41 files changed, 1047 insertions, 520 deletions

diff --git a/.gitreview b/.gitreview
new file mode 100644
index 0000000..39fc438
--- /dev/null
+++ b/.gitreview
@@ -0,0 +1,5 @@
+[gerrit]
+host=gerrit.enea.se
+port=29418
+project=linux/meta-el-nfv-access.git
+track=1
diff --git a/README b/README
index 2c463ba..9dc40dd 100644
--- a/README
+++ b/README
@@ -10,13 +10,10 @@ Dependencies
 This layer depends on:
 
   URI: git://git.yoctoproject.org/poky
-  branch: rocko
 
   URI: git://git.enea.com/linux/meta-nfv-access-common
-  branch: develop
 
   URI: git://git.enea.com/linux/meta-enea-virtualization
-  branch: develop
 
 
 
diff --git a/classes/override_grub-efi.inc b/classes/override_grub-efi.inc
deleted file mode 100644
index 15a7063..0000000
--- a/classes/override_grub-efi.inc
+++ /dev/null
@@ -1,89 +0,0 @@
-GRUB_GRAPHICS ?= "console=tty0"
-
-python build_efi_cfg() {
-    import sys
-
-    workdir = d.getVar('WORKDIR')
-    if not workdir:
-        bb.error("WORKDIR not defined, unable to package")
-        return
-
-    gfxserial = d.getVar('GRUB_GFXSERIAL') or ""
-
-    labels = d.getVar('LABELS')
-    if not labels:
-        bb.debug(1, "LABELS not defined, nothing to do")
-        return
-
-    if labels == []:
-        bb.debug(1, "No labels, nothing to do")
-        return
-
-    cfile = d.getVar('GRUB_CFG')
-    if not cfile:
-        bb.fatal('Unable to read GRUB_CFG')
-
-    try:
-         cfgfile = open(cfile, 'w')
-    except OSError:
-        bb.fatal('Unable to open %s' % cfile)
-
-    cfgfile.write('# Automatically created by OE\n')
-
-    opts = d.getVar('GRUB_OPTS')
-    if opts:
-        for opt in opts.split(';'):
-            cfgfile.write('%s\n' % opt)
-
-    cfgfile.write('default=%s\n' % (labels.split()[0]))
-
-    timeout = d.getVar('GRUB_TIMEOUT')
-    if timeout:
-        cfgfile.write('timeout=%s\n' % timeout)
-    else:
-        cfgfile.write('timeout=50\n')
-
-    root = d.getVar('GRUB_ROOT')
-    if not root:
-        bb.fatal('GRUB_ROOT not defined')
-
-    if gfxserial == "1":
-        btypes = [ [ " serial console", d.getVar('GRUB_SERIAL') or "" ],
-            [ " graphics console", d.getVar('GRUB_GRAPHICS') or "" ] ]
-    else:
-        btypes = [ [ "", "" ] ]
-
-    for label in labels.split():
-        localdata = d.createCopy()
-
-        overrides = localdata.getVar('OVERRIDES')
-        if not overrides:
-            bb.fatal('OVERRIDES not defined')
-
-        for btype in btypes:
-            localdata.setVar('OVERRIDES', label + ':' + overrides)
-
-            cfgfile.write('\nmenuentry \'%s%s\'{\n' % (label, btype[0]))
-            lb = label
-            if label == "install":
-                lb = "install-efi"
-            cfgfile.write('linux /vmlinuz LABEL=%s' % (lb))
-
-            cfgfile.write(' %s' % replace_rootfs_uuid(d, root))
-
-            append = localdata.getVar('APPEND')
-            initrd = localdata.getVar('INITRD')
-
-            if append:
-                append = replace_rootfs_uuid(d, append)
-                cfgfile.write(' %s' % (append))
-
-            cfgfile.write(' %s' % btype[1])
-            cfgfile.write('\n')
-
-            if initrd:
-                cfgfile.write('initrd /initrd')
-            cfgfile.write('\n}\n')
-
-    cfgfile.close()
-}
diff --git a/classes/override_grub-efi_secureboot.inc b/classes/override_grub-efi_secureboot.inc
deleted file mode 100644
index b944ec8..0000000
--- a/classes/override_grub-efi_secureboot.inc
+++ /dev/null
@@ -1,31 +0,0 @@
-efi_populate() {
-        # DEST must be the root of the image so that EFIDIR is not
-        # nested under a top level directory.
-        DEST=$1
-
-        install -d ${DEST}${EFIDIR}
-
-        GRUB_IMAGE="grub-efi-bootia32.efi"
-        DEST_IMAGE="bootia32.efi"
-        if [ "${TARGET_ARCH}" = "x86_64" ]; then
-                GRUB_IMAGE="grub-efi-bootx64.efi"
-                DEST_IMAGE="bootx64.efi"
-        fi
-
-        #Install EFI binaries
-        install -m 0644 ${IMAGE_ROOTFS}/boot/efi${EFIDIR}/*.* ${DEST}${EFIDIR}
-
-        #Install kernel and initramfs sig
-        install -m 0644 ${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}.p7b ${DEST}/vmlinuz.p7b
-        install -m 0644 ${INITRD_LIVE}.p7b ${DEST}/initrd.p7b
-
-        EFIPATH=$(echo "${EFIDIR}" | sed 's/\//\\/g')
-        printf 'fs0:%s\%s\n' "$EFIPATH" "$DEST_IMAGE" >${DEST}/startup.nsh
-
-        install -m 0644 ${GRUB_CFG} ${DEST}${EFIDIR}/grub.cfg
-
-        #Install UEFI keys
-        install -d ${DEST}/uefi_sb_keys
-        install -m 0644 ${DEPLOY_DIR_IMAGE}/user-keys/uefi_sb_keys/*.crt ${DEST}/uefi_sb_keys/
-        install -m 0644 ${DEPLOY_DIR_IMAGE}/user-keys/uefi_sb_keys/*.esl ${DEST}/uefi_sb_keys/
-}
diff --git a/classes/override_image_types_ostree.inc b/classes/override_image_types_ostree.inc
deleted file mode 100644
index 241afcd..0000000
--- a/classes/override_image_types_ostree.inc
+++ /dev/null
@@ -1,155 +0,0 @@
-# overrides meta-updater/classes/image_types_ostree.bbclass
-# - add do_image_ostree flags:
-#   - dirs, cleandirs: to avoid mktemp, rm, cd, and to also remove at clean
-#   - subimages, imgsuffix: to use automatic link creation
-# - override of IMAGE_CMD_ostree
-#   - use the added flags
-#   - IMGDEPLOYDIR, instead of DEPLOY_DIR_IMAGE
-
-OSTREE_ROOTFS="${WORKDIR}/ostree-root"
-do_image_ostree[dirs] = "${OSTREE_ROOTFS}"
-do_image_ostree[cleandirs] = "${OSTREE_ROOTFS}"
-do_image_ostree[subimages] = "rootfs.ostree.tar.bz2"
-do_image_ostree[imgsuffix] = "."
-export OSTREE_ROOTFS
-
-IMAGE_CMD_ostree () {
-    if [ -z "$OSTREE_REPO" ]; then
-        bbfatal "OSTREE_REPO should be set in your local.conf"
-    fi
-
-    if [ -z "$OSTREE_BRANCHNAME" ]; then
-        bbfatal "OSTREE_BRANCHNAME should be set in your local.conf"
-    fi
-
-    cp -a ${IMAGE_ROOTFS}/* ${OSTREE_ROOTFS}
-    chmod a+rx ${OSTREE_ROOTFS}
-    sync
-
-    for d in var/*; do
-      if [ "${d}" != "var/local" ]; then
-        rm -rf ${d}
-      fi
-    done
-
-    # Create sysroot directory to which physical sysroot will be mounted
-    mkdir sysroot
-    ln -sf sysroot/ostree ostree
-
-    rm -rf tmp/*
-    ln -sf sysroot/tmp tmp
-
-    mkdir -p usr/rootdirs
-
-    mv etc usr/
-    # Implement UsrMove
-    dirs="bin sbin lib"
-
-    for dir in ${dirs} ; do
-        if [ -d ${dir} ] && [ ! -L ${dir} ] ; then
-            mv ${dir} usr/rootdirs/
-            rm -rf ${dir}
-            ln -sf usr/rootdirs/${dir} ${dir}
-        fi
-    done
-
-    if [ -n "$SYSTEMD_USED" ]; then
-        mkdir -p usr/etc/tmpfiles.d
-        tmpfiles_conf=usr/etc/tmpfiles.d/00ostree-tmpfiles.conf
-        echo "d /var/rootdirs 0755 root root -" >>${tmpfiles_conf}
-        echo "L /var/rootdirs/home - - - - /sysroot/home" >>${tmpfiles_conf}
-    else
-        mkdir -p usr/etc/init.d
-        tmpfiles_conf=usr/etc/init.d/tmpfiles.sh
-        echo '#!/bin/sh' > ${tmpfiles_conf}
-        echo "mkdir -p /var/rootdirs; chmod 755 /var/rootdirs" >> ${tmpfiles_conf}
-        echo "ln -sf /sysroot/home /var/rootdirs/home" >> ${tmpfiles_conf}
-
-        ln -s ../init.d/tmpfiles.sh usr/etc/rcS.d/S20tmpfiles.sh
-    fi
-
-    # Preserve OSTREE_BRANCHNAME for future information
-    mkdir -p usr/share/sota/
-    echo -n "${OSTREE_BRANCHNAME}" > usr/share/sota/branchname
-
-    # Preserve data in /home to be later copied to /sysroot/home by sysroot
-    # generating procedure
-    mkdir -p usr/homedirs
-    if [ -d "home" ] && [ ! -L "home" ]; then
-        mv home usr/homedirs/home
-        ln -sf var/rootdirs/home home
-    fi
-
-    # Move persistent directories to /var
-    dirs="opt mnt media srv"
-
-    for dir in ${dirs}; do
-        if [ -d ${dir} ] && [ ! -L ${dir} ]; then
-            if [ "$(ls -A $dir)" ]; then
-                bbwarn "Data in /$dir directory is not preserved by OSTree. Consider moving it under /usr"
-            fi
-
-            if [ -n "$SYSTEMD_USED" ]; then
-                echo "d /var/rootdirs/${dir} 0755 root root -" >>${tmpfiles_conf}
-            else
-                echo "mkdir -p /var/rootdirs/${dir}; chown 755 /var/rootdirs/${dir}" >>${tmpfiles_conf}
-            fi
-            rm -rf ${dir}
-            ln -sf var/rootdirs/${dir} ${dir}
-        fi
-    done
-
-    if [ -d root ] && [ ! -L root ]; then
-        if [ "$(ls -A root)" ]; then
-            bberror "Data in /root directory is not preserved by OSTree."
-            exit 1
-        fi
-
-        if [ -n "$SYSTEMD_USED" ]; then
-            echo "d /var/roothome 0755 root root -" >>${tmpfiles_conf}
-        else
-            echo "mkdir -p /var/roothome; chown 755 /var/roothome" >>${tmpfiles_conf}
-        fi
-
-        rm -rf root
-        ln -sf var/roothome root
-    fi
-
-    if [ -n "${SOTA_SECONDARY_ECUS}" ]; then
