diff --git a/Dockerfile b/Dockerfile
index b77da72..3f2284b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
-FROM    alpine:3.17
-ARG     ALPINE="v3.17"
+FROM    alpine:3.18
+ARG     ALPINE="v3.18"
 ARG     BUILDUSER=alpine
 
 RUN     echo "http://dl-cdn.alpinelinux.org/alpine/${ALPINE}/main" > /etc/apk/repositories && \
diff --git a/Makefile b/Makefile
index d08d6f7..995fdf6 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ REGION := us-east-1
 
 include .ci/podman.mk
 
-BUILDER := v3.17.3
+BUILDER := v3.18.2
 PKG := '*'
 CF_DIST := E1YFUJXMCXT2RN
 
diff --git a/abuilder b/abuilder
index cdaa23a..0e5577f 100755
--- a/abuilder
+++ b/abuilder
@@ -11,7 +11,7 @@ if [ "$1" = 'aarch64-toolchain' ]; then
 else
   # Set ENV for cross compile for aarch64
   if [ "$2" = "cross-arm64" ]; then
-    ALPINE="v3.16"
+    ALPINE="v3.18"
     TARGET_ARCH=aarch64
     SUDO_APK=abuild-apk
     APORTS=/home/alpine/aports
diff --git a/kubezero/aws-neuron-driver/APKBUILD b/kubezero/aws-neuron-driver/APKBUILD
index a8a0e55..d90907b 100644
--- a/kubezero/aws-neuron-driver/APKBUILD
+++ b/kubezero/aws-neuron-driver/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=aws-neuron-driver
-pkgver=2.8.4.0
+pkgver=2.10.11.0
 pkgrel=0
 pkgdesc="Linux Kernel module for AWS Neuron INF instances"
 url="https://awsdocs-neuron.readthedocs-hosted.com/en/latest/release-notes/index.html#"
@@ -42,5 +42,5 @@ package() {
 }
 
 sha512sums="
-1fa536cf32fb9a0d383e73c6694ddbdee38a775a25a7d0013322c4e4b4c724d546082f88ac1c8e485e808312d7821453a9d27391e98f613431ccff0081a76483  aws-neuron-driver-2.8.4.0.deb
+0fdbc1ebd12044be77714affd427c198f72ce04f0236a100e49642fbdb143a4e6c1156f4555ac0fe8baa6bea09420408bbb1cfd2857f29d54e615b22193afd0d  aws-neuron-driver-2.10.11.0.deb
 "
diff --git a/kubezero/cri-o/APKBUILD b/kubezero/cri-o/APKBUILD
index d0f9b67..daf1408 100644
--- a/kubezero/cri-o/APKBUILD
+++ b/kubezero/cri-o/APKBUILD
@@ -3,23 +3,23 @@
 # Contributor: TBK <alpine@jjtc.eu>
 # Maintainer: ungleich <foss@ungleich.ch>
 pkgname=cri-o
-pkgver=1.25.3
+pkgver=1.26.3
 pkgrel=0
 pkgdesc="OCI-based implementation of Kubernetes Container Runtime Interface"
 url="https://github.com/cri-o/cri-o/"
 arch="all"
 license="Apache-2.0"
- # Most tests will fail if not ran as root
- # since it tries to create network interfaces
+# Most tests will fail if not ran as root
+# since it tries to create network interfaces
 options="net chmod-clean !check"
 depends="
 	cni-plugins
-	conmon
 	conntrack-tools
+	conmon
 	containers-common
 	iproute2
 	iptables
-	runc
+	oci-runtime
 	"
 makedepends="
 	bash
@@ -35,33 +35,41 @@ makedepends="
 	ostree-dev
 	tzdata
 	"
-checkdepends="bats cri-tools jq parallel sudo"
+checkdepends="bats cri-tools jq parallel sudo conmon"
 subpackages="
 	$pkgname-doc
 	$pkgname-bash-completion
 	$pkgname-zsh-completion
 	$pkgname-fish-completion
-	$pkgname-contrib-cni:contrib_cni:noarch
 	$pkgname-openrc
 	"
-source="https://github.com/cri-o/cri-o/archive/v$pkgver/cri-o-$pkgver.tar.gz
+source="
+	$pkgname-$pkgver.tar.gz::https://github.com/cri-o/cri-o/archive/v$pkgver/cri-o-$pkgver.tar.gz
 	crio.conf
 	crio.initd
 	crio.logrotated
 	cni-plugins-path.patch
 	makefile-fix-install.patch
+	fix-test.patch
 	remove-systemd-files.patch
 	"
 
 # secfixes:
 #   1.23.2-r0:
 #     - CVE-2022-0811
+#   1.24.1-r0:
+#     - CVE-2022-1708
+#   1.26.2-r0:
+#     - CVE-2022-4318
+
+export GOCACHE="${GOCACHE:-"$srcdir/go-cache"}"
+export GOTMPDIR="${GOTMPDIR:-"$srcdir"}"
+export GOMODCACHE="${GOMODCACHE:-"$srcdir/go"}"
+export GOBIN="$GOPATH/bin"
 
 build() {
-	export GOPATH="$srcdir"
-	export GOBIN="$GOPATH/bin"
 	# https://github.com/cri-o/cri-o/blob/master/install.md#build-tags
-	make BUILDTAGS="seccomp selinux containers_image_openpgp containers_image_ostree_stub apparmor"
+	make BUILDTAGS="seccomp selinux apparmor containers_image_openpgp containers_image_ostree_stub"
 }
 
 check() {
@@ -75,23 +83,21 @@ package() {
 	mkdir -p  "$pkgdir"/usr/share/oci-umount/oci-umount.d/
 	ln -sf /etc/crio/crio-umount.conf "$pkgdir"/usr/share/oci-umount/oci-umount.d/crio-umount.conf
 
+	# The CNI plugins are recommended to be installed as examples
+	install -Dm644 contrib/cni/*.conflist -t "$pkgdir"/usr/share/doc/cri-o/examples/cni/
+
 	install -Dm755 "$srcdir"/crio.initd "$pkgdir"/etc/init.d/crio
 	install -Dm644 "$srcdir"/crio.conf "$pkgdir"/etc/crio/crio.conf
 	install -Dm644 "$srcdir"/crio.logrotated "$pkgdir"/etc/logrotate.d/crio
 }
 
