Remove all traces of CoreOS from the codebase

2025-05-02 22:34:56 -04:00 · 2022-10-21 10:16:44 +02:00 · 2022-10-21 10:16:44 +02:00 · 743f5fa627
commit 743f5fa627
parent 35e2267cf9
39 changed files with 117 additions and 799 deletions
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@ -1,6 +1,6 @@
 name: Constellation create
 description: |
-  Create a new Constellation cluster using latest CoreOS image.
+  Create a new Constellation cluster using latest OS image.
 inputs:
  workerNodesCount:
    description: "Number of worker nodes to spawn."
@ -17,11 +17,11 @@ inputs:
  machineType:
    description: "Machine type of VM to spawn."
    required: false
-  coreosImage:
+  osImage:
-    description: "CoreOS image to use. The default value 'debug-latest' will select the latest available debug image."
+    description: "OS image to use. The default value 'debug-latest' will select the latest available debug image."
    required: true
  isDebugImage:
-    description: "Is CoreOS img a debug img?"
+    description: "Is OS img a debug img?"
    required: true
  kubernetesVersion:
    description: "Kubernetes version to create the cluster from."
@ -74,23 +74,23 @@ runs:
      run: |
        case $CSP in
          azure)
-            if [ "${{ inputs.coreosImage == 'debug-latest' }}" = true ]
+            if [ "${{ inputs.osImage == 'debug-latest' }}" = true ]
            then
              IMAGE_DEFINITION=$(az sig image-definition list --resource-group constellation-images --gallery-name Constellation_Debug_CVM --query "[].name" -o tsv | sort --version-sort | tail -n 1)
              AZURE_IMAGE=$(az sig image-version list --resource-group constellation-images --gallery-name Constellation_Debug_CVM --gallery-image-definition ${IMAGE_DEFINITION} --query "sort_by([], &publishingProfile.publishedDate)[].id" -o table | tail -n 1)
            else
-              AZURE_IMAGE=${{ inputs.coreosImage }}
+              AZURE_IMAGE=${{ inputs.osImage }}
            fi
            yq eval -i "(.provider.azure.image) = \"${AZURE_IMAGE}\"" constellation-conf.yaml
            ;;
          gcp)
-            if [ "${{ inputs.coreosImage == 'debug-latest' }}" = true ]
+            if [ "${{ inputs.osImage == 'debug-latest' }}" = true ]
            then
              GCP_IMAGE_NAME=$(gcloud compute images list --project constellation-images --filter="name ~ constellation-\d{10} AND family~constellation-debug-v\d+-\d+-\d+" --sort-by=creationTimestamp --format="table(name)" | tail -n 1)
              GCP_IMAGE="projects/constellation-images/global/images/${GCP_IMAGE_NAME}"
            else
-              GCP_IMAGE=${{ inputs.coreosImage }}
+              GCP_IMAGE=${{ inputs.osImage }}
            fi
            yq eval -i "(.provider.gcp.image) = \"${GCP_IMAGE}\"" constellation-conf.yaml
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@ -13,12 +13,12 @@ inputs:
  machineType:
    description: "VM machine type. Make sure it matches selected cloud provider!"
    required: false
-  coreosImage:
+  osImage:
-    description: "CoreOS image to run. The default value 'debug-latest' will select the latest available debug image."
+    description: "OS image to run. The default value 'debug-latest' will select the latest available debug image."
    default: "debug-latest"
    required: true
  isDebugImage:
-    description: "Is CoreOS img a debug img?"
+    description: "Is OS img a debug img?"
    default: "true"
    required: true
  kubernetesVersion:
@ -93,7 +93,7 @@ runs:
        workerNodesCount: ${{ inputs.workerNodesCount }}
        controlNodesCount: ${{ inputs.controlNodesCount }}
        machineType: ${{ inputs.machineType }}
-        coreosImage: ${{ inputs.coreosImage }}
+        osImage: ${{ inputs.osImage }}
        isDebugImage: ${{ inputs.isDebugImage }}
        kubernetesVersion: ${{ inputs.kubernetesVersion }}
        azureClientSecret: ${{ inputs.azureClientSecret }}
--- a/.github/actions/generate_measurements/action.yml
+++ b/.github/actions/generate_measurements/action.yml
@ -4,11 +4,11 @@ inputs:
  cloudProvider:
    description: "Which cloud provider to use."
    required: true
-  coreosImage:
+  osImage:
-    description: "CoreOS image to run. The default value 'debug-latest' will select the latest available debug image."
+    description: "OS image to run. The default value 'debug-latest' will select the latest available debug image."
    required: true
  isDebugImage:
-    description: "Is CoreOS img a debug img?"
+    description: "Is OS img a debug img?"
    required: true
  workerNodesCount:
    description: "Number of worker nodes to spawn."
@ -87,7 +87,7 @@ runs:
        workerNodesCount: ${{ inputs.workerNodesCount }}
        controlNodesCount: ${{ inputs.controlNodesCount }}
        machineType: ${{ inputs.machineType }}
-        coreosImage: ${{ inputs.coreosImage }}
+        osImage: ${{ inputs.osImage }}
        isDebugImage: ${{ inputs.isDebugImage }}
        kubernetesVersion: ${{ inputs.kubernetesVersion }}
        azureClientSecret: ${{ inputs.azureClientSecret }}
--- a/.github/docs/README.md
+++ b/.github/docs/README.md
@ -107,7 +107,7 @@ For information on how to achieve this, refer to the [First steps](https://docs.
 ## Image versions
-The [build-coreos](../workflows/build-coreos.yml) workflow can be used to trigger an image build.
+The [build-os-image](../workflows/build-os-image.yml) workflow can be used to trigger an image build.
 The workflow can be used to build debug or release images.
 A debug image uses [`debugd`](../../debugd/) as its bootstrapper binary, while release images use the actual [`bootstrapper`](../../bootstrapper/)
--- a/.github/docs/layout.md
+++ b/.github/docs/layout.md
@ -20,6 +20,5 @@ Development components:
 Additional repositories:
 * [constellation-fedora-coreos-config](https://github.com/edgelesssys/constellation-fedora-coreos-config): CoreOS build configuration with changes for Constellation
 * [constellation-azuredisk-csi-driver](https://github.com/edgelesssys/constellation-azuredisk-csi-driver): Azure CSI driver with encryption on node
 * [constellation-gcp-compute-persistent-disk-csi-driver](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver): GCP CSI driver with encryption on node
--- a/.github/docs/release.md
+++ b/.github/docs/release.md
@ -12,11 +12,8 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
    # push upstream via PR
    ```
-3. On the [CoreOS config repo](https://github.com/edgelesssys/constellation-fedora-coreos-config), create two new branches `release/v1.3`, `stream/v1.3` (new minor version) or use the existing ones (new patch version).
+3. Create a new branch `release/v1.3` (new minor version) or use the existing one (new patch version)
-   The release branch contains the squashed changeset and is branched from main while the stream branch contains the rebased changesets on top of the latest upstream changes.
+4. On this branch, prepare the following things:
   [Consult this guide on rebasing forks (INTERNAL)](https://github.com/edgelesssys/wiki/blob/master/documentation/rebasing_forks.md#managing-release-branches) on how to create those two branches.
 4. Create a new branch `release/v1.3` (new minor version) or use the existing one (new patch version)
 5. On this branch, prepare the following things:
    1. (new patch version) `cherry-pick` (only) the required commits from `main`
    2. Use [Build micro-service manual](https://github.com/edgelesssys/constellation/actions/workflows/build-micro-service-manual.yml) and run the pipeline once for each micro-service with the following parameters:
        * branch: `release/v1.3`
@ -55,10 +52,10 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
       2. Create a new block for unreleased changes
    5. Update project version in [CMakeLists.txt](/CMakeLists.txt) to `1.3.0` (without v).
    6. When the microservice builds are finished update versions in [versions.go](../../internal/versions/versions.go#L33-L39) to `v1.3.0`, **add the container hashes** and **push your changes**.
