fix(sidebar): set helper anchor color to match the other items [C9S-47] (#2058 )

fix(kube/app): enable edit button for regular apps [BE-12690] (#2039 )
feat(policies): banner and confirmation on change policy [C9S-20] (#1988 )
2026-03-16 15:50:59 +13:00 · 2026-03-15 11:22:09 +02:00 · 2026-03-13 14:11:53 +13:00 · 2026-03-13 11:34:28 +13:00 · 2026-03-13 08:30:45 +13:00 · 2026-03-12 12:30:40 +13:00
1436 changed files with 75714 additions and 33285 deletions
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -17,7 +17,7 @@ plugins:
  - import

 parserOptions:
-  ecmaVersion: 2018
+  ecmaVersion: latest
  sourceType: module
  project: './tsconfig.json'
  ecmaFeatures:
@@ -114,7 +114,13 @@ overrides:
      '@typescript-eslint/explicit-module-boundary-types': off
      '@typescript-eslint/no-unused-vars': 'error'
      '@typescript-eslint/no-explicit-any': 'error'
-      'jsx-a11y/label-has-associated-control': ['error', { 'assert': 'either', controlComponents: ['Input', 'Checkbox'] }]
+      'jsx-a11y/label-has-associated-control':
+        - error
+        - assert: either
+          controlComponents:
+            - Input
+            - Checkbox
+      'jsx-a11y/control-has-associated-label': off
      'react/function-component-definition': ['error', { 'namedComponents': 'function-declaration' }]
      'react/jsx-no-bind': off
      'no-await-in-loop': 'off'
@@ -133,15 +139,19 @@ overrides:
          'react/jsx-props-no-spreading': off
  - files:
      - app/**/*.test.*
+    plugins:
+      - '@vitest'
    extends:
-      - 'plugin:vitest/recommended'
+      - 'plugin:@vitest/legacy-recommended'
    env:
-      'vitest/env': true
+      '@vitest/env': true
    rules:
      'react/jsx-no-constructed-context-values': off
      '@typescript-eslint/no-restricted-imports': off
      no-restricted-imports: off
      'react/jsx-props-no-spreading': off
+      '@vitest/no-conditional-expect': warn
+      'max-classes-per-file': off
  - files:
      - app/**/*.stories.*
    rules:
@@ -149,3 +159,4 @@ overrides:
      '@typescript-eslint/no-restricted-imports': off
      no-restricted-imports: off
      'react/jsx-props-no-spreading': off
+      'storybook/no-renderer-packages': off
--- a/.github/DISCUSSION_TEMPLATE/ideas.yaml
+++ b/.github/DISCUSSION_TEMPLATE/ideas.yaml
@@ -6,7 +6,7 @@ body:
        
        Thanks for suggesting an idea for Portainer!

-        Before opening a new idea or feature request, make sure that we do not have any duplicates already open. You can ensure this by [searching this discussion cagetory](https://github.com/orgs/portainer/discussions/categories/ideas). If there is a duplicate, please add a comment to the existing idea instead.
+        Before opening a new idea or feature request, make sure that we do not have any duplicates already open. You can ensure this by [searching this discussion category](https://github.com/orgs/portainer/discussions/categories/ideas). If there is a duplicate, please add a comment to the existing idea instead.

        Also, be sure to check our [knowledge base](https://portal.portainer.io/knowledge) and [documentation](https://docs.portainer.io) as they may point you toward a solution.
        
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -22,7 +22,7 @@ body:
      options:
        - label: Yes, I've searched similar issues on [GitHub](https://github.com/portainer/portainer/issues).
          required: true
-        - label: Yes, I've checked whether this issue is covered in the Portainer [documentation](https://docs.portainer.io) or [knowledge base](https://portal.portainer.io/knowledge).
+        - label: Yes, I've checked whether this issue is covered in the Portainer [documentation](https://docs.portainer.io).
          required: true

  - type: markdown
@@ -94,6 +94,21 @@ body:
      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
      multiple: false
      options:
+        - '2.39.0'
+        - '2.38.1'
+        - '2.38.0'
+        - '2.37.0'
+        - '2.36.0'
+        - '2.35.0'
+        - '2.34.0'
+        - '2.33.7'
+        - '2.33.6'
+        - '2.33.5'
+        - '2.33.4'
+        - '2.33.3'
+        - '2.33.2'
+        - '2.33.1'
+        - '2.33.0'
        - '2.32.0'
        - '2.31.3'
        - '2.31.2'
@@ -128,8 +143,6 @@ body:
        - '2.21.4'
        - '2.21.3'
        - '2.21.2'
-        - '2.21.1'
-        - '2.21.0'
    validations:
      required: true

--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,5 @@ api/docs
 .env
 go.work.sum

+.vitest
+
--- a/.golangci-forward.yaml
+++ b/.golangci-forward.yaml
@@ -0,0 +1,16 @@
+version: "2"
+linters:
+  default: none
+  enable:
+    - forbidigo
+  settings:
+    forbidigo:
+      forbid:
+        - pattern: ^dataservices.DataStore.(EdgeGroup|EdgeJob|EdgeStack|EndpointRelation|Endpoint|GitCredential|Registry|ResourceControl|Role|Settings|Snapshot|SSLSettings|Stack|Tag|User)$
+          msg: Use a transaction instead
+      analyze-types: true
+  exclusions:
+    rules:
+      - path: _test\.go
+        linters:
+          - forbidigo
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,10 +1,14 @@
 version: "2"
+
+run:
+  allow-parallel-runners: true
 linters:
  default: none
  enable:
    - bodyclose
    - copyloopvar
    - depguard
+    - errcheck
    - errorlint
    - forbidigo
    - govet
@@ -13,6 +17,18 @@ linters:
    - perfsprint
    - staticcheck
    - unused
+    - mirror
+    - durationcheck
+    - errorlint
+    - govet
+    - usetesting
+    - zerologlint
+    - testifylint
+    - modernize
+    - unconvert
+    - unused
+    - zerologlint
+    - exptostd
  settings:
    staticcheck:
      checks: ["all", "-ST1003", "-ST1005", "-ST1016", "-SA1019", "-QF1003"]
@@ -32,12 +48,44 @@ linters:
              desc: use github.com/portainer/portainer/pkg/libcrypto
            - pkg: github.com/portainer/libhttp
              desc: use github.com/portainer/portainer/pkg/libhttp
+            - pkg: golang.org/x/crypto
+              desc: golang.org/x/crypto is not allowed because of FIPS mode
+            - pkg: github.com/ProtonMail/go-crypto/openpgp
+              desc: github.com/ProtonMail/go-crypto/openpgp is not allowed because of FIPS mode
+            - pkg: github.com/cosi-project/runtime
+              desc: github.com/cosi-project/runtime is not allowed because of FIPS mode
+            - pkg: gopkg.in/yaml.v2
+              desc: use go.yaml.in/yaml/v3 instead
+            - pkg: gopkg.in/yaml.v3
+              desc: use go.yaml.in/yaml/v3 instead
+            - pkg: github.com/golang-jwt/jwt/v4
+              desc: use github.com/golang-jwt/jwt/v5 instead
+            - pkg: github.com/mitchellh/mapstructure
+              desc: use github.com/go-viper/mapstructure/v2 instead
+            - pkg: gopkg.in/alecthomas/kingpin.v2
+              desc: use github.com/alecthomas/kingpin/v2 instead
+            - pkg: github.com/jcmturner/gokrb5$
+              desc: use github.com/jcmturner/gokrb5/v8 instead
+            - pkg: github.com/gofrs/uuid
+              desc: use github.com/google/uuid
+            - pkg: github.com/Masterminds/semver$
+              desc: use github.com/Masterminds/semver/v3
+            - pkg: github.com/blang/semver
+              desc: use github.com/Masterminds/semver/v3
+            - pkg: github.com/coreos/go-semver
+              desc: use github.com/Masterminds/semver/v3
+            - pkg: github.com/hashicorp/go-version
+              desc: use github.com/Masterminds/semver/v3
    forbidigo:
      forbid:
        - pattern: ^tls\.Config$
          msg: Use crypto.CreateTLSConfiguration() instead
        - pattern: ^tls\.Config\.(InsecureSkipVerify|MinVersion|MaxVersion|CipherSuites|CurvePreferences)$
          msg: Do not set this field directly, use crypto.CreateTLSConfiguration() instead
+        - pattern: ^object\.(Commit|Tag)\.Verify$
+          msg: "Not allowed because of FIPS mode"
+        - pattern: ^(types\.SystemContext\.)?(DockerDaemonInsecureSkipTLSVerify|DockerInsecureSkipTLSVerify|OCIInsecureSkipTLSVerify)$
+          msg: "Not allowed because of FIPS mode"
      analyze-types: true
  exclusions:
    generated: lax
@@ -45,12 +93,13 @@ linters:
      - comments
      - common-false-positives
      - legacy
-      - std-error-handling
    paths:
      - third_party$
      - builtin$
      - examples$
 formatters:
+  enable:
+    - gofmt
  exclusions:
    generated: lax
    paths:
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,4 +1,4 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"

-cd $(dirname -- "$0") && yarn lint-staged
+cd $(dirname -- "$0") && pnpm lint-staged
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,2 +1,3 @@
 dist
-api/datastore/test_data
+api/datastore/test_data
+coverage
--- a/.storybook/main.ts
+++ b/.storybook/main.ts
@@ -9,20 +9,38 @@ const config: StorybookConfig = {
  addons: [
    '@storybook/addon-links',
    '@storybook/addon-essentials',
+    '@storybook/addon-webpack5-compiler-swc',
+    '@chromatic-com/storybook',
    {
-      name: '@storybook/addon-styling',
+      name: '@storybook/addon-styling-webpack',
+
      options: {
-        cssLoaderOptions: {
-          importLoaders: 1,
-          modules: {
-            localIdentName: '[path][name]__[local]',
-            auto: true,
-            exportLocalsConvention: 'camelCaseOnly',
+        rules: [
+          {
+            test: /\.css$/,
+            sideEffects: true,
+            use: [
+              require.resolve('style-loader'),
+              {
+                loader: require.resolve('css-loader'),
+                options: {
+                  importLoaders: 1,
+                  modules: {
+                    localIdentName: '[path][name]__[local]',
+                    auto: true,
+                    exportLocalsConvention: 'camelCaseOnly',
+                  },
+                },
+              },
+              {
+                loader: require.resolve('postcss-loader'),
+                options: {
+                  implementation: postcss,
+                },
+              },
+            ],
          },
-        },
-        postCss: {
-          implementation: postcss,
-        },
+        ],
      },
    },
  ],
--- a/.storybook/preview.tsx
+++ b/.storybook/preview.tsx
@@ -1,9 +1,9 @@
 import '../app/assets/css';
-import React from 'react';
 import { pushStateLocationPlugin, UIRouter } from '@uirouter/react';
 import { initialize as initMSW, mswLoader } from 'msw-storybook-addon';
 import { handlers } from '../app/setup-tests/server-handlers';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { Preview } from '@storybook/react';

 initMSW(
  {
@@ -21,31 +21,30 @@ initMSW(
  handlers
 );

-export const parameters = {
-  actions: { argTypesRegex: '^on[A-Z].*' },
-  controls: {
-    matchers: {
-      color: /(background|color)$/i,
-      date: /Date$/,
-    },
-  },
-  msw: {
-    handlers,
-  },
-};
-
 const testQueryClient = new QueryClient({
  defaultOptions: { queries: { retry: false } },
 });

-export const decorators = [
-  (Story) => (
+const preview: Preview = {
+  decorators: (Story) => (
    <QueryClientProvider client={testQueryClient}>
      <UIRouter plugins={[pushStateLocationPlugin]}>
        <Story />
      </UIRouter>
    </QueryClientProvider>
  ),
-];
+  loaders: [mswLoader],
+  parameters: {
+    controls: {
+      matchers: {
+        color: /(background|color)$/i,
+        date: /Date$/,
+      },
+    },
+    msw: {
+      handlers,
+    },
+  },
+};

-export const loaders = [mswLoader];
+export default preview;
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,44 @@
+# Portainer Community Edition
+
+Open-source container management platform with full Docker and Kubernetes support.
+
+see also:
+
+- docs/guidelines/server-architecture.md
+- docs/guidelines/go-conventions.md
+- docs/guidelines/typescript-conventions.md
+
+## Package Manager
+
+- **PNPM** 10+ (for frontend)
+- **Go** 1.25.7 (for backend)
+
+## Build Commands
+
+```bash
+# Full build
+make build              # Build both client and server
+make build-client       # Build React/AngularJS frontend
+make build-server       # Build Go binary
+make build-image        # Build Docker image
+
+# Development
+make dev                # Run both in dev mode
+make dev-client         # Start webpack-dev-server (port 8999)
+make dev-server         # Run containerized Go server
+
+pnpm run dev            # Webpack dev server
+pnpm run build          # Build frontend with webpack
+pnpm run test           # Run frontend tests
+
+# Testing
+make test               # All tests (backend + frontend)
+make test-server        # Backend tests only
+make lint               # Lint all code
+make format             # Format code
+```
+
+## Development Servers
+
+- Frontend: http://localhost:8999
+- Backend: http://localhost:9000 (HTTP) / https://localhost:9443 (HTTPS)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -77,7 +77,7 @@ The feature request process is similar to the bug report process but has an extr

 ## Build and run Portainer locally

-Ensure you have Docker, Node.js, yarn, and Golang installed in the correct versions.
+Ensure you have Docker, Node.js, pnpm, and Golang installed in the correct versions.

 Install dependencies:

--- a/36
+++ b/36
@@ -1,9 +1,3 @@
-# See: https://gist.github.com/asukakenji/f15ba7e588ac42795f421b48b8aede63
-# For a list of valid GOOS and GOARCH values
-# Note: these can be overriden on the command line e.g. `make PLATFORM=<platform> ARCH=<arch>`
-PLATFORM=$(shell go env GOOS)
-ARCH=$(shell go env GOARCH)
-
 # build target, can be one of "production", "testing", "development"
 ENV=development
 WEBPACK_CONFIG=webpack/webpack.$(ENV).js
@@ -26,7 +20,7 @@ all: tidy deps build-server build-client ## Build the client, server and downloa
 build-all: all ## Alias for the 'all' target (used by CI)

 build-client: init-dist ## Build the client
-	export NODE_ENV=$(ENV) && yarn build --config $(WEBPACK_CONFIG)
+	export NODE_ENV=$(ENV) && pnpm run build --config $(WEBPACK_CONFIG)

 build-server: init-dist ## Build the server binary
 	./build/build_binary.sh "$(PLATFORM)" "$(ARCH)"
@@ -35,11 +29,7 @@ build-image: build-all ## Build the Portainer image locally
 	docker buildx build --load -t portainerci/portainer-ce:$(TAG) -f build/linux/Dockerfile .

 build-storybook: ## Build and serve the storybook files
-	yarn storybook:build
-
-devops: clean deps build-client ## Build the everything target specifically for CI
-	echo "Building the devops binary..."
-	@./build/build_binary_azuredevops.sh "$(PLATFORM)" "$(ARCH)"
+	pnpm run storybook:build

 ##@ Build dependencies
 .PHONY: deps server-deps client-deps tidy
@@ -49,25 +39,23 @@ server-deps: init-dist ## Download dependant server binaries
 	@./build/download_binaries.sh $(PLATFORM) $(ARCH)

 client-deps: ## Install client dependencies
-	yarn
+	pnpm install

 tidy: ## Tidy up the go.mod file
 	@go mod tidy

-
 ##@ Cleanup
 .PHONY: clean
 clean: ## Remove all build and download artifacts
 	@echo "Clearing the dist directory..."
 	@rm -rf dist/*

-
 ##@ Testing
 .PHONY: test test-client test-server
 test: test-server test-client ## Run all tests

 test-client: ## Run client tests
-	yarn test $(ARGS) --coverage
+	pnpm run test $(ARGS) --coverage

 test-server:	## Run server tests
 	$(GOTESTSUM) --format pkgname-and-test-fails --format-hide-empty-pkg --hide-summary skipped -- -cover -covermode=atomic -coverprofile=coverage.out ./...
@@ -79,7 +67,7 @@ dev: ## Run both the client and server in development mode
 	make dev-client

 dev-client: ## Run the client in development mode
-	yarn dev
+	pnpm install && pnpm run dev

 dev-server: build-server ## Run the server in development mode
 	@./dev/run_container.sh
@@ -93,7 +81,7 @@ dev-server-podman: build-server ## Run the server in development mode
 format: format-client format-server ## Format all code

 format-client: ## Format client code
-	yarn format
+	pnpm run format

 format-server: ## Format server code
 	go fmt ./...
@@ -103,26 +91,26 @@ format-server: ## Format server code
 lint: lint-client lint-server ## Lint all code

 lint-client: ## Lint client code
-	yarn lint
+	pnpm run lint

-lint-server: ## Lint server code
+lint-server: tidy ## Lint server code
 	golangci-lint run --timeout=10m -c .golangci.yaml
-
+	golangci-lint run --timeout=10m --new-from-rev=HEAD~ -c .golangci-forward.yaml

 ##@ Extension
 .PHONY: dev-extension
 dev-extension: build-server build-client ## Run the extension in development mode
 	make local -f build/docker-extension/Makefile

-
 ##@ Docs
 .PHONY: docs-build docs-validate docs-clean docs-validate-clean
 docs-build: init-dist ## Build docs
+	go mod download -x
 	cd api && $(SWAG) init -o "../dist/docs" -ot "yaml" -g ./http/handler/handler.go --parseDependency --parseInternal --parseDepth 2 -p pascalcase --markdownFiles ./

 docs-validate: docs-build ## Validate docs
-	yarn swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml
-	yarn swagger-cli validate dist/docs/openapi.yaml
+	pnpm swagger2openapi --warnOnly dist/docs/swagger.yaml -o dist/docs/openapi.yaml
+	pnpm swagger-cli validate dist/docs/openapi.yaml

 ##@ Helpers
 .PHONY: help
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@ You can join the Portainer Community by visiting [https://www.portainer.io/join-

 ## Security

- Here at Portainer, we believe in [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) of security issues. If you have found a security issue, please report it to <security@portainer.io>.
+For information about reporting security vulnerabilities, please see our [Security Policy](SECURITY.md).

 ## Work for us

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,61 @@
+# Security Policy
+
+## Supported Versions
+
+Portainer maintains both Short-Term Support (STS) and Long-Term Support (LTS) versions in accordance with our official [Portainer Lifecycle Policy](https://docs.portainer.io/start/lifecycle).
+
+| Version Type | Support Status |
+| --- | --- |
+| LTS (Long-Term Support) | Supported for critical security fixes |
+| STS (Short-Term Support) | Supported until the next STS or LTS release |
+| Legacy / EOL | Not supported |
+
+For a detailed breakdown of current versions and their specific End of Life (EOL) dates, 
+please refer to the [Portainer Lifecycle Policy](https://docs.portainer.io/start/lifecycle).
+
+## Reporting a Vulnerability
+
+The Portainer team takes the security of our products seriously. If you believe you have found a security vulnerability in any Portainer-owned repository, please report it to us responsibly.
+
+**Please do not report security vulnerabilities via public GitHub issues.**
+
+### Disclosure Process
+
+1. **Report**: You can report in one of two ways:
+
+    - **GitHub**: Use the **Report a vulnerability** button on the **Security** tab of this repository.
+
+    - **Email**: Send your findings to security@portainer.io.
+
+2. **Details**: To help us verify the issue, please include:
+
+    - A description of the vulnerability and its potential impact.
+
+    - Step-by-step instructions to reproduce the issue (e.g. proof-of-concept code, scripts, or screenshots).
+
+    - The version of the software and the environment in which it was found.
+
+3. **Acknowledge**: We will acknowledge receipt of your report and provide an initial assessment.
+
+4. **Resolution**: We will work to resolve the issue as quickly as possible. We request that you do not disclose the vulnerability publicly until we have released a fix and notified affected users.
+
+## Our Commitment
+
+If you follow the responsible disclosure process, we will:
+
+- Respond to your report in a timely manner.
+
+- Provide an estimated timeline for remediation.
+
+- Notify you when the vulnerability has been patched.
+
+- Give credit for the discovery (if desired) once the fix is public.
+
+
+We will make every effort to promptly address any security weaknesses. Security advisories and fixes will be published through GitHub Security Advisories and other channels as needed.
+
+Thank you for helping keep Portainer and our community secure.
+
+## Resources
+
+- [Contributing to Portainer](https://docs.portainer.io/contribute/contribute#contributing-to-the-portainer-ce-codebase)
--- a/api/agent/version.go
+++ b/api/agent/version.go
@@ -11,20 +11,18 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/url"
+
+	"github.com/rs/zerolog/log"
 )

 // GetAgentVersionAndPlatform returns the agent version and platform
 //
 // it sends a ping to the agent and parses the version and platform from the headers
 func GetAgentVersionAndPlatform(endpointUrl string, tlsConfig *tls.Config) (portainer.AgentPlatform, string, error) { //nolint:forbidigo
-	httpCli := &http.Client{
-		Timeout: 3 * time.Second,
-	}
+	httpCli := &http.Client{Timeout: 3 * time.Second}

 	if tlsConfig != nil {
-		httpCli.Transport = &http.Transport{
-			TLSClientConfig: tlsConfig,
-		}
+		httpCli.Transport = &http.Transport{TLSClientConfig: tlsConfig}
 	}

 	parsedURL, err := url.ParseURL(endpointUrl + "/ping")
@@ -44,8 +42,10 @@ func GetAgentVersionAndPlatform(endpointUrl string, tlsConfig *tls.Config) (port
 		return 0, "", err
 	}

-	io.Copy(io.Discard, resp.Body)
-	resp.Body.Close()
+	_, _ = io.Copy(io.Discard, resp.Body)
+	if err := resp.Body.Close(); err != nil {
+		log.Warn().Err(err).Msg("failed to close response body")
+	}

 	if resp.StatusCode != http.StatusNoContent {
 		return 0, "", fmt.Errorf("Failed request with status %d", resp.StatusCode)
--- a/api/apikey/apikey_test.go
+++ b/api/apikey/apikey_test.go
@@ -10,31 +10,31 @@ func Test_generateRandomKey(t *testing.T) {
 	is := assert.New(t)

 	tests := []struct {
-		name      string
-		wantLenth int
+		name       string
+		wantLength int
 	}{
 		{
-			name:      "Generate a random key of length 16",
-			wantLenth: 16,
+			name:       "Generate a random key of length 16",
+			wantLength: 16,
 		},
 		{
-			name:      "Generate a random key of length 32",
-			wantLenth: 32,
+			name:       "Generate a random key of length 32",
+			wantLength: 32,
 		},
 		{
-			name:      "Generate a random key of length 64",
-			wantLenth: 64,
+			name:       "Generate a random key of length 64",
+			wantLength: 64,
 		},
 		{
-			name:      "Generate a random key of length 128",
-			wantLenth: 128,
+			name:       "Generate a random key of length 128",
+			wantLength: 128,
 		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := GenerateRandomKey(tt.wantLenth)
-			is.Equal(tt.wantLenth, len(got))
+			got := GenerateRandomKey(tt.wantLength)
+			is.Len(got, tt.wantLength)
 		})
 	}

--- a/api/apikey/service_test.go
+++ b/api/apikey/service_test.go
@@ -10,9 +10,10 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
-	"github.com/stretchr/testify/assert"

