version: bump version to 2.21.5 (#254 )

fix: security - CVE-2024-45337 - portainer-suite release 2.21 (#249 )
fix: 2.21.5 backported fixes (#251 )
2024-12-19 09:35:53 -03:00 · 2024-12-18 19:05:20 -03:00 · 2024-12-17 19:16:41 -03:00 · 2024-10-29 12:23:44 +13:00 · 2024-10-24 16:09:34 +13:00 · 2024-10-23 18:23:28 -03:00
2120 changed files with 24977 additions and 38216 deletions
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -87,7 +87,6 @@ overrides:
        version: 'detect'

    rules:
-      no-console: error
      import/order:
        [
          'error',
@@ -141,11 +140,9 @@ overrides:
      'react/jsx-no-constructed-context-values': off
      '@typescript-eslint/no-restricted-imports': off
      no-restricted-imports: off
-      'react/jsx-props-no-spreading': off
  - files:
      - app/**/*.stories.*
    rules:
      'no-alert': off
      '@typescript-eslint/no-restricted-imports': off
      no-restricted-imports: off
-      'react/jsx-props-no-spreading': off
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -93,16 +93,6 @@ body:
      description: We only provide support for the most recent version of Portainer and the previous 3 versions. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
      multiple: false
      options:
-        - '2.22.0'
-        - '2.21.3'
-        - '2.21.2'
-        - '2.21.1'
-        - '2.21.0'
-        - '2.20.3'
-        - '2.20.2'
-        - '2.20.1'
-        - '2.20.0'
-        - '2.19.5'
        - '2.19.4'
        - '2.19.3'
        - '2.19.2'
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,166 +0,0 @@
-name: ci
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - 'develop'
-      - 'release/*'
-  pull_request:
-    branches:
-      - 'develop'
-      - 'release/*'
-      - 'feat/*'
-      - 'fix/*'
-      - 'refactor/*'
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-
-env:
-  DOCKER_HUB_REPO: portainerci/portainer-ce
-  EXTENSION_HUB_REPO: portainerci/portainer-docker-extension
-  NODE_VERSION: 18.x
-
-jobs:
-  build_images:
-    strategy:
-      matrix:
-        config:
-          - { platform: linux, arch: amd64, version: "" }
-          - { platform: linux, arch: arm64, version: "" }
-          - { platform: linux, arch: arm, version: "" }
-          - { platform: linux, arch: ppc64le, version: "" }
-          - { platform: windows, arch: amd64, version: 1809 }
-          - { platform: windows, arch: amd64, version: ltsc2022 }
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-    steps:
-      - name: '[preparation] checkout the current branch'
-        uses: actions/checkout@v4.1.1
-        with:
-          ref: ${{ github.event.inputs.branch }}
-      - name: '[preparation] set up golang'
-        uses: actions/setup-go@v5.0.0
-        with:
-          go-version-file: go.mod
-      - name: '[preparation] set up node.js'
-        uses: actions/setup-node@v4.0.1
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
-      - name: '[preparation] set up qemu'
-        uses: docker/setup-qemu-action@v3.0.0
-      - name: '[preparation] set up docker context for buildx'
-        run: docker context create builders
-      - name: '[preparation] set up docker buildx'
-        uses: docker/setup-buildx-action@v3.0.0
-        with:
-          endpoint: builders
-      - name: '[preparation] docker login'
-        uses: docker/login-action@v3.0.0
-        with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-      - name: '[preparation] set the container image tag'
-        run: |
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            # use the release branch name as the tag for release branches
-            # for instance, release/2.19 becomes 2.19
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
-          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
-            # use pr${{ github.event.number }} as the tag for pull requests
-            # for instance, pr123
-            CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
-          else
-            # replace / with - in the branch name
-            # for instance, feature/1.0.0 -> feature-1.0.0
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
-          fi
-          
-          echo "CONTAINER_IMAGE_TAG=${CONTAINER_IMAGE_TAG}-${{ matrix.config.platform }}${{ matrix.config.version }}-${{ matrix.config.arch }}" >> $GITHUB_ENV
-      - name: '[execution] build linux & windows portainer binaries'
-        run: |
-          export YARN_VERSION=$(yarn --version)
-          export WEBPACK_VERSION=$(yarn list webpack --depth=0 | grep webpack | awk -F@ '{print $2}')
-          export BUILDNUMBER=${GITHUB_RUN_NUMBER}
-          GIT_COMMIT_HASH_LONG=${{ github.sha }}
-          export GIT_COMMIT_HASH_SHORT={GIT_COMMIT_HASH_LONG:0:7}
-          
-          NODE_ENV="testing"
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            NODE_ENV="production"
-          fi
-          
-          make build-all PLATFORM=${{ matrix.config.platform }} ARCH=${{ matrix.config.arch }} ENV=${NODE_ENV}
-        env:
-          CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }}
-      - name: '[execution] build and push docker images'
-        run: |
-          if [ "${{ matrix.config.platform }}" == "windows" ]; then
-            mv dist/portainer dist/portainer.exe
-            docker buildx build --output=type=registry --attest type=provenance,mode=max --attest type=sbom,disabled=false --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} --build-arg OSVERSION=${{ matrix.config.version }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
-          else 
-            docker buildx build --output=type=registry --attest type=provenance,mode=max --attest type=sbom,disabled=false --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
-            docker buildx build --output=type=registry --attest type=provenance,mode=max --attest type=sbom,disabled=false --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile .
-            
-            if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-              docker buildx build --output=type=registry --attest type=provenance,mode=max --attest type=sbom,disabled=false --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" -f build/${{ matrix.config.platform }}/Dockerfile .
-              docker buildx build --output=type=registry --attest type=provenance,mode=max --attest type=sbom,disabled=false --platform ${{ matrix.config.platform }}/${{ matrix.config.arch }} -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" -f build/${{ matrix.config.platform }}/alpine.Dockerfile .
-            fi
-          fi
-        env:
-          CONTAINER_IMAGE_TAG: ${{ env.CONTAINER_IMAGE_TAG }}
-  build_manifests:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-    needs: [build_images]
-    steps:
-      - name: '[preparation] docker login'
-        uses: docker/login-action@v3.0.0
-        with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-      - name: '[preparation] set up docker context for buildx'
-        run: docker version && docker context create builders
-      - name: '[preparation] set up docker buildx'
-        uses: docker/setup-buildx-action@v3.0.0
-        with:
-          endpoint: builders
-      - name: '[execution] build and push manifests'
-        run: |
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            # use the release branch name as the tag for release branches
-            # for instance, release/2.19 becomes 2.19
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -d "/" -f 2)
-          elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
-            # use pr${{ github.event.number }} as the tag for pull requests
-            # for instance, pr123
-            CONTAINER_IMAGE_TAG="pr${{ github.event.number }}"
-          else
-            # replace / with - in the branch name
-            # for instance, feature/1.0.0 -> feature-1.0.0
-            CONTAINER_IMAGE_TAG=$(echo $GITHUB_REF_NAME | sed 's/\//-/g')
-          fi
-
-          docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windows1809-amd64" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-windowsltsc2022-amd64"
-          
-          docker buildx imagetools create -t "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm-alpine" \
-            "${DOCKER_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-ppc64le-alpine"
-            
-          if [[ "${GITHUB_REF_NAME}" =~ ^release/.*$ ]]; then
-            docker buildx imagetools create -t "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-amd64" \
-              "${EXTENSION_HUB_REPO}:${CONTAINER_IMAGE_TAG}-linux-arm64"
-          fi
--- a/.github/workflows/label-conflcts.yaml
+++ b/.github/workflows/label-conflcts.yaml
@@ -1,15 +0,0 @@
-on:
-  push:
-    branches:
-      - develop
-      - 'release/**'
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: mschilde/auto-label-merge-conflicts@master
-        with:
-          CONFLICT_LABEL_NAME: 'has conflicts'
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          MAX_RETRIES: 10
-          WAIT_MS: 60000
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,55 +0,0 @@
-name: Lint
-
-on:
-  push:
-    branches:
-      - master
-      - develop
-      - release/*
-  pull_request:
-    branches:
-      - master
-      - develop
-      - release/*
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-
-env:
-  GO_VERSION: 1.22.5
-  NODE_VERSION: 18.x
-
-jobs:
-  run-linters:
-    name: Run linters
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
-      - uses: actions/setup-go@v4
-        with:
-          go-version: ${{ env.GO_VERSION }}
-      - run: yarn --frozen-lockfile
-      - name: Run linters
-        uses: wearerequired/lint-action@v1
-        with:
-          eslint: true
-          eslint_extensions: ts,tsx,js,jsx
-          prettier: true
-          prettier_dir: app/
-          gofmt: true
-          gofmt_dir: api/
-      - name: Typecheck
-        uses: icrawl/action-tsc@v1
-      - name: GolangCI-Lint
-        uses: golangci/golangci-lint-action@v3
-        with:
-          version: v1.59.1
-          args: --timeout=10m -c .golangci.yaml
--- a/.github/workflows/nightly-security-scan.yml
+++ b/.github/workflows/nightly-security-scan.yml
@@ -1,254 +0,0 @@
-name: Nightly Code Security Scan
-
-on:
-  schedule:
-    - cron: '0 20 * * *'
-  workflow_dispatch:
-
-env:
-  GO_VERSION: 1.22.5
-  DOCKER_HUB_REPO: portainerci/portainer-ce
-  DOCKER_HUB_IMAGE_TAG: develop
-
-jobs:
-  client-dependencies:
-    name: Client Dependency Check
-    runs-on: ubuntu-latest
-    if: >- # only run for develop branch
-      github.ref == 'refs/heads/develop'
-    outputs:
-      js: ${{ steps.set-matrix.outputs.js_result }}
-    steps:
-      - name: checkout repository
-        uses: actions/checkout@master
-
-      - name: scan vulnerabilities by Snyk