-    7. Create a [production coreOS image](/.github/workflows/build-coreos.yml)
+    7. Create a [production OS image](/.github/workflows/build-coreos.yml)
        ```sh
-        gh workflow run build-coreos.yml --ref release/v$minor -F debug=false -F coreOSConfigBranch=release/v$minor -F imageVersion=v$ver
+        gh workflow run build-os-image.yml --ref release/v$minor -F debug=false -F imageVersion=v$ver
        ```
    8. Update [default images in config](/internal/config/images_enterprise.go)
@ -66,17 +63,17 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
        ```sh
        sono='--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
-        gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F coreosImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
+        gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
-        gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F coreosImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
+        gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
-        gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F coreosImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
+        gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
-        gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F coreosImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
+        gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
        ```
    10. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images on each CSP.
        ```sh
-           gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=azure -F coreosImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
+           gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=azure -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
-           gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=gcp -F coreosImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
+           gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=gcp -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
        ```
    11. Create a new tag on this release branch
@ -92,14 +89,14 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
        ```
        * The previous step will create a draft release. Check build output for link to draft release. Review & approve.
-6. Follow [export flow (INTERNAL)](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md#manual-export-and-import) to make image available in S3 for trusted launch users.
+5. Follow [export flow (INTERNAL)](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md#manual-export-and-import) to make image available in S3 for trusted launch users.
-7. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main
+6. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main
-8. Milestones management
+7. Milestones management
   1. Create a new milestone for the next release
   2. Add the next release manager and an approximate release date to the milestone description
   3. Close the milestone for the release
   4. Move open issues and PRs from closed milestone to next milestone
-9. If the release is a minor version release, create an empty commit on main and tag it as the start of the next pre-release phase.
+8. If the release is a minor version release, create an empty commit on main and tag it as the start of the next pre-release phase.
    ```sh
    nextMinorVer=$(echo $ver | awk -F. -v OFS=. '{$2 += 1 ; print}')
    git checkout main
--- a/.github/runners/gcp-nested-virt/README.md
+++ b/.github/runners/gcp-nested-virt/README.md
@ -1,6 +0,0 @@
 This folder contains a template for deploying a builder for CoreOS on GCP.
 ## Manually start a builder instance
 ```
 gcloud compute instances create coreos-builder --enable-nested-virtualization --zone=us-central1-c --boot-disk-size 64GB --machine-type=n2-highmem-4 --image-project="ubuntu-os-cloud" --image="ubuntu-2110-impish-v20220118" --metadata-from-file=user-data=cloud-init.txt
 ```
--- a/.github/runners/gcp-nested-virt/cloud-init.txt
+++ b/.github/runners/gcp-nested-virt/cloud-init.txt
@ -1,37 +0,0 @@
 #cloud-config
 users:
 - default
 - name: github-actions-runner-user
   groups: docker
   sudo: ALL=(ALL) NOPASSWD:ALL
   homedir: /home/github-actions-runner-user
 package_update: true
 packages:
 - git
 - cryptsetup
 - build-essential
 - libguestfs-tools
 - ca-certificates
 - curl
 - gnupg
 - lsb-release
 - jq
 - pv
 runcmd:
 - [sudo, chmod, "+r", "/boot/vmlinuz*"]
 - [/bin/bash, -c, "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg"]
 - [/bin/bash, -c, "echo \"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\" | tee /etc/apt/sources.list.d/docker.list > /dev/null "]
 - [apt-get, update]
 - [apt-get, install, -y, docker-ce, docker-ce-cli, containerd.io, libssl-dev, pigz]
 - [chmod, 666, /dev/kvm]
 - [mkdir, -p, /actions-runner]
 - [curl, -o, "/actions-runner/actions-runner-linux-x64-2.286.1.tar.gz", -L, "https://github.com/actions/runner/releases/download/v2.286.1/actions-runner-linux-x64-2.286.1.tar.gz"]
 - [/bin/bash, -c, "cd /actions-runner && tar xzf /actions-runner/actions-runner-linux-x64-2.286.1.tar.gz"]
 - [sed, -i, "s:# insert anything to setup env when running as a service:export HOME=/home/github-actions-runner-user:", runsvc.sh]
 - [chown, -R, github-actions-runner-user:github-actions-runner-user, /actions-runner]
 - [sudo, -u, github-actions-runner-user, /bin/bash, -c, "cd /actions-runner && /actions-runner/config.sh --url https://github.com/edgelesssys/constellation --ephemeral --labels nested-virt --replace --unattended --token $(curl -u api:$(gcloud secrets versions access latest --secret=constellation-images-coreos-builder-github-token) -X POST -H 'Accept: application/vnd.github.v3+json' https://api.github.com/repos/edgelesssys/constellation/actions/runners/registration-token | jq -r .token)"]
 - [/bin/bash, -c, "cd /actions-runner && ./svc.sh install"]
 - [/bin/bash, -c, "systemctl enable --now actions.runner.edgelesssys-constellation.$(hostname).service"]
--- a/.github/runners/gcp-nested-virt/google-cloud-function.py
+++ b/.github/runners/gcp-nested-virt/google-cloud-function.py
@ -1,205 +0,0 @@
 import os
 import sys
 import re
 import hmac
 import hashlib
 import random
 import string
 import google.cloud.compute_v1 as compute_v1
 LABEL="nested-virt"
 AUTH_TOKEN_ENV="COREOS_BUILDER_WORKFLOW_FUNCTION_TOKEN"
 SA_EMAIL="constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
 SA_SCOPES=[
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/cloud-platform",
 ]
 def workflow_job(request):
    """Responds to https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
    Args:
        request (flask.Request): HTTP request object.
    Returns:
        The response text or any set of values that can be turned into a
        Response object using
        `make_response <http://flask.pocoo.org/docs/1.0/api/#flask.Flask.make_response>`.
    """
    allow, reason = authorize(request)
    if not allow:
        return f'unauthorized: {reason}'
    request_json = request.get_json()
    if request_json and 'action' in request_json:
        if request_json['action'] == 'queued':
            return job_queued(request_json['workflow_job'])
        elif request_json['action'] == 'completed':
            return job_completed(request_json['workflow_job'])
        elif request_json['action'] == 'in_progress':
            return f'nothing to do here'
    else:
        return f'invalid message format'
 def authorize(request) -> (bool, str) :
    correct_token = os.environ.get(AUTH_TOKEN_ENV)
    if correct_token is None:
        return False, 'correct token not set'
    correct_hmac = 'sha256=' + hmac.new(correct_token.encode('utf-8'), request.get_data(), hashlib.sha256).hexdigest()
    request_hmac = request.headers.get('X-Hub-Signature-256')
    if request_hmac is None:
        return False, 'X-Hub-Signature-256 not set'
    if correct_hmac == request_hmac:
        return True, ''
    else:
        return False, f'X-Hub-Signature-256 incorrect'
 def job_queued(workflow_job) -> str:
    if not LABEL in workflow_job['labels']:
        return f'unexpected job labels: {workflow_job["labels"]}'
    cloud_init = generate_cloud_init()
    instance_uid = ''.join(random.choice(string.ascii_lowercase + string.digits) for i in range(6))
    try:
        create_instance(metadata={'user-data': cloud_init}, instance_name=f'coreos-builder-{instance_uid}')
    except Exception as e:
        return f'creating instance failed: {e}'
    return 'success'
 def job_completed(workflow_job) -> str:
    if not LABEL in workflow_job['labels']:
        return f'unexpected job labels: {workflow_job["labels"]}'
    instance_name = workflow_job["runner_name"]
    try:
        delete_instance(machine_name=instance_name)
    except Exception as e:
        return f'deleting instance failed: {e}'
    return 'success'
 def generate_cloud_init() -> str:
    with open("cloud-init.txt", "r") as f:
        cloud_init = f.read()
    return cloud_init
 def create_instance(
    metadata: dict[str, str],
    project_id: str = 'constellation-331613',
    zone: str = 'us-central1-c',
    instance_name: str = 'coreos-builder',
    machine_type: str = "n2-highmem-4",
    source_image: str = "projects/ubuntu-os-cloud/global/images/family/ubuntu-2004-lts",
    network_name: str = "global/networks/default",
    disk_size_gb: int = 64,
    enable_nested_virtualization: bool = True,
    service_accounts: list[compute_v1.ServiceAccount] = [compute_v1.ServiceAccount(email=SA_EMAIL, scopes=SA_SCOPES)],
 ) -> compute_v1.Instance:
    """
    Send an instance creation request to the Compute Engine API and wait for it to complete.
