4de311afa19d293a3b8a63105e1fcdf49258aa8b1752befd389e6b4a2b1f70711341ea011b450d4468bd37dbd07a393ffab3b9aa1b2213cf0fdd915904  docker-registry.initd
 5a38f4d3f0ee5cd00c0a5ced744eb5b29b839da5921adea26c5de3eb88b6b2626a7ba29b1ab931e5f8fbfafbed8c94cb972a58737ec0c0a69cf515c32139e387  config-example.patch
 "
diff --git a/kubezero/ecr-credential-provider/APKBUILD b/kubezero/ecr-credential-provider/APKBUILD
index 9aaa0cc..e41121b 100644
--- a/kubezero/ecr-credential-provider/APKBUILD
+++ b/kubezero/ecr-credential-provider/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=ecr-credential-provider
-pkgver=1.27.1
+pkgver=1.28.1
 pkgrel=0
 pkgdesc="AWS Kubernetes ecr-credential-provider"
 url="https://github.com/kubernetes/cloud-provider-aws"
@@ -24,5 +24,5 @@ package() {
 }
 
 sha512sums="
-d7a28f4fb3cb2a1e7ee8d94405e3268608562af0ac509b51c32fcca19353eb68c87b023bd7dae1e84a76d9e856e4951cbc8a2260bab358d1eb492e47caedd29d  ecr-credential-provider-1.27.1.tar.gz
+b9adc389be9301dc4be36c6bf546f354b9f2895cbad13d28d074dbab77f9aecec8d5fd02590d21c2a4acc91b559371adfe9702898c7880d92aea6657b315a539  ecr-credential-provider-1.28.1.tar.gz
 "
diff --git a/kubezero/etcdhelper/APKBUILD b/kubezero/etcdhelper/APKBUILD
index f0bdf46..586a789 100644
--- a/kubezero/etcdhelper/APKBUILD
+++ b/kubezero/etcdhelper/APKBUILD
@@ -22,5 +22,5 @@ package() {
 }
 
 sha512sums="
-97abd4e5a0078112a048037512b041bcefb9e660131403e9c87bf5fc8b632eb17ab66d20a477a2ef4808f54ae29941d74bd61390143e5781058d7bbd4333dd78  etcdhelper-0.1.0.tar.gz
+d1f3d239899a2392d11c45ea49b3bfc18255c00933e677f02eab1f0f59a940722fb40de1842a8a4253aabf066508be028443adb8920e82673342ba50130556ca  etcdhelper-0.1.0.tar.gz
 "
diff --git a/kubezero/falcoctl/APKBUILD b/kubezero/falcoctl/APKBUILD
index 84b1619..3b2c4f5 100644
--- a/kubezero/falcoctl/APKBUILD
+++ b/kubezero/falcoctl/APKBUILD
@@ -1,14 +1,13 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=falcoctl
-pkgver=0.6.2
+pkgver=0.7.3
 pkgrel=0
 pkgdesc="The official CLI tool for working with Falco and its ecosystem components."
 url="https://github.com/falcosecurity/falcoctl"
 arch="x86_64 aarch64"
 license="AGPL-3.0"
-# requires go > 1.20, we only have 1.20 in 3.18 so hack
-makedepends="bash"
+makedepends="bash go"
 options="!check"
 
 
@@ -22,8 +21,6 @@ export GOMODCACHE="${GOMODCACHE:-"$srcdir/go"}"
 export GOBIN="$GOPATH/bin"
 
 build() {
-  # Hack until go 1.21 is stable
-  doas apk add go@edge-community
   make GOFLAGS="-buildmode=pie -v" GOLDFLAGS="-extldflags=-static -w -s" falcoctl
 
   # cleanup 444 files
@@ -36,5 +33,5 @@ package() {
 }
 
 sha512sums="
-e09f1e5e08e0f47d0c90ea2c93cf911ecef8179d821ed286cc7f8af78bd0db200f847d1c963c323f24eca9a854e161af36a444962330b55e696cb8e410fb5761  falcoctl-0.6.2.tar.gz
+61e539322c91125569c432ea1fc98c84b928795089829a062e6b5c74c7d1223cd71e557b7a8972ba7c6d1b534d1b87da254ee01e12c14038ced5a8f85a22a623  falcoctl-0.7.3.tar.gz
 "
diff --git a/kubezero/glibc/APKBUILD b/kubezero/glibc/APKBUILD
index 334b1a6..0584af5 100644
--- a/kubezero/glibc/APKBUILD
+++ b/kubezero/glibc/APKBUILD
@@ -15,7 +15,7 @@ triggers="$pkgname-bin.trigger=/lib:/usr/lib:/usr/glibc-compat/lib:/lib64"
 options="!check lib64"
 
 package() {
-  conflicts="libc6-compat"
+  conflicts="gcompat"
   mkdir -p "$pkgdir/lib" "$pkgdir/lib64" "$pkgdir/usr/glibc-compat/lib/locale" "$pkgdir"/usr/glibc-compat/lib64 "$pkgdir"/etc
   cp -a "$srcdir"/usr "$pkgdir"
   cp "$srcdir"/ld.so.conf "$pkgdir"/usr/glibc-compat/etc/ld.so.conf
diff --git a/kubezero/kubernetes/APKBUILD b/kubezero/kubernetes/APKBUILD
index 030d74d..a79a530 100644
--- a/kubezero/kubernetes/APKBUILD
+++ b/kubezero/kubernetes/APKBUILD
@@ -5,7 +5,7 @@
 # Contributor: Dave <dj.2dixx@gmail.com>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=kubernetes
-pkgver=1.27.8
+pkgver=1.28.8
 pkgrel=0
 pkgdesc="Container Cluster Manager"
 url="https://kubernetes.io/"
@@ -205,7 +205,7 @@ _do_zshcomp() {
 }
 