-        uses: snyk/actions/node@master
-        continue-on-error: true # To make sure that artifact upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          json: true
-
-      - name: upload scan result as develop artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: js-security-scan-develop-result
-          path: snyk.json
-
-      - name: develop scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/js-result")
-
-      - name: upload html file as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-js-result-${{github.run_id}}
-          path: js-result.html
-
-      - name: analyse vulnerabilities
-        id: set-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix)
-          echo "js_result=${result}" >> $GITHUB_OUTPUT
-
-  server-dependencies:
-    name: Server Dependency Check
-    runs-on: ubuntu-latest
-    if: >- # only run for develop branch
-      github.ref == 'refs/heads/develop'
-    outputs:
-      go: ${{ steps.set-matrix.outputs.go_result }}
-    steps:
-      - name: checkout repository
-        uses: actions/checkout@master
-
-      - name: install Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: download Go modules
-        run: cd ./api && go get -t -v -d ./...
-
-      - name: scan vulnerabilities by Snyk
-        continue-on-error: true # To make sure that artifact upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: |
-          yarn global add snyk
-          snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || :
-
-      - name: upload scan result as develop artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: go-security-scan-develop-result
-          path: snyk.json
-
-      - name: develop scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/go-result")
-
-      - name: upload html file as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-go-result-${{github.run_id}}
-          path: go-result.html
-
-      - name: analyse vulnerabilities
-        id: set-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix)
-          echo "go_result=${result}" >> $GITHUB_OUTPUT
-
-  image-vulnerability:
-    name: Image Vulnerability Check
-    runs-on: ubuntu-latest
-    if: >-
-      github.ref == 'refs/heads/develop'
-    outputs:
-      image-trivy: ${{ steps.set-trivy-matrix.outputs.image_trivy_result }}
-      image-docker-scout: ${{ steps.set-docker-scout-matrix.outputs.image_docker_scout_result }}
-    steps:
-      - name: scan vulnerabilities by Trivy
-        uses: docker://docker.io/aquasec/trivy:latest
-        continue-on-error: true
-        with:
-          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress ${{ env.DOCKER_HUB_REPO }}:${{ env.DOCKER_HUB_IMAGE_TAG }}
-
-      - name: upload Trivy image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-develop-result
-          path: image-trivy.json
-
-      - name: develop Trivy scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-trivy-result")
-
-      - name: upload html file as Trivy artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-${{github.run_id}}
-          path: image-trivy-result.html
-
-      - name: analyse vulnerabilities from Trivy
-        id: set-trivy-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix)
-          echo "image_trivy_result=${result}" >> $GITHUB_OUTPUT
-
-      - name: scan vulnerabilities by Docker Scout
-        uses: docker/scout-action@v1
-        continue-on-error: true
-        with:
-          command: cves
-          image: ${{ env.DOCKER_HUB_REPO }}:${{ env.DOCKER_HUB_IMAGE_TAG }}
-          sarif-file: image-docker-scout.json
-          dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
-          dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-
-      - name: upload Docker Scout image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-develop-result
-          path: image-docker-scout.json
-
-      - name: develop Docker Scout scan report export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
-
-      - name: upload html file as Docker Scout artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-${{github.run_id}}
-          path: image-docker-scout-result.html
-
-      - name: analyse vulnerabilities from Docker Scout
-        id: set-docker-scout-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=docker-scout --path="/data/image-docker-scout.json" --output-type=matrix)
-          echo "image_docker_scout_result=${result}" >> $GITHUB_OUTPUT
-
-  result-analysis:
-    name: Analyse Scan Results
-    needs: [client-dependencies, server-dependencies, image-vulnerability]
-    runs-on: ubuntu-latest
-    if: >-
-      github.ref == 'refs/heads/develop'
-    strategy:
-      matrix:
-        js: ${{fromJson(needs.client-dependencies.outputs.js)}}
-        go: ${{fromJson(needs.server-dependencies.outputs.go)}}
-        image-trivy: ${{fromJson(needs.image-vulnerability.outputs.image-trivy)}}
-        image-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.image-docker-scout)}}