    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        zone: name of the zone you want to use. For example: “us-west3-b”
        instance_name: name of the new virtual machine.
        machine_type: machine type of the VM being created. This value uses the
            following format: "zones/{zone}/machineTypes/{type_name}".
            For example: "zones/europe-west3-c/machineTypes/f1-micro"
        source_image: path to the operating system image to mount on your boot
            disk. This can be one of the public images
            (like "projects/debian-cloud/global/images/family/debian-10")
            or a private image you have access to.
        network_name: name of the network you want the new instance to use.
            For example: "global/networks/default" represents the `default`
            network interface, which is created automatically for each project.
    Returns:
        Instance object.
    """
    instance_client = compute_v1.InstancesClient()
    operation_client = compute_v1.ZoneOperationsClient()
    # Describe the size and source image of the boot disk to attach to the instance.
    disk = compute_v1.AttachedDisk()
    initialize_params = compute_v1.AttachedDiskInitializeParams()
    initialize_params.source_image = (
        source_image
    )
    initialize_params.disk_size_gb = disk_size_gb
    disk.initialize_params = initialize_params
    disk.auto_delete = True
    disk.boot = True
    disk.type_ = "PERSISTENT"
    # Use the network interface provided in the network_name argument.
    network_interface = compute_v1.NetworkInterface()
    network_interface.name = network_name
    network_interface.access_configs = [compute_v1.AccessConfig()]
    # Collect information into the Instance object.
    instance = compute_v1.Instance()
    instance.name = instance_name
    instance.disks = [disk]
    if re.match(r"^zones/[a-z\d\-]+/machineTypes/[a-z\d\-]+$", machine_type):
        instance.machine_type = machine_type
    else:
        instance.machine_type = f"zones/{zone}/machineTypes/{machine_type}"
    instance.network_interfaces = [network_interface]
    # Enable nested virtualization if requested
    advanced_machine_features = compute_v1.AdvancedMachineFeatures()
    advanced_machine_features.enable_nested_virtualization = enable_nested_virtualization
    instance.advanced_machine_features = advanced_machine_features
    metadata_items = [compute_v1.Items(key=k, value=v) for k, v in metadata.items()]
    metadata = compute_v1.Metadata(items=metadata_items)
    instance.metadata = metadata
    # set service accounts.
    instance.service_accounts = service_accounts
    # Prepare the request to insert an instance.
    request = compute_v1.InsertInstanceRequest()
    request.zone = zone
    request.project = project_id
    request.instance_resource = instance
    # Wait for the create operation to complete.
    print(f"Creating the {instance_name} instance in {zone}...")
    operation = instance_client.insert_unary(request=request)
    while operation.status != compute_v1.Operation.Status.DONE:
        operation = operation_client.wait(
            operation=operation.name, zone=zone, project=project_id
        )
    if operation.error:
        print("Error during creation:", operation.error, file=sys.stderr)
    if operation.warnings:
        print("Warning during creation:", operation.warnings, file=sys.stderr)
    print(f"Instance {instance_name} created.")
    return instance
 def delete_instance(
    project_id: str = 'constellation-331613',
    zone: str = 'us-central1-c',
    machine_name: str = 'coreos-builder',
    ) -> None:
    """
    Send an instance deletion request to the Compute Engine API and wait for it to complete.
    Args:
        project_id: project ID or project number of the Cloud project you want to use.
        zone: name of the zone you want to use. For example: “us-west3-b”
        machine_name: name of the machine you want to delete.
    """
    instance_client = compute_v1.InstancesClient()
    operation_client = compute_v1.ZoneOperationsClient()
    print(f"Deleting {machine_name} from {zone}...")
    operation = instance_client.delete_unary(
        project=project_id, zone=zone, instance=machine_name
    )
    while operation.status != compute_v1.Operation.Status.DONE:
        operation = operation_client.wait(
            operation=operation.name, zone=zone, project=project_id
        )
    if operation.error:
        print("Error during deletion:", operation.error, file=sys.stderr)
    if operation.warnings:
        print("Warning during deletion:", operation.warnings, file=sys.stderr)
    print(f"Instance {machine_name} deleted.")
    return
--- a/.github/workflows/build-coreos.yml
+++ b/.github/workflows/build-coreos.yml
@ -1,136 +0,0 @@
 name: Build and Upload CoreOS image
 on:
  workflow_dispatch:
    inputs:
      coreOSConfigBranch:
        description: "Branch of CoreOS config repo to build from"
        default: "main"
        required: false
      imageVersion:
        description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
        required: false
      debug:
        description: "Build debug image"
        type: boolean
        default: false
        required: false
 jobs:
  build-coreos-image:
    name: "Build CoreOS using customized COSA"
    runs-on: [self-hosted, linux, nested-virt]
    permissions:
      contents: read
      packages: read
    env:
      SHELL: /bin/bash
    steps:
      - name: Checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
        with:
          submodules: recursive
          token: ${{ secrets.CI_GITHUB_REPOSITORY }}
      - name: Install build packages
        id: install-packages
        uses: ./.github/actions/setup_linux
      - name: Setup Go environment
        uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
        with:
          go-version: "1.19.2"
      - name: Build bootstrapper
        if: ${{ inputs.debug == false }}
        uses: ./.github/actions/build_bootstrapper
        with:
          outputPath: ${{ github.workspace }}/build/bootstrapper
      - name: Build debugd
        if: ${{ inputs.debug == true }}
        uses: ./.github/actions/build_debugd
        with:
          outputPath: ${{ github.workspace }}/build/bootstrapper
      - name: Build disk-mapper
        uses: ./.github/actions/build_disk_mapper
        with:
          outputPath: ${{ github.workspace }}/build/disk-mapper
      - name: Determine version
        id: version
        uses: ./.github/actions/pseudo_version
      - name: Log in to the Container registry
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Install AzCopy
        shell: bash
        run: |
          wget -q https://aka.ms/downloadazcopy-v10-linux -O azcopy.tar.gz
          tar --strip-components 1 -xf azcopy.tar.gz
          rm azcopy.tar.gz
          echo "$(pwd)" >> $GITHUB_PATH
      - name: Login to Azure
        uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # tag=v1.4.6
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - name: Store GH token to be mounted by cosa
        shell: bash
        run: echo "machine github.com login api password ${{ secrets.CI_GITHUB_REPOSITORY }}" > /tmp/.netrc
      # Make sure to set valid names for GCP and Azure
      #  Azure
      #    gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
      #    image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
      #    image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
      #
      #  GCP
      #    image family and image name may include lowercase alphanumeric characters and dashes. Must not end or begin with a dash
      - name: Configure input variables
        shell: bash
        run: |
          timestamp=${{ steps.version.outputs.timestamp }}
          semver=${{ steps.version.outputs.semanticVersion }}
          imageVersion=${{ inputs.imageVersion }}
          pseudover=${{ steps.version.outputs.pseudoVersion }}
          echo "azureImageName=constellation-${pseudover//./-}" >> $GITHUB_ENV
          if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
          then
            echo "gcpImageName=constellation-${imageVersion//./-}" >> $GITHUB_ENV
            echo "gcpImageFamily=constellation" >> $GITHUB_ENV
            echo "azureGalleryName=Constellation" >> $GITHUB_ENV
            echo "azureImageDefinition=constellation" >> $GITHUB_ENV
            echo "azureImageVersion=${imageVersion:1}" >> $GITHUB_ENV
          elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
          then
            echo "gcpImageName=constellation-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
            echo "gcpImageFamily=constellation-debug-${semver//./-}" >> $GITHUB_ENV
            echo "azureGalleryName=Constellation_Debug" >> $GITHUB_ENV
            echo "azureImageDefinition=${semver}" >> $GITHUB_ENV
            echo "azureImageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
          else
            echo "gcpImageName=constellation-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
            echo "gcpImageFamily=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
            echo "azureGalleryName=Constellation_Testing" >> $GITHUB_ENV
            echo "azureImageDefinition=${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
            echo "azureImageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
          fi
      - name: Build and Upload
        id: build-and-upload
        shell: bash
        run: |
          make cosa-image
          make -j$(nproc) CONTAINER_ENGINE=docker NETRC=/tmp/.netrc \
            COSA_INIT_BRANCH="${{ inputs.coreOSConfigBranch }}" \
            GCP_IMAGE_NAME="${{ env.gcpImageName }}" GCP_IMAGE_FAMILY="${{ env.gcpImageFamily }}" \
            AZURE_IMAGE_DEFINITION="${{ env.azureImageDefinition }}" AZURE_IMAGE_VERSION="${{ env.azureImageVersion }}" AZURE_GALLERY_NAME="${{ env.azureGalleryName }}" AZURE_IMAGE_NAME="${{ env.azureImageName }}"\
            image-gcp image-azure upload-gcp upload-azure
        working-directory: ${{ github.workspace }}/image
--- a/.github/workflows/e2e-test-manual-macos.yml
+++ b/.github/workflows/e2e-test-manual-macos.yml
@ -27,13 +27,13 @@ on:
        description: "Kubernetes version to create the cluster from."