-contrib_cni() {
-	pkgdesc="$pkgname contrib cni config files"
-	mkdir -p "$subpkgdir"/etc/cni/net.d
-	cp "$builddir"/contrib/cni/*.conf "$subpkgdir"/etc/cni/net.d
-}
-
 sha512sums="
-39b162c55141af009879f600c4b6cf91b6d710392bf07783080efe195f3ece1a0ed186eeadaf3a84bbed11a376995c3fab3c951a6d7ed14bb7e85b39e7920e21  cri-o-1.25.3.tar.gz
-e026f056ed92489413e16ed7955a9dcd7d1f4df1cc28e3ea785771b44d43811fea4f5b953cc46bc0c4aeac8ad07115bfff304d7516ebd24f2e58fe782ff812c8  crio.conf
-29561e95398975748236217bbd9df64997f6e3de6c0555d007306bd0535895a648368385a13079eb7d52c06249a91980523a73b6563e86d0575d9cd9c3fa4ee9  crio.initd
+58718db358d35b61e5edb8a16185bc534337a1ebfaf0d40ab17efb73c266fb2c337fad3cf92a7d8bcc7a02c4e2180b2b79a5896eb635b43334bcc1366b12baf8  cri-o-1.26.3.tar.gz
+1f60719677295c9c5c615eb25d9159bde0af68a132eee67747f57fe76642d457c98c896c6189f85637d7b4ac24ba55fd9eaeb1699f43c3c5077b645f72a479fb  crio.conf
+26048a219bc426ef4a4f50e96d6e0ded1c55dc8415df9a2773764d2ebcb3d9e91077b2916da1ff32674ca4a53062e41e185503d671dacc3167a018b0066347e1  crio.initd
 1115228546a696eeebeb6d4b3e5c3152af0c99a2559097fc5829d8b416d979c457b4b1789e0120054babf57f585d3f63cbe49949d40417ae7aab613184bf4516  crio.logrotated
 0a567dfa431ab1e53f2a351689be8d588a60cc5fcdbda403ec4f8b6ab9b1c18ad425f6c47f9a5ab1491e3a61a269dc4efa6a59e91e7521fa2b6bb165074aa8e0  cni-plugins-path.patch
 f9577aa7b1c90c6809010e9e406e65092251b6e82f6a0adbc3633290aa35f2a21895e1a8b6ba4b6375dcad3e02629b49a34ab16387e1c36eeb32c8f4dac74706  makefile-fix-install.patch
+1c1bfa5feeb0c5ddc92271a5ef80edc38d56afa1574ffc124605d5bb227a407b55dd5268df6cebc6720768ac31245e08b7950e5ab2b7f14ba934c94f1e325f86  fix-test.patch
 78c150f87027de489289596371dce0465159ced0758776b445deb58990e099de9c654406183c9da3cc909878b24d28db62121b7056cd180a6f2820e79e165cc6  remove-systemd-files.patch
 "
diff --git a/kubezero/cri-o/crio.conf b/kubezero/cri-o/crio.conf
index 70dc756..525c6a4 100644
--- a/kubezero/cri-o/crio.conf
+++ b/kubezero/cri-o/crio.conf
@@ -3,3 +3,9 @@
 # Overide defaults to not use systemd cgroups.
 conmon_cgroup = "pod"
 cgroup_manager = "cgroupfs"
+
+default_runtime = "crun"
+
+[crio.runtime.runtimes.crun]
+runtime_type = "oci"
+runtime_root = "/run/crun"
diff --git a/kubezero/cri-o/crio.initd b/kubezero/cri-o/crio.initd
index 9e6383a..c5eec65 100755
--- a/kubezero/cri-o/crio.initd
+++ b/kubezero/cri-o/crio.initd
@@ -21,6 +21,8 @@ checkconfig() {
 		/var/log/${RC_SVCNAME}
 	checkpath --file --owner root:root --mode 0644 \
 		/var/log/${RC_SVCNAME}/${RC_SVCNAME}.log
+	checkpath --directory --owner root:root --mode 0750 \
+		/var/lib/crio
 }
 
 start() {
diff --git a/kubezero/cri-o/fix-test.patch b/kubezero/cri-o/fix-test.patch
index a5b47b0..271773e 100644
--- a/kubezero/cri-o/fix-test.patch
+++ b/kubezero/cri-o/fix-test.patch
@@ -1,26 +1,45 @@
---- a/test/helpers.bash
-+++ b/test/helpers.bash
-@@ -68,7 +68,7 @@
- # The default log directory where all logs will go unless directly specified by the kubelet
- DEFAULT_LOG_PATH=${DEFAULT_LOG_PATH:-/var/log/crio/pods}
- # Cgroup manager to be used
--CONTAINER_CGROUP_MANAGER=${CONTAINER_CGROUP_MANAGER:-systemd}
-+CONTAINER_CGROUP_MANAGER=${CONTAINER_CGROUP_MANAGER:-cgroupfs}
- # Image volumes handling
- CONTAINER_IMAGE_VOLUMES=${CONTAINER_IMAGE_VOLUMES:-mkdir}
- # Container pids limit
-@@ -166,7 +166,7 @@
-     # Copy all the CNI dependencies around to ensure encapsulated tests
-     CRIO_CNI_PLUGIN="$TESTDIR/cni-bin"
-     mkdir "$CRIO_CNI_PLUGIN"
--    cp /opt/cni/bin/* "$CRIO_CNI_PLUGIN"
-+    cp /usr/libexec/cni/* "$CRIO_CNI_PLUGIN"
-     cp "$INTEGRATION_ROOT"/cni_plugin_helper.bash "$CRIO_CNI_PLUGIN"
-     sed -i "s;%TEST_DIR%;$TESTDIR;" "$CRIO_CNI_PLUGIN"/cni_plugin_helper.bash
+diff --git a/test/cgroups.bats b/test/cgroups.bats
+index 8beb6f06..80193413 100644
+--- a/test/cgroups.bats
++++ b/test/cgroups.bats
+@@ -45,6 +45,10 @@ EOF
+ }
  
+ @test "conmon pod cgroup" {
++	if [[ "$CONTAINER_CGROUP_MANAGER" != "systemd" ]]; then
++		skip "need systemd cgroup manager"
++	fi
++
+ 	CONTAINER_CGROUP_MANAGER="systemd" CONTAINER_DROP_INFRA_CTR=false CONTAINER_CONMON_CGROUP="pod" start_crio
+ 
+ 	jq '	 .linux.cgroup_parent = "Burstablecriotest123.slice"' \
+@@ -61,6 +65,10 @@ EOF
+ 		skip "not yet supported by conmonrs"
+ 	fi
+ 
++	if [[ "$CONTAINER_CGROUP_MANAGER" != "systemd" ]]; then
++		skip "need systemd cgroup manager"
++	fi
++
+ 	CONTAINER_CGROUP_MANAGER="systemd" CONTAINER_DROP_INFRA_CTR=false CONTAINER_MANAGE_NS_LIFECYCLE=false CONTAINER_CONMON_CGROUP="customcrioconmon.slice" start_crio
+ 
+ 	jq '	 .linux.cgroup_parent = "Burstablecriotest123.slice"' \
+@@ -77,6 +85,10 @@ EOF
+ 		skip "not supported for conmon"
+ 	fi
+ 
++	if [[ "$CONTAINER_CGROUP_MANAGER" != "systemd" ]]; then
++		skip "need systemd cgroup manager"
++	fi
++
+ 	configure_monitor_cgroup_for_conmonrs "customcrioconmon.slice"
+ 
+ 	CONTAINER_CGROUP_MANAGER="systemd" CONTAINER_DROP_INFRA_CTR=true start_crio
+diff --git a/test/cni_plugin_helper.bash b/test/cni_plugin_helper.bash
+index 04492172..abae521e 100755
 --- a/test/cni_plugin_helper.bash
 +++ b/test/cni_plugin_helper.bash
-@@ -43,7 +43,7 @@
+@@ -48,7 +48,7 @@ EOT
  . "$TEST_DIR"/cni_plugin_helper_input.env
  rm -f "$TEST_DIR"/cni_plugin_helper_input.env
  
@@ -29,16 +48,25 @@
  
  if [[ "${DEBUG_ARGS}" == "malformed-result" ]]; then
      cat <<-EOF
---- a/test/cgroups.bats
-+++ b/test/cgroups.bats
-@@ -26,6 +26,10 @@
- }
- 
- @test "conmon custom cgroup" {
-+	if [[ "$CONTAINER_CGROUP_MANAGER" != "systemd" ]]; then
-+		skip "need systemd cgroup manager"
-+	fi
-+
- 	CONTAINER_CGROUP_MANAGER="systemd" CONTAINER_DROP_INFRA_CTR=false CONTAINER_MANAGE_NS_LIFECYCLE=false CONTAINER_CONMON_CGROUP="customcrioconmon.slice" start_crio
- 
- 	jq '	  .linux.cgroup_parent = "Burstablecriotest123.slice"' \
+diff --git a/test/helpers.bash b/test/helpers.bash
+index f7f8e1f2..45b7dd58 100644
+--- a/test/helpers.bash
++++ b/test/helpers.bash
+@@ -38,7 +38,7 @@ CONTAINER_UID_MAPPINGS=${CONTAINER_UID_MAPPINGS:-}
+ CONTAINER_GID_MAPPINGS=${CONTAINER_GID_MAPPINGS:-}
+ OVERRIDE_OPTIONS=${OVERRIDE_OPTIONS:-}
+ # CNI path
+-CONTAINER_CNI_PLUGIN_DIR=${CONTAINER_CNI_PLUGIN_DIR:-/opt/cni/bin}
++CONTAINER_CNI_PLUGIN_DIR=${CONTAINER_CNI_PLUGIN_DIR:-/usr/libexec/cni}
+ # Runtime
+ CONTAINER_DEFAULT_RUNTIME=${CONTAINER_DEFAULT_RUNTIME:-runc}
+ RUNTIME_BINARY_PATH=$(command -v "$CONTAINER_DEFAULT_RUNTIME")
+@@ -70,7 +70,7 @@ CHECKCRIU_BINARY=${CHECKCRIU_BINARY:-${CRIO_ROOT}/test/checkcriu/checkcriu}
+ # The default log directory where all logs will go unless directly specified by the kubelet
+ DEFAULT_LOG_PATH=${DEFAULT_LOG_PATH:-/var/log/crio/pods}
+ # Cgroup manager to be used
+-CONTAINER_CGROUP_MANAGER=${CONTAINER_CGROUP_MANAGER:-systemd}
++CONTAINER_CGROUP_MANAGER=${CONTAINER_CGROUP_MANAGER:-cgroupfs}
+ # Image volumes handling
+ CONTAINER_IMAGE_VOLUMES=${CONTAINER_IMAGE_VOLUMES:-mkdir}
+ # Container pids limit
diff --git a/kubezero/cri-tools/APKBUILD b/kubezero/cri-tools/APKBUILD
index 8d0d95a..8b81337 100644
--- a/kubezero/cri-tools/APKBUILD
+++ b/kubezero/cri-tools/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Francesco Colista <fcolista@alpinelinux.org>
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=cri-tools
-pkgver=1.24.2
-pkgrel=0
+pkgver=1.26.1
+pkgrel=1
 pkgdesc="CLI tool for Kubelet Container Runtime Interface (CRI)"
 url="https://github.com/kubernetes-sigs/cri-tools"
 arch="x86_64 aarch64 ppc64le s390x armv7 x86"
@@ -11,15 +11,21 @@ makedepends="go"
 options="!check" # no check available
 source="$pkgname-$pkgver.tar.gz::https://github.com/kubernetes-sigs/cri-tools/archive/v$pkgver.tar.gz"
 