-        mkdir -p var/sota/ecus
-        cp ${SOTA_SECONDARY_ECUS} var/sota/ecus
-    fi
-
-    # Creating boot directories is required for "ostree admin deploy"
-
-    mkdir -p boot/loader.0
-    mkdir -p boot/loader.1
-    ln -sf boot/loader.0 boot/loader
-
-    checksum=`sha256sum ${DEPLOY_DIR_IMAGE}/${OSTREE_KERNEL} | cut -f 1 -d " "`
-
-    # Copy kernel and initramfs and their signature files
-    cp ${DEPLOY_DIR_IMAGE}/${OSTREE_KERNEL} boot/vmlinuz-${checksum}
-    cp ${DEPLOY_DIR_IMAGE}/${OSTREE_KERNEL}.p7b boot/vmlinuz-${checksum}.p7b
-    cp ${DEPLOY_DIR_IMAGE}/${OSTREE_INITRAMFS_IMAGE}-${MACHINE}${RAMDISK_EXT} boot/initramfs-${checksum}
-    cp ${DEPLOY_DIR_IMAGE}/${OSTREE_INITRAMFS_IMAGE}-${MACHINE}${RAMDISK_EXT}.p7b boot/initramfs-${checksum}.p7b
-
-    # Copy image manifest
-    cat ${IMAGE_MANIFEST} | cut -d " " -f1,3 > usr/package.manifest
-
-    # Create a tarball that can be then commited to OSTree repo
-    OSTREE_TAR=${IMGDEPLOYDIR}/${IMAGE_NAME}.rootfs.ostree.tar.bz2
-    tar -C ${OSTREE_ROOTFS} --xattrs --xattrs-include='*' -cjf ${OSTREE_TAR} .
-    sync
-
-    if ! ostree --repo=${OSTREE_REPO} refs 2>&1 > /dev/null; then
-        ostree --repo=${OSTREE_REPO} init --mode=archive-z2
-    fi
-
-    # Commit the result
-    ostree --repo=${OSTREE_REPO} commit \
-           --tree=dir=${OSTREE_ROOTFS} \
-           --skip-if-unchanged \
-           --branch=${OSTREE_BRANCHNAME} \
-           --subject="Commit-id: ${IMAGE_NAME}"
-}
diff --git a/classes/override_image_types_ota.inc b/classes/override_image_types_ota.inc
deleted file mode 100644
index 17508b2..0000000
--- a/classes/override_image_types_ota.inc
+++ /dev/null
@@ -1,98 +0,0 @@
-# overrides meta-updater/classes/image_types_ota.bbclass
-# - add do_image_otaimg flags:
-#   - dirs, cleandirs: to avoid mktemp, rm, cd, and to also remove at clean
-# - override of IMAGE_CMD_otaimg
-#   - use the added flags
-#   - avoid untar-ing the ostree image, and use OSTREE_ROOTFS
-#   - IMGDEPLOYDIR, instead of DEPLOY_DIR_IMAGE
-
-OSTREE_REPO = "${WORKDIR}/ostree-repo"
-PHYS_SYSROOT = "${WORKDIR}/ota-sysroot"
-
-do_image_otaimg[dirs] = "${PHYS_SYSROOT}"
-do_image_otaimg[cleandirs] = "${PHYS_SYSROOT}"
-
-IMAGE_CMD_otaimg () {
-        if ${@bb.utils.contains('IMAGE_FSTYPES', 'otaimg', 'true', 'false', d)}; then
-                if [ -z "$OSTREE_REPO" ]; then
-                        bbfatal "OSTREE_REPO should be set in your local.conf"
-                fi
-
-                if [ -z "$OSTREE_OSNAME" ]; then
-                        bbfatal "OSTREE_OSNAME should be set in your local.conf"
-                fi
-
-                if [ -z "$OSTREE_BRANCHNAME" ]; then
-                        bbfatal "OSTREE_BRANCHNAME should be set in your local.conf"
-                fi
-
-                ostree admin --sysroot=${PHYS_SYSROOT} init-fs ${PHYS_SYSROOT}
-                ostree admin --sysroot=${PHYS_SYSROOT} os-init ${OSTREE_OSNAME}
-
-                mkdir -p ${PHYS_SYSROOT}/boot/loader.0
-                ln -s loader.0 ${PHYS_SYSROOT}/boot/loader
-
-                if [ "${OSTREE_BOOTLOADER}" = "grub" ]; then
-                        mkdir -p ${PHYS_SYSROOT}/boot/grub2
-                        ln -s ../loader/grub.cfg ${PHYS_SYSROOT}/boot/grub2/grub.cfg
-                elif [ "${OSTREE_BOOTLOADER}" = "u-boot" ]; then
-                        touch ${PHYS_SYSROOT}/boot/loader/uEnv.txt
-                else
-                        bberror "Invalid bootloader: ${OSTREE_BOOTLOADER}"
-                fi;
-
-                ostree_target_hash=$(cat ${OSTREE_REPO}/refs/heads/${OSTREE_BRANCHNAME})
-
-                ostree --repo=${PHYS_SYSROOT}/ostree/repo pull-local --remote=${OSTREE_OSNAME} ${OSTREE_REPO} ${ostree_target_hash}
-                export OSTREE_BOOT_PARTITION="/boot"
-                kargs_list=""
-                for arg in ${OSTREE_KERNEL_ARGS}; do
-                        kargs_list="${kargs_list} --karg-append=$arg"
-                done
-
-                ostree admin --sysroot=${PHYS_SYSROOT} deploy ${kargs_list} --os=${OSTREE_OSNAME} ${ostree_target_hash}
-
-                cp -a ${IMAGE_ROOTFS}/var/sota ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/ || true
-                # Create /var/sota if it doesn't exist yet
-                mkdir -p ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota
-                # Ensure the permissions are correctly set
-                chmod 700 ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota
-
-                cp -a ${OSTREE_ROOTFS}/var/local ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/ || true
-                cp -a ${OSTREE_ROOTFS}/usr/homedirs/home ${PHYS_SYSROOT}/ || true
-                # Ensure that /var/local exists (AGL symlinks /usr/local to /var/local)
-                install -d ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/local
-                # Set package version for the first deployment
-                target_version=${ostree_target_hash}
-                if [ -n "${GARAGE_TARGET_VERSION}" ]; then
-                        target_version=${GARAGE_TARGET_VERSION}
-                elif [ -e "${STAGING_DATADIR_NATIVE}/target_version" ]; then
-                        target_version=$(cat "${STAGING_DATADIR_NATIVE}/target_version")
-                fi
-                mkdir -p ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota/import
-                echo "{\"${ostree_target_hash}\":\"${GARAGE_TARGET_NAME}-${target_version}\"}" > ${PHYS_SYSROOT}/ostree/deploy/${OSTREE_OSNAME}/var/sota/import/installed_versions
-
-                # Calculate image type
-                OTA_ROOTFS_SIZE=$(calculate_size `du -ks ${PHYS_SYSROOT} | cut -f 1`  "${IMAGE_OVERHEAD_FACTOR}" "${IMAGE_ROOTFS_SIZE}" "${IMAGE_ROOTFS_MAXSIZE}" `expr ${IMAGE_ROOTFS_EXTRA_SPACE}` "${IMAGE_ROOTFS_ALIGNMENT}")
-
-                if [ $OTA_ROOTFS_SIZE -lt 0 ]; then
-                        exit -1
-                fi
-                eval local COUNT=\"0\"
-                eval local MIN_COUNT=\"60\"
-                if [ $OTA_ROOTFS_SIZE -lt $MIN_COUNT ]; then
-                        eval COUNT=\"$MIN_COUNT\"
-                fi
-
-                # create image
-                dd if=/dev/zero of=${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.otaimg seek=${OTA_ROOTFS_SIZE} count=${COUNT} bs=1024
-                mkfs.ext4 -O ^64bit ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.otaimg -L otaroot -d ${PHYS_SYSROOT}
-                rm -f ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.otaimg
-                ln -s ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.otaimg ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.otaimg
-                # for forward compatibility
-                rm -f ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.ota-ext4
-                ln -s ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.otaimg ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.ota-ext4
-        fi
-}
-
-IMAGE_TYPEDEP_otaimg = "ostree"
diff --git a/classes/override_live-vm-common.inc b/classes/override_live-vm-common.inc
new file mode 100644
index 0000000..3ac92b9
--- /dev/null
+++ b/classes/override_live-vm-common.inc
@@ -0,0 +1,29 @@
+# efi_populate_common DEST BOOTLOADER
+efi_populate_common() {
+        # DEST must be the root of the image so that EFIDIR is not
+        # nested under a top level directory.
+        DEST=$1
+
+        install -d ${DEST}${EFIDIR}
+
+        ## ENEA_start ##
+        # install -m 0644 ${DEPLOY_DIR_IMAGE}/$2-${EFI_BOOT_IMAGE} ${DEST}${EFIDIR}/${EFI_BOOT_IMAGE}
+        ## ENEA_end ##
+
+        EFIPATH=$(echo "${EFIDIR}" | sed 's/\//\\/g')
+        printf 'fs0:%s\%s\n' "$EFIPATH" "${EFI_BOOT_IMAGE}" >${DEST}/startup.nsh
+
+        ## ENEA_start ##
+        # Install EFI binaries
+        install -m 0644 ${DEPLOY_DIR_IMAGE}/${SBFOLDER}/*.efi ${DEST}${EFIDIR}
+
+        # Install kernel and initramfs sig
+        install -m 0644 ${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}${SB_FILE_EXT} ${DEST}/${KERNEL_IMAGETYPE}${SB_FILE_EXT}
+        install -m 0644 ${INITRD_LIVE}${SB_FILE_EXT} ${DEST}/initrd${SB_FILE_EXT}
+
+        # Install UEFI keys
+        install -d ${DEST}/uefi_sb_keys
+        install -m 0644 ${DEPLOY_DIR_IMAGE}/user-keys/uefi_sb_keys/*.crt ${DEST}/uefi_sb_keys/
+        install -m 0644 ${DEPLOY_DIR_IMAGE}/user-keys/uefi_sb_keys/*.esl ${DEST}/uefi_sb_keys/
+        ## ENEA_end ##
+}
diff --git a/classes/sota_atom-c3000.bbclass b/classes/sota_atom-c3000.bbclass
index dff4294..a6bc65f 100644
--- a/classes/sota_atom-c3000.bbclass
+++ b/classes/sota_atom-c3000.bbclass
@@ -4,10 +4,10 @@ PREFERRED_PROVIDER_virtual/bootloader_sota = "grub-efi"
 