 	"github.com/rs/zerolog/log"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func Test_SatisfiesAPIKeyServiceInterface(t *testing.T) {
@@ -30,7 +31,7 @@ func Test_GenerateApiKey(t *testing.T) {
 	t.Run("Successfully generates API key", func(t *testing.T) {
 		desc := "test-1"
 		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, desc)
-		is.NoError(err)
+		require.NoError(t, err)
 		is.NotEmpty(rawKey)
 		is.NotEmpty(apiKey)
 		is.Equal(desc, apiKey.Description)
@@ -38,7 +39,7 @@ func Test_GenerateApiKey(t *testing.T) {

 	t.Run("Api key prefix is 7 chars", func(t *testing.T) {
 		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-2")
-		is.NoError(err)
+		require.NoError(t, err)

 		is.Equal(rawKey[:7], apiKey.Prefix)
 		is.Len(apiKey.Prefix, 7)
@@ -46,7 +47,7 @@ func Test_GenerateApiKey(t *testing.T) {

 	t.Run("Api key has 'ptr_' as prefix", func(t *testing.T) {
 		rawKey, _, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-x")
-		is.NoError(err)
+		require.NoError(t, err)

 		is.Equal(portainerAPIKeyPrefix, "ptr_")
 		is.True(strings.HasPrefix(rawKey, "ptr_"))
@@ -55,7 +56,7 @@ func Test_GenerateApiKey(t *testing.T) {
 	t.Run("Successfully caches API key", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-3")
-		is.NoError(err)
+		require.NoError(t, err)

 		userFromCache, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
 		is.True(ok)
@@ -65,7 +66,7 @@ func Test_GenerateApiKey(t *testing.T) {

 	t.Run("Decoded raw api-key digest matches generated digest", func(t *testing.T) {
 		rawKey, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-4")
-		is.NoError(err)
+		require.NoError(t, err)

 		generatedDigest := sha256.Sum256([]byte(rawKey))

@@ -83,10 +84,10 @@ func Test_GetAPIKey(t *testing.T) {
 	t.Run("Successfully returns all API keys", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		apiKeyGot, err := service.GetAPIKey(apiKey.ID)
-		is.NoError(err)
+		require.NoError(t, err)

 		is.Equal(apiKey, apiKeyGot)
 	})
@@ -102,12 +103,12 @@ func Test_GetAPIKeys(t *testing.T) {
 	t.Run("Successfully returns all API keys", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, _, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)
 		_, _, err = service.GenerateApiKey(user, "test-2")
-		is.NoError(err)
+		require.NoError(t, err)

 		keys, err := service.GetAPIKeys(user.ID)
-		is.NoError(err)
+		require.NoError(t, err)
 		is.Len(keys, 2)
 	})
 }
@@ -122,10 +123,10 @@ func Test_GetDigestUserAndKey(t *testing.T) {
 	t.Run("Successfully returns user and api key associated to digest", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		userGot, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		is.NoError(err)
+		require.NoError(t, err)
 		is.Equal(user, userGot)
 		is.Equal(*apiKey, apiKeyGot)
 	})
@@ -133,10 +134,10 @@ func Test_GetDigestUserAndKey(t *testing.T) {
 	t.Run("Successfully caches user and api key associated to digest", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		userGot, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		is.NoError(err)
+		require.NoError(t, err)
 		is.Equal(user, userGot)
 		is.Equal(*apiKey, apiKeyGot)

@@ -156,16 +157,19 @@ func Test_UpdateAPIKey(t *testing.T) {

 	t.Run("Successfully updates the api-key LastUsed time", func(t *testing.T) {
 		user := portainer.User{ID: 1}
-		store.User().Create(&user)
+
+		err := store.User().Create(&user)
+		require.NoError(t, err)
+
 		_, apiKey, err := service.GenerateApiKey(user, "test-x")
-		is.NoError(err)
+		require.NoError(t, err)

 		apiKey.LastUsed = time.Now().UTC().Unix()
 		err = service.UpdateAPIKey(apiKey)
-		is.NoError(err)
+		require.NoError(t, err)

 		_, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		is.NoError(err)
+		require.NoError(t, err)

 		log.Debug().Str("wanted", fmt.Sprintf("%+v", apiKey)).Str("got", fmt.Sprintf("%+v", apiKeyGot)).Msg("")

@@ -174,7 +178,7 @@ func Test_UpdateAPIKey(t *testing.T) {

 	t.Run("Successfully updates api-key in cache upon api-key update", func(t *testing.T) {
 		_, apiKey, err := service.GenerateApiKey(portainer.User{ID: 1}, "test-x2")
-		is.NoError(err)
+		require.NoError(t, err)

 		_, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
 		is.True(ok)
@@ -184,7 +188,7 @@ func Test_UpdateAPIKey(t *testing.T) {
 		is.NotEqual(*apiKey, apiKeyFromCache)

 		err = service.UpdateAPIKey(apiKey)
-		is.NoError(err)
+		require.NoError(t, err)

 		_, updatedAPIKeyFromCache, ok := service.cache.Get(apiKey.Digest)
 		is.True(ok)
@@ -202,30 +206,30 @@ func Test_DeleteAPIKey(t *testing.T) {
 	t.Run("Successfully updates the api-key", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		_, apiKeyGot, err := service.GetDigestUserAndKey(apiKey.Digest)
-		is.NoError(err)
+		require.NoError(t, err)
 		is.Equal(*apiKey, apiKeyGot)

 		err = service.DeleteAPIKey(apiKey.ID)
-		is.NoError(err)
+		require.NoError(t, err)

 		_, _, err = service.GetDigestUserAndKey(apiKey.Digest)
-		is.Error(err)
+		require.Error(t, err)
 	})

 	t.Run("Successfully removes api-key from cache upon deletion", func(t *testing.T) {
 		user := portainer.User{ID: 1}
 		_, apiKey, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		_, apiKeyFromCache, ok := service.cache.Get(apiKey.Digest)
 		is.True(ok)
 		is.Equal(*apiKey, apiKeyFromCache)

 		err = service.DeleteAPIKey(apiKey.ID)
-		is.NoError(err)
+		require.NoError(t, err)

 		_, _, ok = service.cache.Get(apiKey.Digest)
 		is.False(ok)
@@ -243,10 +247,10 @@ func Test_InvalidateUserKeyCache(t *testing.T) {
 		// generate api keys
 		user := portainer.User{ID: 1}
 		_, apiKey1, err := service.GenerateApiKey(user, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		_, apiKey2, err := service.GenerateApiKey(user, "test-2")
-		is.NoError(err)
+		require.NoError(t, err)

 		// verify api keys are present in cache
 		_, apiKeyFromCache, ok := service.cache.Get(apiKey1.Digest)
@@ -273,11 +277,11 @@ func Test_InvalidateUserKeyCache(t *testing.T) {
 		// generate keys for 2 users
 		user1 := portainer.User{ID: 1}
 		_, apiKey1, err := service.GenerateApiKey(user1, "test-1")
-		is.NoError(err)
+		require.NoError(t, err)

 		user2 := portainer.User{ID: 2}
 		_, apiKey2, err := service.GenerateApiKey(user2, "test-2")
-		is.NoError(err)
+		require.NoError(t, err)

 		// verify keys in cache
 		_, apiKeyFromCache, ok := service.cache.Get(apiKey1.Digest)
--- a/api/archive/tar.go
+++ b/api/archive/tar.go
@@ -17,18 +17,15 @@ func TarFileInBuffer(fileContent []byte, fileName string, mode int64) ([]byte, e
 		Size: int64(len(fileContent)),
 	}

-	err := tarWriter.WriteHeader(header)
-	if err != nil {
+	if err := tarWriter.WriteHeader(header); err != nil {
 		return nil, err
 	}

-	_, err = tarWriter.Write(fileContent)
-	if err != nil {
+	if _, err := tarWriter.Write(fileContent); err != nil {
 		return nil, err
 	}

-	err = tarWriter.Close()
-	if err != nil {
+	if err := tarWriter.Close(); err != nil {
 		return nil, err
 	}

@@ -43,10 +40,7 @@ type tarFileInBuffer struct {

 func NewTarFileInBuffer() *tarFileInBuffer {
 	var b bytes.Buffer
-	return &tarFileInBuffer{
-		b: &b,
-		w: tar.NewWriter(&b),
-	}
+	return &tarFileInBuffer{b: &b, w: tar.NewWriter(&b)}
 }

 // Put puts a single file to tar archive buffer.
@@ -61,11 +55,9 @@ func (t *tarFileInBuffer) Put(fileContent []byte, fileName string, mode int64) e
 		return err
 	}

-	if _, err := t.w.Write(fileContent); err != nil {
-		return err
-	}
+	_, err := t.w.Write(fileContent)

-	return nil
+	return err
 }

 // Bytes returns the archive as a byte array.
--- a/api/archive/targz.go
+++ b/api/archive/targz.go
@@ -9,6 +9,9 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/portainer/portainer/api/filesystem"
+	"github.com/portainer/portainer/api/logs"
 )

 // TarGzDir creates a tar.gz archive and returns it's path.
@@ -20,12 +23,13 @@ func TarGzDir(absolutePath string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer outFile.Close()
+	defer logs.CloseAndLogErr(outFile)

 	zipWriter := gzip.NewWriter(outFile)
-	defer zipWriter.Close()
+	defer logs.CloseAndLogErr(zipWriter)
+
 	tarWriter := tar.NewWriter(zipWriter)
-	defer tarWriter.Close()
+	defer logs.CloseAndLogErr(tarWriter)

 	err = filepath.Walk(absolutePath, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
@@ -86,7 +90,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 	if err != nil {
 		return err
 	}
-	defer zipReader.Close()
+	defer logs.CloseAndLogErr(zipReader)

 	tarReader := tar.NewReader(zipReader)

@@ -105,7 +109,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 		case tar.TypeDir:
 			// skip, dir will be created with a file
 		case tar.TypeReg:
-			p := filepath.Clean(filepath.Join(outputDirPath, header.Name))
+			p := filesystem.JoinPaths(outputDirPath, header.Name)
 			if err := os.MkdirAll(filepath.Dir(p), 0o744); err != nil {
 				return fmt.Errorf("Failed to extract dir %s", filepath.Dir(p))
 			}
@@ -116,7 +120,7 @@ func ExtractTarGz(r io.Reader, outputDirPath string) error {
 			if _, err := io.Copy(outFile, tarReader); err != nil {
 				return fmt.Errorf("Failed to extract file %s", header.Name)
 			}
-			outFile.Close()
+			logs.CloseAndLogErr(outFile)
 		default:
 			return fmt.Errorf("tar: unknown type: %v in %s",
 				header.Typeflag,
--- a/api/archive/targz_test.go
+++ b/api/archive/targz_test.go
@@ -1,24 +1,34 @@
 package archive

 import (
+	"archive/tar"
+	"compress/gzip"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"testing"

+	"github.com/portainer/portainer/api/filesystem"
+	"github.com/rs/zerolog/log"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func listFiles(dir string) []string {
 	items := make([]string, 0)
-	filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
+
+	if err := filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
 		if path == dir {
 			return nil
 		}
+
 		items = append(items, path)
+
 		return nil
-	})
+	}); err != nil {
+		log.Warn().Err(err).Msg("failed to list files in directory")
+	}

 	return items
 }
@@ -26,13 +36,21 @@ func listFiles(dir string) []string {
 func Test_shouldCreateArchive(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
-	os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
-	os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
-	os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
-	os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
+
+	err := os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
+	require.NoError(t, err)
+
+	err = os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
+	require.NoError(t, err)
+
+	err = os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
+	require.NoError(t, err)
+
+	err = os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
+	require.NoError(t, err)

 	gzPath, err := TarGzDir(tmpdir)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, filepath.Join(tmpdir, filepath.Base(tmpdir)+".tar.gz"), gzPath)

 	extractionDir := t.TempDir()
@@ -45,7 +63,8 @@ func Test_shouldCreateArchive(t *testing.T) {
 	wasExtracted := func(p string) {
 		fullpath := path.Join(extractionDir, p)
 		assert.Contains(t, extractedFiles, fullpath)
-		copyContent, _ := os.ReadFile(fullpath)
+		copyContent, err := os.ReadFile(fullpath)
+		require.NoError(t, err)
 		assert.Equal(t, content, copyContent)
 	}

@@ -57,13 +76,21 @@ func Test_shouldCreateArchive(t *testing.T) {
 func Test_shouldCreateArchive2(t *testing.T) {
 	tmpdir := t.TempDir()
 	content := []byte("content")
-	os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
-	os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
-	os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
-	os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
+
+	err := os.WriteFile(path.Join(tmpdir, "outer"), content, 0600)
+	require.NoError(t, err)
+
+	err = os.MkdirAll(path.Join(tmpdir, "dir"), 0700)
+	require.NoError(t, err)
+
+	err = os.WriteFile(path.Join(tmpdir, "dir", ".dotfile"), content, 0600)
+	require.NoError(t, err)
+
+	err = os.WriteFile(path.Join(tmpdir, "dir", "inner"), content, 0600)
+	require.NoError(t, err)

 	gzPath, err := TarGzDir(tmpdir)
-	assert.Nil(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, filepath.Join(tmpdir, filepath.Base(tmpdir)+".tar.gz"), gzPath)

 	extractionDir := t.TempDir()
@@ -84,3 +111,56 @@ func Test_shouldCreateArchive2(t *testing.T) {
 	wasExtracted("dir/inner")
 	wasExtracted("dir/.dotfile")
 }
+
+func TestExtractTarGzPathTraversal(t *testing.T) {
+	testDir := t.TempDir()
+
+	// Create an evil file with a path traversal attempt
+	tarPath := filesystem.JoinPaths(testDir, "evil.tar.gz")
+
+	evilFile, err := os.Create(tarPath)
+	require.NoError(t, err)
+
+	gzWriter := gzip.NewWriter(evilFile)
+	tarWriter := tar.NewWriter(gzWriter)
+
+	content := []byte("evil content")
+
+	header := &tar.Header{
+		Name:     "../evil.txt",
+		Mode:     0600,
+		Size:     int64(len(content)),
+		Typeflag: tar.TypeReg,
+	}
+
+	err = tarWriter.WriteHeader(header)
+	require.NoError(t, err)
+
+	_, err = tarWriter.Write(content)
+	require.NoError(t, err)
+
+	err = tarWriter.Close()
+	require.NoError(t, err)
+
+	err = gzWriter.Close()
+	require.NoError(t, err)
+
+	err = evilFile.Close()
+	require.NoError(t, err)
+
+	// Attempt to extract the evil file
+	extractionDir := filesystem.JoinPaths(testDir, "extraction")
+	err = os.Mkdir(extractionDir, 0700)
+	require.NoError(t, err)
+
+	tarFile, err := os.Open(tarPath)
+	require.NoError(t, err)
+
+	// Check that the file didn't escape
+	err = ExtractTarGz(tarFile, extractionDir)
+	require.NoError(t, err)
+	require.NoFileExists(t, filesystem.JoinPaths(testDir, "evil.txt"))
+
+	err = tarFile.Close()
+	require.NoError(t, err)
+}
--- a/api/archive/zip.go
+++ b/api/archive/zip.go
@@ -8,6 +8,8 @@ import (
 	"path/filepath"
 	"strings"

+	"github.com/portainer/portainer/api/logs"
+
 	"github.com/pkg/errors"
 )

@@ -18,7 +20,7 @@ func UnzipFile(src string, dest string) error {
 	if err != nil {
 		return err
 	}
-	defer r.Close()
+	defer logs.CloseAndLogErr(r)

 	for _, f := range r.File {
 		p := filepath.Join(dest, f.Name)
@@ -30,7 +32,9 @@ func UnzipFile(src string, dest string) error {

 		if f.FileInfo().IsDir() {
 			// Make Folder
-			os.MkdirAll(p, os.ModePerm)
+			if err := os.MkdirAll(p, os.ModePerm); err != nil {
+				return err
+			}

 			continue
 		}
@@ -53,13 +57,13 @@ func unzipFile(f *zip.File, p string) error {
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't create file %s", p)
 	}
-	defer outFile.Close()
+	defer logs.CloseAndLogErr(outFile)

 	rc, err := f.Open()
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't open zip file %s in the archive", f.Name)
 	}
-	defer rc.Close()
+	defer logs.CloseAndLogErr(rc)

 	if _, err = io.Copy(outFile, rc); err != nil {
 		return errors.Wrapf(err, "unzipFile: can't copy an archived file content")
--- a/api/archive/zip_test.go
+++ b/api/archive/zip_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestUnzipFile(t *testing.T) {
@@ -20,7 +21,7 @@ func TestUnzipFile(t *testing.T) {

 	err := UnzipFile("./testdata/sample_archive.zip", dir)

-	assert.NoError(t, err)
+	require.NoError(t, err)
 	archiveDir := dir + "/sample_archive"
 	assert.FileExists(t, filepath.Join(archiveDir, "0.txt"))
 	assert.FileExists(t, filepath.Join(archiveDir, "0", "1.txt"))
--- a/api/aws/ecr/ecr.go
+++ b/api/aws/ecr/ecr.go
@@ -6,6 +6,15 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
 )

+// Registry represents an ECR registry endpoint information.
+// This struct is used to parse and validate ECR endpoint URLs.
+type Registry struct {
+	ID     string // AWS account ID (empty for accountless endpoints like "ecr-fips.us-west-1.amazonaws.com")
+	FIPS   bool   // Whether this is a FIPS endpoint (contains "-fips" in the URL)
+	Region string // AWS region (e.g., "us-east-1", "us-gov-west-1")
+	Public bool   // Whether this is ecr-public.aws.com
+}
+
 type (
 	Service struct {
 		accessKey string
--- a/api/aws/ecr/parse_endpoints.go
+++ b/api/aws/ecr/parse_endpoints.go
@@ -0,0 +1,70 @@
+package ecr
+
+import (
+	"fmt"
+	"net/url"
+	"regexp"
+	"strings"
+)
+
+// ecrEndpointPattern matches all valid ECR endpoints including account-prefixed and accountless formats.
+// Based on AWS ECR credential helper regex but extended to support accountless endpoints.
+//
+// Supported formats:
+//   - Account-prefixed: 123456789012.dkr.ecr-fips.us-east-1.amazonaws.com
+//   - Account-prefixed (hyphen): 123456789012.dkr-ecr-fips.us-west-1.on.aws
+//   - Accountless service: ecr-fips.us-west-1.amazonaws.com
+//   - Accountless API: ecr-fips.us-east-1.api.aws
+//   - Non-FIPS variants: All formats above without "-fips"
+//
+// Regex groups:
+//   - Group 1: Full account prefix (optional) - e.g., "123456789012.dkr." or "123456789012.dkr-"
+//   - Group 2: Account ID (optional) - e.g., "123456789012"
+//   - Group 3: FIPS flag (optional) - either "-fips" or empty string
+//   - Group 4: Region - e.g., "us-east-1", "us-gov-west-1"
+//   - Group 5: Domain suffix - e.g., "amazonaws.com", "api.aws"
+var ecrEndpointPattern = regexp.MustCompile(
+	`^((\d{12})\.dkr[\.\-])?ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.(?:com(?:\.cn)?|eu)|api\.aws|on\.(?:aws|amazonwebservices\.com\.cn)|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)$`,
+)
+
+// ParseECREndpoint parses an ECR registry URL and extracts registry information.
+
+// This function replaces the AWS ECR credential helper library's ExtractRegistry function,
+// which only supports account-prefixed endpoints.
+//
+// Reference: https://docs.aws.amazon.com/general/latest/gr/ecr.html
+func ParseECREndpoint(urlStr string) (*Registry, error) {
+	// Normalize URL by adding https:// prefix if not present
+	if !strings.HasPrefix(urlStr, "https://") && !strings.HasPrefix(urlStr, "http://") {
+		urlStr = "https://" + urlStr
+	}
+
+	u, err := url.Parse(urlStr)
+	if err != nil {
+		return nil, fmt.Errorf("invalid URL: %w", err)
+	}
+
+	hostname := u.Hostname()
+
+	// Special case: ECR Public
+	// ECR Public uses a different domain and doesn't have FIPS variant
+	if hostname == "ecr-public.aws.com" {
+		return &Registry{
+			FIPS:   false,
+			Public: true,
+		}, nil
+	}
+
+	// Parse standard ECR endpoints using regex
+	matches := ecrEndpointPattern.FindStringSubmatch(hostname)
+	if len(matches) == 0 {
+		return nil, fmt.Errorf("not a valid ECR endpoint: %s", hostname)
+	}
+
+	return &Registry{
+		ID:     matches[2],            // Account ID (may be empty for accountless endpoints)
+		FIPS:   matches[3] == "-fips", // Check if "-fips" is present
+		Region: matches[4],            // AWS region
+		Public: false,
+	}, nil
+}
--- a/api/aws/ecr/parse_endpoints_test.go
+++ b/api/aws/ecr/parse_endpoints_test.go
@@ -0,0 +1,253 @@
+package ecr
+
+import (
+	"testing"
+)
+
+func TestParseECREndpoint(t *testing.T) {
+	tests := []struct {
+		name      string
+		url       string
+		want      *Registry
+		wantError bool
+	}{
+		// Standard AWS Commercial - Account-prefixed FIPS
+		{
+			name: "account-prefixed FIPS us-east-1",
+			url:  "123456789012.dkr.ecr-fips.us-east-1.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-east-1",
+				Public: false,
+			},
+		},
+		{
+			name: "account-prefixed FIPS us-west-2",
+			url:  "123456789012.dkr.ecr-fips.us-west-2.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-west-2",
+				Public: false,
+			},
+		},
+
+		// Accountless FIPS service endpoints
+		{
+			name: "accountless FIPS us-west-1",
+			url:  "ecr-fips.us-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless FIPS us-east-2",
+			url:  "ecr-fips.us-east-2.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-east-2",
+				Public: false,
+			},
+		},
+
+		// Accountless FIPS API endpoints
+		{
+			name: "accountless FIPS API us-west-1",
+			url:  "ecr-fips.us-west-1.api.aws",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless FIPS API us-east-1",
+			url:  "ecr-fips.us-east-1.api.aws",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-east-1",
+				Public: false,
+			},
+		},
+
+		// on.aws domain with hyphen separator
+		{
+			name: "account-prefixed FIPS hyphen us-west-1",
+			url:  "123456789012.dkr-ecr-fips.us-west-1.on.aws",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "account-prefixed FIPS hyphen us-east-2",
+			url:  "123456789012.dkr-ecr-fips.us-east-2.on.aws",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-east-2",
+				Public: false,
+			},
+		},
+
+		// AWS GovCloud
+		{
+			name: "account-prefixed FIPS us-gov-east-1",
+			url:  "123456789012.dkr.ecr-fips.us-gov-east-1.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-gov-east-1",
+				Public: false,
+			},
+		},
+		{
+			name: "account-prefixed FIPS us-gov-west-1",
+			url:  "123456789012.dkr.ecr-fips.us-gov-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   true,
+				Region: "us-gov-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless FIPS us-gov-west-1",
+			url:  "ecr-fips.us-gov-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-gov-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless FIPS API us-gov-east-1",
+			url:  "ecr-fips.us-gov-east-1.api.aws",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-gov-east-1",
+				Public: false,
+			},
+		},
+
+		// ECR Public
+		{
+			name: "ecr-public",
+			url:  "ecr-public.aws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   false,
+				Region: "",
+				Public: true,
+			},
+		},
+
+		// Non-FIPS endpoints (valid ECR but FIPS=false)
+		{
+			name: "account-prefixed non-FIPS us-east-1",
+			url:  "123456789012.dkr.ecr.us-east-1.amazonaws.com",
+			want: &Registry{
+				ID:     "123456789012",
+				FIPS:   false,
+				Region: "us-east-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless non-FIPS us-west-1",
+			url:  "ecr.us-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   false,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+		{
+			name: "accountless non-FIPS API us-east-2",
+			url:  "ecr.us-east-2.api.aws",
+			want: &Registry{
+				ID:     "",
+				FIPS:   false,
+				Region: "us-east-2",
+				Public: false,
+			},
+		},
+
+		// URLs with https:// prefix
+		{
+			name: "with https prefix",
+			url:  "https://ecr-fips.us-west-1.amazonaws.com",
+			want: &Registry{
+				ID:     "",
+				FIPS:   true,
+				Region: "us-west-1",
+				Public: false,
+			},
+		},
+
+		// Invalid endpoints
+		{
+			name:      "not an ECR URL",
+			url:       "not-an-ecr-url.com",
+			wantError: true,
+		},
+		{
+			name:      "invalid account ID length",
+			url:       "123.dkr.ecr-fips.us-east-1.amazonaws.com",
+			wantError: true,
+		},
+		{
+			name:      "empty string",
+			url:       "",
+			wantError: true,
+		},
+		{
+			name:      "docker hub",
+			url:       "docker.io",
+			wantError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ParseECREndpoint(tt.url)
+
+			if tt.wantError {
+				if err == nil {
+					t.Errorf("ParseECREndpoint() expected error but got none")
+				}
+				return
+			}
+
+			if err != nil {
+				t.Errorf("ParseECREndpoint() unexpected error: %v", err)
+				return
+			}
+
+			if got.ID != tt.want.ID {
+				t.Errorf("ParseECREndpoint() ID = %v, want %v", got.ID, tt.want.ID)
+			}
+			if got.FIPS != tt.want.FIPS {
+				t.Errorf("ParseECREndpoint() FIPS = %v, want %v", got.FIPS, tt.want.FIPS)
+			}
+			if got.Region != tt.want.Region {
+				t.Errorf("ParseECREndpoint() Region = %v, want %v", got.Region, tt.want.Region)
+			}
+			if got.Public != tt.want.Public {
+				t.Errorf("ParseECREndpoint() Public = %v, want %v", got.Public, tt.want.Public)
+			}
+		})
+	}
+}
--- a/api/backup/backup.go
+++ b/api/backup/backup.go
@@ -12,6 +12,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/offlinegate"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
@@ -97,7 +98,7 @@ func encrypt(path string, passphrase string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer in.Close()
+	defer logs.CloseAndLogErr(in)

 	outFileName := path + ".encrypted"
 	out, err := os.Create(outFileName)
@@ -105,7 +106,5 @@ func encrypt(path string, passphrase string) (string, error) {
 		return "", err
 	}