        default: "1.24"
        required: true
-      coreosImage:
+      osImage:
-        description: "CoreOS image (full path). Examples are in internal/config/config.go."
+        description: "OS image (full path). Examples are in internal/config/config.go."
        default: "debug-latest"
        type: string
        required: true
      isDebugImage:
-        description: "Is CoreOS image a debug image?"
+        description: "Is OS image a debug image?"
        type: boolean
        default: true
        required: false
@ -127,7 +127,7 @@ jobs:
          kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
          azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
          azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
-          coreosImage: ${{ github.event.inputs.coreosImage }}
+          osImage: ${{ github.event.inputs.osImage }}
          isDebugImage: ${{ github.event.inputs.isDebugImage }}
      - name: Always terminate cluster
--- a/.github/workflows/e2e-test-manual.yml
+++ b/.github/workflows/e2e-test-manual.yml
@ -27,12 +27,12 @@ on:
        description: "Kubernetes version to create the cluster from."
        default: "1.24"
        required: true
-      coreosImage:
+      osImage:
-        description: "CoreOS image (full path). Examples are in internal/config/config.go."
+        description: "OS image (full path). Examples are in internal/config/config.go."
        default: "debug-latest"
        required: false
      isDebugImage:
-        description: "Is CoreOS image a debug image?"
+        description: "Is OS image a debug image?"
        type: boolean
        default: true
        required: false
@ -89,7 +89,7 @@ jobs:
          kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
          azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
          azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
-          coreosImage: ${{ github.event.inputs.coreosImage }}
+          osImage: ${{ github.event.inputs.osImage }}
          isDebugImage: ${{ github.event.inputs.isDebugImage }}
      - name: Always terminate cluster
--- a/.github/workflows/generate-measurements.yml
+++ b/.github/workflows/generate-measurements.yml
@ -11,12 +11,12 @@ on:
          - "gcp"
        default: "gcp"
        required: true
-      coreosImage:
+      osImage:
-        description: "CoreOS image (full path). Examples are in internal/config/config.go."
+        description: "OS image (full path). Examples are in internal/config/config.go."
        type: string
        required: true
      isDebugImage:
-        description: "Is CoreOS image a debug image?"
+        description: "Is OS image a debug image?"
        type: boolean
        required: true
@ -56,7 +56,7 @@ jobs:
          gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
          azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
          azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
-          coreosImage: ${{ github.event.inputs.coreosImage }}
+          osImage: ${{ github.event.inputs.osImage }}
          isDebugImage: ${{ github.event.inputs.isDebugImage }}
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
--- a/3rdparty/coreos-assembler/.gitignore
+++ b/3rdparty/coreos-assembler/.gitignore
@ -1 +0,0 @@
 build
--- a/3rdparty/coreos-assembler/HACKING.md
+++ b/3rdparty/coreos-assembler/HACKING.md
@ -1,34 +0,0 @@
 # dm-verity patch for CoreOS assembler
 Constellation uses CoreOS as a base for OS images. While the images are mostly unmodified and can be built using the upstream CoreOS assembler, small modifications to the assembler are required to support dm-verity for the root filesystem.
 Checkout the CoreOS assembler source code [from the upstream repo](https://github.com/coreos/coreos-assembler) using the commit ID specified in the [Makefile](Makefile)
 ```shell-session
 make clone
 ```
 Apply the patch:
 ```shell-session
 make patch
 ```
 Now you can make changes to the coreos-assembler and compile it using the included `Dockerfile`:
 ```shell-session
 make containerimage
 ```
 Once you are done, create a new patch file (within `3rdparty/coreos-assembler/build/coreos-assembler`):
 ```shell-session
 git diff HEAD^ > ../../verity.patch
 ```
 ## Building the CoreOS assembler container image
 ```shell-session
 make
 ```
 The resulting container image will be tagged as `localhost/coreos-assembler`.
--- a/3rdparty/coreos-assembler/Makefile
+++ b/3rdparty/coreos-assembler/Makefile
@ -1,28 +0,0 @@
 CONTAINER_RUNTIME ?= docker
 IMAGENAME         ?= localhost/coreos-assembler
 IMAGETAG          ?= latest
 UPSTREAM          ?= https://github.com/coreos/coreos-assembler
 COMMIT            ?= 2dd33ddc36e6b9e1cc01ee0740f29020d203ceb2
 SRC_PATH           = $(CURDIR)
 BASE_PATH         ?= $(SRC_PATH)
 BUILDDIR          ?= $(BASE_PATH)/build
 CLONEDIR          ?= $(BUILDDIR)/coreos-assembler
 .PHONY: all clone patch containerimage clean
 all: clone patch containerimage
 clone:
 	@mkdir -p $(BUILDDIR)
 	git clone $(UPSTREAM) $(CLONEDIR)
 	cd $(CLONEDIR) && git checkout $(COMMIT)
 patch:
 	cd $(CLONEDIR) && patch --verbose -p1 < $(BASE_PATH)/verity.patch
 containerimage:
 	cd $(CLONEDIR) && $(CONTAINER_RUNTIME) build -t $(IMAGENAME):$(IMAGETAG) -f Dockerfile .