 WKS_FILE_sota = "efiimage-sota.wks"
 
-OSTREE_INITRAMFS_FSTYPES ?= "ext4.gz"
+OSTREE_INITRAMFS_FSTYPES ?= "cpio.gz"
 
 # Set .otaimg to be used as source for generating hddimg
-ROOTFS_sota = "${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.otaimg"
+ROOTFS_sota = "${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.ota-ext4"
 
 # OSTree initrd needs 'ramdisk_size' and 'rw' parameters in order to boot
 OSTREE_KERNEL_ARGS ?= "rw"
diff --git a/classes/sota_xeon-d.bbclass b/classes/sota_xeon-d.bbclass
index dff4294..a6bc65f 100644
--- a/classes/sota_xeon-d.bbclass
+++ b/classes/sota_xeon-d.bbclass
@@ -4,10 +4,10 @@ PREFERRED_PROVIDER_virtual/bootloader_sota = "grub-efi"
 
 WKS_FILE_sota = "efiimage-sota.wks"
 
-OSTREE_INITRAMFS_FSTYPES ?= "ext4.gz"
+OSTREE_INITRAMFS_FSTYPES ?= "cpio.gz"
 
 # Set .otaimg to be used as source for generating hddimg
-ROOTFS_sota = "${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.otaimg"
+ROOTFS_sota = "${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.ota-ext4"
 
 # OSTree initrd needs 'ramdisk_size' and 'rw' parameters in order to boot
 OSTREE_KERNEL_ARGS ?= "rw"
diff --git a/conf/distro/eneanfvaccess.conf b/conf/distro/eneanfvaccess.conf
index 617b5dd..40e6e1b 100644
--- a/conf/distro/eneanfvaccess.conf
+++ b/conf/distro/eneanfvaccess.conf
@@ -1,20 +1,31 @@
 require conf/distro/enea.conf
 
-DISTRO_NAME = "Enea NFV Access"
-DISTRO_VERSION_MAJOR ??= "2.2"
-DISTRO_VERSION_MINOR ??= ".3"
+DISTRO_NAME = "Enea Edge Runtime"
+DISTRO_VERSION_MAJOR ??= "2.6"
+DISTRO_VERSION_MINOR ??= ".0"
 DISTRO_VERSION = "${DISTRO_VERSION_MAJOR}${DISTRO_VERSION_MINOR}"
 
 SDK_VERSION := "${@'${DISTRO_VERSION}'.replace('snapshot-${DATE}','snapshot')}"
 
+# OSTree integration
+require ${@bb.utils.contains('SOTA_MACHINE', '${MACHINE}', 'conf/distro/sota.conf.inc', '', d)}
+
 INHERIT += "distrooverrides"
-DISTRO_FEATURES_append = " odm efi-secure-boot"
+DISTRO_FEATURES_append = " odm efi-secure-boot usrmerge"
+DISTRO_FEATURES_remove = "x11 opengl wayland vulkan pulseaudio alsa"
 DISTRO_FEATURES_OVERRIDES += "odm efi-secure-boot"
 
 PREFERRED_PROVIDER_virtual/java-initial-native = "cacao-initial-native"
 PREFERRED_PROVIDER_virtual/java-native = "jamvm-native"
 PREFERRED_PROVIDER_virtual/javac-native = "ecj-bootstrap-native"
 
+# Override ESP mount path set by meta/conf/image-uefi.conf to align with meta-secure-core paths
+EFI_PREFIX_df-efi-secure-boot = "/boot/efi"
 SBFOLDER = "bootloader"
 
