From fb4d75542058f462b0994d14f67c5c113d7aa210 Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Thu, 6 Feb 2025 14:38:05 +0100 Subject: [PATCH 01/14] feat: use bootstrapped packages for building Talos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update tools, pkgs and extras to use fully bootstrapped [Stageˣ]-derived toolchain for building Talos and its dependencies. This brings in changes related to root being usrmerged now, so some paths have changed. Extras have been cleaned up: use only the needed package. Addresses: #10187 Signed-off-by: Dmitry Sharshakov --- Dockerfile | 157 +++++++++--------- Makefile | 10 +- hack/cleanup.sh | 13 +- hack/labeled-squashfs.sh | 4 +- .../k8s/templates/kube-proxy-template.yaml | 2 +- .../machined/pkg/system/services/kubelet.go | 2 +- internal/integration/api/extensions_qemu.go | 16 +- internal/integration/base/api.go | 2 +- internal/pkg/extensions/compress.go | 4 +- internal/pkg/selinux/policy/file_contexts | 23 ++- internal/pkg/selinux/policy/policy.33 | Bin 27068 -> 27067 bytes .../policy/selinux/services/machined.cil | 18 +- .../selinux/services/system-containerd.cil | 6 +- .../selinux/policy/selinux/services/udev.cil | 5 +- pkg/machinery/constants/constants.go | 4 +- pkg/machinery/extensions/extensions.go | 10 +- pkg/machinery/gendata/data/extras | 2 +- pkg/machinery/gendata/data/pkgs | 2 +- .../vm/internal/ipxe/data/ipxe/amd64/snp.efi | Bin 256000 -> 256000 bytes .../vm/internal/ipxe/data/ipxe/arm64/snp.efi | Bin 282112 -> 282112 bytes .../advanced/proprietary-kernel-modules.md | 2 +- 21 files changed, 135 insertions(+), 147 deletions(-) diff --git a/Dockerfile b/Dockerfile index 210cad4189..c231291e4a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -44,7 +44,7 @@ ARG PKG_KMOD=scratch ARG PKG_KERNEL=scratch ARG PKG_CNI=scratch ARG PKG_FLANNEL_CNI=scratch -ARG PKG_TALOSCTL_CNI_BUNDLE_INSTALL=scratch +ARG PKG_TALOSCTL_CNI_BUNDLE=scratch ARG DEBUG_TOOLS_SOURCE=scratch 
@@ -164,18 +164,18 @@ FROM scratch AS pkg-debug-tools-scratch-amd64 FROM scratch AS pkg-debug-tools-scratch-arm64 FROM scratch AS pkg-debug-tools-bash-minimal-amd64 -COPY --from=tools-amd64 /toolchain/bin/bash /toolchain/bin/bash -COPY --from=tools-amd64 /toolchain/lib/ld-musl-x86_64.so.1 /toolchain/toolchain/lib/ld-musl-x86_64.so.1 -COPY --from=tools-amd64 /toolchain/bin/cat /toolchain/bin/cat -COPY --from=tools-amd64 /toolchain/bin/ls /toolchain/bin/ls -COPY --from=tools-amd64 /toolchain/bin/tee /toolchain/bin/tee +COPY --from=tools-amd64 /bin/bash /bin/bash +COPY --from=tools-amd64 /usr/lib/ld-musl-x86_64.so.1 /usr/lib/ld-musl-x86_64.so.1 +COPY --from=tools-amd64 /bin/cat /bin/cat +COPY --from=tools-amd64 /bin/ls /bin/ls +COPY --from=tools-amd64 /bin/tee /bin/tee FROM scratch AS pkg-debug-tools-bash-minimal-arm64 -COPY --from=tools-arm64 /toolchain/bin/bash /toolchain/bin/bash -COPY --from=tools-arm64 /toolchain/lib/ld-musl-aarch64.so.1 /toolchain/toolchain/lib/ld-musl-aarch64.so.1 -COPY --from=tools-arm64 /toolchain/bin/cat /toolchain/bin/cat -COPY --from=tools-arm64 /toolchain/bin/ls /toolchain/bin/ls -COPY --from=tools-arm64 /toolchain/bin/tee /toolchain/bin/tee +COPY --from=tools-arm64 /bin/bash /bin/bash +COPY --from=tools-arm64 /usr/lib/ld-musl-aarch64.so.1 /usr/lib/ld-musl-aarch64.so.1 +COPY --from=tools-arm64 /bin/cat /bin/cat +COPY --from=tools-arm64 /bin/ls /bin/ls +COPY --from=tools-arm64 /bin/tee /bin/tee FROM pkg-debug-tools-${DEBUG_TOOLS_SOURCE}-amd64 AS pkg-debug-tools-amd64 FROM pkg-debug-tools-${DEBUG_TOOLS_SOURCE}-arm64 AS pkg-debug-tools-arm64 
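Review bot: The new `COPY --from=tools-amd64 /usr/lib/ld-musl-x86_64.so.1 /usr/lib/ld-musl-x86_64.so.1` only helps if that is the interpreter path embedded in the copied bash; musl binaries typically carry `/lib/ld-musl-x86_64.so.1` as PT_INTERP, and this stage is `FROM scratch`, so nothing here provides a `/lib` entry. That presumably works because the usrmerged rootfs this overlay lands in supplies `/lib -> usr/lib`, but the dependency is invisible, so pin it with a comment such as `# bash resolves its loader via /lib/ld-musl-*.so.1; the usrmerged rootfs provides /lib -> usr/lib`. A `readelf -l bash | grep interpreter` check against the tools image in CI would catch a toolchain bump that changes the path. The same applies to the arm64 stage in this hunk.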
@@ -198,72 +198,67 @@ COPY --from=pkg-cni-arm64 /opt/cni/bin/portmap /opt/cni/bin/portmap # Resolve package images using ${EXTRAS} to be used later in COPY --from=. -FROM ${PKG_TALOSCTL_CNI_BUNDLE_INSTALL} AS extras-talosctl-cni-bundle-install +FROM ${PKG_TALOSCTL_CNI_BUNDLE} AS extras-talosctl-cni-bundle # The tools target provides base toolchain for the build. FROM --platform=${BUILDPLATFORM} $TOOLS AS tools -ENV PATH=/toolchain/bin:/toolchain/go/bin -ENV LD_LIBRARY_PATH=/toolchain/lib ENV GOTOOLCHAIN=local ENV CGO_ENABLED=0 -RUN ["/toolchain/bin/mkdir", "/bin", "/tmp"] -RUN ["/toolchain/bin/ln", "-svf", "/toolchain/bin/bash", "/bin/sh"] -RUN ["/toolchain/bin/ln", "-svf", "/toolchain/etc/ssl", "/etc/ssl"] +SHELL ["/bin/bash", "-c"] ARG GOLANGCILINT_VERSION RUN --mount=type=cache,target=/.cache go install github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCILINT_VERSION} \ - && mv /go/bin/golangci-lint /toolchain/go/bin/golangci-lint + && mv /root/go/bin/golangci-lint /usr/bin/golangci-lint ARG GOIMPORTS_VERSION RUN --mount=type=cache,target=/.cache go install golang.org/x/tools/cmd/goimports@${GOIMPORTS_VERSION} \ - && mv /go/bin/goimports /toolchain/go/bin/goimports + && mv /root/go/bin/goimports /usr/bin/goimports ARG GOFUMPT_VERSION RUN --mount=type=cache,target=/.cache go install mvdan.cc/gofumpt@${GOFUMPT_VERSION} \ - && mv /go/bin/gofumpt /toolchain/go/bin/gofumpt + && mv /root/go/bin/gofumpt /usr/bin/gofumpt ARG DEEPCOPY_VERSION RUN --mount=type=cache,target=/.cache go install github.com/siderolabs/deep-copy@${DEEPCOPY_VERSION} \ - && mv /go/bin/deep-copy /toolchain/go/bin/deep-copy + && mv /root/go/bin/deep-copy /usr/bin/deep-copy ARG STRINGER_VERSION RUN --mount=type=cache,target=/.cache go install golang.org/x/tools/cmd/stringer@${STRINGER_VERSION} \ - && mv /go/bin/stringer /toolchain/go/bin/stringer + && mv /root/go/bin/stringer /usr/bin/stringer ARG ENUMER_VERSION RUN --mount=type=cache,target=/.cache go install 
github.com/dmarkham/enumer@${ENUMER_VERSION} \ - && mv /go/bin/enumer /toolchain/go/bin/enumer + && mv /root/go/bin/enumer /usr/bin/enumer ARG DEEPCOPY_GEN_VERSION RUN --mount=type=cache,target=/.cache go install k8s.io/code-generator/cmd/deepcopy-gen@${DEEPCOPY_GEN_VERSION} \ - && mv /go/bin/deepcopy-gen /toolchain/go/bin/deepcopy-gen + && mv /root/go/bin/deepcopy-gen /usr/bin/deepcopy-gen ARG VTPROTOBUF_VERSION RUN --mount=type=cache,target=/.cache go install github.com/planetscale/vtprotobuf/cmd/protoc-gen-go-vtproto@${VTPROTOBUF_VERSION} \ - && mv /go/bin/protoc-gen-go-vtproto /toolchain/go/bin/protoc-gen-go-vtproto + && mv /root/go/bin/protoc-gen-go-vtproto /usr/bin/protoc-gen-go-vtproto ARG IMPORTVET_VERSION RUN --mount=type=cache,target=/.cache go install github.com/siderolabs/importvet/cmd/importvet@${IMPORTVET_VERSION} \ - && mv /go/bin/importvet /toolchain/go/bin/importvet + && mv /root/go/bin/importvet /usr/bin/importvet RUN --mount=type=cache,target=/.cache go install golang.org/x/vuln/cmd/govulncheck@latest \ - && mv /go/bin/govulncheck /toolchain/go/bin/govulncheck + && mv /root/go/bin/govulncheck /usr/bin/govulncheck ARG PROTOTOOL_VERSION RUN --mount=type=cache,target=/.cache go install github.com/uber/prototool/cmd/prototool@${PROTOTOOL_VERSION} \ - && mv /go/bin/prototool /toolchain/go/bin/prototool + && mv /root/go/bin/prototool /usr/bin/prototool ARG PROTOC_GEN_DOC_VERSION RUN --mount=type=cache,target=/.cache go install github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc@${PROTOC_GEN_DOC_VERSION} \ - && mv /go/bin/protoc-gen-doc /toolchain/go/bin/protoc-gen-doc + && mv /root/go/bin/protoc-gen-doc /usr/bin/protoc-gen-doc COPY ./hack/docgen /go/src/github.com/siderolabs/talos-hack-docgen RUN --mount=type=cache,target=/.cache cd /go/src/github.com/siderolabs/talos-hack-docgen \ && go build -o docgen . 
\ - && mv docgen /toolchain/go/bin/ + && mv docgen /usr/bin/ COPY ./hack/gotagsrewrite /go/src/github.com/siderolabs/gotagsrewrite RUN --mount=type=cache,target=/.cache cd /go/src/github.com/siderolabs/gotagsrewrite \ && go build -o gotagsrewrite . \ - && mv gotagsrewrite /toolchain/go/bin/ + && mv gotagsrewrite /usr/bin/ COPY ./hack/structprotogen /go/src/github.com/siderolabs/structprotogen RUN --mount=type=cache,target=/.cache cd /go/src/github.com/siderolabs/structprotogen \ && go build -o structprotogen . \ - && mv structprotogen /toolchain/go/bin/ + && mv structprotogen /usr/bin/ # The build target creates a container that will be used to build Talos source # code. FROM --platform=${BUILDPLATFORM} tools AS build -SHELL ["/toolchain/bin/bash", "-c"] -ENV PATH=/toolchain/bin:/toolchain/go/bin +SHELL ["/bin/bash", "-c"] ENV GO111MODULE=on ENV GOPROXY=https://proxy.golang.org ARG CGO_ENABLED @@ -329,8 +324,8 @@ FROM ${EMBED_TARGET} AS embed-target FROM build AS api-descriptors-build WORKDIR /src/api COPY api . -RUN --mount=type=cache,target=/.cache prototool format --overwrite --protoc-bin-path=/toolchain/bin/protoc --protoc-wkt-path=/toolchain/include -RUN --mount=type=cache,target=/.cache prototool break descriptor-set --output-path=api.descriptors --protoc-bin-path=/toolchain/bin/protoc --protoc-wkt-path=/toolchain/include +RUN --mount=type=cache,target=/.cache prototool format --overwrite --protoc-bin-path=/usr/bin/protoc --protoc-wkt-path=/usr/include +RUN --mount=type=cache,target=/.cache prototool break descriptor-set --output-path=api.descriptors --protoc-bin-path=/usr/bin/protoc --protoc-wkt-path=/usr/include FROM --platform=${BUILDPLATFORM} scratch AS api-descriptors COPY --from=api-descriptors-build /src/api/api.descriptors /api/api.descriptors 
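Review bot: Every `mv /root/go/bin/<tool> /usr/bin/<tool>` in the `tools` stage now writes into the same directory as the bootstrapped toolchain's own binaries, so a name collision (now or after a toolchain bump) silently replaces a toolchain file, whereas the removed layout kept Go-installed tools apart in `/toolchain/go/bin`. Setting `ENV GOBIN=/usr/local/bin` and `ENV PATH=/usr/local/bin:${PATH}` once in `tools` lets `go install` place the tools directly and removes all the `&& mv …` tails. `SHELL ["/bin/bash", "-c"]` is set in `tools` and again in `build`, which is `FROM tools` and inherits it, so one of the two is redundant. While these lines are being touched, the context line `go install golang.org/x/vuln/cmd/govulncheck@latest` is the only unpinned install in the stage and undercuts the reproducibility this bootstrapped toolchain is meant to bring; pin it with a `GOVULNCHECK_VERSION` build arg like its neighbours.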
@@ -339,7 +334,7 @@ COPY --from=api-descriptors-build /src/api/api.descriptors /api/api.descriptors FROM build AS proto-format-build WORKDIR /src/api COPY api . -RUN --mount=type=cache,target=/.cache prototool format --overwrite --protoc-bin-path=/toolchain/bin/protoc --protoc-wkt-path=/toolchain/include +RUN --mount=type=cache,target=/.cache prototool format --overwrite --protoc-bin-path=/usr/bin/protoc --protoc-wkt-path=/usr/include FROM --platform=${BUILDPLATFORM} scratch AS fmt-protobuf COPY --from=proto-format-build /src/api/ /api/ @@ -650,36 +645,36 @@ COPY --from=pkg-sd-boot /*.efi.stub /sd-stub-${TARGETARCH}.efi FROM tools AS depmod-amd64 WORKDIR /staging COPY hack/modules-amd64.txt . -COPY --from=pkg-kernel-amd64 /lib/modules lib/modules +COPY --from=pkg-kernel-amd64 /usr/lib/modules usr/lib/modules RUN < /rootfs/usr/etc/in-container -RUN rm -rf /rootfs/lib/modules/* +RUN rm -rf /rootfs/usr/lib/modules/* RUN find /rootfs -print0 \ | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" @@ -848,7 +843,6 @@ RUN find /rootfs -print0 \ | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" COPY --from=selinux-generate /policy/file_contexts /file_contexts COPY ./hack/labeled-squashfs.sh / -ENV SHELL=/toolchain/bin/bash RUN fakeroot /labeled-squashfs.sh /rootfs /rootfs.sqsh /file_contexts ${ZSTD_COMPRESSION_LEVEL} FROM rootfs-base-amd64 AS rootfs-squashfs-amd64 @@ -857,7 +851,6 @@ RUN find /rootfs -print0 \ | xargs -0r touch --no-dereference --date="@${SOURCE_DATE_EPOCH}" COPY --from=selinux-generate /policy/file_contexts /file_contexts COPY ./hack/labeled-squashfs.sh / -ENV SHELL=/toolchain/bin/bash RUN fakeroot /labeled-squashfs.sh /rootfs /rootfs.sqsh /file_contexts ${ZSTD_COMPRESSION_LEVEL} FROM scratch AS squashfs-arm64 
@@ -1106,8 +1099,8 @@ RUN --mount=type=cache,target=/.cache importvet github.com/siderolabs/talos/... FROM base AS lint-protobuf WORKDIR /src/api COPY api . -RUN --mount=type=cache,target=/.cache prototool lint --protoc-bin-path=/toolchain/bin/protoc --protoc-wkt-path=/toolchain/include -RUN --mount=type=cache,target=/.cache prototool break check --descriptor-set-path=api.descriptors --protoc-bin-path=/toolchain/bin/protoc --protoc-wkt-path=/toolchain/include +RUN --mount=type=cache,target=/.cache prototool lint --protoc-bin-path=/usr/bin/protoc --protoc-wkt-path=/usr/include +RUN --mount=type=cache,target=/.cache prototool break check --descriptor-set-path=api.descriptors --protoc-bin-path=/usr/bin/protoc --protoc-wkt-path=/usr/include # The markdownlint target performs linting on Markdown files. @@ -1187,13 +1180,13 @@ COPY --from=proto-docs-build /tmp/api.md /website/content/v1.10/reference/ FROM scratch AS talosctl-cni-bundle ARG TARGETARCH -COPY --from=extras-talosctl-cni-bundle-install /opt/cni/bin/ /talosctl-cni-bundle-${TARGETARCH}/ +COPY --from=extras-talosctl-cni-bundle /opt/cni/bin/ /talosctl-cni-bundle-${TARGETARCH}/ # The go-mod-outdated target lists all outdated modules. FROM base AS go-mod-outdated RUN --mount=type=cache,target=/.cache go install github.com/psampaz/go-mod-outdated@latest \ - && mv /go/bin/go-mod-outdated /toolchain/go/bin/go-mod-outdated + && mv /root/go/bin/go-mod-outdated /usr/bin/go-mod-outdated COPY ./hack/cloud-image-uploader ./hack/cloud-image-uploader COPY ./hack/docgen ./hack/docgen COPY ./hack/gotagsrewrite ./hack/gotagsrewrite diff --git a/Makefile b/Makefile index 1d4cfb2555..b399d820a4 100644 --- a/Makefile +++ b/Makefile 
@@ -17,14 +17,14 @@ ZSTD_COMPRESSION_LEVEL ?= 18 CI_RELEASE_TAG := $(shell git log --oneline --format=%B -n 1 HEAD^2 -- 2>/dev/null | head -n 1 | sed -r "/^release\(.*\)/ s/^release\((.*)\):.*$$/\\1/; t; Q") ARTIFACTS := _out -TOOLS ?= ghcr.io/siderolabs/tools:v1.10.0-alpha.0-7-g7200845 +TOOLS ?= ghcr.io/siderolabs/tools:v1.10.0-alpha.0-10-g9db33dd DEBUG_TOOLS_SOURCE := scratch EMBED_TARGET ?= embed PKGS_PREFIX ?= ghcr.io/siderolabs -PKGS ?= v1.10.0-alpha.0-34-g5763e3e -EXTRAS ?= v1.10.0-alpha.0-2-gf4a110f +PKGS ?= v1.10.0-alpha.0-35-g85f8901 +EXTRAS ?= v1.10.0-alpha.0-3-g4102a78 KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest CONFORMANCE_IMAGE ?= ghcr.io/siderolabs/conform:latest @@ -64,7 +64,7 @@ PKG_KMOD ?= $(PKGS_PREFIX)/kmod:$(PKGS) PKG_CNI ?= $(PKGS_PREFIX)/cni:$(PKGS) PKG_FLANNEL_CNI ?= $(PKGS_PREFIX)/flannel-cni:$(PKGS) PKG_KERNEL ?= $(PKGS_PREFIX)/kernel:$(PKGS) -PKG_TALOSCTL_CNI_BUNDLE_INSTALL ?= $(PKGS_PREFIX)/talosctl-cni-bundle-install:$(EXTRAS) +PKG_TALOSCTL_CNI_BUNDLE ?= $(PKGS_PREFIX)/talosctl-cni-bundle:$(EXTRAS) # renovate: datasource=github-tags depName=golang/go GO_VERSION ?= 1.23 @@ -267,7 +267,7 @@ COMMON_ARGS += --build-arg=PKG_RASPBERYPI_FIRMWARE=$(PKG_RASPBERYPI_FIRMWARE) COMMON_ARGS += --build-arg=PKG_CNI=$(PKG_CNI) COMMON_ARGS += --build-arg=PKG_FLANNEL_CNI=$(PKG_FLANNEL_CNI) COMMON_ARGS += --build-arg=PKG_KERNEL=$(PKG_KERNEL) -COMMON_ARGS += --build-arg=PKG_TALOSCTL_CNI_BUNDLE_INSTALL=$(PKG_TALOSCTL_CNI_BUNDLE_INSTALL) +COMMON_ARGS += --build-arg=PKG_TALOSCTL_CNI_BUNDLE=$(PKG_TALOSCTL_CNI_BUNDLE) COMMON_ARGS += --build-arg=ABBREV_TAG=$(ABBREV_TAG) COMMON_ARGS += --build-arg=ZSTD_COMPRESSION_LEVEL=$(ZSTD_COMPRESSION_LEVEL) COMMON_ARGS += --build-arg=MICROSOFT_SECUREBOOT_RELEASE=$(MICROSOFT_SECUREBOOT_RELEASE) diff --git a/hack/cleanup.sh b/hack/cleanup.sh index f74cedaa85..b401f91c60 100755 --- a/hack/cleanup.sh +++ b/hack/cleanup.sh 
@@ -1,7 +1,4 @@ -#!/toolchain/bin/bash - -export PATH=/toolchain/bin - +#!/bin/bash PREFIX="${1}" function remove_symlinks() { @@ -25,16 +22,16 @@ find ${PREFIX} -type f -name \*.la -delete find ${PREFIX} -type f \( -name \*.static -o -name \*.o \) -delete # Strip debug symbols from all libraries and binaries. find ${PREFIX}/{lib,usr/lib} -type f \( -name \*.so* -a ! -name \*dbg \) -exec strip --strip-unneeded {} ';' || true -find ${PREFIX}/{bin,sbin,usr/bin,usr/sbin} -type f -exec strip --strip-all {} ';' || true +find ${PREFIX}/{usr/bin,usr/sbin} -type f -exec strip --strip-all {} ';' || true # Remove header files, man files, and any other non-runtime dependencies. -rm -rf ${PREFIX}/{lib,usr/lib}/pkgconfig/ \ +rm -rf ${PREFIX}/usr/lib/pkgconfig/ \ ${PREFIX}/{include,usr/include}/* \ ${PREFIX}/{share,usr/share}/* \ ${PREFIX}/usr/lib/cmake \ - ${PREFIX}/lib/gconv/ \ + ${PREFIX}/usr/lib/gconv/ \ ${PREFIX}/usr/libexec/getconf \ ${PREFIX}/var/db # Remove contents of /usr/bin except for udevadm -find ${PREFIX}/usr/bin \( -type f -o -type l \) ! -name udevadm -delete +# find ${PREFIX}/usr/bin \( -type f -o -type l \) ! -name udevadm -delete diff --git a/hack/labeled-squashfs.sh b/hack/labeled-squashfs.sh index cd1290ad9b..198b3b4b9e 100755 --- a/hack/labeled-squashfs.sh +++ b/hack/labeled-squashfs.sh @@ -1,6 +1,6 @@ -#!/toolchain/bin/bash +#!/bin/bash set -e # set SELinux labels for files according to file_contexts supplied -/toolchain/sbin/setfiles -r $1 -F -vv $3 $1 +/sbin/setfiles -r $1 -F -vv $3 $1 mksquashfs $1 $2 -all-root -noappend -comp zstd -Xcompression-level $4 -no-progress diff --git a/internal/app/machined/pkg/controllers/k8s/templates/kube-proxy-template.yaml b/internal/app/machined/pkg/controllers/k8s/templates/kube-proxy-template.yaml index f42e0d73ac..ba03cef8f5 100644 --- a/internal/app/machined/pkg/controllers/k8s/templates/kube-proxy-template.yaml +++ b/internal/app/machined/pkg/controllers/k8s/templates/kube-proxy-template.yaml 
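Review bot: The last line replaces the `find ${PREFIX}/usr/bin … ! -name udevadm -delete` prune with a commented-out copy rather than deleting it, leaving dead code and no explanation of why `/usr/bin` must no longer be pruned. With the rootfs usrmerged (the `strip --strip-all` line above no longer treats `bin`/`sbin` separately) `/usr/bin` is the directory that holds every shipped binary, so say that instead, e.g. `# /usr/bin is the merged binary directory now (usrmerge); it must not be pruned.` Everything the old command removed from `/usr/bin` besides udevadm now stays in the image, which widens the rootfs contents; the resulting `/usr/bin` listing is worth checking once against expectations.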
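Review bot: `/sbin/setfiles -r $1 -F -vv $3 $1` keeps the positional parameters unquoted, so a rootfs path with whitespace silently changes what gets labeled, and it is the one place in this patch that still addresses a binary through `/sbin` while everything else moves to `/usr/sbin`. Suggest `/usr/sbin/setfiles -r "$1" -F -vv "$3" "$1"` and `mksquashfs "$1" "$2" -all-root -noappend -comp zstd -Xcompression-level "$4" -no-progress`, or rely on PATH as `cleanup.sh` now does. Because this script produces the SELinux labels baked into the squashfs (the Dockerfile runs it as `fakeroot /labeled-squashfs.sh /rootfs /rootfs.sqsh /file_contexts …`), a mislabel here becomes a policy gap at runtime, so `set -e` plus quoting is cheap insurance.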
@@ -57,7 +57,7 @@ spec: volumes: - name: lib-modules hostPath: - path: /lib/modules + path: /usr/lib/modules - name: ssl-certs-host hostPath: path: /etc/ssl/certs
diff --git a/internal/app/machined/pkg/system/services/kubelet.go b/internal/app/machined/pkg/system/services/kubelet.go
index 4f5a9ed599..1ab55fb8d9 100644
--- a/internal/app/machined/pkg/system/services/kubelet.go
+++ b/internal/app/machined/pkg/system/services/kubelet.go
@@ -129,7 +129,7 @@ func (k *Kubelet) Runner(r runtime.Runtime) (runner.Runner, error) {
 {Type: "bind", Destination: "/dev", Source: "/dev", Options: []string{"rbind", "rshared", "rw"}},
 {Type: "sysfs", Destination: "/sys", Source: "/sys", Options: []string{"bind", "ro"}},
 {Type: "bind", Destination: constants.CgroupMountPath, Source: constants.CgroupMountPath, Options: []string{"rbind", "rshared", "rw"}},
- {Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "ro"}},
+ {Type: "bind", Destination: "/usr/lib/modules", Source: "/usr/lib/modules", Options: []string{"bind", "ro"}},
 {Type: "bind", Destination: "/etc/kubernetes", Source: "/etc/kubernetes", Options: []string{"bind", "rshared", "rw"}},
 {Type: "bind", Destination: constants.KubeletCredentialProviderBinDir, Source: constants.KubeletCredentialProviderBinDir, Options: []string{"bind", "ro"}},
 {Type: "bind", Destination: "/etc/nfsmount.conf", Source: "/etc/nfsmount.conf", Options: []string{"bind", "ro"}},
diff --git a/internal/integration/api/extensions_qemu.go b/internal/integration/api/extensions_qemu.go
index 25da2aa70b..20091740b6 100644
--- a/internal/integration/api/extensions_qemu.go
+++ b/internal/integration/api/extensions_qemu.go
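Review bot: The hostPath switch to `/usr/lib/modules` ships cluster-wide through the kube-proxy DaemonSet, so during a rolling upgrade it also lands on nodes still running a pre-usrmerge Talos; if those nodes have no `/usr/lib/modules`, the volume (which declares no `type:`) is mounted without validation instead of failing the pod. Either keep `path: /lib/modules` here for a release (the usrmerged rootfs presumably still resolves it through the `/lib` symlink), or add `type: Directory` under `hostPath` so a node lacking the path fails visibly. Worth a sentence in the upgrade notes either way.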
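Review bot: The new bind mount hardcodes `"/usr/lib/modules"` twice while this same patch updates `constants.KernelModulesPath` to that value and the neighbouring entries already use `constants.CgroupMountPath`; use the constant so the path cannot drift again: `{Type: "bind", Destination: constants.KernelModulesPath, Source: constants.KernelModulesPath, Options: []string{"bind", "ro"}},`. Note that the destination inside the kubelet container moved too — if the kubelet image is not itself usrmerged, anything in it that looks up `/lib/modules/$(uname -r)` will no longer see the modules, so keeping `Destination: "/lib/modules"` (or mounting both) may be safer; confirm against the image. `Runner` continues outside the hunk.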
@@ -68,14 +68,14 @@ func (suite *ExtensionsSuiteQEMU) TearDownTest() {
 // TestExtensionsExpectedPaths verifies expected paths are present.
 func (suite *ExtensionsSuiteQEMU) TestExtensionsExpectedPaths() {
 expectedPaths := []string{
- "/lib/firmware/amdgpu",
- "/lib/firmware/amd-ucode",
- "/lib/firmware/bnx2x",
- "/lib/firmware/cxgb3",
- "/lib/firmware/cxgb4/configs",
- "/lib/firmware/i915",
- "/lib/firmware/intel/ice/ddp",
- "/lib/firmware/intel-ucode",
+ "/usr/lib/firmware/amdgpu",
+ "/usr/lib/firmware/amd-ucode",
+ "/usr/lib/firmware/bnx2x",
+ "/usr/lib/firmware/cxgb3",
+ "/usr/lib/firmware/cxgb4/configs",
+ "/usr/lib/firmware/i915",
+ "/usr/lib/firmware/intel/ice/ddp",
+ "/usr/lib/firmware/intel-ucode",
 } node := suite.RandomDiscoveredNodeInternalIP(machine.TypeWorker)
diff --git a/internal/integration/base/api.go b/internal/integration/base/api.go
index 5369a274cd..a86c47bce7 100644
--- a/internal/integration/base/api.go
+++ b/internal/integration/base/api.go
@@ -538,7 +538,7 @@ func (apiSuite *APISuite) AssertExpectedModules(ctx context.Context, node string
 apiSuite.Require().NoError(scanner.Err())
- fileReader, err = apiSuite.Client.Read(nodeCtx, fmt.Sprintf("/lib/modules/%s/modules.dep", constants.DefaultKernelVersion))
+ fileReader, err = apiSuite.Client.Read(nodeCtx, fmt.Sprintf("/usr/lib/modules/%s/modules.dep", constants.DefaultKernelVersion))
 apiSuite.Require().NoError(err) defer func() {
diff --git a/internal/pkg/extensions/compress.go b/internal/pkg/extensions/compress.go
index 0988ce9cfe..2707792430 100644
--- a/internal/pkg/extensions/compress.go
+++ b/internal/pkg/extensions/compress.go
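Review bot: `fmt.Sprintf("/usr/lib/modules/%s/modules.dep", constants.DefaultKernelVersion)` re-hardcodes the modules directory that this patch centralises in `constants.KernelModulesPath`; prefer `filepath.Join(constants.KernelModulesPath, constants.DefaultKernelVersion, "modules.dep")` so the integration test follows the constant (`path/filepath` may need importing if it is not already). The literal `/usr/lib/firmware/...` list in the `extensions_qemu.go` hunk above has the same shape and could build on `constants.FirmwarePath`. `AssertExpectedModules` starts and ends outside the hunk.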
@@ -26,8 +26,8 @@ import (
 var earlyCPUUcode = []struct {
 glob, dst string
 }{
- {"/lib/firmware/intel-ucode/*", "kernel/x86/microcode/GenuineIntel.bin"},
- {"/lib/firmware/amd-ucode/microcode_amd*.bin", "kernel/x86/microcode/AuthenticAMD.bin"},
+ {"/usr/lib/firmware/intel-ucode/*", "kernel/x86/microcode/GenuineIntel.bin"},
+ {"/usr/lib/firmware/amd-ucode/microcode_amd*.bin", "kernel/x86/microcode/AuthenticAMD.bin"},
 } // List of paths to be moved to the future initramfs.
diff --git a/internal/pkg/selinux/policy/file_contexts b/internal/pkg/selinux/policy/file_contexts
index 6e34ca45f8..1193fb63fc 100644
--- a/internal/pkg/selinux/policy/file_contexts
+++ b/internal/pkg/selinux/policy/file_contexts
@@ -1,9 +1,9 @@
 /etc(/.*)? system_u:object_r:etc_t:s0
 /opt(/.*)? system_u:object_r:opt_t:s0
-/sbin(/.*)? system_u:object_r:sbin_exec_t:s0
 /etc/cni(/.*)? system_u:object_r:cni_conf_t:s0
 /opt/cni(/.*)? system_u:object_r:cni_plugin_t:s0
-/usr/sbin(/.*)? system_u:object_r:sbin_exec_t:s0
+/usr/bin(/.*)? system_u:object_r:bin_exec_t:s0
+/usr/sbin(/.*)? system_u:object_r:bin_exec_t:s0
 /usr/lib/udev(/.*)? system_u:object_r:udev_exec_t:s0
 /etc/kubernetes(/.*)? system_u:object_r:k8s_conf_t:s0
 /opt/containerd(/.*)? system_u:object_r:containerd_plugin_t:s0
@@ -11,14 +11,13 @@ /usr/lib/udev/rules.d(/.*)? system_u:object_r:udev_rules_t:s0 /usr/libexec/kubernetes(/.*)? system_u:object_r:k8s_plugin_t:s0 / system_u:object_r:rootfs_t:s0 -/bin/runc system_u:object_r:containerd_exec_t:s0 -/sbin/init -- system_u:object_r:init_exec_t:s0 -/sbin/udevadm -l system_u:object_r:udev_exec_t:s0 -/sbin/poweroff system_u:object_r:init_exec_t:s0 -/sbin/shutdown system_u:object_r:init_exec_t:s0 -/sbin/modprobe -- system_u:object_r:modprobe_exec_t:s0 -/bin/containerd system_u:object_r:containerd_exec_t:s0 -/sbin/dashboard system_u:object_r:init_exec_t:s0 +/usr/bin/runc system_u:object_r:containerd_exec_t:s0 +/usr/sbin/init -- system_u:object_r:init_exec_t:s0 /usr/bin/udevadm -- system_u:object_r:udev_exec_t:s0 -/sbin/systemd-udevd -- system_u:object_r:udev_exec_t:s0 -/bin/containerd-shim-runc-v2 system_u:object_r:containerd_exec_t:s0 +/usr/sbin/poweroff system_u:object_r:init_exec_t:s0 +/usr/sbin/shutdown system_u:object_r:init_exec_t:s0 +/usr/sbin/modprobe -- system_u:object_r:modprobe_exec_t:s0 +/usr/bin/containerd system_u:object_r:containerd_exec_t:s0 +/usr/sbin/dashboard system_u:object_r:init_exec_t:s0 +/usr/sbin/systemd-udevd -- system_u:object_r:udev_exec_t:s0 +/usr/bin/containerd-shim-runc-v2 system_u:object_r:containerd_exec_t:s0 diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index 7a1c7a28279fa21697ffa4c450583ce828d3d848..59f08d7430e0fa26d7fdf94f7170dc7204c0b9e9 100644 GIT binary patch delta 44 ucmdmUnQ`}J#tm$Gn-%pO*d@3a7#N~}m=TCUASp91KD8n>d2_sJtO)=DVG7>> delta 45 vcmdmenQ_l$#tm$GlH3do3{gPL2*e;zoRpatpIVWcyqQJMiG6c|X|xFd0XYje diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil index 0a57ecac2a..74c2ed71e3 100644 --- a/internal/pkg/selinux/policy/selinux/services/machined.cil +++ b/internal/pkg/selinux/policy/selinux/services/machined.cil 
@@ -1,10 +1,10 @@
 (type init_exec_t)
 (call system_f (init_exec_t))
 (context init_exec_t (system_u object_r init_exec_t (systemLow systemLow)))
-(filecon "/sbin/init" file init_exec_t)
-(filecon "/sbin/poweroff" any init_exec_t)
-(filecon "/sbin/shutdown" any init_exec_t)
-(filecon "/sbin/dashboard" any init_exec_t)
+(filecon "/usr/sbin/init" file init_exec_t)
+(filecon "/usr/sbin/poweroff" any init_exec_t)
+(filecon "/usr/sbin/shutdown" any init_exec_t)
+(filecon "/usr/sbin/dashboard" any init_exec_t)
 (type init_t)
 (roletype system_r init_t)
@@ -36,10 +36,10 @@
 (roletype system_r unconfined_service_t)
 (typeattributeset service_p unconfined_service_t)
-(type sbin_exec_t)
-(call system_f (sbin_exec_t))
-(filecon "/sbin(/.*)?" any (system_u object_r sbin_exec_t (systemLow systemLow)))
-(filecon "/usr/sbin(/.*)?" any (system_u object_r sbin_exec_t (systemLow systemLow)))
+(type bin_exec_t)
+(call system_f (bin_exec_t))
+(filecon "/usr/bin(/.*)?" any (system_u object_r bin_exec_t (systemLow systemLow)))
+(filecon "/usr/sbin(/.*)?" any (system_u object_r bin_exec_t (systemLow systemLow)))
 ; Typically machined executes LVM, cryptsetup and similar utilities
 ; They are short-running, come from the rootfs and do not accept user input, so can be started in init_t domain
-(allow init_t sbin_exec_t (file (execute execute_no_trans)))
+(allow init_t bin_exec_t (file (execute execute_no_trans)))
diff --git a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
index 2b515625f4..8468592b71 100644
--- a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
+++ b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil
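Review bot: Replacing `sbin_exec_t` (which covered `/sbin` and `/usr/sbin`) with a `bin_exec_t` that also spans `/usr/bin(/.*)?` means `(allow init_t bin_exec_t (file (execute execute_no_trans)))` now lets machined run every binary under `/usr/bin` in its own `init_t` domain, well beyond the LVM/cryptsetup-style utilities the comment above it describes; since `hack/cleanup.sh` in this same patch stops pruning `/usr/bin`, the set of no-transition executables grows accordingly. If that widening is intended, document it next to the allow rule, e.g. `; bin_exec_t also covers /usr/bin (usrmerge): anything there without a more specific label (containerd, udev, modprobe) runs in init_t without transition`; otherwise a separate label for `/usr/bin` with the allow kept on the `/usr/sbin` one preserves the previous scope. The more specific `filecon` entries for `/usr/bin/{containerd,runc,udevadm}` must still win over the directory-wide one, which should be confirmed in the generated `file_contexts` ordering (that file lists `/usr/bin(/.*)?` before them).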
@@ -1,9 +1,9 @@
 (type containerd_exec_t)
 (call system_f (containerd_exec_t))
 (context containerd_exec_t (system_u object_r containerd_exec_t (systemLow systemLow)))
-(filecon "/bin/containerd" any containerd_exec_t)
-(filecon "/bin/containerd-shim-runc-v2" any containerd_exec_t)
-(filecon "/bin/runc" any containerd_exec_t)
+(filecon "/usr/bin/containerd" any containerd_exec_t)
+(filecon "/usr/bin/containerd-shim-runc-v2" any containerd_exec_t)
+(filecon "/usr/bin/runc" any containerd_exec_t)
 ; System containerd
 (type sys_containerd_t)
diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil
index 883b076ddc..13e6b08737 100644
--- a/internal/pkg/selinux/policy/selinux/services/udev.cil
+++ b/internal/pkg/selinux/policy/selinux/services/udev.cil
@@ -1,9 +1,8 @@
 (type udev_exec_t)
 (call system_f (udev_exec_t))
 (context udev_exec_t (system_u object_r udev_exec_t (systemLow systemLow)))
-(filecon "/sbin/systemd-udevd" file udev_exec_t)
+(filecon "/usr/sbin/systemd-udevd" file udev_exec_t)
 (filecon "/usr/bin/udevadm" file udev_exec_t)
-(filecon "/sbin/udevadm" symlink udev_exec_t)
 ; Do not reorder: label non-executable rules files as executable
 (type udev_rules_t)
@@ -36,7 +35,7 @@
 (type modprobe_exec_t)
 (call system_f (modprobe_exec_t))
-(filecon "/sbin/modprobe" file (system_u object_r modprobe_exec_t (systemLow systemLow)))
+(filecon "/usr/sbin/modprobe" file (system_u object_r modprobe_exec_t (systemLow systemLow)))
 (allow udev_t modprobe_exec_t (file (execute execute_no_trans)))
 (typetransition kernel_t modprobe_exec_t process udev_t)
 (typetransition init_t modprobe_exec_t process udev_t)
diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
index 20634ec006..f5e280e12f 100644
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@@ -17,7 +17,7 @@ const (
 DefaultKernelVersion = "6.12.11-talos"
 // KernelModulesPath is the default path to the kernel modules without the kernel version.
- KernelModulesPath = "/lib/modules"
+ KernelModulesPath = "/usr/lib/modules"
 // KernelParamConfig is the kernel parameter name for specifying the URL.
 // to the config.
@@ -1074,7 +1074,7 @@ const (
 PlatformNetworkConfigFilename = "platform-network.yaml"
 // FirmwarePath is the path to the standard Linux firmware location.
- FirmwarePath = "/lib/firmware"
+ FirmwarePath = "/usr/lib/firmware"
 // ExtensionServiceConfigPath is the directory path which contains configuration files of extension services.
 //
diff --git a/pkg/machinery/extensions/extensions.go b/pkg/machinery/extensions/extensions.go
index 609aca5194..4d50b58772 100644
--- a/pkg/machinery/extensions/extensions.go
+++ b/pkg/machinery/extensions/extensions.go
@@ -10,12 +10,12 @@ import "path/filepath"
 // AllowedPaths lists paths allowed in the extension images.
 var AllowedPaths = []string{
 "/etc/cri/conf.d",
- "/lib/firmware",
- "/lib/modules",
+ "/usr/lib/firmware",
+ "/usr/lib/modules",
 // The glibc loader is required by glibc dynamic binaries.
- "/lib64/ld-linux-x86-64.so.2",
- // /sbin/ldconfig is required by the nvidia container toolkit.
- "/sbin/ldconfig",
+ "/usr/lib/ld-linux-x86-64.so.2",
+ // /usr/sbin/ldconfig is required by the nvidia container toolkit.
+ "/usr/sbin/ldconfig",
 "/usr/lib/udev/rules.d",
 "/usr/local",
 // glvnd, egl and vulkan are needed for OpenGL/Vulkan.
diff --git a/pkg/machinery/gendata/data/extras b/pkg/machinery/gendata/data/extras
index 8e9f7abe2a..e771dd5ee2 100644
--- a/pkg/machinery/gendata/data/extras
+++ b/pkg/machinery/gendata/data/extras
@@ -1 +1 @@
-v1.10.0-alpha.0-2-gf4a110f
\ No newline at end of file
+v1.10.0-alpha.0-3-g4102a78
\ No newline at end of file
diff --git a/pkg/machinery/gendata/data/pkgs b/pkg/machinery/gendata/data/pkgs
index cde5b32128..89b5248c31 100644
--- a/pkg/machinery/gendata/data/pkgs
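Review bot: Dropping `/lib/firmware`, `/lib/modules`, `/lib64/ld-linux-x86-64.so.2` and `/sbin/ldconfig` from `AllowedPaths` makes every already-published extension image that ships those paths fail validation with `path "…" is not allowed in extensions`, and nothing in the patch (commit message, docs, or a compatibility shim) tells extension authors that; either keep the legacy entries accepted for a release or call the break out explicitly. On the loader entry specifically: glibc binaries typically carry `/lib64/ld-linux-x86-64.so.2` as their ELF interpreter, so allowing only `/usr/lib/ld-linux-x86-64.so.2` works only if the rootfs provides `/lib64 -> usr/lib`, which this patch does not show. Confirm that and state it in the comment, e.g. `// The glibc loader is required by glibc dynamic binaries; they reference it as /lib64/ld-linux-x86-64.so.2, which the usrmerged rootfs resolves under /usr/lib.`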
+++ b/pkg/machinery/gendata/data/pkgs @@ -1 +1 @@ -v1.10.0-alpha.0-34-g5763e3e \ No newline at end of file +v1.10.0-alpha.0-35-g85f8901 \ No newline at end of file diff --git a/pkg/provision/providers/vm/internal/ipxe/data/ipxe/amd64/snp.efi b/pkg/provision/providers/vm/internal/ipxe/data/ipxe/amd64/snp.efi index a9d6e06439041ec350bb76a73934dc836bb68b54..3441400561e042e2268c53b39edb921de52c87d5 100644 GIT binary patch delta 26 gcmZp;z~2BwEsQNpTbL8lSwfecR@`A;PPdXovZ diff --git a/website/content/v1.10/advanced/proprietary-kernel-modules.md b/website/content/v1.10/advanced/proprietary-kernel-modules.md index 9a42ef4d7f..ccfef0632c 100644 --- a/website/content/v1.10/advanced/proprietary-kernel-modules.md +++ b/website/content/v1.10/advanced/proprietary-kernel-modules.md @@ -55,7 +55,7 @@ aliases: ```bash INSTALLER_VERSION= IMAGE_NAME="ghcr.io/your-username/talos-installer:$INSTALLER_VERSION" - DOCKER_BUILDKIT=0 docker build --build-arg RM="/lib/modules" -t "$IMAGE_NAME" . && docker push "$IMAGE_NAME" + DOCKER_BUILDKIT=0 docker build --build-arg RM="/usr/lib/modules" -t "$IMAGE_NAME" . && docker push "$IMAGE_NAME" ``` 3. Deploying to your cluster From 9d24107284b03dd11b84db3aa1cd802e625ae95f Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Thu, 6 Feb 2025 14:52:48 +0100 Subject: [PATCH 02/14] fixup! feat: use bootstrapped packages for building Talos --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index c231291e4a..91571bd6e4 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -785,7 +785,7 @@ COPY --link --from=pkg-xfsprogs-arm64 / /rootfs COPY --link --from=pkg-util-linux-arm64 /usr/lib/libblkid.* /rootfs/usr/lib/ COPY --link --from=pkg-util-linux-arm64 /usr/lib/libuuid.* /rootfs/usr/lib/ COPY --link --from=pkg-util-linux-arm64 /usr/lib/libmount.* /rootfs/usr/lib/ -COPY --link --from=pkg-kmod-arm64 /usr/usr/lib/libkmod.* /rootfs/usr/lib/ +COPY --link --from=pkg-kmod-arm64 /usr/lib/libkmod.* /rootfs/usr/lib/ COPY --link --from=pkg-kmod-arm64 /usr/bin/kmod /rootfs/usr/sbin/modprobe COPY --link --from=modules-arm64 /usr/lib/modules /rootfs/usr/lib/modules COPY --link --from=machined-build-arm64 /machined /rootfs/usr/sbin/init From 1401ba592a04668550a11c91675177c2a1a213fa Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Thu, 6 Feb 2025 15:21:28 +0100 Subject: [PATCH 03/14] test: fix tests + add usrmerge ext test --- Dockerfile | 2 -- pkg/machinery/extensions/extensions_test.go | 4 ++++ .../extensions/testdata/bad/usrmerge/manifest.yaml | 10 ++++++++++ .../amd/cpu => bad/usrmerge/rootfs/usr/lib64/a.so} | 0 .../ld-linux-x86-64.so.2 => usr/lib/firmware/amd/cpu} | 0 .../extension1/rootfs/usr/lib/ld-linux-x86-64.so.2 | 0 6 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 pkg/machinery/extensions/testdata/bad/usrmerge/manifest.yaml rename pkg/machinery/extensions/testdata/{good/extension1/rootfs/lib/firmware/amd/cpu => bad/usrmerge/rootfs/usr/lib64/a.so} (100%) rename pkg/machinery/extensions/testdata/good/extension1/rootfs/{lib64/ld-linux-x86-64.so.2 => usr/lib/firmware/amd/cpu} (100%) create mode 100644 pkg/machinery/extensions/testdata/good/extension1/rootfs/usr/lib/ld-linux-x86-64.so.2 diff --git a/Dockerfile b/Dockerfile index 91571bd6e4..ee9c9ee475 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -998,7 +998,6 @@ FROM --platform=${BUILDPLATFORM} iso-${TARGETARCH} AS iso # The test target performs tests on the source code. FROM base AS unit-tests-runner -RUN unlink /etc/ssl COPY --from=rootfs / / COPY --from=pkg-ca-certificates / / ARG TESTPKGS @@ -1013,7 +1012,6 @@ COPY --from=unit-tests-runner /src/coverage.txt /coverage.txt # The unit-tests-race target performs tests with race detector. FROM base AS unit-tests-race -RUN unlink /etc/ssl COPY --from=rootfs / / COPY --from=pkg-ca-certificates / / ARG TESTPKGS diff --git a/pkg/machinery/extensions/extensions_test.go b/pkg/machinery/extensions/extensions_test.go index e4fe864b72..8ededb2779 100644 --- a/pkg/machinery/extensions/extensions_test.go +++ b/pkg/machinery/extensions/extensions_test.go @@ -56,6 +56,10 @@ func TestValidateFailures(t *testing.T) { name: "badpaths", validateError: "path \"/boot/vmlinuz\" is not allowed in extensions", }, + { + name: "usrmerge", + validateError: "path \"/usr/lib64/a.so\" is not allowed in extensions", + }, } { t.Run(tt.name, func(t *testing.T) { ext, err := extensions.Load(filepath.Join("testdata/bad", tt.name)) diff --git a/pkg/machinery/extensions/testdata/bad/usrmerge/manifest.yaml b/pkg/machinery/extensions/testdata/bad/usrmerge/manifest.yaml new file mode 100644 index 0000000000..45bb96b97a --- /dev/null +++ b/pkg/machinery/extensions/testdata/bad/usrmerge/manifest.yaml @@ -0,0 +1,10 @@ +version: v1alpha1 +metadata: + name: gvisor + version: 20220117.0-v1.0.0 + author: Andrew Rynhard + description: > + This system extension provides gVisor using containerd's runtime handler. + compatibility: + talos: + version: ">= v1.0.0" 
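Review bot: The new `usrmerge` case pins the rejection message for `/usr/lib64/a.so`, but nothing in the hunk says why that path must be refused, so the next person to touch the allow-list has to reverse-engineer the intent from the case name. A one-line comment on the case, `// a usr-merged extension rootfs must not carry /usr/lib64; the validator is expected to reject it`, would make the expectation explicit. The fixture manifest added in this commit reuses the gvisor metadata verbatim (name, author, description), so its `description` could instead state that the rootfs deliberately contains a file under `/usr/lib64`. The validation code this case exercises is not part of this hunk.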
diff --git a/pkg/machinery/extensions/testdata/good/extension1/rootfs/lib/firmware/amd/cpu b/pkg/machinery/extensions/testdata/bad/usrmerge/rootfs/usr/lib64/a.so similarity index 100% rename from pkg/machinery/extensions/testdata/good/extension1/rootfs/lib/firmware/amd/cpu rename to pkg/machinery/extensions/testdata/bad/usrmerge/rootfs/usr/lib64/a.so diff --git a/pkg/machinery/extensions/testdata/good/extension1/rootfs/lib64/ld-linux-x86-64.so.2 b/pkg/machinery/extensions/testdata/good/extension1/rootfs/usr/lib/firmware/amd/cpu similarity index 100% rename from pkg/machinery/extensions/testdata/good/extension1/rootfs/lib64/ld-linux-x86-64.so.2 rename to pkg/machinery/extensions/testdata/good/extension1/rootfs/usr/lib/firmware/amd/cpu diff --git a/pkg/machinery/extensions/testdata/good/extension1/rootfs/usr/lib/ld-linux-x86-64.so.2 b/pkg/machinery/extensions/testdata/good/extension1/rootfs/usr/lib/ld-linux-x86-64.so.2 new file mode 100644 index 0000000000..e69de29bb2 From a425e4fa1a985eb9ee402505ac5ddbaf9ffa964e Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Thu, 6 Feb 2025 15:45:24 +0100 Subject: [PATCH 04/14] use bash in tests --- Dockerfile | 2 +- .../system/runner/containerd/containerd_test.go | 14 +++++++------- .../pkg/system/runner/process/process_test.go | 16 ++++++++-------- .../pkg/containers/containerd/containerd_test.go | 8 ++++---- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/Dockerfile b/Dockerfile index ee9c9ee475..ab12505f45 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -381,7 +381,7 @@ RUN protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_o COPY ./api/inspect/inspect.proto /api/inspect/inspect.proto RUN protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size inspect/inspect.proto COPY --from=gen-proto-go /api/resource/definitions/ /api/resource/definitions/ -RUN find /api/resource/definitions/ -type f -name "*.proto" | xargs -I {} /bin/sh -c 'protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size {} && mkdir -p /api/resource/definitions_go/$(basename {} .proto) && mv /api/resource/definitions/$(basename {} .proto)/*.go /api/resource/definitions_go/$(basename {} .proto)' +RUN find /api/resource/definitions/ -type f -name "*.proto" | xargs -I {} /bin/bash -c 'protoc -I/api -I/api/vendor/ --go_out=paths=source_relative:/api --go-grpc_out=paths=source_relative:/api --go-vtproto_out=paths=source_relative:/api --go-vtproto_opt=features=marshal+unmarshal+size {} && mkdir -p /api/resource/definitions_go/$(basename {} .proto) && mv /api/resource/definitions/$(basename {} .proto)/*.go /api/resource/definitions_go/$(basename {} .proto)' # Goimports and gofumpt generated files to adjust import order RUN goimports -w -local github.com/siderolabs/talos /api/ RUN gofumpt -w /api/ diff --git a/internal/app/machined/pkg/system/runner/containerd/containerd_test.go b/internal/app/machined/pkg/system/runner/containerd/containerd_test.go index eaebcc5875..9528b453dc 100644 --- a/internal/app/machined/pkg/system/runner/containerd/containerd_test.go +++ b/internal/app/machined/pkg/system/runner/containerd/containerd_test.go 
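Review bot: The rewritten `RUN` line still splices each `.proto` path into a shell command string via `xargs -I {} /bin/bash -c '... {} ... $(basename {} .proto) ...'`, so a path containing whitespace or shell metacharacters would be word-split or interpreted by bash; switching the interpreter from `sh` to `bash` does not change that. The inputs are repository-controlled files, so the practical risk is low, but passing the path as an argument instead of text — `find ... -print0 | xargs -0 -I {} /bin/bash -c '... "$1" ...' _ {}` — keeps the filename out of the parsed command. The rest of the proto generation stage is outside this hunk.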
@@ -162,7 +162,7 @@ func (suite *ContainerdSuite) getLogContents(filename string) []byte { func (suite *ContainerdSuite) TestRunSuccess() { r := containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/sh", "-c", "exit 0"}, + ProcessArgs: []string{"/bin/bash", "-c", "exit 0"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -182,7 +182,7 @@ func (suite *ContainerdSuite) TestRunSuccess() { func (suite *ContainerdSuite) TestRunTwice() { r := containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/sh", "-c", "exit 0"}, + ProcessArgs: []string{"/bin/bash", "-c", "exit 0"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -216,7 +216,7 @@ func (suite *ContainerdSuite) TestContainerCleanup() { // runner r1 := containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/sh", "-c", "exit 1"}, + ProcessArgs: []string{"/bin/bash", "-c", "exit 1"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -228,7 +228,7 @@ func (suite *ContainerdSuite) TestContainerCleanup() { r2 := containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/sh", "-c", "exit 0"}, + ProcessArgs: []string{"/bin/bash", "-c", "exit 0"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -247,7 +247,7 @@ func (suite *ContainerdSuite) TestContainerCleanup() { func (suite *ContainerdSuite) TestRunLogs() { r := containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/sh", "-c", "echo -n \"Test 1\nTest 2\n\""}, + ProcessArgs: []string{"/bin/bash", "-c", "echo -n \"Test 1\nTest 2\n\""}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), 
@@ -283,7 +283,7 @@ func (suite *ContainerdSuite) TestStopFailingAndRestarting() { r := restart.New(containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/sh", "-c", "test -f " + testFile + " && echo ok || (echo fail; false)"}, + ProcessArgs: []string{"/bin/bash", "-c", "test -f " + testFile + " && echo ok || (echo fail; false)"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -361,7 +361,7 @@ func (suite *ContainerdSuite) TestStopSigKill() { r := containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/sh", "-c", "trap -- '' SIGTERM; while :; do :; done"}, + ProcessArgs: []string{"/bin/bash", "-c", "trap -- '' SIGTERM; while :; do :; done"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), diff --git a/internal/app/machined/pkg/system/runner/process/process_test.go b/internal/app/machined/pkg/system/runner/process/process_test.go index 9485aee25c..44b979dc66 100644 --- a/internal/app/machined/pkg/system/runner/process/process_test.go +++ b/internal/app/machined/pkg/system/runner/process/process_test.go @@ -60,7 +60,7 @@ func (suite *ProcessSuite) TearDownSuite() { func (suite *ProcessSuite) TestRunSuccess() { r := process.NewRunner(false, &runner.Args{ ID: "test", - ProcessArgs: []string{"/bin/sh", "-c", "exit 0"}, + ProcessArgs: []string{"/bin/bash", "-c", "exit 0"}, }, runner.WithLoggingManager(suite.loggingManager)) suite.Assert().NoError(r.Open()) @@ -75,7 +75,7 @@ func (suite *ProcessSuite) TestRunSuccess() { func (suite *ProcessSuite) TestRunLogs() { r := process.NewRunner(false, &runner.Args{ ID: "logtest", - ProcessArgs: []string{"/bin/sh", "-c", "echo -n \"Test 1\nTest 2\n\""}, + ProcessArgs: []string{"/bin/bash", "-c", "echo -n \"Test 1\nTest 2\n\""}, }, runner.WithLoggingManager(suite.loggingManager)) suite.Assert().NoError(r.Open()) 
@@ -103,7 +103,7 @@ func (suite *ProcessSuite) TestRunRestartFailed() { r := restart.New(process.NewRunner(false, &runner.Args{ ID: "restarter", - ProcessArgs: []string{"/bin/sh", "-c", "echo \"ran\"; test -f " + testFile}, + ProcessArgs: []string{"/bin/bash", "-c", "echo \"ran\"; test -f " + testFile}, }, runner.WithLoggingManager(suite.loggingManager)), restart.WithType(restart.UntilSuccess), restart.WithRestartInterval(time.Millisecond)) suite.Assert().NoError(r.Open()) @@ -156,7 +156,7 @@ func (suite *ProcessSuite) TestStopFailingAndRestarting() { r := restart.New(process.NewRunner(false, &runner.Args{ ID: "endless", - ProcessArgs: []string{"/bin/sh", "-c", "test -f " + testFile}, + ProcessArgs: []string{"/bin/bash", "-c", "test -f " + testFile}, }, runner.WithLoggingManager(suite.loggingManager)), restart.WithType(restart.Forever), restart.WithRestartInterval(5*time.Millisecond)) suite.Assert().NoError(r.Open()) @@ -200,7 +200,7 @@ func (suite *ProcessSuite) TestStopFailingAndRestarting() { func (suite *ProcessSuite) TestStopSigKill() { r := process.NewRunner(false, &runner.Args{ ID: "nokill", - ProcessArgs: []string{"/bin/sh", "-c", "trap -- '' SIGTERM; while :; do :; done"}, + ProcessArgs: []string{"/bin/bash", "-c", "trap -- '' SIGTERM; while :; do :; done"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithGracefulShutdownTimeout(10*time.Millisecond), @@ -240,7 +240,7 @@ func (suite *ProcessSuite) TestPriority() { r := process.NewRunner(false, &runner.Args{ ID: "nokill", - ProcessArgs: []string{"/bin/sh", "-c", "echo $BASHPID >> " + pidFile + "; trap -- '' SIGTERM; while :; do :; done"}, + ProcessArgs: []string{"/bin/bash", "-c", "echo $BASHPID >> " + pidFile + "; trap -- '' SIGTERM; while :; do :; done"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithGracefulShutdownTimeout(10*time.Millisecond), 
@@ -294,7 +294,7 @@ func (suite *ProcessSuite) TestIOPriority() { r := process.NewRunner(false, &runner.Args{ ID: "nokill", - ProcessArgs: []string{"/bin/sh", "-c", "echo $BASHPID >> " + pidFile + "; trap -- '' SIGTERM; while :; do :; done"}, + ProcessArgs: []string{"/bin/bash", "-c", "echo $BASHPID >> " + pidFile + "; trap -- '' SIGTERM; while :; do :; done"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithGracefulShutdownTimeout(10*time.Millisecond), @@ -347,7 +347,7 @@ func (suite *ProcessSuite) TestSchedulingPolicy() { r := process.NewRunner(false, &runner.Args{ ID: "nokill", - ProcessArgs: []string{"/bin/sh", "-c", "echo $BASHPID >> " + pidFile + "; trap -- '' SIGTERM; while :; do :; done"}, + ProcessArgs: []string{"/bin/bash", "-c", "echo $BASHPID >> " + pidFile + "; trap -- '' SIGTERM; while :; do :; done"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithGracefulShutdownTimeout(10*time.Millisecond), diff --git a/internal/pkg/containers/containerd/containerd_test.go b/internal/pkg/containers/containerd/containerd_test.go index 3b33a09d36..cc1c271071 100644 --- a/internal/pkg/containers/containerd/containerd_test.go +++ b/internal/pkg/containers/containerd/containerd_test.go @@ -197,7 +197,7 @@ func (suite *ContainerdSuite) TearDownTest() { func (suite *ContainerdSuite) runK8sContainers() { suite.run(containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID + "1", - ProcessArgs: []string{"/bin/sh", "-c", "sleep 3600"}, + ProcessArgs: []string{"/bin/bash", "-c", "sleep 3600"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), 
@@ -213,7 +213,7 @@ func (suite *ContainerdSuite) runK8sContainers() { runner.WithContainerdAddress(suite.containerdAddress), ), containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID + "2", - ProcessArgs: []string{"/bin/sh", "-c", "sleep 3600"}, + ProcessArgs: []string{"/bin/bash", "-c", "sleep 3600"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -233,7 +233,7 @@ func (suite *ContainerdSuite) runK8sContainers() { func (suite *ContainerdSuite) TestPodsNonK8s() { suite.run(containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/sh", "-c", "sleep 3600"}, + ProcessArgs: []string{"/bin/bash", "-c", "sleep 3600"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -298,7 +298,7 @@ func (suite *ContainerdSuite) TestPodsK8s() { func (suite *ContainerdSuite) TestContainerNonK8s() { suite.run(containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/sh", "-c", "sleep 3600"}, + ProcessArgs: []string{"/bin/bash", "-c", "sleep 3600"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), From 1e2d014d0ef0463b10c20712f5a0b61a4d48dcf2 Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Thu, 6 Feb 2025 16:21:01 +0100 Subject: [PATCH 05/14] fixup! use bash in tests --- internal/pkg/containers/containerd/containerd_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/pkg/containers/containerd/containerd_test.go b/internal/pkg/containers/containerd/containerd_test.go index cc1c271071..3b33a09d36 100644 --- a/internal/pkg/containers/containerd/containerd_test.go +++ b/internal/pkg/containers/containerd/containerd_test.go 
@@ -197,7 +197,7 @@ func (suite *ContainerdSuite) TearDownTest() { func (suite *ContainerdSuite) runK8sContainers() { suite.run(containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID + "1", - ProcessArgs: []string{"/bin/bash", "-c", "sleep 3600"}, + ProcessArgs: []string{"/bin/sh", "-c", "sleep 3600"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -213,7 +213,7 @@ func (suite *ContainerdSuite) runK8sContainers() { runner.WithContainerdAddress(suite.containerdAddress), ), containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID + "2", - ProcessArgs: []string{"/bin/bash", "-c", "sleep 3600"}, + ProcessArgs: []string{"/bin/sh", "-c", "sleep 3600"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -233,7 +233,7 @@ func (suite *ContainerdSuite) runK8sContainers() { func (suite *ContainerdSuite) TestPodsNonK8s() { suite.run(containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/bash", "-c", "sleep 3600"}, + ProcessArgs: []string{"/bin/sh", "-c", "sleep 3600"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -298,7 +298,7 @@ func (suite *ContainerdSuite) TestPodsK8s() { func (suite *ContainerdSuite) TestContainerNonK8s() { suite.run(containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/bash", "-c", "sleep 3600"}, + ProcessArgs: []string{"/bin/sh", "-c", "sleep 3600"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), From 502e0270dab5844e6ff050c16d1b5c236b134acd Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Thu, 6 Feb 2025 16:42:54 +0100 Subject: [PATCH 06/14] fixup! fixup! use bash in tests --- .../system/runner/containerd/containerd_test.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/internal/app/machined/pkg/system/runner/containerd/containerd_test.go b/internal/app/machined/pkg/system/runner/containerd/containerd_test.go index 9528b453dc..eaebcc5875 100644 --- a/internal/app/machined/pkg/system/runner/containerd/containerd_test.go +++ b/internal/app/machined/pkg/system/runner/containerd/containerd_test.go @@ -162,7 +162,7 @@ func (suite *ContainerdSuite) getLogContents(filename string) []byte { func (suite *ContainerdSuite) TestRunSuccess() { r := containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/bash", "-c", "exit 0"}, + ProcessArgs: []string{"/bin/sh", "-c", "exit 0"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -182,7 +182,7 @@ func (suite *ContainerdSuite) TestRunSuccess() { func (suite *ContainerdSuite) TestRunTwice() { r := containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/bash", "-c", "exit 0"}, + ProcessArgs: []string{"/bin/sh", "-c", "exit 0"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -216,7 +216,7 @@ func (suite *ContainerdSuite) TestContainerCleanup() { // runner r1 := containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/bash", "-c", "exit 1"}, + ProcessArgs: []string{"/bin/sh", "-c", "exit 1"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -228,7 +228,7 @@ func (suite *ContainerdSuite) TestContainerCleanup() { r2 := containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/bash", "-c", "exit 0"}, + ProcessArgs: []string{"/bin/sh", "-c", "exit 0"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), 
@@ -247,7 +247,7 @@ func (suite *ContainerdSuite) TestContainerCleanup() { func (suite *ContainerdSuite) TestRunLogs() { r := containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/bash", "-c", "echo -n \"Test 1\nTest 2\n\""}, + ProcessArgs: []string{"/bin/sh", "-c", "echo -n \"Test 1\nTest 2\n\""}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -283,7 +283,7 @@ func (suite *ContainerdSuite) TestStopFailingAndRestarting() { r := restart.New(containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/bash", "-c", "test -f " + testFile + " && echo ok || (echo fail; false)"}, + ProcessArgs: []string{"/bin/sh", "-c", "test -f " + testFile + " && echo ok || (echo fail; false)"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), @@ -361,7 +361,7 @@ func (suite *ContainerdSuite) TestStopSigKill() { r := containerdrunner.NewRunner(false, &runner.Args{ ID: suite.containerID, - ProcessArgs: []string{"/bin/bash", "-c", "trap -- '' SIGTERM; while :; do :; done"}, + ProcessArgs: []string{"/bin/sh", "-c", "trap -- '' SIGTERM; while :; do :; done"}, }, runner.WithLoggingManager(suite.loggingManager), runner.WithNamespace(suite.containerdNamespace), From 3646a9f74b102ba80772664d969a91e75b78119a Mon Sep 17 00:00:00 2001 
From: Dmitry Sharshakov Date: Thu, 6 Feb 2025 17:19:08 +0100 Subject: [PATCH 07/14] fix ext tests --- Dockerfile | 4 ++-- internal/app/init/main.go | 2 +- internal/pkg/extensions/extensions_test.go | 2 +- internal/pkg/extensions/kernel_modules.go | 4 ++-- .../good/extension1/rootfs/{ => usr}/lib/firmware/amd/cpu | 0 .../extension1/rootfs/{lib64 => usr/lib}/ld-linux-x86-64.so.2 | 0 6 files changed, 6 insertions(+), 6 deletions(-) rename internal/pkg/extensions/testdata/good/extension1/rootfs/{ => usr}/lib/firmware/amd/cpu (100%) rename internal/pkg/extensions/testdata/good/extension1/rootfs/{lib64 => usr/lib}/ld-linux-x86-64.so.2 (100%) diff --git a/Dockerfile b/Dockerfile index ab12505f45..c561be0a6d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -731,7 +731,7 @@ END COPY ./hack/cleanup.sh /toolchain/bin/cleanup.sh RUN < Date: Thu, 6 Feb 2025 17:56:02 +0100 Subject: [PATCH 08/14] chore: update Go to 1.23.6 Signed-off-by: Dmitry Sharshakov --- go.mod | 2 +- go.work | 2 +- hack/cloud-image-uploader/go.mod | 2 +- hack/docgen/go.mod | 2 +- hack/gotagsrewrite/go.mod | 2 +- hack/module-sig-verify/go.mod | 2 +- hack/release.toml | 2 +- hack/structprotogen/go.mod | 2 +- pkg/machinery/constants/constants.go | 2 +- pkg/machinery/go.mod | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index cc2e3e3de1..3779bdc684 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/siderolabs/talos -go 1.23.5 +go 1.23.6 replace ( // see e.g. https://github.com/grpc/grpc-go/issues/6696 diff --git a/go.work b/go.work index 5722a6d97c..8ef867cf3f 100644 --- a/go.work +++ b/go.work @@ -1,4 +1,4 @@ -go 1.23.5 +go 1.23.6 use ( . diff --git a/hack/cloud-image-uploader/go.mod b/hack/cloud-image-uploader/go.mod index 7874114dd7..7a04b6fe86 100644 --- a/hack/cloud-image-uploader/go.mod +++ b/hack/cloud-image-uploader/go.mod 
@@ -1,6 +1,6 @@ module github.com/siderolabs/cloud-image-uploader -go 1.23.5 +go 1.23.6 require ( cloud.google.com/go/storage v1.49.0 diff --git a/hack/docgen/go.mod b/hack/docgen/go.mod index c69269ea8e..4bce03d742 100644 --- a/hack/docgen/go.mod +++ b/hack/docgen/go.mod @@ -1,6 +1,6 @@ module github.com/siderolabs/talos-hack-docgen -go 1.23.5 +go 1.23.6 // forked go-yaml that introduces RawYAML interface, which can be used to populate YAML fields using bytes // which are then encoded as a valid YAML blocks with proper indentiation diff --git a/hack/gotagsrewrite/go.mod b/hack/gotagsrewrite/go.mod index 2326aa6243..052131f47d 100644 --- a/hack/gotagsrewrite/go.mod +++ b/hack/gotagsrewrite/go.mod @@ -1,6 +1,6 @@ module github.com/siderolabs/gotagsrewrite -go 1.23.5 +go 1.23.6 require ( github.com/fatih/structtag v1.2.0 diff --git a/hack/module-sig-verify/go.mod b/hack/module-sig-verify/go.mod index 1c8cf1a8a5..bc9ddc071b 100644 --- a/hack/module-sig-verify/go.mod +++ b/hack/module-sig-verify/go.mod @@ -1,5 +1,5 @@ module module-sig-verify -go 1.23.5 +go 1.23.6 require go.mozilla.org/pkcs7 v0.9.0 diff --git a/hack/release.toml b/hack/release.toml index 315942e54e..d44abc06e2 100644 --- a/hack/release.toml +++ b/hack/release.toml @@ -25,7 +25,7 @@ preface = """ * etcd: 3.5.18 * Flannel: 0.26.4 -Talos is built with Go 1.23.5. +Talos is built with Go 1.23.6. """ [notes.driver-rebind] diff --git a/hack/structprotogen/go.mod b/hack/structprotogen/go.mod index 0dd637add7..a1c4bf681a 100644 --- a/hack/structprotogen/go.mod +++ b/hack/structprotogen/go.mod @@ -1,6 +1,6 @@ module github.com/siderolabs/structprotogen -go 1.23.5 +go 1.23.6 require ( github.com/fatih/structtag v1.2.0 diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go index f5e280e12f..22fb02061a 100644 --- a/pkg/machinery/constants/constants.go +++ b/pkg/machinery/constants/constants.go 
@@ -1100,7 +1100,7 @@ const ( DBusClientSocketLabel = "system_u:object_r:dbus_client_socket_t:s0" // GoVersion is the version of Go compiler this release was built with. - GoVersion = "go1.23.5" + GoVersion = "go1.23.6" // KubernetesTalosAPIServiceName is the name of the Kubernetes service to access Talos API. KubernetesTalosAPIServiceName = "talos" diff --git a/pkg/machinery/go.mod b/pkg/machinery/go.mod index f2003a94e5..87faebdf1d 100644 --- a/pkg/machinery/go.mod +++ b/pkg/machinery/go.mod @@ -1,6 +1,6 @@ module github.com/siderolabs/talos/pkg/machinery -go 1.23.5 +go 1.23.6 replace ( // forked ethtool introduces missing APIs From b57a478101ed5b71a02bbfacb6158b8914c14597 Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Thu, 6 Feb 2025 21:13:27 +0100 Subject: [PATCH 09/14] quirk for moved modules --- internal/app/init/main.go | 8 +++--- internal/pkg/extensions/compress.go | 28 +++++++++++++-------- internal/pkg/extensions/kernel_modules.go | 20 ++++++++++----- internal/pkg/mount/switchroot/switchroot.go | 3 ++- pkg/imager/extensions/extensions.go | 2 +- pkg/machinery/constants/constants.go | 6 ----- pkg/machinery/imager/quirks/quirks.go | 23 +++++++++++++++++ 7 files changed, 62 insertions(+), 28 deletions(-) diff --git a/internal/app/init/main.go b/internal/app/init/main.go index 25c2aa2d64..faedecdfd8 100644 --- a/internal/app/init/main.go +++ b/internal/app/init/main.go @@ -28,6 +28,7 @@ import ( "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2" "github.com/siderolabs/talos/pkg/machinery/constants" "github.com/siderolabs/talos/pkg/machinery/extensions" + "github.com/siderolabs/talos/pkg/machinery/imager/quirks" "github.com/siderolabs/talos/pkg/machinery/version" ) @@ -199,7 +200,8 @@ func mountRootFS() error { } func bindMountFirmware() error { - if _, err := os.Stat(constants.FirmwarePath); err != nil { + firmwarePath := quirks.New("").FirmwarePath() + if _, err := os.Stat(firmwarePath); err != nil { if os.IsNotExist(err) { return nil } 
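Review bot: `bindMountFirmware` now derives the path from `quirks.New("")`, and the meaning of the empty version string is not stated here; whether it selects the current usr-merged layout or a legacy default is decided in `quirks.FirmwarePath`, which is outside this chunk. A comment on the added line saying what `""` selects (presumably the running build's own layout — confirm against `quirks.New`), or a named constructor in the quirks package for that case, would keep the contract in one place instead of relying on every caller to know it. The same construct is added to the package-level `preservedPaths` map in `internal/pkg/mount/switchroot/switchroot.go` later in this patch, where it is evaluated at package init. The remainder of `bindMountFirmware` is in the next hunk.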
@@ -207,9 +209,9 @@ func bindMountFirmware() error { return err } - log.Printf("bind mounting %s", constants.FirmwarePath) + log.Printf("bind mounting %s", firmwarePath) - return unix.Mount(constants.FirmwarePath, filepath.Join(constants.NewRoot, constants.FirmwarePath), "", unix.MS_BIND|unix.MS_RDONLY, "") + return unix.Mount(firmwarePath, filepath.Join(constants.NewRoot, firmwarePath), "", unix.MS_BIND|unix.MS_RDONLY, "") } func bindMountExtra() error { diff --git a/internal/pkg/extensions/compress.go b/internal/pkg/extensions/compress.go index 2707792430..b604cd73f8 100644 --- a/internal/pkg/extensions/compress.go +++ b/internal/pkg/extensions/compress.go @@ -12,7 +12,6 @@ import ( "os/exec" "path/filepath" - "github.com/siderolabs/talos/pkg/machinery/constants" "github.com/siderolabs/talos/pkg/machinery/imager/quirks" ) @@ -23,16 +22,23 @@ import ( // We need to repackage the ucode blobs matching the glob into the destination concatenating // them all together. // The resulting blobs should be placed into uncompressed cpio archive prepended to the normal (compressed) initramfs. -var earlyCPUUcode = []struct { +func earlyCPUUcode(quirks quirks.Quirks) []struct { glob, dst string -}{ - {"/usr/lib/firmware/intel-ucode/*", "kernel/x86/microcode/GenuineIntel.bin"}, - {"/usr/lib/firmware/amd-ucode/microcode_amd*.bin", "kernel/x86/microcode/AuthenticAMD.bin"}, +} { + fwPath := quirks.FirmwarePath() + return []struct { + glob, dst string + }{ + {fwPath + "/intel-ucode/*", "kernel/x86/microcode/GenuineIntel.bin"}, + {fwPath + "/amd-ucode/microcode_amd*.bin", "kernel/x86/microcode/AuthenticAMD.bin"}, + } } // List of paths to be moved to the future initramfs. -var initramfsPaths = []string{ - constants.FirmwarePath, +func initramfsPaths(quirks quirks.Quirks) []string { + return []string{ + quirks.FirmwarePath(), + } } // Compress builds the squashfs image in the specified destination folder. 
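Review bot: The rewritten `unix.Mount(firmwarePath, filepath.Join(constants.NewRoot, firmwarePath), "", unix.MS_BIND|unix.MS_RDONLY, "")` line does not yield a read-only mount with the legacy mount(2) interface: on the initial bind call the kernel ignores flags other than MS_BIND/MS_REC and the new mount point carries the source's options, so the read-only intent expressed by the flag is not enforced. A second call after the bind, `unix.Mount("", target, "", unix.MS_REMOUNT|unix.MS_BIND|unix.MS_RDONLY, "")`, applies the per-mountpoint read-only flag. This predates the commit, but the line is rewritten here and, as far as this hunk shows, it is the only place the firmware directory's read-only property is set; `bindMountFirmware` begins in the previous hunk.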
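Review bot: Both new functions name their parameter `quirks`, which shadows the imported `quirks` package inside `earlyCPUUcode` and `initramfsPaths` (the commit repeats this on `handleUcode` in the next hunk); it compiles because only methods are called on the value, but the package is unreachable in those bodies and `func earlyCPUUcode(quirks quirks.Quirks)` reads as a type naming itself. `kernel_modules.go` in the same commit uses `q quirks.Quirks`; using `q` here as well keeps the series consistent, e.g. `func earlyCPUUcode(q quirks.Quirks) []ucodeBlob` with `fwPath := q.FirmwarePath()`. The anonymous `struct{ glob, dst string }` is now spelled out twice (return type and literal); a small named type such as `type ucodeBlob struct{ glob, dst string }` removes the duplication and gives the doc comment something to attach to.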
@@ -40,11 +46,11 @@ var initramfsPaths = []string{ // Components which should be placed to the initramfs are moved to the initramfsPath. // Ucode components are moved into a separate designated location. func (ext *Extension) Compress(squashPath, initramfsPath string, quirks quirks.Quirks) (string, error) { - if err := ext.handleUcode(initramfsPath); err != nil { + if err := ext.handleUcode(initramfsPath, quirks); err != nil { return "", err } - for _, path := range initramfsPaths { + for _, path := range initramfsPaths(quirks) { if _, err := os.Stat(filepath.Join(ext.RootfsPath(), path)); err == nil { if err = moveFiles(filepath.Join(ext.RootfsPath(), path), filepath.Join(initramfsPath, path)); err != nil { return "", err @@ -87,8 +93,8 @@ func appendBlob(dst io.Writer, srcPath string) error { return os.Remove(srcPath) } -func (ext *Extension) handleUcode(initramfsPath string) error { - for _, ucode := range earlyCPUUcode { +func (ext *Extension) handleUcode(initramfsPath string, quirks quirks.Quirks) error { + for _, ucode := range earlyCPUUcode(quirks) { matches, err := filepath.Glob(filepath.Join(ext.RootfsPath(), ucode.glob)) if err != nil { return err diff --git a/internal/pkg/extensions/kernel_modules.go b/internal/pkg/extensions/kernel_modules.go index 2a7ad7b2e9..86f11fc0ee 100644 --- a/internal/pkg/extensions/kernel_modules.go +++ b/internal/pkg/extensions/kernel_modules.go @@ -22,6 +22,7 @@ import ( "github.com/siderolabs/talos/pkg/machinery/constants" "github.com/siderolabs/talos/pkg/machinery/extensions" + "github.com/siderolabs/talos/pkg/machinery/imager/quirks" ) // ProvidesKernelModules returns true if the extension provides kernel modules. 
@@ -35,7 +36,11 @@ func (ext *Extension) ProvidesKernelModules() bool { // KernelModuleDirectory returns the path to the kernel modules directory. func (ext *Extension) KernelModuleDirectory() string { - return filepath.Join(ext.RootfsPath(), constants.KernelModulesPath) + // default to /lib/modules (for older versions) + if _, err := os.Stat(filepath.Join(ext.RootfsPath(), "/usr/lib/modules")); os.IsNotExist(err) { + return filepath.Join(ext.RootfsPath(), "/lib/modules") + } + return filepath.Join(ext.RootfsPath(), "/usr/lib/modules") } func autoDecompress(r io.Reader) (io.Reader, error) { @@ -58,7 +63,7 @@ func autoDecompress(r io.Reader) (io.Reader, error) { // GenerateKernelModuleDependencyTreeExtension generates a kernel module dependency tree extension. // //nolint:gocyclo -func GenerateKernelModuleDependencyTreeExtension(extensionPathsWithKernelModules []string, initramfsPath, scratchPath string, printFunc func(format string, v ...any)) (*Extension, error) { +func GenerateKernelModuleDependencyTreeExtension(extensionPathsWithKernelModules []string, initramfsPath, scratchPath string, q quirks.Quirks, printFunc func(format string, v ...any)) (*Extension, error) { printFunc("preparing to run depmod to generate kernel modules dependency tree") tempDir, err := os.MkdirTemp("", "ext-modules") 
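Review bot: `KernelModuleDirectory` now decides the layout by probing the rootfs with `os.Stat` and treating only `os.IsNotExist` as the legacy case, so any other stat error (permission denied, a regular file where a directory is expected) silently selects `/usr/lib/modules`, and both paths are hard-coded while the rest of this commit routes the same decision through `quirks.KernelModulesPath()`. If the probe must stay because the method has no quirks parameter, the comment should describe what the code does rather than the default, e.g. `// Prefer the usr-merged /usr/lib/modules; fall back to /lib/modules only when it is absent (extensions built against older layouts).`, and the non-ENOENT error case should be decided explicitly rather than falling through. The `GenerateKernelModuleDependencyTreeExtension` doc comment in the following hunk does not yet mention the new `q` parameter.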
@@ -90,14 +95,16 @@ func GenerateKernelModuleDependencyTreeExtension(extensionPathsWithKernelModules return nil, fmt.Errorf("error extacting cpio: %w", err) } + kernelModulesPath := q.KernelModulesPath() + // extract /usr/lib/modules from the squashfs under a temporary root to run depmod on it tempLibModules := filepath.Join(tempDir, "modules") - if err = unsquash(tempRootfsFile, tempLibModules, constants.KernelModulesPath); err != nil { + if err = unsquash(tempRootfsFile, tempLibModules, kernelModulesPath); err != nil { return nil, fmt.Errorf("error running unsquashfs: %w", err) } - rootfsKernelModulesPath := filepath.Join(tempLibModules, constants.KernelModulesPath) + rootfsKernelModulesPath := filepath.Join(tempLibModules, kernelModulesPath) // under the /usr/lib/modules there should be the only path which is the kernel version contents, err := os.ReadDir(rootfsKernelModulesPath) @@ -132,7 +139,7 @@ func GenerateKernelModuleDependencyTreeExtension(extensionPathsWithKernelModules return nil, err } - kernelModulesDepenencyTreeDirectory := filepath.Join(kernelModulesDependencyTreeStagingDir, constants.KernelModulesPath, kernelVersionPath) + kernelModulesDepenencyTreeDirectory := filepath.Join(kernelModulesDependencyTreeStagingDir, kernelModulesPath, kernelVersionPath) if err := os.MkdirAll(kernelModulesDepenencyTreeDirectory, 0o755); err != nil { return nil, err @@ -201,7 +208,8 @@ func unsquash(squashfsPath, dest, path string) error { } func depmod(baseDir, kernelVersionPath string) error { - baseDir = strings.TrimSuffix(baseDir, constants.KernelModulesPath) + // Do not trim /usr, because it is needed for depmod + baseDir = strings.TrimSuffix(baseDir, "/lib/modules") cmd := exec.Command("depmod", "--all", "--basedir", baseDir, "--config", "/etc/modules.d/10-extra-modules.conf", kernelVersionPath) cmd.Stderr = os.Stderr diff --git a/internal/pkg/mount/switchroot/switchroot.go b/internal/pkg/mount/switchroot/switchroot.go index a96729cf92..ba432df083 100644 
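Review bot: In the depmod hunk the hard-coded `strings.TrimSuffix(baseDir, "/lib/modules")` silently leaves baseDir untouched when it does not end in that suffix, and depmod then runs with a wrong `--basedir` and fails with an unrelated-looking error; now that the suffix is no longer tied to `quirks.KernelModulesPath()` I would fail fast before the trim: `if !strings.HasSuffix(baseDir, "/lib/modules") { return fmt.Errorf("unexpected kernel modules path %q", baseDir) }`. The comment `// Do not trim /usr, because it is needed for depmod` would be clearer as `// depmod's --basedir is the prefix under which lib/modules/<version> lives, so only the /lib/modules tail is stripped; /usr stays for the usr-merged layout`. The `// extract /usr/lib/modules from the squashfs` comment in the first hunk is now stale for pre-1.10 quirks, where the path is /lib/modules. depmod's body ends outside the hunk.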
--- a/internal/pkg/mount/switchroot/switchroot.go +++ b/internal/pkg/mount/switchroot/switchroot.go @@ -20,12 +20,13 @@ import ( "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2" "github.com/siderolabs/talos/internal/pkg/selinux" "github.com/siderolabs/talos/pkg/machinery/constants" + "github.com/siderolabs/talos/pkg/machinery/imager/quirks" ) // Paths preserved in the initramfs. var preservedPaths = map[string]struct{}{ constants.ExtensionsConfigFile: {}, - constants.FirmwarePath: {}, + quirks.New("").FirmwarePath(): {}, constants.SDStubDynamicInitrdPath: {}, } diff --git a/pkg/imager/extensions/extensions.go b/pkg/imager/extensions/extensions.go index 0e42fc4441..08f567c7d7 100644 --- a/pkg/imager/extensions/extensions.go +++ b/pkg/imager/extensions/extensions.go @@ -66,7 +66,7 @@ func (builder *Builder) Build() error { defer os.RemoveAll(scratchPath) //nolint:errcheck - kernelModuleDepExtension, genErr := extensions.GenerateKernelModuleDependencyTreeExtension(extensionPathsWithKernelModules, builder.InitramfsPath, scratchPath, builder.Printf) + kernelModuleDepExtension, genErr := extensions.GenerateKernelModuleDependencyTreeExtension(extensionPathsWithKernelModules, builder.InitramfsPath, scratchPath, builder.Quirks, builder.Printf) if genErr != nil { return genErr } diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go index 22fb02061a..ab89783712 100644 --- a/pkg/machinery/constants/constants.go +++ b/pkg/machinery/constants/constants.go @@ -16,9 +16,6 @@ const ( // DefaultKernelVersion is the default Linux kernel version. DefaultKernelVersion = "6.12.11-talos" - // KernelModulesPath is the default path to the kernel modules without the kernel version. - KernelModulesPath = "/usr/lib/modules" - // KernelParamConfig is the kernel parameter name for specifying the URL. // to the config. KernelParamConfig = "talos.config" 
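Review bot: `quirks.New("").FirmwarePath()` in preservedPaths relies on the unstated convention that an empty or unparsable version means "latest", so a reader cannot tell whether the empty string is a placeholder or deliberate; I would add `// the initramfs is built together with this binary, so an empty version (== current layout) is intended here` above the entry. Because this is a package-level map evaluated at init, a change in how New("") resolves would silently make switchroot preserve the wrong directory, so a small test pinning the resolved path would guard it. The map is fully inside the hunk; the code that consumes it is not visible here.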
@@ -1073,9 +1070,6 @@ const ( // PlatformNetworkConfigFilename is the filename to cache platform network configuration reboots. PlatformNetworkConfigFilename = "platform-network.yaml" - // FirmwarePath is the path to the standard Linux firmware location. - FirmwarePath = "/usr/lib/firmware" - // ExtensionServiceConfigPath is the directory path which contains configuration files of extension services. // // See pkg/machinery/extensions/services for the file format. diff --git a/pkg/machinery/imager/quirks/quirks.go b/pkg/machinery/imager/quirks/quirks.go index fb70cf7dd3..c5cd268125 100644 --- a/pkg/machinery/imager/quirks/quirks.go +++ b/pkg/machinery/imager/quirks/quirks.go @@ -174,3 +174,26 @@ func (q Quirks) UseSDBootForUEFI() bool { return q.v.GTE(minTalosVersionUseSDBootOnly) } + +// minTalosVersionUsrMerge is the version that has /lib and /bin symlinked into /usr. +var minTalosVersionUsrMerge = semver.MustParse("1.10.0") + +// KernelModulesPath returns kernel module storage path for the given Talos version. +func (q Quirks) KernelModulesPath() string { + // if the version doesn't parse, we assume it's latest Talos + if q.v == nil || q.v.GTE(minTalosVersionUsrMerge) { + return "/usr/lib/modules" + } + + return "/lib/modules" +} + +// FirmwarePath returns firmware storage path for the given Talos version. +func (q Quirks) FirmwarePath() string { + // if the version doesn't parse, we assume it's latest Talos + if q.v == nil || q.v.GTE(minTalosVersionUsrMerge) { + return "/usr/lib/firmware" + } + + return "/lib/firmware" +} From c46f6a0e4ce3caf2c508bb612b558eb13d177302 Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Thu, 6 Feb 2025 21:22:15 +0100 Subject: [PATCH 10/14] fixup! quirk for moved modules --- internal/pkg/extensions/compress.go | 1 + internal/pkg/extensions/kernel_modules.go | 1 + 2 files changed, 2 insertions(+) diff --git a/internal/pkg/extensions/compress.go b/internal/pkg/extensions/compress.go index b604cd73f8..f8ead91046 100644 
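Review bot: In the quirks.go hunk `q.v.GTE(minTalosVersionUsrMerge)` with `1.10.0` as the threshold resolves pre-release builds such as 1.10.0-alpha.1 to the old `/lib/...` paths, because semver orders a pre-release below its release, unless New() strips the pre-release tag (not visible here); if it does not, every 1.10 alpha/beta image is built against the wrong module and firmware directories, which a unit test pinning `New("v1.10.0-alpha.0").KernelModulesPath()` would catch. The nil/GTE check is duplicated verbatim in both new methods; a single `func (q Quirks) usrMerged() bool { return q.v == nil || q.v.GTE(minTalosVersionUsrMerge) }` that both call keeps the two paths from drifting. The `// if the version doesn't parse, we assume it's latest Talos` comment then belongs on that helper rather than being repeated.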
--- a/internal/pkg/extensions/compress.go +++ b/internal/pkg/extensions/compress.go @@ -26,6 +26,7 @@ func earlyCPUUcode(quirks quirks.Quirks) []struct { glob, dst string } { fwPath := quirks.FirmwarePath() + return []struct { glob, dst string }{ diff --git a/internal/pkg/extensions/kernel_modules.go b/internal/pkg/extensions/kernel_modules.go index 86f11fc0ee..5874836871 100644 --- a/internal/pkg/extensions/kernel_modules.go +++ b/internal/pkg/extensions/kernel_modules.go @@ -40,6 +40,7 @@ func (ext *Extension) KernelModuleDirectory() string { if _, err := os.Stat(filepath.Join(ext.RootfsPath(), "/usr/lib/modules")); os.IsNotExist(err) { return filepath.Join(ext.RootfsPath(), "/lib/modules") } + return filepath.Join(ext.RootfsPath(), "/usr/lib/modules") } From b3f475664c9ddaeaaedd314b4ee5f5752562ea8d Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Thu, 6 Feb 2025 21:25:27 +0100 Subject: [PATCH 11/14] fixup! quirk for moved modules --- internal/pkg/extensions/kernel_modules.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/internal/pkg/extensions/kernel_modules.go b/internal/pkg/extensions/kernel_modules.go index 5874836871..a16a7015c0 100644 --- a/internal/pkg/extensions/kernel_modules.go +++ b/internal/pkg/extensions/kernel_modules.go 
@@ -64,7 +64,12 @@ func autoDecompress(r io.Reader) (io.Reader, error) { // GenerateKernelModuleDependencyTreeExtension generates a kernel module dependency tree extension. // //nolint:gocyclo -func GenerateKernelModuleDependencyTreeExtension(extensionPathsWithKernelModules []string, initramfsPath, scratchPath string, q quirks.Quirks, printFunc func(format string, v ...any)) (*Extension, error) { +func GenerateKernelModuleDependencyTreeExtension( + extensionPathsWithKernelModules []string, + initramfsPath, scratchPath string, + q quirks.Quirks, + printFunc func(format string, v ...any), +) (*Extension, error) { printFunc("preparing to run depmod to generate kernel modules dependency tree") tempDir, err := os.MkdirTemp("", "ext-modules") From 92de2810683c359c5155aa3923017808a08d8e8a Mon Sep 17 00:00:00 2001 From: Dmitry Sharshakov Date: Fri, 7 Feb 2025 11:27:08 +0100 Subject: [PATCH 12/14] fix lvm --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index c561be0a6d..c385f9689e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -709,7 +709,7 @@ COPY --link --from=pkg-util-linux-amd64 /usr/lib/libblkid.* /rootfs/usr/lib/ COPY --link --from=pkg-util-linux-amd64 /usr/lib/libuuid.* /rootfs/usr/lib/ COPY --link --from=pkg-util-linux-amd64 /usr/lib/libmount.* /rootfs/usr/lib/ COPY --link --from=pkg-kmod-amd64 /usr/lib/libkmod.* /rootfs/usr/lib/ -COPY --link --from=pkg-kmod-amd64 /usr/bin/kmod /rootfs/usr/sbin/modprobe +COPY --link --from=pkg-kmod-amd64 /usr/bin/kmod /rootfs/usr/bin/modprobe COPY --link --from=modules-amd64 /usr/lib/modules /rootfs/usr/lib/modules COPY --link --from=machined-build-amd64 /machined /rootfs/usr/sbin/init From bb041fd3c35ad67524e280c04b80174affb11f68 Mon Sep 17 00:00:00 2001 
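Review bot: The Dockerfile hunk moves the kmod multi-call binary to `/rootfs/usr/bin/modprobe` without a comment saying why, and the diffstat (1 insertion, 1 deletion) shows only the amd64 rootfs stage changed; if the arm64 stage carries a mirror `COPY ... /rootfs/usr/sbin/modprobe` line it is now inconsistent with amd64 (the following commit's Dockerfile changes may cover it, but that is not visible here). I would add `# kmod is a multi-call binary; installed under the modprobe name only, in /usr/bin so callers that search PATH without /usr/sbin find it`, hedged because the commit title "fix lvm" names the symptom but not the failure mode.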
From: Dmitry Sharshakov Date: Fri, 7 Feb 2025 11:40:08 +0100 Subject: [PATCH 13/14] merge /usr/bin and /usr/sbin Talos, as well as Fedora, Arch and others who have done this, do not actually separate /sbin binaries as being used for recovery environment, being static or other criteria. make the merge for making the filesystem structure easier to follow and binaries less likely to be not found --- Dockerfile | 48 +++++++++++++------ hack/cleanup.sh | 2 +- internal/pkg/selinux/policy/file_contexts | 13 +++-- .../policy/selinux/services/machined.cil | 9 ++-- .../selinux/policy/selinux/services/udev.cil | 4 +- pkg/machinery/constants/constants.go | 2 +- pkg/machinery/extensions/extensions.go | 4 +- 7 files changed, 49 insertions(+), 33 deletions(-) diff --git a/Dockerfile b/Dockerfile index c385f9689e..7d7d1219e9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -711,20 +711,29 @@ COPY --link --from=pkg-util-linux-amd64 /usr/lib/libmount.* /rootfs/usr/lib/ COPY --link --from=pkg-kmod-amd64 /usr/lib/libkmod.* /rootfs/usr/lib/ COPY --link --from=pkg-kmod-amd64 /usr/bin/kmod /rootfs/usr/bin/modprobe COPY --link --from=modules-amd64 /usr/lib/modules /rootfs/usr/lib/modules -COPY --link --from=machined-build-amd64 /machined /rootfs/usr/sbin/init +COPY --link --from=machined-build-amd64 /machined /rootfs/usr/bin/init +RUN < Date: Fri, 7 Feb 2025 12:33:10 +0100 Subject: [PATCH 14/14] fixup! quirk for moved modules --- internal/pkg/extensions/kernel_modules.go | 17 ++++++----------- pkg/imager/extensions/contents.go | 7 ++++--- pkg/imager/extensions/extensions.go | 2 +- 3 files changed, 11 insertions(+), 15 deletions(-) diff --git a/internal/pkg/extensions/kernel_modules.go b/internal/pkg/extensions/kernel_modules.go index a16a7015c0..45213c20d0 100644 --- a/internal/pkg/extensions/kernel_modules.go +++ b/internal/pkg/extensions/kernel_modules.go 
@@ -26,8 +26,8 @@ import ( ) // ProvidesKernelModules returns true if the extension provides kernel modules. -func (ext *Extension) ProvidesKernelModules() bool { - if _, err := os.Stat(ext.KernelModuleDirectory()); os.IsNotExist(err) { +func (ext *Extension) ProvidesKernelModules(quirks quirks.Quirks) bool { + if _, err := os.Stat(ext.KernelModuleDirectory(quirks)); os.IsNotExist(err) { return false } @@ -35,13 +35,8 @@ func (ext *Extension) ProvidesKernelModules() bool { } // KernelModuleDirectory returns the path to the kernel modules directory. -func (ext *Extension) KernelModuleDirectory() string { - // default to /lib/modules (for older versions) - if _, err := os.Stat(filepath.Join(ext.RootfsPath(), "/usr/lib/modules")); os.IsNotExist(err) { - return filepath.Join(ext.RootfsPath(), "/lib/modules") - } - - return filepath.Join(ext.RootfsPath(), "/usr/lib/modules") +func (ext *Extension) KernelModuleDirectory(quirks quirks.Quirks) string { + return filepath.Join(ext.RootfsPath(), quirks.KernelModulesPath()) } func autoDecompress(r io.Reader) (io.Reader, error) { @@ -67,7 +62,7 @@ func autoDecompress(r io.Reader) (io.Reader, error) { func GenerateKernelModuleDependencyTreeExtension( extensionPathsWithKernelModules []string, initramfsPath, scratchPath string, - q quirks.Quirks, + quirks quirks.Quirks, printFunc func(format string, v ...any), ) (*Extension, error) { printFunc("preparing to run depmod to generate kernel modules dependency tree") @@ -101,7 +96,7 @@ func GenerateKernelModuleDependencyTreeExtension( return nil, fmt.Errorf("error extacting cpio: %w", err) } - kernelModulesPath := q.KernelModulesPath() + kernelModulesPath := quirks.KernelModulesPath() // extract /usr/lib/modules from the squashfs under a temporary root to run depmod on it tempLibModules := filepath.Join(tempDir, "modules") diff --git a/pkg/imager/extensions/contents.go b/pkg/imager/extensions/contents.go index 479ac8840c..540143324b 100644 --- a/pkg/imager/extensions/contents.go 
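Review bot: In the KernelModuleDirectory hunk the os.Stat fallback to `/lib/modules` is dropped in favour of `quirks.KernelModulesPath()`, so an extension image laid out for the other layout now makes ProvidesKernelModules return false and its modules are silently left out of the depmod tree rather than rejected; unless the extension-version check elsewhere guarantees the layouts agree, I would detect the mismatch and surface an error in the caller instead of falling through. A sentence on the doc comment stating the contract would help: `// The directory is derived from the target Talos version (quirks); the extension rootfs must use the same layout.` ProvidesKernelModules's closing `return true` lies outside the first hunk.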
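Review bot: Renaming the parameter from `q` to `quirks` in GenerateKernelModuleDependencyTreeExtension (and the same spelling in ProvidesKernelModules and KernelModuleDirectory) shadows the imported `quirks` package inside those bodies, so a later `quirks.New(...)` call there would fail to compile with a confusing "undefined" error; the previous `q quirks.Quirks` avoided that and is the usual Go convention (gocritic's importShadow flags this). I would keep `q quirks.Quirks` across the three signatures and `kernelModulesPath := q.KernelModulesPath()`. The function body continues outside the hunk.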
+++ b/pkg/imager/extensions/contents.go @@ -13,14 +13,15 @@ import ( "strings" "github.com/siderolabs/talos/internal/pkg/extensions" + "github.com/siderolabs/talos/pkg/machinery/imager/quirks" ) -func findExtensionsWithKernelModules(extensions []*extensions.Extension) []string { +func findExtensionsWithKernelModules(extensions []*extensions.Extension, quirks quirks.Quirks) []string { var modulesPath []string for _, ext := range extensions { - if ext.ProvidesKernelModules() { - modulesPath = append(modulesPath, ext.KernelModuleDirectory()) + if ext.ProvidesKernelModules(quirks) { + modulesPath = append(modulesPath, ext.KernelModuleDirectory(quirks)) } } diff --git a/pkg/imager/extensions/extensions.go b/pkg/imager/extensions/extensions.go index 08f567c7d7..456b6ab61e 100644 --- a/pkg/imager/extensions/extensions.go +++ b/pkg/imager/extensions/extensions.go @@ -53,7 +53,7 @@ func (builder *Builder) Build() error { return err } - extensionPathsWithKernelModules := findExtensionsWithKernelModules(extensionsList) + extensionPathsWithKernelModules := findExtensionsWithKernelModules(extensionsList, builder.Quirks) if len(extensionPathsWithKernelModules) > 0 { var scratchPath string
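Review bot: `findExtensionsWithKernelModules(extensions []*extensions.Extension, quirks quirks.Quirks)` now shadows two imported package names in one signature, so neither `extensions.` nor `quirks.` is reachable as a package inside the loop; it compiles only because the body calls methods on the values. I would write `func findExtensionsWithKernelModules(exts []*extensions.Extension, q quirks.Quirks) []string` and use `exts`/`q` in the loop. The function's `return modulesPath` is outside this hunk.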