 sha512sums="
-ddc14d21ba470d24d115de67cdb801c742f04124101ff0e2741170971fdf6bcf0a75ef82807d63394dd8b06dc186a86cccf93a7aab4f9e49b922b981ce5ed8aa  kubernetes-1.27.8.tar.gz
+2bbc48394784b34712c6b419cd07971780410223e7015c5fe6ed2c25c4e9499e81c9ea1f4269d399fd7e908971f5b8e873595d2b67332f7b49f61a5411a2aed1  kubernetes-1.28.8.tar.gz
 5427c2e653504cfd5b0bcaf195d4734ee40947ddfebc9f155cd96dddccfc27692c29d94af4ac99f1018925b52995c593b584c5d7a82df2f185ebce1a9e463c40  make-e2e_node-run-over-distro-bins.patch
 94d07edfe7ca52b12e85dd9e29f4c9edcd144abc8d120fb71e2a0507f064afd4bac5dde30da7673a35bdd842b79a4770a03a1f3946bfae361c01dd4dc4903c64  make-test-cmd-run-over-hyperkube-based-kubectl.patch
 e690daff2adb1013c92124f32e71f8ed9a18c611ae6ae5fcb5ce9674768dbf9d911a05d7e4028488cda886e63b82e8ac0606d14389a05844c1b5538a33dd09d1  kube-apiserver.initd
diff --git a/kubezero/kubezero/APKBUILD b/kubezero/kubezero/APKBUILD
index 0b6dd9a..b5a356d 100644
--- a/kubezero/kubezero/APKBUILD
+++ b/kubezero/kubezero/APKBUILD
@@ -1,7 +1,10 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=kubezero
-pkgver=1.27
+pkgver=1.28.8
+_crio=1.28.4
+_ecr=1.28.1
+
 pkgrel=0
 pkgdesc="KubeZero release package"
 url="https://git.zero-downtime.net/ZeroDownTime/alpine-overlay/src/branch/master/kubezero/kubezero"
@@ -11,11 +14,11 @@ depends="
         podman
         xz
         cri-tools
-        cri-o~$pkgver
+        cri-o~$_crio
         kubelet~$pkgver
         kubectl~$pkgver
-        ecr-credential-provider~$pkgver
-        aws-iam-authenticator~0.6.11
+        ecr-credential-provider~$_ecr
+        aws-iam-authenticator~0.6.14
         "
 options="!check"
 #install="$pkgname.post-install"
@@ -25,7 +28,7 @@ subpackages="
         "
 
 IMAGES="
-       quay.io/cilium/cilium:v1.14.4
+       quay.io/cilium/cilium:v1.15.3
        ghcr.io/k8snetworkplumbingwg/multus-cni:v3.9.3
        "
 
diff --git a/kubezero/nvidia-container-toolkit/APKBUILD b/kubezero/nvidia-container-toolkit/APKBUILD
index a5c6763..e707423 100644
--- a/kubezero/nvidia-container-toolkit/APKBUILD
+++ b/kubezero/nvidia-container-toolkit/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=nvidia-container-toolkit
-pkgver=1.13.5
+pkgver=1.14.6
 pkgrel=0
 pkgdesc="NVIDIA Container toolkit incl. cri hooks"
 url="https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/overview.html"
@@ -12,14 +12,12 @@ depends="glibc-bin nvidia-drivers"
 options="!check !tracedeps"
 
 _nv_ver="$pkgver"-1
-_libcap=2.25-2
-_libseccomp=2.3.3-4
+_libcap=2.44-1
 
-source="https://nvidia.github.io/libnvidia-container/stable/debian10/amd64/libnvidia-container1_"$_nv_ver"_amd64.deb
-        https://nvidia.github.io/libnvidia-container/stable/debian10/amd64/libnvidia-container-tools_"$_nv_ver"_amd64.deb
-        https://nvidia.github.io/libnvidia-container/stable/debian10/amd64/nvidia-container-toolkit_"$_nv_ver"_amd64.deb
+source="https://nvidia.github.io/libnvidia-container/stable/deb/amd64/libnvidia-container1_"$_nv_ver"_amd64.deb
+        https://nvidia.github.io/libnvidia-container/stable/deb/amd64/libnvidia-container-tools_"$_nv_ver"_amd64.deb
+        https://nvidia.github.io/libnvidia-container/stable/deb/amd64/nvidia-container-toolkit_"$_nv_ver"_amd64.deb
 	http://deb.debian.org/debian/pool/main/libc/libcap2/libcap2_"$_libcap"_amd64.deb
-	http://deb.debian.org/debian/pool/main/libs/libseccomp/libseccomp2_"$_libseccomp"_amd64.deb
 	config.toml
 	oci-nvidia-hook.json
 	"
@@ -52,11 +50,6 @@ package() {
   mv lib/x86_64-linux-gnu/libcap.so.* "$pkgdir"/usr/glibc-compat/lib
   rm -rf control.tar.xz data.tar.xz debian-binary usr
 
-  # libseccomp
-  ar -x "$srcdir"/libseccomp2_"$_libseccomp"_amd64.deb && tar xfJ data.tar.xz
-  mv usr/lib/x86_64-linux-gnu/libseccomp.so.* "$pkgdir"/usr/glibc-compat/lib
-  rm -rf control.tar.xz data.tar.xz debian-binary usr
-
   # Now lets patch the elf binaries to fix library paths and order
   doas apk add patchelf@edge-community
   patchelf --remove-rpath "$pkgdir"/usr/bin/nvidia-container-cli
@@ -68,11 +61,10 @@ package() {
 }
 
