fix(sidebar): set helper anchor color to match the other items [C9S-47] (#2058 )

fix(kube/app): enable edit button for regular apps [BE-12690] (#2039 )
feat(policies): banner and confirmation on change policy [C9S-20] (#1988 )
2026-03-16 15:50:59 +13:00 · 2026-03-15 11:22:09 +02:00 · 2026-03-13 14:11:53 +13:00 · 2026-03-13 11:34:28 +13:00 · 2026-03-13 08:30:45 +13:00 · 2026-03-12 12:30:40 +13:00
1497 changed files with 79437 additions and 33613 deletions
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -17,7 +17,7 @@ plugins:
  - import

 parserOptions:
-  ecmaVersion: 2018
+  ecmaVersion: latest
  sourceType: module
  project: './tsconfig.json'
  ecmaFeatures:
@@ -114,7 +114,13 @@ overrides:
      '@typescript-eslint/explicit-module-boundary-types': off
      '@typescript-eslint/no-unused-vars': 'error'
      '@typescript-eslint/no-explicit-any': 'error'
-      'jsx-a11y/label-has-associated-control': ['error', { 'assert': 'either', controlComponents: ['Input', 'Checkbox'] }]
+      'jsx-a11y/label-has-associated-control':
+        - error
+        - assert: either
+          controlComponents:
+            - Input
+            - Checkbox
+      'jsx-a11y/control-has-associated-label': off
      'react/function-component-definition': ['error', { 'namedComponents': 'function-declaration' }]
      'react/jsx-no-bind': off
      'no-await-in-loop': 'off'
@@ -133,15 +139,19 @@ overrides:
          'react/jsx-props-no-spreading': off
  - files:
      - app/**/*.test.*
+    plugins:
+      - '@vitest'
    extends:
-      - 'plugin:vitest/recommended'
+      - 'plugin:@vitest/legacy-recommended'
    env:
-      'vitest/env': true
+      '@vitest/env': true
    rules:
      'react/jsx-no-constructed-context-values': off
      '@typescript-eslint/no-restricted-imports': off
      no-restricted-imports: off
      'react/jsx-props-no-spreading': off
+      '@vitest/no-conditional-expect': warn
+      'max-classes-per-file': off
  - files:
      - app/**/*.stories.*
    rules:
@@ -149,3 +159,4 @@ overrides:
      '@typescript-eslint/no-restricted-imports': off
      no-restricted-imports: off
      'react/jsx-props-no-spreading': off
+      'storybook/no-renderer-packages': off
--- a/.github/DISCUSSION_TEMPLATE/ideas.yaml
+++ b/.github/DISCUSSION_TEMPLATE/ideas.yaml
@@ -6,7 +6,7 @@ body:
        
        Thanks for suggesting an idea for Portainer!

-        Before opening a new idea or feature request, make sure that we do not have any duplicates already open. You can ensure this by [searching this discussion cagetory](https://github.com/orgs/portainer/discussions/categories/ideas). If there is a duplicate, please add a comment to the existing idea instead.
+        Before opening a new idea or feature request, make sure that we do not have any duplicates already open. You can ensure this by [searching this discussion category](https://github.com/orgs/portainer/discussions/categories/ideas). If there is a duplicate, please add a comment to the existing idea instead.

        Also, be sure to check our [knowledge base](https://portal.portainer.io/knowledge) and [documentation](https://docs.portainer.io) as they may point you toward a solution.
        
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -22,7 +22,7 @@ body:
      options:
        - label: Yes, I've searched similar issues on [GitHub](https://github.com/portainer/portainer/issues).
          required: true
-        - label: Yes, I've checked whether this issue is covered in the Portainer [documentation](https://docs.portainer.io) or [knowledge base](https://portal.portainer.io/knowledge).
+        - label: Yes, I've checked whether this issue is covered in the Portainer [documentation](https://docs.portainer.io).
          required: true

  - type: markdown
@@ -94,6 +94,21 @@ body:
      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
      multiple: false
      options:
+        - '2.39.0'
+        - '2.38.1'
+        - '2.38.0'
+        - '2.37.0'
+        - '2.36.0'
+        - '2.35.0'
+        - '2.34.0'
+        - '2.33.7'
+        - '2.33.6'
+        - '2.33.5'
+        - '2.33.4'
+        - '2.33.3'
+        - '2.33.2'
+        - '2.33.1'
+        - '2.33.0'
        - '2.32.0'
        - '2.31.3'
        - '2.31.2'
@@ -128,8 +143,6 @@ body:
        - '2.21.4'
        - '2.21.3'
        - '2.21.2'
-        - '2.21.1'
-        - '2.21.0'
    validations:
      required: true

--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,5 @@ api/docs
 .env
 go.work.sum

+.vitest
+
--- a/.golangci-forward.yaml
+++ b/.golangci-forward.yaml
@@ -0,0 +1,16 @@
+version: "2"
+linters:
+  default: none
+  enable:
+    - forbidigo
+  settings:
+    forbidigo:
+      forbid:
+        - pattern: ^dataservices.DataStore.(EdgeGroup|EdgeJob|EdgeStack|EndpointRelation|Endpoint|GitCredential|Registry|ResourceControl|Role|Settings|Snapshot|SSLSettings|Stack|Tag|User)$
+          msg: Use a transaction instead
+      analyze-types: true
+  exclusions:
+    rules:
+      - path: _test\.go
+        linters:
+          - forbidigo
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,10 +1,14 @@
 version: "2"
+
+run:
+  allow-parallel-runners: true
 linters:
  default: none
  enable:
    - bodyclose
    - copyloopvar
    - depguard
+    - errcheck
    - errorlint
    - forbidigo
    - govet
@@ -13,6 +17,18 @@ linters:
    - perfsprint
    - staticcheck
    - unused
+    - mirror
+    - durationcheck
+    - errorlint
+    - govet
+    - usetesting
+    - zerologlint
+    - testifylint
+    - modernize
+    - unconvert
+    - unused
+    - zerologlint
+    - exptostd
  settings:
    staticcheck:
      checks: ["all", "-ST1003", "-ST1005", "-ST1016", "-SA1019", "-QF1003"]
@@ -32,12 +48,44 @@ linters:
              desc: use github.com/portainer/portainer/pkg/libcrypto
            - pkg: github.com/portainer/libhttp
              desc: use github.com/portainer/portainer/pkg/libhttp
+            - pkg: golang.org/x/crypto
+              desc: golang.org/x/crypto is not allowed because of FIPS mode
+            - pkg: github.com/ProtonMail/go-crypto/openpgp
+              desc: github.com/ProtonMail/go-crypto/openpgp is not allowed because of FIPS mode
+            - pkg: github.com/cosi-project/runtime
+              desc: github.com/cosi-project/runtime is not allowed because of FIPS mode
+            - pkg: gopkg.in/yaml.v2
+              desc: use go.yaml.in/yaml/v3 instead
+            - pkg: gopkg.in/yaml.v3
+              desc: use go.yaml.in/yaml/v3 instead
+            - pkg: github.com/golang-jwt/jwt/v4
+              desc: use github.com/golang-jwt/jwt/v5 instead
+            - pkg: github.com/mitchellh/mapstructure
+              desc: use github.com/go-viper/mapstructure/v2 instead
+            - pkg: gopkg.in/alecthomas/kingpin.v2
+              desc: use github.com/alecthomas/kingpin/v2 instead
+            - pkg: github.com/jcmturner/gokrb5$
+              desc: use github.com/jcmturner/gokrb5/v8 instead
+            - pkg: github.com/gofrs/uuid
+              desc: use github.com/google/uuid
+            - pkg: github.com/Masterminds/semver$
+              desc: use github.com/Masterminds/semver/v3
+            - pkg: github.com/blang/semver
+              desc: use github.com/Masterminds/semver/v3
+            - pkg: github.com/coreos/go-semver
+              desc: use github.com/Masterminds/semver/v3
+            - pkg: github.com/hashicorp/go-version
+              desc: use github.com/Masterminds/semver/v3
    forbidigo:
      forbid:
        - pattern: ^tls\.Config$
          msg: Use crypto.CreateTLSConfiguration() instead
        - pattern: ^tls\.Config\.(InsecureSkipVerify|MinVersion|MaxVersion|CipherSuites|CurvePreferences)$
          msg: Do not set this field directly, use crypto.CreateTLSConfiguration() instead
+        - pattern: ^object\.(Commit|Tag)\.Verify$
+          msg: "Not allowed because of FIPS mode"
+        - pattern: ^(types\.SystemContext\.)?(DockerDaemonInsecureSkipTLSVerify|DockerInsecureSkipTLSVerify|OCIInsecureSkipTLSVerify)$
+          msg: "Not allowed because of FIPS mode"
      analyze-types: true
  exclusions:
    generated: lax
@@ -45,12 +93,13 @@ linters:
      - comments
      - common-false-positives
      - legacy
-      - std-error-handling
    paths:
      - third_party$
      - builtin$
      - examples$
 formatters:
+  enable:
+    - gofmt
  exclusions:
    generated: lax
    paths:
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,4 +1,4 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"

-cd $(dirname -- "$0") && yarn lint-staged
+cd $(dirname -- "$0") && pnpm lint-staged
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,2 +1,3 @@
 dist
-api/datastore/test_data
+api/datastore/test_data
+coverage
--- a/.storybook/main.ts
+++ b/.storybook/main.ts
@@ -9,20 +9,38 @@ const config: StorybookConfig = {
  addons: [
    '@storybook/addon-links',
    '@storybook/addon-essentials',
+    '@storybook/addon-webpack5-compiler-swc',
+    '@chromatic-com/storybook',
    {
-      name: '@storybook/addon-styling',
+      name: '@storybook/addon-styling-webpack',
+
      options: {
-        cssLoaderOptions: {
-          importLoaders: 1,
-          modules: {
-            localIdentName: '[path][name]__[local]',
-            auto: true,
-            exportLocalsConvention: 'camelCaseOnly',
+        rules: [
+          {
+            test: /\.css$/,
+            sideEffects: true,
+            use: [
+              require.resolve('style-loader'),
+              {
+                loader: require.resolve('css-loader'),
+                options: {
+                  importLoaders: 1,
+                  modules: {
+                    localIdentName: '[path][name]__[local]',
+                    auto: true,
+                    exportLocalsConvention: 'camelCaseOnly',
+                  },
+                },
+              },
+              {
+                loader: require.resolve('postcss-loader'),
+                options: {
+                  implementation: postcss,
+                },
+              },
+            ],
          },
-        },
-        postCss: {
-          implementation: postcss,
-        },
+        ],
      },
    },
  ],
--- a/.storybook/preview.tsx
+++ b/.storybook/preview.tsx
@@ -1,9 +1,9 @@
 import '../app/assets/css';
-import React from 'react';
 import { pushStateLocationPlugin, UIRouter } from '@uirouter/react';
 import { initialize as initMSW, mswLoader } from 'msw-storybook-addon';
 import { handlers } from '../app/setup-tests/server-handlers';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { Preview } from '@storybook/react';

 initMSW(
  {
@@ -21,31 +21,30 @@ initMSW(
  handlers
 );

-export const parameters = {
-  actions: { argTypesRegex: '^on[A-Z].*' },
-  controls: {
-    matchers: {
-      color: /(background|color)$/i,
-      date: /Date$/,
-    },
-  },
-  msw: {
-    handlers,
-  },
-};
-
 const testQueryClient = new QueryClient({
  defaultOptions: { queries: { retry: false } },
 });

-export const decorators = [
-  (Story) => (
+const preview: Preview = {
+  decorators: (Story) => (
    <QueryClientProvider client={testQueryClient}>
      <UIRouter plugins={[pushStateLocationPlugin]}>
        <Story />
      </UIRouter>
    </QueryClientProvider>
  ),
-];
+  loaders: [mswLoader],
+  parameters: {
+    controls: {
+      matchers: {
+        color: /(background|color)$/i,
+        date: /Date$/,
+      },
+    },
+    msw: {
+      handlers,
+    },
+  },
+};

-export const loaders = [mswLoader];
+export default preview;
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,44 @@
+# Portainer Community Edition
+
+Open-source container management platform with full Docker and Kubernetes support.
+
+see also:
+
+- docs/guidelines/server-architecture.md
+- docs/guidelines/go-conventions.md
+- docs/guidelines/typescript-conventions.md
+
+## Package Manager
+
+- **PNPM** 10+ (for frontend)
+- **Go** 1.25.7 (for backend)
+
+## Build Commands
+
+```bash
+# Full build
+make build              # Build both client and server
+make build-client       # Build React/AngularJS frontend
+make build-server       # Build Go binary
+make build-image        # Build Docker image
+
+# Development
+make dev                # Run both in dev mode
+make dev-client         # Start webpack-dev-server (port 8999)
+make dev-server         # Run containerized Go server
+
+pnpm run dev            # Webpack dev server
+pnpm run build          # Build frontend with webpack
+pnpm run test           # Run frontend tests
+
+# Testing
+make test               # All tests (backend + frontend)
+make test-server        # Backend tests only
+make lint               # Lint all code
+make format             # Format code
+```
+
+## Development Servers
+
+- Frontend: http://localhost:8999
+- Backend: http://localhost:9000 (HTTP) / https://localhost:9443 (HTTPS)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -77,7 +77,7 @@ The feature request process is similar to the bug report process but has an extr

 ## Build and run Portainer locally

-Ensure you have Docker, Node.js, yarn, and Golang installed in the correct versions.
+Ensure you have Docker, Node.js, pnpm, and Golang installed in the correct versions.

 Install dependencies:

--- a/36
+++ b/36
@@ -1,9 +1,3 @@
-# See: https://gist.github.com/asukakenji/f15ba7e588ac42795f421b48b8aede63
-# For a list of valid GOOS and GOARCH values
-# Note: these can be overriden on the command line e.g. `make PLATFORM=<platform> ARCH=<arch>`
-PLATFORM=$(shell go env GOOS)
-ARCH=$(shell go env GOARCH)
-
 # build target, can be one of "production", "testing", "development"
 ENV=development
 WEBPACK_CONFIG=webpack/webpack.$(ENV).js
@@ -26,7 +20,7 @@ all: tidy deps build-server build-client ## Build the client, server and downloa
 build-all: all ## Alias for the 'all' target (used by CI)

 build-client: init-dist ## Build the client
-	export NODE_ENV=$(ENV) && yarn build --config $(WEBPACK_CONFIG)
+	export NODE_ENV=$(ENV) && pnpm run build --config $(WEBPACK_CONFIG)

 build-server: init-dist ## Build the server binary
 	./build/build_binary.sh "$(PLATFORM)" "$(ARCH)"
@@ -35,11 +29,7 @@ build-image: build-all ## Build the Portainer image locally
 	docker buildx build --load -t portainerci/portainer-ce:$(TAG) -f build/linux/Dockerfile .

 build-storybook: ## Build and serve the storybook files
-	yarn storybook:build
-
-devops: clean deps build-client ## Build the everything target specifically for CI
-	echo "Building the devops binary..."
-	@./build/build_binary_azuredevops.sh "$(PLATFORM)" "$(ARCH)"
+	pnpm run storybook:build

 ##@ Build dependencies
 .PHONY: deps server-deps client-deps tidy
@@ -49,25 +39,23 @@ server-deps: init-dist ## Download dependant server binaries
 	@./build/download_binaries.sh $(PLATFORM) $(ARCH)

 client-deps: ## Install client dependencies
-	yarn
+	pnpm install

 tidy: ## Tidy up the go.mod file
 	@go mod tidy

-
 ##@ Cleanup
 .PHONY: clean
 clean: ## Remove all build and download artifacts
 	@echo "Clearing the dist directory..."
 	@rm -rf dist/*

-
 ##@ Testing
 .PHONY: test test-client test-server
 test: test-server test-client ## Run all tests

 test-client: ## Run client tests
-	yarn test $(ARGS) --coverage
+	pnpm run test $(ARGS) --coverage

 test-server:	## Run server tests
 	$(GOTESTSUM) --format pkgname-and-test-fails --format-hide-empty-pkg --hide-summary skipped -- -cover -covermode=atomic -coverprofile=coverage.out ./...
@@ -79,7 +67,7 @@ dev: ## Run both the client and server in development mode
 	make dev-client

 dev-client: ## Run the client in development mode
-	yarn dev
+	pnpm install && pnpm run dev

 dev-server: build-server ## Run the server in development mode
 	@./dev/run_container.sh
@@ -93,7 +81,7 @@ dev-server-podman: build-server ## Run the server in development mode
 format: format-client format-server ## Format all code

 format-client: ## Format client code
-	yarn format
+	pnpm run format

 format-server: ## Format server code
 	go fmt ./...
@@ -103,26 +91,26 @@ format-server: ## Format server code
 lint: lint-client lint-server ## Lint all code

 lint-client: ## Lint client code
-	yarn lint
+	pnpm run lint

-lint-server: ## Lint server code
+lint-server: tidy ## Lint server code
 	golangci-lint run --timeout=10m -c .golangci.yaml
-
+	golangci-lint run --timeout=10m --new-from-rev=HEAD~ -c .golangci-forward.yaml

 ##@ Extension
 .PHONY: dev-extension
 dev-extension: build-server build-client ## Run the extension in development mode
 	make local -f build/docker-extension/Makefile

-
 ##@ Docs
 .PHONY: docs-build docs-validate docs-clean docs-validate-clean
 docs-build: init-dist ## Build docs
+	go mod download -x
 	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 -p pascalcase --markdownFiles ./

 docs-validate: docs-build ## Validate docs
-	yarn swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml
-	yarn swagger-cli validate dist/docs/openapi.yaml
+	pnpm swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml
+	pnpm swagger-cli validate dist/docs/openapi.yaml

 ##@ Helpers
 .PHONY: help
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@ You can join the Portainer Community by visiting [https://www.portainer.io/join-

 ## Security

- Here at Portainer, we believe in [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) of security issues. If you have found a security issue, please report it to <security@portainer.io>.
+For information about reporting security vulnerabilities, please see our [Security Policy](SECURITY.md).

 ## Work for us

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,61 @@
+# Security Policy
+
+## Supported Versions
+
+Portainer maintains both Short-Term Support (STS) and Long-Term Support (LTS) versions in accordance with our official [Portainer Lifecycle Policy](https://docs.portainer.io/start/lifecycle).
+
+| Version Type | Support Status |
+| --- | --- |
+| LTS (Long-Term Support) | Supported for critical security fixes |
+| STS (Short-Term Support) | Supported until the next STS or LTS release |
+| Legacy / EOL | Not supported |
+
+For a detailed breakdown of current versions and their specific End of Life (EOL) dates, 
+please refer to the [Portainer Lifecycle Policy](https://docs.portainer.io/start/lifecycle).
+
+## Reporting a Vulnerability
+
+The Portainer team takes the security of our products seriously. If you believe you have found a security vulnerability in any Portainer-owned repository, please report it to us responsibly.
+
+**Please do not report security vulnerabilities via public GitHub issues.**
+
+### Disclosure Process
+
+1. **Report**: You can report in one of two ways:
+
+    - **GitHub**: Use the **Report a vulnerability** button on the **Security** tab of this repository.
+
+    - **Email**: Send your findings to security@portainer.io.
+
+2. **Details**: To help us verify the issue, please include:
+
+    - A description of the vulnerability and its potential impact.
+
+    - Step-by-step instructions to reproduce the issue (e.g. proof-of-concept code, scripts, or screenshots).
+
+    - The version of the software and the environment in which it was found.
+
+3. **Acknowledge**: We will acknowledge receipt of your report and provide an initial assessment.
+
+4. **Resolution**: We will work to resolve the issue as quickly as possible. We request that you do not disclose the vulnerability publicly until we have released a fix and notified affected users.
+
+## Our Commitment
+
+If you follow the responsible disclosure process, we will:
+
+- Respond to your report in a timely manner.
+
+- Provide an estimated timeline for remediation.
+
+- Notify you when the vulnerability has been patched.
+
+- Give credit for the discovery (if desired) once the fix is public.
+
+
+We will make every effort to promptly address any security weaknesses. Security advisories and fixes will be published through GitHub Security Advisories and other channels as needed.
+
+Thank you for helping keep Portainer and our community secure.
+
+## Resources
+
+- [Contributing to Portainer](https://docs.portainer.io/contribute/contribute#contributing-to-the-portainer-ce-codebase)
--- a/api/agent/version.go
+++ b/api/agent/version.go
@@ -11,20 +11,18 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/url"
+
+	"github.com/rs/zerolog/log"
 )

 // GetAgentVersionAndPlatform returns the agent version and platform
 //
 // it sends a ping to the agent and parses the version and platform from the headers
 func GetAgentVersionAndPlatform(endpointUrl string, tlsConfig *tls.Config) (portainer.AgentPlatform, string, error) { //nolint:forbidigo
-	httpCli := &http.Client{
-		Timeout: 3 * time.Second,
-	}
+	httpCli := &http.Client{Timeout: 3 * time.Second}

 	if tlsConfig != nil {
-		httpCli.Transport = &http.Transport{
-			TLSClientConfig: tlsConfig,
-		}
+		httpCli.Transport = &http.Transport{TLSClientConfig: tlsConfig}
 	}

 	parsedURL, err := url.ParseURL(endpointUrl + "/ping")
@@ -44,8 +42,10 @@ func GetAgentVersionAndPlatform(endpointUrl string, tlsConfig *tls.Config) (port
 		return 0, "", err
 	}

-	io.Copy(io.Discard, resp.Body)
-	resp.Body.Close()
+	_, _ = io.Copy(io.Discard, resp.Body)
+	if err := resp.Body.Close(); err != nil {
+		log.Warn().Err(err).Msg("failed to close response body")
+	}

 	if resp.StatusCode != http.StatusNoContent {
 		return 0, "", fmt.Errorf("Failed request with status %d", resp.StatusCode)
--- a/api/apikey/apikey_test.go
+++ b/api/apikey/apikey_test.go
@@ -10,31 +10,31 @@ func Test_generateRandomKey(t *testing.T) {
 	is := assert.New(t)

 	tests := []struct {
-		name      string
-		wantLenth int
+		name       string
+		wantLength int
 	}{
 		{
-			name:      "Generate a random key of length 16",
-			wantLenth: 16,
+			name:       "Generate a random key of length 16",
+			wantLength: 16,
 		},
 		{
-			name:      "Generate a random key of length 32",
-			wantLenth: 32,
+			name:       "Generate a random key of length 32",
+			wantLength: 32,
 		},
 		{
-			name:      "Generate a random key of length 64",
-			wantLenth: 64,
+			name:       "Generate a random key of length 64",
+			wantLength: 64,
 		},
 		{
-			name:      "Generate a random key of length 128",
-			wantLenth: 128,
+			name:       "Generate a random key of length 128",
+			wantLength: 128,
 		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := GenerateRandomKey(tt.wantLenth)
-			is.Equal(tt.wantLenth, len(got))
+			got := GenerateRandomKey(tt.wantLength)
+			is.Len(got, tt.wantLength)
 		})
 	}

--- a/api/apikey/service_test.go
+++ b/api/apikey/service_test.go
@@ -10,9 +10,10 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
-	"github.com/stretchr/testify/assert"

 	"github.com/rs/zerolog/log"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func Test_SatisfiesAPIKeyServiceInterface(t *testing.T) {
@@ -30,7 +31,7 @@ func Test_GenerateApiKey(t *testing.T) {
 	t.Run("Successfully generates API key", func(t *testing.T) {
 		desc := "test-1"
 		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, desc)
-		is.NoError(err)
+		require.NoError(t, err)
 		is.NotEmpty(rawKey)
 		is.NotEmpty(apiKey)
 		is.Equal(desc, apiKey.Description)
@@ -38,7 +39,7 @@ func Test_GenerateApiKey(t *testing.T) {

 	t.Run("Api key prefix is 7 chars", func(t *testing.T) {
 		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-2")
-		is.NoError(err)
+		require.NoError(t, err)

 		is.Equal(rawKey[:7], apiKey.Prefix)
 		is.Len(apiKey.Prefix, 7)
@@ -46,7 +47,7 @@ func Test_GenerateApiKey(t *testing.T) {

 	t.Run("Api key has 'ptr_' as prefix", func(t *testing.T) {
 		rawKey, _, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-x")
-		is.NoError(err)
+		require.NoError(t, err)

 		is.Equal(portainerAPIKeyPrefix, "ptr_")
 		is.True(strings.HasPrefix(rawKey, "ptr_"))
@@ -55,7 +56,7 @@ func Test_GenerateApiKey(t *testing.T) {
 	t.Run("Successfully caches API key", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-3")
-		is.NoError(err)
+		require.NoError(t, err)

 		userFromCache, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
 		is.True(ok)
@@ -65,7 +66,7 @@ func Test_GenerateApiKey(t *testing.T) {

 	t.Run("Decoded raw api-key digest matches generated digest", func(t *testing.T) {
 		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-4")
-		is.NoError(err)
+		require.NoError(t, err)

 		generatedDigest := sha256.Sum256([]byte(rawKey))