 clean:
 	rm -rf $(BUILDDIR)
--- a/3rdparty/coreos-assembler/verity.patch
+++ b/3rdparty/coreos-assembler/verity.patch
@ -1,232 +0,0 @@
 diff --git a/Dockerfile b/Dockerfile
 index 80c008a2d..329171970 100644
 --- a/Dockerfile
 +++ b/Dockerfile
@@ -38,3 +38,12 @@ RUN chmod g=u /etc/passwd
 # run as `builder` user
 USER builder
 ENTRYPOINT ["/usr/bin/dumb-init", "/usr/bin/coreos-assembler"]
 +
 +# Constellation start
 +USER root
 +
 +RUN dnf -y update && \
 +    dnf install -y veritysetup && \
 +    dnf clean all
 +
 +USER builder
 +# Constellation end
 diff --git a/mantle/platform/qemu.go b/mantle/platform/qemu.go
 index d4d5eafa7..20f156315 100644
 --- a/mantle/platform/qemu.go
 +++ b/mantle/platform/qemu.go
@@ -449,7 +449,7 @@ type QemuBuilder struct {
 func NewQemuBuilder() *QemuBuilder {
 	ret := QemuBuilder{
 		Firmware:  "bios",
 -		Swtpm:     true,
 +		Swtpm:     false,
 		Pdeathsig: true,
 		Argv:      []string{},
 	}
 diff --git a/src/cosalib/qemuvariants.py b/src/cosalib/qemuvariants.py
 index 8d57803b1..cdad6aeba 100644
 --- a/src/cosalib/qemuvariants.py
 +++ b/src/cosalib/qemuvariants.py
@@ -81,7 +81,7 @@ VARIANTS = {
         "image_suffix": "tar.gz",
         "gzip": True,
         "convert_options": {
 -            '-o': 'preallocation=off'
 +            '-o': 'preallocation=full'
         },
         "tar_members": [
             "disk.raw"
 diff --git a/src/create_disk.sh b/src/create_disk.sh
 index 61d52cd96..fa3fe1655 100755
 --- a/src/create_disk.sh
 +++ b/src/create_disk.sh
@@ -188,6 +188,7 @@ set -x
 SDPART=1
 BOOTPN=3
 ROOTPN=4
 +VERITYHASHPN=5
 # Make the size relative
 if [ "${rootfs_size}" != "0" ]; then
     rootfs_size="+${rootfs_size}"
@@ -201,7 +202,8 @@ case "$arch" in
         -n 1:0:+1M -c 1:BIOS-BOOT -t 1:21686148-6449-6E6F-744E-656564454649 \
         -n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \
         -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
 -        -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
 +        -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
 +        -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
         sgdisk -p "$disk"
         ;;
     aarch64)
@@ -212,7 +214,8 @@ case "$arch" in
         -n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \
         -n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \
         -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
 -        -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
 +        -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
 +        -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
         sgdisk -p "$disk"
         ;;
     s390x)
@@ -222,6 +225,7 @@ case "$arch" in
                 -n ${SDPART}:0:+200M -c ${SDPART}:se -t ${SDPART}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
                 -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
 -                -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
 +                -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
 +                -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
         else
             # NB: in the bare metal case when targeting ECKD DASD disks, this
             # partition table is not what actually gets written to disk in the end:
@@ -231,7 +235,8 @@ case "$arch" in
                 -U "${uninitialized_gpt_uuid}" \
                 -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
 -                -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
 +                -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
 +                -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
         fi
         sgdisk -p "$disk"
         ;;
     ppc64le)
@@ -243,7 +248,8 @@ case "$arch" in
         -n ${PREPPN}:0:+4M -c ${PREPPN}:PowerPC-PReP-boot -t ${PREPPN}:9E1A2D38-C612-4316-AA26-8B49521E5A8B \
         -n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \
         -n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
 -        -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
 +        -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
 +        -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
         sgdisk -p "$disk"
         ;;
 esac
@@ -251,10 +257,11 @@ esac
 udevtrig
 zipl_dev="${disk}${SDPART}"
 boot_dev="${disk}${BOOTPN}"
 root_dev="${disk}${ROOTPN}"
 +hash_dev="${disk}${VERITYHASHPN}"
 bootargs=
 # If the bootfs_metadata_csum_seed image.yaml knob is set to true then
 # we'll enable the metadata_csum_seed filesystem feature. This is
 # gated behind an image.yaml knob because support for this feature
@@ -305,17 +315,17 @@ case "${rootfs_type}" in
         # And reflinks are *very* useful for the container stack with overlayfs (and in general).
         # So basically, we're choosing performance over half-implemented security.
         # Eventually, we'd like both - once XFS gains verity (probably not too hard),
         # we could unconditionally enable it there.
         # shellcheck disable=SC2086
 -        mkfs.ext4 -b "$(getconf PAGE_SIZE)" -O verity -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
 +        mkfs.ext4 -b "$(getconf PAGE_SIZE)" -O verity -L root_raw "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
         ;;
     btrfs)
         # shellcheck disable=SC2086
 -        mkfs.btrfs -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
 +        mkfs.btrfs -L root_raw "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
         ;;
     xfs|"")
         # shellcheck disable=SC2086
 -        mkfs.xfs "${root_dev}" -L root -m reflink=1 -m uuid="${rootfs_uuid}" ${rootfs_args}
 +        mkfs.xfs "${root_dev}" -L root_raw -m reflink=1 -m uuid="${rootfs_uuid}" -s "size=4096" ${rootfs_args}
         ;;
     *)
         echo "Unknown rootfs_type: $rootfs_type" 1>&2
@@ -536,11 +428,10 @@ s390x)
 esac
 ostree config --repo $rootfs/ostree/repo set sysroot.bootloader "${bootloader_backend}"
 -# Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA
 -# https://github.com/ostreedev/ostree/issues/1265
 -ostree config --repo $rootfs/ostree/repo set sysroot.readonly true
 +# constellation: setting readonly to false interestingly stops ostree from remounting anything as rw
 +ostree config --repo $rootfs/ostree/repo set sysroot.readonly false
 # enable support for GRUB password
 if [ "${bootloader_backend}" = "none" ]; then
     ostree config --repo $rootfs/ostree/repo set sysroot.bls-append-except-default 'grub_users=""'
 fi
@@ -542,15 +548,16 @@ s390x)
 # enable support for GRUB password
 if [ "${bootloader_backend}" = "none" ]; then
     ostree config --repo $rootfs/ostree/repo set sysroot.bls-append-except-default 'grub_users=""'
 fi
 -touch $rootfs/boot/ignition.firstboot
 +# constellation: do not enable ignition on first boot
 +# touch $rootfs/boot/ignition.firstboot
 # Finally, add the immutable bit to the physical root; we don't
 # expect people to be creating anything there.  A use case for
 # OSTree in general is to support installing *inside* the existing
 # root of a deployed OS, so OSTree doesn't do this by default, but
 # we have no reason not to enable it here.  Administrators should
 # generally expect that state data is in /etc and /var; if anything
 # else is in /sysroot it's probably by accident.
 chattr +i $rootfs
@@ -557,10 +564,21 @@ chattr +i $rootfs
 fstrim -a -v
 # Ensure the filesystem journals are flushed
 -for fs in $rootfs/boot $rootfs; do
 +mount -o remount,ro $rootfs/boot
 +for fs in $rootfs; do
     mount -o remount,ro $fs
     xfs_freeze -f $fs
 done
 umount -R $rootfs
 rmdir $rootfs
 +
 +# setup dm-verity and disable audit logs
 +veritysetup_out=$(veritysetup format "${root_dev}" "${hash_dev}")
 +verity_root_hash=$(echo "${veritysetup_out}" | grep 'Root hash:' | sed --expression='s/Root hash:\s*//g')
 +bootfs_mount=/tmp/boot
 +rm -rf "${bootfs_mount}"
 +mkdir -p "${bootfs_mount}"
 +mount "${disk}${BOOTPN}" "${bootfs_mount}"
 +sed -i -e "s/^options .*/\0 audit=0 verity.sysroot=${verity_root_hash}/g" "${bootfs_mount}/loader.1/entries/ostree-1-fedora-coreos.conf"
 +umount "${bootfs_mount}"
 diff --git a/src/gf-fsck b/src/gf-fsck