-    steps:
-      - name: display the results of js, Go, and image scan
-        run: |
-          echo "${{ matrix.js.status }}"
-          echo "${{ matrix.go.status }}"
-          echo "${{ matrix.image-trivy.status }}"
-          echo "${{ matrix.image-docker-scout.status }}"
-          echo "${{ matrix.js.summary }}"
-          echo "${{ matrix.go.summary }}"
-          echo "${{ matrix.image-trivy.summary }}"
-          echo "${{ matrix.image-docker-scout.summary }}"
-
-      - name: send message to Slack
-        if: >-
-          matrix.js.status == 'failure' ||
-          matrix.go.status == 'failure' || 
-          matrix.image-trivy.status == 'failure' || 
-          matrix.image-docker-scout.status == 'failure'
-        uses: slackapi/slack-github-action@v1.23.0
-        with:
-          payload: |
-            {
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "Code Scanning Result (*${{ github.repository }}*)\n*<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub Actions Workflow URL>*"
-                  }
-                }
-              ],
-              "attachments": [
-                {
-                  "color": "#FF0000",
-                  "blocks": [
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*JS dependency check*: *${{ matrix.js.status }}*\n${{ matrix.js.summary }}"
-                      }
-                    },
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*Go dependency check*: *${{ matrix.go.status }}*\n${{ matrix.go.summary }}"
-                      }
-                    },
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*Image Trivy vulnerability check*: *${{ matrix.image-trivy.status }}*\n${{ matrix.image-trivy.summary }}\n"
-                      }
-                    },
-                    {
-                      "type": "section",
-                      "text": {
-                        "type": "mrkdwn",
-                        "text": "*Image Docker Scout vulnerability check*: *${{ matrix.image-docker-scout.status }}*\n${{ matrix.image-docker-scout.summary }}\n"
-                      }
-                    }
-                  ]
-                }
-              ]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }}
-          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
--- a/.github/workflows/pr-security.yml
+++ b/.github/workflows/pr-security.yml
@@ -1,298 +0,0 @@
-name: PR Code Security Scan
-
-on:
-  pull_request_review:
-    types:
-      - submitted
-      - edited
-    paths:
-      - 'package.json'
-      - 'go.mod'
-      - 'build/linux/Dockerfile'
-      - 'build/linux/alpine.Dockerfile'
-      - 'build/windows/Dockerfile'
-      - '.github/workflows/pr-security.yml'
-
-env:
-  GO_VERSION: 1.22.5
-  NODE_VERSION: 18.x
-
-jobs:
-  client-dependencies:
-    name: Client Dependency Check
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
-    outputs:
-      jsdiff: ${{ steps.set-diff-matrix.outputs.js_diff_result }}
-    steps:
-      - name: checkout repository
-        uses: actions/checkout@master
-
-      - name: scan vulnerabilities by Snyk
-        uses: snyk/actions/node@master
-        continue-on-error: true # To make sure that artifact upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          json: true
-
-      - name: upload scan result as pull-request artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: js-security-scan-feat-result
-          path: snyk.json
-
-      - name: download artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./snyk.json ./js-snyk-feature.json
-          (gh run download -n js-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./snyk.json ]]; then
-            mv ./snyk.json ./js-snyk-develop.json
-          else
-            echo "null" > ./js-snyk-develop.json
-          fi
-
-      - name: pr vs develop scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/js-snyk-feature.json" --compare-to="/data/js-snyk-develop.json" --output-type=table --export --export-filename="/data/js-result")
-
-      - name: upload html file as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-js-result-compare-to-develop-${{github.run_id}}
-          path: js-result.html
-
-      - name: analyse different vulnerabilities against develop branch
-        id: set-diff-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/js-snyk-feature.json" --compare-to="/data/js-snyk-develop.json" --output-type=matrix)
-          echo "js_diff_result=${result}" >> $GITHUB_OUTPUT
-
-  server-dependencies:
-    name: Server Dependency Check
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
-    outputs:
-      godiff: ${{ steps.set-diff-matrix.outputs.go_diff_result }}
-    steps:
-      - name: checkout repository
-        uses: actions/checkout@master
-
-      - name: install Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: download Go modules
-        run: cd ./api && go get -t -v -d ./...
