Release of libvirt-10.7.0

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
NEWS: Mention fix for CVE-2024-8235
2025-09-29 13:44:45 +03:00 · 2024-09-02 11:47:19 +02:00 · 2024-09-02 09:06:34 +02:00 · 2024-09-01 23:38:41 +02:00 · 2024-08-29 13:52:12 +02:00 · 2024-08-29 10:33:20 +02:00
5223 changed files with 300974 additions and 211308 deletions
--- a/.github/workflows/lockdown.yml
+++ b/.github/workflows/lockdown.yml
@@ -23,7 +23,7 @@ jobs:
            Thank you for your interest in the libvirt project.

            Since this repository is a read-only mirror of the project's master
-            repostory hosted on GitLab, issues opened here are not processed.
+            repository hosted on GitLab, issues opened here are not processed.

            We kindly request that new issues are reported to

@@ -36,16 +36,13 @@ jobs:
            Thank you for your interest in the libvirt project.

            Since this repository is a read-only mirror of the project's master
-            repostory hosted on GitLab, merge requests opened here are not
+            repository hosted on GitLab, merge requests opened here are not
            processed.

-            We kindly request that contributors fork the project at
+            For main libvirt.git repository all patch review and discussion
+            only occurs on the devel mailing list.

-              https://gitlab.com/libvirt/libvirt/
-
-            push changes to the fork, and then open a new merge request at
-
-              https://gitlab.com/libvirt/libvirt/-/merge_requests/new
+              https://libvirt.org/submitting-patches.html

            Thank you for your time and understanding.
          lock-pr: true
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -6,6 +6,7 @@ stages:
  - builds
  - integration_tests
  - sanity_checks
+  - pages

 .script_variables: &script_variables |
  export CCACHE_BASEDIR="$(pwd)"
@@ -20,6 +21,7 @@ include:
  - '/ci/integration.yml'

 .native_build_job:
+  extends: .gitlab_native_build_job
  cache:
    paths:
      - ccache/
@@ -40,17 +42,8 @@ include:
        mv "$HOME"/rpmbuild/RPMS/x86_64/ libvirt-rpms/;
      fi

-.native_build_job_prebuilt_env:
-  extends:
-    - .native_build_job
-    - .gitlab_native_build_job_prebuilt_env
-
-.native_build_job_local_env:
-  extends:
-    - .native_build_job
-    - .gitlab_native_build_job_local_env
-
 .cross_build_job:
+  extends: .gitlab_cross_build_job
  cache:
    paths:
      - ccache/
@@ -68,21 +61,14 @@ include:
        fi;
      fi

-.cross_build_job_prebuilt_env:
-  extends:
-    - .cross_build_job
-    - .gitlab_cross_build_job_prebuilt_env
-
-.cross_build_job_local_env:
-  extends:
-    - .cross_build_job
-    - .gitlab_cross_build_job_local_env
-
-
 # This artifact published by this job is downloaded by libvirt.org to
 # be deployed to the web root:
 #    https://gitlab.com/libvirt/libvirt/-/jobs/artifacts/master/download?job=website
-.website_job:
+website_job:
+  extends: .gitlab_native_build_job
+  needs:
+    - job: x86_64-almalinux-9-container
+      optional: true
  script:
    - source ci/jobs.sh
    - run_website_build
@@ -96,50 +82,40 @@ include:
    expire_in: 30 days
    paths:
      - website
-
-website_prebuilt_env:
-  extends:
-    - .website_job
-    - .gitlab_native_build_job_prebuilt_env
-  needs:
-    - job: x86_64-almalinux-8-container
-      optional: true
  variables:
-    NAME: almalinux-8
+    NAME: almalinux-9
+    TARGET_BASE_IMAGE: docker.io/library/almalinux:9

-website_local_env:
-  extends:
-    - .website_job
-    - .gitlab_native_build_job_local_env
-  variables:
-    IMAGE: docker.io/library/almalinux:8
-    NAME: almalinux-8
-
-
-.codestyle_job:
-  stage: sanity_checks
+# On push to master publish the website from 'website_job' via gitlab pages
+pages:
+  stage: pages
  script:
-    - source ci/jobs.sh
-    - run_codestyle
+    - mv website public
+    - cp .gitlab_pages_redirects public/_redirects
+  dependencies:
+    - website_job
+  rules:
+    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+      when: always
+    - when: never
+  artifacts:
+    expose_as: 'pages'
+    name: 'pages'
+    paths:
+      - public

-codestyle_prebuilt_env:
-  extends:
-    - .codestyle_job
-    - .gitlab_native_build_job_prebuilt_env
+codestyle_job:
+  stage: sanity_checks
+  extends: .gitlab_native_build_job
  needs:
    - job: x86_64-opensuse-leap-15-container
      optional: true
+  script:
+    - source ci/jobs.sh
+    - run_codestyle
  variables:
    NAME: opensuse-leap-15
-
-codestyle_local_env:
-  extends:
-    - .codestyle_job
-    - .gitlab_native_build_job_local_env
-  variables:
-    IMAGE: registry.opensuse.org/opensuse/leap:15.4
-    NAME: opensuse-leap-15
-
+    TARGET_BASE_IMAGE: registry.opensuse.org/opensuse/leap:15.5

 # This artifact published by this job is downloaded to push to Weblate
 # for translation usage:
@@ -148,11 +124,11 @@ potfile:
  image: $CI_REGISTRY/$RUN_UPSTREAM_NAMESPACE/libvirt/ci-$NAME:latest
  stage: builds
  variables:
-    NAME: almalinux-8
+    NAME: almalinux-9
  before_script:
    - cat /packages.txt
  needs:
-    - job: x86_64-almalinux-8-container
+    - job: x86_64-almalinux-9-container
      optional: true
  rules:
    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
@@ -179,7 +155,7 @@ coverity:
  image: $CI_REGISTRY/$RUN_UPSTREAM_NAMESPACE/libvirt/ci-$NAME:latest
  stage: builds
  needs:
-    - job: x86_64-almalinux-8-container
+    - job: x86_64-almalinux-9-container
      optional: true
  before_script:
    - cat /packages.txt
@@ -191,7 +167,7 @@ coverity:
    - tar cfz cov-int.tar.gz cov-int
    - curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL --form file=@cov-int.tar.gz --form version="$(git describe --tags)" --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
  variables:
-    NAME: almalinux-8
+    NAME: almalinux-9
  rules:
    - if: '$COVERITY_SCAN_PROJECT_NAME == null || $COVERITY_SCAN_TOKEN == null'
      when: never
--- a/.gitlab_pages_redirects
+++ b/.gitlab_pages_redirects
@@ -0,0 +1,54 @@
+# Redirects to golang module pages
+/libvirt-go /libvirt-go.html 200
+/libvirt-go-xml /libvirt-go-xml.html 200
+/go/libvirt /go/libvirt.html 200
+/go/libvirtxml /go/libvirtxml.html 200
+
+# Redirects to the download server
+/sources/* https://download.libvirt.org/:splat 301
+/ruby/download/* https://download.libvirt.org/ruby/:splat 301
+/maven2/org/libvirt/* https://download.libvirt.org/maven2/org/libvirt/:splat 301
+
+# Redirects to subproject pages
+/ruby/* https://ruby.libvirt.org/:splat 301
+/ocaml/* https://ocaml.libvirt.org/:splat 301
+/php/* https://php.libvirt.org/:splat 301
+/libvirt-appdev-guide-python/en-US/html/* https://libvirt.gitlab.io/libvirt-appdev-guide-python/:splat: 301
+/java.html https://java.libvirt.org 301
+# Redirect to the proper javadoc directory on the subproject page
+/sources/java/javadoc/* https://java.libvirt.org/javadoc/:splat 301
+
+# Redirects from old gitweb location (see below)
+/git https://gitlab.com/libvirt/ 301
+
+# The above rules are adapted from the following set of 'mod_rewrite' rules used
+# originally on libvirt.org:
+#
+#    RewriteRule ^/libvirt-go$ /libvirt-go.html [L]
+#    RewriteRule ^/libvirt-go-xml$ /libvirt-go-xml.html [L]
+#    RewriteRule ^/go/libvirt$ /go/libvirt.html [L]
+#    RewriteRule ^/go/libvirtxml$ /go/libvirtxml.html [L]
+#    RewriteRule ^/sources/(.*) https://download.libvirt.org/$1 [L]
+#    RewriteRule ^/ruby/download/(.*) https://download.libvirt.org/ruby/$1 [L]
+#    RewriteRule ^/(maven2/org/libvirt.*) https://download.libvirt.org/$1 [L]
+#    RewriteRule ^/ocaml/(.*) https://ocaml.libvirt.org/$1 [L]
+#    RewriteRule ^/ruby/(.*) https://ruby.libvirt.org/$1 [L]
+#    RewriteRule ^/php/(.*) https://php.libvirt.org/$1 [L]
+#    RewriteRule ^/java.html https://java.libvirt.org [L]
+#    RewriteRule ^/docs/libvirt-appdev-guide-python/en-US/html/(.*) https://libvirt.gitlab.io/libvirt-appdev-guide-python/$1 [L]
+#    RewriteRule ^/git https://gitlab.com/libvirt/ [L]
+#
+#  Redirect replacing 'gitweb'. The 'gitweb' interface was originally replaced
+#  by the following redirect condition:
+#
+#    RewriteCond %{QUERY_STRING} p=([-a-zA-Z0-9]+).git
+#    RewriteRule ^/git/$ https://gitlab.com/libvirt/%1 [L]
+#
+# That unfortunately can't be represented in gitlab redirects as it doesn't
+# support redirects based on query strings. Given that the above redirect broke
+# most gitweb links anyways, due to handling only the 'p=' argument, git gitlab
+# redirect will break the rest of them.
+#
+#  The following rule was dropped as the page never existed:
+#
+#    RewriteRule ^/libvirt-console-proxy$ /libvirt-console-proxy.html [L]
--- a/.gitpublish
+++ b/.gitpublish
@@ -1,5 +1,5 @@
 [gitpublishprofile "default"]
 base = master
 to = devel@lists.libvirt.org
-prefix = libvirt PATCH
+prefix = PATCH
 suppresscc = misc-by
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -8,6 +8,615 @@ the changes introduced by each of them.
 For a more fine-grained view, use the `git log`_.