@@ -83,10 +84,10 @@ func Test_GetAPIKey(t *testing.T) {
 	t.Run("Successfully returns all API keys", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		apiKeyGot, err := service.GetAPIKey(apiKey.ID)
-		is.NoError(err)
+		require.NoError(t, err)

 		is.Equal(apiKey, apiKeyGot)
 	})
@@ -102,12 +103,12 @@ func Test_GetAPIKeys(t *testing.T) {
 	t.Run("Successfully returns all API keys", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, _, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)
 		_, _, err = service.GenerateApiKey(user, "test-2")
-		is.NoError(err)
+		require.NoError(t, err)

 		keys, err := service.GetAPIKeys(user.ID)
-		is.NoError(err)
+		require.NoError(t, err)
 		is.Len(keys, 2)
 	})
 }
@@ -122,10 +123,10 @@ func Test_GetDigestUserAndKey(t *testing.T) {
 	t.Run("Successfully returns user and api key associated to digest", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		userGot, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		is.NoError(err)
+		require.NoError(t, err)
 		is.Equal(user, userGot)
 		is.Equal(*apiKey, apiKeyGot)
 	})
@@ -133,10 +134,10 @@ func Test_GetDigestUserAndKey(t *testing.T) {
 	t.Run("Successfully caches user and api key associated to digest", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		userGot, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		is.NoError(err)
+		require.NoError(t, err)
 		is.Equal(user, userGot)
 		is.Equal(*apiKey, apiKeyGot)

@@ -156,16 +157,19 @@ func Test_UpdateAPIKey(t *testing.T) {

 	t.Run("Successfully updates the api-key LastUsed time", func(t *testing.T) {
 		user := portainer.User{ID: 1}
-		store.User().Create(&user)
+
+		err := store.User().Create(&user)
+		require.NoError(t, err)
+
 		_, apiKey, err := service.GenerateApiKey(user, "test-x")
-		is.NoError(err)
+		require.NoError(t, err)

 		apiKey.LastUsed = time.Now().UTC().Unix()
 		err = service.UpdateAPIKey(apiKey)
-		is.NoError(err)
+		require.NoError(t, err)

 		_, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		is.NoError(err)
+		require.NoError(t, err)

 		log.Debug().Str("wanted", fmt.Sprintf("%+v", apiKey)).Str("got", fmt.Sprintf("%+v", apiKeyGot)).Msg("")

@@ -174,7 +178,7 @@ func Test_UpdateAPIKey(t *testing.T) {

 	t.Run("Successfully updates api-key in cache upon api-key update", func(t *testing.T) {
 		_, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-x2")
-		is.NoError(err)
+		require.NoError(t, err)

 		_, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
 		is.True(ok)
@@ -184,7 +188,7 @@ func Test_UpdateAPIKey(t *testing.T) {
 		is.NotEqual(*apiKey, apiKeyFromCache)

 		err = service.UpdateAPIKey(apiKey)
-		is.NoError(err)
+		require.NoError(t, err)

 		_, updatedAPIKeyFromCache, ok := service.cache.Get(apiKey.Digest)
 		is.True(ok)
@@ -202,30 +206,30 @@ func Test_DeleteAPIKey(t *testing.T) {
 	t.Run("Successfully updates the api-key", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		_, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		is.NoError(err)
+		require.NoError(t, err)
 		is.Equal(*apiKey, apiKeyGot)

 		err = service.DeleteAPIKey(apiKey.ID)
-		is.NoError(err)
+		require.NoError(t, err)

 		_, _, err = service.GetDigestUserAndKey(apiKey.Digest)
-		is.Error(err)
+		require.Error(t, err)
 	})

 	t.Run("Successfully removes api-key from cache upon deletion", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		_, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
 		is.True(ok)
 		is.Equal(*apiKey, apiKeyFromCache)

 		err = service.DeleteAPIKey(apiKey.ID)
-		is.NoError(err)
+		require.NoError(t, err)

 		_, _, ok = service.cache.Get(apiKey.Digest)
 		is.False(ok)
@@ -243,10 +247,10 @@ func Test_InvalidateUserKeyCache(t *testing.T) {
 		// generate api keys
 		user := portainer.User{ID: 1}
 		_, apiKey1, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		_, apiKey2, err := service.GenerateApiKey(user, "test-2")
-		is.NoError(err)
+		require.NoError(t, err)

 		// verify api keys are present in cache
 		_, apiKeyFromCache, ok := service.cache.Get(apiKey1.Digest)
@@ -273,11 +277,11 @@ func Test_InvalidateUserKeyCache(t *testing.T) {
 		// generate keys for 2 users
 		user1 := portainer.User{ID: 1}
 		_, apiKey1, err := service.GenerateApiKey(user1, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		user2 := portainer.User{ID: 2}
 		_, apiKey2, err := service.GenerateApiKey(user2, "test-2")
-		is.NoError(err)
+		require.NoError(t, err)

 		// verify keys in cache
 		_, apiKeyFromCache, ok := service.cache.Get(apiKey1.Digest)
--- a/api/archive/tar.go
+++ b/api/archive/tar.go
@@ -17,18 +17,15 @@ func TarFileInBuffer(fileContent []byte, fileName string, mode int64) ([]byte, e
 		Size: int64(len(fileContent)),
 	}

-	err := tarWriter.WriteHeader(header)
-	if err != nil {
+	if err := tarWriter.WriteHeader(header); err != nil {
 		return nil, err
 	}

-	_, err = tarWriter.Write(fileContent)
-	if err != nil {
+	if _, err := tarWriter.Write(fileContent); err != nil {
 		return nil, err
 	}

-	err = tarWriter.Close()
-	if err != nil {
+	if err := tarWriter.Close(); err != nil {
 		return nil, err
 	}

@@ -43,10 +40,7 @@ type tarFileInBuffer struct {

 func NewTarFileInBuffer() *tarFileInBuffer {
 	var b bytes.Buffer
-	return &tarFileInBuffer{
-		b: &b,
-		w: tar.NewWriter(&b),
-	}
+	return &tarFileInBuffer{b: &b, w: tar.NewWriter(&b)}
 }

 // Put puts a single file to tar archive buffer.
@@ -61,11 +55,9 @@ func (t *tarFileInBuffer) Put(fileContent []byte, fileName string, mode int64) e
 		return err
 	}

-	if _, err := t.w.Write(fileContent); err != nil {
-		return err
-	}
+	_, err := t.w.Write(fileContent)

-	return nil
+	return err
 }

 // Bytes returns the archive as a byte array.
--- a/api/archive/targz.go
+++ b/api/archive/targz.go
@@ -9,6 +9,9 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/portainer/portainer/api/filesystem"
+	"github.com/portainer/portainer/api/logs"
 )

 // TarGzDir creates a tar.gz archive and returns it's path.
@@ -20,12 +23,13 @@ func TarGzDir(absolutePath string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer outFile.Close()
+	defer logs.CloseAndLogErr(outFile)

 	zipWriter := gzip.NewWriter(outFile)
-	defer zipWriter.Close()
+	defer logs.CloseAndLogErr(zipWriter)
+
 	tarWriter := tar.NewWriter(zipWriter)
-	defer tarWriter.Close()
+	defer logs.CloseAndLogErr(tarWriter)

 	err = filepath.Walk(absolutePath, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
@@ -86,7 +90,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 	if err != nil {
 		return err
 	}
-	defer zipReader.Close()
+	defer logs.CloseAndLogErr(zipReader)

 	tarReader := tar.NewReader(zipReader)

@@ -105,7 +109,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 		case tar.TypeDir:
 			// skip, dir will be created with a file
 		case tar.TypeReg:
-			p := filepath.Clean(filepath.Join(outputDirPath, header.Name))
+			p := filesystem.JoinPaths(outputDirPath, header.Name)
 			if err := os.MkdirAll(filepath.Dir(p), 0o744); err != nil {
 				return fmt.Errorf("Failed to extract dir %s", filepath.Dir(p))
 			}
@@ -116,7 +120,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 			if _, err := io.Copy(outFile, tarReader); err != nil {
 				return fmt.Errorf("Failed to extract file %s", header.Name)
 			}
-			outFile.Close()
+			logs.CloseAndLogErr(outFile)
 		default:
 			return fmt.Errorf("tar: unknown type: %v in %s",
 				header.Typeflag,
--- a/api/archive/targz_test.go
+++ b/api/archive/targz_test.go
@@ -1,24 +1,34 @@
 package archive

 import (
+	"archive/tar"
+	"compress/gzip"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"testing"

+	"github.com/portainer/portainer/api/filesystem"
+	"github.com/rs/zerolog/log"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func listFiles(dir string) []string {
 	items := make([]string, 0)
-	filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
+
+	if err := filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
 		if path == dir {
 			return nil
 		}
+
 		items = append(items, path)
+
 		return nil
-	})
+	}); err != nil {
+		log.Warn().Err(err).Msg("failed to list files in directory")
+	}

 	return items
 }
@@ -26,13 +36,21 @@ func listFiles(dir string) []string {
 func Test_shouldCreateArchive(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
-	os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
-	os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
-	os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
-	os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
+
+	err := os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
+	require.NoError(t, err)
+
+	err = os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
+	require.NoError(t, err)
+
+	err = os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
+	require.NoError(t, err)
+
+	err = os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
+	require.NoError(t, err)

 	gzPath, err := TarGzDir(tmpdir)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, filepath.Join(tmpdir, filepath.Base(tmpdir)+".tar.gz"), gzPath)

 	extractionDir := t.TempDir()
@@ -45,7 +63,8 @@ func Test_shouldCreateArchive(t *testing.T) {
 	wasExtracted := func(p string) {
 		fullpath := path.Join(extractionDir, p)
 		assert.Contains(t, extractedFiles, fullpath)
-		copyContent, _ := os.ReadFile(fullpath)
+		copyContent, err := os.ReadFile(fullpath)
+		require.NoError(t, err)
 		assert.Equal(t, content, copyContent)
 	}

@@ -57,13 +76,21 @@ func Test_shouldCreateArchive(t *testing.T) {
 func Test_shouldCreateArchive2(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
-	os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
-	os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
-	os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
-	os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
+
+	err := os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
+	require.NoError(t, err)
+
+	err = os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
+	require.NoError(t, err)
+
+	err = os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
+	require.NoError(t, err)
+
+	err = os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
+	require.NoError(t, err)

 	gzPath, err := TarGzDir(tmpdir)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, filepath.Join(tmpdir, filepath.Base(tmpdir)+".tar.gz"), gzPath)

 	extractionDir := t.TempDir()
@@ -84,3 +111,56 @@ func Test_shouldCreateArchive2(t *testing.T) {
 	wasExtracted("dir/inner")
 	wasExtracted("dir/.dotfile")
 }
+
+func TestExtractTarGzPathTraversal(t *testing.T) {
+	testDir := t.TempDir()
+
+	// Create an evil file with a path traversal attempt
+	tarPath := filesystem.JoinPaths(testDir, "evil.tar.gz")
+
+	evilFile, err := os.Create(tarPath)
+	require.NoError(t, err)
+
+	gzWriter := gzip.NewWriter(evilFile)
+	tarWriter := tar.NewWriter(gzWriter)
+
+	content := []byte("evil content")
+
+	header := &tar.Header{
+		Name:     "../evil.txt",
+		Mode:     0600,
+		Size:     int64(len(content)),
+		Typeflag: tar.TypeReg,
+	}
+
+	err = tarWriter.WriteHeader(header)
+	require.NoError(t, err)
+
+	_, err = tarWriter.Write(content)
+	require.NoError(t, err)
+
+	err = tarWriter.Close()
+	require.NoError(t, err)
+
+	err = gzWriter.Close()
+	require.NoError(t, err)
+
+	err = evilFile.Close()
+	require.NoError(t, err)
+
+	// Attempt to extract the evil file
+	extractionDir := filesystem.JoinPaths(testDir, "extraction")
+	err = os.Mkdir(extractionDir, 0700)
+	require.NoError(t, err)
+
+	tarFile, err := os.Open(tarPath)
+	require.NoError(t, err)
+
+	// Check that the file didn't escape
+	err = ExtractTarGz(tarFile, extractionDir)
+	require.NoError(t, err)
+	require.NoFileExists(t, filesystem.JoinPaths(testDir, "evil.txt"))
+
+	err = tarFile.Close()
+	require.NoError(t, err)
+}
--- a/api/archive/zip.go
+++ b/api/archive/zip.go
@@ -8,6 +8,8 @@ import (
 	"path/filepath"
 	"strings"

+	"github.com/portainer/portainer/api/logs"
+
 	"github.com/pkg/errors"
 )

@@ -18,7 +20,7 @@ func UnzipFile(src string, dest string) error {
 	if err != nil {
 		return err
 	}
-	defer r.Close()
+	defer logs.CloseAndLogErr(r)

 	for _, f := range r.File {
 		p := filepath.Join(dest, f.Name)
@@ -30,7 +32,9 @@ func UnzipFile(src string, dest string) error {

 		if f.FileInfo().IsDir() {
 			// Make Folder
-			os.MkdirAll(p, os.ModePerm)
+			if err := os.MkdirAll(p, os.ModePerm); err != nil {
+				return err
+			}

 			continue
 		}
@@ -53,13 +57,13 @@ func unzipFile(f *zip.File, p string) error {
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't create file %s", p)
 	}
-	defer outFile.Close()
+	defer logs.CloseAndLogErr(outFile)

 	rc, err := f.Open()
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't open zip file %s in the archive", f.Name)
 	}
-	defer rc.Close()
+	defer logs.CloseAndLogErr(rc)

 	if _, err = io.Copy(outFile, rc); err != nil {
 		return errors.Wrapf(err, "unzipFile: can't copy an archived file content")
--- a/api/archive/zip_test.go
+++ b/api/archive/zip_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestUnzipFile(t *testing.T) {
@@ -20,7 +21,7 @@ func TestUnzipFile(t *testing.T) {

 	err := UnzipFile("./testdata/sample_archive.zip", dir)

-	assert.NoError(t, err)
+	require.NoError(t, err)
 	archiveDir := dir + "/sample_archive"
 	assert.FileExists(t, filepath.Join(archiveDir, "0.txt"))
 	assert.FileExists(t, filepath.Join(archiveDir, "0", "1.txt"))
--- a/api/aws/ecr/ecr.go
+++ b/api/aws/ecr/ecr.go
@@ -6,6 +6,15 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
 )

+// Registry represents an ECR registry endpoint information.
+// This struct is used to parse and validate ECR endpoint URLs.
+type Registry struct {
+	ID     string // AWS account ID (empty for accountless endpoints like "ecr-fips.us-west-1.amazonaws.com")
+	FIPS   bool   // Whether this is a FIPS endpoint (contains "-fips" in the URL)
+	Region string // AWS region (e.g., "us-east-1", "us-gov-west-1")
+	Public bool   // Whether this is ecr-public.aws.com
+}
+
 type (
 	Service struct {
 		accessKey string
--- a/api/aws/ecr/parse_endpoints.go
+++ b/api/aws/ecr/parse_endpoints.go
@@ -0,0 +1,70 @@
+package ecr
+
+import (
+	"fmt"
+	"net/url"
+	"regexp"
+	"strings"
+)
+
+// ecrEndpointPattern matches all valid ECR endpoints including account-prefixed and accountless formats.
+// Based on AWS ECR credential helper regex but extended to support accountless endpoints.
+//
+// Supported formats:
+//   - Account-prefixed: 123456789012.dkr.ecr-fips.us-east-1.amazonaws.com
+//   - Account-prefixed (hyphen): 123456789012.dkr-ecr-fips.us-west-1.on.aws
+//   - Accountless service: ecr-fips.us-west-1.amazonaws.com
+//   - Accountless API: ecr-fips.us-east-1.api.aws
+//   - Non-FIPS variants: All formats above without "-fips"
+//
+// Regex groups:
+//   - Group 1: Full account prefix (optional) - e.g., "123456789012.dkr." or "123456789012.dkr-"
+//   - Group 2: Account ID (optional) - e.g., "123456789012"
+//   - Group 3: FIPS flag (optional) - either "-fips" or empty string
+//   - Group 4: Region - e.g., "us-east-1", "us-gov-west-1"
+//   - Group 5: Domain suffix - e.g., "amazonaws.com", "api.aws"
+var ecrEndpointPattern = regexp.MustCompile(
+	`^((\d{12})\.dkr[\.\-])?ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.(?:com(?:\.cn)?|eu)|api\.aws|on\.(?:aws|amazonwebservices\.com\.cn)|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)$`,
+)
+
+// ParseECREndpoint parses an ECR registry URL and extracts registry information.
+
+// This function replaces the AWS ECR credential helper library's ExtractRegistry function,
+// which only supports account-prefixed endpoints.
+//
+// Reference: https://docs.aws.amazon.com/general/latest/gr/ecr.html
+func ParseECREndpoint(urlStr string) (*Registry, error) {
+	// Normalize URL by adding https:// prefix if not present
+	if !strings.HasPrefix(urlStr, "https://") && !strings.HasPrefix(urlStr, "http://") {
+		urlStr = "https://" + urlStr
+	}
+
+	u, err := url.Parse(urlStr)
+	if err != nil {
+		return nil, fmt.Errorf("invalid URL: %w", err)
+	}
+
+	hostname := u.Hostname()
+
+	// Special case: ECR Public
+	// ECR Public uses a different domain and doesn't have FIPS variant
+	if hostname == "ecr-public.aws.com" {
+		return &Registry{
+			FIPS:   false,
+			Public: true,
+		}, nil
+	}
+
+	// Parse standard ECR endpoints using regex
+	matches := ecrEndpointPattern.FindStringSubmatch(hostname)
+	if len(matches) == 0 {
+		return nil, fmt.Errorf("not a valid ECR endpoint: %s", hostname)
+	}
+
+	return &Registry{
+		ID:     matches[2],            // Account ID (may be empty for accountless endpoints)
+		FIPS:   matches[3] == "-fips", // Check if "-fips" is present
+		Region: matches[4],            // AWS region
+		Public: false,
+	}, nil
+}
--- a/api/aws/ecr/parse_endpoints_test.go
+++ b/api/aws/ecr/parse_endpoints_test.go
@@ -0,0 +1,253 @@
+package ecr
+
+import (
+	"testing"
+)
+
+func TestParseECREndpoint(t *testing.T) {
+	tests := []struct {
+		name      string
+		url       string
+		want      *Registry
+		wantError bool
+	}{
+		// Standard AWS Commercial - Account-prefixed FIPS
+		{
+			name: "account-prefixed FIPS us-east-1",
+			url:  "123456789012.dkr.ecr-fips.us-east-1.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-east-1",
+				Public: false,
+			},
+		},
+		{
+			name: "account-prefixed FIPS us-west-2",
+			url:  "123456789012.dkr.ecr-fips.us-west-2.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-west-2",
+				Public: false,
+			},
+		},
+
+		// Accountless FIPS service endpoints
+		{
+			name: "accountless FIPS us-west-1",
+			url:  "ecr-fips.us-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless FIPS us-east-2",
+			url:  "ecr-fips.us-east-2.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-east-2",
+				Public: false,
+			},
+		},
+
+		// Accountless FIPS API endpoints
+		{
+			name: "accountless FIPS API us-west-1",
+			url:  "ecr-fips.us-west-1.api.aws",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless FIPS API us-east-1",
+			url:  "ecr-fips.us-east-1.api.aws",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-east-1",
+				Public: false,
+			},
+		},
+
+		// on.aws domain with hyphen separator
+		{
+			name: "account-prefixed FIPS hyphen us-west-1",
+			url:  "123456789012.dkr-ecr-fips.us-west-1.on.aws",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "account-prefixed FIPS hyphen us-east-2",
+			url:  "123456789012.dkr-ecr-fips.us-east-2.on.aws",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-east-2",
+				Public: false,
+			},
+		},
+
+		// AWS GovCloud
+		{
+			name: "account-prefixed FIPS us-gov-east-1",
+			url:  "123456789012.dkr.ecr-fips.us-gov-east-1.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-gov-east-1",
+				Public: false,
+			},
+		},
+		{
+			name: "account-prefixed FIPS us-gov-west-1",
+			url:  "123456789012.dkr.ecr-fips.us-gov-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-gov-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless FIPS us-gov-west-1",
+			url:  "ecr-fips.us-gov-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-gov-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless FIPS API us-gov-east-1",
+			url:  "ecr-fips.us-gov-east-1.api.aws",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-gov-east-1",
+				Public: false,
+			},
+		},
+
+		// ECR Public
+		{
+			name: "ecr-public",
+			url:  "ecr-public.aws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   false,
+				Region: "",
+				Public: true,
+			},
+		},
+
+		// Non-FIPS endpoints (valid ECR but FIPS=false)
+		{
+			name: "account-prefixed non-FIPS us-east-1",
+			url:  "123456789012.dkr.ecr.us-east-1.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   false,
+				Region: "us-east-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless non-FIPS us-west-1",
+			url:  "ecr.us-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   false,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless non-FIPS API us-east-2",
+			url:  "ecr.us-east-2.api.aws",
+			want: &Registry{
+				ID:     "",
+				FIPS:   false,
+				Region: "us-east-2",
+				Public: false,
+			},
+		},
+
+		// URLs with https:// prefix
+		{
+			name: "with https prefix",
+			url:  "https://ecr-fips.us-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+
+		// Invalid endpoints
+		{
+			name:      "not an ECR URL",
+			url:       "not-an-ecr-url.com",
+			wantError: true,
+		},
+		{
+			name:      "invalid account ID length",
+			url:       "123.dkr.ecr-fips.us-east-1.amazonaws.com",
+			wantError: true,
+		},
+		{
+			name:      "empty string",
+			url:       "",
+			wantError: true,
+		},
+		{
+			name:      "docker hub",
+			url:       "docker.io",
+			wantError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ParseECREndpoint(tt.url)
+
+			if tt.wantError {
+				if err == nil {
+					t.Errorf("ParseECREndpoint() expected error but got none")
+				}
+				return
+			}
+
+			if err != nil {
+				t.Errorf("ParseECREndpoint() unexpected error: %v", err)
+				return
+			}
+
+			if got.ID != tt.want.ID {
+				t.Errorf("ParseECREndpoint() ID = %v, want %v", got.ID, tt.want.ID)
+			}
+			if got.FIPS != tt.want.FIPS {
+				t.Errorf("ParseECREndpoint() FIPS = %v, want %v", got.FIPS, tt.want.FIPS)
+			}
+			if got.Region != tt.want.Region {
+				t.Errorf("ParseECREndpoint() Region = %v, want %v", got.Region, tt.want.Region)
+			}
+			if got.Public != tt.want.Public {
+				t.Errorf("ParseECREndpoint() Public = %v, want %v", got.Public, tt.want.Public)
+			}
+		})
+	}
+}
--- a/api/backup/backup.go
+++ b/api/backup/backup.go
@@ -12,6 +12,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/offlinegate"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
@@ -97,7 +98,7 @@ func encrypt(path string, passphrase string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer in.Close()
+	defer logs.CloseAndLogErr(in)

 	outFileName := path + ".encrypted"
 	out, err := os.Create(outFileName)
@@ -105,7 +106,5 @@ func encrypt(path string, passphrase string) (string, error) {
 		return "", err
 	}

-	err = crypto.AesEncrypt(in, out, []byte(passphrase))
-
-	return outFileName, err
+	return outFileName, crypto.AesEncrypt(in, out, []byte(passphrase))
 }
--- a/api/backup/restore.go
+++ b/api/backup/restore.go
@@ -16,6 +16,8 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/offlinegate"
+
+	"github.com/rs/zerolog/log"
 )

 var filesToRestore = append(filesToBackup, "portainer.db")
@@ -31,17 +33,20 @@ func RestoreArchive(archive io.Reader, password string, filestorePath string, ga
 	}

 	restorePath := filepath.Join(filestorePath, "restore", time.Now().Format("20060102150405"))
-	defer os.RemoveAll(filepath.Dir(restorePath))
+	defer func() {
+		if err := os.RemoveAll(filepath.Dir(restorePath)); err != nil {
+			log.Warn().Err(err).Msg("failed to clean up restore files")
+		}
+	}()

-	err = extractArchive(archive, restorePath)
-	if err != nil {
+	if err := extractArchive(archive, restorePath); err != nil {
 		return errors.Wrap(err, "cannot extract files from the archive. Please ensure the password is correct and try again")
 	}

 	unlock := gate.Lock()
 	defer unlock()

-	if err = datastore.Close(); err != nil {
+	if err := datastore.Close(); err != nil {
 		return errors.Wrap(err, "Failed to stop db")
 	}

@@ -51,7 +56,7 @@ func RestoreArchive(archive io.Reader, password string, filestorePath string, ga
 		return errors.Wrap(err, "failed to restore from backup. Portainer database missing from backup file")
 	}

-	if err = restoreFiles(restorePath, filestorePath); err != nil {
+	if err := restoreFiles(restorePath, filestorePath); err != nil {
 		return errors.Wrap(err, "failed to restore the system state")
 	}