-
-      - name: scan vulnerabilities by Snyk
-        continue-on-error: true # To make sure that artifact upload gets called
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: |
-          yarn global add snyk
-          snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || :
-
-      - name: upload scan result as pull-request artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: go-security-scan-feature-result
-          path: snyk.json
-
-      - name: download artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./snyk.json ./go-snyk-feature.json
-          (gh run download -n go-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./snyk.json ]]; then
-            mv ./snyk.json ./go-snyk-develop.json
-          else
-            echo "null" > ./go-snyk-develop.json
-          fi
-
-      - name: pr vs develop scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=table --export --export-filename="/data/go-result")
-
-      - name: upload html file as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-go-result-compare-to-develop-${{github.run_id}}
-          path: go-result.html
-
-      - name: analyse different vulnerabilities against develop branch
-        id: set-diff-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=matrix)
-          echo "go_diff_result=${result}" >> $GITHUB_OUTPUT
-
-  image-vulnerability:
-    name: Image Vulnerability Check
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
-    outputs:
-      imagediff-trivy: ${{ steps.set-diff-trivy-matrix.outputs.image_diff_trivy_result }}
-      imagediff-docker-scout: ${{ steps.set-diff-docker-scout-matrix.outputs.image_diff_docker_scout_result }}
-    steps:
-      - name: checkout code
-        uses: actions/checkout@master
-
-      - name: install Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: install Node.js
-        uses: actions/setup-node@v3
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-
-      - name: Install packages
-        run: yarn --frozen-lockfile
-
-      - name: build
-        run: make build-all
-
-      - name: set up docker buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: build and compress image
-        uses: docker/build-push-action@v4
-        with:
-          context: .
-          file: build/linux/Dockerfile
-          tags: local-portainer:${{ github.sha }}
-          outputs: type=docker,dest=/tmp/local-portainer-image.tar
-
-      - name: load docker image
-        run: |
-          docker load --input /tmp/local-portainer-image.tar
-
-      - name: scan vulnerabilities by Trivy
-        uses: docker://docker.io/aquasec/trivy:latest
-        continue-on-error: true
-        with:
-          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress local-portainer:${{ github.sha }}
-
-      - name: upload Trivy image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-feature-result
-          path: image-trivy.json
-
-      - name: download Trivy artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./image-trivy.json ./image-trivy-feature.json
-          (gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./image-trivy.json ]]; then
-            mv ./image-trivy.json ./image-trivy-develop.json
-          else
-            echo "null" > ./image-trivy-develop.json
-          fi
-
-      - name: pr vs develop Trivy scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-trivy-result")
-
-      - name: upload html file as Trivy artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-compare-to-develop-${{github.run_id}}
-          path: image-trivy-result.html
-
-      - name: analyse different vulnerabilities against develop branch by Trivy
-        id: set-diff-trivy-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix)
-          echo "image_diff_trivy_result=${result}" >> $GITHUB_OUTPUT
-
-      - name: scan vulnerabilities by Docker Scout
-        uses: docker/scout-action@v1
-        continue-on-error: true
-        with:
-          command: cves
-          image: local-portainer:${{ github.sha }}
-          sarif-file: image-docker-scout.json
-          dockerhub-user: ${{ secrets.DOCKER_HUB_USERNAME }}
-          dockerhub-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
-
-      - name: upload Docker Scout image security scan result as artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: image-security-scan-feature-result
-          path: image-docker-scout.json
-
-      - name: download Docker Scout artifacts from develop branch built by nightly scan