+v10.7.0 (2024-09-02)
+====================
+
+* **Security**
+
+  * CVE-2024-8235: Crash of ``virtinterfaced`` via ``virConnectListInterfaces()``
+
+    A refactor of the code fetching the list of interfaces for multiple APIs
+    introduced corner case on platforms where allocating 0 bytes of memory
+    results in a NULL pointer.
+
+    This corner case would lead to a NULL-pointer dereference and subsequent
+    crash of ``virtinterfaced`` if ``virConnectListInterfaces()`` is called
+    requesting 0 networks to be filled.
+
+    The bug was introduced in libvirt-10.4.0
+
+* **New features**
+
+  * qemu: Introduce the ability to disable the built-in PS/2 controller
+
+    It is now possible to control the state of the ``ps2`` feature in the
+    domain XML for descendants of the generic PC machine type (``i440fx``,
+    ``q35``, ``xenfv`` and ``isapc``).
+
+* **Improvements**
+
+  * ch: support restore with network devices
+
+    Cloud-Hypervisor starting from V40.0 supports restoring file descriptor
+    backed network devices. So, create new net fds and pass them via
+    SCM_RIGHTS to CH during restore operation.
+
+  * ch: support basic networking modes
+    Cloud-Hypervisor driver now supports Ethernet, Network (NAT) and Bridge
+    networking modes.
+
+v10.6.0 (2024-08-05)
+====================
+
+* **Removed features**
+
+  * qemu: Require QEMU-5.2.0 or newer
+
+    The minimal required version of QEMU was bumped to 5.2.0.
+
+* **New features**
+
+  * qemu: Add support for the 'pauth' Arm CPU feature
+
+  * Introduce pstore device
+
+    The aim of pstore device is to provide a bit of NVRAM storage for guest
+    kernel to record oops/panic logs just before it crashes. Typical usage
+    includes usage in combination with a watchdog so that the logs can be
+    inspected after the watchdog rebooted the machine.
+
+* **Improvements**
+
+  * qemu: Set 'passt' net backend if 'default' is unsupported
+
+    If QEMU is compiled without SLIRP support, and if domain XML allows it,
+    starting from this release libvirt will use passt as the default backend
+    instead. Also, supported backends are now reported in the domain
+    capabilities XML.
+
+  * qemu: add a monitor to /proc/$pid when killing times out
+
+    In cases when a QEMU process takes longer to be killed, libvirt might have
+    skipped cleaning up after it. But now a /proc/$pid watch is installed so
+    this does not happen ever again.
+
+* **Bug fixes**
+
+  * virt-aa-helper: Allow RO access to /usr/share/edk2-ovmf
+
+    When binary version of edk2 is distributed, the files reside under
+    /usr/share/edk2-ovmf. Allow virt-aa-helper to generate paths under that
+    directory.
+
+  * virt-host-validate: Allow longer list of CPU flags
+
+    During its run, virt-host-validate parses /proc/cpuinfo to learn about CPU
+    flags. But due to a bug it parsed only the first 1024 bytes worth of CPU
+    flags leading to unexpected results. The file is now parsed properly.
+
+  * capabilities: Be more forgiving when decoding OEM strings
+
+    On some systems, OEM strings are scattered in multiple sections. This
+    confused libvirt when generating capabilities XML. Not anymore.
+
+
+v10.5.0 (2024-07-01)
+====================
+
+* **New features**
+
+  * Introduce SEV-SNP support
+
+    SEV-SNP is introduced as another type of ``<launchSecurity/>``. Its support
+    is reported in both domain capabilities and ``virt-host-validate``.
+
+* **Improvements**
+
+  * tools: virt-pki-validate has been rewritten in C
+
+    The ``virt-pki-validate`` shell script has been rewritten as a C program,
+    providing an output format that matches ``virt-host-validate``, removing
+    the dependency on ``certtool`` and providing more comprehensive checks
+    of the certificate properties.
+
+  * qemu: implement iommu coldplug/unplug
+
+    The ``<iommu/>`` device can be now cold plugged and/or cold unplugged.
+
+  * Pass shutoff reason to release hook
+
+    Sometimes in release hook it is useful to know if the VM shutdown was
+    graceful or not. This is especially useful to do cleanup based on the VM
+    shutdown failure reason in release hook. Starting with this release the
+    last argument 'extra' is used to pass VM shutoff reason in the call to
+    release hook.
+
+  * nodedev: improve DASD detection
+
+    In newer DASD driver versions the ID_TYPE tag is supported. This tag is
+    missing after a system reboot but when the ccw device is set offline and
+    online the tag is included. To fix this version independently we need to
+    check if a device detected as type disk is actually a DASD to maintain the
+    node object consistency and not end up with multiple node objects for
+    DASDs.
+
+* **Bug fixes**
+
+  * remote_daemon_dispatch: Unref sasl session when closing client connection
+
+    A memory leak was identified when a client started SASL but then suddenly
+    closed connection. This is now fixed.
+
+  * qemu: Fix migration with disabled vmx-* CPU features
+
+    Migrating a domain with some vmx-* CPU features marked as disabled could
+    have failed as the destination would incorrectly expect those features to
+    be enabled after starting QEMU.
+
+  * qemu: Fix ``libvirtd``/``virtqemud`` crash when VM shuts down during migration
+
+    The libvirt daemon could crash when a VM was shut down while being migrated
+    to another host.
+
+
+v10.4.0 (2024-06-03)
+====================
+
+* **New features**
+
+  * qemu: Support for ras feature for virt machine type
+
+    It is now possible to set on/off ``ras`` feature in the domain XML for virt
+    (Arm) machine type as ``<ras state='on'/>``.
+
+  * SSH proxy for VM
+
+    Libvirt now installs a binary helper that allows connecting to QEMU domains
+    via SSH using the following scheme: ``ssh user@qemu/virtualMachine``.
+
+  * qemu: Support for ``virtio`` sound model
+
+    Sound devices can now be configured to use the virtio model with
+    ``<sound model='virtio'/>``. This model is available from QEMU 8.2.0
+    onwards.
+
+  * network: use nftables to setup virtual network firewall rules
+
+    The network driver can now use nftables rules for the virtual
+    network firewalls, rather than iptables. With the standard build
+    options, nftables is preferred over iptables (with fallback to
+    iptables if nftables isn't installed), but this can be modified at
+    build time, or at runtime via the firewall_backend setting in
+    network.conf. (NB: the nwfilter driver still uses
+    ebtables/iptables).
+
+* **Improvements**
+
+  * qemu: add zstd to supported compression formats
+
+    Extend the list of supported formats of QEMU save image by adding zstd
+    compression.
+
+  * qemu: Implement support for hotplugging evdev input devices
+
+    As of this release, hotplug and hotunplug of evdev ``<input/>`` devices is
+    supported.
+
+* **Bug fixes**
+
+  * virsh/virt-admin: Fix ``--help`` option for all commands
+
+    A bug introduced in `v10.3.0 (2024-05-02)`_ caused that the attempt to print
+    help for any command by using the ``--help`` option in ``virsh`` and
+    ``virt-admin`` would print::
+
+      $ virsh list --help
+      error: command 'list' doesn't support option --help
+
+    instead of the help output. A workaround for the affected version is to use
+    the help command::
+
+      $ virsh help list
+
+  * qemu: Fix ``virsh save`` and migration when storage in question is root_squashed NFS
+
+    Attempting to save a VM to a root_squash NFS mount or migrating with disks
+    hosted on such mount could, in some scenarios, result in error stating::
+
+      'Unknown error 255'
+
+    The bug was introduced in `v10.1.0 (2024-03-01)`_.
+
+  * qemu: Don't set affinity for isolcpus unless explicitly requested
+
+    When starting a domain, by default libvirt sets affinity of QEMU process to
+    all online CPUs. This also included isolated CPUs (``isolcpus=``) which is
+    wrong. As of this release, isolated CPUs are left untouched, unless
+    explicitly configured in domain XML.
+
+  * qemu_hotplug: Properly assign USB address to hotplugged usb-net device
+
+    Previously, the network device hotplug logic would try to ensure only CCW
+    or PCI addresses. With recent support for the usb-net model, USB addresses
+    for usb-net network devices are assigned automatically.
+
+  * qemu: Fix hotplug of ``virtiofs`` filesystem device with ``<boot order=`` set
+
+    The bug was introduced in `v10.3.0 (2024-05-02)`_ when attempting to reject
+    unsupported configurations. During hotplug the addresses are
+    assigned after validation and thus errorneously reject valid configs.
+
+
+v10.3.0 (2024-05-02)
+====================
+
+* **New features**
+
+  * qemu: Proper support for USB network device
+
+    USB address is now automatically assigned to USB network devices thus they
+    can be used without manual configuration.
+
+  * conf: Introduce memReserve attribute to <controller/>
+
+    Some PCI devices have large non-prefetchable memory. This can be a problem
+    in case when such device needs to be hotplugged as the firmware can't
+    foresee such situation. The user thus can override the value calculated at
+    start to accomodate for such devices.
+
+* **Improvements**
+
+  * Improve validation of USB devices
+
+    Certain USB device types ('sound', 'fs', 'chr', 'ccid' and 'net') were not
+    properly handled in the check whether the VM config supports USB and thus
+    would result in poor error messages.
+
+  * virsh: Fix behaviour of ``--name`` and ``--parent`` used together when listing checkpoint and snapshots
+
+    The ``checkpoint-list`` and ``snapshot-list`` commands would ignore the
+    ``--name`` option to print only the name when used with ``--parent``.
+
+  * Extend libvirt-guests to shutdown only persistent VMs
+
+    Users can now choose to shutdown only persistent VMs when the host is being
+    shut down.
+
+* **Bug fixes**
+
+  * qemu: Fix migration with custom XML
+
+    Libvirt 10.2.0 would sometimes complain about incompatible CPU definition
+    when trying to migrate or save a domain and passing a custom XML even
+    though such XML was properly generated as migratable. Hitting this bug
+    depends on the guest CPU definition and the host on which a particular
+    domain was running.
+
+  * qemu: Fix TLS hostname verification failure in certain non-shared storage migration scenarios
+
+    In certain scenarios (parallel migration, newly also post-copy migration)
+    libvirt would wrongly pass an empty hostname to QEMU to be used for TLS
+    certificate hostname validation, which would result into failure of the
+    non-shared storage migration step::
+
+     error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname
+
+  * Create OVS ports as transient
+
+    Libvirt now creates OVS ports as transient which prevents them from
+    reappearing or going stale on sudden reboots.
+
+  * Clear OVS QoS settings when domain shuts down
+
+    Libvirt now clears QoS settings on domain shutdown, so they no longer pile
+    up in OVS database.
+
+
+v10.2.0 (2024-04-02)
+====================
+
+* **New features**
+
+  * ch: Basic save and restore support for ch driver
+
+    The ch driver now supports basic save and restore operations. This is
+    functional on domains without any network, host device config defined.
+    The ``path`` parameter for save and restore should be a directory.
+
+  * qemu: Support for driver type ``mtp`` in ``<filesystem/>`` devices
+
+    The ``mtp`` driver type exposes the ``usb-mtp`` device in QEMU. The
+    guest can access files on this driver through the Media Transfer
+    Protocol (MTP).
+
+  * qemu: Added support for the loongarch64 architecture
+
+    It is now possible for libvirt to run loongarch64 guests, including on
+    other architectures via TCG. For the best results, it is recommended to
+    use the upcoming QEMU 9.0.0 release together with the development version
+    of edk2.
+
+  * qemu: Introduce virDomainGraphicsReload API
+
+    Reloading the graphics display is now supported for QEMU guests using
+    VNC. This is useful to make QEMU reload the TLS certificates without
+    restarting the guest. Available via the ``virDomainGraphicsReload`` API
+    and the ``domdisplay-reload`` virsh command.
+
+* **Bug fixes**
+
+  * qemu: Fix migration from libvirt older than 9.10.0 when vmx is enabled
+
+    A domain with vmx feature enabled (which may be even done automatically
+    with ``mode='host-model'``) started by libvirt 9.9.0 or older cannot be
+    migrated to libvirt 9.10.0, 10.0.0, and 10.1.0 as the target host would
+    complain about a lot of extra ``vmx-*`` features. Migration of similar
+    domains started by the affected releases to libvirt 9.9.0 and older
+    does not work either. Since libvirt 10.2.0 migration works again with
+    libvirt 9.9.0 and older in both directions. Migration from the affected
+    releases to 10.2.0 works as well, but the other direction remains broken
+    unless the fix is backported.
+
+  * node_device: Don't report spurious errors from PCI VPD parsing
+
+    In last release the PCI Vital Product Data parser was enhanced to report
+    errors but that effort failed as some kernels have the file but don't allow
+    reading it causing logs to be spammed with::
+
+      libvirtd[21055]: operation failed: failed to read the PCI VPD data
+
+    Since the data is used only in the node device XML and errors are ignored if
+    the parsing failed, this release removes all the error reporting.
+
+  * qemu: set correct SELinux label for unprivileged virtiofsd
+
+    It is now possible to use virtiofsd-based ``<filesystem>`` shares even
+    if the guest is confined using SELinux.
+
+  * qemu: fix a crash on unprivileged virtiofsd hotplug
+
+    Hotplugging virtiofsd-based filesystems works now.
+
+  * virt-admin: Fix segfault when libvirtd dies
+
+    ``virt-admin`` no longer crashes when ``libvirtd`` unexpectedly closes
+    the connection.
+
+
+v10.1.0 (2024-03-01)
+====================
+
+* **Security**
+
+  * ``CVE-2024-1441``: Fix off-by-one error leading to a crash
+
+    In **libvirt-1.0.0** there were couple of interface listing APIs
+    introduced which had an off-by-one error.  That error could lead to a
+    very rare crash if an array was passed to those functions which did
+    not fit all the interfaces.
+
+    In **libvirt-5.10** a check for non-NULL arrays has been adjusted to
+    allow for NULL arrays with size 0 instead of rejecting all NULL
+    arrays.  However that made the above issue significantly worse since
+    that off-by-one error now did not write beyond an array, but
+    dereferenced said NULL pointer making the crash certain in a
+    specific scenario in which a NULL array of size 0 was passed to the
+    aforementioned functions.
+
+* **New features**
+
+  * nodedev: Support updating mdevs
+
+    The node device driver has been extended to allow updating mediated node
+    devices. Options are available to target the update against the persistent,
+    active or both configurations of a mediated device.
+    **Note:** The support is only available with at least mdevctl v1.3.0 installed.
+
+  * qemu: Add support for /dev/userfaultfd
+
+    On hosts with new enough kernel which supports /dev/userfaultfd libvirt will
+    now automatically grant QEMU access to this device. It's no longer needed to
+    set vm.unprivileged_userfaultfd sysctl.
+
+  * qemu: Support clusters in CPU topology
+
+    It is now possible to configure the guest CPU topology to use clusters.
+    Additionally, if CPU clusters are present in the host topology, they will
+    be reported as part of the capabilities XML.
+
+  * network: Make virtual domains resolvable from the host
+
+    When starting a virtual network with a new ``register='yes'`` attribute
+    in the ``<domain>`` element, libvirt will configure ``systemd-resolved``
+    to resolve names of the connected guests using the name server started
+    for this network.
+
+  * qemu: Introduce dynamicMemslots attribute for virtio-mem
+
+    QEMU now allows setting ``.dynamic-memslots`` attribute for virtio-mem-pci
+    devices. When turned on, it allows memory exposed to guest to be split into
+    multiple memory slots and thus smaller memory footprint (see the original
+    commit for detailed explanation).
+
+* **Improvements**
+
+  * nodedev: Add ability to update persistent mediated devices by defining them
+
+    Existing persistent mediated devices can now also be updated by
+    ``virNodeDeviceDefineXML()`` as long as parent and UUID remain unchanged.
+
+  * ch: Enable ``ethernet`` interface mode support
+
+    ``<interface type='ethernet'/>`` can now be used for CH domains.
+
+  * viraccessdriverpolkit: Add missing vtpm case
+
+    Secrets with ``<usage type='vtpm'>`` were left unable to be checked for in
+    the access driver, i.e. in ACL rules. Missing code was provided.
+
+  * virt-admin: Notify users to use explicit URI if connection fails
+
+    ``virt-admin`` doesn't try to guess the URI of the daemon to manage so a
+    failure to connect may be confusing for users if modular daemons are used.
+    Add a hint to use the URI of the dameon to manage.
+
+* **Bug fixes**
+
+  * qemu_process: Skip over non-virtio non-TAP NIC models when refreshing rx-filter
+
+    If ``trustGuestRxFilters`` is enabled for a vNIC that doesn't support it,
+    libvirt may throw an error when such domain is being started, loaded from a
+    saved state, migrated, etc. These errors are now silenced, but make sure to
+    fix such configurations (after previous release it is even possible to
+    change ``trustGuestRxFilters`` value on live domains via
+    ``virDomainUpdateDeviceFlags()`` or ``virsh device-update``).
+
+  * domain: Fix check for overlapping ``<memory/>`` devices
+
+    A bug was identified which caused libvirt to report two NVDIMMs as
+    overlapping even though they weren't. This now fixed.
+
+  * vmx: Accept empty fileName for cdrom-image
+
+    Turns out, ``fileName`` attribute (which contains path to CDROM image) can
+    be set to an empty string (``""``) to denote a state in which the CDROM has
+    no medium in it. Libvirt used to reject such configuration file, but not
+    anymore.
+
+  * qemu_hotplug: Don't lose 'created' flag in qemuDomainChangeNet()
+
+    When starting a domain, libvirt tracks what resources it created for it and
+    which were pre-existing and uses this information to preserve pre-existing
+    resources when cleaning up after said domain is shut off. But for macvtaps
+    this information was lost after the macvtap device was changed (e.g. via
+    ``virsh update-device``).
+
+  * Fix virStream hole handling
+
+    When a client sent multiple holes into a virStream it may have caused
+    daemon hangup as the daemon stopped processing RPC from the client
+    temporarily. This is now fixed.
+
+  * nodedev: Don't generate broken XML with certain hardware
+
+    A broken node device XML would be generated in a rare case when a hardware
+    device had certain characters in the VPD fields.
+
+  * qemu: Fix reservation of manually specified port for disk migration
+
+    A manually specified port would not be relased after disk migration making
+    it impossible to use it again.
+
+
+v10.0.0 (2024-01-15)
+====================
+
+* **New features**
+
+  * qemu: Enable ``postcopy-preempt`` migration capability
+
+    Post-copy migrations are now started with ``postcopy-preempt``
+    capability enabled as long as it is supported by both sides of migration.
+    This should enable faster migration of memory pages that the destination
+    tries to read before they are migrated from the source.
+
+  * qemu: Add support for mapping iothreads to virtqueues of ``virtio-blk`` devices
+
+    QEMU added the possibility to map multiple ``iothreads`` to a single
+    ``virtio-blk`` device and map them even to specific virtqueues. Libvirt
+    adds a ``<iothreads>`` subelement of the ``<disk> <driver>`` element that
+    users can use to configure the mapping.
+
+  * qemu: Allow automatic resize of block-device-backed disk to full size of the device
+
+    The new flag ``VIR_DOMAIN_BLOCK_RESIZE_CAPACITY`` for
+    ``virDomainBlockResize`` allows resizing a block-device backed ``raw`` disk
+    of a VM without the need to specify the full size of the block device.
+
+  * qemu: automatic selection/binding of VFIO variant drivers
+
+    When a device is assigned to a guest using VFIO with ``<hostdev
+    managed='yes'>``, libvirt will now search the running kernel's
+    modules.alias file for the most specific match to that device for
+    a VFIO driver, and bind that driver to the device rather than
+    vfio-pci. A specific driver can also be forced, using the
+    ``<driver model='plugh'/>`` attribute.
+
+  * qemu: add runtime configuration option for nbdkit
+
+    Since the new nbdkit support requires a recent selinux policy that is not
+    widely available yet, it is now possible to build libvirt with nbdkit
+    support for remote disks but disabled at runtime. This behavior is
+    controlled via the storage_use_nbdkit option of the qemu driver
+    configuration file. The option will default to being disabled, but this may
+    change in a future release and can be customized with the
+    nbdkit_config_default build option.
+
+  * qemu: add ID mapping support for virtiofsd
+
+    New ``<idmap>`` element was added for virtiofsd-based ``<filesystem>``
+    devices. It can be used to set up UID and GID mapping between host
+    and guest, making running virtiofsd unprivileged much more useful.
+
+* **Improvements**
+
+  * qemu: Improve migration XML use when persisting VM on destination
+
+    When migrating a VM with a custom migration XML, use it as a base for
+    persisting it on the destination as users could have changed non-ABI
+    breaking facts which would prevent subsequent start if the old XML were used.
+
+  * qemu: Simplify non-shared storage migration to ``raw`` block devices
+
+    The phase of copying storage during migration without shared storage
+    requires that both the source and destination image are identical in size.
+    This may not be possible if the destination is backed by a block device
+    and the source image size is not a multiple of the block device block size.
+
+    Libvirt aleviates this by automatically adding a ``<slice>`` to match the
+    size of the source image rather than failing the migration.
+
+  * test driver: Support for hotplug/hotunplug of PCI devices
+
+    The test driver now supports basic hotplug and hotunplug of PCI devices.
+
+  * qemu: allow virtiofsd to run unprivileged
+
+    Nowadays virtiofsd no longer requires to run with root privileges, so the
+    restriction to always run as root is now removed from libvirt too.
+
+* **Bug fixes**
+
+  * qemu: Various migration bug fixes and debuggability improvement
+
+    This release fixes multiple bugs in virsh and libvirt in handling of
+    migration arguments and XMLs and modifies error reporting for better
+    debugging.
+
+  * conf: Restore setting default bus for input devices
+
+    Because of a regression, starting from 9.3.0 libvirt did not autofill bus
+    for input devices. With this release the regression was identified and
+    fixed.
+
+  * qemu: Relax check for memory device coldplug
+
+    Because of a check that was too aggressive, a virtio-mem memory device
+    could not be cold plugged. This is now fixed.
+
+  * qemu: Be less aggressive when dropping channel source paths
+
+    Another regression is resolved, (introduced in 9.7.0) when libvirt was too
+    aggressive when dropping parsed paths for <channel/> sources
+
+  * qemuDomainChangeNet: Reflect trustGuestRxFilters change
+
+    On device-update, when a user requested change of trustGuestRxFilters for a
+    domain's <interface/> libvirt did nothing. It did not throw an error nor
+    did it reflect the change. Starting with this release, the change is
+    reflected.
+
+
 v9.10.0 (2023-12-01)
 ====================