-	err = crypto.AesEncrypt(in, out, []byte(passphrase))
-
-	return outFileName, err
+	return outFileName, crypto.AesEncrypt(in, out, []byte(passphrase))
 }
--- a/api/backup/restore.go
+++ b/api/backup/restore.go
@@ -16,6 +16,8 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/offlinegate"
+
+	"github.com/rs/zerolog/log"
 )

 var filesToRestore = append(filesToBackup, "portainer.db")
@@ -31,17 +33,20 @@ func RestoreArchive(archive io.Reader, password string, filestorePath string, ga
 	}

 	restorePath := filepath.Join(filestorePath, "restore", time.Now().Format("20060102150405"))
-	defer os.RemoveAll(filepath.Dir(restorePath))
+	defer func() {
+		if err := os.RemoveAll(filepath.Dir(restorePath)); err != nil {
+			log.Warn().Err(err).Msg("failed to clean up restore files")
+		}
+	}()

-	err = extractArchive(archive, restorePath)
-	if err != nil {
+	if err := extractArchive(archive, restorePath); err != nil {
 		return errors.Wrap(err, "cannot extract files from the archive. Please ensure the password is correct and try again")
 	}

 	unlock := gate.Lock()
 	defer unlock()

-	if err = datastore.Close(); err != nil {
+	if err := datastore.Close(); err != nil {
 		return errors.Wrap(err, "Failed to stop db")
 	}

@@ -51,7 +56,7 @@ func RestoreArchive(archive io.Reader, password string, filestorePath string, ga
 		return errors.Wrap(err, "failed to restore from backup. Portainer database missing from backup file")
 	}

-	if err = restoreFiles(restorePath, filestorePath); err != nil {
+	if err := restoreFiles(restorePath, filestorePath); err != nil {
 		return errors.Wrap(err, "failed to restore the system state")
 	}

@@ -89,8 +94,7 @@ func getRestoreSourcePath(dir string) (string, error) {

 func restoreFiles(srcDir string, destinationDir string) error {
 	for _, filename := range filesToRestore {
-		err := filesystem.CopyPath(filepath.Join(srcDir, filename), destinationDir)
-		if err != nil {
+		if err := filesystem.CopyPath(filepath.Join(srcDir, filename), destinationDir); err != nil {
 			return err
 		}
 	}
@@ -98,14 +102,18 @@ func restoreFiles(srcDir string, destinationDir string) error {
 	// TODO:  This is very boltdb module specific once again due to the filename.  Move to bolt module? Refactor for another day

 	// Prevent the possibility of having both databases.  Remove any default new instance
-	os.Remove(filepath.Join(destinationDir, boltdb.DatabaseFileName))
-	os.Remove(filepath.Join(destinationDir, boltdb.EncryptedDatabaseFileName))
+	if err := os.Remove(filepath.Join(destinationDir, boltdb.DatabaseFileName)); err != nil && !os.IsNotExist(err) {
+		return err
+	}
+
+	if err := os.Remove(filepath.Join(destinationDir, boltdb.EncryptedDatabaseFileName)); err != nil && !os.IsNotExist(err) {
+		return err
+	}

 	// Now copy the database.  It'll be either portainer.db or portainer.edb

 	// Note: CopyPath does not return an error if the source file doesn't exist
-	err := filesystem.CopyPath(filepath.Join(srcDir, boltdb.EncryptedDatabaseFileName), destinationDir)
-	if err != nil {
+	if err := filesystem.CopyPath(filepath.Join(srcDir, boltdb.EncryptedDatabaseFileName), destinationDir); err != nil {
 		return err
 	}

--- a/api/chisel/service.go
+++ b/api/chisel/service.go
@@ -89,10 +89,8 @@ func (service *Service) pingAgent(endpointID portainer.EndpointID) error {
 		return err
 	}

-	io.Copy(io.Discard, resp.Body)
-	resp.Body.Close()
-
-	return nil
+	_, _ = io.Copy(io.Discard, resp.Body)
+	return resp.Body.Close()
 }

 // KeepTunnelAlive keeps the tunnel of the given environment for maxAlive duration, or until ctx is done
--- a/api/chisel/tunnel.go
+++ b/api/chisel/tunnel.go
@@ -142,7 +142,9 @@ func (s *Service) TunnelAddr(endpoint *portainer.Endpoint) (string, error) {
 			continue
 		}

-		conn.Close()
+		if err := conn.Close(); err != nil {
+			log.Warn().Err(err).Msg("failed to close tcp connection")
+		}

 		break
 	}
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -32,7 +32,7 @@ func CLIFlags() *portainer.CLIFlags {
 		Assets:                    kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
 		Data:                      kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
 		EndpointURL:               kingpin.Flag("host", "Environment URL").Short('H').String(),
-		FeatureFlags:              kingpin.Flag("feat", "List of feature flags").Strings(),
+		FeatureFlags:              kingpin.Flag("feat", "List of feature flags").Envar(portainer.FeatureFlagEnvVar).Strings(),
 		EnableEdgeComputeFeatures: kingpin.Flag("edge-compute", "Enable Edge Compute features").Bool(),
 		NoAnalytics:               kingpin.Flag("no-analytics", "Disable Analytics in app (deprecated)").Bool(),
 		TLSSkipVerify:             kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
@@ -52,7 +52,6 @@ func CLIFlags() *portainer.CLIFlags {
 		SecretKeyName:             kingpin.Flag("secret-key-name", "Secret key name for encryption and will be used as /run/secrets/<secret-key-name>.").Default(defaultSecretKeyName).String(),
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
-		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
 		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
 		TrustedOrigins:            kingpin.Flag("trusted-origins", "List of trusted origins for CSRF protection. Separate multiple origins with a comma.").Envar(portainer.TrustedOriginsEnvVar).String(),
 		CSP:                       kingpin.Flag("csp", "Content Security Policy (CSP) header").Envar(portainer.CSPEnvVar).Default("true").Bool(),
@@ -95,6 +94,11 @@ func (Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 	flags.TLSKey = tlsKeyFlag.String()
 	flags.TLSCacert = kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String()

+	flags.KubectlShellImage = kingpin.Flag(
+		"kubectl-shell-image",
+		"Kubectl shell image",
+	).Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String()
+
 	kingpin.Parse()

 	if !filepath.IsAbs(*flags.Assets) {
--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package cli

--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -55,7 +55,7 @@ import (
 	"github.com/portainer/portainer/pkg/libstack/compose"
 	"github.com/portainer/portainer/pkg/validate"

-	"github.com/gofrs/uuid"
+	"github.com/google/uuid"
 	"github.com/rs/zerolog/log"
 )

@@ -119,7 +119,7 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	}

 	if isNew {
-		instanceId, err := uuid.NewV4()
+		instanceId, err := uuid.NewRandom()
 		if err != nil {
 			log.Fatal().Err(err).Msg("failed generating instance id")
 		}
@@ -134,15 +134,16 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 			InstanceID:    instanceId.String(),
 			MigratorCount: migratorCount,
 		}
-		store.VersionService.UpdateVersion(&v)
+
+		if err := store.VersionService.UpdateVersion(&v); err != nil {
+			log.Fatal().Err(err).Msg("failed to update version")
+		}

 		if err := updateSettingsFromFlags(store, flags); err != nil {
 			log.Fatal().Err(err).Msg("failed updating settings from flags")
 		}
-	} else {
-		if err := store.MigrateData(); err != nil {
-			log.Fatal().Err(err).Msg("failed migration")
-		}
+	} else if err := store.MigrateData(); err != nil {
+		log.Fatal().Err(err).Msg("failed migration")
 	}

 	if err := updateSettingsFromFlags(store, flags); err != nil {
@@ -153,7 +154,7 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	go func() {
 		<-shutdownCtx.Done()

-		defer connection.Close()
+		defer logs.CloseAndLogErr(connection)
 	}()

 	return store
@@ -347,7 +348,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	trustedOrigins := []string{}
 	if *flags.TrustedOrigins != "" {
 		// validate if the trusted origins are valid urls
-		for _, origin := range strings.Split(*flags.TrustedOrigins, ",") {
+		for origin := range strings.SplitSeq(*flags.TrustedOrigins, ",") {
 			if !validate.IsTrustedOrigin(origin) {
 				log.Fatal().Str("trusted_origin", origin).Msg("invalid url for trusted origin. Please check the trusted origins flag.")
 			}
@@ -529,7 +530,9 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	scheduler := scheduler.NewScheduler(shutdownCtx)
 	stackDeployer := deployments.NewStackDeployer(swarmStackManager, composeStackManager, kubernetesDeployer, dockerClientFactory, dataStore)
-	deployments.StartStackSchedules(scheduler, stackDeployer, dataStore, gitService)
+	if err := deployments.StartStackSchedules(scheduler, stackDeployer, dataStore, gitService); err != nil {
+		log.Fatal().Err(err).Msg("failed to start stack scheduler")
+	}

 	sslDBSettings, err := dataStore.SSLSettings().Settings()
 	if err != nil {
@@ -630,7 +633,7 @@ func main() {
 			Str("build_number", build.BuildNumber).
 			Str("image_tag", build.ImageTag).
 			Str("nodejs_version", build.NodejsVersion).
-			Str("yarn_version", build.YarnVersion).
+			Str("pnpm_version", build.PnpmVersion).
 			Str("webpack_version", build.WebpackVersion).
 			Str("go_version", build.GoVersion).
 			Msg("starting Portainer")
--- a/api/crypto/aes.go
+++ b/api/crypto/aes.go
@@ -15,8 +15,9 @@ import (

 	"github.com/portainer/portainer/pkg/fips"

-	"golang.org/x/crypto/argon2"
-	"golang.org/x/crypto/scrypt"
+	// Not allowed in FIPS mode
+	"golang.org/x/crypto/argon2" //nolint:depguard
+	"golang.org/x/crypto/scrypt" //nolint:depguard
 )

 const (
@@ -163,7 +164,9 @@ func aesEncryptGCM(input io.Reader, output io.Writer, passphrase []byte) error {
 			return err
 		}

-		nonce.Increment()
+		if err := nonce.Increment(); err != nil {
+			return err
+		}
 	}

 	return nil
@@ -234,7 +237,9 @@ func aesDecryptGCM(input io.Reader, passphrase []byte) (io.Reader, error) {
 			return nil, err
 		}

-		nonce.Increment()
+		if err := nonce.Increment(); err != nil {
+			return nil, err
+		}
 	}

 	return &buf, nil
--- a/api/crypto/aes_test.go
+++ b/api/crypto/aes_test.go
@@ -9,6 +9,7 @@ import (
 	"path/filepath"
 	"testing"

+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/pkg/fips"

 	"github.com/stretchr/testify/assert"
@@ -47,26 +48,29 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 		)

 		content := randBytes(1024*1024*100 + 523)
-		os.WriteFile(originFilePath, content, 0600)
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)

 		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		defer logs.CloseAndLogErr(originFile)

 		encryptedFileWriter, _ := os.Create(encryptedFilePath)

-		err := encrypt(originFile, encryptedFileWriter, []byte(passphrase))
-		require.Nil(t, err, "Failed to encrypt a file")
-		encryptedFileWriter.Close()
+		err = encrypt(originFile, encryptedFileWriter, []byte(passphrase))
+		require.NoError(t, err, "Failed to encrypt a file")
+		logs.CloseAndLogErr(encryptedFileWriter)

 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		require.Nil(t, err, "Couldn't read encrypted file")
+		require.NoError(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, _ := os.Open(encryptedFilePath)
-		defer encryptedFileReader.Close()
+		encryptedFileReader, err := os.Open(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileReader)

-		decryptedFileWriter, _ := os.Create(decryptedFilePath)
-		defer decryptedFileWriter.Close()
+		decryptedFileWriter, err := os.Create(decryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		decryptedReader, err := decrypt(encryptedFileReader, []byte(passphrase))
 		if !decryptShouldSucceed {
@@ -74,9 +78,11 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 		} else {
 			require.NoError(t, err, "Failed to decrypt file indicated by decryptShouldSucceed")

-			io.Copy(decryptedFileWriter, decryptedReader)
+			_, err = io.Copy(decryptedFileWriter, decryptedReader)
+			require.NoError(t, err)

-			decryptedContent, _ := os.ReadFile(decryptedFilePath)
+			decryptedContent, err := os.ReadFile(decryptedFilePath)
+			require.NoError(t, err)
 			assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 		}
 	}
@@ -147,33 +153,40 @@ func Test_encryptAndDecrypt_withStrongPassphrase(t *testing.T) {
 		)

 		content := randBytes(500)
-		os.WriteFile(originFilePath, content, 0600)

-		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)
+
+		originFile, err := os.Open(originFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(originFile)

 		encryptedFileWriter, _ := os.Create(encryptedFilePath)

-		err := encrypt(originFile, encryptedFileWriter, []byte(passphrase))
-		assert.Nil(t, err, "Failed to encrypt a file")
-		encryptedFileWriter.Close()
+		err = encrypt(originFile, encryptedFileWriter, []byte(passphrase))
+		require.NoError(t, err, "Failed to encrypt a file")
+		logs.CloseAndLogErr(encryptedFileWriter)

 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		assert.Nil(t, err, "Couldn't read encrypted file")
+		require.NoError(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, _ := os.Open(encryptedFilePath)
-		defer encryptedFileReader.Close()
+		encryptedFileReader, err := os.Open(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileReader)

-		decryptedFileWriter, _ := os.Create(decryptedFilePath)
-		defer decryptedFileWriter.Close()
+		decryptedFileWriter, err := os.Create(decryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		decryptedReader, err := decrypt(encryptedFileReader, []byte(passphrase))
-		assert.Nil(t, err, "Failed to decrypt file")
+		require.NoError(t, err, "Failed to decrypt file")

-		io.Copy(decryptedFileWriter, decryptedReader)
+		_, err = io.Copy(decryptedFileWriter, decryptedReader)
+		require.NoError(t, err)

-		decryptedContent, _ := os.ReadFile(decryptedFilePath)
+		decryptedContent, err := os.ReadFile(decryptedFilePath)
+		require.NoError(t, err)
 		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 	}

@@ -197,33 +210,40 @@ func Test_encryptAndDecrypt_withTheSamePasswordSmallFile(t *testing.T) {
 		)

 		content := randBytes(500)
-		os.WriteFile(originFilePath, content, 0600)
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)

-		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		originFile, err := os.Open(originFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(originFile)

-		encryptedFileWriter, _ := os.Create(encryptedFilePath)
+		encryptedFileWriter, err := os.Create(encryptedFilePath)
+		require.NoError(t, err)

-		err := encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
-		assert.Nil(t, err, "Failed to encrypt a file")
-		encryptedFileWriter.Close()
+		err = encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+		require.NoError(t, err, "Failed to encrypt a file")
+		logs.CloseAndLogErr(encryptedFileWriter)

 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		assert.Nil(t, err, "Couldn't read encrypted file")
+		require.NoError(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, _ := os.Open(encryptedFilePath)
-		defer encryptedFileReader.Close()
+		encryptedFileReader, err := os.Open(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileReader)

-		decryptedFileWriter, _ := os.Create(decryptedFilePath)
-		defer decryptedFileWriter.Close()
+		decryptedFileWriter, err := os.Create(decryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		decryptedReader, err := decrypt(encryptedFileReader, []byte("passphrase"))
-		assert.Nil(t, err, "Failed to decrypt file")
+		require.NoError(t, err, "Failed to decrypt file")

-		io.Copy(decryptedFileWriter, decryptedReader)
+		_, err = io.Copy(decryptedFileWriter, decryptedReader)
+		require.NoError(t, err)

-		decryptedContent, _ := os.ReadFile(decryptedFilePath)
+		decryptedContent, err := os.ReadFile(decryptedFilePath)
+		require.NoError(t, err)
 		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 	}

@@ -247,32 +267,40 @@ func Test_encryptAndDecrypt_withEmptyPassword(t *testing.T) {
 		)

 		content := randBytes(1024 * 50)
-		os.WriteFile(originFilePath, content, 0600)
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)

-		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		originFile, err := os.Open(originFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(originFile)

-		encryptedFileWriter, _ := os.Create(encryptedFilePath)
-		defer encryptedFileWriter.Close()
+		encryptedFileWriter, err := os.Create(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileWriter)
+
+		err = encrypt(originFile, encryptedFileWriter, []byte(""))
+		require.NoError(t, err, "Failed to encrypt a file")

-		err := encrypt(originFile, encryptedFileWriter, []byte(""))
-		assert.Nil(t, err, "Failed to encrypt a file")
 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		assert.Nil(t, err, "Couldn't read encrypted file")
+		require.NoError(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, _ := os.Open(encryptedFilePath)
-		defer encryptedFileReader.Close()
+		encryptedFileReader, err := os.Open(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileReader)

-		decryptedFileWriter, _ := os.Create(decryptedFilePath)
-		defer decryptedFileWriter.Close()
+		decryptedFileWriter, err := os.Create(decryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		decryptedReader, err := decrypt(encryptedFileReader, []byte(""))
-		assert.Nil(t, err, "Failed to decrypt file")
+		require.NoError(t, err, "Failed to decrypt file")

-		io.Copy(decryptedFileWriter, decryptedReader)
+		_, err = io.Copy(decryptedFileWriter, decryptedReader)
+		require.NoError(t, err)

-		decryptedContent, _ := os.ReadFile(decryptedFilePath)
+		decryptedContent, err := os.ReadFile(decryptedFilePath)
+		require.NoError(t, err)
 		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
 	}

@@ -296,28 +324,33 @@ func Test_decryptWithDifferentPassphrase_shouldProduceWrongResult(t *testing.T)
 		)

 		content := randBytes(1034)
-		os.WriteFile(originFilePath, content, 0600)
+		err := os.WriteFile(originFilePath, content, 0600)
+		require.NoError(t, err)

-		originFile, _ := os.Open(originFilePath)
-		defer originFile.Close()
+		originFile, err := os.Open(originFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(originFile)

-		encryptedFileWriter, _ := os.Create(encryptedFilePath)
-		defer encryptedFileWriter.Close()
+		encryptedFileWriter, err := os.Create(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileWriter)

-		err := encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
-		assert.Nil(t, err, "Failed to encrypt a file")
+		err = encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+		require.NoError(t, err, "Failed to encrypt a file")
 		encryptedContent, err := os.ReadFile(encryptedFilePath)
-		assert.Nil(t, err, "Couldn't read encrypted file")
+		require.NoError(t, err, "Couldn't read encrypted file")
 		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")

-		encryptedFileReader, _ := os.Open(encryptedFilePath)
-		defer encryptedFileReader.Close()
+		encryptedFileReader, err := os.Open(encryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(encryptedFileReader)

-		decryptedFileWriter, _ := os.Create(decryptedFilePath)
-		defer decryptedFileWriter.Close()
+		decryptedFileWriter, err := os.Create(decryptedFilePath)
+		require.NoError(t, err)
+		defer logs.CloseAndLogErr(decryptedFileWriter)

 		_, err = decrypt(encryptedFileReader, []byte("garbage"))
-		assert.NotNil(t, err, "Should not allow decrypt with wrong passphrase")
+		require.Error(t, err, "Should not allow decrypt with wrong passphrase")
 	}

 	t.Run("fips", func(t *testing.T) {
--- a/api/crypto/ecdsa_test.go
+++ b/api/crypto/ecdsa_test.go
@@ -11,12 +11,12 @@ func TestCreateSignature(t *testing.T) {

 	privKey, pubKey, err := s.GenerateKeyPair()
 	require.NoError(t, err)
-	require.Greater(t, len(privKey), 0)
-	require.Greater(t, len(pubKey), 0)
+	require.NotEmpty(t, privKey)
+	require.NotEmpty(t, pubKey)

 	m := "test message"
 	r, err := s.CreateSignature(m)
 	require.NoError(t, err)
 	require.NotEqual(t, r, m)
-	require.Greater(t, len(r), 0)
+	require.NotEmpty(t, r)
 }
--- a/api/crypto/hash.go
+++ b/api/crypto/hash.go
@@ -1,7 +1,8 @@
 package crypto

 import (
-	"golang.org/x/crypto/bcrypt"
+	// Not allowed in FIPS mode
+	"golang.org/x/crypto/bcrypt" //nolint:depguard
 )

 // Service represents a service for encrypting/hashing data.
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@@ -92,7 +92,9 @@ func CreateTLSConfigurationFromDisk(config portainer.TLSConfiguration) (*tls.Con
 }

 func createTLSConfigurationFromDisk(fipsEnabled bool, config portainer.TLSConfiguration) (*tls.Config, error) { //nolint:forbidigo
-	if !config.TLS {
+	if !config.TLS && fipsEnabled {
+		return nil, fips.ErrTLSRequired
+	} else if !config.TLS {
 		return nil, nil
 	}

--- a/api/crypto/tls_test.go
+++ b/api/crypto/tls_test.go
@@ -44,7 +44,7 @@ func TestCreateTLSConfigurationFIPS(t *testing.T) {
 func TestCreateTLSConfigurationFromBytes(t *testing.T) {
 	// No TLS
 	config, err := CreateTLSConfigurationFromBytes(false, nil, nil, nil, false, false)
-	require.Nil(t, err)
+	require.NoError(t, err)
 	require.Nil(t, config)

 	// Skip TLS client/server verifications
@@ -61,7 +61,7 @@ func TestCreateTLSConfigurationFromBytes(t *testing.T) {
 func TestCreateTLSConfigurationFromDisk(t *testing.T) {
 	// No TLS
 	config, err := CreateTLSConfigurationFromDisk(portainer.TLSConfiguration{})
-	require.Nil(t, err)
+	require.NoError(t, err)
 	require.Nil(t, config)

 	// Skip TLS verifications
--- a/api/database/boltdb/db.go
+++ b/api/database/boltdb/db.go
@@ -136,10 +136,8 @@ func (connection *DbConnection) NeedsEncryptionMigration() (bool, error) {
 func (connection *DbConnection) Open() error {
 	log.Info().Str("filename", connection.GetDatabaseFileName()).Msg("loading PortainerDB")