+export GOCACHE="${GOCACHE:-"$srcdir/go-cache"}"
+export GOTMPDIR="${GOTMPDIR:-"$srcdir"}"
+export GOMODCACHE="${GOMODCACHE:-"$srcdir/go"}"
+
 build() {
 	make all
 }
 
+check() {
+	make test
+}
 package() {
-	install -Dm755 build/bin/crictl "$pkgdir/usr/bin/crictl"
-	install -Dm755 build/bin/critest "$pkgdir/usr/bin/critest"
+	make BINDIR="$pkgdir"/usr/bin install
 }
 
-sha512sums='
-9b5907b37bb5f00295eff4fa4207ae55d930feae7e0f48fa130c7ecc936bcd259a11d59ed240684a3e12c8bcee40f2c67d7f4af52c2a76df3d7bf82e5e388a75  cri-tools-1.24.2.tar.gz
-'
+sha512sums="
+1900b5d22a20ab1f01c13832be4dcf1e9845b64afb3cdcb6169752bbb20a6e69dcbb6ccc8d31b9d4bf091bf81aa04b9979544586763ea985499f229e7ab2a39d  cri-tools-1.26.1.tar.gz
+"
diff --git a/kubezero/docker-registry/APKBUILD b/kubezero/docker-registry/APKBUILD
index d46696a..18f7af4 100644
--- a/kubezero/docker-registry/APKBUILD
+++ b/kubezero/docker-registry/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Christian Kampka <christian@kampka.net>
-# Maintainer:
+# Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=docker-registry
-pkgver=2.9.0_git20230327
-pkgrel=1
+pkgver=2.8.2_git20230519
+pkgrel=0
 pkgdesc="An implementation of the Docker Registry HTTP API V2 for use with docker 1.6+"
 url="https://github.com/distribution/distribution"
 # riscv64 blocked by dependency panicwrap
@@ -14,7 +14,7 @@ pkgusers="docker-registry"
 pkggroups="docker-registry"
 subpackages="$pkgname-openrc"
 #source="$pkgname-$pkgver.tar.gz::$url/archive/v$pkgver.tar.gz
-source="$pkgname-$pkgver.tar.gz::$url/archive/0c958010ace2e0c2a87f1bf9915b7c74157dfb62.tar.gz
+source="$pkgname-$pkgver.tar.gz::$url/archive/983358f8e2509bf8ae196a8e135180a2c5b11264.tar.gz
 	docker-registry.initd
 	config-example.patch"
 builddir="$srcdir/src/github.com/docker/distribution"
@@ -23,7 +23,7 @@ options="chmod-clean"
 prepare() {
 	mkdir -p "${builddir%/*}"
 	#mv "$srcdir"/distribution-$pkgver "$builddir"
-	mv "$srcdir"/distribution-0c958010ace2e0c2a87f1bf9915b7c74157dfb62 "$builddir"
+	mv "$srcdir"/distribution-* "$builddir"
 }
 
 build() {
@@ -57,7 +57,7 @@ package() {
 }
 
 sha512sums="
-baf540b81d5f736e105eb2c05f5f4775c61ace3118f965a52b7b477a596291e12b33e56f882ce364731e9701ae6e9b2e09add3bcf8a1a11bb25eb54833c14368  docker-registry-2.9.0_git20230327.tar.gz
+8ceb8b994085bc6522e8a203785bd670977117988d391023148a4153e3c150ad7c17fb98de863c4c2300714022444dc5141a75a2899b8b0f04cbbdc17794b5c7  docker-registry-2.8.2_git20230519.tar.gz
 96100a4de311afa19d293a3b8a63105e1fcdf49258aa8b1752befd389e6b4a2b1f70711341ea011b450d4468bd37dbd07a393ffab3b9aa1b2213cf0fdd915904  docker-registry.initd
 5a38f4d3f0ee5cd00c0a5ced744eb5b29b839da5921adea26c5de3eb88b6b2626a7ba29b1ab931e5f8fbfafbed8c94cb972a58737ec0c0a69cf515c32139e387  config-example.patch
 "
diff --git a/kubezero/ecr-credential-provider/APKBUILD b/kubezero/ecr-credential-provider/APKBUILD
index 2aa9cda..91cb2eb 100644
--- a/kubezero/ecr-credential-provider/APKBUILD
+++ b/kubezero/ecr-credential-provider/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=ecr-credential-provider
-pkgver=1.25.3
+pkgver=1.26.1
 pkgrel=0
 pkgdesc="AWS Kubernetes ecr-credential-provider"
 url="https://github.com/kubernetes/cloud-provider-aws"
@@ -24,5 +24,5 @@ package() {
 }
 