@@ -75,6 +684,7 @@ v9.9.0 (2023-11-01)
    The ``virsh create --console`` now tries to connect to the guest console
    before starting the vCPUs.

+
 v9.8.0 (2023-10-02)
 ===================

@@ -117,6 +727,7 @@ v9.8.0 (2023-10-02)
    Now libvirt validates more values of virtio-mem and virtio-pmem devices,
    e.g. overlapping memory addresses or alignment.

+
 v9.7.0 (2023-09-01)
 ===================

@@ -160,10 +771,10 @@ v9.6.0 (2023-08-01)

  * ``CVE-2023-3750``: Fix race condition in storage driver leading to a crash

-   In **libvirt-8.3** a bug was introduced which in rare cases could cause
-   ``libvirtd`` or ``virtstoraged`` to crash if multiple clients attempted to
-   look up a storage volume by key, path or target path, while other clients
-   attempted to access something from the same storage pool.
+    In **libvirt-8.3** a bug was introduced which in rare cases could cause
+    ``libvirtd`` or ``virtstoraged`` to crash if multiple clients attempted to
+    look up a storage volume by key, path or target path, while other clients
+    attempted to access something from the same storage pool.

 * **Improvements**

@@ -1967,17 +2578,17 @@ v7.1.0 (2021-03-01)

  * qemu: Fix disk quiescing rollback when creating external snapshots

-   If the qemu guest agent call to freeze filesystems failed when creating
-   an external snapshot with ``VIR_DOMAIN_SNAPSHOT_CREATE_QUIESCE`` flag the
-   filesystems would be unconditionally thawed. This could cause problems when
-   the filesystems were frozen by an explicit call to ``virDomainFSFreeze``
-   since the guest agent then rejects any further freeze attempts once are
-   filesystems frozen, an explicit freeze followed by a quiesced snapshot
-   would fail and thaw filesystems.
+    If the qemu guest agent call to freeze filesystems failed when creating
+    an external snapshot with ``VIR_DOMAIN_SNAPSHOT_CREATE_QUIESCE`` flag the
+    filesystems would be unconditionally thawed. This could cause problems when
+    the filesystems were frozen by an explicit call to ``virDomainFSFreeze``
+    since the guest agent then rejects any further freeze attempts once are
+    filesystems frozen, an explicit freeze followed by a quiesced snapshot
+    would fail and thaw filesystems.

-   Users are also encouraged to use ``virDomainFSFreeze/Thaw`` manually instead
-   of relying on ``VIR_DOMAIN_SNAPSHOT_CREATE_QUIESCE`` if they need finer
-   grained control.
+    Users are also encouraged to use ``virDomainFSFreeze/Thaw`` manually instead
+    of relying on ``VIR_DOMAIN_SNAPSHOT_CREATE_QUIESCE`` if they need finer
+    grained control.

  * cgroups: Fix how we setup and configure cgroups on hosts with systemd

@@ -2139,11 +2750,12 @@ v6.10.0 (2020-12-01)
  * qemu: Enable client TLS certificate validation by default for ``chardev``,
    ``migration``, and ``backup`` servers.

-  The default value if qemu.conf options ``chardev_tls_x509_verify``,
-  ``migrate_tls_x509_verify``, or  ``backup_tls_x509_verify`` are not specified
-  explicitly in the config file and also the ``default_tls_x509_verify`` config
-  option is missing are now '1'. This ensures that only legitimate clients
-  access servers, which don't have any additional form of authentication.
+    The default value if qemu.conf options ``chardev_tls_x509_verify``,
+    ``migrate_tls_x509_verify``, or  ``backup_tls_x509_verify`` are not
+    specified explicitly in the config file and also the
+    ``default_tls_x509_verify`` config option is missing are now '1'. This
+    ensures that only legitimate clients access servers, which don't have any
+    additional form of authentication.

  * qemu: Introduce "migrate_tls_force" qemu.conf option

@@ -2535,7 +3147,6 @@ v6.6.0 (2020-08-02)
    management applications may wish to override this behaviour. This is now
    possible via new ``cow`` element.

-
 * **Improvements**

  * esx: Change the NIC limit for recent virtualHW versions
@@ -2560,7 +3171,6 @@ v6.6.0 (2020-08-02)
    instead of all possible CPUs are returned making these APIs consistent with
    the behavior of ``vcpuinfo``.

-
 * **Bug fixes**

  * virdevmapper: Don't use libdevmapper to obtain dependencies
--- a/build-aux/syntax-check.mk
+++ b/build-aux/syntax-check.mk
@@ -1,13 +1,12 @@
 #
-# Rules for running syntax-check, derived from gnulib's
-# maint.mk
+# Rules for running syntax-check, derived from gnulib's top/maint.mk
 #
 # Specifically, all shared code should match gnulib commit
 #
-#   dd2503c8e73621e919e8e214a29c495ac89d8a92 (2022-05-21)
+#   d5191e456737661d4a0df5287f6c2064ab74dbbe (2024-02-15)
 #
 # Copyright (C) 2008-2019 Red Hat, Inc.
-# Copyright (C) 2001-2022 Free Software Foundation, Inc.
+# Copyright (C) 2001-2024 Free Software Foundation, Inc.

 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -1083,7 +1082,8 @@ sc_prohibit_stdio--_without_use:
 	@h='stdio--.h' re='\<((f(re)?|p)open|tmpfile) *\(' \
 	  $(_sc_header_without_use)

-_stddef_syms_re = NULL|offsetof|ptrdiff_t|size_t|wchar_t
+_stddef_syms_re = \
+  NULL|max_align_t|nullptr_t|offsetof|ptrdiff_t|size_t|unreachable|wchar_t
 # Prohibit the inclusion of stddef.h without an actual use.
 sc_prohibit_stddef_without_use:
 	@h='stddef.h' \
@@ -1310,26 +1310,9 @@ sc_prohibit_path_max_allocation:
 	halt='Avoid stack allocations of size PATH_MAX' \
 	  $(_sc_search_regexp)

-ifneq ($(_gl-Makefile),)
-syntax-check: sc_spacing-check \
-	sc_prohibit-duplicate-header sc_mock-noinline sc_group-qemu-caps \
-        sc_header-ifdef
-	@if ! cppi --version >/dev/null 2>&1; then \
-		echo "*****************************************************" >&2; \
-		echo "* cppi not installed, some checks have been skipped *" >&2; \
-		echo "*****************************************************" >&2; \
-	fi; \
-	if [ -z "$(FLAKE8)" ]; then \
-		echo "*****************************************************" >&2; \
-		echo "* flake8 not installed, sc_flake8 has been skipped  *" >&2; \
-		echo "*****************************************************" >&2; \
-	fi
-	if [ -z "$(BLACK)" ]; then \
-		echo "*****************************************************" >&2; \
-		echo "* black not installed, sc_black has been skipped    *" >&2; \
-		echo "*****************************************************" >&2; \
-	fi
-endif
+sc_unportable_grep_q:
+	@prohibit='grep ''-q' halt="unportable 'grep ""-q', use >/dev/null instead" \
+	  $(_sc_search_regexp)

 # Don't include duplicate header in the source (either *.c or *.h)
 sc_prohibit-duplicate-header:
@@ -1359,6 +1342,11 @@ sc_prohibit_enum_impl_with_vir_prefix_in_virsh:
 	halt='avoid "vir" prefix for enums in virsh' \
 	  $(_sc_search_regexp)

+sc_rst_since:
+	@prohibit=':since:`[^`]+$|:since:`[^`]+[.,;]`|:since:`[^`]+` [.,;]' \
+	halt='format :since: correctly' \
+	  $(_sc_search_regexp)
+

 ## ---------- ##
 ## Exceptions ##
@@ -1398,7 +1386,7 @@ exclude_file_name_regexp--sc_prohibit_close = \
  (\.p[yl]$$|\.spec\.in$$|^docs/|^(src/util/vir(file|event)\.c|src/libvirt-stream\.c|tests/(vir.+mock\.c|commandhelper\.c|qemusecuritymock\.c)|tools/nss/libvirt_nss_(leases|macs)\.c)|tools/virt-qemu-qmp-proxy$$)

 exclude_file_name_regexp--sc_prohibit_empty_lines_at_EOF = \
-  ((^tests/(nodedevmdevctl|viracpi|virhostcpu|virpcitest|virstoragetest|qemunbdkit)data/|docs/js/.*\.js|docs/fonts/.*\.woff|\.diff|tests/virconfdata/no-newline\.conf$$)|\.bin)
+  ((^tests/(nodedevmdevctl|viracpi|virhostcpu|virpcitest|virstoragetest|qemunbdkit|virshtest)data/|docs/js/.*\.js|docs/fonts/.*\.woff|\.diff|tests/virconfdata/no-newline\.conf$$)|\.bin)

 exclude_file_name_regexp--sc_prohibit_fork_wrappers = \
  (^(src/(util/(vircommand|virdaemon)|lxc/lxc_controller)|tests/testutils)\.c$$)
@@ -1449,7 +1437,7 @@ exclude_file_name_regexp--sc_require_config_h_first = \
 	^(examples/|tools/virsh-edit\.c$$|tests/virmockstathelpers\.c$$|scripts/rpcgen/tests/test_demo\.c$$)

 exclude_file_name_regexp--sc_trailing_blank = \
-  /sysinfodata/.*\.data|/virhostcpudata/.*\.cpuinfo$$
+  /sysinfodata/.*\.data|/virhostcpudata/.*\.cpuinfo|tests/virshtestdata/.*$$

 exclude_file_name_regexp--sc_unmarked_diagnostics = \
  ^(scripts/apibuild.py|tests/virt-aa-helper-test|docs/js/.*\.js)$$
@@ -1478,7 +1466,7 @@ exclude_file_name_regexp--sc_prohibit_mixed_case_abbreviations = \
  ^src/(vbox/vbox_CAPI.*.h|esx/esx_vi.(c|h)|esx/esx_storage_backend_iscsi.c)$$

 exclude_file_name_regexp--sc_prohibit_empty_first_line = \
-  ^tests/vmwareverdata/fusion-5.0.3.txt|scripts/rpcgen/tests/demo\.c$$
+  ^tests/vmwareverdata/fusion-5.0.3.txt|scripts/rpcgen/tests/demo\.c|^tests/virshtestdata/.*$$

 exclude_file_name_regexp--sc_prohibit_useless_translation = \
  ^tests/virpolkittest.c
--- a/ci/buildenv/almalinux-9.sh
+++ b/ci/buildenv/almalinux-9.sh
@@ -7,8 +7,7 @@
 function install_buildenv() {
    dnf update -y
    dnf install 'dnf-command(config-manager)' -y
-    dnf config-manager --set-enabled -y powertools
-    dnf install -y centos-release-advanced-virtualization
+    dnf config-manager --set-enabled -y crb
    dnf install -y epel-release
    dnf install -y \
        audit-libs-devel \
@@ -17,6 +16,7 @@ function install_buildenv() {
        ca-certificates \
        ccache \
        clang \
+        compiler-rt \
        cpp \
        cyrus-sasl-devel \
        device-mapper-devel \
@@ -31,7 +31,6 @@ function install_buildenv() {
        glib2-devel \
        glibc-devel \
        glibc-langpack-en \
-        glusterfs-api-devel \
        gnutls-devel \
        grep \
        iproute \
@@ -61,35 +60,38 @@ function install_buildenv() {
        lvm2 \
        make \
        meson \
-        netcf-devel \
        nfs-utils \
        ninja-build \
        numactl-devel \
        numad \
        parted-devel \
-        perl \
+        perl-base \
        pkgconfig \
        polkit \
        python3 \
        python3-docutils \
        python3-flake8 \
+        python3-pip \
        python3-pytest \
+        python3-setuptools \
+        python3-wheel \
        qemu-img \
        readline-devel \
        rpm-build \
        sanlock-devel \
-        scrub \
        sed \
        systemd-devel \
        systemd-rpm-macros \
        systemtap-sdt-devel \
        wireshark-devel \
        yajl-devel
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    rpm -qa | sort > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+    /usr/bin/pip3 install black
 }