 index 2d07eca2a..46c137672 100755
 --- a/src/gf-fsck
 +++ b/src/gf-fsck
@@ -28,7 +28,7 @@ for pt in $partitions; do
 done
 # And fsck the main rootfs
 -root=$(coreos_gf findfs-label root)
 +root=$(coreos_gf findfs-label root_raw)
 coreos_gf debug sh "fsck.xfs -f -n ${root}"
 coreos_gf_shutdown
 diff --git a/src/libguestfish.sh b/src/libguestfish.sh
 index 82cfcf86e..635fb9eaa 100755
 --- a/src/libguestfish.sh
 +++ b/src/libguestfish.sh
@@ -64,7 +64,7 @@ coreos_gf_run_mount() {
         shift
     fi
     coreos_gf_run "$@"
 -    root=$(coreos_gf findfs-label root)
 +    root=$(coreos_gf findfs-label root_raw)
     coreos_gf ${mntarg} "${root}" /
     local boot
     boot=$(coreos_gf findfs-label boot)
 diff --git a/src/vmdeps.txt b/src/vmdeps.txt
 index 6c6045840..ddbece267 100644
 --- a/src/vmdeps.txt
 +++ b/src/vmdeps.txt
@@ -27,5 +27,8 @@ gdisk xfsprogs e2fsprogs dosfstools btrfs-progs
 # needed for basic CA support
 ca-certificates
 tar
 +
 +# dm-verity
 +veritysetup
--- a/README.md
+++ b/README.md
@ -42,7 +42,7 @@ Encrypting your K8s is good for:
 ### 🔍 Everything verifiable
 * "Whole cluster" [attestation][cluster-attestation] based on the remote-attestation feature of CVMs
-* Confidential computing-optimized [node images][images] based on Fedora CoreOS; fully measured and integrity-protected
+* Confidential computing-optimized [node images][images]; fully measured and integrity-protected
 * [Supply chain protection][supply-chain] with [sigstore](https://www.sigstore.dev/)
 ### 🚀 Performance and scale
--- a/bootstrapper/cmd/bootstrapper/main.go
+++ b/bootstrapper/cmd/bootstrapper/main.go
@ -109,7 +109,7 @@ func main() {
 			log.With(zap.Error(err)).Fatalf("Failed to create cloud controller manager")
 		}
 		clusterInitJoiner = kubernetes.New(
-			"gcp", k8sapi.NewKubernetesUtil(), &k8sapi.CoreOSConfiguration{}, kubectl.New(), cloudControllerManager,
+			"gcp", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(), cloudControllerManager,
 			&gcpcloud.CloudNodeManager{}, &gcpcloud.Autoscaler{}, metadata, pcrsJSON, helmClient,
 		)
 		openTPM = vtpm.OpenVTPM
@ -142,7 +142,7 @@ func main() {
 			log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs")
 		}
 		clusterInitJoiner = kubernetes.New(
-			"azure", k8sapi.NewKubernetesUtil(), &k8sapi.CoreOSConfiguration{}, kubectl.New(), azurecloud.NewCloudControllerManager(metadata),
+			"azure", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(), azurecloud.NewCloudControllerManager(metadata),
 			&azurecloud.CloudNodeManager{}, &azurecloud.Autoscaler{}, metadata, pcrsJSON, helmClient,
 		)
@ -163,7 +163,7 @@ func main() {
 			log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs")
 		}
 		clusterInitJoiner = kubernetes.New(
-			"qemu", k8sapi.NewKubernetesUtil(), &k8sapi.CoreOSConfiguration{}, kubectl.New(), &qemucloud.CloudControllerManager{},
+			"qemu", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(), &qemucloud.CloudControllerManager{},
 			&qemucloud.CloudNodeManager{}, &qemucloud.Autoscaler{}, metadata, pcrsJSON, helmClient,
 		)
 		metadataAPI = metadata
--- a/bootstrapper/internal/helm/client.go
+++ b/bootstrapper/internal/helm/client.go
@ -38,7 +38,7 @@ type Client struct {
 // New creates a new client with the given logger.
 func New(log *logger.Logger) (*Client, error) {
 	settings := cli.New()
-	settings.KubeConfig = constants.CoreOSAdminConfFilename
+	settings.KubeConfig = constants.ControlPlaneAdminConfFilename
 	actionConfig := &action.Configuration{}
 	if err := actionConfig.Init(settings.RESTClientGetter(), constants.HelmNamespace,
@ -83,7 +83,7 @@ func (h *Client) installCiliumAzure(ctx context.Context, release helm.Release, k
 }
 func (h *Client) installlCiliumGCP(ctx context.Context, kubectl k8sapi.Client, release helm.Release, nodeName, nodePodCIDR, subnetworkPodCIDR, kubeAPIEndpoint string) error {
-	out, err := exec.CommandContext(ctx, constants.KubectlPath, "--kubeconfig", constants.CoreOSAdminConfFilename, "patch", "node", nodeName, "-p", "{\"spec\":{\"podCIDR\": \""+nodePodCIDR+"\"}}").CombinedOutput()
+	out, err := exec.CommandContext(ctx, constants.KubectlPath, "--kubeconfig", constants.ControlPlaneAdminConfFilename, "patch", "node", nodeName, "-p", "{\"spec\":{\"podCIDR\": \""+nodePodCIDR+"\"}}").CombinedOutput()
 	if err != nil {
 		err = errors.New(string(out))
 		return err
--- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
@ -29,9 +29,9 @@ const (
 	auditPolicyPath = "/etc/kubernetes/audit-policy.yaml"
 )
-type CoreOSConfiguration struct{}
+type KubdeadmConfiguration struct{}
-func (c *CoreOSConfiguration) InitConfiguration(externalCloudProvider bool, k8sVersion versions.ValidK8sVersion) KubeadmInitYAML {
+func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, k8sVersion versions.ValidK8sVersion) KubeadmInitYAML {
 	var cloudProvider string
 	if externalCloudProvider {
 		cloudProvider = "external"
@ -171,7 +171,7 @@ func (c *CoreOSConfiguration) InitConfiguration(externalCloudProvider bool, k8sV
 	}
 }
-func (c *CoreOSConfiguration) JoinConfiguration(externalCloudProvider bool) KubeadmJoinYAML {
+func (c *KubdeadmConfiguration) JoinConfiguration(externalCloudProvider bool) KubeadmJoinYAML {
 	var cloudProvider string
 	if externalCloudProvider {
 		cloudProvider = "external"
--- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config_test.go
@ -22,17 +22,17 @@ func TestMain(m *testing.M) {
 }
 func TestInitConfiguration(t *testing.T) {
-	coreOSConfig := CoreOSConfiguration{}
+	kubeadmConfig := KubdeadmConfiguration{}
 	testCases := map[string]struct {
 		config KubeadmInitYAML
 	}{
-		"CoreOS init config can be created": {
+		"kubeadm init config can be created": {
-			config: coreOSConfig.InitConfiguration(true, versions.Default),
+			config: kubeadmConfig.InitConfiguration(true, versions.Default),
 		},
-		"CoreOS init config with all fields can be created": {
+		"kubeadm init config with all fields can be created": {
 			config: func() KubeadmInitYAML {
-				c := coreOSConfig.InitConfiguration(true, versions.Default)
+				c := kubeadmConfig.InitConfiguration(true, versions.Default)
 				c.SetAPIServerAdvertiseAddress("192.0.2.0")
 				c.SetNodeIP("192.0.2.0")
 				c.SetNodeName("node")
@ -60,7 +60,7 @@ func TestInitConfiguration(t *testing.T) {
 }
 func TestInitConfigurationKubeadmCompatibility(t *testing.T) {
-	coreOSConfig := CoreOSConfiguration{}
+	kubeadmConfig := KubdeadmConfiguration{}
 	testCases := map[string]struct {
 		config          KubeadmInitYAML
@ -68,11 +68,11 @@ func TestInitConfigurationKubeadmCompatibility(t *testing.T) {
 		wantErr         bool
 	}{
 		"Kubeadm accepts version 'Latest'": {
-			config:          coreOSConfig.InitConfiguration(true, versions.Default),
+			config:          kubeadmConfig.InitConfiguration(true, versions.Default),
 			expectedVersion: fmt.Sprintf("v%s", versions.VersionConfigs[versions.Default].PatchVersion),
 		},
 		"Kubeadm receives incompatible version": {
-			config:  coreOSConfig.InitConfiguration(true, "1.19"),
+			config:  kubeadmConfig.InitConfiguration(true, "1.19"),
 			wantErr: true,
 		},
 	}
@ -92,17 +92,17 @@ func TestInitConfigurationKubeadmCompatibility(t *testing.T) {
 }
 func TestJoinConfiguration(t *testing.T) {
-	coreOSConfig := CoreOSConfiguration{}
+	kubdeadmConfig := KubdeadmConfiguration{}
 	testCases := map[string]struct {
 		config KubeadmJoinYAML
 	}{
-		"CoreOS join config can be created": {
+		"kubeadm join config can be created": {
-			config: coreOSConfig.JoinConfiguration(true),
+			config: kubdeadmConfig.JoinConfiguration(true),
 		},
-		"CoreOS join config with all fields can be created": {
+		"kubeadm join config with all fields can be created": {
 			config: func() KubeadmJoinYAML {
-				c := coreOSConfig.JoinConfiguration(true)
+				c := kubdeadmConfig.JoinConfiguration(true)
 				c.SetAPIServerEndpoint("192.0.2.0:6443")
 				c.SetNodeIP("192.0.2.0")
 				c.SetNodeName("node")
--- a/cli/internal/cloudcmd/upgrade.go
+++ b/cli/internal/cloudcmd/upgrade.go
@ -71,7 +71,7 @@ func (u *Upgrader) Upgrade(ctx context.Context, image string, measurements map[u
 // GetCurrentImage returns the currently used image of the cluster.