 HOSTTOOLS_append = " scp"
+
+BB_HASHBASE_WHITELIST_append += "\
+    SAMPLE_UEFI_SB_KEYS_DIR \
+    SAMPLE_BOOT_KEYS_DIR \
+"
diff --git a/conf/layer.conf b/conf/layer.conf
index 7fec7c8..db496a4 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -11,3 +11,4 @@ BBFILE_COLLECTIONS += "el-nfv-access"
 BBFILE_PATTERN_el-nfv-access = "^${LAYERDIR}/"
 BBFILE_PRIORITY_el-nfv-access = "7"
 LAYERDEPENDS_el-nfv-access = "nfv-access-common enea-virtualization"
+LAYERSERIES_COMPAT_el-nfv-access = "hardknott"
diff --git a/conf/template.atom-c3000-debug/bblayers.conf.sample b/conf/template.atom-c3000-debug/bblayers.conf.sample
new file mode 100644
index 0000000..71c77cc
--- /dev/null
+++ b/conf/template.atom-c3000-debug/bblayers.conf.sample
@@ -0,0 +1,31 @@
+# POKY_BBLAYERS_CONF_VERSION is increased each time build/conf/bblayers.conf
+# changes incompatibly
+POKY_BBLAYERS_CONF_VERSION = "2"
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+
+BBLAYERS ?= " \
+  ##OEROOT##/meta \
+  ##OEROOT##/meta-poky \
+  ##OEROOT##/meta-intel \
+  ##OEROOT##/meta-dpdk \
+  ##OEROOT##/meta-nfv-access-bsp-common \
+  ##OEROOT##/meta-nfv-access-bsp-x86 \
+  ##OEROOT##/meta-virtualization \
+  ##OEROOT##/meta-enea-virtualization \
+  ##OEROOT##/meta-nfv-access-common \
+  ##OEROOT##/meta-el-nfv-access \
+  ##OEROOT##/meta-openembedded/meta-oe \
+  ##OEROOT##/meta-openembedded/meta-networking \
+  ##OEROOT##/meta-openembedded/meta-filesystems \
+  ##OEROOT##/meta-openembedded/meta-python \
+  ##OEROOT##/meta-openembedded/meta-webserver \
+  ##OEROOT##/meta-java \
+  ##OEROOT##/meta-updater \
+  ##OEROOT##/meta-openembedded/meta-perl \
+  ##OEROOT##/meta-secure-core/meta \
+  ##OEROOT##/meta-secure-core/meta-signing-key \
+  ##OEROOT##/meta-secure-core/meta-efi-secure-boot \
+  ##OEROOT##/meta-enea-user-keys \
+  "
diff --git a/conf/template.atom-c3000-debug/conf-notes.txt b/conf/template.atom-c3000-debug/conf-notes.txt
new file mode 100644
index 0000000..d4da82b
--- /dev/null
+++ b/conf/template.atom-c3000-debug/conf-notes.txt
@@ -0,0 +1,2 @@
+Common targets are:
+    enea-edge-runtime-debug
diff --git a/conf/template.atom-c3000-debug/local.conf.sample b/conf/template.atom-c3000-debug/local.conf.sample
new file mode 100644
index 0000000..1c5fbb2
--- /dev/null
+++ b/conf/template.atom-c3000-debug/local.conf.sample
@@ -0,0 +1,270 @@
+#
+# This file is your local configuration file and is where all local user settings
+# are placed. The comments in this file give some guide to the options a new user
+# to the system might want to change but pretty much any configuration option can
+# be set in this file. More adventurous users can look at local.conf.extended
+# which contains other examples of configuration which can be placed in this file
+# but new users likely won't need any of them initially.
+#
+# Lines starting with the '#' character are commented out and in some cases the
+# default values are provided as comments to show people example syntax. Enabling
+# the option is a question of removing the # character and making any change to the
+# variable as required.
+
+#
+# Machine Selection
+#
+# You need to select a specific machine to target the build with. There are a selection
+# of emulated machines available which can boot and run in the QEMU emulator:
+#
+#MACHINE ?= "qemuarm"
+#MACHINE ?= "qemuarm64"
+#MACHINE ?= "qemumips"
+#MACHINE ?= "qemumips64"
+#MACHINE ?= "qemuppc"
+#MACHINE ?= "qemux86"
+#MACHINE ?= "qemux86-64"
+#
+# There are also the following hardware board target machines included for
+# demonstration purposes:
+#
+#MACHINE ?= "beaglebone"
+#MACHINE ?= "genericx86"
+#MACHINE ?= "genericx86-64"
+#MACHINE ?= "mpc8315e-rdb"
+#MACHINE ?= "edgerouter"
+#
+# This sets the default machine to be qemux86 if no other machine is selected:
+MACHINE ?= "atom-c3000"
+
+#
+# Where to place downloads
+#
+# During a first build the system will download many different source code tarballs
+# from various upstream projects. This can take a while, particularly if your network
+# connection is slow. These are all stored in DL_DIR. When wiping and rebuilding you
+# can preserve this directory to speed up this part of subsequent builds. This directory
+# is safe to share between multiple builds on the same machine too.
+#
+# The default is a downloads directory under TOPDIR which is the build directory.
+#
+#DL_DIR ?= "${TOPDIR}/downloads"
+
+#
+# Where to place shared-state files
+#
+# BitBake has the capability to accelerate builds based on previously built output.
+# This is done using "shared state" files which can be thought of as cache objects
+# and this option determines where those files are placed.
+#
+# You can wipe out TMPDIR leaving this directory intact and the build would regenerate
+# from these files if no changes were made to the configuration. If changes were made
+# to the configuration, only shared state files where the state was still valid would
+# be used (done using checksums).
+#
+# The default is a sstate-cache directory under TOPDIR.
+#
+#SSTATE_DIR ?= "${TOPDIR}/sstate-cache"
+
+#
+# Where to place the build output
+#
+# This option specifies where the bulk of the building work should be done and
+# where BitBake should place its temporary files and output. Keep in mind that
+# this includes the extraction and compilation of many applications and the toolchain
+# which can use Gigabytes of hard disk space.
+#
+# The default is a tmp directory under TOPDIR.
+#
+#TMPDIR = "${TOPDIR}/tmp"
+
+#
+# Default policy config
+#
+# The distribution setting controls which policy settings are used as defaults.
+# The default value is fine for general Yocto project use, at least initially.
+# Ultimately when creating custom policy, people will likely end up subclassing
+# these defaults.
+#
+DISTRO ?= "eneanfvaccess"
+# As an example of a subclass there is a "bleeding" edge policy configuration
+# where many versions are set to the absolute latest code from the upstream
+# source control systems. This is just mentioned here as an example, its not
+# useful to most new users.
+# DISTRO ?= "poky-bleeding"
+
+#
+# Package Management configuration
+#
+# This variable lists which packaging formats to enable. Multiple package backends
+# can be enabled at once and the first item listed in the variable will be used
+# to generate the root filesystems.
+# Options are:
+#  - 'package_deb' for debian style deb files
+#  - 'package_ipk' for ipk files are used by opkg (a debian style embedded package manager)
+#  - 'package_rpm' for rpm style packages
+# E.g.: PACKAGE_CLASSES ?= "package_rpm package_deb package_ipk"
+# We default to rpm:
+PACKAGE_CLASSES ?= "package_deb"
+
+#
+# SDK/ADT target architecture
+#
+# This variable specifies the architecture to build SDK/ADT items for and means
+# you can build the SDK packages for architectures other than the machine you are
+# running the build on (i.e. building i686 packages on an x86_64 host).
+# Supported values are i686 and x86_64
+#SDKMACHINE ?= "i686"
+
+#
+# Extra image configuration defaults
+#
+# The EXTRA_IMAGE_FEATURES variable allows extra packages to be added to the generated
+# images. Some of these options are added to certain image types automatically. The
+# variable can contain the following options:
+#  "dbg-pkgs"       - add -dbg packages for all installed packages
+#                     (adds symbol information for debugging/profiling)
+#  "dev-pkgs"       - add -dev packages for all installed packages
+#                     (useful if you want to develop against libs in the image)
+#  "ptest-pkgs"     - add -ptest packages for all ptest-enabled packages
+#                     (useful if you want to run the package test suites)
+#  "tools-sdk"      - add development tools (gcc, make, pkgconfig etc.)
+#  "tools-debug"    - add debugging tools (gdb, strace)
+#  "eclipse-debug"  - add Eclipse remote debugging support
+#  "tools-profile"  - add profiling tools (oprofile, lttng, valgrind)
+#  "tools-testapps" - add useful testing tools (ts_print, aplay, arecord etc.)
+#  "debug-tweaks"   - make an image suitable for development
+#                     e.g. ssh root access has a blank password
+# There are other application targets that can be used here too, see
+# meta/classes/image.bbclass and meta/classes/core-image.bbclass for more details.
+# We default to enabling the debugging tweaks.
+EXTRA_IMAGE_FEATURES = " \
+                       tools-debug \
+                       debug-tweaks \
+                       "
+
+#
+# Additional image features
+#
+# The following is a list of additional classes to use when building images which
+# enable extra features. Some available options which can be included in this variable
+# are:
+#   - 'buildstats' collect build statistics
+#   - 'image-mklibs' to reduce shared library files size for an image
+#   - 'image-prelink' in order to prelink the filesystem image
+#   - 'image-swab' to perform host system intrusion detection
+# NOTE: if listing mklibs & prelink both, then make sure mklibs is before prelink
+# NOTE: mklibs also needs to be explicitly enabled for a given image, see local.conf.extended
+# NOTE: image-prelink is removed by sota.conf.inc
+USER_CLASSES ?= "buildstats image-mklibs image-prelink"
+
+#
+# Runtime testing of images
+#
+# The build system can test booting virtual machine images under qemu (an emulator)
+# after any root filesystems are created and run tests against those images. To
+# enable this uncomment this line. See classes/testimage(-auto).bbclass for
+# further details.
+#TEST_IMAGE = "1"
+#
+# Interactive shell configuration
+#
+# Under certain circumstances the system may need input from you and to do this it
+# can launch an interactive shell. It needs to do this since the build is
+# multithreaded and needs to be able to handle the case where more than one parallel
+# process may require the user's attention. The default is iterate over the available
+# terminal types to find one that works.
+#
+# Examples of the occasions this may happen are when resolving patches which cannot
+# be applied, to use the devshell or the kernel menuconfig
+#
+# Supported values are auto, gnome, xfce, rxvt, screen, konsole (KDE 3.x only), none
+# Note: currently, Konsole support only works for KDE 3.x due to the way
+# newer Konsole versions behave
+#OE_TERMINAL = "auto"
+# By default disable interactive patch resolution (tasks will just fail instead):
+PATCHRESOLVE = "noop"
+
+#
+# Disk Space Monitoring during the build
+#
+# Monitor the disk space during the build. If there is less that 1GB of space or less
+# than 100K inodes in any key build location (TMPDIR, DL_DIR, SSTATE_DIR), gracefully
+# shutdown the build. If there is less that 100MB or 1K inodes, perform a hard abort
+# of the build. The reason for this is that running completely out of space can corrupt
+# files and damages the build in ways which may not be easily recoverable.
+# It's necesary to monitor /tmp, if there is no space left the build will fail
+# with very exotic errors.
+BB_DISKMON_DIRS = "\
+    STOPTASKS,${TMPDIR},1G,100K \
+    STOPTASKS,${DL_DIR},1G,100K \
+    STOPTASKS,${SSTATE_DIR},1G,100K \
+    STOPTASKS,/tmp,100M,100K \
+    ABORT,${TMPDIR},100M,1K \
+    ABORT,${DL_DIR},100M,1K \
+    ABORT,${SSTATE_DIR},100M,1K \
+    ABORT,/tmp,10M,1K"
+
+#
+# Shared-state files from other locations
+#
+# As mentioned above, shared state files are prebuilt cache data objects which can
+# used to accelerate build time. This variable can be used to configure the system
+# to search other mirror locations for these objects before it builds the data itself.
+#
+# This can be a filesystem directory, or a remote url such as http or ftp. These
+# would contain the sstate-cache results from previous builds (possibly from other
+# machines). This variable works like fetcher MIRRORS/PREMIRRORS and points to the
+# cache locations to check for the shared objects.
+# NOTE: if the mirror uses the same structure as SSTATE_DIR, you need to add PATH
+# at the end as shown in the examples below. This will be substituted with the
+# correct path within the directory structure.
+#SSTATE_MIRRORS ?= "\
+#file://.* http://someserver.tld/share/sstate/PATH;downloadfilename=PATH \n \
+#file://.* file:///some/local/dir/sstate/PATH"
+
+
+#
+# Qemu configuration
+#
+# By default qemu will build with a builtin VNC server where graphical output can be
+# seen. The two lines below enable the SDL backend too. By default libsdl-native will
+# be built, if you want to use your host's libSDL instead of the minimal libsdl built
+# by libsdl-native then uncomment the ASSUME_PROVIDED line below.
+PACKAGECONFIG_append_pn-qemu-native = " sdl"
+PACKAGECONFIG_append_pn-nativesdk-qemu = " sdl"
+#ASSUME_PROVIDED += "libsdl-native"
+
+# CONF_VERSION is increased each time build/conf/ changes incompatibly and is used to
+# track the version of this file when it was generated. This can safely be ignored if
+# this doesn't mean anything to you.
+CONF_VERSION = "1"
+
+SKIP_META_VIRT_SANITY_CHECK = "1"
+
+# Various packages dynamically add users and groups to the system at package
+# install time.  For programs that do not care what the uid/gid is of the
+# resulting users/groups, the order of the install will determine the final
+# uid/gid.  This can lead to non-deterministic uid/gid values from one build
+# to another.  Use the following settings to specify that all user/group adds
+# should be created based on a static passwd/group file.
+#
+# Note, if you enable or disable the useradd-staticids in a configured system,
+# the TMPDIR may contain incorrect uid/gid values.  Clearing the TMPDIR
+# will correct this condition.
+#
+# By default the system looks in the BBPATH for files/passwd and files/group
+# the default can be overriden by spefying USERADD_UID/GID_TABLES.
+#
+USERADDEXTENSION = "useradd-staticids"
+USERADD_UID_TABLES = "files/passwd"
+USERADD_GID_TABLES = "files/group"
+ROOTFS_POSTPROCESS_COMMAND_remove = "systemd_create_users;"
+#
+# In order to prevent generating a system where a dynamicly assigned uid/gid
+# can exist, you should enable the following setting.  This will force the
+# system to error out if the user/group name is not defined in the
+# files/passwd or files/group (or specified replacements.)
+# Unfortunately, setting the variable below breaks the build, so do not set it
+# for now
+# USERADD_ERROR_DYNAMIC = "1"
diff --git a/conf/template.atom-c3000/conf-notes.txt b/conf/template.atom-c3000/conf-notes.txt
index ebd6162..580c5c9 100644
--- a/conf/template.atom-c3000/conf-notes.txt
+++ b/conf/template.atom-c3000/conf-notes.txt
@@ -1,2 +1,2 @@
 Common targets are:
-    enea-nfv-access
+    enea-edge-runtime
diff --git a/conf/template.atom-c3000/local.conf.sample b/conf/template.atom-c3000/local.conf.sample
index 8c24e77..54d065c 100644
--- a/conf/template.atom-c3000/local.conf.sample
+++ b/conf/template.atom-c3000/local.conf.sample
@@ -152,6 +152,7 @@ EXTRA_IMAGE_FEATURES = "debug-tweaks"
 #   - 'image-swab' to perform host system intrusion detection
 # NOTE: if listing mklibs & prelink both, then make sure mklibs is before prelink
 # NOTE: mklibs also needs to be explicitly enabled for a given image, see local.conf.extended
+# NOTE: image-prelink is removed by sota.conf.inc
 USER_CLASSES ?= "buildstats image-mklibs image-prelink"
 