-	// Now we open the db
 	databasePath := connection.GetDatabaseFilePath()
-
-	db, err := bolt.Open(databasePath, 0600, connection.boltOptions())
+	db, err := bolt.Open(databasePath, 0600, connection.boltOptions(connection.Compact))
 	if err != nil {
 		return err
 	}
@@ -152,6 +150,15 @@ func (connection *DbConnection) Open() error {
 		log.Info().Msg("compacting database")
 		if err := connection.compact(); err != nil {
 			log.Error().Err(err).Msg("failed to compact database")
+
+			// Close the read-only database and re-open in read-write mode
+			if err := connection.Close(); err != nil {
+				log.Warn().Err(err).Msg("failure to close the database after failed compaction")
+			}
+
+			connection.Compact = false
+
+			return connection.Open()
 		} else {
 			log.Info().Msg("database compaction completed")
 		}
@@ -424,9 +431,14 @@ func (connection *DbConnection) RestoreMetadata(s map[string]any) error {
 }

 // compact attempts to compact the database and replace it iff it succeeds
-func (connection *DbConnection) compact() error {
+func (connection *DbConnection) compact() (err error) {
 	compactedPath := connection.GetDatabaseFilePath() + compactedSuffix
-	compactedDB, err := bolt.Open(compactedPath, 0o600, connection.boltOptions())
+
+	if err := os.Remove(compactedPath); err != nil && !errors.Is(err, os.ErrNotExist) {
+		return fmt.Errorf("failure to remove an existing compacted database: %w", err)
+	}
+
+	compactedDB, err := bolt.Open(compactedPath, 0o600, connection.boltOptions(false))
 	if err != nil {
 		return fmt.Errorf("failure to create the compacted database: %w", err)
 	}
@@ -453,11 +465,12 @@ func (connection *DbConnection) compact() error {
 	return nil
 }

-func (connection *DbConnection) boltOptions() *bolt.Options {
+func (connection *DbConnection) boltOptions(readOnly bool) *bolt.Options {
 	return &bolt.Options{
 		Timeout:         1 * time.Second,
 		InitialMmapSize: connection.InitialMmapSize,
 		FreelistType:    bolt.FreelistMapType,
 		NoFreelistSync:  true,
+		ReadOnly:        readOnly,
 	}
 }
--- a/api/database/boltdb/db_test.go
+++ b/api/database/boltdb/db_test.go
@@ -5,6 +5,8 @@ import (
 	"path"
 	"testing"

+	"github.com/portainer/portainer/api/filesystem"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.etcd.io/bbolt"
@@ -96,18 +98,36 @@ func Test_NeedsEncryptionMigration(t *testing.T) {
 				// Special case.  If portainer.db and portainer.edb exist.
 				dbFile1 := path.Join(connection.Path, DatabaseFileName)
 				f, _ := os.Create(dbFile1)
-				f.Close()
-				defer os.Remove(dbFile1)
+
+				err := f.Close()
+				require.NoError(t, err)
+
+				defer func() {
+					err := os.Remove(dbFile1)
+					require.NoError(t, err)
+				}()

 				dbFile2 := path.Join(connection.Path, EncryptedDatabaseFileName)
 				f, _ = os.Create(dbFile2)
-				f.Close()
-				defer os.Remove(dbFile2)
+
+				err = f.Close()
+				require.NoError(t, err)
+
+				defer func() {
+					err := os.Remove(dbFile2)
+					require.NoError(t, err)
+				}()
 			} else if tc.dbname != "" {
 				dbFile := path.Join(connection.Path, tc.dbname)
 				f, _ := os.Create(dbFile)
-				f.Close()
-				defer os.Remove(dbFile)
+
+				err := f.Close()
+				require.NoError(t, err)
+
+				defer func() {
+					err := os.Remove(dbFile)
+					require.NoError(t, err)
+				}()
 			}

 			if tc.key {
@@ -123,10 +143,7 @@ func Test_NeedsEncryptionMigration(t *testing.T) {
 }

 func TestDBCompaction(t *testing.T) {
-	db := &DbConnection{
-		Path:    t.TempDir(),
-		Compact: true,
-	}
+	db := &DbConnection{Path: t.TempDir()}

 	err := db.Open()
 	require.NoError(t, err)
@@ -137,7 +154,8 @@ func TestDBCompaction(t *testing.T) {
 			return err
 		}

-		b.Put([]byte("key"), []byte("value"))
+		err = b.Put([]byte("key"), []byte("value"))
+		require.NoError(t, err)

 		return nil
 	})
@@ -147,6 +165,7 @@ func TestDBCompaction(t *testing.T) {
 	require.NoError(t, err)

 	// Reopen the DB to trigger compaction
+	db.Compact = true
 	err = db.Open()
 	require.NoError(t, err)

@@ -168,10 +187,14 @@ func TestDBCompaction(t *testing.T) {
 	require.NoError(t, err)

 	// Failures
-
-	err = os.Mkdir(db.GetDatabaseFilePath()+compactedSuffix, 0o755)
+	compactedPath := db.GetDatabaseFilePath() + compactedSuffix
+	err = os.Mkdir(compactedPath, 0o755)
 	require.NoError(t, err)

+	f, err := os.Create(filesystem.JoinPaths(compactedPath, "somefile"))
+	require.NoError(t, err)
+	require.NoError(t, f.Close())
+
 	err = db.Open()
 	require.NoError(t, err)
 }
--- a/api/database/boltdb/export.go
+++ b/api/database/boltdb/export.go
@@ -3,6 +3,7 @@ package boltdb
 import (
 	"time"

+	"github.com/portainer/portainer/api/logs"
 	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
 	bolt "go.etcd.io/bbolt"
@@ -37,7 +38,7 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 	if err != nil {
 		return []byte("{}"), err
 	}
-	defer connection.Close()
+	defer logs.CloseAndLogErr(connection)

 	backup := make(map[string]any)
 	if metadata {
--- a/api/database/boltdb/json.go
+++ b/api/database/boltdb/json.go
@@ -45,12 +45,12 @@ func (connection *DbConnection) UnmarshalObject(data []byte, object any) error {
 		}
 	}

-	if e := json.Unmarshal(data, object); e != nil {
+	if err := json.Unmarshal(data, object); err != nil {
 		// Special case for the VERSION bucket. Here we're not using json
 		// So we need to return it as a string
 		s, ok := object.(*string)
 		if !ok {
-			return errors.Wrap(err, e.Error())
+			return errors.Wrap(err, "Failed unmarshalling object")
 		}

 		*s = string(data)
--- a/api/database/boltdb/json_test.go
+++ b/api/database/boltdb/json_test.go
@@ -10,14 +10,14 @@ import (
 	"io"
 	"testing"

-	"github.com/gofrs/uuid"
+	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

 const (
-	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
+	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
 	passphrase = "my secret key"
 )

@@ -29,7 +29,7 @@ func secretToEncryptionKey(passphrase string) []byte {
 func Test_MarshalObjectUnencrypted(t *testing.T) {
 	is := assert.New(t)

-	uuid := uuid.Must(uuid.NewV4())
+	uuid := uuid.New()

 	tests := []struct {
 		object   any
@@ -94,7 +94,7 @@ func Test_MarshalObjectUnencrypted(t *testing.T) {
 	for _, test := range tests {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
 			data, err := conn.MarshalObject(test.object)
-			is.NoError(err)
+			require.NoError(t, err)
 			is.Equal(test.expected, string(data))
 		})
 	}
@@ -135,7 +135,7 @@ func Test_UnMarshalObjectUnencrypted(t *testing.T) {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
 			var object string
 			err := conn.UnmarshalObject(test.object, &object)
-			is.NoError(err)
+			require.NoError(t, err)
 			is.Equal(test.expected, object)
 		})
 	}
@@ -172,12 +172,12 @@ func Test_ObjectMarshallingEncrypted(t *testing.T) {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {

 			data, err := conn.MarshalObject(test.object)
-			is.NoError(err)
+			require.NoError(t, err)

 			var object []byte
 			err = conn.UnmarshalObject(data, &object)

-			is.NoError(err)
+			require.NoError(t, err)
 			is.Equal(test.object, object)
 		})
 	}
--- a/api/database/boltdb/tx_test.go
+++ b/api/database/boltdb/tx_test.go
@@ -6,6 +6,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/stretchr/testify/require"
 )

 const testBucketName = "test-bucket"
@@ -17,70 +18,55 @@ type testStruct struct {
 }

 func TestTxs(t *testing.T) {
-	conn := DbConnection{
-		Path: t.TempDir(),
-	}
+	conn := DbConnection{Path: t.TempDir()}

 	err := conn.Open()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer conn.Close()
+	require.NoError(t, err)
+	defer func() {
+		err := conn.Close()
+		require.NoError(t, err)
+	}()

 	// Error propagation
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
 		return errors.New("this is an error")
 	})
-	if err == nil {
-		t.Fatal("an error was expected, got nil instead")
-	}
+	require.Error(t, err)

 	// Create an object
-	newObj := testStruct{
-		Key:   "key",
-		Value: "value",
-	}
+	newObj := testStruct{Key: "key", Value: "value"}

 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
-		err = tx.SetServiceName(testBucketName)
-		if err != nil {
+		if err := tx.SetServiceName(testBucketName); err != nil {
 			return err
 		}

 		return tx.CreateObjectWithId(testBucketName, testId, newObj)
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	obj := testStruct{}
 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(testBucketName, conn.ConvertToKey(testId), &obj)
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	if obj.Key != newObj.Key || obj.Value != newObj.Value {
 		t.Fatalf("expected %s:%s, got %s:%s instead", newObj.Key, newObj.Value, obj.Key, obj.Value)
 	}

 	// Update an object
-	updatedObj := testStruct{
-		Key:   "updated-key",
-		Value: "updated-value",
-	}
+	updatedObj := testStruct{Key: "updated-key", Value: "updated-value"}

 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.UpdateObject(testBucketName, conn.ConvertToKey(testId), &updatedObj)
 	})
+	require.NoError(t, err)

 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(testBucketName, conn.ConvertToKey(testId), &obj)
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	if obj.Key != updatedObj.Key || obj.Value != updatedObj.Value {
 		t.Fatalf("expected %s:%s, got %s:%s instead", updatedObj.Key, updatedObj.Value, obj.Key, obj.Value)
@@ -90,16 +76,12 @@ func TestTxs(t *testing.T) {
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.DeleteObject(testBucketName, conn.ConvertToKey(testId))
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(testBucketName, conn.ConvertToKey(testId), &obj)
 	})
-	if !dataservices.IsErrObjectNotFound(err) {
-		t.Fatal(err)
-	}
+	require.True(t, dataservices.IsErrObjectNotFound(err))

 	// Get next identifier
 	err = conn.UpdateTx(func(tx portainer.Transaction) error {
@@ -112,15 +94,11 @@ func TestTxs(t *testing.T) {

 		return nil
 	})
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)

 	// Try to write in a read transaction
 	err = conn.ViewTx(func(tx portainer.Transaction) error {
 		return tx.CreateObjectWithId(testBucketName, testId, newObj)
 	})
-	if err == nil {
-		t.Fatal("an error was expected, got nil instead")
-	}
+	require.Error(t, err)
 }
--- a/api/database/database_test.go
+++ b/api/database/database_test.go
@@ -0,0 +1,24 @@
+package database
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/api/database/boltdb"
+	"github.com/portainer/portainer/api/filesystem"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewDatabase(t *testing.T) {
+	dbPath := filesystem.JoinPaths(t.TempDir(), "test.db")
+	connection, err := NewDatabase("boltdb", dbPath, nil, false)
+	require.NoError(t, err)
+	require.NotNil(t, connection)
+
+	_, ok := connection.(*boltdb.DbConnection)
+	require.True(t, ok)
+
+	connection, err = NewDatabase("unknown", dbPath, nil, false)
+	require.Error(t, err)
+	require.Nil(t, connection)
+}
--- a/api/dataservices/base_test.go
+++ b/api/dataservices/base_test.go
@@ -21,7 +21,7 @@ type mockConnection struct {
 	portainer.Connection
 }

-func (m mockConnection) UpdateObject(bucket string, key []byte, value interface{}) error {
+func (m mockConnection) UpdateObject(bucket string, key []byte, value any) error {
 	obj := value.(*testObject)

 	m.store[obj.ID] = *obj
@@ -50,7 +50,6 @@ func (m mockConnection) ViewTx(fn func(portainer.Transaction) error) error {
 func (m mockConnection) ConvertToKey(v int) []byte {
 	return []byte(strconv.Itoa(v))
 }
-
 func TestReadAll(t *testing.T) {
 	service := BaseDataService[testObject, int]{
 		Bucket:     "testBucket",
--- a/api/dataservices/base_tx.go
+++ b/api/dataservices/base_tx.go
@@ -72,3 +72,13 @@ func (service BaseDataServiceTx[T, I]) Delete(ID I) error {
 	identifier := service.Connection.ConvertToKey(int(ID))
 	return service.Tx.DeleteObject(service.Bucket, identifier)
 }
+
+func Read[T any](tx portainer.Transaction, bucket string, key []byte) (*T, error) {
+	var element T
+
+	if err := tx.GetObject(bucket, key, &element); err != nil {
+		return nil, err
+	}
+
+	return &element, nil
+}
--- a/api/dataservices/edgestack/edgestack_test.go
+++ b/api/dataservices/edgestack/edgestack_test.go
@@ -5,6 +5,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/stretchr/testify/require"
 )
@@ -14,7 +15,7 @@ func TestUpdate(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer conn.Close()
+	defer logs.CloseAndLogErr(conn)

 	service, err := NewService(conn, func(portainer.Transaction, portainer.EdgeStackID) {})
 	require.NoError(t, err)
--- a/api/dataservices/endpoint/endpoint.go
+++ b/api/dataservices/endpoint/endpoint.go
@@ -119,6 +119,19 @@ func (service *Service) Endpoints() ([]portainer.Endpoint, error) {
 	return endpoints, nil
 }

+// ReadAll retrieves all the elements that satisfy all the provided predicates.
+func (service *Service) ReadAll(predicates ...func(endpoint portainer.Endpoint) bool) ([]portainer.Endpoint, error) {
+	var endpoints []portainer.Endpoint
+	var err error
+
+	err = service.connection.ViewTx(func(tx portainer.Transaction) error {
+		endpoints, err = service.Tx(tx).ReadAll(predicates...)
+		return err
+	})
+
+	return endpoints, err
+}
+
 // EndpointIDByEdgeID returns the EndpointID from the given EdgeID using an in-memory index
 func (service *Service) EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool) {
 	service.mu.RLock()
--- a/api/dataservices/endpoint/tx.go
+++ b/api/dataservices/endpoint/tx.go
@@ -89,6 +89,11 @@ func (service ServiceTx) Endpoints() ([]portainer.Endpoint, error) {
 	)
 }

+// ReadAll retrieves all the elements that satisfy all the provided predicates.
+func (service ServiceTx) ReadAll(predicates ...func(endpoint portainer.Endpoint) bool) ([]portainer.Endpoint, error) {
+	return dataservices.BaseDataServiceTx[portainer.Endpoint, portainer.EndpointID]{Bucket: BucketName, Connection: service.service.connection, Tx: service.tx}.ReadAll(predicates...)
+}
+
 func (service ServiceTx) EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool) {
 	log.Error().Str("func", "EndpointIDByEdgeID").Msg("cannot be called inside a transaction")

--- a/api/dataservices/endpointrelation/endpointrelation_test.go
+++ b/api/dataservices/endpointrelation/endpointrelation_test.go
@@ -7,6 +7,7 @@ import (
 	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/dataservices/edgestack"
 	"github.com/portainer/portainer/api/internal/edge/cache"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/stretchr/testify/require"
 )
@@ -20,7 +21,7 @@ func TestUpdateRelation(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer conn.Close()
+	defer logs.CloseAndLogErr(conn)

 	service, err := NewService(conn)
 	require.NoError(t, err)
@@ -109,7 +110,7 @@ func TestAddEndpointRelationsForEdgeStack(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer conn.Close()
+	defer logs.CloseAndLogErr(conn)

 	service, err := NewService(conn)
 	require.NoError(t, err)
@@ -128,7 +129,7 @@ func TestEndpointRelations(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer conn.Close()
+	defer logs.CloseAndLogErr(conn)

 	service, err := NewService(conn)
 	require.NoError(t, err)
@@ -136,5 +137,5 @@ func TestEndpointRelations(t *testing.T) {
 	require.NoError(t, service.Create(&portainer.EndpointRelation{EndpointID: 1}))
 	rels, err := service.EndpointRelations()
 	require.NoError(t, err)
-	require.Equal(t, 1, len(rels))
+	require.Len(t, rels, 1)
 }
--- a/api/dataservices/errors/errors.go
+++ b/api/dataservices/errors/errors.go
@@ -6,7 +6,7 @@ import (

 var (
 	ErrObjectNotFound     = errors.New("object not found inside the database")
-	ErrWrongDBEdition     = errors.New("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
+	ErrWrongDBEdition     = errors.New("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://docs.portainer.io/faqs/upgrading/can-i-downgrade-from-portainer-business-to-portainer-ce")
 	ErrDBImportFailed     = errors.New("importing backup failed")
 	ErrDatabaseIsUpdating = errors.New("database is currently in updating state. Failed prior upgrade. Please restore from backup or delete the database and restart Portainer")
 )
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -102,6 +102,9 @@ type (

 	// EndpointService represents a service for managing environment(endpoint) data
 	EndpointService interface {
+		// partial dataservices.BaseCRUD[portainer.Endpoint, portainer.EndpointID]
+		ReadAll(predicates ...func(endpoint portainer.Endpoint) bool) ([]portainer.Endpoint, error)
+
 		Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error)
 		EndpointIDByEdgeID(edgeID string) (portainer.EndpointID, bool)
 		EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.Endpoint, error)
@@ -223,6 +226,7 @@ type (
 	UserService interface {
 		BaseCRUD[portainer.User, portainer.UserID]
 		UserByUsername(username string) (*portainer.User, error)
+		UserIDByUsername(username string) (portainer.UserID, error)
 		UsersByRole(role portainer.UserRole) ([]portainer.User, error)
 	}

--- a/api/dataservices/resourcecontrol/resourcecontrol.go
+++ b/api/dataservices/resourcecontrol/resourcecontrol.go
@@ -3,6 +3,7 @@ package resourcecontrol
 import (
 	"errors"
 	"fmt"
+	"slices"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -64,11 +65,9 @@ func (service *Service) ResourceControlByResourceIDAndType(resourceID string, re
 				return nil, stop
 			}

-			for _, subResourceID := range rc.SubResourceIDs {
-				if subResourceID == resourceID {
-					resourceControl = rc
-					return nil, stop
-				}
+			if slices.Contains(rc.SubResourceIDs, resourceID) {
+				resourceControl = rc
+				return nil, stop
 			}

 			return &portainer.ResourceControl{}, nil
--- a/api/dataservices/resourcecontrol/tx.go
+++ b/api/dataservices/resourcecontrol/tx.go
@@ -3,6 +3,7 @@ package resourcecontrol
 import (
 	"errors"
 	"fmt"
+	"slices"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -35,11 +36,9 @@ func (service ServiceTx) ResourceControlByResourceIDAndType(resourceID string, r
 				return nil, stop
 			}

-			for _, subResourceID := range rc.SubResourceIDs {
-				if subResourceID == resourceID {
-					resourceControl = rc
-					return nil, stop
-				}
+			if slices.Contains(rc.SubResourceIDs, resourceID) {
+				resourceControl = rc
+				return nil, stop
 			}

 			return &portainer.ResourceControl{}, nil
--- a/api/dataservices/ssl/ssl.go
+++ b/api/dataservices/ssl/ssl.go
@@ -31,6 +31,13 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}, nil
 }

+func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		service: service,
+		tx:      tx,
+	}
+}
+
 // Settings retrieve the ssl settings object.
 func (service *Service) Settings() (*portainer.SSLSettings, error) {
 	var settings portainer.SSLSettings
--- a/api/dataservices/ssl/tx.go
+++ b/api/dataservices/ssl/tx.go
@@ -0,0 +1,31 @@
+package ssl
+
+import (
+	portainer "github.com/portainer/portainer/api"
+)
+
+type ServiceTx struct {
+	service *Service
+	tx      portainer.Transaction
+}
+
+func (service ServiceTx) BucketName() string {
+	return BucketName
+}
+
+// Settings retrieve the settings object.
+func (service ServiceTx) Settings() (*portainer.SSLSettings, error) {
+	var settings portainer.SSLSettings
+
+	err := service.tx.GetObject(BucketName, []byte(key), &settings)
+	if err != nil {
+		return nil, err
+	}
+
+	return &settings, nil
+}
+
+// UpdateSettings persists a Settings object.
+func (service ServiceTx) UpdateSettings(settings *portainer.SSLSettings) error {
+	return service.tx.UpdateObject(BucketName, []byte(key), settings)
+}
--- a/api/dataservices/stack/tests/stack_test.go
+++ b/api/dataservices/stack/tests/stack_test.go
@@ -4,17 +4,18 @@ import (
 	"testing"
 	"time"

-	"github.com/portainer/portainer/api/datastore"
-
-	"github.com/gofrs/uuid"
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/filesystem"
+
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func newGuidString(t *testing.T) string {
-	uuid, err := uuid.NewV4()
-	assert.NoError(t, err)
+	uuid, err := uuid.NewRandom()
+	require.NoError(t, err)

 	return uuid.String()
 }
@@ -41,7 +42,7 @@ func TestService_StackByWebhookID(t *testing.T) {

 	// can find a stack by webhook ID
 	got, err := store.StackService.StackByWebhookID(webhookID)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, stack, *got)

 	// returns nil and object not found error if there's no stack associated with the webhook
@@ -94,10 +95,10 @@ func Test_RefreshableStacks(t *testing.T) {

 	for _, stack := range []*portainer.Stack{&staticStack, &stackWithWebhook, &refreshableStack} {
 		err := store.Stack().Create(stack)
-		assert.NoError(t, err)
+		require.NoError(t, err)
 	}

 	stacks, err := store.Stack().RefreshableStacks()
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.ElementsMatch(t, []portainer.Stack{refreshableStack}, stacks)
 }
--- a/api/dataservices/team/tests/team_test.go
+++ b/api/dataservices/team/tests/team_test.go
@@ -5,7 +5,9 @@ import (

 	"github.com/portainer/portainer/api/dataservices/errors"
 	"github.com/portainer/portainer/api/datastore"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func Test_teamByName(t *testing.T) {
@@ -13,7 +15,7 @@ func Test_teamByName(t *testing.T) {
 		_, store := datastore.MustNewTestStore(t, true, true)

 		_, err := store.Team().TeamByName("name")
-		assert.ErrorIs(t, err, errors.ErrObjectNotFound)
+		require.ErrorIs(t, err, errors.ErrObjectNotFound)

 	})

@@ -29,7 +31,7 @@ func Test_teamByName(t *testing.T) {
 		teamBuilder.createNew("name1")

 		_, err := store.Team().TeamByName("name")
-		assert.ErrorIs(t, err, errors.ErrObjectNotFound)
+		require.ErrorIs(t, err, errors.ErrObjectNotFound)
 	})

 	t.Run("When there is an object with the same name should return the object", func(t *testing.T) {
@@ -44,7 +46,7 @@ func Test_teamByName(t *testing.T) {
 		expectedTeam := teamBuilder.createNew("name1")

 		team, err := store.Team().TeamByName("name1")
-		assert.NoError(t, err, "TeamByName should succeed")
+		require.NoError(t, err, "TeamByName should succeed")
 		assert.Equal(t, expectedTeam, team)
 	})
 }
--- a/api/dataservices/user/tx.go
+++ b/api/dataservices/user/tx.go
@@ -36,6 +36,18 @@ func (service ServiceTx) UserByUsername(username string) (*portainer.User, error
 	return nil, err
 }