 export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
--- a/ci/buildenv/alpine-319.sh
+++ b/ci/buildenv/alpine-319.sh
@@ -13,6 +13,7 @@ function install_buildenv() {
        audit-dev \
        augeas \
        bash-completion \
+        black \
        ca-certificates \
        ccache \
        ceph-dev \
@@ -67,7 +68,8 @@ function install_buildenv() {
        wireshark-dev \
        xen-dev \
        yajl-dev
-    apk list | sort > /packages.txt
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
+    apk list --installed | sort > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
--- a/ci/buildenv/alpine-edge.sh
+++ b/ci/buildenv/alpine-edge.sh
@@ -13,6 +13,7 @@ function install_buildenv() {
        audit-dev \
        augeas \
        bash-completion \
+        black \
        ca-certificates \
        ccache \
        ceph-dev \
@@ -67,7 +68,8 @@ function install_buildenv() {
        wireshark-dev \
        xen-dev \
        yajl-dev
-    apk list | sort > /packages.txt
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
+    apk list --installed | sort > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
--- a/ci/buildenv/centos-stream-8.sh
+++ b/ci/buildenv/centos-stream-8.sh
@@ -1,100 +0,0 @@
-# THIS FILE WAS AUTO-GENERATED
-#
-#  $ lcitool manifest ci/manifest.yml
-#
-# https://gitlab.com/libvirt/libvirt-ci
-
-function install_buildenv() {
-    dnf distro-sync -y
-    dnf install 'dnf-command(config-manager)' -y
-    dnf config-manager --set-enabled -y powertools
-    dnf install -y centos-release-advanced-virtualization
-    dnf install -y epel-release
-    dnf install -y epel-next-release
-    dnf install -y \
-        audit-libs-devel \
-        augeas \
-        bash-completion \
-        ca-certificates \
-        ccache \
-        clang \
-        cpp \
-        cyrus-sasl-devel \
-        device-mapper-devel \
-        diffutils \
-        dwarves \
-        ebtables \
-        firewalld-filesystem \
-        fuse-devel \
-        gcc \
-        gettext \
-        git \
-        glib2-devel \
-        glibc-devel \
-        glibc-langpack-en \
-        glusterfs-api-devel \
-        gnutls-devel \
-        grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
-        kmod \
-        libacl-devel \
-        libattr-devel \
-        libblkid-devel \
-        libcap-ng-devel \
-        libcurl-devel \
-        libiscsi-devel \
-        libnbd-devel \
-        libnl3-devel \
-        libpcap-devel \
-        libpciaccess-devel \
-        librbd-devel \
-        libselinux-devel \
-        libssh-devel \
-        libssh2-devel \
-        libtirpc-devel \
-        libwsman-devel \
-        libxml2 \
-        libxml2-devel \
-        libxslt \
-        lvm2 \
-        make \
-        meson \
-        netcf-devel \
-        nfs-utils \
-        ninja-build \
-        numactl-devel \
-        numad \
-        parted-devel \
-        perl \
-        pkgconfig \
-        polkit \
-        python3 \
-        python3-docutils \
-        python3-flake8 \
-        python3-pytest \
-        qemu-img \
-        readline-devel \
-        rpm-build \
-        sanlock-devel \
-        scrub \
-        sed \
-        systemd-devel \
-        systemd-rpm-macros \
-        systemtap-sdt-devel \
-        wireshark-devel \
-        yajl-devel
-    rpm -qa | sort > /packages.txt
-    mkdir -p /usr/libexec/ccache-wrappers
-    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
-    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
-    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
-}
-
-export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
-export LANG="en_US.UTF-8"
-export MAKE="/usr/bin/make"
-export NINJA="/usr/bin/ninja"
-export PYTHON="/usr/bin/python3"
--- a/ci/buildenv/centos-stream-9.sh
+++ b/ci/buildenv/centos-stream-9.sh
@@ -17,6 +17,7 @@ function install_buildenv() {
        ca-certificates \
        ccache \
        clang \
+        compiler-rt \
        cpp \
        cyrus-sasl-devel \
        device-mapper-devel \
@@ -43,6 +44,7 @@ function install_buildenv() {
        libblkid-devel \
        libcap-ng-devel \
        libcurl-devel \
+        libiscsi-devel \
        libnbd-devel \
        libnl3-devel \
        libpcap-devel \
@@ -70,23 +72,27 @@ function install_buildenv() {
        python3 \
        python3-docutils \
        python3-flake8 \
+        python3-pip \
        python3-pytest \
+        python3-setuptools \
+        python3-wheel \
        qemu-img \
        readline-devel \
        rpm-build \
        sanlock-devel \
-        scrub \
        sed \
        systemd-devel \
        systemd-rpm-macros \
        systemtap-sdt-devel \
        wireshark-devel \
        yajl-devel
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    rpm -qa | sort > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+    /usr/bin/pip3 install black
 }

 export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
--- a/ci/buildenv/debian-11-cross-aarch64.sh
+++ b/ci/buildenv/debian-11-cross-aarch64.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-dev \
            libxml2-utils \
            locales \
            lvm2 \
@@ -42,11 +44,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture arm64
    apt-get update
--- a/ci/buildenv/debian-11-cross-armv6l.sh
+++ b/ci/buildenv/debian-11-cross-armv6l.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-dev \
            libxml2-utils \
            locales \
            lvm2 \
@@ -42,11 +44,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture armel
    apt-get update
--- a/ci/buildenv/debian-11-cross-armv7l.sh
+++ b/ci/buildenv/debian-11-cross-armv7l.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-dev \
            libxml2-utils \
            locales \
            lvm2 \
@@ -42,11 +44,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture armhf
    apt-get update
--- a/ci/buildenv/debian-11-cross-i686.sh
+++ b/ci/buildenv/debian-11-cross-i686.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-dev \
            libxml2-utils \
            locales \
            lvm2 \
@@ -42,11 +44,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture i386
    apt-get update
--- a/ci/buildenv/debian-11-cross-mips64el.sh
+++ b/ci/buildenv/debian-11-cross-mips64el.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-dev \
            libxml2-utils \
            locales \
            lvm2 \
@@ -42,11 +44,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture mips64el
    apt-get update
--- a/ci/buildenv/debian-11-cross-mipsel.sh
+++ b/ci/buildenv/debian-11-cross-mipsel.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-dev \
            libxml2-utils \
            locales \
            lvm2 \
@@ -42,11 +44,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture mipsel
    apt-get update
--- a/ci/buildenv/debian-11-cross-ppc64le.sh
+++ b/ci/buildenv/debian-11-cross-ppc64le.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-dev \
            libxml2-utils \
            locales \
            lvm2 \
@@ -42,11 +44,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture ppc64el
    apt-get update
--- a/ci/buildenv/debian-11-cross-s390x.sh
+++ b/ci/buildenv/debian-11-cross-s390x.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-dev \
            libxml2-utils \
            locales \
            lvm2 \
@@ -42,11 +44,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture s390x
    apt-get update
--- a/ci/buildenv/debian-11.sh
+++ b/ci/buildenv/debian-11.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            clang \
@@ -35,6 +36,7 @@ function install_buildenv() {
            libblkid-dev \
            libc6-dev \
            libcap-ng-dev \
+            libclang-dev \
            libcurl4-gnutls-dev \
            libdevmapper-dev \
            libfuse-dev \
@@ -77,13 +79,13 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            systemtap-sdt-dev \
            wireshark-dev \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' --show > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
--- a/ci/buildenv/debian-12-cross-aarch64.sh
+++ b/ci/buildenv/debian-12-cross-aarch64.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture arm64
    apt-get update
--- a/ci/buildenv/debian-12-cross-armv6l.sh
+++ b/ci/buildenv/debian-12-cross-armv6l.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture armel
    apt-get update
--- a/ci/buildenv/debian-12-cross-armv7l.sh
+++ b/ci/buildenv/debian-12-cross-armv7l.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture armhf
    apt-get update
--- a/ci/buildenv/debian-12-cross-i686.sh
+++ b/ci/buildenv/debian-12-cross-i686.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture i386
    apt-get update
--- a/ci/buildenv/debian-12-cross-mips64el.sh
+++ b/ci/buildenv/debian-12-cross-mips64el.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture mips64el
    apt-get update
--- a/ci/buildenv/debian-12-cross-mipsel.sh
+++ b/ci/buildenv/debian-12-cross-mipsel.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture mipsel
    apt-get update
--- a/ci/buildenv/debian-12-cross-ppc64le.sh
+++ b/ci/buildenv/debian-12-cross-ppc64le.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture ppc64el
    apt-get update
--- a/ci/buildenv/debian-12-cross-s390x.sh
+++ b/ci/buildenv/debian-12-cross-s390x.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture s390x
    apt-get update
--- a/ci/buildenv/debian-12.sh
+++ b/ci/buildenv/debian-12.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            clang \
@@ -35,6 +36,7 @@ function install_buildenv() {
            libblkid-dev \
            libc6-dev \
            libcap-ng-dev \
+            libclang-rt-dev \
            libcurl4-gnutls-dev \
            libdevmapper-dev \
            libfuse-dev \
@@ -77,13 +79,13 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            systemtap-sdt-dev \
            wireshark-dev \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' --show > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
--- a/ci/buildenv/debian-sid-cross-aarch64.sh
+++ b/ci/buildenv/debian-sid-cross-aarch64.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture arm64
    apt-get update
--- a/ci/buildenv/debian-sid-cross-armv6l.sh
+++ b/ci/buildenv/debian-sid-cross-armv6l.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture armel
    apt-get update
--- a/ci/buildenv/debian-sid-cross-armv7l.sh
+++ b/ci/buildenv/debian-sid-cross-armv7l.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture armhf
    apt-get update
--- a/ci/buildenv/debian-sid-cross-i686.sh
+++ b/ci/buildenv/debian-sid-cross-i686.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture i386
    apt-get update
--- a/ci/buildenv/debian-sid-cross-mips64el.sh
+++ b/ci/buildenv/debian-sid-cross-mips64el.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture mips64el
    apt-get update
--- a/ci/buildenv/debian-sid-cross-ppc64le.sh
+++ b/ci/buildenv/debian-sid-cross-ppc64le.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture ppc64el
    apt-get update
--- a/ci/buildenv/debian-sid-cross-s390x.sh
+++ b/ci/buildenv/debian-sid-cross-s390x.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            codespell \
@@ -26,6 +27,7 @@ function install_buildenv() {
            iproute2 \
            iptables \
            kmod \
+            libclang-rt-dev \
            libnbd-dev \
            libxml2-utils \
            locales \
@@ -43,11 +45,11 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    export DEBIAN_FRONTEND=noninteractive
    dpkg --add-architecture s390x
    apt-get update
--- a/ci/buildenv/debian-sid.sh
+++ b/ci/buildenv/debian-sid.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            clang \
@@ -35,6 +36,7 @@ function install_buildenv() {
            libblkid-dev \
            libc6-dev \
            libcap-ng-dev \
+            libclang-rt-dev \
            libcurl4-gnutls-dev \
            libdevmapper-dev \
            libfuse-dev \
@@ -77,13 +79,13 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            systemtap-sdt-dev \
            wireshark-dev \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' --show > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
--- a/ci/buildenv/fedora-39.sh
+++ b/ci/buildenv/fedora-39.sh
@@ -14,6 +14,7 @@ function install_buildenv() {
        ccache \
        clang \
        codespell \
+        compiler-rt \
        cpp \
        cppi \
        cyrus-sasl-devel \
@@ -68,6 +69,7 @@ function install_buildenv() {
        pkgconfig \
        polkit \
        python3 \
+        python3-black \
        python3-docutils \
        python3-flake8 \
        python3-pytest \
@@ -75,7 +77,6 @@ function install_buildenv() {
        readline-devel \
        rpm-build \
        sanlock-devel \
-        scrub \
        sed \
        systemd-devel \
        systemd-rpm-macros \
@@ -83,6 +84,7 @@ function install_buildenv() {
        wireshark-devel \
        xen-devel \
        yajl-devel
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    rpm -qa | sort > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
--- a/ci/buildenv/fedora-40-cross-mingw32.sh
+++ b/ci/buildenv/fedora-40-cross-mingw32.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
        ca-certificates \
        ccache \
        codespell \
+        compiler-rt \
        cpp \
        cppi \
        diffutils \
@@ -39,14 +40,15 @@ function install_buildenv() {
        perl-base \
        polkit \
        python3 \
+        python3-black \
        python3-docutils \
        python3-flake8 \
        python3-pytest \
        qemu-img \
        rpm-build \
-        scrub \
        sed \
        systemd-rpm-macros
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    dnf install -y \
        mingw32-curl \
        mingw32-dlfcn \
--- a/ci/buildenv/fedora-40-cross-mingw64.sh
+++ b/ci/buildenv/fedora-40-cross-mingw64.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
        ca-certificates \
        ccache \
        codespell \
+        compiler-rt \
        cpp \
        cppi \
        diffutils \
@@ -39,14 +40,15 @@ function install_buildenv() {
        perl-base \
        polkit \
        python3 \
+        python3-black \
        python3-docutils \
        python3-flake8 \
        python3-pytest \
        qemu-img \
        rpm-build \
-        scrub \
        sed \
        systemd-rpm-macros
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    dnf install -y \
        mingw64-curl \
        mingw64-dlfcn \
--- a/ci/buildenv/fedora-40.sh
+++ b/ci/buildenv/fedora-40.sh
@@ -14,6 +14,7 @@ function install_buildenv() {
        ccache \
        clang \
        codespell \
+        compiler-rt \
        cpp \
        cppi \
        cyrus-sasl-devel \
@@ -68,6 +69,7 @@ function install_buildenv() {
        pkgconfig \
        polkit \
        python3 \
+        python3-black \
        python3-docutils \
        python3-flake8 \
        python3-pytest \
@@ -75,7 +77,6 @@ function install_buildenv() {
        readline-devel \
        rpm-build \
        sanlock-devel \
-        scrub \
        sed \
        systemd-devel \
        systemd-rpm-macros \
@@ -83,6 +84,7 @@ function install_buildenv() {
        wireshark-devel \
        xen-devel \
        yajl-devel
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    rpm -qa | sort > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
--- a/ci/buildenv/fedora-rawhide-cross-mingw32.sh
+++ b/ci/buildenv/fedora-rawhide-cross-mingw32.sh
@@ -9,10 +9,11 @@ function install_buildenv() {
    dnf distro-sync -y
    dnf install -y \
        augeas \
-        bash-completion \
+        bash-completion-devel \
        ca-certificates \
        ccache \
        codespell \
+        compiler-rt \
        cpp \
        cppi \
        diffutils \
@@ -40,14 +41,15 @@ function install_buildenv() {
        perl-base \
        polkit \
        python3 \
+        python3-black \
        python3-docutils \
        python3-flake8 \
        python3-pytest \
        qemu-img \
        rpm-build \
-        scrub \
        sed \
        systemd-rpm-macros
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    dnf install -y \
        mingw32-curl \
        mingw32-dlfcn \
--- a/ci/buildenv/fedora-rawhide-cross-mingw64.sh
+++ b/ci/buildenv/fedora-rawhide-cross-mingw64.sh
@@ -9,10 +9,11 @@ function install_buildenv() {
    dnf distro-sync -y
    dnf install -y \
        augeas \
-        bash-completion \
+        bash-completion-devel \
        ca-certificates \
        ccache \
        codespell \
+        compiler-rt \
        cpp \
        cppi \
        diffutils \
@@ -40,14 +41,15 @@ function install_buildenv() {
        perl-base \
        polkit \
        python3 \
+        python3-black \
        python3-docutils \
        python3-flake8 \
        python3-pytest \
        qemu-img \
        rpm-build \
-        scrub \
        sed \
        systemd-rpm-macros
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    dnf install -y \
        mingw64-curl \
        mingw64-dlfcn \
--- a/ci/buildenv/fedora-rawhide.sh
+++ b/ci/buildenv/fedora-rawhide.sh
@@ -10,11 +10,12 @@ function install_buildenv() {
    dnf install -y \
        audit-libs-devel \
        augeas \
-        bash-completion \
+        bash-completion-devel \
        ca-certificates \
        ccache \
        clang \
        codespell \
+        compiler-rt \
        cpp \
        cppi \
        cyrus-sasl-devel \
@@ -69,6 +70,7 @@ function install_buildenv() {
        pkgconfig \
        polkit \
        python3 \
+        python3-black \
        python3-docutils \
        python3-flake8 \
        python3-pytest \
@@ -76,7 +78,6 @@ function install_buildenv() {
        readline-devel \
        rpm-build \
        sanlock-devel \
-        scrub \
        sed \
        systemd-devel \
        systemd-rpm-macros \
@@ -84,6 +85,7 @@ function install_buildenv() {
        wireshark-devel \
        xen-devel \
        yajl-devel
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    rpm -qa | sort > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
--- a/ci/buildenv/opensuse-leap-15.sh
+++ b/ci/buildenv/opensuse-leap-15.sh
@@ -10,10 +10,11 @@ function install_buildenv() {
           audit-devel \
           augeas \
           augeas-lenses \
-           bash-completion \
+           bash-completion-devel \
           ca-certificates \
           ccache \
           clang \
+           clang-devel \
           codespell \
           cpp \
           cppi \
@@ -72,22 +73,26 @@ function install_buildenv() {
           python3-base \
           python3-docutils \
           python3-flake8 \
+           python3-pip \
           python3-pytest \
+           python3-setuptools \
+           python3-wheel \
           qemu-tools \
           readline-devel \
           rpm-build \
           sanlock-devel \
-           scrub \
           sed \
           systemd-rpm-macros \
           systemtap-sdt-devel \
           wireshark-devel \
           xen-devel
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    rpm -qa | sort > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
+    /usr/bin/pip3 install black
 }