 func (u *Upgrader) GetCurrentImage(ctx context.Context) (*unstructured.Unstructured, string, error) {
-	imageStruct, err := u.imageUpdater.getCurrent(ctx, "constellation-coreos")
+	imageStruct, err := u.imageUpdater.getCurrent(ctx, "constellation-os")
 	if err != nil {
 		return nil, "", err
 	}
--- a/cli/internal/cmd/upgradeplan.go
+++ b/cli/internal/cmd/upgradeplan.go
@ -307,8 +307,8 @@ type upgradePlanFlags struct {
 }
 type imageManifest struct {
-	AzureImage string `json:"AzureCoreOSImage"`
+	AzureImage string `json:"AzureOSImage"`
-	GCPImage   string `json:"GCPCoreOSImage"`
+	GCPImage   string `json:"GCPOSImage"`
 }
 type nopWriteCloser struct {
--- a/cli/internal/terraform/terraform/qemu/main.tf
+++ b/cli/internal/terraform/terraform/qemu/main.tf
@ -57,7 +57,7 @@ module "control_plane" {
  cidr            = "10.42.1.0/24"
  network_id      = libvirt_network.constellation.id
  pool            = libvirt_pool.cluster.name
-  boot_volume_id  = libvirt_volume.constellation_coreos_image.id
+  boot_volume_id  = libvirt_volume.constellation_os_image.id
  machine         = var.machine
  firmware        = var.firmware
  nvram           = var.nvram
@ -74,7 +74,7 @@ module "worker" {
  cidr            = "10.42.2.0/24"
  network_id      = libvirt_network.constellation.id
  pool            = libvirt_pool.cluster.name
-  boot_volume_id  = libvirt_volume.constellation_coreos_image.id
+  boot_volume_id  = libvirt_volume.constellation_os_image.id
  machine         = var.machine
  firmware        = var.firmware
  nvram           = var.nvram
@ -87,10 +87,10 @@ resource "libvirt_pool" "cluster" {
  path = "/var/lib/libvirt/images"
 }
-resource "libvirt_volume" "constellation_coreos_image" {
+resource "libvirt_volume" "constellation_os_image" {
  name   = "${var.name}-node-image"
  pool   = libvirt_pool.cluster.name
-  source = var.constellation_coreos_image
+  source = var.constellation_os_image
  format = var.image_format
 }
--- a/cli/internal/terraform/terraform/qemu/variables.tf
+++ b/cli/internal/terraform/terraform/qemu/variables.tf
@ -3,7 +3,7 @@ variable "libvirt_uri" {
  description = "libvirt socket uri"
 }
-variable "constellation_coreos_image" {
+variable "constellation_os_image" {
  type        = string
  description = "constellation OS file path"
 }
--- a/cli/internal/terraform/variables.go
+++ b/cli/internal/terraform/variables.go
@ -155,7 +155,7 @@ func (v *QEMUVariables) String() string {
 	b.WriteString(v.CommonVariables.String())
 	writeLinef(b, "libvirt_uri = %q", v.LibvirtURI)
 	writeLinef(b, "libvirt_socket_path = %q", v.LibvirtSocketPath)
-	writeLinef(b, "constellation_coreos_image = %q", v.ImagePath)
+	writeLinef(b, "constellation_os_image = %q", v.ImagePath)
 	writeLinef(b, "image_format = %q", v.ImageFormat)
 	writeLinef(b, "vcpus = %d", v.CPUCount)
 	writeLinef(b, "memory = %d", v.MemorySizeMiB)
--- a/debugd/README.md
+++ b/debugd/README.md
@ -1,7 +1,7 @@
 # debug daemon (debugd)
 Debugd is a tool we built to allow for shorter iteration cycles during development.
-The debugd gets embedded into coreOS images at the place where the bootstrapper normally sits.
+The debugd gets embedded into OS images at the place where the bootstrapper normally sits.
 Therefore, when a debug image is started, the debugd starts executing instead of the bootstrapper.
 The debugd will then wait for a request from the `cdbg` tool to upload a bootstrapper binary.
 Once the upload is finished debugd will start the bootstrapper.
--- a/debugd/internal/cdbg/cmd/root.go
+++ b/debugd/internal/cdbg/cmd/root.go
@ -18,7 +18,7 @@ func newRootCmd() *cobra.Command {
 		Use:   "cdbg",
 		Short: "Constellation debugging client",
 		Long: `cdbg is the constellation debugging client.
-	It connects to CoreOS instances running debugd and deploys a self-compiled version of the bootstrapper.`,
+	It connects to Constellation instances running debugd and deploys a self-compiled version of the bootstrapper.`,
 	}
 	cmd.PersistentFlags().String("config", constants.ConfigFilename, "Constellation config file")
 	cmd.AddCommand(newDeployCmd())
--- a/hack/build-manifest/manifest.go
+++ b/hack/build-manifest/manifest.go
@ -13,8 +13,8 @@ type Manifest struct {
 }
 type Images struct {
-	AzureCoreosImage string `json:"AzureCoreOSImage"`
+	AzureOSImage string `json:"AzureOSImage"`
-	GCPCoreOSImage   string `json:"GCPCoreOSImage"`
+	GCPOSImage   string `json:"GCPOSImage"`
 }
 // OldManifests provides Constellation releases to image mapping. These are the
@ -23,28 +23,28 @@ func OldManifests() Manifest {
 	return Manifest{
 		releases: map[string]Images{
 			"v1.0.0": {
-				AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1651150807",
+				AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1651150807",
-				GCPCoreOSImage:   "constellation-coreos-1651150807",
+				GCPOSImage:   "constellation-coreos-1651150807",
 			},
 			"v1.1.0": {
-				AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654096948",
+				AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654096948",
-				GCPCoreOSImage:   "projects/constellation-images/global/images/constellation-coreos-1654096948",
+				GCPOSImage:   "projects/constellation-images/global/images/constellation-coreos-1654096948",
 			},
 			"v1.2.0": {
-				AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654162332",
+				AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654162332",
-				GCPCoreOSImage:   "projects/constellation-images/global/images/constellation-coreos-1654162332",
+				GCPOSImage:   "projects/constellation-images/global/images/constellation-coreos-1654162332",
 			},
 			"v1.3.0": {
-				AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654162332",
+				AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654162332",
-				GCPCoreOSImage:   "projects/constellation-images/global/images/constellation-coreos-1654162332",
+				GCPOSImage:   "projects/constellation-images/global/images/constellation-coreos-1654162332",
 			},
 			"v1.3.1": {
-				AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1657199013",
+				AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1657199013",
-				GCPCoreOSImage:   "projects/constellation-images/global/images/constellation-coreos-1657199013",
+				GCPOSImage:   "projects/constellation-images/global/images/constellation-coreos-1657199013",
 			},
 			"v1.4.0": {
-				AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699",
+				AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699",
-				GCPCoreOSImage:   "projects/constellation-images/global/images/constellation-coreos-1659453699",
+				GCPOSImage:   "projects/constellation-images/global/images/constellation-coreos-1659453699",
 			},
 		},
 	}
@ -56,20 +56,20 @@ func (m *Manifest) MarshalJSON() ([]byte, error) {
 func (m *Manifest) SetAzureImage(version string, image string) {
 	if release, ok := m.releases[version]; !ok {
-		images := Images{AzureCoreosImage: image}
+		images := Images{AzureOSImage: image}
 		m.releases[version] = images
 	} else {
-		release.AzureCoreosImage = image
+		release.AzureOSImage = image
 		m.releases[version] = release
 	}
 }
 func (m *Manifest) SetGCPImage(version string, image string) {
 	if release, ok := m.releases[version]; !ok {
-		images := Images{GCPCoreOSImage: image}
+		images := Images{GCPOSImage: image}
 		m.releases[version] = images
 	} else {
-		release.GCPCoreOSImage = image
+		release.GCPOSImage = image
 		m.releases[version] = release
 	}
 }
--- a/hack/importAzure.sh
+++ b/hack/importAzure.sh
@ -43,7 +43,7 @@ AZURE_PUBLISHER="${AZURE_PUBLISHER:-edgelesssys}"
 AZURE_IMAGE_NAME="${AZURE_IMAGE_NAME:-upload-target}"
 AZURE_IMAGE_OFFER="${AZURE_IMAGE_OFFER:-constellation}"
 AZURE_IMAGE_DEFINITION="${AZURE_IMAGE_DEFINITION:-constellation}"
-AZURE_SKU="${AZURE_SKU:-constellation-coreos}"
+AZURE_SKU="${AZURE_SKU:-constellation}"
 AZURE_SECURITY_TYPE="${AZURE_SECURITY_TYPE:-TrustedLaunch}"
 if [[ -z "${AZURE_RESOURCE_GROUP_NAME}" ]]; then
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -58,16 +58,16 @@ const (
 	//
 	// Filenames.