+func (service ServiceTx) UserIDByUsername(username string) (portainer.UserID, error) {
+	user, err := service.UserByUsername(username)
+	if err != nil {
+		return 0, err
+	}
+
+	if user == nil {
+		return 0, dserrors.ErrObjectNotFound
+	}
+	return user.ID, nil
+}
+
 // UsersByRole return an array containing all the users with the specified role.
 func (service ServiceTx) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
 	var users = make([]portainer.User, 0)
--- a/api/dataservices/user/user.go
+++ b/api/dataservices/user/user.go
@@ -65,6 +65,18 @@ func (service *Service) UserByUsername(username string) (*portainer.User, error)
 	return nil, err
 }

+func (service *Service) UserIDByUsername(username string) (portainer.UserID, error) {
+	user, err := service.UserByUsername(username)
+	if err != nil {
+		return 0, err
+	}
+
+	if user == nil {
+		return 0, dserrors.ErrObjectNotFound
+	}
+	return user.ID, nil
+}
+
 // UsersByRole return an array containing all the users with the specified role.
 func (service *Service) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
 	var users = make([]portainer.User, 0)
--- a/api/dataservices/version/tx.go
+++ b/api/dataservices/version/tx.go
@@ -0,0 +1,70 @@
+package version
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/database/models"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+type ServiceTx struct {
+	dataservices.BaseDataServiceTx[models.Version, int] // ID is not used
+}
+
+func (tx ServiceTx) InstanceID() (string, error) {
+	v, err := tx.Version()
+	if err != nil {
+		return "", err
+	}
+
+	return v.InstanceID, nil
+}
+
+func (tx ServiceTx) UpdateInstanceID(ID string) error {
+	v, err := tx.Version()
+	if err != nil {
+		if !dataservices.IsErrObjectNotFound(err) {
+			return err
+		}
+
+		v = &models.Version{}
+	}
+
+	v.InstanceID = ID
+
+	return tx.UpdateVersion(v)
+}
+
+func (tx ServiceTx) Edition() (portainer.SoftwareEdition, error) {
+	v, err := tx.Version()
+	if err != nil {
+		return 0, err
+	}
+
+	return portainer.SoftwareEdition(v.Edition), nil
+}
+
+func (tx ServiceTx) Version() (*models.Version, error) {
+	var v models.Version
+
+	err := tx.Tx.GetObject(BucketName, []byte(versionKey), &v)
+	if err != nil {
+		return nil, err
+	}
+
+	return &v, nil
+}
+
+func (tx ServiceTx) UpdateVersion(version *models.Version) error {
+	return tx.Tx.UpdateObject(BucketName, []byte(versionKey), version)
+}
+
+func (tx ServiceTx) SchemaVersion() (string, error) {
+	var v models.Version
+
+	err := tx.Tx.GetObject(BucketName, []byte(versionKey), &v)
+	if err != nil {
+		return "", err
+	}
+
+	return v.SchemaVersion, nil
+}
--- a/api/dataservices/version/version.go
+++ b/api/dataservices/version/version.go
@@ -33,6 +33,16 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}, nil
 }

+func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		BaseDataServiceTx: dataservices.BaseDataServiceTx[models.Version, int]{
+			Bucket:     BucketName,
+			Connection: service.connection,
+			Tx:         tx,
+		},
+	}
+}
+
 func (service *Service) SchemaVersion() (string, error) {
 	v, err := service.Version()
 	if err != nil {
--- a/api/datastore/backup.go
+++ b/api/datastore/backup.go
@@ -14,33 +14,40 @@ import (
 // corruption and if a path is not given a default is used.
 // The path or an error are returned.
 func (store *Store) Backup(path string) (string, error) {
+	if err := store.Close(); err != nil {
+		return "", fmt.Errorf("failed to close store before backup: %w", err)
+	}
+
+	filename, err := store.backupDBFile(path)
+	if err != nil {
+		return "", err
+	}
+
+	if _, err := store.Open(); err != nil {
+		return "", fmt.Errorf("failed to reopen store after backup: %w", err)
+	}
+
+	return filename, nil
+}
+
+// backupDBFile copies the database file to the backup location.
+// Does not manage connection state - works with the database file directly regardless of connection state.
+func (store *Store) backupDBFile(backupPath string) (string, error) {
 	if err := store.createBackupPath(); err != nil {
 		return "", err
 	}

 	backupFilename := store.backupFilename()
-	if path != "" {
-		backupFilename = path
-	}
-	log.Info().Str("from", store.connection.GetDatabaseFilePath()).Str("to", backupFilename).Msgf("Backing up database")
-
-	// Close the store before backing up
-	err := store.Close()
-	if err != nil {
-		return "", fmt.Errorf("failed to close store before backup: %w", err)
+	if backupPath != "" {
+		backupFilename = backupPath
 	}

-	err = store.fileService.Copy(store.connection.GetDatabaseFilePath(), backupFilename, true)
-	if err != nil {
+	log.Info().Str("from", store.connection.GetDatabaseFilePath()).Str("to", backupFilename).Msg("Backing up database")
+
+	if err := store.fileService.Copy(store.connection.GetDatabaseFilePath(), backupFilename, true); err != nil {
 		return "", fmt.Errorf("failed to create backup file: %w", err)
 	}

-	// reopen the store
-	_, err = store.Open()
-	if err != nil {
-		return "", fmt.Errorf("failed to reopen store after backup: %w", err)
-	}
-
 	return backupFilename, nil
 }

@@ -50,15 +57,17 @@ func (store *Store) Restore() error {
 }

 func (store *Store) RestoreFromFile(backupFilename string) error {
-	store.Close()
+	if err := store.Close(); err != nil {
+		return err
+	}
+
 	if err := store.fileService.Copy(backupFilename, store.connection.GetDatabaseFilePath(), true); err != nil {
 		return fmt.Errorf("unable to restore backup file %q. err: %w", backupFilename, err)
 	}

 	log.Info().Str("from", backupFilename).Str("to", store.connection.GetDatabaseFilePath()).Msgf("database restored")

-	_, err := store.Open()
-	if err != nil {
+	if _, err := store.Open(); err != nil {
 		return fmt.Errorf("unable to determine version of restored portainer backup file: %w", err)
 	}

@@ -80,6 +89,7 @@ func (store *Store) createBackupPath() error {
 			return fmt.Errorf("unable to create backup folder: %w", err)
 		}
 	}
+
 	return nil
 }

--- a/api/datastore/backup_test.go
+++ b/api/datastore/backup_test.go
@@ -1,19 +1,20 @@
 package datastore

 import (
+	"os"
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/database/models"
+	"github.com/stretchr/testify/require"

 	"github.com/rs/zerolog/log"
 )

 func TestStoreCreation(t *testing.T) {
 	_, store := MustNewTestStore(t, true, true)
-	if store == nil {
-		t.Fatal("Expect to create a store")
-	}
+	require.NotNil(t, store)

 	v, err := store.VersionService.Version()
 	if err != nil {
@@ -37,8 +38,12 @@ func TestBackup(t *testing.T) {
 			Edition:       int(portainer.PortainerCE),
 			SchemaVersion: portainer.APIVersion,
 		}
-		store.VersionService.UpdateVersion(&v)
-		store.Backup("")
+
+		err := store.VersionService.UpdateVersion(&v)
+		require.NoError(t, err)
+
+		_, err = store.Backup("")
+		require.NoError(t, err)

 		if !isFileExist(backupFileName) {
 			t.Errorf("Expect backup file to be created %s", backupFileName)
@@ -54,10 +59,14 @@ func TestRestore(t *testing.T) {
 		updateEdition(store, portainer.PortainerCE)
 		updateVersion(store, "2.4")

-		store.Backup("")
+		_, err := store.Backup("")
+		require.NoError(t, err)
+
 		updateVersion(store, "2.16")
 		testVersion(store, "2.16", t)
-		store.Restore()
+
+		err = store.Restore()
+		require.NoError(t, err)

 		// check if the restore is successful and the version is correct
 		testVersion(store, "2.4", t)
@@ -67,13 +76,65 @@ func TestRestore(t *testing.T) {
 		// override and set initial db version and edition
 		updateEdition(store, portainer.PortainerCE)
 		updateVersion(store, "2.4")
-		store.Backup("")
+
+		_, err := store.Backup("")
+		require.NoError(t, err)
+
 		updateVersion(store, "2.14")
 		updateVersion(store, "2.16")
 		testVersion(store, "2.16", t)
-		store.Restore()
+
+		err = store.Restore()
+		require.NoError(t, err)

 		// check if the restore is successful and the version is correct
 		testVersion(store, "2.4", t)
 	})
 }
+
+func TestBackupDBFile(t *testing.T) {
+	_, store := MustNewTestStore(t, true, false)
+
+	t.Run("creates backup file without managing connection state", func(t *testing.T) {
+		// Verify connection is usable before
+		_, err := store.VersionService.Version()
+		require.NoError(t, err, "connection should be usable before backupDBFile")
+
+		// backupDBFile should work without closing the connection
+		backupFilename, err := store.backupDBFile("")
+		require.NoError(t, err)
+		require.FileExists(t, backupFilename)
+
+		// Verify connection is still usable after (not closed/reopened)
+		_, err = store.VersionService.Version()
+		require.NoError(t, err, "connection should still be usable after backupDBFile")
+
+		require.NoError(t, os.Remove(backupFilename))
+	})
+
+	t.Run("uses custom path when provided", func(t *testing.T) {
+		customPath := t.TempDir() + "/custom-backup.db"
+		backupFilename, err := store.backupDBFile(customPath)
+		require.NoError(t, err)
+		require.Equal(t, customPath, backupFilename)
+		require.FileExists(t, backupFilename)
+	})
+}
+
+func TestBackupDBFileUsesCorrectPath(t *testing.T) {
+	_, store := MustNewTestStore(t, true, false)
+
+	t.Run("backs up unencrypted db when encrypted flag is false", func(t *testing.T) {
+		store.connection.SetEncrypted(false)
+
+		backupFilename, err := store.backupDBFile("")
+		require.NoError(t, err)
+		require.FileExists(t, backupFilename)
+
+		// Verify it backed up the unencrypted file (portainer.db)
+		require.Contains(t, backupFilename, boltdb.DatabaseFileName)
+		require.NotContains(t, backupFilename, boltdb.EncryptedDatabaseFileName)
+
+		require.NoError(t, os.Remove(backupFilename))
+	})
+}
--- a/api/datastore/datastore.go
+++ b/api/datastore/datastore.go
@@ -32,34 +32,38 @@ func (store *Store) Open() (newStore bool, err error) {
 	}

 	if encryptionReq {
-		backupFilename, err := store.Backup("")
+		// NeedsEncryptionMigration() sets encrypted=true as a side effect when a key exists.
+		// We need to set it back to false so GetDatabaseFilePath() returns the path to the
+		// actual unencrypted file (portainer.db) that we want to back up.
+		store.connection.SetEncrypted(false)
+
+		// Use backupDBFile directly since connection isn't open yet
+		// and we don't want to trigger the close/open cycle of Backup()
+		backupFilename, err := store.backupDBFile("")
 		if err != nil {
 			return false, fmt.Errorf("failed to backup database prior to encrypting: %w", err)
 		}

-		err = store.encryptDB()
-		if err != nil {
-			store.RestoreFromFile(backupFilename) // restore from backup if encryption fails
-			return false, err
+		if err := store.encryptDB(); err != nil {
+			innerErr := store.RestoreFromFile(backupFilename) // restore from backup if encryption fails
+			return false, errors.Join(err, innerErr)
 		}
 	}

-	err = store.connection.Open()
-	if err != nil {
+	if err := store.connection.Open(); err != nil {
 		return false, err
 	}

-	err = store.initServices()
-	if err != nil {
+	if err := store.initServices(); err != nil {
 		return false, err
 	}

 	// If no settings object exists then assume we have a new store
-	_, err = store.SettingsService.Settings()
-	if err != nil {
+	if _, err := store.SettingsService.Settings(); err != nil {
 		if store.IsErrObjectNotFound(err) {
 			return true, nil
 		}
+
 		return false, err
 	}

@@ -72,19 +76,13 @@ func (store *Store) Close() error {

 func (store *Store) UpdateTx(fn func(dataservices.DataStoreTx) error) error {
 	return store.connection.UpdateTx(func(tx portainer.Transaction) error {
-		return fn(&StoreTx{
-			store: store,
-			tx:    tx,
-		})
+		return fn(&StoreTx{store: store, tx: tx})
 	})
 }

 func (store *Store) ViewTx(fn func(dataservices.DataStoreTx) error) error {
 	return store.connection.ViewTx(func(tx portainer.Transaction) error {
-		return fn(&StoreTx{
-			store: store,
-			tx:    tx,
-		})
+		return fn(&StoreTx{store: store, tx: tx})
 	})
 }

@@ -99,6 +97,7 @@ func (store *Store) CheckCurrentEdition() error {
 	if store.edition() != portainer.Edition {
 		return portainerErrors.ErrWrongDBEdition
 	}
+
 	return nil
 }

@@ -107,6 +106,7 @@ func (store *Store) edition() portainer.SoftwareEdition {
 	if store.IsErrObjectNotFound(err) {
 		edition = portainer.PortainerCE
 	}
+
 	return edition
 }

@@ -125,13 +125,11 @@ func (store *Store) Rollback(force bool) error {

 func (store *Store) encryptDB() error {
 	store.connection.SetEncrypted(false)
-	err := store.connection.Open()
-	if err != nil {
+	if err := store.connection.Open(); err != nil {
 		return err
 	}

-	err = store.initServices()
-	if err != nil {
+	if err := store.initServices(); err != nil {
 		return err
 	}

@@ -144,8 +142,7 @@ func (store *Store) encryptDB() error {

 	log.Info().Str("filename", exportFilename).Msg("exporting database backup")

-	err = store.Export(exportFilename)
-	if err != nil {
+	if err := store.Export(exportFilename); err != nil {
 		log.Error().Str("filename", exportFilename).Err(err).Msg("failed to export")

 		return err
@@ -154,38 +151,33 @@ func (store *Store) encryptDB() error {
 	log.Info().Msg("database backup exported")

 	// Close existing un-encrypted db so that we can delete the file later
-	store.connection.Close()
-
-	// Tell the db layer to create an encrypted db when opened
-	store.connection.SetEncrypted(true)
-	store.connection.Open()
-
-	// We have to init services before import
-	err = store.initServices()
-	if err != nil {
+	if err := store.connection.Close(); err != nil {
 		return err
 	}

-	err = store.Import(exportFilename)
-	if err != nil {
+	if err := store.Import(exportFilename); err != nil {
+		log.Error().Err(err).Msg("failed to import database backup")
+
 		// Remove the new encrypted file that we failed to import
-		os.Remove(store.connection.GetDatabaseFilePath())
+		if err := os.Remove(store.connection.GetDatabaseFilePath()); err != nil {
+			log.Error().Msg("failed to remove the file after import failure")
+		}

 		log.Fatal().Err(portainerErrors.ErrDBImportFailed).Msg("")
 	}

-	err = os.Remove(oldFilename)
-	if err != nil {
+	if err := os.Remove(oldFilename); err != nil {
 		log.Error().Msg("failed to remove the un-encrypted db file")
 	}

-	err = os.Remove(exportFilename)
-	if err != nil {
+	if err := os.Remove(exportFilename); err != nil {
 		log.Error().Msg("failed to remove the json backup file")
 	}

 	// Close db connection
-	store.connection.Close()
+	if err := store.connection.Close(); err != nil {
+		return err
+	}

 	log.Info().Msg("database successfully encrypted")

--- a/api/datastore/datastore_test.go
+++ b/api/datastore/datastore_test.go
@@ -6,12 +6,14 @@ import (
 	"strings"
 	"testing"

-	"github.com/dchest/uniuri"
-	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/chisel"
 	"github.com/portainer/portainer/api/crypto"
+
+	"github.com/dchest/uniuri"
+	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 const (
@@ -30,56 +32,32 @@ func TestStoreFull(t *testing.T) {
 	_, store := MustNewTestStore(t, true, true)

 	testCases := map[string]func(t *testing.T){
-		"User Accounts": func(t *testing.T) {
-			store.testUserAccounts(t)
-		},
-		"Environments": func(t *testing.T) {
-			store.testEnvironments(t)
-		},
-		"Settings": func(t *testing.T) {
-			store.testSettings(t)
-		},
-		"SSL Settings": func(t *testing.T) {
-			store.testSSLSettings(t)
-		},
-		"Tunnel Server": func(t *testing.T) {
-			store.testTunnelServer(t)
-		},
-		"Custom Templates": func(t *testing.T) {
-			store.testCustomTemplates(t)
-		},
-		"Registries": func(t *testing.T) {
-			store.testRegistries(t)
-		},
-		"Resource Control": func(t *testing.T) {
-			store.testResourceControl(t)
-		},
-		"Schedules": func(t *testing.T) {
-			store.testSchedules(t)
-		},
-		"Tags": func(t *testing.T) {
-			store.testTags(t)
-		},
-
-		// "Test Title": func(t *testing.T) {
-		// },
+		"User Accounts":    store.testUserAccounts,
+		"Environments":     store.testEnvironments,
+		"Settings":         store.testSettings,
+		"SSL Settings":     store.testSSLSettings,
+		"Tunnel Server":    store.testTunnelServer,
+		"Custom Templates": store.testCustomTemplates,
+		"Registries":       store.testRegistries,
+		"Resource Control": store.testResourceControl,
+		"Schedules":        store.testSchedules,
+		"Tags":             store.testTags,
 	}

 	for name, test := range testCases {
 		t.Run(name, test)
 	}
-
 }

 func (store *Store) testEnvironments(t *testing.T) {
 	id := store.CreateEndpoint(t, "local", portainer.KubernetesLocalEnvironment, "", true)
-	store.CreateEndpointRelation(id)
+	store.CreateEndpointRelation(t, id)

 	id = store.CreateEndpoint(t, "agent", portainer.AgentOnDockerEnvironment, agentOnDockerEnvironmentUrl, true)
-	store.CreateEndpointRelation(id)
+	store.CreateEndpointRelation(t, id)

 	id = store.CreateEndpoint(t, "edge", portainer.EdgeAgentOnKubernetesEnvironment, edgeAgentOnKubernetesEnvironmentUrl, true)
-	store.CreateEndpointRelation(id)
+	store.CreateEndpointRelation(t, id)
 }

 func newEndpoint(endpointType portainer.EndpointType, id portainer.EndpointID, name, URL string, TLS bool) *portainer.Endpoint {
@@ -112,18 +90,7 @@ func newEndpoint(endpointType portainer.EndpointType, id portainer.EndpointID, n
 }

 func setEndpointAuthorizations(endpoint *portainer.Endpoint) {
-	endpoint.SecuritySettings = portainer.EndpointSecuritySettings{
-		AllowVolumeBrowserForRegularUsers: false,
-		EnableHostManagementFeatures:      false,
-
-		AllowSysctlSettingForRegularUsers:         true,
-		AllowBindMountsForRegularUsers:            true,
-		AllowPrivilegedModeForRegularUsers:        true,
-		AllowHostNamespaceForRegularUsers:         true,
-		AllowContainerCapabilitiesForRegularUsers: true,
-		AllowDeviceMappingForRegularUsers:         true,
-		AllowStackManagementForRegularUsers:       true,
-	}
+	endpoint.SecuritySettings = portainer.DefaultEndpointSecuritySettings()
 }

 func (store *Store) CreateEndpoint(t *testing.T, name string, endpointType portainer.EndpointType, URL string, tls bool) portainer.EndpointID {
@@ -164,22 +131,25 @@ func (store *Store) CreateEndpoint(t *testing.T, name string, endpointType porta
 	}

 	setEndpointAuthorizations(expectedEndpoint)
-	store.Endpoint().Create(expectedEndpoint)
+
+	err := store.Endpoint().Create(expectedEndpoint)
+	require.NoError(t, err)

 	endpoint, err := store.Endpoint().Endpoint(id)
-	is.NoError(err, "Endpoint() should not return an error")
+	require.NoError(t, err, "Endpoint() should not return an error")
 	is.Equal(expectedEndpoint, endpoint, "endpoint should be the same")

 	return endpoint.ID
 }

-func (store *Store) CreateEndpointRelation(id portainer.EndpointID) {
+func (store *Store) CreateEndpointRelation(t *testing.T, id portainer.EndpointID) {
 	relation := &portainer.EndpointRelation{
 		EndpointID: id,
 		EdgeStacks: map[portainer.EdgeStackID]bool{},
 	}

-	store.EndpointRelation().Create(relation)
+	err := store.EndpointRelation().Create(relation)
+	require.NoError(t, err)
 }

 func (store *Store) testSSLSettings(t *testing.T) {
@@ -191,10 +161,11 @@ func (store *Store) testSSLSettings(t *testing.T) {
 		SelfSigned:  true,
 	}

-	store.SSLSettings().UpdateSettings(ssl)
+	err := store.SSLSettings().UpdateSettings(ssl)
+	require.NoError(t, err)

 	settings, err := store.SSLSettings().Settings()
-	is.NoError(err, "Get sslsettings should succeed")
+	require.NoError(t, err, "Get sslsettings should succeed")
 	is.Equal(ssl, settings, "Stored SSLSettings should be the same as what is read out")
 }

@@ -203,27 +174,27 @@ func (store *Store) testTunnelServer(t *testing.T) {
 	expectPrivateKeySeed := uniuri.NewLen(16)

 	err := store.TunnelServer().UpdateInfo(&portainer.TunnelServerInfo{PrivateKeySeed: expectPrivateKeySeed})
-	is.NoError(err, "UpdateInfo should have succeeded")
+	require.NoError(t, err, "UpdateInfo should have succeeded")

 	serverInfo, err := store.TunnelServer().Info()
-	is.NoError(err, "Info should have succeeded")
+	require.NoError(t, err, "Info should have succeeded")

 	is.Equal(expectPrivateKeySeed, serverInfo.PrivateKeySeed, "hashed passwords should not differ")
 }

 // add users, read them back and check the details are unchanged
 func (store *Store) testUserAccounts(t *testing.T) {
-	is := assert.New(t)
-
 	err := store.createAccount(adminUsername, adminPassword, portainer.AdministratorRole)
-	is.NoError(err, "CreateAccount should succeed")
-	store.checkAccount(adminUsername, adminPassword, portainer.AdministratorRole)
-	is.NoError(err, "Account failure")
+	require.NoError(t, err, "CreateAccount should succeed")
+
+	err = store.checkAccount(adminUsername, adminPassword, portainer.AdministratorRole)
+	require.NoError(t, err, "Account failure")

 	err = store.createAccount(standardUsername, standardPassword, portainer.StandardUserRole)
-	is.NoError(err, "CreateAccount should succeed")
-	store.checkAccount(standardUsername, standardPassword, portainer.StandardUserRole)
-	is.NoError(err, "Account failure")
+	require.NoError(t, err, "CreateAccount should succeed")
+
+	err = store.checkAccount(standardUsername, standardPassword, portainer.StandardUserRole)
+	require.NoError(t, err, "Account failure")
 }

 // create an account with the provided details
@@ -238,12 +209,7 @@ func (store *Store) createAccount(username, password string, role portainer.User
 		return err
 	}

-	err = store.User().Create(user)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return store.User().Create(user)
 }

 func (store *Store) checkAccount(username, expectPassword string, expectRole portainer.UserRole) error {
@@ -260,12 +226,7 @@ func (store *Store) checkAccount(username, expectPassword string, expectRole por

 	// Check the password
 	cs := crypto.Service{}
-	expectPasswordHash, err := cs.Hash(expectPassword)
-	if err != nil {
-		return errors.Wrap(err, "hash failed")
-	}
-
-	if user.Password != expectPasswordHash {
+	if cs.CompareHashAndData(user.Password, expectPassword) != nil {
 		return fmt.Errorf("%s user password hash failure", user.Username)
 	}