 sha512sums="
-d727c01ea98608b0b51edc2bfe892218b55eee7148e358e18387f3f4a52ad765f8d0ee372884e36f95f1303c13dbeba81926f7560c325a8d3c258da11cdfc24b  ecr-credential-provider-1.25.3.tar.gz
+59ec934a93b94290b0dce830a53301957842d8d45118471bb6eaa142b06dc37ed7f32e4c4a83f1f5341b0dda6745cfa7d8ebbac6d31378e3288857808f2aef71  ecr-credential-provider-1.26.1.tar.gz
 "
diff --git a/kubezero/falco/APKBUILD b/kubezero/falco/APKBUILD
new file mode 100644
index 0000000..1a81812
--- /dev/null
+++ b/kubezero/falco/APKBUILD
@@ -0,0 +1,59 @@
+# Contributor: Stefan Reimer <stefan@zero-downtime.net>
+# Maintainer: Stefan Reimer <stefan@zero-downtime.net>
+pkgname=falco
+pkgver=0.35.1
+pkgrel=0
+pkgdesc="Falco is the open source solution for runtime security for hosts, containers, Kubernetes and the cloud"
+url="https://github.com/falcosecurity/falco"
+arch="x86_64 aarch64"
+license="AGPL-3.0"
+makedepends="cmake bash linux-virt-dev linux-headers perl autoconf elfutils-dev libtool argp-standalone musl-fts-dev musl-libintl musl-obstack-dev"
+             #protobuf-dev jq-dev openssl-dev curl-dev c-ares-dev grpc-dev yaml-dev yaml-cpp-dev jsoncpp-dev re2-dev"
+options="!check"
+source="$pkgname-$pkgver.tar.gz::https://github.com/falcosecurity/falco/archive/refs/tags/$pkgver.tar.gz"
+
+subpackages="$pkgname-kernel" # $pkgname-plugins"
+
+prepare() {
+  [[ -d build ]] || mkdir build
+}
+
+build() {
+  # Hack running the build inside a container other uname -r returns host kernel
+  KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
+
+  cd build
+  cmake .. \
+    -DCMAKE_BUILD_TYPE=Release \
+    -DFALCO_VERSION=$pkgver \
+    -DCMAKE_INSTALL_PREFIX=/usr \
+    -DMUSL_OPTIMIZED_BUILD=On \
+    -DUSE_BUNDLED_DEPS=On
+
+  KERNELDIR=/lib/modules/$KERNEL_VERSION/build make -j4
+}
+
+package() {
+  KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
+
+  cd build
+  make DESTDIR="${pkgdir}" KERNELDIR=/lib/modules/$KERNEL_VERSION/build install
+
+  # We dont build anything on targets so remove sources
+  rm -rf $pkgdir/usr/src
+  rm -rf $pkgdir/usr/lib
+  rm -rf $pkgdir/usr/include
+}
+
+kernel() {
+  KERNEL_VERSION=$(basename $(ls -d /lib/modules/*-virt))
+  depends="linux-virt~$(echo $KERNEL_VERSION | sed -e 's/-.*$//')"
+
+  cd src/$pkgname-$pkgver/build
+  mkdir -p "$subpkgdir"/lib/modules/$KERNEL_VERSION/kernel
+  gzip -9 -c driver/falco.ko > "$subpkgdir"/lib/modules/$KERNEL_VERSION/kernel/falco.ko.gz 
+}
+
+sha512sums="
+dc648d9b0a625a02320ff0235bbf4f4940e7ba40c684a8a1f972d34f0a3447b4a34e665d7fbc0ee1ec9a014f65f81a304dc76b4ec804fc7b4e448f330b9474af  falco-0.35.1.tar.gz
+"
diff --git a/kubezero/fluent-bit/APKBUILD b/kubezero/fluent-bit/APKBUILD
index 8669014..6d2cd00 100644
--- a/kubezero/fluent-bit/APKBUILD
+++ b/kubezero/fluent-bit/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=fluent-bit
-pkgver=2.1.1
+pkgver=2.1.5
 pkgrel=0
 pkgdesc="Fast and Lightweight Log processor and forwarder"
 url="https://fluentbit.io/"
@@ -27,6 +27,8 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/fluent/fluent-bit/archive/v$
     fluent-bit.confd
     fluent-bit.initd
     chunkio-static-lib-fts.patch
+    fluent-bit.conf
+    zdt-parsers.conf
     "
 # enable check when this solved - https://github.com/fluent/fluent-bit/issues/2464#issuecomment-673280055
 # Disable all things AWS to make tests pass
@@ -38,7 +40,7 @@ build() {
     fi
     # default CORE_STACK_SIZE=((3 * PTHREAD_STACK_MIN) / 2)=3072 is invalid
     # set default to 24576
-  # Disable stream processor due to issue see: https://github.com/fluent/fluent-bit/issues/2464
+    # Disable stream processor due to issue see: https://github.com/fluent/fluent-bit/issues/2464
     cmake -B build \
       -DCMAKE_INSTALL_PREFIX=/usr \
       -DCMAKE_INSTALL_LIBDIR=lib \
@@ -52,7 +54,7 @@ build() {
       -DFLB_IN_SYSTEMD=Off \
       -DFLB_PROXY_GO=No \
       -DFLB_HTTP_SERVER=Yes \
-        $CMAKE_CROSSOPTS .
+       $CMAKE_CROSSOPTS .
     make -C build
       #-DCMAKE_FIND_LIBRARY_SUFFIXES=".a" \
       #-DCMAKE_EXE_LINKER_FLAGS="-static" \
@@ -83,11 +85,19 @@ package() {
         "$pkgdir"/etc/conf.d/$pkgname
 
     mv "$pkgdir"/usr/etc/* "$pkgdir"/etc
+    rm "$pkgdir"/etc/fluent-bit/fluent-bit.conf
+
+    mkdir -p "$pkgdir"/var/spool/fluent-bit
+    install -Dm644 "$srcdir/fluent-bit.conf" "$pkgdir/etc/fluent-bit/fluent-bit.conf"
+    install -Dm644 "$srcdir/zdt-parsers.conf" "$pkgdir/etc/fluent-bit/zdt-parsers.conf"
+    touch "$pkgdir"/etc/fluent-bit/metadata.conf
 }
 
 sha512sums="
-8c682e41411cae42580636a8d55b3f6c09b729f8e25f7d4e4b306ff286e0aea91da9ebc1a57dee153a90117884cc2a9d4342cae0e860a2f5f74a8a8c4f3b1e81  fluent-bit-2.1.1.tar.gz
+de9c6a4744223ed0f6f401adeb95956c90524feba6f592459ed517e1058f7e1a21f1c42910d3ac721be639264979ba3ebb5503cd7dc5874e1f676bf32a7e7df0  fluent-bit-2.1.5.tar.gz
 f6431397c80a036980b5377b51e38aec25dfceeb8dbe4cd54dce1f6e77d669d9f8daf983fcc96d25332385888f1809ced5e8ab0e8ccfcd93d19494036e3dc949  fluent-bit.confd
 8ba6c8e84dee90176f9b4375fb2c6444fa5d32fa601d9bcf3ea7960fec87f1ef664f175caf08bd0b052843e971efdbf08e2a5cd180ad9a8f23ff2c5cb233814f  fluent-bit.initd
 6bd7d8b4da93a17f29b6ea1e0286ea226d0e376024284741110936779b3229bd8d6cd03ffbdc5d3b4842294e7f32a888de0dd16b0851b65d91b062ca58530ea0  chunkio-static-lib-fts.patch
+ea125b68825ae17bb6d08b1cbe7b3594d4844f7abb06465d7de0a39995dfa927087a28e592f40239792aee7f3494a8ba7a2d2373efc36f6ac712e802ace2f8a2  fluent-bit.conf
+31899a3c68bbb43adb9025a3a46bad4ca0c740d5bca5c252c8667197575698d98ac4a3b6e11ee160c4bb8df0d0089b639bfd7d0ffa52391e6c4f8f734a6952a6  zdt-parsers.conf
 "
diff --git a/kubezero/fluent-bit/fluent-bit.conf b/kubezero/fluent-bit/fluent-bit.conf
new file mode 100644
index 0000000..3f0d808
--- /dev/null
+++ b/kubezero/fluent-bit/fluent-bit.conf
@@ -0,0 +1,41 @@
+[SERVICE]
+    Flush 5
+    Daemon Off
+    Log_Level info
+    log_file /var/log/fluent-bit.log
+
+    HTTP_Server On
+    HTTP_Listen 0.0.0.0
+    HTTP_Port 2020
+    Health_Check On
+
+    parsers_file parsers.conf
+    parsers_file zdt-parsers.conf
+    plugins_file plugins.conf
+
+    storage.metrics on
+    storage.path /var/spool/fluent-bit
+    storage.sync normal
+    storage.checksum on
+    storage.backlog.mem_limit 5M
+
+[INPUT]
+    Name tail
+    Path /var/log/messages
+    Parser syslog-ng-json
+    Tag system
+    DB /var/log/flb_kube.db
+    DB.Sync Normal
+    DB.locking true
+
+@INCLUDE metadata.conf
+
+[OUTPUT]
+    Match *
+    Name forward
+    Host fluentd
+    Port 24224
+    Shared_Key cloudbender
+    tls on
+    Send_options true
+    Require_ack_response true
diff --git a/kubezero/fluent-bit/zdt-parsers.conf b/kubezero/fluent-bit/zdt-parsers.conf
new file mode 100644
index 0000000..0b43e90
--- /dev/null
+++ b/kubezero/fluent-bit/zdt-parsers.conf
@@ -0,0 +1,22 @@
+[PARSER]
+    Name        syslog-ng-json
+    Format      json
+    Time_Key    time
+    Time_Format %s.%L
+
+# SQUID access.logs
+# "%9d.%03d %6d %s %s/%03d %d %s %s %s %s%s/%s %s"
+[PARSER]
+    Name        squid-access
+    Format      regex
+    Regex       /^(?<time>\d+\.\d{1,3})\s+\d+\s(?<host>[^ ]*)\s(?<cache>\w+)\/(?<code>\d+)\s(?<size>\d+)\s(?<method>\S+)\s(?<request_url>[^ ]*)\s(?<user>\S+)\s(?<hierachy_code>\S+)\/(?<forward_host>[^ ]*)\s(?<content_type>\S+)$/
+    Time_Key    time
+    Time_Format %s.%L
+
+# Laravel logs
+[PARSER]
+    Name        laravel
+    Format      regex
+    Regex       /^\[(?<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]\s(?<ident>[a-zA-Z0-9]*)\.(?<severity>[a-zA-Z0-9]*):\s(?<message>.*)$/
+    Time_Key    time
+    Time_Format %Y-%m-%d %H:%M:%S
diff --git a/kubezero/kubernetes/APKBUILD b/kubezero/kubernetes/APKBUILD
index afde254..c6976be 100644
--- a/kubezero/kubernetes/APKBUILD
+++ b/kubezero/kubernetes/APKBUILD
@@ -5,14 +5,14 @@
 # Contributor: Dave <dj.2dixx@gmail.com>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=kubernetes
-pkgver=1.25.8
+pkgver=1.26.6
 pkgrel=0
 pkgdesc="Container Cluster Manager"
 url="https://kubernetes.io/"
 # ppc64le: failed to build
 arch="x86_64 aarch64 armv7 x86"
 license="Apache-2.0"
-options="!check chmod-clean" # Tests hang
+options="!check chmod-clean net" # Tests hang
 