 #
@@ -238,12 +239,29 @@ CONF_VERSION = "1"
 
 SKIP_META_VIRT_SANITY_CHECK = "1"
 
-#
-# OSTree integration
-#
-
-SOTA_MACHINE ?= "${MACHINE}"
-
-DISTRO_FEATURES_append = " sota"
-DISTRO_FEATURES_NATIVE_append = " sota"
-INHERIT += " sota"
+# Various packages dynamically add users and groups to the system at package
+# install time.  For programs that do not care what the uid/gid is of the
+# resulting users/groups, the order of the install will determine the final
+# uid/gid.  This can lead to non-deterministic uid/gid values from one build
+# to another.  Use the following settings to specify that all user/group adds
+# should be created based on a static passwd/group file.
+#
+# Note, if you enable or disable the useradd-staticids in a configured system,
+# the TMPDIR may contain incorrect uid/gid values.  Clearing the TMPDIR
+# will correct this condition.
+#
+# By default the system looks in the BBPATH for files/passwd and files/group
+# the default can be overriden by spefying USERADD_UID/GID_TABLES.
+#
+USERADDEXTENSION = "useradd-staticids"
+USERADD_UID_TABLES = "files/passwd"
+USERADD_GID_TABLES = "files/group"
+ROOTFS_POSTPROCESS_COMMAND_remove = "systemd_create_users;"
+#
+# In order to prevent generating a system where a dynamicly assigned uid/gid
+# can exist, you should enable the following setting.  This will force the
+# system to error out if the user/group name is not defined in the
+# files/passwd or files/group (or specified replacements.)
+# Unfortunately, setting the variable below breaks the build, so do not set it
+# for now
+# USERADD_ERROR_DYNAMIC = "1"
diff --git a/conf/template.qemux86-64-esdk/conf-notes.txt b/conf/template.qemux86-64-esdk/conf-notes.txt
index e939ec6..14d7575 100644
--- a/conf/template.qemux86-64-esdk/conf-notes.txt
+++ b/conf/template.qemux86-64-esdk/conf-notes.txt
@@ -1,2 +1,2 @@
 Common targets are:
-    enea-nfv-access-esdk
+    enea-edge-runtime-esdk
diff --git a/conf/template.qemux86-64/bblayers.conf.sample b/conf/template.qemux86-64/bblayers.conf.sample
index ea5510a..214386c 100644
--- a/conf/template.qemux86-64/bblayers.conf.sample
+++ b/conf/template.qemux86-64/bblayers.conf.sample
@@ -21,6 +21,4 @@ BBLAYERS ?= " \
   ##OEROOT##/meta-openembedded/meta-filesystems \
   ##OEROOT##/meta-openembedded/meta-python \
   ##OEROOT##/meta-openembedded/meta-webserver \
-  ##OEROOT##/meta-cloud-services \
-  ##OEROOT##/meta-cloud-services/meta-openstack \
   "
diff --git a/conf/template.qemux86-64/conf-notes.txt b/conf/template.qemux86-64/conf-notes.txt
index e55e538..2b65747 100644
--- a/conf/template.qemux86-64/conf-notes.txt
+++ b/conf/template.qemux86-64/conf-notes.txt
@@ -1,2 +1,2 @@
 Common targets are:
-    enea-nfv-access-vnf
+    enea-edge-vnf
diff --git a/conf/template.xeon-d-debug/bblayers.conf.sample b/conf/template.xeon-d-debug/bblayers.conf.sample
new file mode 100644
index 0000000..71c77cc
--- /dev/null
+++ b/conf/template.xeon-d-debug/bblayers.conf.sample
@@ -0,0 +1,31 @@
+# POKY_BBLAYERS_CONF_VERSION is increased each time build/conf/bblayers.conf
+# changes incompatibly
+POKY_BBLAYERS_CONF_VERSION = "2"
+
+BBPATH = "${TOPDIR}"
+BBFILES ?= ""
+
+BBLAYERS ?= " \
+  ##OEROOT##/meta \
+  ##OEROOT##/meta-poky \
+  ##OEROOT##/meta-intel \
+  ##OEROOT##/meta-dpdk \
+  ##OEROOT##/meta-nfv-access-bsp-common \
+  ##OEROOT##/meta-nfv-access-bsp-x86 \
+  ##OEROOT##/meta-virtualization \
+  ##OEROOT##/meta-enea-virtualization \
+  ##OEROOT##/meta-nfv-access-common \
+  ##OEROOT##/meta-el-nfv-access \
+  ##OEROOT##/meta-openembedded/meta-oe \
+  ##OEROOT##/meta-openembedded/meta-networking \
+  ##OEROOT##/meta-openembedded/meta-filesystems \
+  ##OEROOT##/meta-openembedded/meta-python \
+  ##OEROOT##/meta-openembedded/meta-webserver \
+  ##OEROOT##/meta-java \
+  ##OEROOT##/meta-updater \
+  ##OEROOT##/meta-openembedded/meta-perl \
+  ##OEROOT##/meta-secure-core/meta \
+  ##OEROOT##/meta-secure-core/meta-signing-key \
+  ##OEROOT##/meta-secure-core/meta-efi-secure-boot \
+  ##OEROOT##/meta-enea-user-keys \
+  "
diff --git a/conf/template.xeon-d-debug/conf-notes.txt b/conf/template.xeon-d-debug/conf-notes.txt
new file mode 100644
index 0000000..d4da82b
--- /dev/null
+++ b/conf/template.xeon-d-debug/conf-notes.txt
@@ -0,0 +1,2 @@
+Common targets are:
+    enea-edge-runtime-debug
diff --git a/conf/template.xeon-d-debug/local.conf.sample b/conf/template.xeon-d-debug/local.conf.sample
new file mode 100644
index 0000000..3f8ef4a
--- /dev/null
+++ b/conf/template.xeon-d-debug/local.conf.sample
@@ -0,0 +1,271 @@
+#
+# This file is your local configuration file and is where all local user settings
+# are placed. The comments in this file give some guide to the options a new user
+# to the system might want to change but pretty much any configuration option can
+# be set in this file. More adventurous users can look at local.conf.extended
+# which contains other examples of configuration which can be placed in this file
+# but new users likely won't need any of them initially.
+#
+# Lines starting with the '#' character are commented out and in some cases the
+# default values are provided as comments to show people example syntax. Enabling
+# the option is a question of removing the # character and making any change to the
+# variable as required.
+
+#
+# Machine Selection
+#
+# You need to select a specific machine to target the build with. There are a selection
+# of emulated machines available which can boot and run in the QEMU emulator:
+#
+#MACHINE ?= "qemuarm"
+#MACHINE ?= "qemuarm64"
+#MACHINE ?= "qemumips"
+#MACHINE ?= "qemumips64"
+#MACHINE ?= "qemuppc"
+#MACHINE ?= "qemux86"
+#MACHINE ?= "qemux86-64"
+#
+# There are also the following hardware board target machines included for
+# demonstration purposes:
+#
+#MACHINE ?= "beaglebone"
+#MACHINE ?= "genericx86"
+#MACHINE ?= "genericx86-64"
+#MACHINE ?= "mpc8315e-rdb"
+#MACHINE ?= "edgerouter"
+#
+# This sets the default machine to be qemux86 if no other machine is selected:
+MACHINE ?= "xeon-d"
+
+
+#
+# Where to place downloads
+#
+# During a first build the system will download many different source code tarballs
+# from various upstream projects. This can take a while, particularly if your network
+# connection is slow. These are all stored in DL_DIR. When wiping and rebuilding you
+# can preserve this directory to speed up this part of subsequent builds. This directory
+# is safe to share between multiple builds on the same machine too.
+#
+# The default is a downloads directory under TOPDIR which is the build directory.
+#
+#DL_DIR ?= "${TOPDIR}/downloads"
+
+#
+# Where to place shared-state files
+#
+# BitBake has the capability to accelerate builds based on previously built output.
+# This is done using "shared state" files which can be thought of as cache objects
+# and this option determines where those files are placed.
+#
+# You can wipe out TMPDIR leaving this directory intact and the build would regenerate
+# from these files if no changes were made to the configuration. If changes were made
+# to the configuration, only shared state files where the state was still valid would
+# be used (done using checksums).
+#
+# The default is a sstate-cache directory under TOPDIR.
+#
+#SSTATE_DIR ?= "${TOPDIR}/sstate-cache"
+
+#
+# Where to place the build output
+#
+# This option specifies where the bulk of the building work should be done and
+# where BitBake should place its temporary files and output. Keep in mind that
+# this includes the extraction and compilation of many applications and the toolchain
+# which can use Gigabytes of hard disk space.
+#
+# The default is a tmp directory under TOPDIR.
+#
+#TMPDIR = "${TOPDIR}/tmp"
+
+#
+# Default policy config
+#
+# The distribution setting controls which policy settings are used as defaults.
+# The default value is fine for general Yocto project use, at least initially.
+# Ultimately when creating custom policy, people will likely end up subclassing
+# these defaults.
+#
+DISTRO ?= "eneanfvaccess"
+# As an example of a subclass there is a "bleeding" edge policy configuration
+# where many versions are set to the absolute latest code from the upstream
+# source control systems. This is just mentioned here as an example, its not
+# useful to most new users.
+# DISTRO ?= "poky-bleeding"
+
+#
+# Package Management configuration
+#
+# This variable lists which packaging formats to enable. Multiple package backends
+# can be enabled at once and the first item listed in the variable will be used
+# to generate the root filesystems.
+# Options are:
+#  - 'package_deb' for debian style deb files
+#  - 'package_ipk' for ipk files are used by opkg (a debian style embedded package manager)
+#  - 'package_rpm' for rpm style packages
+# E.g.: PACKAGE_CLASSES ?= "package_rpm package_deb package_ipk"
+# We default to rpm:
+PACKAGE_CLASSES ?= "package_deb"
+
+#
+# SDK/ADT target architecture
+#
+# This variable specifies the architecture to build SDK/ADT items for and means
+# you can build the SDK packages for architectures other than the machine you are
+# running the build on (i.e. building i686 packages on an x86_64 host).
+# Supported values are i686 and x86_64
+#SDKMACHINE ?= "i686"
+
+#
+# Extra image configuration defaults
+#
+# The EXTRA_IMAGE_FEATURES variable allows extra packages to be added to the generated
+# images. Some of these options are added to certain image types automatically. The
+# variable can contain the following options:
+#  "dbg-pkgs"       - add -dbg packages for all installed packages
+#                     (adds symbol information for debugging/profiling)
+#  "dev-pkgs"       - add -dev packages for all installed packages
+#                     (useful if you want to develop against libs in the image)
+#  "ptest-pkgs"     - add -ptest packages for all ptest-enabled packages
+#                     (useful if you want to run the package test suites)
+#  "tools-sdk"      - add development tools (gcc, make, pkgconfig etc.)
+#  "tools-debug"    - add debugging tools (gdb, strace)
+#  "eclipse-debug"  - add Eclipse remote debugging support
+#  "tools-profile"  - add profiling tools (oprofile, lttng, valgrind)
+#  "tools-testapps" - add useful testing tools (ts_print, aplay, arecord etc.)
+#  "debug-tweaks"   - make an image suitable for development
+#                     e.g. ssh root access has a blank password
+# There are other application targets that can be used here too, see
+# meta/classes/image.bbclass and meta/classes/core-image.bbclass for more details.
+# We default to enabling the debugging tweaks.
+EXTRA_IMAGE_FEATURES = " \
+                     tools-debug \
+                     debug-tweaks \
+                     "
+
+#
+# Additional image features
+#
+# The following is a list of additional classes to use when building images which
+# enable extra features. Some available options which can be included in this variable
+# are:
+#   - 'buildstats' collect build statistics
+#   - 'image-mklibs' to reduce shared library files size for an image
+#   - 'image-prelink' in order to prelink the filesystem image
+#   - 'image-swab' to perform host system intrusion detection
+# NOTE: if listing mklibs & prelink both, then make sure mklibs is before prelink
+# NOTE: mklibs also needs to be explicitly enabled for a given image, see local.conf.extended
+# NOTE: image-prelink is removed by sota.conf.inc
+USER_CLASSES ?= "buildstats image-mklibs image-prelink"
+
+#
+# Runtime testing of images
+#
+# The build system can test booting virtual machine images under qemu (an emulator)
+# after any root filesystems are created and run tests against those images. To
+# enable this uncomment this line. See classes/testimage(-auto).bbclass for
+# further details.
+#TEST_IMAGE = "1"
+#
+# Interactive shell configuration
+#
+# Under certain circumstances the system may need input from you and to do this it
+# can launch an interactive shell. It needs to do this since the build is
+# multithreaded and needs to be able to handle the case where more than one parallel
+# process may require the user's attention. The default is iterate over the available
+# terminal types to find one that works.
+#
+# Examples of the occasions this may happen are when resolving patches which cannot
+# be applied, to use the devshell or the kernel menuconfig
+#
+# Supported values are auto, gnome, xfce, rxvt, screen, konsole (KDE 3.x only), none
+# Note: currently, Konsole support only works for KDE 3.x due to the way
+# newer Konsole versions behave
+#OE_TERMINAL = "auto"
+# By default disable interactive patch resolution (tasks will just fail instead):
+PATCHRESOLVE = "noop"
+
+#
+# Disk Space Monitoring during the build
+#
+# Monitor the disk space during the build. If there is less that 1GB of space or less
+# than 100K inodes in any key build location (TMPDIR, DL_DIR, SSTATE_DIR), gracefully
+# shutdown the build. If there is less that 100MB or 1K inodes, perform a hard abort
+# of the build. The reason for this is that running completely out of space can corrupt
+# files and damages the build in ways which may not be easily recoverable.
+# It's necesary to monitor /tmp, if there is no space left the build will fail
+# with very exotic errors.
+BB_DISKMON_DIRS = "\
+    STOPTASKS,${TMPDIR},1G,100K \
+    STOPTASKS,${DL_DIR},1G,100K \
+    STOPTASKS,${SSTATE_DIR},1G,100K \
+    STOPTASKS,/tmp,100M,100K \
+    ABORT,${TMPDIR},100M,1K \
+    ABORT,${DL_DIR},100M,1K \
+    ABORT,${SSTATE_DIR},100M,1K \
+    ABORT,/tmp,10M,1K"
+
+#
+# Shared-state files from other locations
+#
+# As mentioned above, shared state files are prebuilt cache data objects which can
+# used to accelerate build time. This variable can be used to configure the system
+# to search other mirror locations for these objects before it builds the data itself.
+#
+# This can be a filesystem directory, or a remote url such as http or ftp. These
+# would contain the sstate-cache results from previous builds (possibly from other
+# machines). This variable works like fetcher MIRRORS/PREMIRRORS and points to the
+# cache locations to check for the shared objects.
+# NOTE: if the mirror uses the same structure as SSTATE_DIR, you need to add PATH
+# at the end as shown in the examples below. This will be substituted with the
+# correct path within the directory structure.
+#SSTATE_MIRRORS ?= "\
+#file://.* http://someserver.tld/share/sstate/PATH;downloadfilename=PATH \n \
+#file://.* file:///some/local/dir/sstate/PATH"
+
+
+#
+# Qemu configuration
+#
+# By default qemu will build with a builtin VNC server where graphical output can be
+# seen. The two lines below enable the SDL backend too. By default libsdl-native will
+# be built, if you want to use your host's libSDL instead of the minimal libsdl built
+# by libsdl-native then uncomment the ASSUME_PROVIDED line below.
+PACKAGECONFIG_append_pn-qemu-native = " sdl"
+PACKAGECONFIG_append_pn-nativesdk-qemu = " sdl"
+#ASSUME_PROVIDED += "libsdl-native"
+
+# CONF_VERSION is increased each time build/conf/ changes incompatibly and is used to
+# track the version of this file when it was generated. This can safely be ignored if
+# this doesn't mean anything to you.
+CONF_VERSION = "1"
+
+SKIP_META_VIRT_SANITY_CHECK = "1"
+
+# Various packages dynamically add users and groups to the system at package
+# install time.  For programs that do not care what the uid/gid is of the
+# resulting users/groups, the order of the install will determine the final
+# uid/gid.  This can lead to non-deterministic uid/gid values from one build
+# to another.  Use the following settings to specify that all user/group adds
+# should be created based on a static passwd/group file.
+#
+# Note, if you enable or disable the useradd-staticids in a configured system,
+# the TMPDIR may contain incorrect uid/gid values.  Clearing the TMPDIR
+# will correct this condition.
+#
+# By default the system looks in the BBPATH for files/passwd and files/group
+# the default can be overriden by spefying USERADD_UID/GID_TABLES.
+#
+USERADDEXTENSION = "useradd-staticids"
+USERADD_UID_TABLES = "files/passwd"
+USERADD_GID_TABLES = "files/group"
+ROOTFS_POSTPROCESS_COMMAND_remove = "systemd_create_users;"
+#
+# In order to prevent generating a system where a dynamicly assigned uid/gid
+# can exist, you should enable the following setting.  This will force the
+# system to error out if the user/group name is not defined in the
+# files/passwd or files/group (or specified replacements.)
+# Unfortunately, setting the variable below breaks the build, so do not set it
+# for now
+# USERADD_ERROR_DYNAMIC = "1"
diff --git a/conf/template.xeon-d/conf-notes.txt b/conf/template.xeon-d/conf-notes.txt
index ebd6162..580c5c9 100644
--- a/conf/template.xeon-d/conf-notes.txt
+++ b/conf/template.xeon-d/conf-notes.txt
@@ -1,2 +1,2 @@
 Common targets are:
-    enea-nfv-access
+    enea-edge-runtime
diff --git a/conf/template.xeon-d/local.conf.sample b/conf/template.xeon-d/local.conf.sample
index 3b1063e..ace57dd 100644
--- a/conf/template.xeon-d/local.conf.sample
+++ b/conf/template.xeon-d/local.conf.sample
@@ -153,6 +153,7 @@ EXTRA_IMAGE_FEATURES = "debug-tweaks"
 #   - 'image-swab' to perform host system intrusion detection
 # NOTE: if listing mklibs & prelink both, then make sure mklibs is before prelink
 # NOTE: mklibs also needs to be explicitly enabled for a given image, see local.conf.extended
+# NOTE: image-prelink is removed by sota.conf.inc
 USER_CLASSES ?= "buildstats image-mklibs image-prelink"
 