 export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
--- a/ci/buildenv/opensuse-tumbleweed.sh
+++ b/ci/buildenv/opensuse-tumbleweed.sh
@@ -10,10 +10,11 @@ function install_buildenv() {
           audit-devel \
           augeas \
           augeas-lenses \
-           bash-completion \
+           bash-completion-devel \
           ca-certificates \
           ccache \
           clang \
+           clang-devel \
           codespell \
           cpp \
           cppi \
@@ -70,19 +71,20 @@ function install_buildenv() {
           pkgconfig \
           polkit \
           python3-base \
+           python3-black \
           python3-docutils \
+           python3-flake8 \
           python3-pytest \
-           python39-flake8 \
           qemu-tools \
           readline-devel \
           rpm-build \
           sanlock-devel \
-           scrub \
           sed \
           systemd-rpm-macros \
           systemtap-sdt-devel \
           wireshark-devel \
           xen-devel
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    rpm -qa | sort > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
--- a/ci/buildenv/ubuntu-2204.sh
+++ b/ci/buildenv/ubuntu-2204.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            clang \
@@ -35,6 +36,7 @@ function install_buildenv() {
            libblkid-dev \
            libc6-dev \
            libcap-ng-dev \
+            libclang-dev \
            libcurl4-gnutls-dev \
            libdevmapper-dev \
            libfuse-dev \
@@ -78,13 +80,13 @@ function install_buildenv() {
            python3-docutils \
            python3-pytest \
            qemu-utils \
-            scrub \
            sed \
            systemtap-sdt-dev \
            wireshark-dev \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' --show > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
--- a/ci/buildenv/ubuntu-2404.sh
+++ b/ci/buildenv/ubuntu-2404.sh
@@ -12,6 +12,7 @@ function install_buildenv() {
            augeas-lenses \
            augeas-tools \
            bash-completion \
+            black \
            ca-certificates \
            ccache \
            clang \
@@ -35,6 +36,7 @@ function install_buildenv() {
            libblkid-dev \
            libc6-dev \
            libcap-ng-dev \
+            libclang-rt-dev \
            libcurl4-gnutls-dev \
            libdevmapper-dev \
            libfuse-dev \
@@ -42,7 +44,7 @@ function install_buildenv() {
            libglusterfs-dev \
            libgnutls28-dev \
            libiscsi-dev \
-            libnetcf-dev \
+            libnbd-dev \
            libnl-3-dev \
            libnl-route-3-dev \
            libnuma-dev \
@@ -66,6 +68,7 @@ function install_buildenv() {
            locales \
            lvm2 \
            make \
+            meson \
            nfs-common \
            ninja-build \
            numad \
@@ -75,24 +78,20 @@ function install_buildenv() {
            policykit-1 \
            python3 \
            python3-docutils \
-            python3-pip \
            python3-pytest \
-            python3-setuptools \
-            python3-wheel \
            qemu-utils \
-            scrub \
            sed \
            systemtap-sdt-dev \
            wireshark-dev \
            xsltproc
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen
    dpkg-reconfigure locales
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED
    dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' --show > /packages.txt
    mkdir -p /usr/libexec/ccache-wrappers
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
-    /usr/bin/pip3 install meson==0.56.0
 }

 export CCACHE_WRAPPERSDIR="/usr/libexec/ccache-wrappers"
--- a/ci/cirrus/build.yml
+++ b/ci/cirrus/build.yml
@@ -6,7 +6,7 @@ env:
  CI_COMMIT_REF_NAME: "@CI_COMMIT_REF_NAME@"
  CI_MERGE_REQUEST_REF_PATH: "@CI_MERGE_REQUEST_REF_PATH@"
  CI_COMMIT_SHA: "@CI_COMMIT_SHA@"
-  PATH: "@PATH@"
+  PATH: "@PATH_EXTRA@:$PATH"
  PKG_CONFIG_PATH: "@PKG_CONFIG_PATH@"
  PYTHON: "@PYTHON@"
  MAKE: "@MAKE@"
@@ -18,7 +18,7 @@ build_task:
    - @UPDATE_COMMAND@
    - @UPGRADE_COMMAND@
    - @INSTALL_COMMAND@ @PKGS@
-    - if test -n "@PYPI_PKGS@" ; then @PIP3@ install @PYPI_PKGS@ ; fi
+    - if test -n "@PYPI_PKGS@" ; then @PIP3@ install --break-system-packages @PYPI_PKGS@ ; fi
  clone_script:
    - git clone --depth 100 "$CI_REPOSITORY_URL" .
    - git fetch origin "${CI_MERGE_REQUEST_REF_PATH:-$CI_COMMIT_REF_NAME}"
--- a/ci/cirrus/freebsd-13.vars
+++ b/ci/cirrus/freebsd-13.vars
@@ -11,6 +11,6 @@ MAKE='/usr/local/bin/gmake'
 NINJA='/usr/local/bin/ninja'
 PACKAGING_COMMAND='pkg'
 PIP3='/usr/local/bin/pip-3.8'
-PKGS='augeas bash-completion ca_root_nss ccache codespell cppi curl cyrus-sasl diffutils diskscrub fusefs-libs gettext git glib gmake gnugrep gnutls gsed libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf polkit py39-docutils py39-flake8 py39-pytest python3 qemu readline yajl'
+PKGS='augeas bash-completion ca_root_nss ccache codespell cppi curl cyrus-sasl diffutils fusefs-libs gettext git glib gmake gnugrep gnutls gsed libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf polkit py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline yajl'
 PYPI_PKGS=''
 PYTHON='/usr/local/bin/python3'
--- a/ci/cirrus/freebsd-14.vars
+++ b/ci/cirrus/freebsd-14.vars
@@ -11,6 +11,6 @@ MAKE='/usr/local/bin/gmake'
 NINJA='/usr/local/bin/ninja'
 PACKAGING_COMMAND='pkg'
 PIP3='/usr/local/bin/pip-3.8'
-PKGS='augeas bash-completion ca_root_nss ccache codespell cppi curl cyrus-sasl diffutils diskscrub fusefs-libs gettext git glib gmake gnugrep gnutls gsed libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf polkit py39-docutils py39-flake8 py39-pytest python3 qemu readline yajl'
+PKGS='augeas bash-completion ca_root_nss ccache codespell cppi curl cyrus-sasl diffutils fusefs-libs gettext git glib gmake gnugrep gnutls gsed libpcap libpciaccess libssh libssh2 libxml2 libxslt meson ninja perl5 pkgconf polkit py311-black py311-docutils py311-flake8 py311-pytest python3 qemu readline yajl'
 PYPI_PKGS=''
 PYTHON='/usr/local/bin/python3'
--- a/ci/cirrus/macos-13.vars
+++ b/ci/cirrus/macos-13.vars
@@ -11,6 +11,6 @@ MAKE='/opt/homebrew/bin/gmake'
 NINJA='/opt/homebrew/bin/ninja'
 PACKAGING_COMMAND='brew'
 PIP3='/opt/homebrew/bin/pip3'
-PKGS='augeas bash-completion ccache codespell cppi curl diffutils docutils flake8 gettext git glib gnu-sed gnutls grep libiscsi libpcap libssh libssh2 libxml2 libxslt make meson ninja perl pkg-config python3 qemu readline scrub yajl'
+PKGS='augeas bash-completion black ccache codespell cppi curl diffutils docutils flake8 gettext git glib gnu-sed gnutls grep libiscsi libpcap libssh libssh2 libxml2 libxslt make meson ninja perl pkg-config python3 qemu readline yajl'
 PYPI_PKGS='pytest'
 PYTHON='/opt/homebrew/bin/python3'
--- a/ci/cirrus/macos-14.vars
+++ b/ci/cirrus/macos-14.vars
@@ -11,6 +11,6 @@ MAKE='/opt/homebrew/bin/gmake'
 NINJA='/opt/homebrew/bin/ninja'
 PACKAGING_COMMAND='brew'
 PIP3='/opt/homebrew/bin/pip3'
-PKGS='augeas bash-completion ccache codespell cppi curl diffutils docutils flake8 gettext git glib gnu-sed gnutls grep libiscsi libpcap libssh libssh2 libxml2 libxslt make meson ninja perl pkg-config python3 qemu readline scrub yajl'
+PKGS='augeas bash-completion black ccache codespell cppi curl diffutils docutils flake8 gettext git glib gnu-sed gnutls grep libiscsi libpcap libssh libssh2 libxml2 libxslt make meson ninja perl pkg-config python3 qemu readline yajl'
 PYPI_PKGS='pytest'
 PYTHON='/opt/homebrew/bin/python3'
--- a/ci/containers/almalinux-9.Dockerfile
+++ b/ci/containers/almalinux-9.Dockerfile
@@ -4,12 +4,11 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci

-FROM docker.io/library/almalinux:8
+FROM docker.io/library/almalinux:9

 RUN dnf update -y && \
    dnf install 'dnf-command(config-manager)' -y && \
-    dnf config-manager --set-enabled -y powertools && \
-    dnf install -y centos-release-advanced-virtualization && \
+    dnf config-manager --set-enabled -y crb && \
    dnf install -y epel-release && \
    dnf install -y \
        audit-libs-devel \
@@ -18,6 +17,7 @@ RUN dnf update -y && \
        ca-certificates \
        ccache \
        clang \
+        compiler-rt \
        cpp \
        cyrus-sasl-devel \
        device-mapper-devel \
@@ -32,7 +32,6 @@ RUN dnf update -y && \
        glib2-devel \
        glibc-devel \
        glibc-langpack-en \
-        glusterfs-api-devel \
        gnutls-devel \
        grep \
        iproute \
@@ -62,24 +61,25 @@ RUN dnf update -y && \
        lvm2 \
        make \
        meson \
-        netcf-devel \
        nfs-utils \
        ninja-build \
        numactl-devel \
        numad \
        parted-devel \
-        perl \
+        perl-base \
        pkgconfig \
        polkit \
        python3 \
        python3-docutils \
        python3-flake8 \
+        python3-pip \
        python3-pytest \
+        python3-setuptools \
+        python3-wheel \
        qemu-img \
        readline-devel \
        rpm-build \
        sanlock-devel \
-        scrub \
        sed \
        systemd-devel \
        systemd-rpm-macros \
@@ -88,12 +88,15 @@ RUN dnf update -y && \
        yajl-devel && \
    dnf autoremove -y && \
    dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
    rpm -qa | sort > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc

+RUN /usr/bin/pip3 install black
+
 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
 ENV MAKE "/usr/bin/make"
--- a/ci/containers/alpine-319.Dockerfile
+++ b/ci/containers/alpine-319.Dockerfile
@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci

-FROM docker.io/library/alpine:3.17
+FROM docker.io/library/alpine:3.19

 RUN apk update && \
    apk upgrade && \
@@ -14,6 +14,7 @@ RUN apk update && \
        audit-dev \
        augeas \
        bash-completion \
+        black \
        ca-certificates \
        ccache \
        ceph-dev \
@@ -68,7 +69,8 @@ RUN apk update && \
        wireshark-dev \
        xen-dev \
        yajl-dev && \
-    apk list | sort > /packages.txt && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
+    apk list --installed | sort > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
--- a/ci/containers/alpine-edge.Dockerfile
+++ b/ci/containers/alpine-edge.Dockerfile
@@ -14,6 +14,7 @@ RUN apk update && \
        audit-dev \
        augeas \
        bash-completion \
+        black \
        ca-certificates \
        ccache \
        ceph-dev \
@@ -68,7 +69,8 @@ RUN apk update && \
        wireshark-dev \
        xen-dev \
        yajl-dev && \
-    apk list | sort > /packages.txt && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
+    apk list --installed | sort > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
--- a/ci/containers/centos-stream-8.Dockerfile
+++ b/ci/containers/centos-stream-8.Dockerfile
@@ -1,102 +0,0 @@
-# THIS FILE WAS AUTO-GENERATED
-#
-#  $ lcitool manifest ci/manifest.yml
-#
-# https://gitlab.com/libvirt/libvirt-ci
-
-FROM quay.io/centos/centos:stream8
-
-RUN dnf distro-sync -y && \
-    dnf install 'dnf-command(config-manager)' -y && \
-    dnf config-manager --set-enabled -y powertools && \
-    dnf install -y centos-release-advanced-virtualization && \
-    dnf install -y epel-release && \
-    dnf install -y epel-next-release && \
-    dnf install -y \
-        audit-libs-devel \
-        augeas \
-        bash-completion \
-        ca-certificates \
-        ccache \
-        clang \
-        cpp \
-        cyrus-sasl-devel \
-        device-mapper-devel \
-        diffutils \
-        dwarves \
-        ebtables \
-        firewalld-filesystem \
-        fuse-devel \
-        gcc \
-        gettext \
-        git \
-        glib2-devel \
-        glibc-devel \
-        glibc-langpack-en \
-        glusterfs-api-devel \
-        gnutls-devel \
-        grep \
-        iproute \
-        iproute-tc \
-        iptables \
-        iscsi-initiator-utils \
-        kmod \
-        libacl-devel \
-        libattr-devel \
-        libblkid-devel \
-        libcap-ng-devel \
-        libcurl-devel \
-        libiscsi-devel \
-        libnbd-devel \
-        libnl3-devel \
-        libpcap-devel \
-        libpciaccess-devel \
-        librbd-devel \
-        libselinux-devel \
-        libssh-devel \
-        libssh2-devel \
-        libtirpc-devel \
-        libwsman-devel \
-        libxml2 \
-        libxml2-devel \
-        libxslt \
-        lvm2 \
-        make \
-        meson \
-        netcf-devel \
-        nfs-utils \
-        ninja-build \
-        numactl-devel \
-        numad \
-        parted-devel \
-        perl \
-        pkgconfig \
-        polkit \
-        python3 \
-        python3-docutils \
-        python3-flake8 \
-        python3-pytest \
-        qemu-img \
-        readline-devel \
-        rpm-build \
-        sanlock-devel \
-        scrub \
-        sed \
-        systemd-devel \
-        systemd-rpm-macros \
-        systemtap-sdt-devel \
-        wireshark-devel \
-        yajl-devel && \
-    dnf autoremove -y && \
-    dnf clean all -y && \
-    rpm -qa | sort > /packages.txt && \
-    mkdir -p /usr/libexec/ccache-wrappers && \
-    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
-    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
-    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc
-
-ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
-ENV LANG "en_US.UTF-8"
-ENV MAKE "/usr/bin/make"
-ENV NINJA "/usr/bin/ninja"
-ENV PYTHON "/usr/bin/python3"
--- a/ci/containers/centos-stream-9.Dockerfile
+++ b/ci/containers/centos-stream-9.Dockerfile
@@ -18,6 +18,7 @@ RUN dnf distro-sync -y && \
        ca-certificates \
        ccache \
        clang \
+        compiler-rt \
        cpp \
        cyrus-sasl-devel \
        device-mapper-devel \
@@ -44,6 +45,7 @@ RUN dnf distro-sync -y && \
        libblkid-devel \
        libcap-ng-devel \
        libcurl-devel \
+        libiscsi-devel \
        libnbd-devel \
        libnl3-devel \
        libpcap-devel \
@@ -71,12 +73,14 @@ RUN dnf distro-sync -y && \
        python3 \
        python3-docutils \
        python3-flake8 \
+        python3-pip \
        python3-pytest \
+        python3-setuptools \
+        python3-wheel \
        qemu-img \
        readline-devel \
        rpm-build \
        sanlock-devel \
-        scrub \
        sed \
        systemd-devel \
        systemd-rpm-macros \
@@ -85,12 +89,15 @@ RUN dnf distro-sync -y && \
        yajl-devel && \
    dnf autoremove -y && \
    dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
    rpm -qa | sort > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc

+RUN /usr/bin/pip3 install black
+
 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
 ENV MAKE "/usr/bin/make"
--- a/ci/containers/debian-11-cross-aarch64.Dockerfile
+++ b/ci/containers/debian-11-cross-aarch64.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-dev \
                      libxml2-utils \
                      locales \
                      lvm2 \
@@ -44,13 +46,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-11-cross-armv6l.Dockerfile
+++ b/ci/containers/debian-11-cross-armv6l.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-dev \
                      libxml2-utils \
                      locales \
                      lvm2 \
@@ -44,13 +46,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-11-cross-armv7l.Dockerfile
+++ b/ci/containers/debian-11-cross-armv7l.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-dev \
                      libxml2-utils \
                      locales \
                      lvm2 \
@@ -44,13 +46,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-11-cross-i686.Dockerfile
+++ b/ci/containers/debian-11-cross-i686.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-dev \
                      libxml2-utils \
                      locales \
                      lvm2 \
@@ -44,13 +46,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-11-cross-mips64el.Dockerfile
+++ b/ci/containers/debian-11-cross-mips64el.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-dev \
                      libxml2-utils \
                      locales \
                      lvm2 \
@@ -44,13 +46,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-11-cross-mipsel.Dockerfile
+++ b/ci/containers/debian-11-cross-mipsel.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-dev \
                      libxml2-utils \
                      locales \
                      lvm2 \
@@ -44,13 +46,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-11-cross-ppc64le.Dockerfile
+++ b/ci/containers/debian-11-cross-ppc64le.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-dev \
                      libxml2-utils \
                      locales \
                      lvm2 \
@@ -44,13 +46,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-11-cross-s390x.Dockerfile
+++ b/ci/containers/debian-11-cross-s390x.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-dev \
                      libxml2-utils \
                      locales \
                      lvm2 \
@@ -44,13 +46,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-11.Dockerfile
+++ b/ci/containers/debian-11.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      clang \
@@ -37,6 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      libblkid-dev \
                      libc6-dev \
                      libcap-ng-dev \
+                      libclang-dev \
                      libcurl4-gnutls-dev \
                      libdevmapper-dev \
                      libfuse-dev \
@@ -79,7 +81,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      systemtap-sdt-dev \
                      wireshark-dev \
@@ -88,6 +89,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
    dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' --show > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
--- a/ci/containers/debian-12-cross-aarch64.Dockerfile
+++ b/ci/containers/debian-12-cross-aarch64.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-12-cross-armv6l.Dockerfile
+++ b/ci/containers/debian-12-cross-armv6l.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-12-cross-armv7l.Dockerfile
+++ b/ci/containers/debian-12-cross-armv7l.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-12-cross-i686.Dockerfile
+++ b/ci/containers/debian-12-cross-i686.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-12-cross-mips64el.Dockerfile
+++ b/ci/containers/debian-12-cross-mips64el.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-12-cross-mipsel.Dockerfile
+++ b/ci/containers/debian-12-cross-mipsel.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-12-cross-ppc64le.Dockerfile
+++ b/ci/containers/debian-12-cross-ppc64le.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-12-cross-s390x.Dockerfile
+++ b/ci/containers/debian-12-cross-s390x.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-12.Dockerfile
+++ b/ci/containers/debian-12.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      clang \
@@ -37,6 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      libblkid-dev \
                      libc6-dev \
                      libcap-ng-dev \
+                      libclang-rt-dev \
                      libcurl4-gnutls-dev \
                      libdevmapper-dev \
                      libfuse-dev \
@@ -79,7 +81,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      systemtap-sdt-dev \
                      wireshark-dev \
@@ -88,6 +89,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
    dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' --show > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
--- a/ci/containers/debian-sid-cross-aarch64.Dockerfile
+++ b/ci/containers/debian-sid-cross-aarch64.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-sid-cross-armv6l.Dockerfile
+++ b/ci/containers/debian-sid-cross-armv6l.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-sid-cross-armv7l.Dockerfile
+++ b/ci/containers/debian-sid-cross-armv7l.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-sid-cross-i686.Dockerfile
+++ b/ci/containers/debian-sid-cross-i686.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-sid-cross-mips64el.Dockerfile
+++ b/ci/containers/debian-sid-cross-mips64el.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-sid-cross-ppc64le.Dockerfile
+++ b/ci/containers/debian-sid-cross-ppc64le.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-sid-cross-s390x.Dockerfile
+++ b/ci/containers/debian-sid-cross-s390x.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      codespell \
@@ -28,6 +29,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      iproute2 \
                      iptables \
                      kmod \
+                      libclang-rt-dev \
                      libnbd-dev \
                      libxml2-utils \
                      locales \
@@ -45,13 +47,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      xsltproc && \
    eatmydata apt-get autoremove -y && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
-    dpkg-reconfigure locales
+    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/debian-sid.Dockerfile
+++ b/ci/containers/debian-sid.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      clang \
@@ -37,6 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      libblkid-dev \
                      libc6-dev \
                      libcap-ng-dev \
+                      libclang-rt-dev \
                      libcurl4-gnutls-dev \
                      libdevmapper-dev \
                      libfuse-dev \
@@ -79,7 +81,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      systemtap-sdt-dev \
                      wireshark-dev \
@@ -88,6 +89,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
    dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' --show > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
--- a/ci/containers/fedora-39.Dockerfile
+++ b/ci/containers/fedora-39.Dockerfile
@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci

-FROM registry.fedoraproject.org/fedora:38
+FROM registry.fedoraproject.org/fedora:39

 RUN dnf install -y nosync && \
    printf '#!/bin/sh\n\
@@ -25,6 +25,7 @@ exec "$@"\n' > /usr/bin/nosync && \
               ccache \
               clang \
               codespell \
+               compiler-rt \
               cpp \
               cppi \
               cyrus-sasl-devel \
@@ -79,6 +80,7 @@ exec "$@"\n' > /usr/bin/nosync && \
               pkgconfig \
               polkit \
               python3 \
+               python3-black \
               python3-docutils \
               python3-flake8 \
               python3-pytest \
@@ -86,7 +88,6 @@ exec "$@"\n' > /usr/bin/nosync && \
               readline-devel \
               rpm-build \
               sanlock-devel \
-               scrub \
               sed \
               systemd-devel \
               systemd-rpm-macros \
@@ -96,6 +97,7 @@ exec "$@"\n' > /usr/bin/nosync && \
               yajl-devel && \
    nosync dnf autoremove -y && \
    nosync dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
    rpm -qa | sort > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
--- a/ci/containers/fedora-40-cross-mingw32.Dockerfile
+++ b/ci/containers/fedora-40-cross-mingw32.Dockerfile
@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci

-FROM registry.fedoraproject.org/fedora:38
+FROM registry.fedoraproject.org/fedora:40

 RUN dnf install -y nosync && \
    printf '#!/bin/sh\n\
@@ -23,6 +23,7 @@ exec "$@"\n' > /usr/bin/nosync && \
               ca-certificates \
               ccache \
               codespell \
+               compiler-rt \
               cpp \
               cppi \
               diffutils \
@@ -50,16 +51,17 @@ exec "$@"\n' > /usr/bin/nosync && \
               perl-base \
               polkit \
               python3 \
+               python3-black \
               python3-docutils \
               python3-flake8 \
               python3-pytest \
               qemu-img \
               rpm-build \
-               scrub \
               sed \
               systemd-rpm-macros && \
    nosync dnf autoremove -y && \
-    nosync dnf clean all -y
+    nosync dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/fedora-40-cross-mingw64.Dockerfile
+++ b/ci/containers/fedora-40-cross-mingw64.Dockerfile
@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci

-FROM registry.fedoraproject.org/fedora:38
+FROM registry.fedoraproject.org/fedora:40

 RUN dnf install -y nosync && \
    printf '#!/bin/sh\n\
@@ -23,6 +23,7 @@ exec "$@"\n' > /usr/bin/nosync && \
               ca-certificates \
               ccache \
               codespell \
+               compiler-rt \
               cpp \
               cppi \
               diffutils \
@@ -50,16 +51,17 @@ exec "$@"\n' > /usr/bin/nosync && \
               perl-base \
               polkit \
               python3 \
+               python3-black \
               python3-docutils \
               python3-flake8 \
               python3-pytest \
               qemu-img \
               rpm-build \
-               scrub \
               sed \
               systemd-rpm-macros && \
    nosync dnf autoremove -y && \
-    nosync dnf clean all -y
+    nosync dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/fedora-40.Dockerfile
+++ b/ci/containers/fedora-40.Dockerfile
@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci

-FROM registry.fedoraproject.org/fedora:37
+FROM registry.fedoraproject.org/fedora:40

 RUN dnf install -y nosync && \
    printf '#!/bin/sh\n\
@@ -25,6 +25,7 @@ exec "$@"\n' > /usr/bin/nosync && \
               ccache \
               clang \
               codespell \
+               compiler-rt \
               cpp \
               cppi \
               cyrus-sasl-devel \
@@ -79,6 +80,7 @@ exec "$@"\n' > /usr/bin/nosync && \
               pkgconfig \
               polkit \
               python3 \
+               python3-black \
               python3-docutils \
               python3-flake8 \
               python3-pytest \
@@ -86,7 +88,6 @@ exec "$@"\n' > /usr/bin/nosync && \
               readline-devel \
               rpm-build \
               sanlock-devel \
-               scrub \
               sed \
               systemd-devel \
               systemd-rpm-macros \
@@ -96,6 +97,7 @@ exec "$@"\n' > /usr/bin/nosync && \
               yajl-devel && \
    nosync dnf autoremove -y && \
    nosync dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
    rpm -qa | sort > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
--- a/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile
+++ b/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile
@@ -20,10 +20,11 @@ exec "$@"\n' > /usr/bin/nosync && \
    nosync dnf distro-sync -y && \
    nosync dnf install -y \
               augeas \
-               bash-completion \
+               bash-completion-devel \
               ca-certificates \
               ccache \
               codespell \
+               compiler-rt \
               cpp \
               cppi \
               diffutils \
@@ -51,16 +52,17 @@ exec "$@"\n' > /usr/bin/nosync && \
               perl-base \
               polkit \
               python3 \
+               python3-black \
               python3-docutils \
               python3-flake8 \
               python3-pytest \
               qemu-img \
               rpm-build \
-               scrub \
               sed \
               systemd-rpm-macros && \
    nosync dnf autoremove -y && \
-    nosync dnf clean all -y
+    nosync dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile
+++ b/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile
@@ -20,10 +20,11 @@ exec "$@"\n' > /usr/bin/nosync && \
    nosync dnf distro-sync -y && \
    nosync dnf install -y \
               augeas \
-               bash-completion \
+               bash-completion-devel \
               ca-certificates \
               ccache \
               codespell \
+               compiler-rt \
               cpp \
               cppi \
               diffutils \
@@ -51,16 +52,17 @@ exec "$@"\n' > /usr/bin/nosync && \
               perl-base \
               polkit \
               python3 \
+               python3-black \
               python3-docutils \
               python3-flake8 \
               python3-pytest \
               qemu-img \
               rpm-build \
-               scrub \
               sed \
               systemd-rpm-macros && \
    nosync dnf autoremove -y && \
-    nosync dnf clean all -y
+    nosync dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED

 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
--- a/ci/containers/fedora-rawhide.Dockerfile
+++ b/ci/containers/fedora-rawhide.Dockerfile
@@ -21,11 +21,12 @@ exec "$@"\n' > /usr/bin/nosync && \
    nosync dnf install -y \
               audit-libs-devel \
               augeas \
-               bash-completion \
+               bash-completion-devel \
               ca-certificates \
               ccache \
               clang \
               codespell \
+               compiler-rt \
               cpp \
               cppi \
               cyrus-sasl-devel \
@@ -80,6 +81,7 @@ exec "$@"\n' > /usr/bin/nosync && \
               pkgconfig \
               polkit \
               python3 \
+               python3-black \
               python3-docutils \
               python3-flake8 \
               python3-pytest \
@@ -87,7 +89,6 @@ exec "$@"\n' > /usr/bin/nosync && \
               readline-devel \
               rpm-build \
               sanlock-devel \
-               scrub \
               sed \
               systemd-devel \
               systemd-rpm-macros \
@@ -97,6 +98,7 @@ exec "$@"\n' > /usr/bin/nosync && \
               yajl-devel && \
    nosync dnf autoremove -y && \
    nosync dnf clean all -y && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
    rpm -qa | sort > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
--- a/ci/containers/opensuse-leap-15.Dockerfile
+++ b/ci/containers/opensuse-leap-15.Dockerfile
@@ -4,17 +4,18 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci

-FROM registry.opensuse.org/opensuse/leap:15.5
+FROM registry.opensuse.org/opensuse/leap:15.6

 RUN zypper update -y && \
    zypper install -y \
           audit-devel \
           augeas \
           augeas-lenses \
-           bash-completion \
+           bash-completion-devel \
           ca-certificates \
           ccache \
           clang \
+           clang-devel \
           codespell \
           cpp \
           cppi \
@@ -73,24 +74,29 @@ RUN zypper update -y && \
           python3-base \
           python3-docutils \
           python3-flake8 \
+           python3-pip \
           python3-pytest \
+           python3-setuptools \
+           python3-wheel \
           qemu-tools \
           readline-devel \
           rpm-build \
           sanlock-devel \
-           scrub \
           sed \
           systemd-rpm-macros \
           systemtap-sdt-devel \
           wireshark-devel \
           xen-devel && \
    zypper clean --all && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
    rpm -qa | sort > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc

+RUN /usr/bin/pip3 install black
+
 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
 ENV MAKE "/usr/bin/make"
--- a/ci/containers/opensuse-tumbleweed.Dockerfile
+++ b/ci/containers/opensuse-tumbleweed.Dockerfile
@@ -11,10 +11,11 @@ RUN zypper dist-upgrade -y && \
           audit-devel \
           augeas \
           augeas-lenses \
-           bash-completion \
+           bash-completion-devel \
           ca-certificates \
           ccache \
           clang \
+           clang-devel \
           codespell \
           cpp \
           cppi \
@@ -71,20 +72,21 @@ RUN zypper dist-upgrade -y && \
           pkgconfig \
           polkit \
           python3-base \
+           python3-black \
           python3-docutils \
+           python3-flake8 \
           python3-pytest \
-           python39-flake8 \
           qemu-tools \
           readline-devel \
           rpm-build \
           sanlock-devel \
-           scrub \
           sed \
           systemd-rpm-macros \
           systemtap-sdt-devel \
           wireshark-devel \
           xen-devel && \
    zypper clean --all && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
    rpm -qa | sort > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
--- a/ci/containers/ubuntu-2204.Dockerfile
+++ b/ci/containers/ubuntu-2204.Dockerfile
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      clang \
@@ -37,6 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      libblkid-dev \
                      libc6-dev \
                      libcap-ng-dev \
+                      libclang-dev \
                      libcurl4-gnutls-dev \
                      libdevmapper-dev \
                      libfuse-dev \
@@ -80,7 +82,6 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      python3-docutils \
                      python3-pytest \
                      qemu-utils \
-                      scrub \
                      sed \
                      systemtap-sdt-dev \
                      wireshark-dev \
@@ -89,6 +90,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
    dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' --show > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
--- a/ci/containers/ubuntu-2404.Dockerfile
+++ b/ci/containers/ubuntu-2404.Dockerfile
@@ -4,7 +4,7 @@
 #
 # https://gitlab.com/libvirt/libvirt-ci

-FROM docker.io/library/ubuntu:20.04
+FROM docker.io/library/ubuntu:24.04

 RUN export DEBIAN_FRONTEND=noninteractive && \
    apt-get update && \
@@ -14,6 +14,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      augeas-lenses \
                      augeas-tools \
                      bash-completion \
+                      black \
                      ca-certificates \
                      ccache \
                      clang \
@@ -37,6 +38,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      libblkid-dev \
                      libc6-dev \
                      libcap-ng-dev \
+                      libclang-rt-dev \
                      libcurl4-gnutls-dev \
                      libdevmapper-dev \
                      libfuse-dev \
@@ -44,7 +46,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      libglusterfs-dev \
                      libgnutls28-dev \
                      libiscsi-dev \
-                      libnetcf-dev \
+                      libnbd-dev \
                      libnl-3-dev \
                      libnl-route-3-dev \
                      libnuma-dev \
@@ -68,6 +70,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      locales \
                      lvm2 \
                      make \
+                      meson \
                      nfs-common \
                      ninja-build \
                      numad \
@@ -77,12 +80,8 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
                      policykit-1 \
                      python3 \
                      python3-docutils \
-                      python3-pip \
                      python3-pytest \
-                      python3-setuptools \
-                      python3-wheel \
                      qemu-utils \
-                      scrub \
                      sed \
                      systemtap-sdt-dev \
                      wireshark-dev \
@@ -91,14 +90,13 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
    eatmydata apt-get autoclean -y && \
    sed -Ei 's,^# (en_US\.UTF-8 .*)$,\1,' /etc/locale.gen && \
    dpkg-reconfigure locales && \
+    rm -f /usr/lib*/python3*/EXTERNALLY-MANAGED && \
    dpkg-query --showformat '${Package}_${Version}_${Architecture}\n' --show > /packages.txt && \
    mkdir -p /usr/libexec/ccache-wrappers && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/cc && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/clang && \
    ln -s /usr/bin/ccache /usr/libexec/ccache-wrappers/gcc

-RUN /usr/bin/pip3 install meson==0.56.0
-
 ENV CCACHE_WRAPPERSDIR "/usr/libexec/ccache-wrappers"
 ENV LANG "en_US.UTF-8"
 ENV MAKE "/usr/bin/make"
--- a/ci/gitlab/build-templates.yml
+++ b/ci/gitlab/build-templates.yml
@@ -20,16 +20,25 @@
 #    include CI changes
 #  - Validating code committed to a fork branch
 #
-# Note: the rules across the prebuilt_env and local_env templates
+# Note: the rules across the prebuilt and local container scenarios
 # should be logical inverses, such that jobs are mutually exclusive
 #
-.gitlab_native_build_job_prebuilt_env:
-  image: $CI_REGISTRY/$RUN_UPSTREAM_NAMESPACE/libvirt/ci-$NAME:latest
+.gitlab_native_build_job:
+  image: $IMAGE
  stage: builds
  interruptible: true
  before_script:
+    - if test "$IMAGE" == "$TARGET_BASE_IMAGE" ;
+      then
+        source ci/buildenv/$NAME.sh ;
+        install_buildenv ;
+      fi
    - cat /packages.txt
+  variables:
+    IMAGE: $CI_REGISTRY/$RUN_UPSTREAM_NAMESPACE/libvirt/ci-$NAME:latest
  rules:
+    ### PUSH events
+
    # upstream: pushes to the default branch
    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
      when: manual
@@ -44,68 +53,19 @@
    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $RUN_PIPELINE_UPSTREAM_ENV'
      when: on_success

-    # upstream: other web/api/scheduled pipelines targeting the default branch
-    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
-      when: manual
-      allow_failure: true
-    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
-      when: on_success
-
-    # upstream+forks: merge requests targeting the default branch, without CI changes
-    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
-      changes:
-        - ci/gitlab/container-templates.yml
-        - ci/containers/$NAME.Dockerfile
-      when: never
-    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
-      when: manual
-      allow_failure: true
-    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
-      when: on_success
-
-    # upstream+forks: that's all folks
-    - when: never
-
-.gitlab_native_build_job_local_env:
-  image: $IMAGE
-  stage: builds
-  interruptible: true
-  before_script:
-    - source ci/buildenv/$NAME.sh
-    - install_buildenv
-    - cat /packages.txt
-  rules:
-    # upstream: pushes to a non-default branch
-    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
-      when: manual
-      allow_failure: true
-    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
-      when: on_success
-
-    # forks: avoid build in local env when job requests run in upstream containers
-    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $RUN_PIPELINE_UPSTREAM_ENV'
-      when: never
-
    # forks: pushes to branches with pipeline requested
    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $RUN_PIPELINE && $JOB_OPTIONAL'
      when: manual
      allow_failure: true
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $RUN_PIPELINE'
      when: on_success
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE

-    # upstream: other web/api/scheduled pipelines targeting non-default branches
-    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
-      when: manual
-      allow_failure: true
-    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH'
-      when: on_success

-    # forks: other web/api/scheduled pipelines
-    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $JOB_OPTIONAL'
-      when: manual
-      allow_failure: true
-    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/'
-      when: on_success
+    ### MERGE REQUEST events

    # upstream+forks: merge requests targeting the default branch, with CI changes
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
@@ -114,18 +74,68 @@
        - ci/containers/$NAME.Dockerfile
      when: manual
      allow_failure: true
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
      changes:
        - ci/gitlab/container-templates.yml
        - ci/containers/$NAME.Dockerfile
      when: on_success
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
+
+    # upstream+forks: merge requests targeting the default branch
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
+      when: manual
+      allow_failure: true
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
+      when: on_success

    # upstream+forks: merge requests targeting non-default branches
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
      when: manual
      allow_failure: true
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != $CI_DEFAULT_BRANCH'
      when: on_success
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
+
+
+    ### WEB / API / SCHEDULED events
+
+    # upstream: other web/api/scheduled pipelines targeting the default branch
+    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
+      when: manual
+      allow_failure: true
+    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
+      when: on_success
+
+    # upstream: other web/api/scheduled pipelines targeting non-default branches
+    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
+      when: manual
+      allow_failure: true
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
+    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH'
+      when: on_success
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
+
+    # forks: other web/api/scheduled pipelines on any branches
+    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $JOB_OPTIONAL'
+      when: manual
+      allow_failure: true
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
+    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/'
+      when: on_success
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
+
+
+    ### Catch all unhandled events

    # upstream+forks: that's all folks
    - when: never
@@ -146,16 +156,25 @@
 #    include CI changes
 #  - Validating code committed to a fork branch
 #
-# Note: the rules across the prebuilt_env and local_env templates
+# Note: the rules across the prebuilt and local container scenarios
 # should be logical inverses, such that jobs are mutually exclusive
 #
-.gitlab_cross_build_job_prebuilt_env:
-  image: $CI_REGISTRY/$RUN_UPSTREAM_NAMESPACE/libvirt/ci-$NAME-cross-$CROSS:latest
+.gitlab_cross_build_job:
+  image: $IMAGE
  stage: builds
  interruptible: true
  before_script:
+    - if test "$IMAGE" == "$TARGET_BASE_IMAGE" ;
+      then
+        source ci/buildenv/$NAME-cross-$CROSS.sh ;
+        install_buildenv ;
+      fi
    - cat /packages.txt
+  variables:
+    IMAGE: $CI_REGISTRY/$RUN_UPSTREAM_NAMESPACE/libvirt/ci-$NAME-cross-$CROSS:latest
  rules:
+    ### PUSH events
+
    # upstream: pushes to the default branch
    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
      when: manual
@@ -170,68 +189,19 @@
    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $RUN_PIPELINE_UPSTREAM_ENV'
      when: on_success

-    # upstream: other web/api/scheduled pipelines targeting the default branch
-    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
-      when: manual
-      allow_failure: true
-    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
-      when: on_success
-
-    # upstream+forks: merge requests targeting the default branch, without CI changes
-    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
-      changes:
-        - ci/gitlab/container-templates.yml
-        - ci/containers/$NAME-cross-$CROSS.Dockerfile
-      when: never
-    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
-      when: manual
-      allow_failure: true
-    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
-      when: on_success
-
-    # upstream+forks: that's all folks
-    - when: never
-
-.gitlab_cross_build_job_local_env:
-  image: $IMAGE
-  stage: builds
-  interruptible: true
-  before_script:
-    - source ci/buildenv/$NAME-cross-$CROSS.sh
-    - install_buildenv
-    - cat /packages.txt
-  rules:
-    # upstream: pushes to a non-default branch
-    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
-      when: manual
-      allow_failure: true
-    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
-      when: on_success
-
-    # forks: avoid build in local env when job requests run in upstream containers
-    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $RUN_PIPELINE_UPSTREAM_ENV'
-      when: never
-
    # forks: pushes to branches with pipeline requested
    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $RUN_PIPELINE && $JOB_OPTIONAL'
      when: manual
      allow_failure: true
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE == "push" && $RUN_PIPELINE'
      when: on_success
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE

-    # upstream: other web/api/scheduled pipelines targeting non-default branches
-    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
-      when: manual
-      allow_failure: true
-    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH'
-      when: on_success

-    # forks: other web/api/scheduled pipelines
-    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $JOB_OPTIONAL'
-      when: manual
-      allow_failure: true
-    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/'
-      when: on_success
+    ### MERGE REQUEST events

    # upstream+forks: merge requests targeting the default branch, with CI changes
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
@@ -240,18 +210,68 @@
        - ci/containers/$NAME-cross-$CROSS.Dockerfile
      when: manual
      allow_failure: true
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
      changes:
        - ci/gitlab/container-templates.yml
        - ci/containers/$NAME-cross-$CROSS.Dockerfile
      when: on_success
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
+
+    # upstream+forks: merge requests targeting the default branch
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
+      when: manual
+      allow_failure: true
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH'
+      when: on_success

    # upstream+forks: merge requests targeting non-default branches
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
      when: manual
      allow_failure: true
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != $CI_DEFAULT_BRANCH'
      when: on_success
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
+
+
+    ### WEB / API / SCHEDULED events
+
+    # upstream: other web/api/scheduled pipelines targeting the default branch
+    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
+      when: manual
+      allow_failure: true
+    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
+      when: on_success
+
+    # upstream: other web/api/scheduled pipelines targeting non-default branches
+    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH && $JOB_OPTIONAL'
+      when: manual
+      allow_failure: true
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
+    - if: '$CI_PROJECT_NAMESPACE == $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH'
+      when: on_success
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
+
+    # forks: other web/api/scheduled pipelines on any branches
+    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/ && $JOB_OPTIONAL'
+      when: manual
+      allow_failure: true
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
+    - if: '$CI_PROJECT_NAMESPACE != $RUN_UPSTREAM_NAMESPACE && $CI_PIPELINE_SOURCE =~ /(web|api|schedule)/'
+      when: on_success
+      variables:
+        IMAGE: $TARGET_BASE_IMAGE
+
+
+    ### Catch all unhandled events

    # upstream+forks: that's all folks
    - when: never
@@ -263,26 +283,10 @@
  interruptible: true
  needs: []
  script:
+    - set -o allexport
    - source ci/cirrus/$NAME.vars
-    - sed -e "s|[@]CI_REPOSITORY_URL@|$CI_REPOSITORY_URL|g"
-          -e "s|[@]CI_COMMIT_REF_NAME@|$CI_COMMIT_REF_NAME|g"
-          -e "s|[@]CI_MERGE_REQUEST_REF_PATH@|$CI_MERGE_REQUEST_REF_PATH|g"
-          -e "s|[@]CI_COMMIT_SHA@|$CI_COMMIT_SHA|g"
-          -e "s|[@]CIRRUS_VM_INSTANCE_TYPE@|$CIRRUS_VM_INSTANCE_TYPE|g"
-          -e "s|[@]CIRRUS_VM_IMAGE_SELECTOR@|$CIRRUS_VM_IMAGE_SELECTOR|g"
-          -e "s|[@]CIRRUS_VM_IMAGE_NAME@|$CIRRUS_VM_IMAGE_NAME|g"
-          -e "s|[@]UPDATE_COMMAND@|$UPDATE_COMMAND|g"
-          -e "s|[@]UPGRADE_COMMAND@|$UPGRADE_COMMAND|g"
-          -e "s|[@]INSTALL_COMMAND@|$INSTALL_COMMAND|g"
-          -e "s|[@]PATH@|$PATH_EXTRA${PATH_EXTRA:+:}\$PATH|g"
-          -e "s|[@]PKG_CONFIG_PATH@|$PKG_CONFIG_PATH|g"
-          -e "s|[@]PKGS@|$PKGS|g"
-          -e "s|[@]MAKE@|$MAKE|g"
-          -e "s|[@]PYTHON@|$PYTHON|g"
-          -e "s|[@]PIP3@|$PIP3|g"
-          -e "s|[@]PYPI_PKGS@|$PYPI_PKGS|g"
-          -e "s|[@]XML_CATALOG_FILES@|$XML_CATALOG_FILES|g"
-      <ci/cirrus/build.yml >ci/cirrus/$NAME.yml
+    - set +o allexport
+    - cirrus-vars <ci/cirrus/build.yml >ci/cirrus/$NAME.yml
    - cat ci/cirrus/$NAME.yml
    - cirrus-run -v --show-build-log always ci/cirrus/$NAME.yml
  rules:
--- a/ci/gitlab/builds.yml
+++ b/ci/gitlab/builds.yml
--- a/ci/gitlab/containers.yml
+++ b/ci/gitlab/containers.yml
@@ -7,18 +7,18 @@