 _kube_proxy_deps="iptables"
 _kubelet_deps="iptables"
@@ -72,9 +72,10 @@ _services="kube-apiserver kube-controller-manager kube-proxy kube-scheduler"
 export GOCACHE="${GOCACHE:-"$srcdir/go-cache"}"
 export GOTMPDIR="${GOTMPDIR:-"$srcdir"}"
 export GOMODCACHE="${GOMODCACHE:-"$srcdir/go"}"
+export FORCE_HOST_GO="y"
 
 build() {
-	make generated_files
+	hack/update-codegen.sh
 	for _pkgs in $_agent $_cli $_services ; do
 		make -j1 GOFLAGS="-buildmode=pie -v -tags=providerless" GOLDFLAGS="-extldflags=-static" WHAT=cmd/$_pkgs
 	done
@@ -207,9 +208,9 @@ _do_zshcomp() {
 }
 
 sha512sums="
-30f1815de4d5bf3a091f1937c94e0e6cf0abc0f527488b72ec4a7d72c014bb8fef450abbf4c908f8a5b791e8d4ab501edb3f5c55af4e370359a952a6228362be  kubernetes-1.25.8.tar.gz
-c350bb0a63ada0cc3657fe07598101775243083aa1eabda898080b7b01b129e6fdd7ad1a61950cc039b73b081f38de3b856baedf5c075f39916be1547b11d184  make-e2e_node-run-over-distro-bins.patch
-56201491d2dfe3a487931cbf5c6e60af898701b9541a936d80e3823948fcfb98508e3d51f4aaa415ce971f7bd20a7b51f74f025c76b83f58d5a8de8ce0ab679b  make-test-cmd-run-over-hyperkube-based-kubectl.patch
+02a6ce3c0ec44dce5b03b97d4a544ac96d43a2342f172c176cbe83b269ffec4c3704f01f620eb11cfdc61728f8431ab6ffdbecc21e0cb29cb388b62c1a930cdf  kubernetes-1.26.6.tar.gz
+5427c2e653504cfd5b0bcaf195d4734ee40947ddfebc9f155cd96dddccfc27692c29d94af4ac99f1018925b52995c593b584c5d7a82df2f185ebce1a9e463c40  make-e2e_node-run-over-distro-bins.patch
+94d07edfe7ca52b12e85dd9e29f4c9edcd144abc8d120fb71e2a0507f064afd4bac5dde30da7673a35bdd842b79a4770a03a1f3946bfae361c01dd4dc4903c64  make-test-cmd-run-over-hyperkube-based-kubectl.patch
 e690daff2adb1013c92124f32e71f8ed9a18c611ae6ae5fcb5ce9674768dbf9d911a05d7e4028488cda886e63b82e8ac0606d14389a05844c1b5538a33dd09d1  kube-apiserver.initd
 302b2a7ec715967c0aa7d1c177d4e55b26e37ebba8d04dd37ecf627d20042fe91cd7e6192ff9d71422129b0ea54a9eec6046f505af550548bd450998924f37ee  kube-apiserver.confd
 1a4bcd54dafaedc614e34bbadc2a1163f003b5925d47552fb2c47049c033c147e612171e263d9659d189fc2d95688a0b7153322d8dba97c083c079fdef6c400e  kube-apiserver.logrotated
diff --git a/kubezero/kubernetes/make-e2e_node-run-over-distro-bins.patch b/kubezero/kubernetes/make-e2e_node-run-over-distro-bins.patch
index 8fa737b..fef91ed 100644
--- a/kubezero/kubernetes/make-e2e_node-run-over-distro-bins.patch
+++ b/kubezero/kubernetes/make-e2e_node-run-over-distro-bins.patch
@@ -1,10 +1,10 @@
 diff --git a/hack/make-rules/test-e2e-node.sh b/hack/make-rules/test-e2e-node.sh
-index fb0720a7..43a57c1f 100755
+index f468d36b..a115aab9 100755
 --- a/hack/make-rules/test-e2e-node.sh
 +++ b/hack/make-rules/test-e2e-node.sh
-@@ -240,6 +240,6 @@ else
-     --alsologtostderr --v 4 --report-dir=${artifacts} --node-name $(hostname) \
-     ${test_args}" --runtime-config="${runtime_config}" \
+@@ -225,6 +225,6 @@ else
+     --test-flags="--v 4 --report-dir=${artifacts} --node-name $(hostname) ${test_args}" \
+     --runtime-config="${runtime_config}" \
      --kubelet-config-file="${kubelet_config_file}" \
 -    --build-dependencies=true 2>&1 | tee -i "${artifacts}/build-log.txt"
 +    --k8s-bin-dir "/usr/bin" --build-dependencies=true 2>&1 | tee -i "${artifacts}/build-log.txt"
diff --git a/kubezero/kubernetes/make-test-cmd-run-over-hyperkube-based-kubectl.patch b/kubezero/kubernetes/make-test-cmd-run-over-hyperkube-based-kubectl.patch
index 16f4407..5040267 100644
--- a/kubezero/kubernetes/make-test-cmd-run-over-hyperkube-based-kubectl.patch
+++ b/kubezero/kubernetes/make-test-cmd-run-over-hyperkube-based-kubectl.patch
@@ -1,8 +1,8 @@
 diff --git a/hack/lib/test.sh b/hack/lib/test.sh
-index 62a6765f..775d1d96 100644
+index 36ea5f04..045de151 100644
 --- a/hack/lib/test.sh
 +++ b/hack/lib/test.sh
-@@ -77,12 +77,12 @@ kube::test::object_assert() {
+@@ -78,12 +78,12 @@ kube::test::object_assert() {
    local object=$2
    local request=$3
    local expected=$4
@@ -11,9 +11,9 @@ index 62a6765f..775d1d96 100644
  
    for j in $(seq 1 "${tries}"); do
      # shellcheck disable=SC2086
-     # Disabling because "args" needs to allow for expansion here
--    res=$(eval kubectl get "${kube_flags[@]}" ${args} "${object}" -o go-template=\""${request}"\")
-+    res=$(eval kubectl ${args} get "${kube_flags[@]}" ${get_args} "${object}" -o go-template=\""${request}"\")
+     # Disabling because to allow for expansion here
+-    res=$(kubectl get "${kube_flags[@]}" ${args} ${object} -o go-template="${request}")
++	res=$(eval kubectl ${args} get "${kube_flags[@]}" ${get_args} "${object}" -o go-template=\""${request}"\")
      if [[ "${res}" =~ ^$expected$ ]]; then
          echo -n "${green}"
          echo "$(kube::test::get_caller 3): Successful get ${object} ${request}: ${res}"
diff --git a/kubezero/kubezero/APKBUILD b/kubezero/kubezero/APKBUILD
index f0f2d9b..4191dcf 100644
--- a/kubezero/kubezero/APKBUILD
+++ b/kubezero/kubezero/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=kubezero
-pkgver=1.25
+pkgver=1.26
 pkgrel=0
 pkgdesc="KubeZero release package"
 url="https://git.zero-downtime.net/ZeroDownTime/alpine-overlay/src/branch/master/kubezero/kubezero"
@@ -29,7 +29,10 @@ source="
        evictLocalNode.sh
        "
 