@@ -277,7 +238,7 @@ func (store *Store) testSettings(t *testing.T) {

 	// since many settings are default and basically nil, I'm going to update some and read them back
 	expectedSettings, err := store.Settings().Settings()
-	is.NoError(err, "Settings() should not return an error")
+	require.NoError(t, err, "Settings() should not return an error")
 	expectedSettings.TemplatesURL = "http://portainer.io/application-templates"
 	expectedSettings.HelmRepositoryURL = "http://portainer.io/helm-repository"
 	expectedSettings.EdgeAgentCheckinInterval = 60
@@ -291,10 +252,10 @@ func (store *Store) testSettings(t *testing.T) {
 	expectedSettings.SnapshotInterval = "10m"

 	err = store.Settings().UpdateSettings(expectedSettings)
-	is.NoError(err, "UpdateSettings() should succeed")
+	require.NoError(t, err, "UpdateSettings() should succeed")

 	settings, err := store.Settings().Settings()
-	is.NoError(err, "Settings() should not return an error")
+	require.NoError(t, err, "Settings() should not return an error")
 	is.Equal(expectedSettings, settings, "stored settings should match")
 }

@@ -314,10 +275,11 @@ func (store *Store) testCustomTemplates(t *testing.T) {
 		CreatedByUserID: 10,
 	}

-	customTemplate.Create(expectedTemplate)
+	err := customTemplate.Create(expectedTemplate)
+	require.NoError(t, err)

 	actualTemplate, err := customTemplate.Read(expectedTemplate.ID)
-	is.NoError(err, "CustomTemplate should not return an error")
+	require.NoError(t, err, "CustomTemplate should not return an error")
 	is.Equal(expectedTemplate, actualTemplate, "expected and actual template do not match")
 }

@@ -345,17 +307,17 @@ func (store *Store) testRegistries(t *testing.T) {
 	}

 	err := regService.Create(reg1)
-	is.NoError(err)
+	require.NoError(t, err)

 	err = regService.Create(reg2)
-	is.NoError(err)
+	require.NoError(t, err)

 	actualReg1, err := regService.Read(reg1.ID)
-	is.NoError(err)
+	require.NoError(t, err)
 	is.Equal(reg1, actualReg1, "registries differ")

 	actualReg2, err := regService.Read(reg2.ID)
-	is.NoError(err)
+	require.NoError(t, err)
 	is.Equal(reg2, actualReg2, "registries differ")
 }

@@ -378,10 +340,10 @@ func (store *Store) testSchedules(t *testing.T) {
 	}

 	err := schedule.CreateSchedule(s)
-	is.NoError(err, "CreateSchedule should succeed")
+	require.NoError(t, err, "CreateSchedule should succeed")

 	actual, err := schedule.Schedule(s.ID)
-	is.NoError(err, "schedule should be found")
+	require.NoError(t, err, "schedule should be found")
 	is.Equal(s, actual, "schedules differ")
 }

@@ -401,16 +363,16 @@ func (store *Store) testTags(t *testing.T) {
 	}

 	err := tags.Create(tag1)
-	is.NoError(err, "Tags.Create should succeed")
+	require.NoError(t, err, "Tags.Create should succeed")

 	err = tags.Create(tag2)
-	is.NoError(err, "Tags.Create should succeed")
+	require.NoError(t, err, "Tags.Create should succeed")

 	actual, err := tags.Read(tag1.ID)
-	is.NoError(err, "tag1 should be found")
+	require.NoError(t, err, "tag1 should be found")
 	is.Equal(tag1, actual, "tags differ")

 	actual, err = tags.Read(tag2.ID)
-	is.NoError(err, "tag2 should be found")
+	require.NoError(t, err, "tag2 should be found")
 	is.Equal(tag2, actual, "tags differ")
 }
--- a/api/datastore/init.go
+++ b/api/datastore/init.go
@@ -31,7 +31,6 @@ func (store *Store) checkOrCreateDefaultSettings() error {
 	settings, err := store.SettingsService.Settings()
 	if store.IsErrObjectNotFound(err) {
 		defaultSettings := &portainer.Settings{
-			EnableTelemetry:      false,
 			AuthenticationMethod: portainer.AuthenticationInternal,
 			BlackListedLabels:    make([]portainer.Pair, 0),
 			InternalAuthSettings: portainer.InternalAuthSettings{
--- a/api/datastore/migrate_data_test.go
+++ b/api/datastore/migrate_data_test.go
@@ -9,14 +9,15 @@ import (
 	"path/filepath"
 	"testing"

-	"github.com/Masterminds/semver"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/datastore/migrator"

+	"github.com/Masterminds/semver/v3"
 	"github.com/google/go-cmp/cmp"
 	"github.com/rs/zerolog/log"
+	"github.com/stretchr/testify/require"
 )

 func TestMigrateData(t *testing.T) {
@@ -53,9 +54,11 @@ func TestMigrateData(t *testing.T) {
 		}

 		testVersion(store, portainer.APIVersion, t)
-		store.Close()
+		err := store.Close()
+		require.NoError(t, err)

-		newStore, _ = store.Open()
+		newStore, err = store.Open()
+		require.NoError(t, err)
 		if newStore {
 			t.Error("Expect store to NOT be new DB")
 		}
@@ -63,8 +66,11 @@ func TestMigrateData(t *testing.T) {

 	t.Run("MigrateData should create backup file upon update", func(t *testing.T) {
 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.UpdateVersion(&models.Version{SchemaVersion: "1.0", Edition: int(portainer.PortainerCE)})
-		store.MigrateData()
+		err := store.VersionService.UpdateVersion(&models.Version{SchemaVersion: "2.0", Edition: int(portainer.PortainerCE)})
+		require.NoError(t, err)
+
+		err = store.MigrateData()
+		require.NoError(t, err)

 		backupfilename := store.backupFilename()
 		if exists, _ := store.fileService.FileExists(backupfilename); !exists {
@@ -73,21 +79,28 @@ func TestMigrateData(t *testing.T) {
 	})

 	t.Run("MigrateData should recover and restore backup during migration critical failure", func(t *testing.T) {
-		os.Setenv("PORTAINER_TEST_MIGRATE_FAIL", "FAIL")
+		t.Setenv("PORTAINER_TEST_MIGRATE_FAIL", "FAIL")

 		version := "2.15"
 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.UpdateVersion(&models.Version{SchemaVersion: version, Edition: int(portainer.PortainerCE)})
-		store.MigrateData()

-		store.Open()
+		err := store.VersionService.UpdateVersion(&models.Version{SchemaVersion: version, Edition: int(portainer.PortainerCE)})
+		require.NoError(t, err)
+
+		err = store.MigrateData()
+		require.Error(t, err)
+
 		testVersion(store, version, t)
 	})

 	t.Run("MigrateData should fail to create backup if database file is set to updating", func(t *testing.T) {
 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.StoreIsUpdating(true)
-		store.MigrateData()
+
+		err := store.VersionService.StoreIsUpdating(true)
+		require.NoError(t, err)
+
+		err = store.MigrateData()
+		require.Error(t, err)

 		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
 		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
@@ -115,10 +128,12 @@ func TestMigrateData(t *testing.T) {

 		if latestMigrations.Version.Equal(semver.MustParse(portainer.APIVersion)) {
 			v.MigratorCount = len(latestMigrations.MigrationFuncs)
-			store.VersionService.UpdateVersion(v)
+			err = store.VersionService.UpdateVersion(v)
+			require.NoError(t, err)
 		}

-		store.MigrateData()
+		err = store.MigrateData()
+		require.NoError(t, err)

 		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
 		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
@@ -141,8 +156,12 @@ func TestMigrateData(t *testing.T) {
 		}

 		v.MigratorCount = 1000
-		store.VersionService.UpdateVersion(v)
-		store.MigrateData()
+
+		err = store.VersionService.UpdateVersion(v)
+		require.NoError(t, err)
+
+		err = store.MigrateData()
+		require.NoError(t, err)

 		// If you get an error, it usually means that the backup folder doesn't exist (no backups). Expected!
 		// If the backup file is not blank, then it means a backup was created.  We don't want that because we
@@ -158,14 +177,14 @@ func TestRollback(t *testing.T) {
 	t.Run("Rollback should restore upgrade after backup", func(t *testing.T) {
 		version := "2.11"

-		v := models.Version{
-			SchemaVersion: version,
-		}
+		v := models.Version{SchemaVersion: version}

 		_, store := MustNewTestStore(t, false, false)
-		store.VersionService.UpdateVersion(&v)

-		_, err := store.Backup("")
+		err := store.VersionService.UpdateVersion(&v)
+		require.NoError(t, err)
+
+		_, err = store.Backup("")
 		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
@@ -184,7 +203,9 @@ func TestRollback(t *testing.T) {
 			return
 		}

-		store.Open()
+		_, err = store.Open()
+		require.NoError(t, err)
+
 		testVersion(store, version, t)
 	})

@@ -197,9 +218,11 @@ func TestRollback(t *testing.T) {
 		}

 		_, store := MustNewTestStore(t, true, false)
-		store.VersionService.UpdateVersion(&v)

-		_, err := store.Backup("")
+		err := store.VersionService.UpdateVersion(&v)
+		require.NoError(t, err)
+
+		_, err = store.Backup("")
 		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
@@ -218,7 +241,8 @@ func TestRollback(t *testing.T) {
 			return
 		}

-		store.Open()
+		_, err = store.Open()
+		require.NoError(t, err)
 		testVersion(store, version, t)
 	})
 }
@@ -237,17 +261,17 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 	_, store := MustNewTestStore(t, true, false)

 	fmt.Println("store.path=", store.GetConnection().GetDatabaseFilePath())
-	store.connection.DeleteObject("version", []byte("VERSION"))
+
+	err = store.connection.DeleteObject("version", []byte("VERSION"))
+	require.NoError(t, err)

 	//	defer teardown()
-	err = importJSON(t, bytes.NewReader(srcJSON), store)
-	if err != nil {
+	if err := importJSON(t, bytes.NewReader(srcJSON), store); err != nil {
 		return err
 	}

 	// Run the actual migrations on our input database.
-	err = store.MigrateData()
-	if err != nil {
+	if err := store.MigrateData(); err != nil {
 		return err
 	}

@@ -260,8 +284,7 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 		}

 		v.InstanceID = "463d5c47-0ea5-4aca-85b1-405ceefee254"
-		err = store.VersionService.UpdateVersion(v)
-		if err != nil {
+		if err := store.VersionService.UpdateVersion(v); err != nil {
 			return err
 		}
 	}
@@ -270,10 +293,10 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 	// exportJson rather than ExportRaw. The exportJson function allows us to
 	// strip out the metadata which we don't want for our tests.
 	// TODO: update connection interface in CE to allow us to use ExportRaw and pass meta false
-	err = store.connection.Close()
-	if err != nil {
+	if err := store.connection.Close(); err != nil {
 		t.Fatalf("err closing bolt connection: %v", err)
 	}
+
 	con, ok := store.connection.(*boltdb.DbConnection)
 	if !ok {
 		t.Fatalf("backing database is not using boltdb, but the migrations test requires it")
@@ -302,11 +325,15 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 	// Compare the result we got with the one we wanted.
 	if diff := cmp.Diff(wantJSON, gotJSON); diff != "" {
 		gotPath := filepath.Join(os.TempDir(), "portainer-migrator-test-fail.json")
-		os.WriteFile(
+		err = os.WriteFile(
 			gotPath,
 			gotJSON,
 			0o600,
 		)
+		if err != nil {
+			log.Warn().Err(err).Msg("failed writing migrated output to temp file")
+		}
+
 		t.Errorf(
 			"migrate data from %s to %s failed\nwrote migrated input to %s\nmismatch (-want +got):\n%s",
 			srcPath,
--- a/api/datastore/migrate_dbversion33_test.go
+++ b/api/datastore/migrate_dbversion33_test.go
@@ -6,7 +6,9 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore/migrator"
 	gittypes "github.com/portainer/portainer/api/git/types"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestMigrateStackEntryPoint(t *testing.T) {
@@ -28,25 +30,25 @@ func TestMigrateStackEntryPoint(t *testing.T) {

 	for _, s := range stacks {
 		err := stackService.Create(s)
-		assert.NoError(t, err, "failed to create stack")
+		require.NoError(t, err, "failed to create stack")
 	}

 	s, err := stackService.Read(1)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Nil(t, s.GitConfig, "first stack should not have git config")

 	s, err = stackService.Read(2)
-	assert.NoError(t, err)
-	assert.Equal(t, "", s.GitConfig.ConfigFilePath, "not migrated yet migrated")
+	require.NoError(t, err)
+	assert.Empty(t, s.GitConfig.ConfigFilePath, "not migrated yet migrated")

 	err = migrator.MigrateStackEntryPoint(stackService)
-	assert.NoError(t, err, "failed to migrate entry point to Git ConfigFilePath")
+	require.NoError(t, err, "failed to migrate entry point to Git ConfigFilePath")

 	s, err = stackService.Read(1)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Nil(t, s.GitConfig, "first stack should not have git config")

 	s, err = stackService.Read(2)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, "dir/sub/compose.yml", s.GitConfig.ConfigFilePath, "second stack should have config file path migrated")
 }
--- a/api/datastore/migrate_legacyversion.go
+++ b/api/datastore/migrate_legacyversion.go
@@ -105,12 +105,18 @@ func (store *Store) getOrMigrateLegacyVersion() (*models.Version, error) {

 // finishMigrateLegacyVersion writes the new version to the DB and removes the old version keys from the DB
 func (store *Store) finishMigrateLegacyVersion(versionToWrite *models.Version) error {
-	err := store.VersionService.UpdateVersion(versionToWrite)
+	if err := store.VersionService.UpdateVersion(versionToWrite); err != nil {
+		return err
+	}

 	// Remove legacy keys if present
-	store.connection.DeleteObject(bucketName, []byte(legacyDBVersionKey))
-	store.connection.DeleteObject(bucketName, []byte(legacyEditionKey))
-	store.connection.DeleteObject(bucketName, []byte(legacyInstanceKey))
+	if err := store.connection.DeleteObject(bucketName, []byte(legacyDBVersionKey)); err != nil {
+		return err
+	}

-	return err
+	if err := store.connection.DeleteObject(bucketName, []byte(legacyEditionKey)); err != nil {
+		return err
+	}
+
+	return store.connection.DeleteObject(bucketName, []byte(legacyInstanceKey))
 }
--- a/api/datastore/migrator/migrate_2_33_test.go
+++ b/api/datastore/migrator/migrate_2_33_test.go
@@ -6,6 +6,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/dataservices/edgegroup"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/stretchr/testify/require"
 )
@@ -15,7 +16,7 @@ func TestMigrateEdgeGroupEndpointsToRoars_2_33_0Idempotency(t *testing.T) {
 	err := conn.Open()
 	require.NoError(t, err)

-	defer conn.Close()
+	defer logs.CloseAndLogErr(conn)

 	edgeGroupService, err := edgegroup.NewService(conn)
 	require.NoError(t, err)
@@ -39,7 +40,7 @@ func TestMigrateEdgeGroupEndpointsToRoars_2_33_0Idempotency(t *testing.T) {
 	migratedEdgeGroup, err := edgeGroupService.Read(edgeGroup.ID)
 	require.NoError(t, err)

-	require.Len(t, migratedEdgeGroup.Endpoints, 0)
+	require.Empty(t, migratedEdgeGroup.Endpoints)
 	require.Equal(t, len(edgeGroup.Endpoints), migratedEdgeGroup.EndpointIDs.Len())

 	// Run migration again to ensure the results didn't change
@@ -50,6 +51,6 @@ func TestMigrateEdgeGroupEndpointsToRoars_2_33_0Idempotency(t *testing.T) {
 	migratedEdgeGroup, err = edgeGroupService.Read(edgeGroup.ID)
 	require.NoError(t, err)

-	require.Len(t, migratedEdgeGroup.Endpoints, 0)
+	require.Empty(t, migratedEdgeGroup.Endpoints)
 	require.Equal(t, len(edgeGroup.Endpoints), migratedEdgeGroup.EndpointIDs.Len())
 }
--- a/api/datastore/migrator/migrate_ce.go
+++ b/api/datastore/migrator/migrate_ce.go
@@ -7,7 +7,7 @@ import (
 	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"

-	"github.com/Masterminds/semver"
+	"github.com/Masterminds/semver/v3"
 	"github.com/rs/zerolog/log"
 )

@@ -95,7 +95,7 @@ func (m *Migrator) NeedsMigration() bool {

 	// In this particular instance we should log a fatal error
 	if m.CurrentDBEdition() != portainer.PortainerCE {
-		log.Fatal().Msg("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
+		log.Fatal().Msg("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://docs.portainer.io/faqs/upgrading/can-i-downgrade-from-portainer-business-to-portainer-ce")

 		return false
 	}
--- a/api/datastore/migrator/migrate_dbversion24.go
+++ b/api/datastore/migrator/migrate_dbversion24.go
@@ -21,7 +21,6 @@ func (m *Migrator) updateSettingsToDB25() error {
 	}

 	legacySettings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
-	legacySettings.EnableTelemetry = true

 	legacySettings.AllowContainerCapabilitiesForRegularUsers = true

--- a/api/datastore/migrator/migrate_dbversion31.go
+++ b/api/datastore/migrator/migrate_dbversion31.go
@@ -77,8 +77,12 @@ func (m *Migrator) updateRegistriesToDB32() error {
 				Namespaces:         []string{},
 			}
 		}
-		m.registryService.Update(registry.ID, &registry)
+
+		if err := m.registryService.Update(registry.ID, &registry); err != nil {
+			return err
+		}
 	}
+
 	return nil
 }

@@ -121,10 +125,11 @@ func (m *Migrator) updateDockerhubToDB32() error {
 			if !migrated {
 				// keep this one entry
 				migrated = true
-			} else {
 				// delete subsequent duplicates
-				m.registryService.Delete(r.ID)
+			} else if err := m.registryService.Delete(r.ID); err != nil {
+				return err
 			}
+
 		}
 	}

@@ -138,7 +143,6 @@ func (m *Migrator) updateDockerhubToDB32() error {
 	}

 	for _, endpoint := range endpoints {
-
 		if endpoint.Type != portainer.KubernetesLocalEnvironment &&
 			endpoint.Type != portainer.AgentOnKubernetesEnvironment &&
 			endpoint.Type != portainer.EdgeAgentOnKubernetesEnvironment {
@@ -146,18 +150,14 @@ func (m *Migrator) updateDockerhubToDB32() error {
 			userAccessPolicies := portainer.UserAccessPolicies{}
 			for userId := range endpoint.UserAccessPolicies {
 				if _, found := endpoint.UserAccessPolicies[userId]; found {
-					userAccessPolicies[userId] = portainer.AccessPolicy{
-						RoleID: 0,
-					}
+					userAccessPolicies[userId] = portainer.AccessPolicy{RoleID: 0}
 				}
 			}

 			teamAccessPolicies := portainer.TeamAccessPolicies{}
 			for teamId := range endpoint.TeamAccessPolicies {
 				if _, found := endpoint.TeamAccessPolicies[teamId]; found {
-					teamAccessPolicies[teamId] = portainer.AccessPolicy{
-						RoleID: 0,
-					}
+					teamAccessPolicies[teamId] = portainer.AccessPolicy{RoleID: 0}
 				}
 			}

--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -29,7 +29,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/version"
 	"github.com/portainer/portainer/api/internal/authorization"

-	"github.com/Masterminds/semver"
+	"github.com/Masterminds/semver/v3"
 	"github.com/rs/zerolog/log"
 )

@@ -258,6 +258,8 @@ func (m *Migrator) initMigrations() {

 	m.addMigrations("2.33.1", m.migrateEdgeGroupEndpointsToRoars_2_33_0)

+	// WARNING: do not change migrations that have already been released!
+
 	// Add new migrations above...
 	// One function per migration, each versions migration funcs in the same file.
 }
--- a/api/datastore/pendingactions_test.go
+++ b/api/datastore/pendingactions_test.go
@@ -6,6 +6,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/pendingactions/actions"
 	"github.com/portainer/portainer/api/pendingactions/handlers"
+	"github.com/stretchr/testify/require"
 )

 type cleanNAPWithOverridePolicies struct {
@@ -16,7 +17,10 @@ func Test_ConvertCleanNAPWithOverridePoliciesPayload(t *testing.T) {
 	t.Run("test ConvertCleanNAPWithOverridePoliciesPayload", func(t *testing.T) {

 		_, store := MustNewTestStore(t, true, false)
-		defer store.Close()
+		defer func() {
+			err := store.Close()
+			require.NoError(t, err)
+		}()

 		gid := portainer.EndpointGroupID(1)

@@ -92,7 +96,8 @@ func Test_ConvertCleanNAPWithOverridePoliciesPayload(t *testing.T) {
 				})
 			}

-			store.PendingActions().Delete(d.PendingAction.ID)
+			err = store.PendingActions().Delete(d.PendingAction.ID)
+			require.NoError(t, err)
 		}
 	})
 }
--- a/api/datastore/postinit/migrate_post_init.go
+++ b/api/datastore/postinit/migrate_post_init.go
@@ -1,8 +1,10 @@
 package postinit

 import (
+	"cmp"
 	"context"
 	"fmt"
+	"slices"

 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
@@ -11,6 +13,7 @@ import (
 	dockerClient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/api/kubernetes/cli"
+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/api/pendingactions/actions"
 	"github.com/portainer/portainer/pkg/endpoints"

@@ -43,40 +46,65 @@ func NewPostInitMigrator(

 // PostInitMigrate will run all post-init migrations, which require docker/kube clients for all edge or non-edge environments
 func (postInitMigrator *PostInitMigrator) PostInitMigrate() error {
-	environments, err := postInitMigrator.dataStore.Endpoint().Endpoints()
-	if err != nil {
-		log.Error().Err(err).Msg("Error getting environments")
-		return err
-	}
+	var environments []portainer.Endpoint

-	for _, environment := range environments {
-		// edge environments will run after the server starts, in pending actions
-		if endpoints.IsEdgeEndpoint(&environment) {
-			// Skip edge environments that do not have direct connectivity
-			if !endpoints.HasDirectConnectivity(&environment) {
+	if err := postInitMigrator.dataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		if environments, err = tx.Endpoint().ReadAll(func(endpoint portainer.Endpoint) bool {
+			return endpoints.HasDirectConnectivity(&endpoint)
+		}); err != nil {
+			return fmt.Errorf("failed to retrieve environments: %w", err)
+		}
+
+		var pendingActions []portainer.PendingAction
+		if pendingActions, err = tx.PendingActions().ReadAll(func(action portainer.PendingAction) bool {
+			return action.Action == actions.PostInitMigrateEnvironment
+		}); err != nil {
+			return fmt.Errorf("failed to retrieve pending actions: %w", err)
+		}
+
+		// Sort for the binary search in createPostInitMigrationPendingAction()
+		slices.SortFunc(pendingActions, func(a, b portainer.PendingAction) int {
+			return cmp.Compare(a.EndpointID, b.EndpointID)
+		})
+
+		for _, environment := range environments {
+			if !endpoints.IsEdgeEndpoint(&environment) {
 				continue
 			}

+			// Edge environments will run after the server starts, in pending actions
 			log.Info().
 				Int("endpoint_id", int(environment.ID)).
 				Msg("adding pending action 'PostInitMigrateEnvironment' for environment")

-			if err := postInitMigrator.createPostInitMigrationPendingAction(environment.ID); err != nil {
+			if err := postInitMigrator.createPostInitMigrationPendingAction(tx, environment.ID, pendingActions); err != nil {
 				log.Error().
 					Err(err).
 					Int("endpoint_id", int(environment.ID)).
 					Msg("error creating pending action for environment")
 			}
-		} else {
-			// Non-edge environments will run before the server starts.
-			if err := postInitMigrator.MigrateEnvironment(&environment); err != nil {
-				log.Error().
-					Err(err).
-					Int("endpoint_id", int(environment.ID)).
-					Msg("error running post-init migrations for non-edge environment")
-			}
 		}