@@ -89,8 +94,7 @@ func getRestoreSourcePath(dir string) (string, error) {

 func restoreFiles(srcDir string, destinationDir string) error {
 	for _, filename := range filesToRestore {
-		err := filesystem.CopyPath(filepath.Join(srcDir, filename), destinationDir)
-		if err != nil {
+		if err := filesystem.CopyPath(filepath.Join(srcDir, filename), destinationDir); err != nil {
 			return err
 		}
 	}
@@ -98,14 +102,18 @@ func restoreFiles(srcDir string, destinationDir string) error {
 	// TODO:  This is very boltdb module specific once again due to the filename.  Move to bolt module? Refactor for another day

 	// Prevent the possibility of having both databases.  Remove any default new instance
-	os.Remove(filepath.Join(destinationDir, boltdb.DatabaseFileName))
-	os.Remove(filepath.Join(destinationDir, boltdb.EncryptedDatabaseFileName))
+	if err := os.Remove(filepath.Join(destinationDir, boltdb.DatabaseFileName)); err != nil && !os.IsNotExist(err) {
+		return err
+	}
+
+	if err := os.Remove(filepath.Join(destinationDir, boltdb.EncryptedDatabaseFileName)); err != nil && !os.IsNotExist(err) {
+		return err
+	}

 	// Now copy the database.  It'll be either portainer.db or portainer.edb

 	// Note: CopyPath does not return an error if the source file doesn't exist
-	err := filesystem.CopyPath(filepath.Join(srcDir, boltdb.EncryptedDatabaseFileName), destinationDir)
-	if err != nil {
+	if err := filesystem.CopyPath(filepath.Join(srcDir, boltdb.EncryptedDatabaseFileName), destinationDir); err != nil {
 		return err
 	}

--- a/api/chisel/service.go
+++ b/api/chisel/service.go
@@ -89,10 +89,8 @@ func (service *Service) pingAgent(endpointID portainer.EndpointID) error {
 		return err
 	}

-	io.Copy(io.Discard, resp.Body)
-	resp.Body.Close()
-
-	return nil
+	_, _ = io.Copy(io.Discard, resp.Body)
+	return resp.Body.Close()
 }

 // KeepTunnelAlive keeps the tunnel of the given environment for maxAlive duration, or until ctx is done
--- a/api/chisel/tunnel.go
+++ b/api/chisel/tunnel.go
@@ -142,7 +142,9 @@ func (s *Service) TunnelAddr(endpoint *portainer.Endpoint) (string, error) {
 			continue
 		}

-		conn.Close()
+		if err := conn.Close(); err != nil {
+			log.Warn().Err(err).Msg("failed to close tcp connection")
+		}

 		break
 	}
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -9,8 +9,8 @@ import (

 	portainer "github.com/portainer/portainer/api"

+	"github.com/alecthomas/kingpin/v2"
 	"github.com/rs/zerolog/log"
-	"gopkg.in/alecthomas/kingpin.v2"
 )

 // Service implements the CLIService interface
@@ -32,19 +32,12 @@ func CLIFlags() *portainer.CLIFlags {
 		Assets:                    kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
 		Data:                      kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
 		EndpointURL:               kingpin.Flag("host", "Environment URL").Short('H').String(),
-		FeatureFlags:              kingpin.Flag("feat", "List of feature flags").Strings(),
+		FeatureFlags:              kingpin.Flag("feat", "List of feature flags").Envar(portainer.FeatureFlagEnvVar).Strings(),
 		EnableEdgeComputeFeatures: kingpin.Flag("edge-compute", "Enable Edge Compute features").Bool(),
 		NoAnalytics:               kingpin.Flag("no-analytics", "Disable Analytics in app (deprecated)").Bool(),
-		TLS:                       kingpin.Flag("tlsverify", "TLS support").Default(defaultTLS).Bool(),
 		TLSSkipVerify:             kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
-		TLSCacert:                 kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String(),
-		TLSCert:                   kingpin.Flag("tlscert", "Path to the TLS certificate file").Default(defaultTLSCertPath).String(),
-		TLSKey:                    kingpin.Flag("tlskey", "Path to the TLS key").Default(defaultTLSKeyPath).String(),
 		HTTPDisabled:              kingpin.Flag("http-disabled", "Serve portainer only on https").Default(defaultHTTPDisabled).Bool(),
 		HTTPEnabled:               kingpin.Flag("http-enabled", "Serve portainer on http").Default(defaultHTTPEnabled).Bool(),
-		SSL:                       kingpin.Flag("ssl", "Secure Portainer instance using SSL (deprecated)").Default(defaultSSL).Bool(),
-		SSLCert:                   kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").String(),
-		SSLKey:                    kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").String(),
 		Rollback:                  kingpin.Flag("rollback", "Rollback the database to the previous backup").Bool(),
 		SnapshotInterval:          kingpin.Flag("snapshot-interval", "Duration between each environment snapshot job").String(),
 		AdminPassword:             kingpin.Flag("admin-password", "Set admin password with provided hash").String(),
@@ -59,10 +52,10 @@ func CLIFlags() *portainer.CLIFlags {
 		SecretKeyName:             kingpin.Flag("secret-key-name", "Secret key name for encryption and will be used as /run/secrets/<secret-key-name>.").Default(defaultSecretKeyName).String(),
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
-		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
 		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
 		TrustedOrigins:            kingpin.Flag("trusted-origins", "List of trusted origins for CSRF protection. Separate multiple origins with a comma.").Envar(portainer.TrustedOriginsEnvVar).String(),
 		CSP:                       kingpin.Flag("csp", "Content Security Policy (CSP) header").Envar(portainer.CSPEnvVar).Default("true").Bool(),
+		CompactDB:                 kingpin.Flag("compact-db", "Enable database compaction on startup").Envar(portainer.CompactDBEnvVar).Default("false").Bool(),
 	}
 }

@@ -70,8 +63,42 @@ func CLIFlags() *portainer.CLIFlags {
 func (Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 	kingpin.Version(version)

+	var hasSSLFlag, hasSSLCertFlag, hasSSLKeyFlag bool
+	sslFlag := kingpin.Flag(
+		"ssl",
+		"Secure Portainer instance using SSL (deprecated)",
+	).Default(defaultSSL).IsSetByUser(&hasSSLFlag)
+	ssl := sslFlag.Bool()
+	sslCertFlag := kingpin.Flag(
+		"sslcert",
+		"Path to the SSL certificate used to secure the Portainer instance",
+	).IsSetByUser(&hasSSLCertFlag)
+	sslCert := sslCertFlag.String()
+	sslKeyFlag := kingpin.Flag(
+		"sslkey",
+		"Path to the SSL key used to secure the Portainer instance",
+	).IsSetByUser(&hasSSLKeyFlag)
+	sslKey := sslKeyFlag.String()
+
 	flags := CLIFlags()

+	var hasTLSFlag, hasTLSCertFlag, hasTLSKeyFlag bool
+	tlsFlag := kingpin.Flag("tlsverify", "TLS support").Default(defaultTLS).IsSetByUser(&hasTLSFlag)
+	flags.TLS = tlsFlag.Bool()
+	tlsCertFlag := kingpin.Flag(
+		"tlscert",
+		"Path to the TLS certificate file",
+	).Default(defaultTLSCertPath).IsSetByUser(&hasTLSCertFlag)
+	flags.TLSCert = tlsCertFlag.String()
+	tlsKeyFlag := kingpin.Flag("tlskey", "Path to the TLS key").Default(defaultTLSKeyPath).IsSetByUser(&hasTLSKeyFlag)
+	flags.TLSKey = tlsKeyFlag.String()
+	flags.TLSCacert = kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String()
+
+	flags.KubectlShellImage = kingpin.Flag(
+		"kubectl-shell-image",
+		"Kubectl shell image",
+	).Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String()
+
 	kingpin.Parse()

 	if !filepath.IsAbs(*flags.Assets) {
@@ -83,6 +110,41 @@ func (Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		*flags.Assets = filepath.Join(filepath.Dir(ex), *flags.Assets)
 	}

+	// If the user didn't provide a tls flag remove the defaults to match previous behaviour
+	if !hasTLSFlag {
+		if !hasTLSCertFlag {
+			*flags.TLSCert = ""
+		}
+
+		if !hasTLSKeyFlag {
+			*flags.TLSKey = ""
+		}
+	}
+
+	if hasSSLFlag {
+		log.Warn().Msgf("the %q flag is deprecated. use %q instead.", sslFlag.Model().Name, tlsFlag.Model().Name)
+
+		if !hasTLSFlag {
+			flags.TLS = ssl
+		}
+	}
+
+	if hasSSLCertFlag {
+		log.Warn().Msgf("the %q flag is deprecated. use %q instead.", sslCertFlag.Model().Name, tlsCertFlag.Model().Name)
+
+		if !hasTLSCertFlag {
+			flags.TLSCert = sslCert
+		}
+	}
+
+	if hasSSLKeyFlag {
+		log.Warn().Msgf("the %q flag is deprecated. use %q instead.", sslKeyFlag.Model().Name, tlsKeyFlag.Model().Name)
+
+		if !hasTLSKeyFlag {
+			flags.TLSKey = sslKey
+		}
+	}
+
 	return flags, nil
 }

@@ -109,10 +171,6 @@ func displayDeprecationWarnings(flags *portainer.CLIFlags) {
 	if *flags.NoAnalytics {
 		log.Warn().Msg("the --no-analytics flag has been kept to allow migration of instances running a previous version of Portainer with this flag enabled, to version 2.0 where enabling this flag will have no effect")
 	}
-
-	if *flags.SSL {
-		log.Warn().Msg("SSL is enabled by default and there is no need for the --ssl flag, it has been kept to allow migration of instances running a previous version of Portainer with this flag enabled")
-	}
 }

 func validateEndpointURL(endpointURL string) error {
--- a/api/cli/cli_test.go
+++ b/api/cli/cli_test.go
@@ -1,9 +1,12 @@
 package cli

 import (
+	"io"
 	"os"
+	"strings"
 	"testing"

+	zerolog "github.com/rs/zerolog/log"
 	"github.com/stretchr/testify/require"
 )

@@ -22,3 +25,185 @@ func TestOptionParser(t *testing.T) {
 	require.False(t, *opts.HTTPDisabled)
 	require.True(t, *opts.EnableEdgeComputeFeatures)
 }
+
+func TestParseTLSFlags(t *testing.T) {
+	testCases := []struct {
+		name                string
+		args                []string
+		expectedTLSFlag     bool
+		expectedTLSCertFlag string
+		expectedTLSKeyFlag  string
+		expectedLogMessages []string
+	}{
+		{
+			name:                "no flags",
+			expectedTLSFlag:     false,
+			expectedTLSCertFlag: "",
+			expectedTLSKeyFlag:  "",
+		},
+		{
+			name: "only ssl flag",
+			args: []string{
+				"portainer",
+				"--ssl",
+			},
+			expectedTLSFlag:     true,
+			expectedTLSCertFlag: "",
+			expectedTLSKeyFlag:  "",
+		},
+		{
+			name: "only tls flag",
+			args: []string{
+				"portainer",
+				"--tlsverify",
+			},
+			expectedTLSFlag:     true,
+			expectedTLSCertFlag: defaultTLSCertPath,
+			expectedTLSKeyFlag:  defaultTLSKeyPath,
+		},
+		{
+			name: "partial ssl flags",
+			args: []string{
+				"portainer",
+				"--ssl",
+				"--sslcert=ssl-cert-flag-value",
+			},
+			expectedTLSFlag:     true,
+			expectedTLSCertFlag: "ssl-cert-flag-value",
+			expectedTLSKeyFlag:  "",
+		},
+		{
+			name: "partial tls flags",
+			args: []string{
+				"portainer",
+				"--tlsverify",
+				"--tlscert=tls-cert-flag-value",
+			},
+			expectedTLSFlag:     true,
+			expectedTLSCertFlag: "tls-cert-flag-value",
+			expectedTLSKeyFlag:  defaultTLSKeyPath,
+		},
+		{
+			name: "partial tls and ssl flags",
+			args: []string{
+				"portainer",
+				"--tlsverify",
+				"--tlscert=tls-cert-flag-value",
+				"--sslkey=ssl-key-flag-value",
+			},
+			expectedTLSFlag:     true,
+			expectedTLSCertFlag: "tls-cert-flag-value",
+			expectedTLSKeyFlag:  "ssl-key-flag-value",
+		},
+		{
+			name: "partial tls and ssl flags 2",
+			args: []string{
+				"portainer",
+				"--ssl",
+				"--tlscert=tls-cert-flag-value",
+				"--sslkey=ssl-key-flag-value",
+			},
+			expectedTLSFlag:     true,
+			expectedTLSCertFlag: "tls-cert-flag-value",
+			expectedTLSKeyFlag:  "ssl-key-flag-value",
+		},
+		{
+			name: "ssl flags",
+			args: []string{
+				"portainer",
+				"--ssl",
+				"--sslcert=ssl-cert-flag-value",
+				"--sslkey=ssl-key-flag-value",
+			},
+			expectedTLSFlag:     true,
+			expectedTLSCertFlag: "ssl-cert-flag-value",
+			expectedTLSKeyFlag:  "ssl-key-flag-value",
+			expectedLogMessages: []string{
+				"the \\\"ssl\\\" flag is deprecated. use \\\"tlsverify\\\" instead.",
+				"the \\\"sslcert\\\" flag is deprecated. use \\\"tlscert\\\" instead.",
+				"the \\\"sslkey\\\" flag is deprecated. use \\\"tlskey\\\" instead.",
+			},
+		},
+		{
+			name: "tls flags",
+			args: []string{
+				"portainer",
+				"--tlsverify",
+				"--tlscert=tls-cert-flag-value",
+				"--tlskey=tls-key-flag-value",
+			},
+			expectedTLSFlag:     true,
+			expectedTLSCertFlag: "tls-cert-flag-value",
+			expectedTLSKeyFlag:  "tls-key-flag-value",
+		},
+		{
+			name: "tls and ssl flags",
+			args: []string{
+				"portainer",
+				"--tlsverify",
+				"--tlscert=tls-cert-flag-value",
+				"--tlskey=tls-key-flag-value",
+				"--ssl",
+				"--sslcert=ssl-cert-flag-value",
+				"--sslkey=ssl-key-flag-value",
+			},
+			expectedTLSFlag:     true,
+			expectedTLSCertFlag: "tls-cert-flag-value",
+			expectedTLSKeyFlag:  "tls-key-flag-value",
+			expectedLogMessages: []string{
+				"the \\\"ssl\\\" flag is deprecated. use \\\"tlsverify\\\" instead.",
+				"the \\\"sslcert\\\" flag is deprecated. use \\\"tlscert\\\" instead.",
+				"the \\\"sslkey\\\" flag is deprecated. use \\\"tlskey\\\" instead.",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var logOutput strings.Builder
+			setupLogOutput(t, &logOutput)
+
+			if tc.args == nil {
+				tc.args = []string{"portainer"}
+			}
+			setOsArgs(t, tc.args)
+
+			s := Service{}
+			flags, err := s.ParseFlags("test-version")
+			if err != nil {
+				t.Fatalf("error parsing flags: %v", err)
+			}
+
+			if flags.TLS == nil {
+				t.Fatal("TLS flag was nil")
+			}
+
+			require.Equal(t, tc.expectedTLSFlag, *flags.TLS, "tlsverify flag didn't match")
+			require.Equal(t, tc.expectedTLSCertFlag, *flags.TLSCert, "tlscert flag didn't match")
+			require.Equal(t, tc.expectedTLSKeyFlag, *flags.TLSKey, "tlskey flag didn't match")
+
+			for _, expectedLogMessage := range tc.expectedLogMessages {
+				require.Contains(t, logOutput.String(), expectedLogMessage, "Log didn't contain expected message")
+			}
+		})
+	}
+}
+
+func setOsArgs(t *testing.T, args []string) {
+	t.Helper()
+	previousArgs := os.Args
+	os.Args = args
+	t.Cleanup(func() {
+		os.Args = previousArgs
+	})
+}
+
+func setupLogOutput(t *testing.T, w io.Writer) {
+	t.Helper()
+
+	oldLogger := zerolog.Logger
+	zerolog.Logger = zerolog.Output(w)
+	t.Cleanup(func() {
+		zerolog.Logger = oldLogger
+	})
+}
--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package cli

--- a/api/cli/pairlist.go
+++ b/api/cli/pairlist.go
@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"strings"

-	"gopkg.in/alecthomas/kingpin.v2"
+	"github.com/alecthomas/kingpin/v2"
 )

 type pairList []portainer.Pair
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -55,7 +55,7 @@ import (
 	"github.com/portainer/portainer/pkg/libstack/compose"
 	"github.com/portainer/portainer/pkg/validate"

-	"github.com/gofrs/uuid"
+	"github.com/google/uuid"
 	"github.com/rs/zerolog/log"
 )

@@ -84,7 +84,7 @@ func initFileService(dataStorePath string) portainer.FileService {
 }

 func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService portainer.FileService, shutdownCtx context.Context) dataservices.DataStore {
-	connection, err := database.NewDatabase("boltdb", *flags.Data, secretKey)
+	connection, err := database.NewDatabase("boltdb", *flags.Data, secretKey, *flags.CompactDB)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed creating database connection")
 	}
@@ -119,7 +119,7 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	}

 	if isNew {
-		instanceId, err := uuid.NewV4()
+		instanceId, err := uuid.NewRandom()
 		if err != nil {
 			log.Fatal().Err(err).Msg("failed generating instance id")
 		}
@@ -134,15 +134,16 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 			InstanceID:    instanceId.String(),
 			MigratorCount: migratorCount,
 		}
-		store.VersionService.UpdateVersion(&v)
+
+		if err := store.VersionService.UpdateVersion(&v); err != nil {
+			log.Fatal().Err(err).Msg("failed to update version")
+		}

 		if err := updateSettingsFromFlags(store, flags); err != nil {
 			log.Fatal().Err(err).Msg("failed updating settings from flags")
 		}
-	} else {
-		if err := store.MigrateData(); err != nil {
-			log.Fatal().Err(err).Msg("failed migration")
-		}
+	} else if err := store.MigrateData(); err != nil {
+		log.Fatal().Err(err).Msg("failed migration")
 	}

 	if err := updateSettingsFromFlags(store, flags); err != nil {
@@ -153,7 +154,7 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	go func() {
 		<-shutdownCtx.Done()

-		defer connection.Close()
+		defer logs.CloseAndLogErr(connection)
 	}()

 	return store
@@ -309,13 +310,13 @@ func initKeyPair(fileService portainer.FileService, signatureService portainer.D

 // dbSecretPath build the path to the file that contains the db encryption
 // secret. Normally in Docker this is built from the static path inside
-// /run/portainer for example: /run/portainer/<keyFilenameFlag> but for ease of
+// /run/secrets for example: /run/secrets/<keyFilenameFlag> but for ease of
 // use outside Docker it also accepts an absolute path
 func dbSecretPath(keyFilenameFlag string) string {
 	if path.IsAbs(keyFilenameFlag) {
 		return keyFilenameFlag
 	}
-	return path.Join("/run/portainer", keyFilenameFlag)
+	return path.Join("/run/secrets", keyFilenameFlag)
 }

 func loadEncryptionSecretKey(keyfilename string) []byte {
@@ -347,7 +348,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	trustedOrigins := []string{}
 	if *flags.TrustedOrigins != "" {
 		// validate if the trusted origins are valid urls
-		for _, origin := range strings.Split(*flags.TrustedOrigins, ",") {
+		for origin := range strings.SplitSeq(*flags.TrustedOrigins, ",") {
 			if !validate.IsTrustedOrigin(origin) {
 				log.Fatal().Str("trusted_origin", origin).Msg("invalid url for trusted origin. Please check the trusted origins flag.")
 			}
@@ -408,7 +409,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	edgeStacksService := edgestacks.NewService(dataStore)

-	sslService, err := initSSLService(*flags.AddrHTTPS, *flags.SSLCert, *flags.SSLKey, fileService, dataStore, shutdownTrigger)
+	sslService, err := initSSLService(*flags.AddrHTTPS, *flags.TLSCert, *flags.TLSKey, fileService, dataStore, shutdownTrigger)
 	if err != nil {
 		log.Fatal().Err(err).Msg("")
 	}
@@ -529,7 +530,9 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	scheduler := scheduler.NewScheduler(shutdownCtx)
 	stackDeployer := deployments.NewStackDeployer(swarmStackManager, composeStackManager, kubernetesDeployer, dockerClientFactory, dataStore)
-	deployments.StartStackSchedules(scheduler, stackDeployer, dataStore, gitService)
+	if err := deployments.StartStackSchedules(scheduler, stackDeployer, dataStore, gitService); err != nil {
+		log.Fatal().Err(err).Msg("failed to start stack scheduler")
+	}

 	sslDBSettings, err := dataStore.SSLSettings().Settings()
 	if err != nil {
@@ -630,7 +633,7 @@ func main() {
 			Str("build_number", build.BuildNumber).
 			Str("image_tag", build.ImageTag).
 			Str("nodejs_version", build.NodejsVersion).
-			Str("yarn_version", build.YarnVersion).
+			Str("pnpm_version", build.PnpmVersion).
 			Str("webpack_version", build.WebpackVersion).
 			Str("go_version", build.GoVersion).
 			Msg("starting Portainer")
--- a/api/cmd/portainer/main_test.go
+++ b/api/cmd/portainer/main_test.go
@@ -43,12 +43,12 @@ func TestDBSecretPath(t *testing.T) {
 		keyFilenameFlag string
 		expected        string
 	}{
-		{keyFilenameFlag: "secret.txt", expected: "/run/portainer/secret.txt"},
+		{keyFilenameFlag: "secret.txt", expected: "/run/secrets/secret.txt"},
 		{keyFilenameFlag: "/tmp/secret.txt", expected: "/tmp/secret.txt"},
-		{keyFilenameFlag: "/run/portainer/secret.txt", expected: "/run/portainer/secret.txt"},
-		{keyFilenameFlag: "./secret.txt", expected: "/run/portainer/secret.txt"},
+		{keyFilenameFlag: "/run/secrets/secret.txt", expected: "/run/secrets/secret.txt"},
+		{keyFilenameFlag: "./secret.txt", expected: "/run/secrets/secret.txt"},
 		{keyFilenameFlag: "../secret.txt", expected: "/run/secret.txt"},
-		{keyFilenameFlag: "foo/bar/secret.txt", expected: "/run/portainer/foo/bar/secret.txt"},
+		{keyFilenameFlag: "foo/bar/secret.txt", expected: "/run/secrets/foo/bar/secret.txt"},
 	}

 	for _, test := range tests {
--- a/api/crypto/aes.go
+++ b/api/crypto/aes.go
@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"crypto/aes"
 	"crypto/cipher"
+	"crypto/pbkdf2"
 	"crypto/rand"
 	"crypto/sha256"
 	"errors"
@@ -14,9 +15,9 @@ import (

 	"github.com/portainer/portainer/pkg/fips"

-	"golang.org/x/crypto/argon2"
-	"golang.org/x/crypto/pbkdf2"
-	"golang.org/x/crypto/scrypt"
+	// Not allowed in FIPS mode
+	"golang.org/x/crypto/argon2" //nolint:depguard
+	"golang.org/x/crypto/scrypt" //nolint:depguard
 )

 const (
@@ -163,7 +164,9 @@ func aesEncryptGCM(input io.Reader, output io.Writer, passphrase []byte) error {
 			return err
 		}

-		nonce.Increment()
+		if err := nonce.Increment(); err != nil {
+			return err
+		}
 	}

 	return nil
@@ -234,7 +237,9 @@ func aesDecryptGCM(input io.Reader, passphrase []byte) (io.Reader, error) {
 			return nil, err
 		}

-		nonce.Increment()
+		if err := nonce.Increment(); err != nil {
+			return nil, err
+		}
 	}

 	return &buf, nil
@@ -248,7 +253,10 @@ func aesEncryptGCMFIPS(input io.Reader, output io.Writer, passphrase []byte) err
 		return err
 	}

-	key := pbkdf2.Key(passphrase, salt, pbkdf2Iterations, 32, sha256.New)
+	key, err := pbkdf2.Key(sha256.New, string(passphrase), salt, pbkdf2Iterations, 32)
+	if err != nil {
+		return fmt.Errorf("error deriving key: %w", err)
+	}

 	block, err := aes.NewCipher(key)
 	if err != nil {
@@ -315,7 +323,10 @@ func aesDecryptGCMFIPS(input io.Reader, passphrase []byte) (io.Reader, error) {
 		return nil, err
 	}

-	key := pbkdf2.Key(passphrase, salt, pbkdf2Iterations, 32, sha256.New)
+	key, err := pbkdf2.Key(sha256.New, string(passphrase), salt, pbkdf2Iterations, 32)
+	if err != nil {
+		return nil, fmt.Errorf("error deriving key: %w", err)
+	}