 sha512sums="
-903155c63c7af83dbd431ba3e5bc0d8ca74cce38996bf944b80520b5838f9765bbc0cbe201122d8ccc21cbd01dd4c4e47d2b451bdab7fadc99a8d75b941fda67  libnvidia-container1_1.13.5-1_amd64.deb
-2d4cbbdd80db2730b1ed9db8d4b36c5212ce5361350dcdfbc5795dac887136cecd40c13843e61350bad12b103cd1550030c76de35a2cbbca2a6df3850b6b68ca  libnvidia-container-tools_1.13.5-1_amd64.deb
-8614c2b436dab3886df6a2328b3753c27704dd3a78f0abe5c333c57fb4ee8deebb6fc03051931b3794bf152d947b721c160acf6614e5145b39bb7162d1ef45d8  nvidia-container-toolkit_1.13.5-1_amd64.deb
-694a3ec64ef3056d5874ff03b889b868c294bccb16506468fdf1c289fe3aaadc2da25a5934de653af9633a5d993d2bb21491d84b3b2e2529e6b31d92c78a2228  libcap2_2.25-2_amd64.deb
-5a4eaa96e6e774948889909d618a8ed44a82f649cbba11622dc7b4478098bea006995d5a5a60ca026a57b76ad866d1e2c6caebd154a26eb6bd7e15291b558057  libseccomp2_2.3.3-4_amd64.deb
+ac73361c10498cdb15e6facbc78867c576fe7a79e6e41e85eed57a24f49d35ec4d21663777549e30b62601e463a0a62e28a219daae13cf20fa9ac7b64bbc9daa  libnvidia-container1_1.14.6-1_amd64.deb
+08697b2133f198b056b6b5aade64574ee1e40ddbeaa5d73aa7b42642c6ac67a99ad8cc4a24465ef226a5596ddfed30fcf790ffe57d351c433869486269ba3ea3  libnvidia-container-tools_1.14.6-1_amd64.deb
+bc8aaae2f6c7f93d307a3c11fe77db2b0a4dbc59b4c4ab46d4d655ee522edc6d0b2882b08034aaf5b007d889d661e368d28a379c53605c7da788660b4eba86f4  nvidia-container-toolkit_1.14.6-1_amd64.deb
+cc9109cdcf51dc40db732e10ac3eda7e4ac73299ad51d2ec619d7f4cff3f0311be0937530d2175e5486c393bc9e91c709072094fad510573785739afaad831f1  libcap2_2.44-1_amd64.deb
 040ac2e3f58549dc09e5bce0d694e4be2f6aae736014bf0ee90042646562d5f1ef1f5990eb9f2c2a2fdf504587b82f4aa0eb99d04c5d3e407670e4012e3edd4e  config.toml
 0f150ea59b2372bf3ef60e657142b19f46500d1c70cb179d37ce117d6b03e86427dbf356873affb7639e082a07f852a922ae3aea4a8f8885640e43675c4e4add  oci-nvidia-hook.json
 "
diff --git a/kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2 b/kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2
new file mode 120000
index 0000000..019a2e2
--- /dev/null
+++ b/kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2
@@ -0,0 +1 @@
+libpsx.so.2.66
\ No newline at end of file
diff --git a/kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2.66 b/kubezero/nvidia-container-toolkit/lib/x86_64-linux-gnu/libpsx.so.2.66
new file mode 100644
index 0000000000000000000000000000000000000000..89d3e121f6b77a1c51e55dd36f8d2d510425ff8b
GIT binary patch
literal 22592
zcmeHPdw5jUwLh6;AO@Hjl}LEWh=WCekN}B^I+BD0&fr8N0wRdRB$*)tlZP{BAgE|G
z337TEj4k!j-g--0%ja#i7Zok#T8#z?R`0!tZ|j3v#516PRuQQ(_qX=hdvX$){?q=|
zFPm>>?e*Jht-bczkF)m<XYQ)<&b4G@NFrrQS4+f|U2Y&{yrAuRo&hP7N~B@<9xIKJ
zhJepvm{DG45R@9J!P1{*b37B2^iGr;z(6{V%L(e>Jo!d?>5}6-qeM`NE0Ug-ik$R?
z<YeC|nmgLy1vTrj`pUTc0D6i7fF!6{kBVe3E0*M&`_pa;08%#B7kU&ff|hW-C0tL?
z6VwnSK}9^tNBTU><2{hNNC`<$lBHDhky20j;T4Si4t?5yB|(MW_0SWpbCJJGME@<|
z^`(o;E*=*_d2?CYMxq8Po_Fmcsk!#XqNByD^xtLeKJoS^z4r{c?N24-0F@WwLwe-j
zoE?*-iBj7z!e-!8jL$`{etF@--`<}0a_0D(U%qfw?JM{^^z*6Lt#O`wytV0<GtQUZ
zyb)q&O}#+*5bIaIC=Gri`r~Z!6c1-V3kLHWkh96Zng)M4jr}nQz}f7ap9Zf>gC9s^
z|LrvRdujZPrLq5d8k{=tZ2sHP!Dqu`Y5dXB*jbv!Pg<|eX8*c0_+x48pjyd^&%pF_