-IMAGES="quay.io/cilium/cilium:v1.13.1 ghcr.io/k8snetworkplumbingwg/multus-cni:v3.9.3"
+IMAGES="
+       quay.io/cilium/cilium:v1.13.4
+       ghcr.io/k8snetworkplumbingwg/multus-cni:v3.9.3
+       "
 
 build() {
   for i in $IMAGES; do
@@ -58,6 +61,6 @@ imagecache() {
 }
 
 sha512sums="
-b0cadf577ea912630efabf8d104f2edaa79bd1697a1f9224ce8a75354dd204196c6d3c15c0318afa44be10be9696ce20ef0015198ee0b74050897d164f77ae60  shared-sys-fs.start
+ecb33fc3a0ffc378723624858002f9f5e180e851b55b98ab6611ecc6a73d4719bc7de240f87683fc58de8bf577059e6f19b417655b5301ef8c32deff67a29dff  shared-sys-fs.start
 fce1013f7b1bfa8ee526de62e642a37fda3168889723e873d3fb69e257f4caa1423b5a14b9343b12a87f3b6f93c7d3861b854efda67ef2d6a42a5ca8cf3d1593  evictLocalNode.sh
 "
diff --git a/kubezero/kubezero/shared-sys-fs.start b/kubezero/kubezero/shared-sys-fs.start
index 492505e..a6cd245 100644
--- a/kubezero/kubezero/shared-sys-fs.start
+++ b/kubezero/kubezero/shared-sys-fs.start
@@ -1,3 +1,4 @@
 #!/bin/sh
 mount --make-shared /sys/fs/cgroup
+mount --make-shared /sys/fs/bpf
 mount --make-shared /sys
diff --git a/kubezero/nvidia-container-toolkit/APKBUILD b/kubezero/nvidia-container-toolkit/APKBUILD
index e719f4e..2d18039 100644
--- a/kubezero/nvidia-container-toolkit/APKBUILD
+++ b/kubezero/nvidia-container-toolkit/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=nvidia-container-toolkit
-pkgver=1.10.0
-pkgrel=1
+pkgver=1.13.2
+pkgrel=0
 pkgdesc="NVIDIA Container toolkit incl. cri hooks"
 url="https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/overview.html"
 arch="x86_64"
@@ -67,12 +67,12 @@ package() {
   install -Dm644 config.toml "$pkgdir"/etc/nvidia-container-runtime/config.toml
 }
 
-sha512sums='
-23ba2aec28f01c0037bbb4812ea542589e96f6527cf49468a4a7c54ca05808cf0984a8dfe13ee3455b8c6ae8468c58590f9e1e6996927c710bcf3e545772a356  libnvidia-container1_1.10.0-1_amd64.deb
-c5369c832bd91703e6e6e86a4431c2eebb2ddeaadff126174b41ed11e969dc8cc49dcab26b3ac18abb43b466a86ce76908eaa2f5e4109c689a0c3a4fa47548b5  libnvidia-container-tools_1.10.0-1_amd64.deb
-3043729bd96dd153db1dc317685167f34da6b9d202134335212fb7d861532a265a59e002c86fff2664c67687f4c8bcc75913c74018930a6c68c0f2044eceacf0  nvidia-container-toolkit_1.10.0-1_amd64.deb
+sha512sums="
+0edd50e9d42d345bcc26410752ac50425a5806144b0fdd4f6eea07f62501a325a3f58e74d68b6bb2a834b33977ddcc86723b1d96c4ae9664827ad86b4756172b  libnvidia-container1_1.13.2-1_amd64.deb
+3d61c5e610402344411f40db7b9da090b4de467f170779eac7fd8787bd5c30035128196b265a55af5ddadee704056dbcdf30b5cfb0ed72e90ea307db25285b1d  libnvidia-container-tools_1.13.2-1_amd64.deb
+f15af5460823667476e8b788708d1b76e81b73e99e0c6c9a045c830160ab2bb78988de1b4ad1963656f590faa1c5ee415b951275704fd77849d16a0ef712ed4a  nvidia-container-toolkit_1.13.2-1_amd64.deb
 694a3ec64ef3056d5874ff03b889b868c294bccb16506468fdf1c289fe3aaadc2da25a5934de653af9633a5d993d2bb21491d84b3b2e2529e6b31d92c78a2228  libcap2_2.25-2_amd64.deb
 5a4eaa96e6e774948889909d618a8ed44a82f649cbba11622dc7b4478098bea006995d5a5a60ca026a57b76ad866d1e2c6caebd154a26eb6bd7e15291b558057  libseccomp2_2.3.3-4_amd64.deb
 040ac2e3f58549dc09e5bce0d694e4be2f6aae736014bf0ee90042646562d5f1ef1f5990eb9f2c2a2fdf504587b82f4aa0eb99d04c5d3e407670e4012e3edd4e  config.toml
 cf5673231d1862e3ec03f792cddf54ff27237656f762c3f42b6d7e1584de2201c487861ac399ab26951b5dbf3e3cd9b4451dbf61f02b55e0991889b507319764  oci-nvidia-hook.json
-'
+"
diff --git a/kubezero/nvidia-drivers/APKBUILD b/kubezero/nvidia-drivers/APKBUILD
index 2497de8..eea656a 100644
--- a/kubezero/nvidia-drivers/APKBUILD
+++ b/kubezero/nvidia-drivers/APKBUILD
@@ -1,7 +1,8 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=nvidia-drivers
-pkgver=515.65.01
+#pkgver=535.54.03
+pkgver=525.125.06
 pkgrel=0
 pkgdesc="NVIDIA Driver"
 url="https://www.nvidia.com/download/index.aspx"
@@ -27,7 +28,7 @@ package() {
   cd "$srcdir"/NVIDIA-Linux-x86_64-$pkgver
 
   # GSP firmware
-  cp firmware/gsp.bin "$pkgdir"/lib/firmware/nvidia/"$pkgver"/gsp.bin
+  cp firmware/*.bin "$pkgdir"/lib/firmware/nvidia/"$pkgver"/
 
   # Various bins
   SBINS="nvidia-smi nvidia-debugdump nvidia-cuda-mps-control nvidia-cuda-mps-server nvidia-persistenced"
@@ -54,6 +55,6 @@ package() {
   done
 }
 
-sha512sums='
-5221a4ac071eb39a37a841f19cfe4983286dc35e918956b40604404ef36c122612475df7b9a391a9a70bd60f44e598c8a0e5ec54ccc3e90d51f01e1b2fbe5e33  NVIDIA-Linux-x86_64-515.65.01.run
-'
+sha512sums="
+a5f13b633d111d9dc928e8522cd916a2b756fccbf2dc532649762a3f9bdc5503bd57c9c698da8205c49e82720b45789413a1afc26be77d741f823b49ae2f333d  NVIDIA-Linux-x86_64-525.125.06.run
+"
diff --git a/kubezero/nvidia-open-gpu/APKBUILD b/kubezero/nvidia-open-gpu/APKBUILD
index 0e03014..c7af6ad 100644
--- a/kubezero/nvidia-open-gpu/APKBUILD
+++ b/kubezero/nvidia-open-gpu/APKBUILD
@@ -1,7 +1,8 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=nvidia-open-gpu
-pkgver=515.65.01
+#pkgver=535.54.03
+pkgver=525.125.06
 pkgrel=0
 pkgdesc="NVIDIA Linux open GPU kernel modules"
 url="https://github.com/NVIDIA/open-gpu-kernel-modules"
@@ -43,8 +44,8 @@ package() {
   install -Dm755 "$srcdir"/create-nvidia-uvm-dev-node.sh "$pkgdir"/usr/sbin/create-nvidia-uvm-dev-node.sh
 }
 