 	// Initialize AES cipher block
 	block, err := aes.NewCipher(key)
@@ -382,3 +393,18 @@ func aesDecryptOFB(input io.Reader, passphrase []byte) (io.Reader, error) {

 	return reader, nil
 }
+
+// HasEncryptedHeader checks if the data has an encrypted header, note that fips
+// mode changes this behavior and so will only recognize data encrypted by the
+// same mode (fips enabled or disabled)
+func HasEncryptedHeader(data []byte) bool {
+	return hasEncryptedHeader(data, fips.FIPSMode())
+}
+
+func hasEncryptedHeader(data []byte, fipsMode bool) bool {
+	if fipsMode {
+		return bytes.HasPrefix(data, []byte(aesGcmFIPSHeader))
+	}
+
+	return bytes.HasPrefix(data, []byte(aesGcmHeader))
+}
--- a/api/crypto/aes_test.go
+++ b/api/crypto/aes_test.go
@@ -9,6 +9,7 @@ import (
 	"path/filepath"
 	"testing"

+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/pkg/fips"

 	"github.com/stretchr/testify/assert"
@@ -47,26 +48,29 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 		)

 		content := randBytes(1024*1024*100 + 523)
-		os.WriteFile(originFilePath, content, 0600)
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)

 		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		defer logs.CloseAndLogErr(originFile)

 		encryptedFileWriter, _ := os.Create(encryptedFilePath)

-		err := encrypt(originFile, encryptedFileWriter, []byte(passphrase))
-		require.Nil(t, err, "Failed to encrypt a file")
-		encryptedFileWriter.Close()
+		err = encrypt(originFile, encryptedFileWriter, []byte(passphrase))
+		require.NoError(t, err, "Failed to encrypt a file")
+		logs.CloseAndLogErr(encryptedFileWriter)

 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		require.Nil(t, err, "Couldn't read encrypted file")
+		require.NoError(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, _ := os.Open(encryptedFilePath)
-		defer encryptedFileReader.Close()
+		encryptedFileReader, err := os.Open(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileReader)

-		decryptedFileWriter, _ := os.Create(decryptedFilePath)
-		defer decryptedFileWriter.Close()
+		decryptedFileWriter, err := os.Create(decryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		decryptedReader, err := decrypt(encryptedFileReader, []byte(passphrase))
 		if !decryptShouldSucceed {
@@ -74,9 +78,11 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 		} else {
 			require.NoError(t, err, "Failed to decrypt file indicated by decryptShouldSucceed")

-			io.Copy(decryptedFileWriter, decryptedReader)
+			_, err = io.Copy(decryptedFileWriter, decryptedReader)
+			require.NoError(t, err)

-			decryptedContent, _ := os.ReadFile(decryptedFilePath)
+			decryptedContent, err := os.ReadFile(decryptedFilePath)
+			require.NoError(t, err)
 			assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 		}
 	}
@@ -147,33 +153,40 @@ func Test_encryptAndDecrypt_withStrongPassphrase(t *testing.T) {
 		)

 		content := randBytes(500)
-		os.WriteFile(originFilePath, content, 0600)

-		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)
+
+		originFile, err := os.Open(originFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(originFile)

 		encryptedFileWriter, _ := os.Create(encryptedFilePath)

-		err := encrypt(originFile, encryptedFileWriter, []byte(passphrase))
-		assert.Nil(t, err, "Failed to encrypt a file")
-		encryptedFileWriter.Close()
+		err = encrypt(originFile, encryptedFileWriter, []byte(passphrase))
+		require.NoError(t, err, "Failed to encrypt a file")
+		logs.CloseAndLogErr(encryptedFileWriter)

 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		assert.Nil(t, err, "Couldn't read encrypted file")
+		require.NoError(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, _ := os.Open(encryptedFilePath)
-		defer encryptedFileReader.Close()
+		encryptedFileReader, err := os.Open(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileReader)

-		decryptedFileWriter, _ := os.Create(decryptedFilePath)
-		defer decryptedFileWriter.Close()
+		decryptedFileWriter, err := os.Create(decryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		decryptedReader, err := decrypt(encryptedFileReader, []byte(passphrase))
-		assert.Nil(t, err, "Failed to decrypt file")
+		require.NoError(t, err, "Failed to decrypt file")

-		io.Copy(decryptedFileWriter, decryptedReader)
+		_, err = io.Copy(decryptedFileWriter, decryptedReader)
+		require.NoError(t, err)

-		decryptedContent, _ := os.ReadFile(decryptedFilePath)
+		decryptedContent, err := os.ReadFile(decryptedFilePath)
+		require.NoError(t, err)
 		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 	}

@@ -197,33 +210,40 @@ func Test_encryptAndDecrypt_withTheSamePasswordSmallFile(t *testing.T) {
 		)

 		content := randBytes(500)
-		os.WriteFile(originFilePath, content, 0600)
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)

-		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		originFile, err := os.Open(originFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(originFile)

-		encryptedFileWriter, _ := os.Create(encryptedFilePath)
+		encryptedFileWriter, err := os.Create(encryptedFilePath)
+		require.NoError(t, err)

-		err := encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
-		assert.Nil(t, err, "Failed to encrypt a file")
-		encryptedFileWriter.Close()
+		err = encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+		require.NoError(t, err, "Failed to encrypt a file")
+		logs.CloseAndLogErr(encryptedFileWriter)

 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		assert.Nil(t, err, "Couldn't read encrypted file")
+		require.NoError(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, _ := os.Open(encryptedFilePath)
-		defer encryptedFileReader.Close()
+		encryptedFileReader, err := os.Open(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileReader)

-		decryptedFileWriter, _ := os.Create(decryptedFilePath)
-		defer decryptedFileWriter.Close()
+		decryptedFileWriter, err := os.Create(decryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		decryptedReader, err := decrypt(encryptedFileReader, []byte("passphrase"))
-		assert.Nil(t, err, "Failed to decrypt file")
+		require.NoError(t, err, "Failed to decrypt file")

-		io.Copy(decryptedFileWriter, decryptedReader)
+		_, err = io.Copy(decryptedFileWriter, decryptedReader)
+		require.NoError(t, err)

-		decryptedContent, _ := os.ReadFile(decryptedFilePath)
+		decryptedContent, err := os.ReadFile(decryptedFilePath)
+		require.NoError(t, err)
 		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 	}

@@ -247,32 +267,40 @@ func Test_encryptAndDecrypt_withEmptyPassword(t *testing.T) {
 		)

 		content := randBytes(1024 * 50)
-		os.WriteFile(originFilePath, content, 0600)
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)

-		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		originFile, err := os.Open(originFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(originFile)

-		encryptedFileWriter, _ := os.Create(encryptedFilePath)
-		defer encryptedFileWriter.Close()
+		encryptedFileWriter, err := os.Create(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileWriter)
+
+		err = encrypt(originFile, encryptedFileWriter, []byte(""))
+		require.NoError(t, err, "Failed to encrypt a file")

-		err := encrypt(originFile, encryptedFileWriter, []byte(""))
-		assert.Nil(t, err, "Failed to encrypt a file")
 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		assert.Nil(t, err, "Couldn't read encrypted file")
+		require.NoError(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, _ := os.Open(encryptedFilePath)
-		defer encryptedFileReader.Close()
+		encryptedFileReader, err := os.Open(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileReader)

-		decryptedFileWriter, _ := os.Create(decryptedFilePath)
-		defer decryptedFileWriter.Close()
+		decryptedFileWriter, err := os.Create(decryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		decryptedReader, err := decrypt(encryptedFileReader, []byte(""))
-		assert.Nil(t, err, "Failed to decrypt file")
+		require.NoError(t, err, "Failed to decrypt file")

-		io.Copy(decryptedFileWriter, decryptedReader)
+		_, err = io.Copy(decryptedFileWriter, decryptedReader)
+		require.NoError(t, err)

-		decryptedContent, _ := os.ReadFile(decryptedFilePath)
+		decryptedContent, err := os.ReadFile(decryptedFilePath)
+		require.NoError(t, err)
 		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 	}

@@ -296,28 +324,33 @@ func Test_decryptWithDifferentPassphrase_shouldProduceWrongResult(t *testing.T)
 		)

 		content := randBytes(1034)
-		os.WriteFile(originFilePath, content, 0600)
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)

-		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		originFile, err := os.Open(originFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(originFile)

-		encryptedFileWriter, _ := os.Create(encryptedFilePath)
-		defer encryptedFileWriter.Close()
+		encryptedFileWriter, err := os.Create(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileWriter)

-		err := encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
-		assert.Nil(t, err, "Failed to encrypt a file")
+		err = encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+		require.NoError(t, err, "Failed to encrypt a file")
 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		assert.Nil(t, err, "Couldn't read encrypted file")
+		require.NoError(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, _ := os.Open(encryptedFilePath)
-		defer encryptedFileReader.Close()
+		encryptedFileReader, err := os.Open(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileReader)

-		decryptedFileWriter, _ := os.Create(decryptedFilePath)
-		defer decryptedFileWriter.Close()
+		decryptedFileWriter, err := os.Create(decryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		_, err = decrypt(encryptedFileReader, []byte("garbage"))
-		assert.NotNil(t, err, "Should not allow decrypt with wrong passphrase")
+		require.Error(t, err, "Should not allow decrypt with wrong passphrase")
 	}

 	t.Run("fips", func(t *testing.T) {
@@ -350,3 +383,62 @@ func legacyAesEncrypt(input io.Reader, output io.Writer, passphrase []byte) erro

 	return nil
 }
+
+func Test_hasEncryptedHeader(t *testing.T) {
+	tests := []struct {
+		name     string
+		data     []byte
+		fipsMode bool
+		want     bool
+	}{
+		{
+			name:     "non-FIPS mode with valid header",
+			data:     []byte("AES256-GCM" + "some encrypted data"),
+			fipsMode: false,
+			want:     true,
+		},
+		{
+			name:     "non-FIPS mode with FIPS header",
+			data:     []byte("FIPS-AES256-GCM" + "some encrypted data"),
+			fipsMode: false,
+			want:     false,
+		},
+		{
+			name:     "FIPS mode with valid header",
+			data:     []byte("FIPS-AES256-GCM" + "some encrypted data"),
+			fipsMode: true,
+			want:     true,
+		},
+		{
+			name:     "FIPS mode with non-FIPS header",
+			data:     []byte("AES256-GCM" + "some encrypted data"),
+			fipsMode: true,
+			want:     false,
+		},
+		{
+			name:     "invalid header",
+			data:     []byte("INVALID-HEADER" + "some data"),
+			fipsMode: false,
+			want:     false,
+		},
+		{
+			name:     "empty data",
+			data:     []byte{},
+			fipsMode: false,
+			want:     false,
+		},
+		{
+			name:     "nil data",
+			data:     nil,
+			fipsMode: false,
+			want:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := hasEncryptedHeader(tt.data, tt.fipsMode)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/api/crypto/ecdsa_test.go
+++ b/api/crypto/ecdsa_test.go
@@ -11,12 +11,12 @@ func TestCreateSignature(t *testing.T) {

 	privKey, pubKey, err := s.GenerateKeyPair()
 	require.NoError(t, err)
-	require.Greater(t, len(privKey), 0)
-	require.Greater(t, len(pubKey), 0)
+	require.NotEmpty(t, privKey)
+	require.NotEmpty(t, pubKey)

 	m := "test message"
 	r, err := s.CreateSignature(m)
 	require.NoError(t, err)
 	require.NotEqual(t, r, m)
-	require.Greater(t, len(r), 0)
+	require.NotEmpty(t, r)
 }
--- a/api/crypto/hash.go
+++ b/api/crypto/hash.go
@@ -1,7 +1,8 @@
 package crypto

 import (
-	"golang.org/x/crypto/bcrypt"
+	// Not allowed in FIPS mode
+	"golang.org/x/crypto/bcrypt" //nolint:depguard
 )

 // Service represents a service for encrypting/hashing data.
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@@ -1,18 +1,17 @@
 package crypto

 import (
-	"crypto/fips140"
 	"crypto/tls"
 	"crypto/x509"
 	"os"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/pkg/fips"
 )

 // CreateTLSConfiguration creates a basic tls.Config with recommended TLS settings
 func CreateTLSConfiguration(insecureSkipVerify bool) *tls.Config { //nolint:forbidigo
-	// TODO: use fips.FIPSMode() instead
-	return createTLSConfiguration(fips140.Enabled(), insecureSkipVerify)
+	return createTLSConfiguration(fips.FIPSMode(), insecureSkipVerify)
 }

 func createTLSConfiguration(fipsEnabled bool, insecureSkipVerify bool) *tls.Config { //nolint:forbidigo
@@ -58,8 +57,7 @@ func createTLSConfiguration(fipsEnabled bool, insecureSkipVerify bool) *tls.Conf
 // CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from memory.
 func CreateTLSConfigurationFromBytes(useTLS bool, caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) { //nolint:forbidigo
-	// TODO: use fips.FIPSMode() instead
-	return createTLSConfigurationFromBytes(fips140.Enabled(), useTLS, caCert, cert, key, skipClientVerification, skipServerVerification)
+	return createTLSConfigurationFromBytes(fips.FIPSMode(), useTLS, caCert, cert, key, skipClientVerification, skipServerVerification)
 }

 func createTLSConfigurationFromBytes(fipsEnabled, useTLS bool, caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) { //nolint:forbidigo
@@ -90,12 +88,13 @@ func createTLSConfigurationFromBytes(fipsEnabled, useTLS bool, caCert, cert, key
 // CreateTLSConfigurationFromDisk initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from disk.
 func CreateTLSConfigurationFromDisk(config portainer.TLSConfiguration) (*tls.Config, error) { //nolint:forbidigo
-	// TODO: use fips.FIPSMode() instead
-	return createTLSConfigurationFromDisk(fips140.Enabled(), config)
+	return createTLSConfigurationFromDisk(fips.FIPSMode(), config)
 }

 func createTLSConfigurationFromDisk(fipsEnabled bool, config portainer.TLSConfiguration) (*tls.Config, error) { //nolint:forbidigo
-	if !config.TLS {
+	if !config.TLS && fipsEnabled {
+		return nil, fips.ErrTLSRequired
+	} else if !config.TLS {
 		return nil, nil
 	}

--- a/api/crypto/tls_test.go
+++ b/api/crypto/tls_test.go
@@ -44,7 +44,7 @@ func TestCreateTLSConfigurationFIPS(t *testing.T) {
 func TestCreateTLSConfigurationFromBytes(t *testing.T) {
 	// No TLS
 	config, err := CreateTLSConfigurationFromBytes(false, nil, nil, nil, false, false)
-	require.Nil(t, err)
+	require.NoError(t, err)
 	require.Nil(t, config)

 	// Skip TLS client/server verifications
@@ -61,7 +61,7 @@ func TestCreateTLSConfigurationFromBytes(t *testing.T) {
 func TestCreateTLSConfigurationFromDisk(t *testing.T) {
 	// No TLS
 	config, err := CreateTLSConfigurationFromDisk(portainer.TLSConfiguration{})
-	require.Nil(t, err)
+	require.NoError(t, err)
 	require.Nil(t, config)

 	// Skip TLS verifications
--- a/api/database/boltdb/db.go
+++ b/api/database/boltdb/db.go
@@ -21,6 +21,9 @@ import (
 const (
 	DatabaseFileName          = "portainer.db"
 	EncryptedDatabaseFileName = "portainer.edb"
+
+	txMaxSize       = 65536
+	compactedSuffix = ".compacted"
 )

 var (
@@ -35,6 +38,7 @@ type DbConnection struct {
 	InitialMmapSize int
 	EncryptionKey   []byte
 	isEncrypted     bool
+	Compact         bool

 	*bolt.DB
 }
@@ -132,15 +136,8 @@ func (connection *DbConnection) NeedsEncryptionMigration() (bool, error) {
 func (connection *DbConnection) Open() error {
 	log.Info().Str("filename", connection.GetDatabaseFileName()).Msg("loading PortainerDB")

-	// Now we open the db
 	databasePath := connection.GetDatabaseFilePath()
-
-	db, err := bolt.Open(databasePath, 0600, &bolt.Options{
-		Timeout:         1 * time.Second,
-		InitialMmapSize: connection.InitialMmapSize,
-		FreelistType:    bolt.FreelistMapType,
-		NoFreelistSync:  true,
-	})
+	db, err := bolt.Open(databasePath, 0600, connection.boltOptions(connection.Compact))
 	if err != nil {
 		return err
 	}
@@ -149,6 +146,24 @@ func (connection *DbConnection) Open() error {
 	db.MaxBatchDelay = connection.MaxBatchDelay
 	connection.DB = db

+	if connection.Compact {
+		log.Info().Msg("compacting database")
+		if err := connection.compact(); err != nil {
+			log.Error().Err(err).Msg("failed to compact database")
+
+			// Close the read-only database and re-open in read-write mode
+			if err := connection.Close(); err != nil {
+				log.Warn().Err(err).Msg("failure to close the database after failed compaction")
+			}
+
+			connection.Compact = false
+
+			return connection.Open()
+		} else {
+			log.Info().Msg("database compaction completed")
+		}
+	}
+
 	return nil
 }

@@ -414,3 +429,48 @@ func (connection *DbConnection) RestoreMetadata(s map[string]any) error {

 	return err
 }
+
+// compact attempts to compact the database and replace it iff it succeeds
+func (connection *DbConnection) compact() (err error) {
+	compactedPath := connection.GetDatabaseFilePath() + compactedSuffix
+
+	if err := os.Remove(compactedPath); err != nil && !errors.Is(err, os.ErrNotExist) {
+		return fmt.Errorf("failure to remove an existing compacted database: %w", err)
+	}
+
+	compactedDB, err := bolt.Open(compactedPath, 0o600, connection.boltOptions(false))
+	if err != nil {
+		return fmt.Errorf("failure to create the compacted database: %w", err)
+	}
+
+	compactedDB.MaxBatchSize = connection.MaxBatchSize
+	compactedDB.MaxBatchDelay = connection.MaxBatchDelay
+
+	if err := bolt.Compact(compactedDB, connection.DB, txMaxSize); err != nil {
+		return fmt.Errorf("failure to compact the database: %w",
+			errors.Join(err, compactedDB.Close(), os.Remove(compactedPath)))
+	}
+
+	if err := os.Rename(compactedPath, connection.GetDatabaseFilePath()); err != nil {
+		return fmt.Errorf("failure to move the compacted database: %w",
+			errors.Join(err, compactedDB.Close(), os.Remove(compactedPath)))
+	}
+
+	if err := connection.Close(); err != nil {
+		log.Warn().Err(err).Msg("failure to close the database after compaction")
+	}
+
+	connection.DB = compactedDB
+
+	return nil
+}
+
+func (connection *DbConnection) boltOptions(readOnly bool) *bolt.Options {
+	return &bolt.Options{
+		Timeout:         1 * time.Second,
+		InitialMmapSize: connection.InitialMmapSize,
+		FreelistType:    bolt.FreelistMapType,
+		NoFreelistSync:  true,
+		ReadOnly:        readOnly,
+	}
+}
--- a/api/database/boltdb/db_test.go
+++ b/api/database/boltdb/db_test.go
@@ -5,7 +5,11 @@ import (
 	"path"
 	"testing"

+	"github.com/portainer/portainer/api/filesystem"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.etcd.io/bbolt"
 )

 func Test_NeedsEncryptionMigration(t *testing.T) {
@@ -94,18 +98,36 @@ func Test_NeedsEncryptionMigration(t *testing.T) {
 				// Special case.  If portainer.db and portainer.edb exist.
 				dbFile1 := path.Join(connection.Path, DatabaseFileName)
 				f, _ := os.Create(dbFile1)
-				f.Close()
-				defer os.Remove(dbFile1)
+
+				err := f.Close()
+				require.NoError(t, err)
+
+				defer func() {
+					err := os.Remove(dbFile1)
+					require.NoError(t, err)
+				}()

 				dbFile2 := path.Join(connection.Path, EncryptedDatabaseFileName)
 				f, _ = os.Create(dbFile2)
-				f.Close()
-				defer os.Remove(dbFile2)
+
+				err = f.Close()
+				require.NoError(t, err)
+
+				defer func() {
+					err := os.Remove(dbFile2)
+					require.NoError(t, err)
+				}()
 			} else if tc.dbname != "" {
 				dbFile := path.Join(connection.Path, tc.dbname)
 				f, _ := os.Create(dbFile)
-				f.Close()
-				defer os.Remove(dbFile)
+
+				err := f.Close()
+				require.NoError(t, err)
+
+				defer func() {
+					err := os.Remove(dbFile)
+					require.NoError(t, err)
+				}()
 			}

 			if tc.key {
@@ -119,3 +141,60 @@ func Test_NeedsEncryptionMigration(t *testing.T) {
 		})
 	}
 }
+
+func TestDBCompaction(t *testing.T) {
+	db := &DbConnection{Path: t.TempDir()}
+
+	err := db.Open()
+	require.NoError(t, err)
+
+	err = db.Update(func(tx *bbolt.Tx) error {
+		b, err := tx.CreateBucketIfNotExists([]byte("testbucket"))
+		if err != nil {
+			return err
+		}
+
+		err = b.Put([]byte("key"), []byte("value"))
+		require.NoError(t, err)
+
+		return nil
+	})
+	require.NoError(t, err)
+
+	err = db.Close()
+	require.NoError(t, err)
+
+	// Reopen the DB to trigger compaction
+	db.Compact = true
+	err = db.Open()
+	require.NoError(t, err)
+
+	// Check that the data is still there
+	err = db.View(func(tx *bbolt.Tx) error {
+		b := tx.Bucket([]byte("testbucket"))
+		if b == nil {
+			return nil
+		}
+
+		val := b.Get([]byte("key"))
+		require.Equal(t, []byte("value"), val)
+
+		return nil
+	})
+	require.NoError(t, err)
+
+	err = db.Close()
+	require.NoError(t, err)
+
+	// Failures
+	compactedPath := db.GetDatabaseFilePath() + compactedSuffix
+	err = os.Mkdir(compactedPath, 0o755)
+	require.NoError(t, err)
+
+	f, err := os.Create(filesystem.JoinPaths(compactedPath, "somefile"))
+	require.NoError(t, err)
+	require.NoError(t, f.Close())
+
+	err = db.Open()
+	require.NoError(t, err)
+}
--- a/api/database/boltdb/export.go
+++ b/api/database/boltdb/export.go
@@ -3,6 +3,7 @@ package boltdb
 import (
 	"time"

+	"github.com/portainer/portainer/api/logs"
 	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
 	bolt "go.etcd.io/bbolt"
@@ -37,7 +38,7 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 	if err != nil {
 		return []byte("{}"), err
 	}
-	defer connection.Close()
+	defer logs.CloseAndLogErr(connection)

 	backup := make(map[string]any)
 	if metadata {
--- a/api/database/boltdb/json.go
+++ b/api/database/boltdb/json.go
@@ -45,12 +45,12 @@ func (connection *DbConnection) UnmarshalObject(data []byte, object any) error {
 		}
 	}

-	if e := json.Unmarshal(data, object); e != nil {
+	if err := json.Unmarshal(data, object); err != nil {
 		// Special case for the VERSION bucket. Here we're not using json
 		// So we need to return it as a string
 		s, ok := object.(*string)
 		if !ok {
-			return errors.Wrap(err, e.Error())
+			return errors.Wrap(err, "Failed unmarshalling object")
 		}

 		*s = string(data)
--- a/api/database/boltdb/json_test.go
+++ b/api/database/boltdb/json_test.go
@@ -10,14 +10,14 @@ import (
 	"io"
 	"testing"

-	"github.com/gofrs/uuid"
+	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

 const (
-	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
+	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
 	passphrase = "my secret key"
 )

@@ -29,7 +29,7 @@ func secretToEncryptionKey(passphrase string) []byte {
 func Test_MarshalObjectUnencrypted(t *testing.T) {
 	is := assert.New(t)

-	uuid := uuid.Must(uuid.NewV4())
+	uuid := uuid.New()

 	tests := []struct {
 		object   any
@@ -94,7 +94,7 @@ func Test_MarshalObjectUnencrypted(t *testing.T) {
 	for _, test := range tests {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
 			data, err := conn.MarshalObject(test.object)
-			is.NoError(err)
+			require.NoError(t, err)
 			is.Equal(test.expected, string(data))
 		})
 	}
@@ -135,7 +135,7 @@ func Test_UnMarshalObjectUnencrypted(t *testing.T) {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
 			var object string
 			err := conn.UnmarshalObject(test.object, &object)
-			is.NoError(err)
+			require.NoError(t, err)
 			is.Equal(test.expected, object)
 		})
 	}
@@ -172,12 +172,12 @@ func Test_ObjectMarshallingEncrypted(t *testing.T) {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {

 			data, err := conn.MarshalObject(test.object)
-			is.NoError(err)
+			require.NoError(t, err)

 			var object []byte
 			err = conn.UnmarshalObject(data, &object)