z8au}zc(!`W)A;|hH29u0_CJIC#DUI$KbS`TiZr;A#?Ob+;FdJ~^++1|jcMw=FAY8w
zcAWSOO#huGKL3>l_rt*1;=eeJ{9MRS99Sv%KcumfpT<sC8u`1?-gD1l|5JwBQ_szD
zT;@R*pW)JeTHugs4I&NYc-u4s$mRHGj<<06OE`WB$G35OBFFCrJy#kfm8~!U@f?^b
z<hlLBXeT8P$GfH*{0IDD@fgR&{$e|qmwdjJjm=HIsN#<(KA+_CEUfm`2O@!$p{Npw
zEUcarZf*)J^w)+1M%md*e08mUUoh0<4~K3GNWn-TAl3Q9;pRH2MQMlx{Pn)Zm=b99
zg_=T23W^58L8&F$>hsqrA^5O5u+CJbL|X!Np<oCm0+C2_MDhh%p&SjZ3^cYV>!Jac
z_t)3+TuY?6uF)S|O%jGdv<=OwTkWfBSnUh?L*bP5y5^?({=T4YUmYA(0@BKW(h{mq
z$%5_kq+esuywxc&qkXZaeqeJ`T_7dFDqZV01;Eg$4@8wnb6?Y$92$XOrgXuwwxLC#
zm1yv)#ul_r#8&i)ug;GO!={p0)88vw8$uYG0<Gv0^g_59-4tCHrH+d-gflbEOfjsl
zjrdzqmGh{<8`$6)kU^g{HN$3|pZYe{kkz4ZSc=v)1nPb3LV<9-6jd<VB2sW|B!t-e
ze8HATs7VP@pBdE#6kjyZ6b&h%H6djkB%;m6XqAG^ErF)uSrWR94K)lqf4vl}3pYmt
zup0>nnjmhn2d`QKbu^ZJ^<mcD0EQJCyXbftT|QqbUVbIm99b=eL$!7J(dPVO%Atvr
zpCQfjdMf7lX5`PzpVgP|gH51WxDTF@UqtiM!v1A&nhBc4@>YCj;vaGJp%M!o%?3Aw
zAwxN8*cggZL(2FzbTWVr{5M3p2+szwFH}Z{&XJ^{(&Zd`{Qd{9VhoYyaDHScG=g^U
z*K$6><g=tDoZrdhGo^aY$HtI7i_{FBlGuNX{ql~B4ZMc$uLa)1acPB7E^xtj`wX0x
zGrmMJV4n#WYa<oxH{r9Gr1ABZ3C}a(2TeHZ8eXQG@b8)APnd9e7K(Jrgck@9bj2+O
zGZaKDy@WKFa4gZO)MCOjQ>Y}hns9cm;$>|noG<yTWTOeEx<%?T;i*`oaH|PNN2by?
z6P}YoaqcnU!%X-N6F%I8?=s;SSgF))!fh#3lJ=Q!y9wWK!o^so;<rq=`8j^jgtG$+
zx22nK^FHK+2|wRd?<o^b=b}{N{Z26!&w47$HsKefgfah2_$U*eXTtf>n3XzB_!yJ?
zWD`Etgcq1_u~(tu5)(e&BwuF2FErt@37=rXYfQM)gfB7S7n$%CCVZj^Z!qCv383N@
z6Yes}x0>)tCcMprUt+>Hn()acyvu}NYQndg@XJj2HWNO@gg<P;`BsdT?l9r`Ciz_^
zoNv)grGweQ2n<GGFam=S7>vMR1O_887=ghE3`Sru0)r9wSBrq${z<m1S^sA?uE;vO
z6-#oz+`cEfC)Lbk(PdXlQgYH%eA_3KAxC@zl_w4+ktR(fp01J-`x!rmc)CJLbTj@u
z;_2!rv4inB#M2d7VjJTv#M2d0qKomT-Qel!DAC6F&xxn&j6@6Lj}T8+MTr%R|B!gP
zB1+US{vG1!YA8|0_yfe#l~AI9@qZ+qu7VOy#y?LyT>&K=jNeT>UHv2^#y?IxUHK$V
zoB=TD*TmCRPvRise?dH5@g(*${wKuK6;7g?@joD*u5J=L82^3Z>B=Utjq&#oPggaG
zF2>(RJYCTw+87@po~~vREsS49JY5+kRxrMnc)FrV)G&T2@pLtlC}aEr;^|5zQNZ~5
z#M4zw!pZmw;>Q#3VEh%tUr4;f_!-1cApXR+)c(tecM^Y)@e_%sE0)B5#*ZPMu2vG=
zj6aWfx>8B(V0;eobd{3W#&`?ybcK@WV*Kf=z|+-9qK)yN6aPKpTNr<Yc)CJKtYG|y
z#M9MDqK5JB5KmVoi896?AfB#D5(SJW`@t^oEXi?q1{{#%R>I}dQ%WwT!*3~%>2OZ+
zpnXCc3HERb`B$hgUi3#Im!6T;6Y_J%X3Ni=%9Jzq%CDSJM#4ax8^}%`4B97D_UZrC
ze&Ojh_peYa#ilHh+uf@uE2|$V!)49g1V+CJQP%76wb!~He8zIrovNSo6Khe({kcKb
z#<yYy^;$QREZOR{)&Za-cm7Gaz^GqVKajPtdi6KSB+%H2WjzLd!!t`D_$(>v6hCV9
zJUQN)S9nrZd-U}f0{SV!)%Rs}jss2m{*{uXmFT}j3Ak@4cxoo8Wy$K2Y*~FvR>vO(
zx~vDWdJqFo-v@o8hGTzACWFCz`-Bd14-1O4=mz=jPaa0~^|F>ViMmx*J6u}<6n4w%
zU*z~Bt~LgKp#K@ZYenaynP`ljN%gBo;8$T%55lhIJ_XO@_!bw1q41=BKS1>Budx=%
zr5y~lckG9;puO2(;owLzr)_a{K}S}t-@*inH@O_(k=f#M8kwKE3Xrj%YmGty1rNE(
zjDkm8HOR<nE{#hR>~yVQf+Ln1{L`)$L$Jfu#tL$;M}hs^@l<X<cTycA)544t#Taql
z$%yq{5d8>i+c-E@cmTt088W@rxABcNG*5rzbTSECJ@zaux%zUjvStLZUY=q^G?pXZ
zy@z7FY<Z7<6cVN`p!FYJ9d|Fg0_vL)V#dXY>!JW^?jM)3aDGUp<GC6QhIo++wL|Ms
zEbRI&taiQDHBg~tLcf&8%tK7fy&hia8(H}Rl*0#!Jzp^Rj3FSaZVw7NPue%%k3z3@
zo>$GC4W#`{hP~r|NnWeKsItyvm_@l$*5*58b;K0LXDYW-3%puIUaxf)AgaNuT60-x
zmeT6g<~zOWh!Kpp+B-Heiwh>R=boDTE!yT)-&i24&lh&<&D6y9J$XHSLo{eV-d)&T
zRd@hh|1g9xyB-ChRQO`A^*Nr0KFkz$C#J##JtraeBVJZj_+sIKqnr6W?6n4je)rMG
zx(W{@ZpCa)#iP_c1I4ktN^L|VGF6=~Vqxe!sSItuGyAkMx(ie8GvI8#VQuLW>r(kb
z%%t{DoZ2l2&O%q7dWUPItSYW-efKHqMdUO<r9HBSQhO&wzf!YW$(A<aef%jx)^h)k
zk)m!!+>e1&b#~i3H&SD}_3OWeA@v1#a4-IIAeMj{vaI%yFH5}f6?tCuWBm>ap}Jar