+		return err
+	}); err != nil {
+		log.Error().Err(err).Msg("error running post-init migrations")
+
+		return err
+	}
+
+	for _, environment := range environments {
+		if endpoints.IsEdgeEndpoint(&environment) {
+			continue
+		}
+
+		// Non-edge environments will run before the server starts.
+		if err := postInitMigrator.MigrateEnvironment(&environment); err != nil {
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error running post-init migrations for non-edge environment")
+		}
 	}

 	return nil
@@ -84,56 +112,73 @@ func (postInitMigrator *PostInitMigrator) PostInitMigrate() error {

 // try to create a post init migration pending action. If it already exists, do nothing
 // this function exists for readability, not reusability
-func (postInitMigrator *PostInitMigrator) createPostInitMigrationPendingAction(environmentID portainer.EndpointID) error {
+// pending actions must be passed in ascending order by endpoint ID
+func (postInitMigrator *PostInitMigrator) createPostInitMigrationPendingAction(tx dataservices.DataStoreTx, environmentID portainer.EndpointID, pendingActions []portainer.PendingAction) error {
 	action := portainer.PendingAction{
 		EndpointID: environmentID,
 		Action:     actions.PostInitMigrateEnvironment,
 	}
-	pendingActions, err := postInitMigrator.dataStore.PendingActions().ReadAll()
-	if err != nil {
-		return fmt.Errorf("failed to retrieve pending actions: %w", err)
+
+	if _, found := slices.BinarySearchFunc(pendingActions, environmentID, func(e portainer.PendingAction, id portainer.EndpointID) int {
+		return cmp.Compare(e.EndpointID, id)
+	}); found {
+		log.Debug().
+			Str("action", action.Action).
+			Int("endpoint_id", int(action.EndpointID)).
+			Msg("pending action already exists for environment, skipping...")
+
+		return nil
 	}

-	for _, dba := range pendingActions {
-		if dba.EndpointID == action.EndpointID && dba.Action == action.Action {
-			log.Debug().
-				Str("action", action.Action).
-				Int("endpoint_id", int(action.EndpointID)).
-				Msg("pending action already exists for environment, skipping...")
-			return nil
-		}
-	}
-
-	return postInitMigrator.dataStore.PendingActions().Create(&action)
+	return tx.PendingActions().Create(&action)
 }

 // MigrateEnvironment runs migrations on a single environment
 func (migrator *PostInitMigrator) MigrateEnvironment(environment *portainer.Endpoint) error {
-	log.Info().Msgf("Executing post init migration for environment %d", environment.ID)
+	log.Info().
+		Int("endpoint_id", int(environment.ID)).
+		Msg("executing post init migration for environment")

 	switch {
 	case endpointutils.IsKubernetesEndpoint(environment):
 		// get the kubeclient for the environment, and skip all kube migrations if there's an error
 		kubeclient, err := migrator.kubeFactory.GetPrivilegedKubeClient(environment)
 		if err != nil {
-			log.Error().Err(err).Msgf("Error creating kubeclient for environment: %d", environment.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error creating kubeclient for environment")
+
 			return err
 		}
-		// if one environment fails, it is logged and the next migration runs. The error is returned at the end and handled by pending actions
-		err = migrator.MigrateIngresses(*environment, kubeclient)
-		if err != nil {
+
+		// If one environment fails, it is logged and the next migration runs. The error is returned at the end and handled by pending actions
+		if err := migrator.MigrateIngresses(*environment, kubeclient); err != nil {
 			return err
 		}
+
 		return nil
 	case endpointutils.IsDockerEndpoint(environment):
 		// get the docker client for the environment, and skip all docker migrations if there's an error
 		dockerClient, err := migrator.dockerFactory.CreateClient(environment, "", nil)
 		if err != nil {
-			log.Error().Err(err).Msgf("Error creating docker client for environment: %d", environment.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error creating docker client for environment")
+
+			return err
+		}
+		defer logs.CloseAndLogErr(dockerClient)
+
+		if err := migrator.MigrateGPUs(*environment, dockerClient); err != nil {
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error migrating GPUs for environment")
+
 			return err
 		}
-		defer dockerClient.Close()
-		migrator.MigrateGPUs(*environment, dockerClient)
 	}

 	return nil
@@ -144,13 +189,20 @@ func (migrator *PostInitMigrator) MigrateIngresses(environment portainer.Endpoin
 	if !environment.PostInitMigrations.MigrateIngresses {
 		return nil
 	}
-	log.Debug().Msgf("Migrating ingresses for environment %d", environment.ID)

-	err := migrator.kubeFactory.MigrateEndpointIngresses(&environment, migrator.dataStore, kubeclient)
-	if err != nil {
-		log.Error().Err(err).Msgf("Error migrating ingresses for environment %d", environment.ID)
+	log.Debug().
+		Int("endpoint_id", int(environment.ID)).
+		Msg("migrating ingresses for environment")
+
+	if err := migrator.kubeFactory.MigrateEndpointIngresses(&environment, migrator.dataStore, kubeclient); err != nil {
+		log.Error().
+			Err(err).
+			Int("endpoint_id", int(environment.ID)).
+			Msg("error migrating ingresses for environment")
+
 		return err
 	}
+
 	return nil
 }

@@ -160,29 +212,42 @@ func (migrator *PostInitMigrator) MigrateGPUs(e portainer.Endpoint, dockerClient
 	return migrator.dataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
 		environment, err := tx.Endpoint().Endpoint(e.ID)
 		if err != nil {
-			log.Error().Err(err).Msgf("Error getting environment %d", e.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(e.ID)).
+				Msg("error getting environment")
+
 			return err
 		}
+
 		// Early exit if we do not need to migrate!
 		if !environment.PostInitMigrations.MigrateGPUs {
 			return nil
 		}
-		log.Debug().Msgf("Migrating GPUs for environment %d", e.ID)

-		// get all containers
+		log.Debug().
+			Int("endpoint_id", int(e.ID)).
+			Msg("migrating GPUs for environment")
+
+		// Get all containers
 		containers, err := dockerClient.ContainerList(context.Background(), container.ListOptions{All: true})
 		if err != nil {
-			log.Error().Err(err).Msgf("failed to list containers for environment %d", environment.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("failed to list containers for environment")
+
 			return err
 		}

-		// check for a gpu on each container. If even one GPU is found, set EnableGPUManagement to true for the whole environment
+		// Check for a gpu on each container. If even one GPU is found, set EnableGPUManagement to true for the whole environment
 	containersLoop:
 		for _, container := range containers {
 			// https://www.sobyte.net/post/2022-10/go-docker/ has nice documentation on the docker client with GPUs
 			containerDetails, err := dockerClient.ContainerInspect(context.Background(), container.ID)
 			if err != nil {
 				log.Error().Err(err).Msg("failed to inspect container")
+
 				continue
 			}

@@ -196,10 +261,14 @@ func (migrator *PostInitMigrator) MigrateGPUs(e portainer.Endpoint, dockerClient
 			}
 		}

-		// set the MigrateGPUs flag to false so we don't run this again
+		// Set the MigrateGPUs flag to false so we don't run this again
 		environment.PostInitMigrations.MigrateGPUs = false
 		if err := tx.Endpoint().UpdateEndpoint(environment.ID, environment); err != nil {
-			log.Error().Err(err).Msgf("Error updating EnableGPUManagement flag for environment %d", environment.ID)
+			log.Error().
+				Err(err).
+				Int("endpoint_id", int(environment.ID)).
+				Msg("error updating EnableGPUManagement flag for environment")
+
 			return err
 		}

--- a/api/datastore/postinit/migrate_post_init_test.go
+++ b/api/datastore/postinit/migrate_post_init_test.go
@@ -22,8 +22,9 @@ func TestMigrateGPUs(t *testing.T) {
 		if strings.HasSuffix(r.URL.Path, "/containers/json") {
 			containerSummary := []container.Summary{{ID: "container1"}}

-			err := json.NewEncoder(w).Encode(containerSummary)
-			require.NoError(t, err)
+			if err := json.NewEncoder(w).Encode(containerSummary); err != nil {
+				w.WriteHeader(http.StatusInternalServerError)
+			}

 			return
 		}
@@ -41,8 +42,9 @@ func TestMigrateGPUs(t *testing.T) {
 			},
 		}

-		err := json.NewEncoder(w).Encode(container)
-		require.NoError(t, err)
+		if err := json.NewEncoder(w).Encode(container); err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+		}
 	}))
 	defer srv.Close()

@@ -129,12 +131,12 @@ func TestPostInitMigrate_PendingActionsCreated(t *testing.T) {
 				EdgeID: "edgeID",
 			}
 			err := store.Endpoint().Create(endpoint)
-			is.NoError(err, "error creating endpoint")
+			require.NoError(t, err, "error creating endpoint")

 			// Create any existing pending actions
 			for _, action := range tt.existingPendingActions {
 				err = store.PendingActions().Create(action)
-				is.NoError(err, "error creating pending action")
+				require.NoError(t, err, "error creating pending action")
 			}

 			migrator := NewPostInitMigrator(
@@ -146,11 +148,11 @@ func TestPostInitMigrate_PendingActionsCreated(t *testing.T) {
 			)

 			err = migrator.PostInitMigrate()
-			is.NoError(err, "PostInitMigrate should not return error")
+			require.NoError(t, err, "PostInitMigrate should not return error")

 			// Verify the results
 			pendingActions, err := store.PendingActions().ReadAll()
-			is.NoError(err, "error reading pending actions")
+			require.NoError(t, err, "error reading pending actions")
 			is.Len(pendingActions, tt.expectedPendingActions, "unexpected number of pending actions")

 			// If we expect any actions, verify at least one has the expected action type
@@ -160,9 +162,11 @@ func TestPostInitMigrate_PendingActionsCreated(t *testing.T) {
 					if action.Action == tt.expectedAction {
 						hasExpectedAction = true
 						is.Equal(endpoint.ID, action.EndpointID, "action should reference correct endpoint")
+
 						break
 					}
 				}
+
 				is.True(hasExpectedAction, "should have found action of expected type")
 			}
 		})
--- a/api/datastore/services.go
+++ b/api/datastore/services.go
@@ -391,16 +391,16 @@ type storeExport struct {
 	ResourceControl    []portainer.ResourceControl    `json:"resource_control,omitempty"`
 	Role               []portainer.Role               `json:"roles,omitempty"`
 	Schedules          []portainer.Schedule           `json:"schedules,omitempty"`
-	Settings           portainer.Settings             `json:"settings,omitempty"`
+	Settings           portainer.Settings             `json:"settings,omitzero"`
 	Snapshot           []portainer.Snapshot           `json:"snapshots,omitempty"`
-	SSLSettings        portainer.SSLSettings          `json:"ssl,omitempty"`
+	SSLSettings        portainer.SSLSettings          `json:"ssl,omitzero"`
 	Stack              []portainer.Stack              `json:"stacks,omitempty"`
 	Tag                []portainer.Tag                `json:"tags,omitempty"`
 	TeamMembership     []portainer.TeamMembership     `json:"team_membership,omitempty"`
 	Team               []portainer.Team               `json:"teams,omitempty"`
-	TunnelServer       portainer.TunnelServerInfo     `json:"tunnel_server,omitempty"`
+	TunnelServer       portainer.TunnelServerInfo     `json:"tunnel_server,omitzero"`
 	User               []portainer.User               `json:"users,omitempty"`
-	Version            models.Version                 `json:"version,omitempty"`
+	Version            models.Version                 `json:"version,omitzero"`
 	Webhook            []portainer.Webhook            `json:"webhooks,omitempty"`
 	Metadata           map[string]any                 `json:"metadata,omitempty"`
 }
@@ -625,85 +625,129 @@ func (store *Store) Import(filename string) (err error) {
 		return err
 	}

-	store.Version().UpdateVersion(&backup.Version)
+	err = store.Version().UpdateVersion(&backup.Version)
+	if err != nil {
+		return err
+	}

 	for _, v := range backup.CustomTemplate {
-		store.CustomTemplate().Update(v.ID, &v)
+		if err := store.CustomTemplate().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the custom template in the database")
+		}
 	}

 	for _, v := range backup.EdgeGroup {
-		store.EdgeGroup().Update(v.ID, &v)
+		if err := store.EdgeGroup().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the edge group in the database")
+		}
 	}

 	for _, v := range backup.EdgeJob {
-		store.EdgeJob().Update(v.ID, &v)
+		if err := store.EdgeJob().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the edge job in the database")
+		}
 	}

 	for _, v := range backup.EdgeStack {
-		store.EdgeStack().UpdateEdgeStack(v.ID, &v)
+		if err := store.EdgeStack().UpdateEdgeStack(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the edge stack in the database")
+		}
 	}

 	for _, v := range backup.Endpoint {
-		store.Endpoint().UpdateEndpoint(v.ID, &v)
+		if err := store.Endpoint().UpdateEndpoint(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the endpoint in the database")
+		}
 	}

 	for _, v := range backup.EndpointGroup {
-		store.EndpointGroup().Update(v.ID, &v)
+		if err := store.EndpointGroup().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the endpoint group in the database")
+		}
 	}

 	for _, v := range backup.EndpointRelation {
-		store.EndpointRelation().UpdateEndpointRelation(v.EndpointID, &v)
+		if err := store.EndpointRelation().UpdateEndpointRelation(v.EndpointID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the endpoint relation in the database")
+		}
 	}

 	for _, v := range backup.HelmUserRepository {
-		store.HelmUserRepository().Update(v.ID, &v)
+		if err := store.HelmUserRepository().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the helm user repository in the database")
+		}
 	}

 	for _, v := range backup.Registry {
-		store.Registry().Update(v.ID, &v)
+		if err := store.Registry().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the registry in the database")
+		}
 	}

 	for _, v := range backup.ResourceControl {
-		store.ResourceControl().Update(v.ID, &v)
+		if err := store.ResourceControl().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the resource control in the database")
+		}
 	}

 	for _, v := range backup.Role {
-		store.Role().Update(v.ID, &v)
+		if err := store.Role().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the role in the database")
+		}
 	}

-	store.Settings().UpdateSettings(&backup.Settings)
-	store.SSLSettings().UpdateSettings(&backup.SSLSettings)
+	if err := store.Settings().UpdateSettings(&backup.Settings); err != nil {
+		log.Warn().Err(err).Msg("failed to update the settings in the database")
+	}
+
+	if err := store.SSLSettings().UpdateSettings(&backup.SSLSettings); err != nil {
+		log.Warn().Err(err).Msg("failed to update the SSL settings in the database")
+	}

 	for _, v := range backup.Snapshot {
-		store.Snapshot().Update(v.EndpointID, &v)
+		if err := store.Snapshot().Update(v.EndpointID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the snapshot in the database")
+		}
 	}

 	for _, v := range backup.Stack {
-		store.Stack().Update(v.ID, &v)
+		if err := store.Stack().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the stack in the database")
+		}
 	}

 	for _, v := range backup.Tag {
-		store.Tag().Update(v.ID, &v)
+		if err := store.Tag().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the tag in the database")
+		}
 	}

 	for _, v := range backup.TeamMembership {
-		store.TeamMembership().Update(v.ID, &v)
+		if err := store.TeamMembership().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the team membership in the database")
+		}
 	}

 	for _, v := range backup.Team {
-		store.Team().Update(v.ID, &v)
+		if err := store.Team().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the team in the database")
+		}
 	}

-	store.TunnelServer().UpdateInfo(&backup.TunnelServer)
+	if err := store.TunnelServer().UpdateInfo(&backup.TunnelServer); err != nil {
+		log.Warn().Err(err).Msg("failed to update the tunnel server info in the database")
+	}

 	for _, user := range backup.User {
 		if err := store.User().Update(user.ID, &user); err != nil {
-			log.Debug().Str("user", fmt.Sprintf("%+v", user)).Err(err).Msg("failed to update the user in the database")
+			log.Warn().Str("user", fmt.Sprintf("%+v", user)).Err(err).Msg("failed to update the user in the database")
 		}
 	}

 	for _, v := range backup.Webhook {
-		store.Webhook().Update(v.ID, &v)
+		if err := store.Webhook().Update(v.ID, &v); err != nil {
+			log.Warn().Err(err).Msg("failed to update the webhook in the database")
+		}
 	}

 	return store.connection.RestoreMetadata(backup.Metadata)
--- a/api/datastore/services_tx.go
+++ b/api/datastore/services_tx.go
@@ -74,7 +74,9 @@ func (tx *StoreTx) Snapshot() dataservices.SnapshotService {
 	return tx.store.SnapshotService.Tx(tx.tx)
 }

-func (tx *StoreTx) SSLSettings() dataservices.SSLSettingsService { return nil }
+func (tx *StoreTx) SSLSettings() dataservices.SSLSettingsService {
+	return tx.store.SSLSettingsService.Tx(tx.tx)
+}

 func (tx *StoreTx) Stack() dataservices.StackService {
 	return tx.store.StackService.Tx(tx.tx)
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -83,13 +83,13 @@
        "MigrateIngresses": true
      },
      "PublicURL": "",
-      "QueryDate": 0,
      "SecuritySettings": {
        "allowBindMountsForRegularUsers": true,
        "allowContainerCapabilitiesForRegularUsers": true,
        "allowDeviceMappingForRegularUsers": true,
        "allowHostNamespaceForRegularUsers": true,
        "allowPrivilegedModeForRegularUsers": true,
+        "allowSecurityOptForRegularUsers": false,
        "allowStackManagementForRegularUsers": true,
        "allowSysctlSettingForRegularUsers": false,
        "allowVolumeBrowserForRegularUsers": false,
@@ -604,7 +604,6 @@
    "EdgeAgentCheckinInterval": 5,
    "EdgePortainerUrl": "",
    "EnableEdgeComputeFeatures": false,
-    "EnableTelemetry": true,
    "EnforceEdgeID": false,
    "FeatureFlagSettings": null,
    "GlobalDeploymentOptions": {
@@ -615,7 +614,7 @@
      "RequiredPasswordLength": 12
    },
    "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.33.2",
+    "KubectlShellImage": "portainer/kubectl-shell:2.39.0",
    "LDAPSettings": {
      "AnonymousMode": true,
      "AutoCreateUsers": true,
@@ -944,7 +943,7 @@
    }
  ],
  "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.33.2\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.39.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
  },
  "webhooks": null
 }
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@@ -11,6 +11,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
+	"github.com/rs/zerolog/log"

 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/client"
@@ -143,11 +144,16 @@ func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error)

 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		resp.Body.Close()
+		if err := resp.Body.Close(); err != nil {
+			log.Warn().Err(err).Msg("failed to close response body")
+		}
+
 		return resp, err
 	}

-	resp.Body.Close()
+	if err := resp.Body.Close(); err != nil {
+		log.Warn().Err(err).Msg("failed to close response body")
+	}

 	resp.Body = io.NopCloser(bytes.NewReader(body))

--- a/api/docker/container.go
+++ b/api/docker/container.go
@@ -8,8 +8,9 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/docker/images"
+	"github.com/portainer/portainer/api/logs"

-	"github.com/Masterminds/semver"
+	"github.com/Masterminds/semver/v3"
 	"github.com/docker/docker/api/types"
 	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
@@ -75,7 +76,7 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 	if err != nil {
 		return nil, errors.Wrap(err, "create client error")
 	}
-	defer cli.Close()
+	defer logs.CloseAndLogErr(cli)

 	log.Debug().Str("container_id", containerId).Msg("starting to fetch container information")

@@ -146,13 +147,19 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End

 	c.sr.push(func() {
 		log.Debug().Str("container_id", containerId).Str("container", container.Name).Msg("restoring the container")
-		cli.ContainerRename(ctx, containerId, container.Name)
-
-		for _, network := range container.NetworkSettings.Networks {
-			cli.NetworkConnect(ctx, network.NetworkID, containerId, network)
+		if err := cli.ContainerRename(ctx, containerId, container.Name); err != nil {
+			log.Warn().Err(err).Msg("failure to rename container")
 		}

-		cli.ContainerStart(ctx, containerId, dockercontainer.StartOptions{})
+		for _, network := range container.NetworkSettings.Networks {
+			if err := cli.NetworkConnect(ctx, network.NetworkID, containerId, network); err != nil {
+				log.Warn().Err(err).Msg("failure to connect container to network")
+			}
+		}
+
+		if err := cli.ContainerStart(ctx, containerId, dockercontainer.StartOptions{}); err != nil {
+			log.Warn().Err(err).Msg("failure to start container")
+		}
 	})

 	log.Debug().Str("container", strings.Split(container.Name, "/")[1]).Msg("starting to create a new container")
@@ -175,8 +182,14 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End

 	c.sr.push(func() {
 		log.Debug().Str("container_id", create.ID).Msg("removing the new container")
-		cli.ContainerStop(ctx, create.ID, dockercontainer.StopOptions{})
-		cli.ContainerRemove(ctx, create.ID, dockercontainer.RemoveOptions{})
+
+		if err := cli.ContainerStop(ctx, create.ID, dockercontainer.StopOptions{}); err != nil {
+			log.Warn().Err(err).Msg("failure to stop container")
+		}
+
+		if err := cli.ContainerRemove(ctx, create.ID, dockercontainer.RemoveOptions{}); err != nil {
+			log.Warn().Err(err).Msg("failure to remove container")
+		}
 	})

 	if err != nil {
--- a/api/docker/container_stats.go
+++ b/api/docker/container_stats.go
@@ -1,37 +0,0 @@
-package docker
-
-import "github.com/docker/docker/api/types"
-
-type ContainerStats struct {
-	Running   int `json:"running"`
-	Stopped   int `json:"stopped"`
-	Healthy   int `json:"healthy"`
-	Unhealthy int `json:"unhealthy"`
-	Total     int `json:"total"`
-}
-
-func CalculateContainerStats(containers []types.Container) ContainerStats {
-	var running, stopped, healthy, unhealthy int
-	for _, container := range containers {
-		switch container.State {
-		case "running":
-			running++
-		case "healthy":
-			running++
-			healthy++
-		case "unhealthy":
-			running++
-			unhealthy++
-		case "exited", "stopped":
-			stopped++
-		}
-	}
-
-	return ContainerStats{
-		Running:   running,
-		Stopped:   stopped,
-		Healthy:   healthy,
-		Unhealthy: unhealthy,
-		Total:     len(containers),
-	}
-}
--- a/api/docker/container_stats_test.go
+++ b/api/docker/container_stats_test.go
@@ -1,27 +0,0 @@
-package docker
-
-import (
-	"testing"
-
-	"github.com/docker/docker/api/types"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestCalculateContainerStats(t *testing.T) {
-	containers := []types.Container{
-		{State: "running"},
-		{State: "running"},
-		{State: "exited"},
-		{State: "stopped"},
-		{State: "healthy"},
-		{State: "unhealthy"},
-	}
-
-	stats := CalculateContainerStats(containers)
-
-	assert.Equal(t, 4, stats.Running)
-	assert.Equal(t, 2, stats.Stopped)
-	assert.Equal(t, 1, stats.Healthy)
-	assert.Equal(t, 1, stats.Unhealthy)
-	assert.Equal(t, 6, stats.Total)
-}
--- a/api/docker/images/digest.go
+++ b/api/docker/images/digest.go
@@ -7,12 +7,12 @@ import (

 	dockerclient "github.com/portainer/portainer/api/docker/client"

-	"github.com/containers/image/v5/docker"
-	imagetypes "github.com/containers/image/v5/types"
 	"github.com/docker/docker/api/types/image"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
+	"go.podman.io/image/v5/docker"
+	imagetypes "go.podman.io/image/v5/types"
 )

 // Options holds docker registry object options
--- a/api/docker/images/image.go
+++ b/api/docker/images/image.go
@@ -7,11 +7,11 @@ import (
 	"strings"
 	"text/template"