-			is.NoError(err)
+			require.NoError(t, err)
 			is.Equal(test.object, object)
 		})
 	}
--- a/api/database/boltdb/tx_test.go
+++ b/api/database/boltdb/tx_test.go
@@ -6,6 +6,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/stretchr/testify/require"
 )

 const testBucketName = "test-bucket"
@@ -17,70 +18,55 @@ type testStruct struct {
 }

 func TestTxs(t *testing.T) {
-	conn := DbConnection{
-		Path: t.TempDir(),
-	}
+	conn := DbConnection{Path: t.TempDir()}

 	err := conn.Open()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer conn.Close()
+	require.NoError(t, err)
+	defer func() {
+		err := conn.Close()
+		require.NoError(t, err)
+	}()

 	// Error propagation
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
 		return errors.New("this is an error")
 	})
-	if err == nil {
-		t.Fatal("an error was expected, got nil instead")
-	}
+	require.Error(t, err)

 	// Create an object
-	newObj := testStruct{
-		Key:   "key",
-		Value: "value",
-	}
+	newObj := testStruct{Key: "key", Value: "value"}

 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
-		err = tx.SetServiceName(testBucketName)
-		if err != nil {
+		if err := tx.SetServiceName(testBucketName); err != nil {
 			return err
 		}

 		return tx.CreateObjectWithId(testBucketName, testId, newObj)
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	obj := testStruct{}
 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(testBucketName, conn.ConvertToKey(testId), &obj)
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	if obj.Key != newObj.Key || obj.Value != newObj.Value {
 		t.Fatalf("expected %s:%s, got %s:%s instead", newObj.Key, newObj.Value, obj.Key, obj.Value)
 	}

 	// Update an object
-	updatedObj := testStruct{
-		Key:   "updated-key",
-		Value: "updated-value",
-	}
+	updatedObj := testStruct{Key: "updated-key", Value: "updated-value"}

 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.UpdateObject(testBucketName, conn.ConvertToKey(testId), &updatedObj)
 	})
+	require.NoError(t, err)

 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(testBucketName, conn.ConvertToKey(testId), &obj)
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	if obj.Key != updatedObj.Key || obj.Value != updatedObj.Value {
 		t.Fatalf("expected %s:%s, got %s:%s instead", updatedObj.Key, updatedObj.Value, obj.Key, obj.Value)
@@ -90,16 +76,12 @@ func TestTxs(t *testing.T) {
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.DeleteObject(testBucketName, conn.ConvertToKey(testId))
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(testBucketName, conn.ConvertToKey(testId), &obj)
 	})
-	if !dataservices.IsErrObjectNotFound(err) {
-		t.Fatal(err)
-	}
+	require.True(t, dataservices.IsErrObjectNotFound(err))

 	// Get next identifier
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
@@ -112,15 +94,11 @@ func TestTxs(t *testing.T) {

 		return nil
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	// Try to write in a read transaction
 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.CreateObjectWithId(testBucketName, testId, newObj)
 	})
-	if err == nil {
-		t.Fatal("an error was expected, got nil instead")
-	}
+	require.Error(t, err)
 }
--- a/api/database/database.go
+++ b/api/database/database.go
@@ -8,11 +8,12 @@ import (
 )

 // NewDatabase should use config options to return a connection to the requested database
-func NewDatabase(storeType, storePath string, encryptionKey []byte) (connection portainer.Connection, err error) {
+func NewDatabase(storeType, storePath string, encryptionKey []byte, compact bool) (connection portainer.Connection, err error) {
 	if storeType == "boltdb" {
 		return &boltdb.DbConnection{
 			Path:          storePath,
 			EncryptionKey: encryptionKey,
+			Compact:       compact,
 		}, nil
 	}

--- a/api/database/database_test.go
+++ b/api/database/database_test.go
@@ -0,0 +1,24 @@
+package database
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/api/database/boltdb"
+	"github.com/portainer/portainer/api/filesystem"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewDatabase(t *testing.T) {
+	dbPath := filesystem.JoinPaths(t.TempDir(), "test.db")
+	connection, err := NewDatabase("boltdb", dbPath, nil, false)
+	require.NoError(t, err)
+	require.NotNil(t, connection)
+
+	_, ok := connection.(*boltdb.DbConnection)
+	require.True(t, ok)
+
+	connection, err = NewDatabase("unknown", dbPath, nil, false)
+	require.Error(t, err)
+	require.Nil(t, connection)
+}
--- a/api/dataservices/base_test.go
+++ b/api/dataservices/base_test.go
@@ -21,7 +21,7 @@ type mockConnection struct {
 	portainer.Connection
 }

-func (m mockConnection) UpdateObject(bucket string, key []byte, value interface{}) error {
+func (m mockConnection) UpdateObject(bucket string, key []byte, value any) error {
 	obj := value.(*testObject)

 	m.store[obj.ID] = *obj
@@ -50,7 +50,6 @@ func (m mockConnection) ViewTx(fn func(portainer.Transaction) error) error {
 func (m mockConnection) ConvertToKey(v int) []byte {
 	return []byte(strconv.Itoa(v))
 }
-
 func TestReadAll(t *testing.T) {
 	service := BaseDataService[testObject, int]{
 		Bucket:     "testBucket",
--- a/api/dataservices/base_tx.go
+++ b/api/dataservices/base_tx.go
@@ -72,3 +72,13 @@ func (service BaseDataServiceTx[T, I]) Delete(ID I) error {
 	identifier := service.Connection.ConvertToKey(int(ID))
 	return service.Tx.DeleteObject(service.Bucket, identifier)
 }
+
+func Read[T any](tx portainer.Transaction, bucket string, key []byte) (*T, error) {
+	var element T
+
+	if err := tx.GetObject(bucket, key, &element); err != nil {
+		return nil, err
+	}
+
+	return &element, nil
+}
--- a/api/dataservices/customtemplate/customtemplate.go
+++ b/api/dataservices/customtemplate/customtemplate.go
@@ -28,13 +28,12 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}, nil
 }

-// CreateCustomTemplate uses the existing id and saves it.
-// TODO: where does the ID come from, and is it safe?
-func (service *Service) Create(customTemplate *portainer.CustomTemplate) error {
-	return service.Connection.CreateObjectWithId(BucketName, int(customTemplate.ID), customTemplate)
-}
-
-// GetNextIdentifier returns the next identifier for a custom template.
 func (service *Service) GetNextIdentifier() int {
 	return service.Connection.GetNextIdentifier(BucketName)
 }
+
+func (service *Service) Create(customTemplate *portainer.CustomTemplate) error {
+	return service.Connection.UpdateTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).Create(customTemplate)
+	})
+}
--- a/api/dataservices/customtemplate/customtemplate_test.go
+++ b/api/dataservices/customtemplate/customtemplate_test.go
@@ -0,0 +1,19 @@
+package customtemplate_test
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCustomTemplateCreate(t *testing.T) {
+	_, ds := datastore.MustNewTestStore(t, true, false)
+	require.NotNil(t, ds)
+
+	require.NoError(t, ds.CustomTemplate().Create(&portainer.CustomTemplate{ID: 1}))
+	e, err := ds.CustomTemplate().Read(1)
+	require.NoError(t, err)
+	require.Equal(t, portainer.CustomTemplateID(1), e.ID)
+}
--- a/api/dataservices/customtemplate/tx.go
+++ b/api/dataservices/customtemplate/tx.go
@@ -0,0 +1,31 @@
+package customtemplate
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+// Service represents a service for managing custom template data.
+type ServiceTx struct {
+	dataservices.BaseDataServiceTx[portainer.CustomTemplate, portainer.CustomTemplateID]
+}
+
+func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		BaseDataServiceTx: dataservices.BaseDataServiceTx[portainer.CustomTemplate, portainer.CustomTemplateID]{
+			Bucket:     BucketName,
+			Connection: service.Connection,
+			Tx:         tx,
+		},
+	}
+}
+
+func (service ServiceTx) GetNextIdentifier() int {
+	return service.Tx.GetNextIdentifier(BucketName)
+}
+
+// CreateCustomTemplate uses the existing id and saves it.
+// TODO: where does the ID come from, and is it safe?
+func (service ServiceTx) Create(customTemplate *portainer.CustomTemplate) error {
+	return service.Tx.CreateObjectWithId(BucketName, int(customTemplate.ID), customTemplate)
+}
--- a/api/dataservices/customtemplate/tx_test.go
+++ b/api/dataservices/customtemplate/tx_test.go
@@ -0,0 +1,28 @@
+package customtemplate_test
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCustomTemplateCreateTx(t *testing.T) {
+	_, ds := datastore.MustNewTestStore(t, true, false)
+	require.NotNil(t, ds)
+
+	require.NoError(t, ds.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		return tx.CustomTemplate().Create(&portainer.CustomTemplate{ID: 1})
+	}))
+
+	var template *portainer.CustomTemplate
+	require.NoError(t, ds.ViewTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		template, err = tx.CustomTemplate().Read(1)
+		return err
+	}))
+
+	require.Equal(t, portainer.CustomTemplateID(1), template.ID)
+}
--- a/api/dataservices/edgestack/edgestack_test.go
+++ b/api/dataservices/edgestack/edgestack_test.go
@@ -5,6 +5,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/stretchr/testify/require"
 )
@@ -14,7 +15,7 @@ func TestUpdate(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer conn.Close()
+	defer logs.CloseAndLogErr(conn)

 	service, err := NewService(conn, func(portainer.Transaction, portainer.EdgeStackID) {})
 	require.NoError(t, err)
--- a/api/dataservices/endpoint/endpoint.go
+++ b/api/dataservices/endpoint/endpoint.go
@@ -119,6 +119,19 @@ func (service *Service) Endpoints() ([]portainer.Endpoint, error) {
 	return endpoints, nil
 }

+// ReadAll retrieves all the elements that satisfy all the provided predicates.
+func (service *Service) ReadAll(predicates ...func(endpoint portainer.Endpoint) bool) ([]portainer.Endpoint, error) {
+	var endpoints []portainer.Endpoint
+	var err error
+
+	err = service.connection.ViewTx(func(tx portainer.Transaction) error {
+		endpoints, err = service.Tx(tx).ReadAll(predicates...)
+		return err
+	})
+
+	return endpoints, err
+}
+
 // EndpointIDByEdgeID returns the EndpointID from the given EdgeID using an in-memory index
 func (service *Service) EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool) {
 	service.mu.RLock()
--- a/api/dataservices/endpoint/tx.go
+++ b/api/dataservices/endpoint/tx.go
@@ -89,6 +89,11 @@ func (service ServiceTx) Endpoints() ([]portainer.Endpoint, error) {
 	)
 }

+// ReadAll retrieves all the elements that satisfy all the provided predicates.
+func (service ServiceTx) ReadAll(predicates ...func(endpoint portainer.Endpoint) bool) ([]portainer.Endpoint, error) {
+	return dataservices.BaseDataServiceTx[portainer.Endpoint, portainer.EndpointID]{Bucket: BucketName, Connection: service.service.connection, Tx: service.tx}.ReadAll(predicates...)
+}
+
 func (service ServiceTx) EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool) {
 	log.Error().Str("func", "EndpointIDByEdgeID").Msg("cannot be called inside a transaction")

--- a/api/dataservices/endpointrelation/endpointrelation.go
+++ b/api/dataservices/endpointrelation/endpointrelation.go
@@ -91,9 +91,9 @@ func (service *Service) UpdateEndpointRelation(endpointID portainer.EndpointID,
 	})
 }

-func (service *Service) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+func (service *Service) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStack *portainer.EdgeStack) error {
 	return service.connection.UpdateTx(func(tx portainer.Transaction) error {
-		return service.Tx(tx).AddEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
+		return service.Tx(tx).AddEndpointRelationsForEdgeStack(endpointIDs, edgeStack)
 	})
 }

--- a/api/dataservices/endpointrelation/endpointrelation_test.go
+++ b/api/dataservices/endpointrelation/endpointrelation_test.go
@@ -5,7 +5,9 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
+	"github.com/portainer/portainer/api/dataservices/edgestack"
 	"github.com/portainer/portainer/api/internal/edge/cache"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/stretchr/testify/require"
 )
@@ -19,7 +21,7 @@ func TestUpdateRelation(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer conn.Close()
+	defer logs.CloseAndLogErr(conn)

 	service, err := NewService(conn)
 	require.NoError(t, err)
@@ -102,3 +104,38 @@ func TestUpdateRelation(t *testing.T) {
 	require.Equal(t, 0, edgeStacks[edgeStackID1].NumDeployments)
 	require.Equal(t, 0, edgeStacks[edgeStackID2].NumDeployments)
 }
+
+func TestAddEndpointRelationsForEdgeStack(t *testing.T) {
+	var conn portainer.Connection = &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+
+	defer logs.CloseAndLogErr(conn)
+
+	service, err := NewService(conn)
+	require.NoError(t, err)
+
+	edgeStackService, err := edgestack.NewService(conn, func(t portainer.Transaction, esi portainer.EdgeStackID) {})
+	require.NoError(t, err)
+
+	service.RegisterUpdateStackFunction(edgeStackService.UpdateEdgeStackFuncTx)
+	require.NoError(t, edgeStackService.Create(1, &portainer.EdgeStack{}))
+	require.NoError(t, service.Create(&portainer.EndpointRelation{EndpointID: 1, EdgeStacks: map[portainer.EdgeStackID]bool{}}))
+	require.NoError(t, service.AddEndpointRelationsForEdgeStack([]portainer.EndpointID{1}, &portainer.EdgeStack{ID: 1}))
+}
+
+func TestEndpointRelations(t *testing.T) {
+	var conn portainer.Connection = &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+
+	defer logs.CloseAndLogErr(conn)
+
+	service, err := NewService(conn)
+	require.NoError(t, err)
+
+	require.NoError(t, service.Create(&portainer.EndpointRelation{EndpointID: 1}))
+	rels, err := service.EndpointRelations()
+	require.NoError(t, err)
+	require.Len(t, rels, 1)
+}
--- a/api/dataservices/endpointrelation/tx.go
+++ b/api/dataservices/endpointrelation/tx.go
@@ -76,14 +76,14 @@ func (service ServiceTx) UpdateEndpointRelation(endpointID portainer.EndpointID,
 	return nil
 }

-func (service ServiceTx) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+func (service ServiceTx) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStack *portainer.EdgeStack) error {
 	for _, endpointID := range endpointIDs {
 		rel, err := service.EndpointRelation(endpointID)
 		if err != nil {
 			return err
 		}

-		rel.EdgeStacks[edgeStackID] = true
+		rel.EdgeStacks[edgeStack.ID] = true

 		identifier := service.service.connection.ConvertToKey(int(endpointID))
 		err = service.tx.UpdateObject(BucketName, identifier, rel)
@@ -97,8 +97,12 @@ func (service ServiceTx) AddEndpointRelationsForEdgeStack(endpointIDs []portaine
 	service.service.endpointRelationsCache = nil
 	service.service.mu.Unlock()

-	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
-		edgeStack.NumDeployments += len(endpointIDs)
+	if err := service.service.updateStackFnTx(service.tx, edgeStack.ID, func(es *portainer.EdgeStack) {
+		es.NumDeployments += len(endpointIDs)
+
+		// sync changes in `edgeStack` in case it is re-persisted after `AddEndpointRelationsForEdgeStack` call
+		// to avoid overriding with the previous values
+		edgeStack.NumDeployments = es.NumDeployments
 	}); err != nil {
 		log.Error().Err(err).Msg("could not update the number of deployments")
 	}
--- a/api/dataservices/errors/errors.go
+++ b/api/dataservices/errors/errors.go
@@ -6,7 +6,7 @@ import (

 var (
 	ErrObjectNotFound     = errors.New("object not found inside the database")
-	ErrWrongDBEdition     = errors.New("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
+	ErrWrongDBEdition     = errors.New("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://docs.portainer.io/faqs/upgrading/can-i-downgrade-from-portainer-business-to-portainer-ce")
 	ErrDBImportFailed     = errors.New("importing backup failed")
 	ErrDatabaseIsUpdating = errors.New("database is currently in updating state. Failed prior upgrade. Please restore from backup or delete the database and restart Portainer")
 )
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -102,6 +102,9 @@ type (

 	// EndpointService represents a service for managing environment(endpoint) data
 	EndpointService interface {
+		// partial dataservices.BaseCRUD[portainer.Endpoint, portainer.EndpointID]
+		ReadAll(predicates ...func(endpoint portainer.Endpoint) bool) ([]portainer.Endpoint, error)
+
 		Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error)
 		EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool)
 		EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error)
@@ -126,7 +129,7 @@ type (
 		EndpointRelation(EndpointID portainer.EndpointID) (*portainer.EndpointRelation, error)
 		Create(endpointRelation *portainer.EndpointRelation) error
 		UpdateEndpointRelation(EndpointID portainer.EndpointID, endpointRelation *portainer.EndpointRelation) error
-		AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error
+		AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStack *portainer.EdgeStack) error
 		RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error
 		DeleteEndpointRelation(EndpointID portainer.EndpointID) error
 		BucketName() string
@@ -223,6 +226,7 @@ type (
 	UserService interface {
 		BaseCRUD[portainer.User, portainer.UserID]
 		UserByUsername(username string) (*portainer.User, error)
+		UserIDByUsername(username string) (portainer.UserID, error)
 		UsersByRole(role portainer.UserRole) ([]portainer.User, error)
 	}

--- a/api/dataservices/pendingactions/pendingactions.go
+++ b/api/dataservices/pendingactions/pendingactions.go
@@ -1,13 +1,8 @@
 package pendingactions

 import (
-	"fmt"
-	"time"
-
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-
-	"github.com/rs/zerolog/log"
 )

 const BucketName = "pending_actions"
@@ -16,10 +11,6 @@ type Service struct {
 	dataservices.BaseDataService[portainer.PendingAction, portainer.PendingActionID]
 }

-type ServiceTx struct {
-	dataservices.BaseDataServiceTx[portainer.PendingAction, portainer.PendingActionID]
-}
-
 func NewService(connection portainer.Connection) (*Service, error) {
 	err := connection.SetServiceName(BucketName)
 	if err != nil {
@@ -34,6 +25,11 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}, nil
 }

+// GetNextIdentifier returns the next identifier for a custom template.
+func (service *Service) GetNextIdentifier() int {
+	return service.Connection.GetNextIdentifier(BucketName)
+}
+
 func (s Service) Create(config *portainer.PendingAction) error {
 	return s.Connection.UpdateTx(func(tx portainer.Transaction) error {
 		return s.Tx(tx).Create(config)
@@ -61,43 +57,3 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 		},
 	}
 }
-
-func (s ServiceTx) Create(config *portainer.PendingAction) error {
-	return s.Tx.CreateObject(BucketName, func(id uint64) (int, any) {
-		config.ID = portainer.PendingActionID(id)
-		config.CreatedAt = time.Now().Unix()
-
-		return int(config.ID), config
-	})
-}
-
-func (s ServiceTx) Update(ID portainer.PendingActionID, config *portainer.PendingAction) error {
-	return s.BaseDataServiceTx.Update(ID, config)
-}
-
-func (s ServiceTx) DeleteByEndpointID(ID portainer.EndpointID) error {
-	log.Debug().Int("endpointId", int(ID)).Msg("deleting pending actions for endpoint")
-	pendingActions, err := s.ReadAll()
-	if err != nil {
-		return fmt.Errorf("failed to retrieve pending-actions for endpoint (%d): %w", ID, err)
-	}
-
-	for _, pendingAction := range pendingActions {
-		if pendingAction.EndpointID == ID {
-			if err := s.Delete(pendingAction.ID); err != nil {
-				log.Debug().Int("endpointId", int(ID)).Msgf("failed to delete pending action: %v", err)
-			}
-		}
-	}
-	return nil
-}
-
-// GetNextIdentifier returns the next identifier for a custom template.
-func (service ServiceTx) GetNextIdentifier() int {
-	return service.Tx.GetNextIdentifier(BucketName)
-}
-
-// GetNextIdentifier returns the next identifier for a custom template.
-func (service *Service) GetNextIdentifier() int {
-	return service.Connection.GetNextIdentifier(BucketName)
-}
--- a/api/dataservices/pendingactions/tx.go
+++ b/api/dataservices/pendingactions/tx.go
@@ -0,0 +1,49 @@
+package pendingactions
+
+import (
+	"fmt"
+	"time"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	"github.com/rs/zerolog/log"
+)
+
+type ServiceTx struct {
+	dataservices.BaseDataServiceTx[portainer.PendingAction, portainer.PendingActionID]
+}
+
+func (s ServiceTx) Create(config *portainer.PendingAction) error {
+	return s.Tx.CreateObject(BucketName, func(id uint64) (int, any) {
+		config.ID = portainer.PendingActionID(id)
+		config.CreatedAt = time.Now().Unix()
+
+		return int(config.ID), config
+	})
+}
+
+func (s ServiceTx) Update(ID portainer.PendingActionID, config *portainer.PendingAction) error {
+	return s.BaseDataServiceTx.Update(ID, config)
+}
+
+func (s ServiceTx) DeleteByEndpointID(ID portainer.EndpointID) error {
+	log.Debug().Int("endpointId", int(ID)).Msg("deleting pending actions for endpoint")
+	pendingActions, err := s.ReadAll()
+	if err != nil {
+		return fmt.Errorf("failed to retrieve pending-actions for endpoint (%d): %w", ID, err)
+	}
+
+	for _, pendingAction := range pendingActions {
+		if pendingAction.EndpointID == ID {
+			if err := s.Delete(pendingAction.ID); err != nil {
+				log.Debug().Int("endpointId", int(ID)).Msgf("failed to delete pending action: %v", err)
+			}
+		}
+	}
+	return nil
+}
+
+// GetNextIdentifier returns the next identifier for a custom template.
+func (service ServiceTx) GetNextIdentifier() int {
+	return service.Tx.GetNextIdentifier(BucketName)
+}
--- a/api/dataservices/resourcecontrol/resourcecontrol.go
+++ b/api/dataservices/resourcecontrol/resourcecontrol.go
@@ -3,6 +3,7 @@ package resourcecontrol
 import (
 	"errors"
 	"fmt"
+	"slices"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -64,11 +65,9 @@ func (service *Service) ResourceControlByResourceIDAndType(resourceID string, re
 				return nil, stop
 			}

-			for _, subResourceID := range rc.SubResourceIDs {
-				if subResourceID == resourceID {
-					resourceControl = rc
-					return nil, stop
-				}
+			if slices.Contains(rc.SubResourceIDs, resourceID) {
+				resourceControl = rc
+				return nil, stop
 			}

 			return &portainer.ResourceControl{}, nil
--- a/api/dataservices/resourcecontrol/tx.go
+++ b/api/dataservices/resourcecontrol/tx.go
@@ -3,6 +3,7 @@ package resourcecontrol
 import (
 	"errors"
 	"fmt"
+	"slices"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -35,11 +36,9 @@ func (service ServiceTx) ResourceControlByResourceIDAndType(resourceID string, r
 				return nil, stop
 			}

-			for _, subResourceID := range rc.SubResourceIDs {
-				if subResourceID == resourceID {
-					resourceControl = rc
-					return nil, stop
-				}
+			if slices.Contains(rc.SubResourceIDs, resourceID) {
+				resourceControl = rc
+				return nil, stop
 			}

 			return &portainer.ResourceControl{}, nil
--- a/api/dataservices/ssl/ssl.go
+++ b/api/dataservices/ssl/ssl.go
@@ -31,6 +31,13 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}, nil
 }

+func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		service: service,
+		tx:      tx,
+	}
+}
+
 // Settings retrieve the ssl settings object.
 func (service *Service) Settings() (*portainer.SSLSettings, error) {
 	var settings portainer.SSLSettings
--- a/api/dataservices/ssl/tx.go
+++ b/api/dataservices/ssl/tx.go
@@ -0,0 +1,31 @@
+package ssl
+
+import (
+	portainer "github.com/portainer/portainer/api"
+)
+
+type ServiceTx struct {
+	service *Service
+	tx      portainer.Transaction
+}
+
+func (service ServiceTx) BucketName() string {
+	return BucketName
+}
+
+// Settings retrieve the settings object.
+func (service ServiceTx) Settings() (*portainer.SSLSettings, error) {
+	var settings portainer.SSLSettings
+
+	err := service.tx.GetObject(BucketName, []byte(key), &settings)
+	if err != nil {
+		return nil, err
+	}
+
+	return &settings, nil
+}
+
+// UpdateSettings persists a Settings object.
+func (service ServiceTx) UpdateSettings(settings *portainer.SSLSettings) error {
+	return service.tx.UpdateObject(BucketName, []byte(key), settings)
+}
--- a/api/dataservices/stack/tests/stack_test.go
+++ b/api/dataservices/stack/tests/stack_test.go
@@ -4,17 +4,18 @@ import (
 	"testing"
 	"time"

-	"github.com/portainer/portainer/api/datastore"
-
-	"github.com/gofrs/uuid"
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/filesystem"
+
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func newGuidString(t *testing.T) string {
-	uuid, err := uuid.NewV4()
-	assert.NoError(t, err)
+	uuid, err := uuid.NewRandom()
+	require.NoError(t, err)

 	return uuid.String()
 }
@@ -41,7 +42,7 @@ func TestService_StackByWebhookID(t *testing.T) {

 	// can find a stack by webhook ID
 	got, err := store.StackService.StackByWebhookID(webhookID)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, stack, *got)