zb~jV%ol^!X>ABEFu{x&)@pUd+UVd|;0#K0Ja}jUPNKu4#rIrYRiFQ)IC5z_5HLo_}
za*)DquV%dj8T~Ql&I?PHCTIoa>*FGf)jVS?-h_H?kmKWTh4*rNH5&r@Bdk#$=zBoF
zvi=%H81zYHLf`nrx_4af{ECV-UK~sGTJJ)hb}h6Ptz{t|e*#|6`iJ$kB(VWySl?uA
zPPW|nsWMwutB~ndZjsf=a{Tr@Jpz-Yy!#}mW_^MwAC<K!a_L*KeX=_3=Y$yQvFAv2
zsN74zg!53JN$S|D!NjuVi5QHq=L{<w#ZCKw9{uGKO#9UMqIhJ}Lm=+<z&^#pkH2G5
zSoLizfFJ0)K(*Xo0PZ}XTuh-d^#?r%j_XvPX1$9<x?@Lst+yhF6@g7|!=pO*K<hi|
z+sYPV_uGgV)%O|xu9=GeR9<H#XuEqFnNdbj+>Clgpq_U31q8=F>9yt{Ly27Y0gCzp
z@C7)Ucjb#b>bIB-a(tSKdQji;Q{H%80iH5jq1f*!!^id4<U+jYbGE*@XTnQat;EE+
zpGEPw{-2;n&lAso^%xEF*q89@_7$12;|QdTih8Y0_@<<PjWVD);PvHj%M*_|3J>u0
znRu-VYtC`1#DP3|u+o*MKk)@=-QjZL$@LYa5Z48AJnV8(Ti*a6WB%sJ8kDd{C-okE
zHq`_;TdzXJwC+=r`quqPSof*b7?d>S%9msIlk_OUs4o3eSkT`>)ndGt-{_6IKgMJz
zUtGS(8=vMv#LE|Y)Nj~>dNP*Rej&^QfCqK_W|zYo-|3=l6^-d)nDwfkqZ5tieh|D?
zv;=<ur&1ZMp=TB^^iV6}<KLM{OYs>*Mju7Z#fAkVPoILkmYWMz48{w(__+A;uQdLW
zP%*~eXUK`!m_TzpXkDI+MKD`GLguO2<-L`zN_sx%y^tt8;8jl=ow5%sulYd|hKo;v
zw!8m>tSWhIJvYYVdeqzQ-at5w$J>yhM15p|6;fSA6kS1~>FbK~&=nLtqaVs|Dfjj0
zD_{&W-!p>@3`OobmK)MzdOnxmNF6}~T7CTnS$zrPn9RuPRW24<w#Gk0aX(AH=yy^L
zSi(DK>p|NyFGiHZqweYJtjP#Cy8H_o?D6r7;DO!>El+$Qx)j?AC`$TvAX?E@6jJwW
zWbyhuRk{(Sh#$uMNyJ0Hi3j3VP%U>El+bhIs5ATKb<yY4f3vBKtsjNR(HW5fcqub?
ztndIfcGHk&4=-7}%H>u6j19;btX}#e;N|KIo!xg`ZR*G*tbQl-_Rb%ZVI%yNs&485
z_+$8eHT=ekaaSSS{|QwIHy#IVcmF$}Ol5p({p8~>_8Ar4Nrf~HBFIppac~+%q+bhX
zXsLMTL^7GU5f2r_=N$(s_&o}Yu>K!%`claEt*@#6rhV}~W^#*b8&Pah8C5sA9%lGX
z7tL)iw#z#h-Q?N@+HV*bE1Vqf;4^cfYYEvg^ebI5m1MJ_vCy@GN@)K?>roknkxDRU
zO0rpXimS$pk_NBpb+ynQqm_2*Z76F$HN<{z7LM$dntONw8Tgy}LRDwd-r0mc#nSq3
zY=*nvqVQfxVTn)r1b=j<=y<_aYDGm*tHL&Cv{yY$b9b_SKEhV1O&iAwK8=0cYaM|s
zJYs5A1WoUzp29e-QIAo;A7gVD>!aL$DycXswef#JB~_h&vUhHV8vL*ue$<d3Prw2>
z@DgaddnY6_l)PY9s{S7yC;X>`$Bv-u>X7TTs`#d)kA!=qeh27x7G8U&9g7iLt1<5O
zLEbdzjD4W~>M?S@=nk4JarYls*m^Vx5uU1#;=WC1zU49B#u<7k|NaX7cK0{<n?C&O
zwVptRP5|VS4%d6FmysH|T1qa)i_SA@x`Ea7g8l?=z)M6m_bkBG=(3I-P?6P}UD-#k
zp>@xzex+}PJ#Xo>b0I>{E_+9Wj#Su?WP7wlczo3u6tg^2RxPCQ0Gy+h;{8vPNmx~G
zs#d?P)@FN38y(8=>Ua!W#jo`1QFE2HsIt7bs*D`1>O2tZ@@VTFT2Ve)qrbw8e1+%S
zC^$gfxE8Yr=3<Za%@<jNtJG+U2L|gn7-IfAjd-EqquDTVFGW1`KTuO3{W>U4&Q}A&
zcFo>V1P7`LKRsH^HoR|=4SLdgO6SU6HCc&X$+rKf+x}GdIjBOv7j;#lJi9961v+D|
z_TcHDjrEi^vF6>0<|XwAs;JVgt*p}KmeDr;R|Hm5o31R{i}rc6A@+_(sU{<mYY@p6
zL=qGe0g)U+3SLBzg0<xnIE;<ukI4I>uu|3eslDTSa9dvok;F*0<t@V~r}?l~e+cu6
z?JyFzVE5Y>FOPPoqwpj(XtLhIY$vI4`cCBOkU-6vjMG@hMKB0Y$8k?P7qbcwTI)H0
z67zU{aEH3UsYhX;*ZL&?KWKQ~jzdQ+fwigVf(I~=G0NY>|4dOc^%4pKno$GV?k<Ij
z#oqB_EbDAN7V{qsZg-EP!q}0-?X+c8t(##WagT8VtuSo11JVz(mVB(Ap;i=qf!m(W
zld(}$$Gb3-SOaI7mx-m+Ds9>s+z;)hq4Eq3Jb1PY7la<IT4M3mMjV3$j6|vPMSI8R
zkVqE21_URLM?q-6lY0m^jLD*>z%mm!gM1(PWYJIYjRRGTG56wI&w)>LiXrp6X(<(T
zUNj6Q<3%$-^w;4gX5nwqT$(R)*$gC?9em&ERZn38$)ybrWr9~LlRc$xDHmvR4S9*3
z7PE;n+Jmq|Gh{!T7gQ)~UYDb=n^&6qB>dLbve>?iAmEJs29E2`(7~M^UdxXnTzlwh
zg`KnZLWB-jBc4PCZQKrm#?Q|Yt<Xkjfb>gX5a+JZh^~G*0d34g2bg59bO9_U-of5l
zzx7Bm*#*0f^54@|t$Y_<@)mZll2&D`vaHHnm8Jg-5(rg^>HJN8m}OR3R}D!jE?JKn
zva)%zgz>{p!P)Ie%i1c8y9+S~)xY7%z8)8Z=;p=LA-_i(sjaUVR2{zuh58e)hn{WU
zlTF8^)cI4Ng60^l*hLLG`d(idt&eoRx%V7qyq$>pk$8gRIDY7aeigY%JFw{(X&!ZN
zRpFuXXPsy`tv1=guIh}WM}5x|Uz<Ve<+UWuPSo~}p-}Lur{~A7a(dOzj8S&!hx$u8