 	//
-	ClusterIDsFileName      = "constellation-id.json"
+	ClusterIDsFileName            = "constellation-id.json"
-	ConfigFilename          = "constellation-conf.yaml"
+	ConfigFilename                = "constellation-conf.yaml"
-	LicenseFilename         = "constellation.license"
+	LicenseFilename               = "constellation.license"
-	DebugdConfigFilename    = "cdbg-conf.yaml"
+	DebugdConfigFilename          = "cdbg-conf.yaml"
-	AdminConfFilename       = "constellation-admin.conf"
+	AdminConfFilename             = "constellation-admin.conf"
-	MasterSecretFilename    = "constellation-mastersecret.json"
+	MasterSecretFilename          = "constellation-mastersecret.json"
-	WGQuickConfigFilename   = "wg0.conf"
+	WGQuickConfigFilename         = "wg0.conf"
-	CoreOSAdminConfFilename = "/etc/kubernetes/admin.conf"
+	ControlPlaneAdminConfFilename = "/etc/kubernetes/admin.conf"
-	KubeadmCertificateDir   = "/etc/kubernetes/pki"
+	KubeadmCertificateDir         = "/etc/kubernetes/pki"
-	KubectlPath             = "/run/state/bin/kubectl"
+	KubectlPath                   = "/run/state/bin/kubectl"
 	//
 	// Filenames for Constellation's micro services.
--- a/internal/deploy/ssh/ssh.go
+++ b/internal/deploy/ssh/ssh.go
@ -65,6 +65,7 @@ func (s *Access) GetAuthorizedKeys() []UserKey {
 }
 // DeployAuthorizedKey takes an user & public key pair, creates the user if required and deploy a SSH key for them.
 // TODO: Refactor to not write to /etc or /home.
 func (s *Access) DeployAuthorizedKey(ctx context.Context, sshKey UserKey) error {
 	// allow only one thread to write to authorized keys, create users and update the authorized map at a time
 	s.mux.Lock()
--- a/joinservice/internal/kubeadm/kubeadm.go
+++ b/joinservice/internal/kubeadm/kubeadm.go
@ -85,7 +85,7 @@ func (k *Kubeadm) GetJoinToken(ttl time.Duration) (*kubeadm.BootstrapTokenDiscov
 	// parse Kubernetes CA certs
 	k.log.Infof("Preparing join token for new node")
-	rawConfig, err := k.file.Read(constants.CoreOSAdminConfFilename)
+	rawConfig, err := k.file.Read(constants.ControlPlaneAdminConfFilename)
 	if err != nil {
 		return nil, fmt.Errorf("loading kubeconfig file: %w", err)
 	}
--- a/joinservice/internal/kubeadm/kubeadm_test.go
+++ b/joinservice/internal/kubeadm/kubeadm_test.go
@ -90,7 +90,7 @@ kind: Config`,
 				client: fake.NewSimpleClientset(),
 			}
 			if tc.adminConf != "" {
-				require.NoError(client.file.Write(constants.CoreOSAdminConfFilename, []byte(tc.adminConf), file.OptNone))
+				require.NoError(client.file.Write(constants.ControlPlaneAdminConfFilename, []byte(tc.adminConf), file.OptNone))
 			}
 			res, err := client.GetJoinToken(time.Minute)
--- a/operators/constellation-node-operator/README.md
+++ b/operators/constellation-node-operator/README.md
@ -24,7 +24,7 @@ Example for GCP:
 apiVersion: update.edgeless.systems/v1alpha1
 kind: NodeImage
 metadata:
-  name: constellation-coreos
+  name: constellation-os
 spec:
  image: "projects/constellation-images/global/images/<image-name>"
 ```
@ -34,7 +34,7 @@ Example for Azure:
 apiVersion: update.edgeless.systems/v1alpha1
 kind: NodeImage
 metadata:
-  name: constellation-coreos
+  name: constellation-os
 spec:
  image: "/subscriptions/<subscription-id>/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/<image-definition-name>/versions/<image-version>"
 ```
@ -70,7 +70,7 @@ kind: ScalingGroup
 metadata:
  name: scalinggroup-worker
 spec:
-  nodeImage: "constellation-coreos"
+  nodeImage: "constellation-os"
  groupId: "projects/<project-id>/zones/<zone>/instanceGroupManagers/<instance-group-name>"
  autoscaling: true
 ```
@ -83,7 +83,7 @@ kind: ScalingGroup
 metadata:
  name: scalinggroup-worker
 spec:
-  nodeImage: "constellation-coreos"
+  nodeImage: "constellation-os"
  groupId: "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/virtualMachineScaleSets/<scale-set-name>"
  autoscaling: true
 ```
--- a/operators/constellation-node-operator/config/samples/update_v1alpha1_nodeimage.yaml
+++ b/operators/constellation-node-operator/config/samples/update_v1alpha1_nodeimage.yaml
@ -1,7 +1,7 @@
 apiVersion: update.edgeless.systems/v1alpha1
 kind: NodeImage
 metadata:
-  name: constellation-coreos-azure
+  name: constellation-os-azure
  namespace: kube-system
 spec:
  image: "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/galleries/<gallery-name>/images/<image-definition-name>/versions/<version>"
@ -9,7 +9,7 @@ spec:
 apiVersion: update.edgeless.systems/v1alpha1
 kind: NodeImage
 metadata:
-  name: constellation-coreos-gcp
+  name: constellation-os-gcp
  namespace: kube-system
 spec:
  image: projects/<project>/global/images/<image-name>
--- a/operators/constellation-node-operator/config/samples/update_v1alpha1_scalinggroup.yaml
+++ b/operators/constellation-node-operator/config/samples/update_v1alpha1_scalinggroup.yaml
@ -4,7 +4,7 @@ metadata:
  name: scalinggroup-worker-azure
  namespace: kube-system
 spec:
-  nodeImage: "constellation-coreos-azure"
+  nodeImage: "constellation-os-azure"
  groupId: "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/virtualMachineScaleSets/<scale-set-name>"
  autoscaling: true
 ---
@ -14,6 +14,6 @@ metadata:
  name: scalinggroup-worker-gcp
  namespace: kube-system
 spec:
-  nodeImage: "constellation-coreos-gcp"
+  nodeImage: "constellation-os-gcp"
  groupId: "projects/<project>/zones/<zone>/instanceGroupManagers/<instance-group-name>"
  autoscaling: true
--- a/operators/constellation-node-operator/internal/constants/constants.go
+++ b/operators/constellation-node-operator/internal/constants/constants.go
@ -8,7 +8,7 @@ package constants
 const (
 	AutoscalingStrategyResourceName      = "autoscalingstrategy"
-	NodeImageResourceName                = "constellation-coreos"
+	NodeImageResourceName                = "constellation-os"
 	ControlPlaneScalingGroupResourceName = "scalinggroup-controlplane"
 	WorkerScalingGroupResourceName       = "scalinggroup-worker"
 )