 	// returns nil and object not found error if there's no stack associated with the webhook
@@ -94,10 +95,10 @@ func Test_RefreshableStacks(t *testing.T) {

 	for _, stack := range []*portainer.Stack{&staticStack, &stackWithWebhook, &refreshableStack} {
 		err := store.Stack().Create(stack)
-		assert.NoError(t, err)
+		require.NoError(t, err)
 	}

 	stacks, err := store.Stack().RefreshableStacks()
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.ElementsMatch(t, []portainer.Stack{refreshableStack}, stacks)
 }
--- a/api/dataservices/team/tests/team_test.go
+++ b/api/dataservices/team/tests/team_test.go
@@ -5,7 +5,9 @@ import (

 	"github.com/portainer/portainer/api/dataservices/errors"
 	"github.com/portainer/portainer/api/datastore"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func Test_teamByName(t *testing.T) {
@@ -13,7 +15,7 @@ func Test_teamByName(t *testing.T) {
 		_, store := datastore.MustNewTestStore(t, true, true)

 		_, err := store.Team().TeamByName("name")
-		assert.ErrorIs(t, err, errors.ErrObjectNotFound)
+		require.ErrorIs(t, err, errors.ErrObjectNotFound)

 	})

@@ -29,7 +31,7 @@ func Test_teamByName(t *testing.T) {
 		teamBuilder.createNew("name1")

 		_, err := store.Team().TeamByName("name")
-		assert.ErrorIs(t, err, errors.ErrObjectNotFound)
+		require.ErrorIs(t, err, errors.ErrObjectNotFound)
 	})

 	t.Run("When there is an object with the same name should return the object", func(t *testing.T) {
@@ -44,7 +46,7 @@ func Test_teamByName(t *testing.T) {
 		expectedTeam := teamBuilder.createNew("name1")

 		team, err := store.Team().TeamByName("name1")
-		assert.NoError(t, err, "TeamByName should succeed")
+		require.NoError(t, err, "TeamByName should succeed")
 		assert.Equal(t, expectedTeam, team)
 	})
 }
--- a/api/dataservices/user/tx.go
+++ b/api/dataservices/user/tx.go
@@ -36,6 +36,18 @@ func (service ServiceTx) UserByUsername(username string) (*portainer.User, error
 	return nil, err
 }

+func (service ServiceTx) UserIDByUsername(username string) (portainer.UserID, error) {
+	user, err := service.UserByUsername(username)
+	if err != nil {
+		return 0, err
+	}
+
+	if user == nil {
+		return 0, dserrors.ErrObjectNotFound
+	}
+	return user.ID, nil
+}
+
 // UsersByRole return an array containing all the users with the specified role.
 func (service ServiceTx) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
 	var users = make([]portainer.User, 0)
--- a/api/dataservices/user/user.go
+++ b/api/dataservices/user/user.go
@@ -65,6 +65,18 @@ func (service *Service) UserByUsername(username string) (*portainer.User, error)
 	return nil, err
 }

+func (service *Service) UserIDByUsername(username string) (portainer.UserID, error) {
+	user, err := service.UserByUsername(username)
+	if err != nil {
+		return 0, err
+	}
+
+	if user == nil {
+		return 0, dserrors.ErrObjectNotFound
+	}
+	return user.ID, nil
+}
+
 // UsersByRole return an array containing all the users with the specified role.
 func (service *Service) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
 	var users = make([]portainer.User, 0)
--- a/api/dataservices/version/tx.go
+++ b/api/dataservices/version/tx.go
@@ -0,0 +1,70 @@
+package version
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/database/models"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+type ServiceTx struct {
+	dataservices.BaseDataServiceTx[models.Version, int] // ID is not used
+}
+
+func (tx ServiceTx) InstanceID() (string, error) {
+	v, err := tx.Version()
+	if err != nil {
+		return "", err
+	}
+
+	return v.InstanceID, nil
+}
+
+func (tx ServiceTx) UpdateInstanceID(ID string) error {
+	v, err := tx.Version()
+	if err != nil {
+		if !dataservices.IsErrObjectNotFound(err) {
+			return err
+		}
+
+		v = &models.Version{}
+	}
+
+	v.InstanceID = ID
+
+	return tx.UpdateVersion(v)
+}
+
+func (tx ServiceTx) Edition() (portainer.SoftwareEdition, error) {
+	v, err := tx.Version()
+	if err != nil {
+		return 0, err
+	}
+
+	return portainer.SoftwareEdition(v.Edition), nil
+}
+
+func (tx ServiceTx) Version() (*models.Version, error) {
+	var v models.Version
+
+	err := tx.Tx.GetObject(BucketName, []byte(versionKey), &v)
+	if err != nil {
+		return nil, err
+	}
+
+	return &v, nil
+}
+
+func (tx ServiceTx) UpdateVersion(version *models.Version) error {
+	return tx.Tx.UpdateObject(BucketName, []byte(versionKey), version)
+}
+
+func (tx ServiceTx) SchemaVersion() (string, error) {
+	var v models.Version
+
+	err := tx.Tx.GetObject(BucketName, []byte(versionKey), &v)
+	if err != nil {
+		return "", err
+	}
+
+	return v.SchemaVersion, nil
+}
--- a/api/dataservices/version/version.go
+++ b/api/dataservices/version/version.go
@@ -33,6 +33,16 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}, nil
 }

+func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		BaseDataServiceTx: dataservices.BaseDataServiceTx[models.Version, int]{
+			Bucket:     BucketName,
+			Connection: service.connection,
+			Tx:         tx,
+		},
+	}
+}
+
 func (service *Service) SchemaVersion() (string, error) {
 	v, err := service.Version()
 	if err != nil {
--- a/api/datastore/backup.go
+++ b/api/datastore/backup.go
@@ -14,33 +14,40 @@ import (
 // corruption and if a path is not given a default is used.
 // The path or an error are returned.
 func (store *Store) Backup(path string) (string, error) {
+	if err := store.Close(); err != nil {
+		return "", fmt.Errorf("failed to close store before backup: %w", err)
+	}
+
+	filename, err := store.backupDBFile(path)
+	if err != nil {
+		return "", err
+	}
+
+	if _, err := store.Open(); err != nil {
+		return "", fmt.Errorf("failed to reopen store after backup: %w", err)
+	}
+
+	return filename, nil
+}
+
+// backupDBFile copies the database file to the backup location.
+// Does not manage connection state - works with the database file directly regardless of connection state.
+func (store *Store) backupDBFile(backupPath string) (string, error) {
 	if err := store.createBackupPath(); err != nil {
 		return "", err
 	}

 	backupFilename := store.backupFilename()
-	if path != "" {
-		backupFilename = path
-	}
-	log.Info().Str("from", store.connection.GetDatabaseFilePath()).Str("to", backupFilename).Msgf("Backing up database")
-
-	// Close the store before backing up
-	err := store.Close()
-	if err != nil {
-		return "", fmt.Errorf("failed to close store before backup: %w", err)
+	if backupPath != "" {
+		backupFilename = backupPath
 	}

-	err = store.fileService.Copy(store.connection.GetDatabaseFilePath(), backupFilename, true)
-	if err != nil {
+	log.Info().Str("from", store.connection.GetDatabaseFilePath()).Str("to", backupFilename).Msg("Backing up database")
+
+	if err := store.fileService.Copy(store.connection.GetDatabaseFilePath(), backupFilename, true); err != nil {
 		return "", fmt.Errorf("failed to create backup file: %w", err)
 	}

-	// reopen the store
-	_, err = store.Open()
-	if err != nil {
-		return "", fmt.Errorf("failed to reopen store after backup: %w", err)
-	}
-
 	return backupFilename, nil
 }

@@ -50,15 +57,17 @@ func (store *Store) Restore() error {
 }

 func (store *Store) RestoreFromFile(backupFilename string) error {
-	store.Close()
+	if err := store.Close(); err != nil {
+		return err
+	}
+
 	if err := store.fileService.Copy(backupFilename, store.connection.GetDatabaseFilePath(), true); err != nil {
 		return fmt.Errorf("unable to restore backup file %q. err: %w", backupFilename, err)
 	}

 	log.Info().Str("from", backupFilename).Str("to", store.connection.GetDatabaseFilePath()).Msgf("database restored")

-	_, err := store.Open()
-	if err != nil {
+	if _, err := store.Open(); err != nil {
 		return fmt.Errorf("unable to determine version of restored portainer backup file: %w", err)
 	}

@@ -80,6 +89,7 @@ func (store *Store) createBackupPath() error {
 			return fmt.Errorf("unable to create backup folder: %w", err)
 		}
 	}
+
 	return nil
 }

--- a/api/datastore/backup_test.go
+++ b/api/datastore/backup_test.go
@@ -1,19 +1,20 @@
 package datastore

 import (
+	"os"
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/database/models"
+	"github.com/stretchr/testify/require"

 	"github.com/rs/zerolog/log"
 )

 func TestStoreCreation(t *testing.T) {
 	_, store := MustNewTestStore(t, true, true)
-	if store == nil {
-		t.Fatal("Expect to create a store")
-	}
+	require.NotNil(t, store)

 	v, err := store.VersionService.Version()
 	if err != nil {
@@ -37,8 +38,12 @@ func TestBackup(t *testing.T) {
 			Edition:       int(portainer.PortainerCE),
 			SchemaVersion: portainer.APIVersion,
 		}
-		store.VersionService.UpdateVersion(&v)
-		store.Backup("")
+
+		err := store.VersionService.UpdateVersion(&v)
+		require.NoError(t, err)
+
+		_, err = store.Backup("")
+		require.NoError(t, err)

 		if !isFileExist(backupFileName) {
 			t.Errorf("Expect backup file to be created %s", backupFileName)
@@ -54,10 +59,14 @@ func TestRestore(t *testing.T) {
 		updateEdition(store, portainer.PortainerCE)
 		updateVersion(store, "2.4")

-		store.Backup("")
+		_, err := store.Backup("")
+		require.NoError(t, err)
+
 		updateVersion(store, "2.16")
 		testVersion(store, "2.16", t)
-		store.Restore()
+
+		err = store.Restore()
+		require.NoError(t, err)

 		// check if the restore is successful and the version is correct
 		testVersion(store, "2.4", t)
@@ -67,13 +76,65 @@ func TestRestore(t *testing.T) {
 		// override and set initial db version and edition
 		updateEdition(store, portainer.PortainerCE)
 		updateVersion(store, "2.4")
-		store.Backup("")
+
+		_, err := store.Backup("")
+		require.NoError(t, err)
+
 		updateVersion(store, "2.14")
 		updateVersion(store, "2.16")
 		testVersion(store, "2.16", t)
-		store.Restore()
+
+		err = store.Restore()
+		require.NoError(t, err)

 		// check if the restore is successful and the version is correct
 		testVersion(store, "2.4", t)
 	})
 }
+
+func TestBackupDBFile(t *testing.T) {
+	_, store := MustNewTestStore(t, true, false)
+
+	t.Run("creates backup file without managing connection state", func(t *testing.T) {
+		// Verify connection is usable before
+		_, err := store.VersionService.Version()
+		require.NoError(t, err, "connection should be usable before backupDBFile")
+
+		// backupDBFile should work without closing the connection
+		backupFilename, err := store.backupDBFile("")
+		require.NoError(t, err)
+		require.FileExists(t, backupFilename)
+
+		// Verify connection is still usable after (not closed/reopened)
+		_, err = store.VersionService.Version()
+		require.NoError(t, err, "connection should still be usable after backupDBFile")
+
+		require.NoError(t, os.Remove(backupFilename))
+	})
+
+	t.Run("uses custom path when provided", func(t *testing.T) {
+		customPath := t.TempDir() + "/custom-backup.db"
+		backupFilename, err := store.backupDBFile(customPath)
+		require.NoError(t, err)
+		require.Equal(t, customPath, backupFilename)
+		require.FileExists(t, backupFilename)
+	})
+}
+
+func TestBackupDBFileUsesCorrectPath(t *testing.T) {
+	_, store := MustNewTestStore(t, true, false)
+
+	t.Run("backs up unencrypted db when encrypted flag is false", func(t *testing.T) {
+		store.connection.SetEncrypted(false)
+
+		backupFilename, err := store.backupDBFile("")
+		require.NoError(t, err)
+		require.FileExists(t, backupFilename)
+
+		// Verify it backed up the unencrypted file (portainer.db)
+		require.Contains(t, backupFilename, boltdb.DatabaseFileName)
+		require.NotContains(t, backupFilename, boltdb.EncryptedDatabaseFileName)
+
+		require.NoError(t, os.Remove(backupFilename))
+	})
+}
--- a/api/datastore/datastore.go
+++ b/api/datastore/datastore.go
@@ -32,34 +32,38 @@ func (store *Store) Open() (newStore bool, err error) {
 	}

 	if encryptionReq {
-		backupFilename, err := store.Backup("")
+		// NeedsEncryptionMigration() sets encrypted=true as a side effect when a key exists.
+		// We need to set it back to false so GetDatabaseFilePath() returns the path to the
+		// actual unencrypted file (portainer.db) that we want to back up.
+		store.connection.SetEncrypted(false)
+
+		// Use backupDBFile directly since connection isn't open yet
+		// and we don't want to trigger the close/open cycle of Backup()
+		backupFilename, err := store.backupDBFile("")
 		if err != nil {
 			return false, fmt.Errorf("failed to backup database prior to encrypting: %w", err)
 		}

-		err = store.encryptDB()
-		if err != nil {
-			store.RestoreFromFile(backupFilename) // restore from backup if encryption fails
-			return false, err
+		if err := store.encryptDB(); err != nil {
+			innerErr := store.RestoreFromFile(backupFilename) // restore from backup if encryption fails
+			return false, errors.Join(err, innerErr)
 		}
 	}

-	err = store.connection.Open()
-	if err != nil {
+	if err := store.connection.Open(); err != nil {
 		return false, err
 	}

-	err = store.initServices()
-	if err != nil {
+	if err := store.initServices(); err != nil {
 		return false, err
 	}

 	// If no settings object exists then assume we have a new store
-	_, err = store.SettingsService.Settings()
-	if err != nil {
+	if _, err := store.SettingsService.Settings(); err != nil {
 		if store.IsErrObjectNotFound(err) {
 			return true, nil
 		}
+
 		return false, err
 	}

@@ -72,19 +76,13 @@ func (store *Store) Close() error {

 func (store *Store) UpdateTx(fn func(dataservices.DataStoreTx) error) error {
 	return store.connection.UpdateTx(func(tx portainer.Transaction) error {
-		return fn(&StoreTx{
-			store: store,
-			tx:    tx,
-		})
+		return fn(&StoreTx{store: store, tx: tx})
 	})
 }

 func (store *Store) ViewTx(fn func(dataservices.DataStoreTx) error) error {
 	return store.connection.ViewTx(func(tx portainer.Transaction) error {
-		return fn(&StoreTx{
-			store: store,
-			tx:    tx,
-		})
+		return fn(&StoreTx{store: store, tx: tx})
 	})
 }

@@ -99,6 +97,7 @@ func (store *Store) CheckCurrentEdition() error {
 	if store.edition() != portainer.Edition {
 		return portainerErrors.ErrWrongDBEdition
 	}
+
 	return nil
 }

@@ -107,6 +106,7 @@ func (store *Store) edition() portainer.SoftwareEdition {
 	if store.IsErrObjectNotFound(err) {
 		edition = portainer.PortainerCE
 	}
+
 	return edition
 }

@@ -125,13 +125,11 @@ func (store *Store) Rollback(force bool) error {

 func (store *Store) encryptDB() error {
 	store.connection.SetEncrypted(false)
-	err := store.connection.Open()
-	if err != nil {
+	if err := store.connection.Open(); err != nil {
 		return err
 	}

-	err = store.initServices()
-	if err != nil {
+	if err := store.initServices(); err != nil {
 		return err
 	}

@@ -144,8 +142,7 @@ func (store *Store) encryptDB() error {

 	log.Info().Str("filename", exportFilename).Msg("exporting database backup")

-	err = store.Export(exportFilename)
-	if err != nil {
+	if err := store.Export(exportFilename); err != nil {
 		log.Error().Str("filename", exportFilename).Err(err).Msg("failed to export")

 		return err
@@ -154,38 +151,33 @@ func (store *Store) encryptDB() error {
 	log.Info().Msg("database backup exported")

 	// Close existing un-encrypted db so that we can delete the file later
-	store.connection.Close()
-
-	// Tell the db layer to create an encrypted db when opened
-	store.connection.SetEncrypted(true)
-	store.connection.Open()
-
-	// We have to init services before import
-	err = store.initServices()
-	if err != nil {
+	if err := store.connection.Close(); err != nil {
 		return err
 	}

-	err = store.Import(exportFilename)
-	if err != nil {
+	if err := store.Import(exportFilename); err != nil {
+		log.Error().Err(err).Msg("failed to import database backup")
+
 		// Remove the new encrypted file that we failed to import
-		os.Remove(store.connection.GetDatabaseFilePath())
+		if err := os.Remove(store.connection.GetDatabaseFilePath()); err != nil {
+			log.Error().Msg("failed to remove the file after import failure")
+		}

 		log.Fatal().Err(portainerErrors.ErrDBImportFailed).Msg("")
 	}

-	err = os.Remove(oldFilename)
-	if err != nil {
+	if err := os.Remove(oldFilename); err != nil {
 		log.Error().Msg("failed to remove the un-encrypted db file")
 	}

-	err = os.Remove(exportFilename)
-	if err != nil {
+	if err := os.Remove(exportFilename); err != nil {
 		log.Error().Msg("failed to remove the json backup file")
 	}

 	// Close db connection
-	store.connection.Close()
+	if err := store.connection.Close(); err != nil {
+		return err
+	}

 	log.Info().Msg("database successfully encrypted")

--- a/api/datastore/datastore_test.go
+++ b/api/datastore/datastore_test.go
@@ -6,12 +6,14 @@ import (
 	"strings"
 	"testing"

-	"github.com/dchest/uniuri"
-	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/chisel"
 	"github.com/portainer/portainer/api/crypto"
+
+	"github.com/dchest/uniuri"
+	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 const (
@@ -30,56 +32,32 @@ func TestStoreFull(t *testing.T) {
 	_, store := MustNewTestStore(t, true, true)

 	testCases := map[string]func(t *testing.T){
-		"User Accounts": func(t *testing.T) {
-			store.testUserAccounts(t)
-		},
-		"Environments": func(t *testing.T) {
-			store.testEnvironments(t)
-		},
-		"Settings": func(t *testing.T) {
-			store.testSettings(t)
-		},
-		"SSL Settings": func(t *testing.T) {
-			store.testSSLSettings(t)
-		},
-		"Tunnel Server": func(t *testing.T) {
-			store.testTunnelServer(t)
-		},
-		"Custom Templates": func(t *testing.T) {
-			store.testCustomTemplates(t)
-		},
-		"Registries": func(t *testing.T) {
-			store.testRegistries(t)
-		},
-		"Resource Control": func(t *testing.T) {
-			store.testResourceControl(t)
-		},
-		"Schedules": func(t *testing.T) {
-			store.testSchedules(t)
-		},
-		"Tags": func(t *testing.T) {
-			store.testTags(t)
-		},
-
-		// "Test Title": func(t *testing.T) {
-		// },
+		"User Accounts":    store.testUserAccounts,
+		"Environments":     store.testEnvironments,
+		"Settings":         store.testSettings,
+		"SSL Settings":     store.testSSLSettings,
+		"Tunnel Server":    store.testTunnelServer,
+		"Custom Templates": store.testCustomTemplates,
+		"Registries":       store.testRegistries,
+		"Resource Control": store.testResourceControl,
+		"Schedules":        store.testSchedules,
+		"Tags":             store.testTags,
 	}

 	for name, test := range testCases {
 		t.Run(name, test)
 	}
-
 }

 func (store *Store) testEnvironments(t *testing.T) {
 	id := store.CreateEndpoint(t, "local", portainer.KubernetesLocalEnvironment, "", true)
-	store.CreateEndpointRelation(id)
+	store.CreateEndpointRelation(t, id)

 	id = store.CreateEndpoint(t, "agent", portainer.AgentOnDockerEnvironment, agentOnDockerEnvironmentUrl, true)
-	store.CreateEndpointRelation(id)
+	store.CreateEndpointRelation(t, id)

 	id = store.CreateEndpoint(t, "edge", portainer.EdgeAgentOnKubernetesEnvironment, edgeAgentOnKubernetesEnvironmentUrl, true)
-	store.CreateEndpointRelation(id)
+	store.CreateEndpointRelation(t, id)
 }

 func newEndpoint(endpointType portainer.EndpointType, id portainer.EndpointID, name, URL string, TLS bool) *portainer.Endpoint {
@@ -112,18 +90,7 @@ func newEndpoint(endpointType portainer.EndpointType, id portainer.EndpointID, n
 }

 func setEndpointAuthorizations(endpoint *portainer.Endpoint) {
-	endpoint.SecuritySettings = portainer.EndpointSecuritySettings{
-		AllowVolumeBrowserForRegularUsers: false,
-		EnableHostManagementFeatures:      false,
-
-		AllowSysctlSettingForRegularUsers:         true,
-		AllowBindMountsForRegularUsers:            true,
-		AllowPrivilegedModeForRegularUsers:        true,
-		AllowHostNamespaceForRegularUsers:         true,
-		AllowContainerCapabilitiesForRegularUsers: true,
-		AllowDeviceMappingForRegularUsers:         true,
-		AllowStackManagementForRegularUsers:       true,
-	}
+	endpoint.SecuritySettings = portainer.DefaultEndpointSecuritySettings()
 }

 func (store *Store) CreateEndpoint(t *testing.T, name string, endpointType portainer.EndpointType, URL string, tls bool) portainer.EndpointID {
@@ -164,22 +131,25 @@ func (store *Store) CreateEndpoint(t *testing.T, name string, endpointType porta
 	}

 	setEndpointAuthorizations(expectedEndpoint)
-	store.Endpoint().Create(expectedEndpoint)
+
+	err := store.Endpoint().Create(expectedEndpoint)
+	require.NoError(t, err)

 	endpoint, err := store.Endpoint().Endpoint(id)
-	is.NoError(err, "Endpoint() should not return an error")
+	require.NoError(t, err, "Endpoint() should not return an error")
 	is.Equal(expectedEndpoint, endpoint, "endpoint should be the same")

 	return endpoint.ID
 }

-func (store *Store) CreateEndpointRelation(id portainer.EndpointID) {
+func (store *Store) CreateEndpointRelation(t *testing.T, id portainer.EndpointID) {
 	relation := &portainer.EndpointRelation{
 		EndpointID: id,
 		EdgeStacks: map[portainer.EdgeStackID]bool{},
 	}

-	store.EndpointRelation().Create(relation)
+	err := store.EndpointRelation().Create(relation)
+	require.NoError(t, err)
 }

 func (store *Store) testSSLSettings(t *testing.T) {
@@ -191,10 +161,11 @@ func (store *Store) testSSLSettings(t *testing.T) {
 		SelfSigned:  true,
 	}

-	store.SSLSettings().UpdateSettings(ssl)
+	err := store.SSLSettings().UpdateSettings(ssl)
+	require.NoError(t, err)

 	settings, err := store.SSLSettings().Settings()
-	is.NoError(err, "Get sslsettings should succeed")
+	require.NoError(t, err, "Get sslsettings should succeed")
 	is.Equal(ssl, settings, "Stored SSLSettings should be the same as what is read out")
 }

@@ -203,27 +174,27 @@ func (store *Store) testTunnelServer(t *testing.T) {
 	expectPrivateKeySeed := uniuri.NewLen(16)

 	err := store.TunnelServer().UpdateInfo(&portainer.TunnelServerInfo{PrivateKeySeed: expectPrivateKeySeed})
-	is.NoError(err, "UpdateInfo should have succeeded")
+	require.NoError(t, err, "UpdateInfo should have succeeded")

 	serverInfo, err := store.TunnelServer().Info()
-	is.NoError(err, "Info should have succeeded")
+	require.NoError(t, err, "Info should have succeeded")

 	is.Equal(expectPrivateKeySeed, serverInfo.PrivateKeySeed, "hashed passwords should not differ")
 }

 // add users, read them back and check the details are unchanged
 func (store *Store) testUserAccounts(t *testing.T) {
-	is := assert.New(t)
-
 	err := store.createAccount(adminUsername, adminPassword, portainer.AdministratorRole)
-	is.NoError(err, "CreateAccount should succeed")
-	store.checkAccount(adminUsername, adminPassword, portainer.AdministratorRole)
-	is.NoError(err, "Account failure")
+	require.NoError(t, err, "CreateAccount should succeed")
+
+	err = store.checkAccount(adminUsername, adminPassword, portainer.AdministratorRole)
+	require.NoError(t, err, "Account failure")

 	err = store.createAccount(standardUsername, standardPassword, portainer.StandardUserRole)
-	is.NoError(err, "CreateAccount should succeed")
-	store.checkAccount(standardUsername, standardPassword, portainer.StandardUserRole)
-	is.NoError(err, "Account failure")
+	require.NoError(t, err, "CreateAccount should succeed")
+
+	err = store.checkAccount(standardUsername, standardPassword, portainer.StandardUserRole)
+	require.NoError(t, err, "Account failure")
 }