zHfI@os!P9#_EhZ6x|prdCjrinS6+-g*fq)BG^W|k7AMKbSYsV*E6Hd-fa95-A(!rp
zeb)YbhFo|085)lIO=zJ<?PXp*380+S1^=o$4=K0s@dr1iT%+Fc)hSQ=-VFT#)K?u3
zTQjOlKZ+dkXcI6f6c{tMr17Hd$YZsV?NzU0P;R9Wfd};dk7?c~^?jh&+r2`t=8*B+
z$VC(*LLVAI6dipRMkfF~`XPF*6dC<4z|}ZRW5GYJ-vcYgHfkdoio3rik(()xy6RJ<
ztAO<N8E!ew!DVvc$wUR=xPKV&H7=VIBhexnYcv3Q5QM=r7=ghE3`Sru0)r9wSB^le
ziC#l;D$P#u!jTg%7dadJP4!{Clq4y5#p;Sl;d-aPaK_A8MaAxAV5Xksvph$lSK9)R
zRGh}^X-@V^7JKWe@0Bdn6ODxxXMHFb3`C;&IsL2XXCF2V>F5=bbFIHg3Dmo9N8Rgl
zB<Ccal@>OHqE5UM74b*bNs(G<I=z55o!;r2Ue{P34mAa&zDBnABhi4<A6Xe|3^XZG
zNtzUOLS1PHIHL{z2)yT(oNM45T)%<<L}c2G{Nm#LoErj&6@<N^I=l-Oa0bz0C*IFO
zbMT^9s5V9~nK?sEfEw8gXZbnR&5?i^aY8^b`Aqfu*C2GPBZ86U#w&7ioJb9d(h|L5
z`gFW<7KrArY;Il|4&>K0H!@&)FcuE4tMj*z*7Q{D(U0sMG`vRUYz#CuN7ga#(BL)3
zD4vey6wjI-uAhd;#9F7dmK0Abo@KmDmN7Q-O1eU#E&Is#lgZaW4;@S<zX9F(=VWpu
zHkMz2(qBTA50gpy!{--&NhaHfKa@<;Uu`=+N+!EOUpt&kx^PW!2>Y-lpbN3TY6IN^
zO218zg`MspPz9UtS-2(ILYr~W4xE;@g4W}<VmSVyumyA$=pIn|p@Lbs!r20P2-m_-
zgVMeKYoPQWDkx>#wm`~gb!3bkJ~X=vez<_qL9gV!WO6_1lWdN;w!HcFVQaJ7q}gMx
zylkdxB2cDZ33~8@WD@(xRLVo{W_-3H4)_})cE>hHyQS4eGGw<EpQllVslv-FOLJ`5
z<v7$yILt{~@fnAh#o!C+Zm^Ww^4c@!*}5|`>oam}dBDoKJhfpTK4HXmEvQs!b66s_
zY-+<nd|m@irvk|`*XCGb%e%(ryw;X&nPYP-v1QlT94k;ncXm&sPdp@do6WI_>f4Z6
zZgaM0Rocodzsj*W%X?7mUYn!hWn1>VVKoB~@32Zjm}eEXY<XCvO`dD3xydG%+sY)|
z0ZC!lei;4Dd|_?6j@opc&1rcaErQo*(fnZxMdQf-ZP1~y(TKbe2d0B2SY)9>a{D0n
zGUUSj<;eCNAy<O36ObE;F;)U9RoEPHOO-8e6SZ?gmTa5cZoSUdonbkdW1C#b8UqnD
zrhJ$e;!`mW@-Qx2xbA%xk1cO=W`)fe&+^zNZ?aa}3N{QWx0SRHoo72}$-El<R8np$
zD7Q_9Ooc5^7=tYbK6k)g3C49U@|38KE?||w*!$3szs~|aUPlGh0ec&UR8k%Dsg4q=
z1N9E5qmsr^3qA*7?+{Kb>^<tV_PEb&mdw3p_j%s1%$=FGjh4l>F3SSjR!g;Q8yeqc
zu{;iNF2E3IIRNU5g_wsmxTM4Rh{j@G4K*GiD5$WNRM^TqGzq4n=nlv&f!stx&H+&t
zr#{gNn_OwDAqA3ugv-~GeBYcvN3Bmyh-;|fNaV-6klzaX>|JptfBlFd)%Rs?&Wc+%
z4QU@rax{0cvLwlgdoLRSJW>CQ1D*$bxBv&~U<3vuFc^Ws2>jC`Al|1J@6Xetl@h(<
zPf4uFQ#hYmi=C`k8etG=IR29krO^gSy|+J>^I~r{hV$b6ecFpr66If>Nj4MD_I#jp
z<4kEI7ofXmN_pHL+-S3OJLmc1N22{7B@RpSEe4OrF-uN7TPTVBCwmxyr~hI>=>%_>
zz;)hm;V13aDB<pyB~jmnoELKVFEp$@BCfciXM8KShpXv+<#=2&K8u&*e{?Wjw1b=f
zrxEe{WCINrI}Kzmr;9laa=M1o4V*r}>2^+^;&d;kZ*Y2;)03PIxkzH^0!}aCw3ySm
zoG#`x$mtqRH*op@r`tJwiqpNEzQO5XPET?=gl&FscH;CBPK!C6%jsfHgPgA6bOWak
zaJrq-r#Riq=^LCL=G18QKk&W6(48KOM(Aufy*^MITRA<ye(i13aW?c7&*BHgl}#}!
z$BA=BK9j-!4i9bjw0I`G7I<NM!O%%1_ILH!Qt^zU%V!n^YG)P~`vWDlmlw>c^#=>;
zO9ORvmzT^aD8AfZUpupeTR_!E9(k`u%8xeS^sM-6rTnI5C6JH0@@r!u98&T7H;ilW
zM;oO4`gKjwb&Up9B1Q>6r}txgD2oKbep2AMmarn_vtRwmM;51Pu=uGJeB;-GLJ(@M
z_bYx9!LJRqNcn*VUohft4EP%AVN7s_37<a_@vk#9MIJTz8}S=K`G%R=Xq0(`pD;o=
z{b2>C?bRlPvHw7?rBrF18j6pFBXqW=Bq;5l&518pDTvk?9HE<qzF02>mARx?H^h1*
z3`|Cbd=UC#Jr%TtFT7N520lVxtaEgpB-=t?tj~gq^%x>7kqvXAvmmW~LSL+Rf+}2C
z_%GxHtwK4irGgjhsi1WBqBPKd1H~DMmkE8bz6&bWcTxYq_S55pY*%oD;&~ycc)pN6
zoi7LKHvprUi07H)1VhQmzEjU3gEQ(9d7^drnDw1bLZR+tB=!6>xW3=(p>q|bCVb5L
zCnhpj5>)tWpnd)eeC+^z>0&O)>2SJ?G9^*3fYu{pu3zjQ1QpL!AwO{Zw{v~`|1%?%
z^`}S4xG4$01+1Zr@}mFK{f?<HG0^`X4$vR?JDg7oMNS9$|MLO*`}jZ-v|xaO@L!ny
z4KlPh%jAIgoh0%5oCD<rFX-=}XE*7K{aB6HFev1>`PBFocn=C_?27uuK0^HdDc$o>
z63q~LB93(LMj}FA?9b$DNlTJ;aeagP?)ZBd1!jF|1(&QbsHl&lDgOn302z`I^*dJ>
zCD~lRKnx56mYkdl@+L9^Tx3N;f1VKJbf9b^jeZTUf7Sqf5k~>{Yr6nJJGlNS6GqvA
G_5VMp4ixSH