 #
@@ -239,12 +240,29 @@ CONF_VERSION = "1"
 
 SKIP_META_VIRT_SANITY_CHECK = "1"
 
-#
-# OSTree integration
-#
-
-SOTA_MACHINE ?= "${MACHINE}"
-
-DISTRO_FEATURES_append = " sota"
-DISTRO_FEATURES_NATIVE_append = " sota"
-INHERIT += " sota"
+# Various packages dynamically add users and groups to the system at package
+# install time.  For programs that do not care what the uid/gid is of the
+# resulting users/groups, the order of the install will determine the final
+# uid/gid.  This can lead to non-deterministic uid/gid values from one build
+# to another.  Use the following settings to specify that all user/group adds
+# should be created based on a static passwd/group file.
+#
+# Note, if you enable or disable the useradd-staticids in a configured system,
+# the TMPDIR may contain incorrect uid/gid values.  Clearing the TMPDIR
+# will correct this condition.
+#
+# By default the system looks in the BBPATH for files/passwd and files/group
+# the default can be overriden by spefying USERADD_UID/GID_TABLES.
+#
+USERADDEXTENSION = "useradd-staticids"
+USERADD_UID_TABLES = "files/passwd"
+USERADD_GID_TABLES = "files/group"
+ROOTFS_POSTPROCESS_COMMAND_remove = "systemd_create_users;"
+#
+# In order to prevent generating a system where a dynamicly assigned uid/gid
+# can exist, you should enable the following setting.  This will force the
+# system to error out if the user/group name is not defined in the
+# files/passwd or files/group (or specified replacements.)
+# Unfortunately, setting the variable below breaks the build, so do not set it
+# for now
+# USERADD_ERROR_DYNAMIC = "1"
diff --git a/files/group b/files/group
new file mode 100644
index 0000000..ffb9c82
--- /dev/null
+++ b/files/group
@@ -0,0 +1,52 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+input:x:19:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+kvm:x:47:qemu
+staff:x:50:
+games:x:60:
+shutdown:x:70:
+users:x:100:
+render:x:983:
+systemd-bus-proxy:x:985:
+systemd-timesync:x:988:
+systemd-journal:x:989:
+sshd:x:991:
+qemu:x:992:
+docker:x:995:
+messagebus:x:996:
+bind:x:998:
+_apt:x:999:
+nogroup:x:65534:
diff --git a/files/passwd b/files/passwd
new file mode 100644
index 0000000..2b3f831
--- /dev/null
+++ b/files/passwd
@@ -0,0 +1,25 @@
+root:x:0:0:root:/home/root:/bin/sh
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/bin/sh
+man:x:6:12:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+systemd-bus-proxy:x:989:985::/:/bin/nologin
+systemd-timesync:x:992:988::/:/bin/nologin
+sshd:x:993:991::/var/run/sshd:/bin/false
+qemu:x:994:992::/home/qemu:/bin/sh
+messagebus:x:997:996::/var/lib/dbus:/bin/false
+bind:x:998:998::/var/cache/bind:/bin/sh
+_apt:x:999:999::/nonexistent:/bin/false
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
diff --git a/images/core-image-minimal-initramfs.bbappend b/images/core-image-minimal-initramfs.bbappend
index 2ca1d47..88dd198 100644
--- a/images/core-image-minimal-initramfs.bbappend
+++ b/images/core-image-minimal-initramfs.bbappend
@@ -1,5 +1,21 @@
 PACKAGE_INSTALL += " nfv-installer kernel-modules"
 