 # Native container jobs

-x86_64-almalinux-8-container:
+x86_64-almalinux-9-container:
  extends: .container_job
  allow_failure: false
  variables:
-    NAME: almalinux-8
+    NAME: almalinux-9


-x86_64-alpine-317-container:
+x86_64-alpine-319-container:
  extends: .container_job
  allow_failure: false
  variables:
-    NAME: alpine-317
+    NAME: alpine-319


 x86_64-alpine-edge-container:
@@ -28,13 +28,6 @@ x86_64-alpine-edge-container:
    NAME: alpine-edge


-x86_64-centos-stream-8-container:
-  extends: .container_job
-  allow_failure: false
-  variables:
-    NAME: centos-stream-8
-
-
 x86_64-centos-stream-9-container:
  extends: .container_job
  allow_failure: false
@@ -64,18 +57,18 @@ x86_64-debian-sid-container:
    NAME: debian-sid


-x86_64-fedora-37-container:
+x86_64-fedora-39-container:
  extends: .container_job
  allow_failure: false
  variables:
-    NAME: fedora-37
+    NAME: fedora-39


-x86_64-fedora-38-container:
+x86_64-fedora-40-container:
  extends: .container_job
  allow_failure: false
  variables:
-    NAME: fedora-38
+    NAME: fedora-40


 x86_64-fedora-rawhide-container:
@@ -99,13 +92,6 @@ x86_64-opensuse-tumbleweed-container:
    NAME: opensuse-tumbleweed


-x86_64-ubuntu-2004-container:
-  extends: .container_job
-  allow_failure: false
-  variables:
-    NAME: ubuntu-2004
-
-
 x86_64-ubuntu-2204-container:
  extends: .container_job
  allow_failure: false
@@ -113,6 +99,13 @@ x86_64-ubuntu-2204-container:
    NAME: ubuntu-2204


+x86_64-ubuntu-2404-container:
+  extends: .container_job
+  allow_failure: false
+  variables:
+    NAME: ubuntu-2404
+
+

 # Cross container jobs

@@ -245,7 +238,7 @@ s390x-debian-12-container:

 aarch64-debian-sid-container:
  extends: .container_job
-  allow_failure: false
+  allow_failure: true
  variables:
    JOB_OPTIONAL: 1
    NAME: debian-sid-cross-aarch64
@@ -253,7 +246,7 @@ aarch64-debian-sid-container:

 armv6l-debian-sid-container:
  extends: .container_job
-  allow_failure: false
+  allow_failure: true
  variables:
    JOB_OPTIONAL: 1
    NAME: debian-sid-cross-armv6l
@@ -261,7 +254,7 @@ armv6l-debian-sid-container:

 armv7l-debian-sid-container:
  extends: .container_job
-  allow_failure: false
+  allow_failure: true
  variables:
    JOB_OPTIONAL: 1
    NAME: debian-sid-cross-armv7l
@@ -269,7 +262,7 @@ armv7l-debian-sid-container:

 i686-debian-sid-container:
  extends: .container_job
-  allow_failure: false
+  allow_failure: true
  variables:
    JOB_OPTIONAL: 1
    NAME: debian-sid-cross-i686
@@ -277,7 +270,7 @@ i686-debian-sid-container:

 mips64el-debian-sid-container:
  extends: .container_job
-  allow_failure: false
+  allow_failure: true
  variables:
    JOB_OPTIONAL: 1
    NAME: debian-sid-cross-mips64el
@@ -285,7 +278,7 @@ mips64el-debian-sid-container:

 ppc64le-debian-sid-container:
  extends: .container_job
-  allow_failure: false
+  allow_failure: true
  variables:
    JOB_OPTIONAL: 1
    NAME: debian-sid-cross-ppc64le
@@ -293,25 +286,25 @@ ppc64le-debian-sid-container:

 s390x-debian-sid-container:
  extends: .container_job
-  allow_failure: false
+  allow_failure: true
  variables:
    JOB_OPTIONAL: 1
    NAME: debian-sid-cross-s390x


-mingw32-fedora-38-container:
+mingw32-fedora-40-container:
  extends: .container_job
  allow_failure: false
  variables:
    JOB_OPTIONAL: 1
-    NAME: fedora-38-cross-mingw32
+    NAME: fedora-40-cross-mingw32


-mingw64-fedora-38-container:
+mingw64-fedora-40-container:
  extends: .container_job
  allow_failure: false
  variables:
-    NAME: fedora-38-cross-mingw64
+    NAME: fedora-40-cross-mingw64


 mingw32-fedora-rawhide-container:
--- a/ci/integration-template.yml
+++ b/ci/integration-template.yml
@@ -1,4 +1,5 @@
 .qemu-build-template: &qemu-build-template
+  - pushd "$SCRATCH_DIR"
  - git clone --depth 1 https://gitlab.com/qemu-project/qemu.git
  - cd qemu
  #
@@ -22,6 +23,8 @@
  # other user
  - sudo git config --global --add safe.directory "$SCRATCH_DIR/qemu"
  - sudo make install
+  - sudo restorecon -R /usr
+  - popd


 .collect-logs: &collect-logs
@@ -44,6 +47,10 @@

 .integration_tests:
  stage: integration_tests
+  rules:
+    - if: '$LIBVIRT_CI_INTEGRATION == null'
+      when: never
+    - !reference [.gitlab_native_build_job, rules]
  before_script:
    - mkdir "$SCRATCH_DIR"
    - sudo dnf install -y libvirt-rpms/* libvirt-perl-rpms/* libvirt-python-rpms/*
@@ -62,37 +69,13 @@
      - logs
    when: on_failure

-.integration_tests_prebuilt_env:
-  extends: .integration_tests
-  rules:
-    - if: '$LIBVIRT_CI_INTEGRATION == null'
-      when: never
-    - !reference [.gitlab_native_build_job_prebuilt_env, rules]
-
-.integration_tests_local_env:
-  extends: .integration_tests
-  rules:
-    - if: '$LIBVIRT_CI_INTEGRATION == null'
-      when: never
-    - !reference [.gitlab_native_build_job_local_env, rules]
-

 # YAML anchors don't work with Shell conditions so we can't use a variable
 # to conditionally build+install QEMU from source.
 # Instead, create a new test job template for this scenario.
 .integration_tests_upstream_qemu:
+  extends:
+    - .integration_tests
  before_script:
    - !reference [.integration_tests, before_script]
-    - cd "$SCRATCH_DIR"
    - *qemu-build-template
-    - sudo restorecon -R /usr
-
-.integration_tests_upstream_qemu_prebuilt_env:
-  extends:
-    - .integration_tests_prebuilt_env
-    - .integration_tests_upstream_qemu
-
-.integration_tests_upstream_qemu_local_env:
-  extends:
-    - .integration_tests_local_env
-    - .integration_tests_upstream_qemu
--- a/ci/integration.yml
+++ b/ci/integration.yml
@@ -1,47 +1,12 @@
 include:
  - 'ci/integration-template.yml'

-.centos-stream-8-tests:
-  variables:
-    # needed by libvirt-gitlab-executor
-    DISTRO: centos-stream-8
-    # can be overridden in forks to set a different runner tag
-    LIBVIRT_CI_INTEGRATION_RUNNER_TAG: redhat-vm-host
-  tags:
-    - $LIBVIRT_CI_INTEGRATION_RUNNER_TAG
-
-centos-stream-8-tests-prebuilt-env:
-  extends:
-    - .integration_tests_prebuilt_env
-    - .centos-stream-8-tests
-  needs:
-    - x86_64-centos-stream-8-prebuilt-env
-    - project: libvirt/libvirt-perl
-      job: x86_64-centos-stream-8-prebuilt-env
-      ref: master
-      artifacts: true
-    - project: libvirt/libvirt-python
-      job: x86_64-centos-stream-8-prebuilt-env
-      ref: master
-      artifacts: true
-
-centos-stream-8-tests-local-env:
-  extends:
-    - .integration_tests_local_env
-    - .centos-stream-8-tests
-  needs:
-    - x86_64-centos-stream-8-local-env
-    - project: libvirt/libvirt-perl
-      job: x86_64-centos-stream-8-prebuilt-env
-      ref: master
-      artifacts: true
-    - project: libvirt/libvirt-python
-      job: x86_64-centos-stream-8-prebuilt-env
-      ref: master
-      artifacts: true
-
-
-.centos-stream-9-tests:
+# NOTE The integration tests use artifacts produced by the libvirt-perl
+# and libvirt-python CI jobs, so the new target needs to be introduced
+# there before it can be used here. The VM template for the target
+# also needs to be created on the runner host.
+centos-stream-9-tests:
+  extends: .integration_tests
  variables:
    # needed by libvirt-gitlab-executor
    DISTRO: centos-stream-9
@@ -49,153 +14,61 @@ centos-stream-8-tests-local-env:
    LIBVIRT_CI_INTEGRATION_RUNNER_TAG: redhat-vm-host
  tags:
    - $LIBVIRT_CI_INTEGRATION_RUNNER_TAG
-
-centos-stream-9-tests-prebuilt-env:
-  extends:
-    - .integration_tests_prebuilt_env
-    - .centos-stream-9-tests
  needs:
-    - x86_64-centos-stream-9-prebuilt-env
+    - x86_64-centos-stream-9
    - project: libvirt/libvirt-perl
-      job: x86_64-centos-stream-9-prebuilt-env
+      job: x86_64-centos-stream-9
      ref: master
      artifacts: true
    - project: libvirt/libvirt-python
-      job: x86_64-centos-stream-9-prebuilt-env
+      job: x86_64-centos-stream-9
      ref: master
      artifacts: true

-centos-stream-9-tests-local-env:
-  extends:
-    - .integration_tests_local_env
-    - .centos-stream-9-tests
-  needs:
-    - x86_64-centos-stream-9-local-env
-    - project: libvirt/libvirt-perl
-      job: x86_64-centos-stream-9-prebuilt-env
-      ref: master
-      artifacts: true
-    - project: libvirt/libvirt-python
-      job: x86_64-centos-stream-9-prebuilt-env
-      ref: master
-      artifacts: true
-
-
-.fedora-37-tests:
+# NOTE The integration tests use artifacts produced by the libvirt-perl
+# and libvirt-python CI jobs, so the new target needs to be introduced
+# there before it can be used here. The VM template for the target
+# also needs to be created on the runner host.
+fedora-39-tests:
+  extends: .integration_tests
  variables:
    # needed by libvirt-gitlab-executor
-    DISTRO: fedora-37
+    DISTRO: fedora-39
    # can be overridden in forks to set a different runner tag
    LIBVIRT_CI_INTEGRATION_RUNNER_TAG: redhat-vm-host
  tags:
    - $LIBVIRT_CI_INTEGRATION_RUNNER_TAG
-
-fedora-37-tests-prebuilt-env:
-  extends:
-    - .integration_tests_prebuilt_env
-    - .fedora-37-tests
  needs:
-    - x86_64-fedora-37-prebuilt-env
+    - x86_64-fedora-39
    - project: libvirt/libvirt-perl
-      job: x86_64-fedora-37-prebuilt-env
+      job: x86_64-fedora-39
      ref: master
      artifacts: true
    - project: libvirt/libvirt-python
-      job: x86_64-fedora-37-prebuilt-env
+      job: x86_64-fedora-39
      ref: master
      artifacts: true

-fedora-37-tests-local-env:
-  extends:
-    - .integration_tests_local_env
-    - .fedora-37-tests
-  needs:
-    - x86_64-fedora-37-local-env
-    - project: libvirt/libvirt-perl
-      job: x86_64-fedora-37-prebuilt-env
-      ref: master
-      artifacts: true
-    - project: libvirt/libvirt-python
-      job: x86_64-fedora-37-prebuilt-env
-      ref: master
-      artifacts: true
-
-
-.fedora-38-tests:
+# NOTE The integration tests use artifacts produced by the libvirt-perl
+# and libvirt-python CI jobs, so the new target needs to be introduced
+# there before it can be used here. The VM template for the target
+# also needs to be created on the runner host.
+.fedora-39-upstream-qemu-tests:
+  extends: .integration_tests
  variables:
    # needed by libvirt-gitlab-executor
-    DISTRO: fedora-38
+    DISTRO: fedora-39
    # can be overridden in forks to set a different runner tag
    LIBVIRT_CI_INTEGRATION_RUNNER_TAG: redhat-vm-host
  tags:
    - $LIBVIRT_CI_INTEGRATION_RUNNER_TAG
-
-fedora-38-tests-prebuilt-env:
-  extends:
-    - .integration_tests_prebuilt_env
-    - .fedora-38-tests
  needs:
-    - x86_64-fedora-38-prebuilt-env
+    - x86_64-fedora-39
    - project: libvirt/libvirt-perl
-      job: x86_64-fedora-38-prebuilt-env
+      job: x86_64-fedora-39
      ref: master
      artifacts: true
    - project: libvirt/libvirt-python
-      job: x86_64-fedora-38-prebuilt-env
-      ref: master
-      artifacts: true
-
-fedora-38-tests-local-env:
-  extends:
-    - .integration_tests_local_env
-    - .fedora-38-tests
-  needs:
-    - x86_64-fedora-38-local-env
-    - project: libvirt/libvirt-perl
-      job: x86_64-fedora-38-prebuilt-env
-      ref: master
-      artifacts: true
-    - project: libvirt/libvirt-python
-      job: x86_64-fedora-38-prebuilt-env
-      ref: master
-      artifacts: true
-
-
-.fedora-38-upstream-qemu-tests:
-  variables:
-    # needed by libvirt-gitlab-executor
-    DISTRO: fedora-38
-    # can be overridden in forks to set a different runner tag
-    LIBVIRT_CI_INTEGRATION_RUNNER_TAG: redhat-vm-host
-  tags:
-    - $LIBVIRT_CI_INTEGRATION_RUNNER_TAG
-
-fedora-38-upstream-qemu-tests-prebuilt-env:
-  extends:
-    - .integration_tests_prebuilt_env
-    - .fedora-38-upstream-qemu-tests
-  needs:
-    - x86_64-fedora-38-prebuilt-env
-    - project: libvirt/libvirt-perl
-      job: x86_64-fedora-38-prebuilt-env
-      ref: master
-      artifacts: true
-    - project: libvirt/libvirt-python
-      job: x86_64-fedora-38-prebuilt-env
-      ref: master
-      artifacts: true
-
-fedora-38-upstream-qemu-tests-local-env:
-  extends:
-    - .integration_tests_local_env
-    - .fedora-38-upstream-qemu-tests
-  needs:
-    - x86_64-fedora-38-local-env
-    - project: libvirt/libvirt-perl
-      job: x86_64-fedora-38-prebuilt-env
-      ref: master
-      artifacts: true
-    - project: libvirt/libvirt-python
-      job: x86_64-fedora-38-prebuilt-env
+      job: x86_64-fedora-39
      ref: master
      artifacts: true
--- a/Show More
+++ b/Show More