-sha512sums='
-c2ff6fd02272b6981a65e7e14c6b636f0113e21da910898c27682f58e60fa8e6deea3670081c57e4961fb5e7794eef8eddb90d134ba1892536a8468c5dc9d669  nvidia-515.65.01.tar.gz
+sha512sums="
+4cedcf56e87c93354bc56d168de64b30866cf0b8fba2d2861ac60893b43f8140fa29626c4825af8250c420f9228fd1b64c93750cc50dd210040b4e7c4927e90a  nvidia-525.125.06.tar.gz
 b16b86ded8601ff802477e2b191c5728290014f90bb85ad6ec0e5b7e84f8004c467f5b6c66b80dc5d205fb70a3900ac286764a3829ca3ad3b8a3a5fd0b73a702  91-nvidia.rules
 8335bd69c482da1f67b5cddd31a0b40d01b5c627aeca137b40ac7776cb3e7475767bec808a972ed739c26914207aca264324c41496f6fb579d910c8477f7cc1c  create-nvidia-uvm-dev-node.sh
-'
+"
diff --git a/kubezero/zdt-base/APKBUILD b/kubezero/zdt-base/APKBUILD
index 84e8fc0..be4e2f4 100644
--- a/kubezero/zdt-base/APKBUILD
+++ b/kubezero/zdt-base/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Stefan Reimer <stefan@zero-downtime.net>
 # Maintainer: Stefan Reimer <stefan@zero-downtime.net>
 pkgname=zdt-base
-pkgver=0.1.2
+pkgver=0.3.18
 pkgrel=0
 pkgdesc="ZeroDownTime Alpine additions and customizations"
 url="https://git.zero-downtime.net/ZeroDownTime/alpine-overlay/src/branch/master/kubezero/zdt-base"
@@ -28,7 +28,6 @@ source="
         monit_alert.sh.aws
         neofetch.conf
         zdt-ascii.txt
-        dhclient.conf
         profile
         route53.py
         get_iam_sshkeys.py
@@ -50,9 +49,6 @@ package() {
   mkdir -p "$pkgdir"/etc/cloudbender "$pkgdir/home/alpine"
   install -Dm644 "$srcdir/profile" "$pkgdir/home/alpine/.profile"
 
-  # dhcp tuning for MTU
-  install -Dm644 "$srcdir"/dhclient.conf "$pkgdir"/etc/dhcp/dhclient.conf
-
   # various sysctl tunings
   install -Dm644 "$srcdir"/zdt-sysctl.conf "$pkgdir"/etc/sysctl.d/60-zdt.conf
 
@@ -93,24 +89,23 @@ aws() {
 }
 
 sha512sums="
-92e669eb440dbc89e083e3b61c9f9fa871bedfdca404b8c3533fa1caec0d061f428c39697921c68c49d3de9af2043946d9baf989ba47482827d5626fe9f3e479  cb_base.sh
+13944b955f3c2db54674cd84d58950fc9d8ca522d96081f05ed9bfef8289e30c3dd508796c94d9b283b9c168aadc70f9a934442ec48a5c0c9f25578e62ea0b78  cb_base.sh
 3e02b858680d751b2c1fb22feeec2b767e328fdf007d9fb6687f309e62630467e982cc33d47c4417311938d35bb17dc210f9e0a40b90298dc22cf142f022c124  cb_lock.sh
-f392ae57c4a5ccc019eb5fcc191429a4ba81b2593bfb12bab3b3da3365342b2b89908dfd90d8debf813e3455a61ff8d123f49fa4adce8ea44c06d9db1f7b7e19  cb_volumes.sh
-89a27da781fe302aaed9ed7dcd1b8fc8b94f39802f86b1faeedee50d68a9d61fcbfe037bc29a938994c507cbcda08d86d2c387db118408ca9b7d085f99bb0a17  cb_init.sh
+d7bb357e25aa797b68185036814f1b34d4d6b098de43ef0cf3b71011ebee3d6c2e4bd8fa73a5c7dd6f37c6bbbf3c9c344461a9507346104d4fe783dd1f8b2e23  cb_volumes.sh
+4ccae4451de8fa83d1a73182ad539ca218a98f68f0bbfe2fc4d99ade75e802e3baa65b4a0e00ae2a0b3c870e6467b219d1c5a22e04f3930c3efd7de6c3cf38ab  cb_init.sh
 9c688e08e44ae965eaa6021e005f65077690c30fe6b2de7371c57ae3a53a18f12a356587261c950b8c900f73cb35af3ba7795d33181532b485aeee3b6ca41757  cloudbender-early.init
-46500f8dc08e2e5e5d34886225ef4993f02da9f0a8b55107e886337ec1318fe683a172c398d1236e8f2559b57e0aba66238725e0a20e0440e1423d71aa3d77ea  cloudbender.init
+7fea4ed0ebcf781ae197962c9f6d287c66e7380c758126a1b46c711baf3c7e93d6ccf1d536dada590ca02a7f7b271fd5ecb0dcb4854772cc8b1b70d379249f65  cloudbender.init
 b9479835d8667fa99f8b1b140f969f0464a9bb3c60c7d19b57e306cfe82357d453932791e446caded71fddd379161ae8328367f1ee75ae3afc1b85e12294b621  zdt-sysctl.conf
 76e6a4f309f31bfa07de2d3b1faebe5670722752e18157b69d6e868cbe9e85eda393aed0728b0347a01a810eee442844c78259f86ff71e3136a013f4cbfaaea4  ps_mem.py
-9d087f2d4403a9c6d4d2f06fbb86519f2b8b134d8eb305facaef07c183815f917fb7bac916d39d504dbab7fdf3321a3f70954dde57e8986cc223371715bb1c54  syslog-ng.conf
+5376f4bf8356ce9249c45e78085073245181e8742c7b4be47c71dcd97a611ae125a7dfd3060502bdd591560af070334f89fe60dbc09c008926149c538ab0560a  syslog-ng.conf
 484bdcf001b71ce5feed26935db437c613c059790b99f3f5a3e788b129f3e22ba096843585309993446a88c0ab5d60fd0fa530ef3cfb6de1fd34ffc828172329  syslog-ng.logrotate.conf
-1db58e670748bf9a507068251c21c9ca1744727bbf53fd925059239a58721f6f60c0bd357e4c52e9277a913640a6784e0025a7f3834868a1e93e9e1cbc66d5a6  syslog-ng.apparmor
+e86eed7dd2f4507b04050b869927b471e8de26bc7d97e7064850478323380a0580a92de302509901ea531d6e3fa79afcbf24997ef13cd0496bb3ee719ad674ee  syslog-ng.apparmor
 b928ba547af080a07dc9063d44cb0f258d0e88e7c5a977e8f1cf1263c23608f0a138b8ffca0cdf5818ee72fccb3ce8433f877811be3107bb9c275dfff988179c  monitrc
 64944727d658ff37e7ff9d22a23869e225e104d9229756ba4fef1fc481c56f782472a1c74f8127636b4a98d4545ae30e7d35822a1f0a0fa31a59ec8eaf8c0396  monit_alert.sh.aws
 346b0170ada6cc1207ffb7b8ef138a1570a63c7df4d57618aa4b6b6c0d2df2197b0f5b23578ec83c641ee5e724865ac06985222e125809c990467426a0851b72  neofetch.conf
 532b8e2eb04942ab20bdc36b5dea1c60239fcbfcb85706123f3e05c18d65c938b85e9072d964ae5793177625a8db47b532db1f5bd5ed5ecbb70d5a331666ff54  zdt-ascii.txt
-c565516121b9e6f9d5f769511eb900546753e67cc4208d1b388fdce44cd28699261a5c3905f9a168d4b2d45ac65ac3a2a6a95335f1bbd76d2f444d5f50ec5c9e  dhclient.conf
 c3e72cd92936b03f2b9eab5e97e9a12fcddcdf2c943342e42e7702e2d2407e00859c62dc9b4de3378688d2f05458aa5c104272af7ab13e53a62f1676d1a9a1b4  profile
-2d419d5c25a3829e99326b09876f459e48ab66f5756a8ad39b406c0f2829f5a323e8ff512afd8f32b7b07f24c88efa911bee495ce6c4d1925194cb54d3ba57bd  route53.py
-00eaff6c0a506580340b2547c3b1602a54238bac6090a15516839411478a4b4fdc138668b8ad23455445131f3a3e3fda175ed4bb0dd375402641c0e7b69c3218  get_iam_sshkeys.py
+816049360aa442f9e9aa4d6525795913cfe3dc7c6c14dc4ccad59c0880500f9d42f198edc442fe036bc84ba2690d9c5bc8ae622341d8276b3f14947db6b879b1  route53.py
+7da28446762a36a6737c5b30becbce78775bd943b4d0c5ef938a50f49b4f51f66708434aa79004c19d16c56c83f54c8d6d68e1502ebc250c73f8aae12bed83c0  get_iam_sshkeys.py
 8fd5dca9b9fdae61022f136215afa8adc0d199afcf26593bdd0bd1946d0f2efc5d7ed345704ef9642fbeedeeea007ed31b67fafe89289b749a560a045da45b8e  uniq_hostname.py
 "
diff --git a/kubezero/zdt-base/cb_base.sh b/kubezero/zdt-base/cb_base.sh
index 1a68d7f..78c0501 100644
--- a/kubezero/zdt-base/cb_base.sh
+++ b/kubezero/zdt-base/cb_base.sh
@@ -17,7 +17,7 @@ retry() {
   shift 2
   while true; do
     # Only use timeout of $1 is an executable, call directly if function
-    type -tf $1 >/dev/null && { timeout --preserve-status 30 $@ && return; } || { $@ && return; }
+    type -tf $1 >/dev/null && { timeout 30 $@ && return; } || { $@ && return; }
     ((tries=tries-1))
     [ $tries -eq 0 ] && return 1
     sleep $waitfor
@@ -143,5 +143,8 @@ function exit_trap {
   end_uptime=$(awk '{print $1}' < /proc/uptime)
   log "Exiting user-data. Duration: $(echo "$end_uptime-$start_uptime" | bc) seconds"
 