-# ostree-switchroot is used by the init script to switch root to the
-# ostree version specified in the kernel command line
-PACKAGE_INSTALL_append_sota = " ostree-switchroot"
+INITRAMFS_SCRIPTS = " \
+    initramfs-framework-base \
+    initramfs-module-udev \
+    initramfs-module-setup-live \
+"
+
+# run-postinsts does not belong in the minimal initramfs
+PACKAGE_INSTALL_remove = "run-postinsts"
+
+PACKAGE_EXCLUDE_x86-64_sota += "grub-common-extras"
+
+create_enea_symlink() {
+    # enea image used in bare metal installation
+    cd ${DEPLOY_DIR_IMAGE}
+    ln -sf ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cpio.gz enea-image-minimal-initramfs-${MACHINE}.cpio.gz
+    cd -
+}
+
+IMAGE_POSTPROCESS_COMMAND_append += " create_enea_symlink;"
diff --git a/images/enea-edge-common.inc b/images/enea-edge-common.inc
new file mode 100644
index 0000000..b174064
--- /dev/null
+++ b/images/enea-edge-common.inc
@@ -0,0 +1,40 @@
+require images/enea-image-common.inc
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL += " \
+    packagegroup-enea-virtualization \
+    kernel-modules \
+    "
+
+# run-postinsts duplicates dpkg-configure if package_deb is used
+PACKAGE_INSTALL_remove = "${@bb.utils.contains('PACKAGE_CLASSES', 'package_deb', 'run-postinsts', '', d)}"
+
+PACKAGE_EXCLUDE_x86-64_sota += "grub-common-extras"
+
+# After installing packages inside the rootfs, remove backup DPKG status file
+rootfs_postinstall_dpkg_cleanup () {
+    if ${@bb.utils.contains('PACKAGE_CLASSES', 'package_deb', 'true', 'false', d)}; then
+        rm -f ${IMAGE_ROOTFS}/var/lib/dpkg/status-old
+    fi
+}
+ROOTFS_POSTINSTALL_COMMAND_append += " rootfs_postinstall_dpkg_cleanup;"
+
+IMAGE_FSTYPES += "ext4 ext4.gz tar.gz"
+
+# Remove aktualizr packages from the image, we don't use it and creates odd dependencies, e.g.
+# it creates a systemd unit that depends on network-online.target, which leads to enabling
+# NetworkManager-wait-online.service, delaying boot up.
+SOTA_CLIENT_PROV = ""
+IMAGE_INSTALL_remove_sota = " \
+    aktualizr \
+    aktualizr-info \
+    "
+
+# We currently don't use automatic push/sign/check to a backend server, so skip running useless
+# OSTree tasks during image build.
+IMAGE_FSTYPES_remove_sota = " \
+    ostreepush \
+    garagesign \
+    garagecheck \
+    "
diff --git a/images/enea-edge-host-common.inc b/images/enea-edge-host-common.inc
new file mode 100644
index 0000000..3df6cb9
--- /dev/null
+++ b/images/enea-edge-host-common.inc
@@ -0,0 +1,84 @@
+IMAGE_FSTYPES += "hddimg"
+IMAGE_FSTYPES_remove = "wic"
+
+REQUIRE_FILES = " \
+    images/enea-edge-common.inc \
+    "
+REQUIRE_FILES_append_df-efi-secure-boot = " \
+    classes/override_live-vm-common.inc \
+    images/secure-boot.inc \
+    "
+
+require ${REQUIRE_FILES}
+
+IMAGE_INSTALL += " \
+    packagegroup-enea-virtualization-host \
+    packagegroup-enea-virtualization-4gusb-modems \
+    "
+
+# Set labels for GRUB and SYSLINUX
+LABELS_LIVE = "installer live-boot"
+
+# Append default parameters for x86-64 targets
+APPEND_x86-64 = "quiet console=tty0 console=ttyS0,115200"
+SYSLINUX_DEFAULT_CONSOLE_x86-64 = "console=ttyS0,115200"
+
+# Skip menu and boot installer immediately
+GRUB_TIMEOUT_x86-64 = "0"
+AUTO_SYSLINUXMENU_x86-64 = "0"
+
+# If building with sota enabled, build the otaimg before the hddimg, because
+# the hddimg needs it as a base image
+python __anonymous() {
+    ## ENEA_start ##
+    if bb.utils.contains('DISTRO_FEATURES', 'sota', True, False, d):
+        d.appendVarFlag("do_bootimg", "depends", " %s:do_image_ota_ext4" % d.getVar("IMAGE_BASENAME", True))
+    ## ENEA_end ##
+}
+
+# Append OSTree specific parameters to the kernel command line before creating the live image
+python do_bootimg_prepend () {
+    ## ENEA_start ##
+    if bb.utils.contains('DISTRO_FEATURES', 'sota', True, False, d):
+        ostree_osname = d.getVar('OSTREE_OSNAME')
+        checksum = bb.utils.sha256_file(d.getVar('DEPLOY_DIR_IMAGE') + "/" + d.getVar('OSTREE_KERNEL'))
+
+        # The boot tree is identified through a sha256 checksum over the kernel binary
+        ostree_params = " ostree=/ostree/boot.1/" + ostree_osname + "/" + checksum + "/0"
+
+        d.setVar("APPEND", d.getVar("APPEND") + ostree_params)
+    ## ENEA_end ##
+}
+
+# Before building the OSTree image, move DPKG data to /usr/dpkg, because
+# OSTree does not preserve the contents of /var
+IMAGE_CMD_ostree_prepend () {
+    ## ENEA_start ##
+    # Note: We do configure DPKG admindir at build time, but we can't do the same for APT since
+    # yocto hardcodes /var/lib/dpkg paths in various places in OE-core, which we can't override,
+    # so instead we move the contents to their expected location here and configure apt at runtime
+    # via a configuration fragment to use the new location.
+    mkdir -p usr/dpkg/lib/dpkg
+    if [ "$(ls -A var/lib/dpkg)" ]; then
+        mv var/lib/dpkg/* usr/dpkg/lib/dpkg/
+    fi
+    # In Enea Edge, the EFI binaries (shim, seloader etc.) are copied from the yocto deploy dir to
+    # the installation image (hddimg) - see "classes/override_live-vm-common.inc" in this repo;
+    # and during Enea Edge installation (via utils.sh) from hddimg to the destination disk.
+    # Files installed by the package manager end up under OSTree /boot hardlink tree, but are
+    # never actually used. To avoid confusion and save some resources, clean them up.
+    rm -rf boot/*
+    ## ENEA_end ##
+}
+
+IMAGE_CMD_ota_prepend () {
+        ## ENEA_start ##
+        if [ "${OSTREE_BOOTLOADER}" = "grub" ]; then
+                # Upstream bbclass creates /boot/grub2, complement it with /boot/grub
+                # Note: /boot/grub2 is a dir with /boot/grub2/grub.cfg -> ../loader/grub.cfg symlink
+                # while /boot/grub -> loader is a symlink to also account for /boot/grub/grubenv
+                mkdir -p ${OTA_SYSROOT}/boot
+                ln -s loader ${OTA_SYSROOT}/boot/grub
+        fi
+        ## ENEA_end ##
+}
diff --git a/images/enea-edge-runtime-debug.bb b/images/enea-edge-runtime-debug.bb
new file mode 100644
index 0000000..4736f24
--- /dev/null
+++ b/images/enea-edge-runtime-debug.bb
@@ -0,0 +1,9 @@
+DESCRIPTION = "Image for the host side of the Enea Edge Runtime with ODM and NETCONF Edgelink customizations"
+
+require images/enea-edge-host-common.inc
+
+IMAGE_INSTALL += " \
+    element-vcpe \
+    gdbserver \
+    oprofile \
+    "
diff --git a/images/enea-nfv-access-esdk.bb b/images/enea-edge-runtime-esdk.bb
index d424ef6..d424ef6 100644
--- a/images/enea-nfv-access-esdk.bb
+++ b/images/enea-edge-runtime-esdk.bb
diff --git a/images/enea-nfv-access-sdk.bb b/images/enea-edge-runtime-sdk.bb
index a957add..c6a15b4 100644
--- a/images/enea-nfv-access-sdk.bb
+++ b/images/enea-edge-runtime-sdk.bb
@@ -1,6 +1,6 @@
-DESCRIPTION = "Image for building the SDK for the host side of the Enea NFV Access Platform with ODM customizations"
+DESCRIPTION = "Image for building the SDK for the host side of the Enea Edge Runtime with ODM customizations"
 
-require images/enea-nfv-access-host-common.inc
+require images/enea-edge-host-common.inc
 