 // create an account with the provided details
@@ -238,12 +209,7 @@ func (store *Store) createAccount(username, password string, role portainer.User
 		return err
 	}

-	err = store.User().Create(user)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return store.User().Create(user)
 }

 func (store *Store) checkAccount(username, expectPassword string, expectRole portainer.UserRole) error {
@@ -260,12 +226,7 @@ func (store *Store) checkAccount(username, expectPassword string, expectRole por

 	// Check the password
 	cs := crypto.Service{}
-	expectPasswordHash, err := cs.Hash(expectPassword)
-	if err != nil {
-		return errors.Wrap(err, "hash failed")
-	}
-
-	if user.Password != expectPasswordHash {
+	if cs.CompareHashAndData(user.Password, expectPassword) != nil {
 		return fmt.Errorf("%s user password hash failure", user.Username)
 	}

@@ -277,7 +238,7 @@ func (store *Store) testSettings(t *testing.T) {

 	// since many settings are default and basically nil, I'm going to update some and read them back
 	expectedSettings, err := store.Settings().Settings()
-	is.NoError(err, "Settings() should not return an error")
+	require.NoError(t, err, "Settings() should not return an error")
 	expectedSettings.TemplatesURL = "http://portainer.io/application-templates"
 	expectedSettings.HelmRepositoryURL = "http://portainer.io/helm-repository"
 	expectedSettings.EdgeAgentCheckinInterval = 60
@@ -291,10 +252,10 @@ func (store *Store) testSettings(t *testing.T) {
 	expectedSettings.SnapshotInterval = "10m"

 	err = store.Settings().UpdateSettings(expectedSettings)
-	is.NoError(err, "UpdateSettings() should succeed")
+	require.NoError(t, err, "UpdateSettings() should succeed")

 	settings, err := store.Settings().Settings()
-	is.NoError(err, "Settings() should not return an error")
+	require.NoError(t, err, "Settings() should not return an error")
 	is.Equal(expectedSettings, settings, "stored settings should match")
 }

@@ -314,10 +275,11 @@ func (store *Store) testCustomTemplates(t *testing.T) {
 		CreatedByUserID: 10,
 	}

-	customTemplate.Create(expectedTemplate)
+	err := customTemplate.Create(expectedTemplate)
+	require.NoError(t, err)

 	actualTemplate, err := customTemplate.Read(expectedTemplate.ID)
-	is.NoError(err, "CustomTemplate should not return an error")
+	require.NoError(t, err, "CustomTemplate should not return an error")
 	is.Equal(expectedTemplate, actualTemplate, "expected and actual template do not match")
 }

@@ -345,17 +307,17 @@ func (store *Store) testRegistries(t *testing.T) {
 	}

 	err := regService.Create(reg1)
-	is.NoError(err)
+	require.NoError(t, err)

 	err = regService.Create(reg2)
-	is.NoError(err)
+	require.NoError(t, err)

 	actualReg1, err := regService.Read(reg1.ID)
-	is.NoError(err)
+	require.NoError(t, err)
 	is.Equal(reg1, actualReg1, "registries differ")

 	actualReg2, err := regService.Read(reg2.ID)
-	is.NoError(err)
+	require.NoError(t, err)
 	is.Equal(reg2, actualReg2, "registries differ")
 }

@@ -378,10 +340,10 @@ func (store *Store) testSchedules(t *testing.T) {
 	}

 	err := schedule.CreateSchedule(s)
-	is.NoError(err, "CreateSchedule should succeed")
+	require.NoError(t, err, "CreateSchedule should succeed")

 	actual, err := schedule.Schedule(s.ID)
-	is.NoError(err, "schedule should be found")
+	require.NoError(t, err, "schedule should be found")
 	is.Equal(s, actual, "schedules differ")
 }

@@ -401,16 +363,16 @@ func (store *Store) testTags(t *testing.T) {
 	}

 	err := tags.Create(tag1)
-	is.NoError(err, "Tags.Create should succeed")
+	require.NoError(t, err, "Tags.Create should succeed")

 	err = tags.Create(tag2)
-	is.NoError(err, "Tags.Create should succeed")
+	require.NoError(t, err, "Tags.Create should succeed")

 	actual, err := tags.Read(tag1.ID)
-	is.NoError(err, "tag1 should be found")
+	require.NoError(t, err, "tag1 should be found")
 	is.Equal(tag1, actual, "tags differ")

 	actual, err = tags.Read(tag2.ID)
-	is.NoError(err, "tag2 should be found")
+	require.NoError(t, err, "tag2 should be found")
 	is.Equal(tag2, actual, "tags differ")
 }
--- a/api/datastore/init.go
+++ b/api/datastore/init.go
@@ -31,7 +31,6 @@ func (store *Store) checkOrCreateDefaultSettings() error {
 	settings, err := store.SettingsService.Settings()
 	if store.IsErrObjectNotFound(err) {
 		defaultSettings := &portainer.Settings{
-			EnableTelemetry:      false,
 			AuthenticationMethod: portainer.AuthenticationInternal,
 			BlackListedLabels:    make([]portainer.Pair, 0),
 			InternalAuthSettings: portainer.InternalAuthSettings{
--- a/api/datastore/migrate_data_test.go
+++ b/api/datastore/migrate_data_test.go
@@ -9,14 +9,15 @@ import (
 	"path/filepath"
 	"testing"

-	"github.com/Masterminds/semver"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/datastore/migrator"

+	"github.com/Masterminds/semver/v3"
 	"github.com/google/go-cmp/cmp"
 	"github.com/rs/zerolog/log"
+	"github.com/stretchr/testify/require"
 )

 func TestMigrateData(t *testing.T) {
@@ -53,9 +54,11 @@ func TestMigrateData(t *testing.T) {
 		}

 		testVersion(store, portainer.APIVersion, t)
-		store.Close()
+		err := store.Close()
+		require.NoError(t, err)

-		newStore, _ = store.Open()
+		newStore, err = store.Open()
+		require.NoError(t, err)
 		if newStore {
 			t.Error("Expect store to NOT be new DB")
 		}
@@ -63,8 +66,11 @@ func TestMigrateData(t *testing.T) {

 	t.Run("MigrateData should create backup file upon update", func(t *testing.T) {
 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.UpdateVersion(&models.Version{SchemaVersion: "1.0", Edition: int(portainer.PortainerCE)})
-		store.MigrateData()
+		err := store.VersionService.UpdateVersion(&models.Version{SchemaVersion: "2.0", Edition: int(portainer.PortainerCE)})
+		require.NoError(t, err)
+
+		err = store.MigrateData()
+		require.NoError(t, err)

 		backupfilename := store.backupFilename()
 		if exists, _ := store.fileService.FileExists(backupfilename); !exists {
@@ -73,21 +79,28 @@ func TestMigrateData(t *testing.T) {
 	})

 	t.Run("MigrateData should recover and restore backup during migration critical failure", func(t *testing.T) {
-		os.Setenv("PORTAINER_TEST_MIGRATE_FAIL", "FAIL")
+		t.Setenv("PORTAINER_TEST_MIGRATE_FAIL", "FAIL")

 		version := "2.15"
 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.UpdateVersion(&models.Version{SchemaVersion: version, Edition: int(portainer.PortainerCE)})
-		store.MigrateData()

-		store.Open()
+		err := store.VersionService.UpdateVersion(&models.Version{SchemaVersion: version, Edition: int(portainer.PortainerCE)})
+		require.NoError(t, err)
+
+		err = store.MigrateData()
+		require.Error(t, err)
+
 		testVersion(store, version, t)
 	})

 	t.Run("MigrateData should fail to create backup if database file is set to updating", func(t *testing.T) {
 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.StoreIsUpdating(true)
-		store.MigrateData()
+
+		err := store.VersionService.StoreIsUpdating(true)
+		require.NoError(t, err)
+
+		err = store.MigrateData()
+		require.Error(t, err)

 		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
 		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
@@ -115,10 +128,12 @@ func TestMigrateData(t *testing.T) {

 		if latestMigrations.Version.Equal(semver.MustParse(portainer.APIVersion)) {
 			v.MigratorCount = len(latestMigrations.MigrationFuncs)
-			store.VersionService.UpdateVersion(v)
+			err = store.VersionService.UpdateVersion(v)
+			require.NoError(t, err)
 		}

-		store.MigrateData()
+		err = store.MigrateData()
+		require.NoError(t, err)

 		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
 		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
@@ -141,8 +156,12 @@ func TestMigrateData(t *testing.T) {
 		}

 		v.MigratorCount = 1000
-		store.VersionService.UpdateVersion(v)
-		store.MigrateData()
+
+		err = store.VersionService.UpdateVersion(v)
+		require.NoError(t, err)
+
+		err = store.MigrateData()
+		require.NoError(t, err)

 		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
 		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
@@ -158,14 +177,14 @@ func TestRollback(t *testing.T) {
 	t.Run("Rollback should restore upgrade after backup", func(t *testing.T) {
 		version := "2.11"

-		v := models.Version{
-			SchemaVersion: version,
-		}
+		v := models.Version{SchemaVersion: version}

 		_, store := MustNewTestStore(t, false, false)
-		store.VersionService.UpdateVersion(&v)

-		_, err := store.Backup("")
+		err := store.VersionService.UpdateVersion(&v)
+		require.NoError(t, err)
+
+		_, err = store.Backup("")
 		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
@@ -184,7 +203,9 @@ func TestRollback(t *testing.T) {
 			return
 		}

-		store.Open()
+		_, err = store.Open()
+		require.NoError(t, err)
+
 		testVersion(store, version, t)
 	})

@@ -197,9 +218,11 @@ func TestRollback(t *testing.T) {
 		}

 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.UpdateVersion(&v)

-		_, err := store.Backup("")
+		err := store.VersionService.UpdateVersion(&v)
+		require.NoError(t, err)
+
+		_, err = store.Backup("")
 		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
@@ -218,7 +241,8 @@ func TestRollback(t *testing.T) {
 			return
 		}

-		store.Open()
+		_, err = store.Open()
+		require.NoError(t, err)
 		testVersion(store, version, t)
 	})
 }
@@ -237,17 +261,17 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 	_, store := MustNewTestStore(t, true, false)

 	fmt.Println("store.path=", store.GetConnection().GetDatabaseFilePath())
-	store.connection.DeleteObject("version", []byte("VERSION"))
+
+	err = store.connection.DeleteObject("version", []byte("VERSION"))
+	require.NoError(t, err)

 	//	defer teardown()
-	err = importJSON(t, bytes.NewReader(srcJSON), store)
-	if err != nil {
+	if err := importJSON(t, bytes.NewReader(srcJSON), store); err != nil {
 		return err
 	}

 	// Run the actual migrations on our input database.
-	err = store.MigrateData()
-	if err != nil {
+	if err := store.MigrateData(); err != nil {
 		return err
 	}

@@ -260,8 +284,7 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 		}

 		v.InstanceID = "463d5c47-0ea5-4aca-85b1-405ceefee254"
-		err = store.VersionService.UpdateVersion(v)
-		if err != nil {
+		if err := store.VersionService.UpdateVersion(v); err != nil {
 			return err
 		}
 	}
@@ -270,10 +293,10 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 	// exportJson rather than ExportRaw. The exportJson function allows us to
 	// strip out the metadata which we don't want for our tests.
 	// TODO: update connection interface in CE to allow us to use ExportRaw and pass meta false
-	err = store.connection.Close()
-	if err != nil {
+	if err := store.connection.Close(); err != nil {
 		t.Fatalf("err closing bolt connection: %v", err)
 	}
+
 	con, ok := store.connection.(*boltdb.DbConnection)
 	if !ok {
 		t.Fatalf("backing database is not using boltdb, but the migrations test requires it")
@@ -302,11 +325,15 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 	// Compare the result we got with the one we wanted.
 	if diff := cmp.Diff(wantJSON, gotJSON); diff != "" {
 		gotPath := filepath.Join(os.TempDir(), "portainer-migrator-test-fail.json")
-		os.WriteFile(
+		err = os.WriteFile(
 			gotPath,
 			gotJSON,
 			0o600,
 		)
+		if err != nil {
+			log.Warn().Err(err).Msg("failed writing migrated output to temp file")
+		}
+
 		t.Errorf(
 			"migrate data from %s to %s failed\nwrote migrated input to %s\nmismatch (-want +got):\n%s",
 			srcPath,
--- a/api/datastore/migrate_dbversion33_test.go
+++ b/api/datastore/migrate_dbversion33_test.go
@@ -6,7 +6,9 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore/migrator"
 	gittypes "github.com/portainer/portainer/api/git/types"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestMigrateStackEntryPoint(t *testing.T) {
@@ -28,25 +30,25 @@ func TestMigrateStackEntryPoint(t *testing.T) {

 	for _, s := range stacks {
 		err := stackService.Create(s)
-		assert.NoError(t, err, "failed to create stack")
+		require.NoError(t, err, "failed to create stack")
 	}

 	s, err := stackService.Read(1)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Nil(t, s.GitConfig, "first stack should not have git config")

 	s, err = stackService.Read(2)
-	assert.NoError(t, err)
-	assert.Equal(t, "", s.GitConfig.ConfigFilePath, "not migrated yet migrated")
+	require.NoError(t, err)
+	assert.Empty(t, s.GitConfig.ConfigFilePath, "not migrated yet migrated")

 	err = migrator.MigrateStackEntryPoint(stackService)
-	assert.NoError(t, err, "failed to migrate entry point to Git ConfigFilePath")
+	require.NoError(t, err, "failed to migrate entry point to Git ConfigFilePath")

 	s, err = stackService.Read(1)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Nil(t, s.GitConfig, "first stack should not have git config")

 	s, err = stackService.Read(2)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, "dir/sub/compose.yml", s.GitConfig.ConfigFilePath, "second stack should have config file path migrated")
 }
--- a/api/datastore/migrate_legacyversion.go
+++ b/api/datastore/migrate_legacyversion.go
@@ -105,12 +105,18 @@ func (store *Store) getOrMigrateLegacyVersion() (*models.Version, error) {

 // finishMigrateLegacyVersion writes the new version to the DB and removes the old version keys from the DB
 func (store *Store) finishMigrateLegacyVersion(versionToWrite *models.Version) error {
-	err := store.VersionService.UpdateVersion(versionToWrite)
+	if err := store.VersionService.UpdateVersion(versionToWrite); err != nil {
+		return err
+	}

 	// Remove legacy keys if present
-	store.connection.DeleteObject(bucketName, []byte(legacyDBVersionKey))
-	store.connection.DeleteObject(bucketName, []byte(legacyEditionKey))
-	store.connection.DeleteObject(bucketName, []byte(legacyInstanceKey))
+	if err := store.connection.DeleteObject(bucketName, []byte(legacyDBVersionKey)); err != nil {
+		return err
+	}

-	return err
+	if err := store.connection.DeleteObject(bucketName, []byte(legacyEditionKey)); err != nil {
+		return err
+	}
+
+	return store.connection.DeleteObject(bucketName, []byte(legacyInstanceKey))
 }
--- a/api/datastore/migrator/migrate_2_33_0.go
+++ b/api/datastore/migrator/migrate_2_33_0.go
@@ -11,8 +11,10 @@ func (m *Migrator) migrateEdgeGroupEndpointsToRoars_2_33_0() error {
 	}

 	for _, eg := range egs {
-		eg.EndpointIDs = roar.FromSlice(eg.Endpoints)
-		eg.Endpoints = nil
+		if eg.EndpointIDs.Len() == 0 {
+			eg.EndpointIDs = roar.FromSlice(eg.Endpoints)
+			eg.Endpoints = nil
+		}

 		if err := m.edgeGroupService.Update(eg.ID, &eg); err != nil {
 			return err
--- a/api/datastore/migrator/migrate_2_33_test.go
+++ b/api/datastore/migrator/migrate_2_33_test.go
@@ -0,0 +1,56 @@
+package migrator
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/database/boltdb"
+	"github.com/portainer/portainer/api/dataservices/edgegroup"
+	"github.com/portainer/portainer/api/logs"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestMigrateEdgeGroupEndpointsToRoars_2_33_0Idempotency(t *testing.T) {
+	var conn portainer.Connection = &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+
+	defer logs.CloseAndLogErr(conn)
+
+	edgeGroupService, err := edgegroup.NewService(conn)
+	require.NoError(t, err)
+
+	edgeGroup := &portainer.EdgeGroup{
+		ID:        1,
+		Name:      "test-edge-group",
+		Endpoints: []portainer.EndpointID{1, 2, 3},
+	}
+
+	err = conn.CreateObjectWithId(edgegroup.BucketName, int(edgeGroup.ID), edgeGroup)
+	require.NoError(t, err)
+
+	m := NewMigrator(&MigratorParameters{EdgeGroupService: edgeGroupService})
+
+	// Run migration once
+
+	err = m.migrateEdgeGroupEndpointsToRoars_2_33_0()
+	require.NoError(t, err)
+
+	migratedEdgeGroup, err := edgeGroupService.Read(edgeGroup.ID)
+	require.NoError(t, err)
+
+	require.Empty(t, migratedEdgeGroup.Endpoints)
+	require.Equal(t, len(edgeGroup.Endpoints), migratedEdgeGroup.EndpointIDs.Len())
+
+	// Run migration again to ensure the results didn't change
+
+	err = m.migrateEdgeGroupEndpointsToRoars_2_33_0()
+	require.NoError(t, err)
+
+	migratedEdgeGroup, err = edgeGroupService.Read(edgeGroup.ID)
+	require.NoError(t, err)
+
+	require.Empty(t, migratedEdgeGroup.Endpoints)
+	require.Equal(t, len(edgeGroup.Endpoints), migratedEdgeGroup.EndpointIDs.Len())
+}
--- a/api/datastore/migrator/migrate_ce.go
+++ b/api/datastore/migrator/migrate_ce.go
@@ -7,7 +7,7 @@ import (
 	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"

-	"github.com/Masterminds/semver"
+	"github.com/Masterminds/semver/v3"
 	"github.com/rs/zerolog/log"
 )

@@ -95,7 +95,7 @@ func (m *Migrator) NeedsMigration() bool {

 	// In this particular instance we should log a fatal error
 	if m.CurrentDBEdition() != portainer.PortainerCE {
-		log.Fatal().Msg("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
+		log.Fatal().Msg("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://docs.portainer.io/faqs/upgrading/can-i-downgrade-from-portainer-business-to-portainer-ce")

 		return false
 	}
--- a/api/datastore/migrator/migrate_dbversion24.go
+++ b/api/datastore/migrator/migrate_dbversion24.go
@@ -21,7 +21,6 @@ func (m *Migrator) updateSettingsToDB25() error {
 	}

 	legacySettings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
-	legacySettings.EnableTelemetry = true

 	legacySettings.AllowContainerCapabilitiesForRegularUsers = true

--- a/api/datastore/migrator/migrate_dbversion31.go
+++ b/api/datastore/migrator/migrate_dbversion31.go
@@ -77,8 +77,12 @@ func (m *Migrator) updateRegistriesToDB32() error {
 				Namespaces:         []string{},
 			}
 		}
-		m.registryService.Update(registry.ID, &registry)
+
+		if err := m.registryService.Update(registry.ID, &registry); err != nil {
+			return err
+		}
 	}
+
 	return nil
 }

@@ -121,10 +125,11 @@ func (m *Migrator) updateDockerhubToDB32() error {
 			if !migrated {
 				// keep this one entry
 				migrated = true
-			} else {
 				// delete subsequent duplicates
-				m.registryService.Delete(r.ID)
+			} else if err := m.registryService.Delete(r.ID); err != nil {
+				return err
 			}
+
 		}
 	}

@@ -138,7 +143,6 @@ func (m *Migrator) updateDockerhubToDB32() error {
 	}

 	for _, endpoint := range endpoints {
-
 		if endpoint.Type != portainer.KubernetesLocalEnvironment &&
 			endpoint.Type != portainer.AgentOnKubernetesEnvironment &&
 			endpoint.Type != portainer.EdgeAgentOnKubernetesEnvironment {
@@ -146,18 +150,14 @@ func (m *Migrator) updateDockerhubToDB32() error {
 			userAccessPolicies := portainer.UserAccessPolicies{}
 			for userId := range endpoint.UserAccessPolicies {
 				if _, found := endpoint.UserAccessPolicies[userId]; found {
-					userAccessPolicies[userId] = portainer.AccessPolicy{
-						RoleID: 0,
-					}
+					userAccessPolicies[userId] = portainer.AccessPolicy{RoleID: 0}
 				}
 			}

 			teamAccessPolicies := portainer.TeamAccessPolicies{}
 			for teamId := range endpoint.TeamAccessPolicies {
 				if _, found := endpoint.TeamAccessPolicies[teamId]; found {
-					teamAccessPolicies[teamId] = portainer.AccessPolicy{
-						RoleID: 0,
-					}
+					teamAccessPolicies[teamId] = portainer.AccessPolicy{RoleID: 0}
 				}
 			}

--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -29,7 +29,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/version"
 	"github.com/portainer/portainer/api/internal/authorization"

-	"github.com/Masterminds/semver"
+	"github.com/Masterminds/semver/v3"
 	"github.com/rs/zerolog/log"
 )

@@ -256,7 +256,9 @@ func (m *Migrator) initMigrations() {

 	m.addMigrations("2.32.0", m.addEndpointRelationForEdgeAgents_2_32_0)

-	m.addMigrations("2.33.0", m.migrateEdgeGroupEndpointsToRoars_2_33_0)
+	m.addMigrations("2.33.1", m.migrateEdgeGroupEndpointsToRoars_2_33_0)
+
+	// WARNING: do not change migrations that have already been released!