+  # Shutdown / poweroff if we ran into error and not DEBUG
+  [ $ERR_CODE -ne 0 -a -z "$DEBUG" ] && poweroff
+
   exit 0
 }
diff --git a/kubezero/zdt-base/cb_init.sh b/kubezero/zdt-base/cb_init.sh
index 854fd75..08ad0f1 100644
--- a/kubezero/zdt-base/cb_init.sh
+++ b/kubezero/zdt-base/cb_init.sh
@@ -1,8 +1,8 @@
 # We built on top of tiny-cloud
-. /etc/conf.d/tiny-cloud
+. /etc/tiny-cloud.conf
 
 IMDS_ENDPOINT="169.254.169.254"
-. /lib/tiny-cloud/"$CLOUD"/imds
+. /lib/tiny-cloud/cloud/"$CLOUD"/imds
 
 _imds() {
     wget --quiet --timeout 1 --output-document - \
diff --git a/kubezero/zdt-base/cb_volumes.sh b/kubezero/zdt-base/cb_volumes.sh
index 70b98c4..3e412e3 100644
--- a/kubezero/zdt-base/cb_volumes.sh
+++ b/kubezero/zdt-base/cb_volumes.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # We built on top of tiny-cloud
-. /etc/conf.d/tiny-cloud
+. /etc/tiny-cloud.conf
 
 # archive orig /var, mount new var on top and restore orig var
 copy_and_mount() {
@@ -13,7 +13,7 @@ copy_and_mount() {
 }
 
 setup_var() {
-  for d in $(find /dev/sd?); do
+  for d in $(find /dev/xvd[a-z] /dev/sd[a-z]); do
     # resolve to a valid block device
     dev="$(realpath "$d")"
     [ -b "$dev" ] || continue
@@ -23,8 +23,8 @@ setup_var() {
 
     case "$CLOUD" in
       aws)
-        # on AWS look for sdx 
-        if [ "$d" = "/dev/sdx" ]; then
+        # on AWS look for sdx/xvdx 
+        if [ "$d" = "/dev/sdx" -o "$d" = "/dev/xvdx" ]; then
           # check volume for existing filesystem
           type=$(file -Lbs $d)
           if [[ "$type" =~ "XFS filesystem" ]]; then
diff --git a/kubezero/zdt-base/cloudbender.init b/kubezero/zdt-base/cloudbender.init
index e17a304..23882c4 100755
--- a/kubezero/zdt-base/cloudbender.init
+++ b/kubezero/zdt-base/cloudbender.init
@@ -7,7 +7,7 @@ description="CloudBender - mount additional volumes, send shutdown messages"
 depend() {
 	need net
 	before sshd
-	after tiny-cloud
+	after tiny-cloud-main
 }
 
 start() {
diff --git a/kubezero/zdt-base/dhclient.conf b/kubezero/zdt-base/dhclient.conf
deleted file mode 100644
index 12b6b25..0000000
--- a/kubezero/zdt-base/dhclient.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# Borrowed from Ubuntu 20.04LTS minimal EC2 AMi
-
-option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
-
-send host-name = gethostname();
-request subnet-mask, broadcast-address, time-offset, routers,
-        domain-name, domain-name-servers, domain-search, host-name,
-        dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
-        netbios-name-servers, netbios-scope, interface-mtu,
-        rfc3442-classless-static-routes, ntp-servers;
-
-timeout 300;
diff --git a/kubezero/zdt-base/get_iam_sshkeys.py b/kubezero/zdt-base/get_iam_sshkeys.py
index e459e64..15d2831 100755
--- a/kubezero/zdt-base/get_iam_sshkeys.py
+++ b/kubezero/zdt-base/get_iam_sshkeys.py
@@ -58,6 +58,7 @@ try:
                 Encoding="SSH",
             )
             if key["SSHPublicKey"]["Status"] == "Active":
-                print(key["SSHPublicKey"]["SSHPublicKeyBody"], user["UserName"])
+                print(key["SSHPublicKey"]
+                      ["SSHPublicKeyBody"], user["UserName"])
 except:
     pass
diff --git a/kubezero/zdt-base/route53.py b/kubezero/zdt-base/route53.py
index 20424de..6547e63 100755
--- a/kubezero/zdt-base/route53.py
+++ b/kubezero/zdt-base/route53.py
@@ -29,7 +29,8 @@ def update_dns(record_name, ips=[], ttl=180, action="UPSERT", record_type='A'):
             {"Value": ip}
         )
 
-    route53.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=changeset)
+    route53.change_resource_record_sets(
+        HostedZoneId=zone_id, ChangeBatch=changeset)
 
 
 parser = argparse.ArgumentParser(description='Update Route53 entries')
@@ -49,4 +50,5 @@ action = "UPSERT"
 if args.delete:
     action = "DELETE"
 
-update_dns(args.fqdn, args.record, action=action, ttl=args.ttl, record_type=args.record_type)
+update_dns(args.fqdn, args.record, action=action,
+           ttl=args.ttl, record_type=args.record_type)
diff --git a/kubezero/zdt-base/syslog-ng.apparmor b/kubezero/zdt-base/syslog-ng.apparmor
index 7f32c17..bb68ae2 100644
--- a/kubezero/zdt-base/syslog-ng.apparmor
+++ b/kubezero/zdt-base/syslog-ng.apparmor
@@ -1,4 +1,6 @@
+/proc/uptime r,                                                                               
 /var/lib/syslog-ng/syslog-ng.ctl rw,
 @{PROC}/@{pid}/cmdline r,
 @{PROC}/@{pid}/loginuid r,
 @{PROC}/@{pid}/sessionid r,
+ptrace (read) peer=unconfined,
diff --git a/kubezero/zdt-base/syslog-ng.conf b/kubezero/zdt-base/syslog-ng.conf
index 0570d26..2a537e3 100644
--- a/kubezero/zdt-base/syslog-ng.conf
+++ b/kubezero/zdt-base/syslog-ng.conf
@@ -1,12 +1,12 @@
 # syslog-ng, format all json into messages
 # https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.23/administration-guide/63#TOPIC-1268643
 
-@version: 3.36
+@version: 4.1
 @include "scl.conf"
 
 options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
           dns_cache(no); owner("root"); group("adm"); perm(0640);
-          stats_freq(0); bad_hostname("^gconfd$"); frac-digits(6);
+          stats(freq(43200)); bad_hostname("^gconfd$"); frac-digits(6);
 };
 
 source s_sys { system(); internal();};
diff --git a/kubezero/zdt-base/zdt-base.post-install b/kubezero/zdt-base/zdt-base.post-install
index ca4178a..c3afc58 100644
--- a/kubezero/zdt-base/zdt-base.post-install
+++ b/kubezero/zdt-base/zdt-base.post-install
@@ -28,4 +28,3 @@ echo 'Enable monit via inittab'
 # QoL
 mv /etc/profile.d/color_prompt.sh.disabled /etc/profile.d/color_prompt.sh || true
 echo 'alias rs="doas bash"' > /etc/profile.d/alias.sh
-