 IMAGE_INSTALL += " \
     element-odm-sdk \
diff --git a/images/enea-edge-runtime.bb b/images/enea-edge-runtime.bb
new file mode 100644
index 0000000..5071619
--- /dev/null
+++ b/images/enea-edge-runtime.bb
@@ -0,0 +1,7 @@
+DESCRIPTION = "Image for the host side of the Enea Edge Runtime with ODM and NETCONF Edgelink customizations"
+
+require images/enea-edge-host-common.inc
+
+IMAGE_INSTALL += " \
+    element-vcpe \
+    "
diff --git a/images/enea-edge-vnf.bb b/images/enea-edge-vnf.bb
new file mode 100644
index 0000000..5d2365b
--- /dev/null
+++ b/images/enea-edge-vnf.bb
@@ -0,0 +1,15 @@
+DESCRIPTION = "VNF image of the Enea Edge Runtime, includes kernel, rootfs and boot parameters"
+
+require images/enea-edge-common.inc
+
+IMAGE_FSTYPES += "wic.qcow2"
+WKS_FILE = "enea-edge-vnf-qemux86-64.wks"
+
+CLOUDINITPKGS = "cloud-init util-linux-blkid"
+
+IMAGE_INSTALL += " \
+    packagegroup-enea-virtualization-guest \
+    nfv-init \
+    iperf3 \
+    ${CLOUDINITPKGS} \
+    "
diff --git a/images/enea-nfv-access-common.inc b/images/enea-nfv-access-common.inc
deleted file mode 100644
index 3f9fc84..0000000
--- a/images/enea-nfv-access-common.inc
+++ /dev/null
@@ -1,15 +0,0 @@
-require images/enea-image-common.inc
-
-IMAGE_FEATURES += "ssh-server-openssh"
-
-IMAGE_INSTALL += " \
-    packagegroup-enea-virtualization \
-    kernel-modules \
-    "
-
-IMAGE_FSTYPES = "ext4 ext4.gz tar.gz"
-
-# Add ostree specific image types if sota support is set
-IMAGE_FSTYPES += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', 'otaimg wic', ' ', d)}"
-SOTA_CLIENT = ""
-SOTA_CLIENT_PROV = ""
diff --git a/images/enea-nfv-access-host-common.inc b/images/enea-nfv-access-host-common.inc
deleted file mode 100644
index 1cde827..0000000
--- a/images/enea-nfv-access-host-common.inc
+++ /dev/null
@@ -1,69 +0,0 @@
-REQUIRE_FILES = " \
-    images/enea-nfv-access-common.inc \
-    classes/override_grub-efi.inc \
-    "
-REQUIRE_FILES_append_df-efi-secure-boot = " \
-    classes/override_image_types_ostree.inc \
-    classes/override_image_types_ota.inc \
-    classes/override_grub-efi_secureboot.inc \
-    images/secure-boot.inc \
-    "
-
-require ${REQUIRE_FILES}
-
-IMAGE_INSTALL += " \
-    packagegroup-enea-virtualization-host \
-    packagegroup-enea-virtualization-4gusb-modems \
-    "
-
-# Set labels for GRUB and SYSLINUX
-LABELS_LIVE = "installer live-boot"
-
-GRUB_GFXSERIAL_x86-64 = "1"
-# Append default parameters for x86-64 targets
-APPEND_x86-64 = "quiet"
-SYSLINUX_DEFAULT_CONSOLE_x86-64 = "console=ttyS0,115200"
-
-# Skip menu and boot installer immediately
-GRUB_TIMEOUT_x86-64 = "0"
-AUTO_SYSLINUXMENU_x86-64 = "0"
-
-# grub-efi-native is needed in recipe-sysroot-native to generate the initial
-# configuration file for grub
-DEPENDS_append += " grub-efi-native"
-
-# If building with sota enabled, build the otaimg before the hddimg, because
-# the hddimg needs it as a base image
-python __anonymous() {
-    if bb.utils.contains('DISTRO_FEATURES', 'sota', True, False, d):
-        d.appendVarFlag("do_bootimg", "depends", " %s:do_image_otaimg" % d.getVar("IMAGE_BASENAME", True))
-}
-
-# Append OSTree specific parameters to the kernel command line before creating the live image
-python do_bootimg_prepend () {
-    if bb.utils.contains('DISTRO_FEATURES', 'sota', True, False, d):
-        ostree_osname = d.getVar('OSTREE_OSNAME')
-        checksum = bb.utils.sha256_file(d.getVar('DEPLOY_DIR_IMAGE') + "/" + d.getVar('OSTREE_KERNEL'))
-
-        # The boot tree is identified through a sha256 checksum over the kernel binary
-        ostree_params = " ostree=/ostree/boot.1/" + ostree_osname + "/" + checksum + "/0"
-
-        d.setVar("APPEND", d.getVar("APPEND") + ostree_params)
-}
-
-# Get rid of GRUB dependencies added by ostree. See:
-# https://git.enea.com/cgit/linux/meta-updater.git/tree/classes/image_types_ota.bbclass#n45
-python __anonymous () {
-    d.delVarFlag("do_image_otaimg", "depends")
-    d.setVarFlag("do_image_otaimg", "depends", "e2fsprogs-native:do_populate_sysroot")
-}
-
-# Before building the OSTree image, move DPKG data to /usr/dpkg, because
-# OSTree does not preserve the contents of /var
-IMAGE_CMD_ostree_prepend () {
-
-    install -d ${IMAGE_ROOTFS}/usr/dpkg/lib/dpkg
-    if [ "$(ls -A ${IMAGE_ROOTFS}/var/lib/dpkg)" ]; then
-        mv ${IMAGE_ROOTFS}/var/lib/dpkg/* ${IMAGE_ROOTFS}/usr/dpkg/lib/dpkg/
-    fi
-}
diff --git a/images/enea-nfv-access-vnf.bb b/images/enea-nfv-access-vnf.bb
deleted file mode 100644
index a3902c2..0000000
--- a/images/enea-nfv-access-vnf.bb
+++ /dev/null
@@ -1,16 +0,0 @@
-DESCRIPTION = "VNF image of the Enea NFV Access Platform, includes kernel, rootfs and boot parameters"
-
-require images/enea-nfv-access-common.inc
-
-IMAGE_FSTYPES += "wic.qcow2"
-WKS_FILE = "enea-nfv-access-vnf-qemux86-64.wks"
-
-CLOUDINITPKGS = "cloud-init util-linux-blkid"
-CLOUDINITPKGS += " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'cloud-init-systemd', '', d)}"
-
-IMAGE_INSTALL += " \
-    packagegroup-enea-virtualization-guest \
-    nfv-init \
-    iperf3 \
-    ${CLOUDINITPKGS} \
-    "
diff --git a/images/enea-nfv-access.bb b/images/enea-nfv-access.bb
deleted file mode 100644
index 9311992..0000000
--- a/images/enea-nfv-access.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-DESCRIPTION = "Image for the host side of the Enea NFV Access Platform with ODM and NETCONF Edgelink customizations"
-
-require images/enea-nfv-access-host-common.inc
-
-IMAGE_INSTALL += " \
-    element-vcpe \
-    "
diff --git a/recipes-core/systemd/files/basic.conf.in b/recipes-core/systemd/files/basic.conf.in
new file mode 100644
index 0000000..6532f64
--- /dev/null
+++ b/recipes-core/systemd/files/basic.conf.in
@@ -0,0 +1,50 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+# The superuser
+u root    0     "Super User" /root
+
+# Administrator group: can *see* more than normal users
+g adm     -     -            -
+
+# Access to certain kernel and userspace facilities
+g kmem    -     -            -
+g tty     @TTY_GID@     -            -
+g utmp    -     -            -
+
+# Hardware access groups
+g audio   -     -            -
+g cdrom   -     -            -
+g dialout -     -            -
+g disk    -     -            -
+g input   -     -            -
+g lp      -     -            -
+g tape    -     -            -
+g video   -     -            -
+
+# Default group for normal users
+g users   @USERS_GID@     -            -
+## ENEA_start ##
+# Handle systemd-sysusers hardcoded users/groups interfering with OSTree upgrades:
+# - nothing in NFVA uses the wheel group, do not create it;
+# - the 'nobody' group was automatically created for the existing 'nobody' user,
+#   which is not necessary, NFVA already has 'nogroup' (GID 65534);
+#
+# Administrator group: can *do* more than normal users
+# g wheel   -     -            -
+# The nobody user for NFS file systems
+# u @NOBODY_USER_NAME@  65534 "Nobody"     -
+#
+# Keep the next users/groups in sync with those in <layer>/files/{passwd,group}
+# If an upgrade updates /etc/{passwd,group} then the next users and groups already exist
+# and the next lines will do nothing. If the upgrade did not update /etc/{passwd,group}
+# we must dynamically add them, with fixed ids. Ids are the same as in
+# <layer>/files/{passwd,group}
+g kvm     47       -      -
+m qemu    kvm
+g render  983      -      -
+## ENEA_end ##
diff --git a/recipes-core/systemd/systemd_247.6.bbappend b/recipes-core/systemd/systemd_247.6.bbappend
new file mode 100644
index 0000000..eb2b118
--- /dev/null
+++ b/recipes-core/systemd/systemd_247.6.bbappend
@@ -0,0 +1,25 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI_append_sota = " file://basic.conf.in"
+
+GROUPADD_PARAM_${PN}_append_sota = "; -r render"
+
+# systemd uses certain groups unless configured not to (e.g. journal logs are more
+# broadly available to the 'wheel' group unless told otherwise), while some resources
+# are using to the 'nobody' group. Configure systemd to:
+# - not use the 'wheel' group (journal access will be restriced to root user);
+# - use the proper group for 'nobody', which should have GID 65534 (for NFVA 'nogroup');
+EXTRA_OEMESON += " \
+    -Dwheel-group=false \
+    -Dnobody-group=nogroup \
+"
+
+do_configure_prepend_sota() {
+    cp ${WORKDIR}/basic.conf.in ${S}/sysusers.d/basic.conf.in
+}
+
+do_install_append () {
+    # Update default udev rules for /dev/kvm to be less permissive
+    sed -e 's/\(KERNEL=="kvm".*\)0666/\10660/' \
+        -i ${D}${rootlibexecdir}/udev/rules.d/50-udev-default.rules
+}
diff --git a/scripts/lib/wic/canned-wks/enea-nfv-access-vnf-qemux86-64.wks b/scripts/lib/wic/canned-wks/enea-edge-vnf-qemux86-64.wks
index 89c8e4d..89c8e4d 100644
--- a/scripts/lib/wic/canned-wks/enea-nfv-access-vnf-qemux86-64.wks
+++ b/scripts/lib/wic/canned-wks/enea-edge-vnf-qemux86-64.wks