-	"github.com/containers/image/v5/docker/reference"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/image"
 	"github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
+	"go.podman.io/image/v5/docker/reference"
 )

 type ImageID string
--- a/api/docker/images/image_test.go
+++ b/api/docker/images/image_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestImageParser(t *testing.T) {
@@ -14,7 +15,7 @@ func TestImageParser(t *testing.T) {
 		image, err := ParseImage(ParseImageOptions{
 			Name: "portainer/portainer-ee",
 		})
-		is.NoError(err, "")
+		require.NoError(t, err)
 		is.Equal("docker.io/portainer/portainer-ee:latest", image.FullName())
 		is.Equal("portainer/portainer-ee", image.Opts.Name)
 		is.Equal("latest", image.Tag)
@@ -30,10 +31,10 @@ func TestImageParser(t *testing.T) {
 		image, err := ParseImage(ParseImageOptions{
 			Name: "gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
-		is.NoError(err, "")
+		require.NoError(t, err)
 		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.FullName())
 		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
-		is.Equal("", image.Tag)
+		is.Empty(image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
 		is.Equal("https://gcr.io/k8s-minikube/kicbase", image.HubLink)
@@ -47,7 +48,7 @@ func TestImageParser(t *testing.T) {
 		image, err := ParseImage(ParseImageOptions{
 			Name: "gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
-		is.NoError(err, "")
+		require.NoError(t, err)
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
@@ -68,8 +69,9 @@ func TestUpdateParsedImage(t *testing.T) {
 		image, err := ParseImage(ParseImageOptions{
 			Name: "gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
-		is.NoError(err, "")
-		_ = image.WithTag("v0.0.31")
+		require.NoError(t, err)
+		err = image.WithTag("v0.0.31")
+		require.NoError(t, err)
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.31", image.FullName())
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.31", image.Tag)
@@ -86,8 +88,9 @@ func TestUpdateParsedImage(t *testing.T) {
 		image, err := ParseImage(ParseImageOptions{
 			Name: "gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
-		is.NoError(err, "")
-		_ = image.WithDigest("sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b3")
+		require.NoError(t, err)
+		err = image.WithDigest("sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b3")
+		require.NoError(t, err)
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
@@ -104,8 +107,9 @@ func TestUpdateParsedImage(t *testing.T) {
 		image, err := ParseImage(ParseImageOptions{
 			Name: "gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
-		is.NoError(err, "")
-		_ = image.TrimDigest()
+		require.NoError(t, err)
+		err = image.TrimDigest()
+		require.NoError(t, err)
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
--- a/api/docker/images/puller.go
+++ b/api/docker/images/puller.go
@@ -5,6 +5,7 @@ import (
 	"io"

 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/logs"

 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/client"
@@ -42,7 +43,7 @@ func (puller *Puller) Pull(ctx context.Context, img Image) error {
 	if err != nil {
 		return err
 	}
-	defer out.Close()
+	defer logs.CloseAndLogErr(out)

 	_, err = io.ReadAll(out)

--- a/api/docker/images/ref.go
+++ b/api/docker/images/ref.go
@@ -3,8 +3,8 @@ package images
 import (
 	"strings"

-	"github.com/containers/image/v5/docker"
-	"github.com/containers/image/v5/types"
+	"go.podman.io/image/v5/docker"
+	"go.podman.io/image/v5/types"
 )

 func ParseReference(imageStr string) (types.ImageReference, error) {
--- a/api/docker/images/registry_test.go
+++ b/api/docker/images/registry_test.go
@@ -4,7 +4,9 @@ import (
 	"testing"

 	portainer "github.com/portainer/portainer/api"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestFindBestMatchNeedAuthRegistry(t *testing.T) {
@@ -15,9 +17,9 @@ func TestFindBestMatchNeedAuthRegistry(t *testing.T) {
 		registries := []portainer.Registry{createNewRegistry("docker.io", "USERNAME", false),
 			createNewRegistry("hub-mirror.c.163.com", "", false)}
 		r, err := findBestMatchRegistry(image, registries)
-		is.NoError(err, "")
-		is.NotNil(r, "")
-		is.False(r.Authentication, "")
+		require.NoError(t, err)
+		is.NotNil(r)
+		is.False(r.Authentication)
 		is.Equal("docker.io", r.URL)
 	})

@@ -26,9 +28,9 @@ func TestFindBestMatchNeedAuthRegistry(t *testing.T) {
 		registries := []portainer.Registry{createNewRegistry("docker.io", "", false),
 			createNewRegistry("hub-mirror.c.163.com", "USERNAME", false)}
 		r, err := findBestMatchRegistry(image, registries)
-		is.NoError(err, "")
-		is.NotNil(r, "")
-		is.False(r.Authentication, "")
+		require.NoError(t, err)
+		is.NotNil(r)
+		is.False(r.Authentication)
 		is.Equal("docker.io", r.URL)
 	})

@@ -37,9 +39,9 @@ func TestFindBestMatchNeedAuthRegistry(t *testing.T) {
 		registries := []portainer.Registry{createNewRegistry("docker.io", "USERNAME", true),
 			createNewRegistry("hub-mirror.c.163.com", "", false)}
 		r, err := findBestMatchRegistry(image, registries)
-		is.NoError(err, "")
-		is.NotNil(r, "")
-		is.True(r.Authentication, "")
+		require.NoError(t, err)
+		is.NotNil(r)
+		is.True(r.Authentication)
 		is.Equal("docker.io", r.URL)
 	})

@@ -47,9 +49,9 @@ func TestFindBestMatchNeedAuthRegistry(t *testing.T) {
 		image := "portainer/portainer-ee:latest"
 		registries := []portainer.Registry{createNewRegistry("docker.io", "", true)}
 		r, err := findBestMatchRegistry(image, registries)
-		is.NoError(err, "")
-		is.NotNil(r, "")
-		is.True(r.Authentication, "")
+		require.NoError(t, err)
+		is.NotNil(r)
+		is.True(r.Authentication)
 		is.Equal("docker.io", r.URL)
 	})
 }
--- a/api/docker/images/status.go
+++ b/api/docker/images/status.go
@@ -280,13 +280,7 @@ func contains(statuses []Status, status Status) bool {
 		return false
 	}

-	for _, s := range statuses {
-		if s == status {
-			return true
-		}
-	}
-
-	return false
+	return slices.Contains(statuses, status)
 }

 func allMatch(statuses []Status, status Status) bool {
--- a/api/docker/snapshot.go
+++ b/api/docker/snapshot.go
@@ -3,6 +3,7 @@ package docker
 import (
 	portainer "github.com/portainer/portainer/api"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/pkg/snapshot"
 )

@@ -24,7 +25,7 @@ func (snapshotter *Snapshotter) CreateSnapshot(endpoint *portainer.Endpoint) (*p
 	if err != nil {
 		return nil, err
 	}
-	defer cli.Close()
+	defer logs.CloseAndLogErr(cli)

 	return snapshot.CreateDockerSnapshot(cli)
 }
--- a/api/docker/stats/container_stats.go
+++ b/api/docker/stats/container_stats.go
@@ -0,0 +1,138 @@
+package stats
+
+import (
+	"context"
+	"errors"
+	"strings"
+	"sync"
+
+	"github.com/containerd/containerd/errdefs"
+	"github.com/docker/docker/api/types/container"
+)
+
+type ContainerStats struct {
+	Running   int `json:"running"`
+	Stopped   int `json:"stopped"`
+	Healthy   int `json:"healthy"`
+	Unhealthy int `json:"unhealthy"`
+	Total     int `json:"total"`
+}
+
+type DockerClient interface {
+	ContainerInspect(ctx context.Context, containerID string) (container.InspectResponse, error)
+}
+
+func CalculateContainerStats(ctx context.Context, cli DockerClient, isSwarm bool, containers []container.Summary) (ContainerStats, error) {
+	if isSwarm {
+		return CalculateContainerStatsForSwarm(containers), nil
+	}
+
+	var running, stopped, healthy, unhealthy int
+
+	var mu sync.Mutex
+	var wg sync.WaitGroup
+	semaphore := make(chan struct{}, 5)
+
+	var aggErr error
+	var aggMu sync.Mutex
+
+	var processedCount int
+	for i := range containers {
+		id := containers[i].ID
+
+		semaphore <- struct{}{}
+		wg.Go(func() {
+			defer func() { <-semaphore }()
+
+			containerInspection, err := cli.ContainerInspect(ctx, id)
+			stat := ContainerStats{}
+			if err != nil {
+				if errdefs.IsNotFound(err) {
+					// An edge case is reported that Docker can list containers with no names,
+					// but when inspecting a container with specific ID and it is not found.
+					// In this case, we can safely ignore the error.
+					// ref@https://linear.app/portainer/issue/BE-12567/500-error-when-loading-docker-dashboard-in-portainer
+					return
+				}
+
+				aggMu.Lock()
+				aggErr = errors.Join(aggErr, err)
+				processedCount++
+				aggMu.Unlock()
+				return
+			}
+			stat = getContainerStatus(containerInspection.State)
+
+			mu.Lock()
+			running += stat.Running
+			stopped += stat.Stopped
+			healthy += stat.Healthy
+			unhealthy += stat.Unhealthy
+			processedCount++
+			mu.Unlock()
+		})
+	}
+
+	wg.Wait()
+
+	return ContainerStats{
+		Running:   running,
+		Stopped:   stopped,
+		Healthy:   healthy,
+		Unhealthy: unhealthy,
+		Total:     processedCount,
+	}, aggErr
+}
+
+func getContainerStatus(state *container.State) ContainerStats {
+	stat := ContainerStats{}
+	if state == nil {
+		return stat
+	}
+
+	switch state.Status {
+	case container.StateRunning:
+		stat.Running++
+	case container.StateExited, container.StateDead:
+		stat.Stopped++
+	}
+
+	if state.Health != nil {
+		switch state.Health.Status {
+		case container.Healthy:
+			stat.Healthy++
+		case container.Unhealthy:
+			stat.Unhealthy++
+		}
+	}
+
+	return stat
+}
+
+// This is a temporary workaround to calculate container stats for Swarm
+// TODO: Remove this once we have a proper way to calculate container stats for Swarm
+func CalculateContainerStatsForSwarm(containers []container.Summary) ContainerStats {
+	var running, stopped, healthy, unhealthy int
+	for _, container := range containers {
+		switch container.State {
+		case "running":
+			running++
+		case "exited", "stopped":
+			stopped++
+		}
+
+		if strings.Contains(container.Status, "(healthy)") {
+			healthy++
+		} else if strings.Contains(container.Status, "(unhealthy)") {
+			unhealthy++
+		}
+	}
+
+	return ContainerStats{
+		Running:   running,
+		Stopped:   stopped,
+		Healthy:   healthy,
+		Unhealthy: unhealthy,
+		Total:     len(containers),
+	}
+}
--- a/api/docker/stats/container_stats_test.go
+++ b/api/docker/stats/container_stats_test.go
@@ -0,0 +1,251 @@
+package stats
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/containerd/containerd/errdefs"
+	"github.com/docker/docker/api/types/container"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+)
+
+// MockDockerClient implements the DockerClient interface for testing
+type MockDockerClient struct {
+	mock.Mock
+}
+
+func (m *MockDockerClient) ContainerInspect(ctx context.Context, containerID string) (container.InspectResponse, error) {
+	args := m.Called(ctx, containerID)
+	return args.Get(0).(container.InspectResponse), args.Error(1)
+}
+
+func TestCalculateContainerStats(t *testing.T) {
+	mockClient := new(MockDockerClient)
+
+	// Test containers - using enough containers to test concurrent processing
+	containers := []container.Summary{
+		{ID: "container1"},
+		{ID: "container2"},
+		{ID: "container3"},
+		{ID: "container4"},
+		{ID: "container5"},
+		{ID: "container6"},
+		{ID: "container7"},
+		{ID: "container8"},
+		{ID: "container9"},
+		{ID: "container10"},
+		{ID: "container11"},
+	}
+
+	// Setup mock expectations with different container states to test various scenarios
+	containerStates := []struct {
+		id       string
+		status   string
+		health   *container.Health
+		expected ContainerStats
+	}{
+		{"container1", container.StateRunning, &container.Health{Status: container.Healthy}, ContainerStats{Running: 1, Stopped: 0, Healthy: 1, Unhealthy: 0}},
+		{"container2", container.StateRunning, &container.Health{Status: container.Unhealthy}, ContainerStats{Running: 1, Stopped: 0, Healthy: 0, Unhealthy: 1}},
+		{"container3", container.StateRunning, nil, ContainerStats{Running: 1, Stopped: 0, Healthy: 0, Unhealthy: 0}},
+		{"container4", container.StateExited, nil, ContainerStats{Running: 0, Stopped: 1, Healthy: 0, Unhealthy: 0}},
+		{"container5", container.StateDead, nil, ContainerStats{Running: 0, Stopped: 1, Healthy: 0, Unhealthy: 0}},
+		{"container6", container.StateRunning, &container.Health{Status: container.Healthy}, ContainerStats{Running: 1, Stopped: 0, Healthy: 1, Unhealthy: 0}},
+		{"container7", container.StateRunning, &container.Health{Status: container.Unhealthy}, ContainerStats{Running: 1, Stopped: 0, Healthy: 0, Unhealthy: 1}},
+		{"container8", container.StateExited, nil, ContainerStats{Running: 0, Stopped: 1, Healthy: 0, Unhealthy: 0}},
+		{"container9", container.StateRunning, nil, ContainerStats{Running: 1, Stopped: 0, Healthy: 0, Unhealthy: 0}},
+		{"container10", container.StateDead, nil, ContainerStats{Running: 0, Stopped: 1, Healthy: 0, Unhealthy: 0}},
+	}
+
+	// Setup mock expectations for all containers with artificial delays to simulate real Docker calls
+	for _, state := range containerStates {
+		mockClient.On("ContainerInspect", mock.Anything, state.id).Return(container.InspectResponse{
+			ContainerJSONBase: &container.ContainerJSONBase{
+				State: &container.State{
+					Status: state.status,
+					Health: state.health,
+				},
+			},
+		}, nil).After(30 * time.Millisecond) // Simulate 30ms Docker API call
+	}
+
+	// Setup mock expectation for a container that returns NotFound error
+	mockClient.On("ContainerInspect", mock.Anything, "container11").Return(container.InspectResponse{}, fmt.Errorf("No such container: %w", errdefs.ErrNotFound)).After(50 * time.Millisecond)
+
+	// Call the function and measure time
+	startTime := time.Now()
+	stats, err := CalculateContainerStats(context.Background(), mockClient, false, containers)
+	require.NoError(t, err, "failed to calculate container stats")
+	duration := time.Since(startTime)
+
+	// Assert results
+	assert.Equal(t, 6, stats.Running)
+	assert.Equal(t, 4, stats.Stopped)
+	assert.Equal(t, 2, stats.Healthy)
+	assert.Equal(t, 2, stats.Unhealthy)
+	assert.Equal(t, 10, stats.Total)
+
+	// Verify concurrent processing by checking that all mock calls were made
+	mockClient.AssertExpectations(t)
+
+	// Test concurrency: With 5 workers and 10 containers taking 50ms each:
+	// Sequential would take: 10 * 50ms = 500ms
+	sequentialTime := 10 * 50 * time.Millisecond
+
+	// Verify that concurrent processing is actually faster than sequential
+	// Allow some overhead for goroutine scheduling
+	assert.Less(t, duration, sequentialTime, "Concurrent processing should be faster than sequential")
+	// Concurrent should take: ~100-150ms (depending on scheduling)
+	assert.Less(t, duration, 150*time.Millisecond, "Concurrent processing should be significantly faster")
+	assert.Greater(t, duration, 100*time.Millisecond, "Concurrent processing should be longer than 100ms")
+}
+
+func TestCalculateContainerStatsAllErrors(t *testing.T) {
+	mockClient := new(MockDockerClient)
+
+	// Test containers
+	containers := []container.Summary{
+		{ID: "container1"},
+		{ID: "container2"},
+	}
+
+	// Setup mock expectations with all calls returning errors
+	mockClient.On("ContainerInspect", mock.Anything, "container1").Return(container.InspectResponse{}, errors.New("network error"))
+	mockClient.On("ContainerInspect", mock.Anything, "container2").Return(container.InspectResponse{}, errors.New("permission denied"))
+
+	// Call the function
+	stats, err := CalculateContainerStats(context.Background(), mockClient, false, containers)
+
+	// Assert that an error was returned
+	require.Error(t, err, "should return error when all containers fail to inspect")
+	assert.Contains(t, err.Error(), "network error", "error should contain one of the original error messages")
+	assert.Contains(t, err.Error(), "permission denied", "error should contain the other original error message")
+
+	// Assert that stats are zero since no containers were successfully processed
+	expectedStats := ContainerStats{
+		Running:   0,
+		Stopped:   0,
+		Healthy:   0,
+		Unhealthy: 0,
+		Total:     2, // total containers processed
+	}
+	assert.Equal(t, expectedStats, stats)
+
+	// Verify all mock calls were made
+	mockClient.AssertExpectations(t)
+}
+
+func TestGetContainerStatus(t *testing.T) {
+	testCases := []struct {
+		name     string
+		state    *container.State
+		expected ContainerStats
+	}{
+		{
+			name: "running healthy container",
+			state: &container.State{
+				Status: container.StateRunning,
+				Health: &container.Health{
+					Status: container.Healthy,
+				},
+			},
+			expected: ContainerStats{
+				Running:   1,
+				Stopped:   0,
+				Healthy:   1,
+				Unhealthy: 0,
+			},
+		},
+		{
+			name: "running unhealthy container",
+			state: &container.State{
+				Status: container.StateRunning,
+				Health: &container.Health{
+					Status: container.Unhealthy,
+				},
+			},
+			expected: ContainerStats{
+				Running:   1,
+				Stopped:   0,
+				Healthy:   0,
+				Unhealthy: 1,
+			},
+		},
+		{
+			name: "running container without health check",
+			state: &container.State{
+				Status: container.StateRunning,
+			},
+			expected: ContainerStats{
+				Running:   1,
+				Stopped:   0,
+				Healthy:   0,
+				Unhealthy: 0,
+			},
+		},
+		{
+			name: "exited container",
+			state: &container.State{
+				Status: container.StateExited,
+			},
+			expected: ContainerStats{
+				Running:   0,
+				Stopped:   1,
+				Healthy:   0,
+				Unhealthy: 0,
+			},
+		},
+		{
+			name: "dead container",
+			state: &container.State{
+				Status: container.StateDead,
+			},
+			expected: ContainerStats{
+				Running:   0,
+				Stopped:   1,
+				Healthy:   0,
+				Unhealthy: 0,
+			},
+		},
+		{
+			name:  "nil state",
+			state: nil,
+			expected: ContainerStats{
+				Running:   0,
+				Stopped:   0,
+				Healthy:   0,
+				Unhealthy: 0,
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			stat := getContainerStatus(testCase.state)
+			assert.Equal(t, testCase.expected, stat)
+		})
+	}
+}
+
+func TestCalculateContainerStatsForSwarm(t *testing.T) {
+	containers := []container.Summary{
+		{State: "running"},
+		{State: "running", Status: "Up 5 minutes (healthy)"},
+		{State: "exited"},
+		{State: "stopped"},
+		{State: "running", Status: "Up 10 minutes"},
+		{State: "running", Status: "Up about an hour (unhealthy)"},
+	}
+
+	stats := CalculateContainerStatsForSwarm(containers)
+
+	assert.Equal(t, 4, stats.Running)
+	assert.Equal(t, 2, stats.Stopped)
+	assert.Equal(t, 1, stats.Healthy)
+	assert.Equal(t, 1, stats.Unhealthy)
+	assert.Equal(t, 6, stats.Total)
+}
--- a/api/edge/edge.go
+++ b/api/edge/edge.go
@@ -60,11 +60,26 @@ type (
 		// EnvVars is a list of environment variables to inject into the stack
 		EnvVars []portainer.Pair

-		// Used only for EE async edge agent
-		// ReadyRePullImage is a flag to indicate whether the auto update is trigger to re-pull image
-		ReadyRePullImage bool
+		// ForceUpdate is a flag indicating if the agent must force the update of the stack.
+		// Used only for EE
+		ForceUpdate bool

 		DeployerOptionsPayload DeployerOptionsPayload
+
+		// Used only for EE async edge agent
+		// ReadyRePullImage is a flag to indicate whether the auto update is trigger to re-pull image
+		// Deprecated(2.36): use DeployerOptionsPayload.ForceRecreate instead
+		ReadyRePullImage bool
+
+		// CreatedBy is the username that created this stack
+		// Used for adding labels to Kubernetes manifests
+		CreatedBy string
+		// CreatedByUserId is the user ID that created this stack
+		// Used for adding labels to Kubernetes manifests
+		CreatedByUserId string
+
+		// HelmConfig represents the Helm configuration for an edge stack
+		HelmConfig portainer.HelmConfig
 	}

 	DeployerOptionsPayload struct {
@@ -77,6 +92,14 @@ type (
 		// This flag drives `docker compose down --volumes` option
 		// Used only for EE
 		RemoveVolumes bool
+
+		// ForceRecreate is a flag indicating if the agent must force the redeployment of the stack.
+		// This field is only used when the Force Redeployment is triggered.
+		// Once the stack is redeployed, this field will be reset to false.
+		// For standard edge agent, this field is used in agent side
+		// For async edge agent, this field is used in both agent side and server side.
+		// This flag drives `docker compose up --force-recreate` option
+		ForceRecreate bool
 	}

 	// RegistryCredentials holds the credentials for a Docker registry.
--- a/api/exec/compose_stack.go
+++ b/api/exec/compose_stack.go
@@ -13,6 +13,7 @@ import (
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/proxy/factory"
 	"github.com/portainer/portainer/api/internal/registryutils"
+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/api/stacks/stackutils"
 	"github.com/portainer/portainer/pkg/libstack"

@@ -180,7 +181,7 @@ func createEnvFile(stack *portainer.Stack) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer envfile.Close()
+	defer logs.CloseAndLogErr(envfile)

 	// Copy from default .env file
 	defaultEnvPath := path.Join(stack.ProjectPath, path.Dir(stack.EntryPoint), ".env")
@@ -205,13 +206,14 @@ func copyDefaultEnvFile(w io.Writer, defaultEnvFilePath string) error {
 		return nil
 	}

-	defer defaultEnvFile.Close()
+	defer logs.CloseAndLogErr(defaultEnvFile)

 	if _, err = io.Copy(w, defaultEnvFile); err == nil {
 		if _, err = fmt.Fprintf(w, "\n"); err != nil {
 			return fmt.Errorf("failed to copy default env file: %w", err)
 		}
 	}
+
 	return nil
 	// If couldn't copy the .env file, then ignore the error and try to continue
 }
@@ -223,6 +225,7 @@ func copyConfigEnvVars(w io.Writer, envs []portainer.Pair) error {
 			return fmt.Errorf("failed to copy config env vars: %w", err)
 		}
 	}
+
 	return nil
 }

--- a/api/exec/compose_stack_integration_test.go
+++ b/api/exec/compose_stack_integration_test.go
@@ -11,6 +11,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/pkg/libstack/compose"
 	"github.com/portainer/portainer/pkg/testhelpers"
+	"github.com/stretchr/testify/require"

 	"github.com/rs/zerolog/log"
 )
@@ -25,8 +26,11 @@ const composedContainerName = "compose_wrapper_test"
 func setup(t *testing.T) (*portainer.Stack, *portainer.Endpoint) {
 	dir := t.TempDir()
 	composeFileName := "compose_wrapper_test.yml"
-	f, _ := os.Create(filepath.Join(dir, composeFileName))
-	f.WriteString(composeFile)
+	f, err := os.Create(filepath.Join(dir, composeFileName))
+	require.NoError(t, err)
+
+	_, err = f.WriteString(composeFile)
+	require.NoError(t, err)

 	stack := &portainer.Stack{
 		ProjectPath: dir,
@@ -34,11 +38,7 @@ func setup(t *testing.T) (*portainer.Stack, *portainer.Endpoint) {
 		Name:        "project-name",
 	}

-	endpoint := &portainer.Endpoint{
-		URL: "unix://",
-	}
-
-	return stack, endpoint
+	return stack, &portainer.Endpoint{URL: "unix://"}
 }

 func Test_UpAndDown(t *testing.T) {
--- a/Show More
+++ b/Show More