literal 0
HcmV?d00001

diff --git a/kubezero/nvidia-drivers/APKBUILD b/kubezero/nvidia-drivers/APKBUILD
index 0217f1f..41fdeca 100644
--- a/kubezero/nvidia-drivers/APKBUILD
+++ b/kubezero/nvidia-drivers/APKBUILD
@@ -1,8 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=nvidia-drivers
-#pkgver=535.54.03
-pkgver=525.125.06
+pkgver=550.54.14
 pkgrel=0
 pkgdesc="NVIDIA Driver"
 url="https://www.nvidia.com/download/index.aspx"
@@ -56,5 +55,5 @@ package() {
 }
 
 sha512sums="
-a5f13b633d111d9dc928e8522cd916a2b756fccbf2dc532649762a3f9bdc5503bd57c9c698da8205c49e82720b45789413a1afc26be77d741f823b49ae2f333d  NVIDIA-Linux-x86_64-525.125.06.run
+65fe0a3498e1b46368cfc7995fea720e4ba6373b0a74f4fc6280fbf75b2697948adf5b52b7d068b8df5ddbd347df7c0361db7e1a1fdc0d9fcfc6f478888936be  NVIDIA-Linux-x86_64-550.54.14.run
 "
diff --git a/kubezero/nvidia-open-gpu/APKBUILD b/kubezero/nvidia-open-gpu/APKBUILD
index 0912888..b5966a8 100644
--- a/kubezero/nvidia-open-gpu/APKBUILD
+++ b/kubezero/nvidia-open-gpu/APKBUILD
@@ -26,7 +26,10 @@ build() {
   # Hack running the build inside a container other uname -r returns host kernel
   KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
 
-  make KERNEL_UNAME=$KERNEL_VERSION || bash
+  unset CFLAGS CPPFLAGS CXXFLAGS
+  unset LDFLAGS
+
+  make KERNEL_UNAME=$KERNEL_VERSION
 }
 
 package() {
diff --git a/kubezero/zdt-base/APKBUILD b/kubezero/zdt-base/APKBUILD
index 31bf074..d61b9e8 100644
--- a/kubezero/zdt-base/APKBUILD
+++ b/kubezero/zdt-base/APKBUILD
@@ -24,6 +24,8 @@ source="
         syslog-ng.conf
         syslog-ng.logrotate.conf
         syslog-ng.apparmor
+        cloudbender.stop
+        cloudbender.start
         dhcpcd-mtu.hook
         monitrc
         monit_alert.sh.aws
@@ -58,9 +60,14 @@ package() {
   # early init script to eg. mount var, cannot use any network !
   install -Dm755 "$srcdir/cloudbender-early.init" "$pkgdir/etc/init.d/cloudbender-early"
 
-  # various tasks during boot
+  # various tasks during first boot
   install -Dm755 "$srcdir/cloudbender.init" "$pkgdir/etc/init.d/cloudbender"
 