 	// Add new migrations above...
 	// One function per migration, each versions migration funcs in the same file.
--- a/api/datastore/pendingactions_test.go
+++ b/api/datastore/pendingactions_test.go
@@ -6,6 +6,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/pendingactions/actions"
 	"github.com/portainer/portainer/api/pendingactions/handlers"
+	"github.com/stretchr/testify/require"
 )

 type cleanNAPWithOverridePolicies struct {
@@ -16,7 +17,10 @@ func Test_ConvertCleanNAPWithOverridePoliciesPayload(t *testing.T) {
 	t.Run("test ConvertCleanNAPWithOverridePoliciesPayload", func(t *testing.T) {

 		_, store := MustNewTestStore(t, true, false)
-		defer store.Close()
+		defer func() {
+			err := store.Close()
+			require.NoError(t, err)
+		}()

 		gid := portainer.EndpointGroupID(1)

@@ -92,7 +96,8 @@ func Test_ConvertCleanNAPWithOverridePoliciesPayload(t *testing.T) {
 				})
 			}

-			store.PendingActions().Delete(d.PendingAction.ID)
+			err = store.PendingActions().Delete(d.PendingAction.ID)
+			require.NoError(t, err)
 		}
 	})
 }
--- a/api/datastore/postinit/migrate_post_init.go
+++ b/api/datastore/postinit/migrate_post_init.go
@@ -1,7 +1,10 @@
 package postinit

 import (
+	"cmp"
 	"context"
+	"fmt"
+	"slices"

 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
@@ -10,6 +13,7 @@ import (
 	dockerClient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/api/kubernetes/cli"
+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/api/pendingactions/actions"
 	"github.com/portainer/portainer/pkg/endpoints"

@@ -42,40 +46,65 @@ func NewPostInitMigrator(

 // PostInitMigrate will run all post-init migrations, which require docker/kube clients for all edge or non-edge environments
 func (postInitMigrator *PostInitMigrator) PostInitMigrate() error {
-	environments, err := postInitMigrator.dataStore.Endpoint().Endpoints()
-	if err != nil {
-		log.Error().Err(err).Msg("Error getting environments")
-		return err
-	}
+	var environments []portainer.Endpoint

-	for _, environment := range environments {
-		// edge environments will run after the server starts, in pending actions
-		if endpoints.IsEdgeEndpoint(&environment) {
-			// Skip edge environments that do not have direct connectivity
-			if !endpoints.HasDirectConnectivity(&environment) {
+	if err := postInitMigrator.dataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		if environments, err = tx.Endpoint().ReadAll(func(endpoint portainer.Endpoint) bool {
+			return endpoints.HasDirectConnectivity(&endpoint)
+		}); err != nil {
+			return fmt.Errorf("failed to retrieve environments: %w", err)
+		}
+
+		var pendingActions []portainer.PendingAction
+		if pendingActions, err = tx.PendingActions().ReadAll(func(action portainer.PendingAction) bool {
+			return action.Action == actions.PostInitMigrateEnvironment
+		}); err != nil {
+			return fmt.Errorf("failed to retrieve pending actions: %w", err)
+		}
+
+		// Sort for the binary search in createPostInitMigrationPendingAction()
+		slices.SortFunc(pendingActions, func(a, b portainer.PendingAction) int {
+			return cmp.Compare(a.EndpointID, b.EndpointID)
+		})
+
+		for _, environment := range environments {
+			if !endpoints.IsEdgeEndpoint(&environment) {
 				continue
 			}

+			// Edge environments will run after the server starts, in pending actions
 			log.Info().
 				Int("endpoint_id", int(environment.ID)).
 				Msg("adding pending action 'PostInitMigrateEnvironment' for environment")

-			if err := postInitMigrator.createPostInitMigrationPendingAction(environment.ID); err != nil {
+			if err := postInitMigrator.createPostInitMigrationPendingAction(tx, environment.ID, pendingActions); err != nil {
 				log.Error().
 					Err(err).
 					Int("endpoint_id", int(environment.ID)).
 					Msg("error creating pending action for environment")
 			}
-		} else {
-			// Non-edge environments will run before the server starts.
-			if err := postInitMigrator.MigrateEnvironment(&environment); err != nil {
-				log.Error().
-					Err(err).
-					Int("endpoint_id", int(environment.ID)).
-					Msg("error running post-init migrations for non-edge environment")
-			}
 		}

+		return err
+	}); err != nil {
+		log.Error().Err(err).Msg("error running post-init migrations")
+
+		return err
+	}
+
+	for _, environment := range environments {
+		if endpoints.IsEdgeEndpoint(&environment) {
+			continue
+		}
+
+		// Non-edge environments will run before the server starts.
+		if err := postInitMigrator.MigrateEnvironment(&environment); err != nil {
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error running post-init migrations for non-edge environment")
+		}
 	}

 	return nil
@@ -83,46 +112,73 @@ func (postInitMigrator *PostInitMigrator) PostInitMigrate() error {

 // try to create a post init migration pending action. If it already exists, do nothing
 // this function exists for readability, not reusability
-// TODO: This should be moved into pending actions as part of the pending action migration
-func (postInitMigrator *PostInitMigrator) createPostInitMigrationPendingAction(environmentID portainer.EndpointID) error {
-	// If there are no pending actions for the given endpoint, create one
-	err := postInitMigrator.dataStore.PendingActions().Create(&portainer.PendingAction{
+// pending actions must be passed in ascending order by endpoint ID
+func (postInitMigrator *PostInitMigrator) createPostInitMigrationPendingAction(tx dataservices.DataStoreTx, environmentID portainer.EndpointID, pendingActions []portainer.PendingAction) error {
+	action := portainer.PendingAction{
 		EndpointID: environmentID,
 		Action:     actions.PostInitMigrateEnvironment,
-	})
-	if err != nil {
-		log.Error().Err(err).Msgf("Error creating pending action for environment %d", environmentID)
 	}
-	return nil
+
+	if _, found := slices.BinarySearchFunc(pendingActions, environmentID, func(e portainer.PendingAction, id portainer.EndpointID) int {
+		return cmp.Compare(e.EndpointID, id)
+	}); found {
+		log.Debug().
+			Str("action", action.Action).
+			Int("endpoint_id", int(action.EndpointID)).
+			Msg("pending action already exists for environment, skipping...")
+
+		return nil
+	}
+
+	return tx.PendingActions().Create(&action)
 }

 // MigrateEnvironment runs migrations on a single environment
 func (migrator *PostInitMigrator) MigrateEnvironment(environment *portainer.Endpoint) error {
-	log.Info().Msgf("Executing post init migration for environment %d", environment.ID)
+	log.Info().
+		Int("endpoint_id", int(environment.ID)).
+		Msg("executing post init migration for environment")

 	switch {
 	case endpointutils.IsKubernetesEndpoint(environment):
 		// get the kubeclient for the environment, and skip all kube migrations if there's an error
 		kubeclient, err := migrator.kubeFactory.GetPrivilegedKubeClient(environment)
 		if err != nil {
-			log.Error().Err(err).Msgf("Error creating kubeclient for environment: %d", environment.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error creating kubeclient for environment")
+
 			return err
 		}
-		// if one environment fails, it is logged and the next migration runs. The error is returned at the end and handled by pending actions
-		err = migrator.MigrateIngresses(*environment, kubeclient)
-		if err != nil {
+
+		// If one environment fails, it is logged and the next migration runs. The error is returned at the end and handled by pending actions
+		if err := migrator.MigrateIngresses(*environment, kubeclient); err != nil {
 			return err
 		}
+
 		return nil
 	case endpointutils.IsDockerEndpoint(environment):
 		// get the docker client for the environment, and skip all docker migrations if there's an error
 		dockerClient, err := migrator.dockerFactory.CreateClient(environment, "", nil)
 		if err != nil {
-			log.Error().Err(err).Msgf("Error creating docker client for environment: %d", environment.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error creating docker client for environment")
+
+			return err
+		}
+		defer logs.CloseAndLogErr(dockerClient)
+
+		if err := migrator.MigrateGPUs(*environment, dockerClient); err != nil {
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error migrating GPUs for environment")
+
 			return err
 		}
-		defer dockerClient.Close()
-		migrator.MigrateGPUs(*environment, dockerClient)
 	}

 	return nil
@@ -133,13 +189,20 @@ func (migrator *PostInitMigrator) MigrateIngresses(environment portainer.Endpoin
 	if !environment.PostInitMigrations.MigrateIngresses {
 		return nil
 	}
-	log.Debug().Msgf("Migrating ingresses for environment %d", environment.ID)

-	err := migrator.kubeFactory.MigrateEndpointIngresses(&environment, migrator.dataStore, kubeclient)
-	if err != nil {
-		log.Error().Err(err).Msgf("Error migrating ingresses for environment %d", environment.ID)
+	log.Debug().
+		Int("endpoint_id", int(environment.ID)).
+		Msg("migrating ingresses for environment")
+
+	if err := migrator.kubeFactory.MigrateEndpointIngresses(&environment, migrator.dataStore, kubeclient); err != nil {
+		log.Error().
+			Err(err).
+			Int("endpoint_id", int(environment.ID)).
+			Msg("error migrating ingresses for environment")
+
 		return err
 	}
+
 	return nil
 }

@@ -149,29 +212,42 @@ func (migrator *PostInitMigrator) MigrateGPUs(e portainer.Endpoint, dockerClient
 	return migrator.dataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
 		environment, err := tx.Endpoint().Endpoint(e.ID)
 		if err != nil {
-			log.Error().Err(err).Msgf("Error getting environment %d", e.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(e.ID)).
+				Msg("error getting environment")
+
 			return err
 		}
+
 		// Early exit if we do not need to migrate!
 		if !environment.PostInitMigrations.MigrateGPUs {
 			return nil
 		}
-		log.Debug().Msgf("Migrating GPUs for environment %d", e.ID)

-		// get all containers
+		log.Debug().
+			Int("endpoint_id", int(e.ID)).
+			Msg("migrating GPUs for environment")
+
+		// Get all containers
 		containers, err := dockerClient.ContainerList(context.Background(), container.ListOptions{All: true})
 		if err != nil {
-			log.Error().Err(err).Msgf("failed to list containers for environment %d", environment.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("failed to list containers for environment")
+
 			return err
 		}

-		// check for a gpu on each container. If even one GPU is found, set EnableGPUManagement to true for the whole environment
+		// Check for a gpu on each container. If even one GPU is found, set EnableGPUManagement to true for the whole environment
 	containersLoop:
 		for _, container := range containers {
 			// https://www.sobyte.net/post/2022-10/go-docker/ has nice documentation on the docker client with GPUs
 			containerDetails, err := dockerClient.ContainerInspect(context.Background(), container.ID)
 			if err != nil {
 				log.Error().Err(err).Msg("failed to inspect container")
+
 				continue
 			}

@@ -185,10 +261,14 @@ func (migrator *PostInitMigrator) MigrateGPUs(e portainer.Endpoint, dockerClient
 			}
 		}

-		// set the MigrateGPUs flag to false so we don't run this again
+		// Set the MigrateGPUs flag to false so we don't run this again
 		environment.PostInitMigrations.MigrateGPUs = false
 		if err := tx.Endpoint().UpdateEndpoint(environment.ID, environment); err != nil {
-			log.Error().Err(err).Msgf("Error updating EnableGPUManagement flag for environment %d", environment.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error updating EnableGPUManagement flag for environment")
+
 			return err
 		}

--- a/api/datastore/postinit/migrate_post_init_test.go
+++ b/api/datastore/postinit/migrate_post_init_test.go
@@ -8,10 +8,12 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/pendingactions/actions"

 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
 	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

@@ -20,8 +22,9 @@ func TestMigrateGPUs(t *testing.T) {
 		if strings.HasSuffix(r.URL.Path, "/containers/json") {
 			containerSummary := []container.Summary{{ID: "container1"}}

-			err := json.NewEncoder(w).Encode(containerSummary)
-			require.NoError(t, err)
+			if err := json.NewEncoder(w).Encode(containerSummary); err != nil {
+				w.WriteHeader(http.StatusInternalServerError)
+			}

 			return
 		}
@@ -39,8 +42,9 @@ func TestMigrateGPUs(t *testing.T) {
 			},
 		}

-		err := json.NewEncoder(w).Encode(container)
-		require.NoError(t, err)
+		if err := json.NewEncoder(w).Encode(container); err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
 	}))
 	defer srv.Close()

@@ -73,3 +77,98 @@ func TestMigrateGPUs(t *testing.T) {
 	require.False(t, migratedEndpoint.PostInitMigrations.MigrateGPUs)
 	require.True(t, migratedEndpoint.EnableGPUManagement)
 }
+
+func TestPostInitMigrate_PendingActionsCreated(t *testing.T) {
+	tests := []struct {
+		name                   string
+		existingPendingActions []*portainer.PendingAction
+		expectedPendingActions int
+		expectedAction         string
+	}{
+		{
+			name: "when existing non-matching action exists, should add migration action",
+			existingPendingActions: []*portainer.PendingAction{
+				{
+					EndpointID: 7,
+					Action:     "some-other-action",
+				},
+			},
+			expectedPendingActions: 2,
+			expectedAction:         actions.PostInitMigrateEnvironment,
+		},
+		{
+			name: "when matching action exists, should not add duplicate",
+			existingPendingActions: []*portainer.PendingAction{
+				{
+					EndpointID: 7,
+					Action:     actions.PostInitMigrateEnvironment,
+				},
+			},
+			expectedPendingActions: 1,
+			expectedAction:         actions.PostInitMigrateEnvironment,
+		},
+		{
+			name:                   "when no actions exist, should add migration action",
+			existingPendingActions: []*portainer.PendingAction{},
+			expectedPendingActions: 1,
+			expectedAction:         actions.PostInitMigrateEnvironment,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			is := assert.New(t)
+			_, store := datastore.MustNewTestStore(t, true, true)
+
+			// Create test endpoint
+			endpoint := &portainer.Endpoint{
+				ID:          7,
+				UserTrusted: true,
+				Type:        portainer.EdgeAgentOnDockerEnvironment,
+				Edge: portainer.EnvironmentEdgeSettings{
+					AsyncMode: false,
+				},
+				EdgeID: "edgeID",
+			}
+			err := store.Endpoint().Create(endpoint)
+			require.NoError(t, err, "error creating endpoint")
+
+			// Create any existing pending actions
+			for _, action := range tt.existingPendingActions {
+				err = store.PendingActions().Create(action)
+				require.NoError(t, err, "error creating pending action")
+			}
+
+			migrator := NewPostInitMigrator(
+				nil, // kubeFactory not needed for this test
+				nil, // dockerFactory not needed for this test
+				store,
+				"",  // assetsPath not needed for this test
+				nil, // kubernetesDeployer not needed for this test
+			)
+
+			err = migrator.PostInitMigrate()
+			require.NoError(t, err, "PostInitMigrate should not return error")
+
+			// Verify the results
+			pendingActions, err := store.PendingActions().ReadAll()
+			require.NoError(t, err, "error reading pending actions")
+			is.Len(pendingActions, tt.expectedPendingActions, "unexpected number of pending actions")
+
+			// If we expect any actions, verify at least one has the expected action type
+			if tt.expectedPendingActions > 0 {
+				hasExpectedAction := false
+				for _, action := range pendingActions {
+					if action.Action == tt.expectedAction {
+						hasExpectedAction = true
+						is.Equal(endpoint.ID, action.EndpointID, "action should reference correct endpoint")
+
+						break
+					}
+				}
+
+				is.True(hasExpectedAction, "should have found action of expected type")
+			}
+		})
+	}
+}
--- a/api/datastore/services.go
+++ b/api/datastore/services.go
@@ -391,16 +391,16 @@ type storeExport struct {
 	ResourceControl    []portainer.ResourceControl    `json:"resource_control,omitempty"`
 	Role               []portainer.Role               `json:"roles,omitempty"`
 	Schedules          []portainer.Schedule           `json:"schedules,omitempty"`
-	Settings           portainer.Settings             `json:"settings,omitempty"`
+	Settings           portainer.Settings             `json:"settings,omitzero"`
 	Snapshot           []portainer.Snapshot           `json:"snapshots,omitempty"`
-	SSLSettings        portainer.SSLSettings          `json:"ssl,omitempty"`
+	SSLSettings        portainer.SSLSettings          `json:"ssl,omitzero"`
 	Stack              []portainer.Stack              `json:"stacks,omitempty"`
 	Tag                []portainer.Tag                `json:"tags,omitempty"`
 	TeamMembership     []portainer.TeamMembership     `json:"team_membership,omitempty"`
 	Team               []portainer.Team               `json:"teams,omitempty"`
-	TunnelServer       portainer.TunnelServerInfo     `json:"tunnel_server,omitempty"`
+	TunnelServer       portainer.TunnelServerInfo     `json:"tunnel_server,omitzero"`
 	User               []portainer.User               `json:"users,omitempty"`
-	Version            models.Version                 `json:"version,omitempty"`
+	Version            models.Version                 `json:"version,omitzero"`
 	Webhook            []portainer.Webhook            `json:"webhooks,omitempty"`
 	Metadata           map[string]any                 `json:"metadata,omitempty"`
 }
@@ -625,85 +625,129 @@ func (store *Store) Import(filename string) (err error) {
 		return err
 	}

-	store.Version().UpdateVersion(&backup.Version)
+	err = store.Version().UpdateVersion(&backup.Version)
+	if err != nil {
+		return err
+	}

 	for _, v := range backup.CustomTemplate {
-		store.CustomTemplate().Update(v.ID, &v)
+		if err := store.CustomTemplate().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the custom template in the database")
+		}
 	}

 	for _, v := range backup.EdgeGroup {
-		store.EdgeGroup().Update(v.ID, &v)
+		if err := store.EdgeGroup().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the edge group in the database")
+		}
 	}

 	for _, v := range backup.EdgeJob {
-		store.EdgeJob().Update(v.ID, &v)
+		if err := store.EdgeJob().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the edge job in the database")
+		}
 	}

 	for _, v := range backup.EdgeStack {
-		store.EdgeStack().UpdateEdgeStack(v.ID, &v)
+		if err := store.EdgeStack().UpdateEdgeStack(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the edge stack in the database")
+		}
 	}

 	for _, v := range backup.Endpoint {
-		store.Endpoint().UpdateEndpoint(v.ID, &v)
+		if err := store.Endpoint().UpdateEndpoint(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the endpoint in the database")
+		}
 	}

 	for _, v := range backup.EndpointGroup {
-		store.EndpointGroup().Update(v.ID, &v)
+		if err := store.EndpointGroup().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the endpoint group in the database")
+		}
 	}

 	for _, v := range backup.EndpointRelation {
-		store.EndpointRelation().UpdateEndpointRelation(v.EndpointID, &v)
+		if err := store.EndpointRelation().UpdateEndpointRelation(v.EndpointID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the endpoint relation in the database")
+		}
 	}

 	for _, v := range backup.HelmUserRepository {
-		store.HelmUserRepository().Update(v.ID, &v)
+		if err := store.HelmUserRepository().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the helm user repository in the database")
+		}
 	}

 	for _, v := range backup.Registry {
-		store.Registry().Update(v.ID, &v)
+		if err := store.Registry().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the registry in the database")
+		}
 	}

 	for _, v := range backup.ResourceControl {
-		store.ResourceControl().Update(v.ID, &v)
+		if err := store.ResourceControl().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the resource control in the database")
+		}
 	}

 	for _, v := range backup.Role {
-		store.Role().Update(v.ID, &v)
+		if err := store.Role().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the role in the database")
+		}
 	}

-	store.Settings().UpdateSettings(&backup.Settings)
-	store.SSLSettings().UpdateSettings(&backup.SSLSettings)
+	if err := store.Settings().UpdateSettings(&backup.Settings); err != nil {
+		log.Warn().Err(err).Msg("failed to update the settings in the database")
+	}
+
+	if err := store.SSLSettings().UpdateSettings(&backup.SSLSettings); err != nil {
+		log.Warn().Err(err).Msg("failed to update the SSL settings in the database")
+	}

 	for _, v := range backup.Snapshot {
-		store.Snapshot().Update(v.EndpointID, &v)
+		if err := store.Snapshot().Update(v.EndpointID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the snapshot in the database")
+		}
 	}

 	for _, v := range backup.Stack {
-		store.Stack().Update(v.ID, &v)
+		if err := store.Stack().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the stack in the database")
+		}
 	}

 	for _, v := range backup.Tag {
-		store.Tag().Update(v.ID, &v)
+		if err := store.Tag().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the tag in the database")
+		}
 	}

 	for _, v := range backup.TeamMembership {
-		store.TeamMembership().Update(v.ID, &v)
+		if err := store.TeamMembership().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the team membership in the database")
+		}
 	}

 	for _, v := range backup.Team {
-		store.Team().Update(v.ID, &v)
+		if err := store.Team().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the team in the database")
+		}
 	}

-	store.TunnelServer().UpdateInfo(&backup.TunnelServer)
+	if err := store.TunnelServer().UpdateInfo(&backup.TunnelServer); err != nil {
+		log.Warn().Err(err).Msg("failed to update the tunnel server info in the database")
+	}

 	for _, user := range backup.User {
 		if err := store.User().Update(user.ID, &user); err != nil {
-			log.Debug().Str("user", fmt.Sprintf("%+v", user)).Err(err).Msg("failed to update the user in the database")
+			log.Warn().Str("user", fmt.Sprintf("%+v", user)).Err(err).Msg("failed to update the user in the database")
 		}
 	}

 	for _, v := range backup.Webhook {
-		store.Webhook().Update(v.ID, &v)
+		if err := store.Webhook().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the webhook in the database")
+		}
 	}

 	return store.connection.RestoreMetadata(backup.Metadata)
--- a/api/datastore/services_tx.go
+++ b/api/datastore/services_tx.go
@@ -14,7 +14,9 @@ func (tx *StoreTx) IsErrObjectNotFound(err error) bool {
 	return tx.store.IsErrObjectNotFound(err)
 }

-func (tx *StoreTx) CustomTemplate() dataservices.CustomTemplateService { return nil }
+func (tx *StoreTx) CustomTemplate() dataservices.CustomTemplateService {
+	return tx.store.CustomTemplateService.Tx(tx.tx)
+}

 func (tx *StoreTx) PendingActions() dataservices.PendingActionsService {
 	return tx.store.PendingActionsService.Tx(tx.tx)
@@ -72,7 +74,9 @@ func (tx *StoreTx) Snapshot() dataservices.SnapshotService {
 	return tx.store.SnapshotService.Tx(tx.tx)
 }

-func (tx *StoreTx) SSLSettings() dataservices.SSLSettingsService { return nil }
+func (tx *StoreTx) SSLSettings() dataservices.SSLSettingsService {
+	return tx.store.SSLSettingsService.Tx(tx.tx)
+}

 func (tx *StoreTx) Stack() dataservices.StackService {
 	return tx.store.StackService.Tx(tx.tx)
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -83,13 +83,13 @@
        "MigrateIngresses": true
      },
      "PublicURL": "",
-      "QueryDate": 0,
      "SecuritySettings": {
        "allowBindMountsForRegularUsers": true,
        "allowContainerCapabilitiesForRegularUsers": true,
        "allowDeviceMappingForRegularUsers": true,
        "allowHostNamespaceForRegularUsers": true,
        "allowPrivilegedModeForRegularUsers": true,
+        "allowSecurityOptForRegularUsers": false,
        "allowStackManagementForRegularUsers": true,
        "allowSysctlSettingForRegularUsers": false,
        "allowVolumeBrowserForRegularUsers": false,
@@ -604,7 +604,6 @@
    "EdgeAgentCheckinInterval": 5,
    "EdgePortainerUrl": "",
    "EnableEdgeComputeFeatures": false,
-    "EnableTelemetry": true,
    "EnforceEdgeID": false,
    "FeatureFlagSettings": null,
    "GlobalDeploymentOptions": {
@@ -615,7 +614,7 @@
      "RequiredPasswordLength": 12
    },
    "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.32.0",
+    "KubectlShellImage": "portainer/kubectl-shell:2.39.0",
    "LDAPSettings": {
      "AnonymousMode": true,
      "AutoCreateUsers": true,
@@ -944,7 +943,7 @@
    }
  ],
  "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.32.0\",\"MigratorCount\":1,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.39.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
  },
  "webhooks": null
 }
--- a/api/datastore/teststore.go
+++ b/api/datastore/teststore.go
@@ -44,7 +44,7 @@ func NewTestStore(t testing.TB, init, secure bool) (bool, *Store, func(), error)
 		secretKey = nil
 	}

-	connection, err := database.NewDatabase("boltdb", storePath, secretKey)
+	connection, err := database.NewDatabase("boltdb", storePath, secretKey, false)
 	if err != nil {
 		panic(err)
 	}
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@@ -11,6 +11,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
+	"github.com/rs/zerolog/log"

 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/client"
@@ -143,11 +144,16 @@ func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error)

 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		resp.Body.Close()
+		if err := resp.Body.Close(); err != nil {
+			log.Warn().Err(err).Msg("failed to close response body")
+		}
+
 		return resp, err
 	}

-	resp.Body.Close()
+	if err := resp.Body.Close(); err != nil {
+		log.Warn().Err(err).Msg("failed to close response body")
+	}

 	resp.Body = io.NopCloser(bytes.NewReader(body))

--- a/api/docker/client/client_test.go
+++ b/api/docker/client/client_test.go
@@ -4,10 +4,14 @@ import (
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/pkg/fips"
+
 	"github.com/stretchr/testify/require"
 )

 func TestHttpClient(t *testing.T) {
+	fips.InitFIPS(false)
+
 	// Valid TLS configuration
 	endpoint := &portainer.Endpoint{}
 	endpoint.TLSConfig = portainer.TLSConfiguration{TLS: true}
--- a/api/docker/container.go
+++ b/api/docker/container.go
@@ -8,8 +8,9 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/docker/images"
+	"github.com/portainer/portainer/api/logs"

-	"github.com/Masterminds/semver"
+	"github.com/Masterminds/semver/v3"
 	"github.com/docker/docker/api/types"
 	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
@@ -75,7 +76,7 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 	if err != nil {
 		return nil, errors.Wrap(err, "create client error")
 	}
-	defer cli.Close()
+	defer logs.CloseAndLogErr(cli)

 	log.Debug().Str("container_id", containerId).Msg("starting to fetch container information")

@@ -146,13 +147,19 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End

 	c.sr.push(func() {
 		log.Debug().Str("container_id", containerId).Str("container", container.Name).Msg("restoring the container")
-		cli.ContainerRename(ctx, containerId, container.Name)
-
-		for _, network := range container.NetworkSettings.Networks {
-			cli.NetworkConnect(ctx, network.NetworkID, containerId, network)
+		if err := cli.ContainerRename(ctx, containerId, container.Name); err != nil {
+			log.Warn().Err(err).Msg("failure to rename container")
 		}

-		cli.ContainerStart(ctx, containerId, dockercontainer.StartOptions{})
+		for _, network := range container.NetworkSettings.Networks {
+			if err := cli.NetworkConnect(ctx, network.NetworkID, containerId, network); err != nil {
+				log.Warn().Err(err).Msg("failure to connect container to network")
+			}
+		}
+
+		if err := cli.ContainerStart(ctx, containerId, dockercontainer.StartOptions{}); err != nil {
+			log.Warn().Err(err).Msg("failure to start container")
+		}
 	})

 	log.Debug().Str("container", strings.Split(container.Name, "/")[1]).Msg("starting to create a new container")
@@ -175,8 +182,14 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End

 	c.sr.push(func() {
 		log.Debug().Str("container_id", create.ID).Msg("removing the new container")
-		cli.ContainerStop(ctx, create.ID, dockercontainer.StopOptions{})
-		cli.ContainerRemove(ctx, create.ID, dockercontainer.RemoveOptions{})
+
+		if err := cli.ContainerStop(ctx, create.ID, dockercontainer.StopOptions{}); err != nil {
+			log.Warn().Err(err).Msg("failure to stop container")
+		}
+
+		if err := cli.ContainerRemove(ctx, create.ID, dockercontainer.RemoveOptions{}); err != nil {
+			log.Warn().Err(err).Msg("failure to remove container")
+		}
 	})

 	if err != nil {
--- a/Show More
+++ b/Show More