+  # local boot & shutdown
+  install -Dm755 "$srcdir/cloudbender.start" "$pkgdir/etc/local.d/cloudbender.start"
+  install -Dm755 "$srcdir/cloudbender.stop" "$pkgdir/etc/local.d/cloudbender.stop"
+
+
   # syslog-ng configs, json all into messages
   install -Dm644 "$srcdir"/syslog-ng.conf "$pkgdir"/lib/zdt/syslog-ng.conf
   install -Dm644 "$srcdir"/syslog-ng.logrotate.conf "$pkgdir"/lib/zdt/syslog-ng.logrotate.conf
@@ -104,7 +111,7 @@ nocloud() {
 }
 
 sha512sums="
-c73970604c225199596f932fee3093d0cc9364f90b12f5490eac17643d12e65b4f662aae994ad9e3ebdbd4ee691e41a068fc988513377d6def0697fcd76285e2  common.sh
+c1808572d074e1a91e0efc3c31462f6035159338843e51fbccca5102b2923506ce60ba9e1ef00b2fbb134da7a33f55af364e1bff15c272eb7f4ebc6035f33887  common.sh
 cf8b75a81bb35e853761d21b15b5b109f15350c54daaf66d2912541a20f758c3ca237d58932e5608d2d3867fe15a07ebd694fd1c313a8290d15afc2b27a575dd  boot.sh
 eb7d5b6f92f500dbaba04a915cdd8d66e90456ca86bed86b3a9243f0c25577a9aa42c2ba28c3cad9dda6e6f2d14363411d78eff35656c7c60a6a8646f43dcba5  cloudbender-early.init
 cac71c605324ad8e60b72f54b8c39ee0924205fcd1f072af9df92b0e8216bcde887ffec677eb2f0eacce3df430f31d5b5609e997d85f14389ee099fbde3c478f  cloudbender.init
@@ -115,6 +122,8 @@ cac71c605324ad8e60b72f54b8c39ee0924205fcd1f072af9df92b0e8216bcde887ffec677eb2f0e
 b86dec8c059642309b2f583191457b7fac7264b75dc5f4a06ad641de6b76589c0571b8b72b51519516ba7e68a128fe2da29b4a2a6dc77c252204675c51b2d128  syslog-ng.conf
 484bdcf001b71ce5feed26935db437c613c059790b99f3f5a3e788b129f3e22ba096843585309993446a88c0ab5d60fd0fa530ef3cfb6de1fd34ffc828172329  syslog-ng.logrotate.conf
 e86eed7dd2f4507b04050b869927b471e8de26bc7d97e7064850478323380a0580a92de302509901ea531d6e3fa79afcbf24997ef13cd0496bb3ee719ad674ee  syslog-ng.apparmor
+cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e  cloudbender.stop
+b93cec571afe5128ab4d7c3998b3dc48753897f37169a111f606a48d1982e6ffce52a4ac9568a6a062f621148fb652049b84926a40a62d89be3786e6836261e6  cloudbender.start
 f8c052c7ec12c71937c7b8bc05d8374c588f345e303b30eda9c8612dff8f8f34a87a433648a3e9b85b278196ece198533b29680a303ff6478171d43f8e095189  dhcpcd-mtu.hook
 e00a8f296c76446fe1241bf804c0108f47a2676f377a413ee9fede0943362a6582cad30fe13edd93f3d0daab0e2d7696553fb9458dca62adc05572dce339021a  monitrc
 c955dabe692c0a4a2fa2b09ab9096f6b14e83064b34ae8d22697096daf6551f00b590d837787d66ea1d0030a7cc30bef583cc4c936c980465663e73aec5fa2dc  monit_alert.sh.aws
diff --git a/kubezero/zdt-base/cloudbender.start b/kubezero/zdt-base/cloudbender.start
new file mode 100644
index 0000000..3839fff
--- /dev/null
+++ b/kubezero/zdt-base/cloudbender.start
@@ -0,0 +1,10 @@
+# mounts are shared to run containers later, eg. cilium, falco
+# should be handled in openrc, see: https://github.com/OpenRC/openrc/pull/526/files
+mount --make-rshared /
+
+# Enable THP incl. defrag but very conservatively
+# see: https://go.dev/doc/gc-guide#Linux_transparent_huge_pages
+echo "madvise" > /sys/kernel/mm/transparent_hugepage/enabled
+echo "defer+madvise" > /sys/kernel/mm/transparent_hugepage/defrag
+echo "0" > /sys/kernel/mm/transparent_hugepage/khugepaged/max_ptes_none
+
diff --git a/kubezero/zdt-base/cloudbender.stop b/kubezero/zdt-base/cloudbender.stop
new file mode 100644
index 0000000..e69de29
diff --git a/kubezero/zdt-base/common.sh b/kubezero/zdt-base/common.sh
index fd82303..64ba744 100644
--- a/kubezero/zdt-base/common.sh
+++ b/kubezero/zdt-base/common.sh
@@ -23,11 +23,6 @@ setup_instance() {
   add_once /etc/fstab "bpffs       /sys/fs/bpf    bpf      rw,nosuid,nodev,noexec,relatime,mode=700 0 0"
   mount -a
 
-  # Ensure certain mounts are shared to run containers later, eg. cilium, falco
-  mount --make-shared /sys/fs/cgroup
-  mount --make-shared /sys/fs/bpf
-  mount --make-shared /sys
-
   add_once /etc/hosts "${IP_ADDRESS} ${_META_HOSTNAME} ${HOSTNAME}"
 
   # workaround for dhcpcd / openresolv to omit search domain if equal to domain breaking DNS resolution of shortnames for eg. etcd and kube-apiserver
@@ -444,11 +439,8 @@ register_service_dns() {
     route53.py --fqdn "${SERVICENAME}.${DNSZONE}" --record $_IP
 
     # Register shutdown hook to remove DNS entry on terminate
-    cat <<EOF >> /etc/local.d/route53.stop
-echo "Deleting Route53 record for ${SERVICENAME}.${DNSZONE}" >> /tmp/shutdown.log
-route53.py --delete --fqdn "${SERVICENAME}.${DNSZONE}" --record ${PUBLIC_IP_ADDRESS:-$IP_ADDRESS}
-EOF
-    chmod +x /etc/local.d/route53.stop
+    add_once /etc/local.d/cloudbender.stop "echo \"Deleting Route53 record for ${SERVICENAME}.${DNSZONE}\" >> /tmp/shutdown.log"
+    add_once /etc/local.d/cloudbender.stop "route53.py --delete --fqdn \"${SERVICENAME}.${DNSZONE}\" --record ${PUBLIC_IP_ADDRESS:-$IP_ADDRESS}"
 
     # Short cut our public IP to private one to allow talking to our own service name
     add_once /etc/hosts "${IP_ADDRESS} ${SERVICENAME}.${DNSZONE}"