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          mv ./image-docker-scout.json ./image-docker-scout-feature.json
-          (gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || :
-          if [[ -e ./image-docker-scout.json ]]; then
-            mv ./image-docker-scout.json ./image-docker-scout-develop.json
-          else
-            echo "null" > ./image-docker-scout-develop.json
-          fi
-
-      - name: pr vs develop Docker Scout scan report comparison export to html
-        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=table --export --export-filename="/data/image-docker-scout-result")
-
-      - name: upload html file as Docker Scout artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: html-image-result-compare-to-develop-${{github.run_id}}
-          path: image-docker-scout-result.html
-
-      - name: analyse different vulnerabilities against develop branch by Docker Scout
-        id: set-diff-docker-scout-matrix
-        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=docker-scout --path="/data/image-docker-scout-feature.json" --compare-to="/data/image-docker-scout-develop.json" --output-type=matrix)
-          echo "image_diff_docker_scout_result=${result}" >> $GITHUB_OUTPUT
-
-  result-analysis:
-    name: Analyse Scan Result Against develop Branch
-    needs: [client-dependencies, server-dependencies, image-vulnerability]
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request &&
-      github.event.review.body == '/scan' &&
-      github.event.pull_request.draft == false
-    strategy:
-      matrix:
-        jsdiff: ${{fromJson(needs.client-dependencies.outputs.jsdiff)}}
-        godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}}
-        imagediff-trivy: ${{fromJson(needs.image-vulnerability.outputs.imagediff-trivy)}}
-        imagediff-docker-scout: ${{fromJson(needs.image-vulnerability.outputs.imagediff-docker-scout)}}
-    steps:
-      - name: check job status of diff result
-        if: >-
-          matrix.jsdiff.status == 'failure' ||
-          matrix.godiff.status == 'failure' ||
-          matrix.imagediff-trivy.status == 'failure' ||
-          matrix.imagediff-docker-scout.status == 'failure'
-        run: |
-          echo "${{ matrix.jsdiff.status }}"
-          echo "${{ matrix.godiff.status }}"
-          echo "${{ matrix.imagediff-trivy.status }}"
-          echo "${{ matrix.imagediff-docker-scout.status }}"
-          echo "${{ matrix.jsdiff.summary }}"
-          echo "${{ matrix.godiff.summary }}"
-          echo "${{ matrix.imagediff-trivy.summary }}"
-          echo "${{ matrix.imagediff-docker-scout.summary }}"
-          exit 1
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -1,19 +0,0 @@
-name: Automatic Rebase
-on:
-  issue_comment:
-    types: [created]
-jobs:
-  rebase:
-    name: Rebase
-    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout the latest code
-        uses: actions/checkout@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
-      - name: Automatic Rebase
-        uses: cirrus-actions/rebase@1.4
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,28 +0,0 @@
-name: Close Stale Issues
-on:
-  schedule:
-    - cron: '0 12 * * *'
-  workflow_dispatch:
-jobs:
-  stale:
-    runs-on: ubuntu-latest
-    permissions:
-      issues: write
-
-    steps:
-    - uses: actions/stale@v8
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-
-        # Issue Config
-        days-before-issue-stale: 60
-        days-before-issue-close: 7
-        stale-issue-label: 'status/stale'
-        exempt-all-issue-milestones: true # Do not stale issues in a milestone
-        exempt-issue-labels: kind/enhancement, kind/style, kind/workaround, kind/refactor, bug/need-confirmation, bug/confirmed, status/discuss
-        stale-issue-message: 'This issue has been marked as stale as it has not had recent activity, it will be closed if no further activity occurs in the next 7 days. If you believe that it has been incorrectly labelled as stale, leave a comment and the label will be removed.'
-        close-issue-message: 'Since no further activity has appeared on this issue it will be closed. If you believe that it has been incorrectly closed, leave a comment mentioning `portainer/support` and one of our staff will then review the issue. Note - If it is an old bug report, make sure that it is reproduceable in the latest version of Portainer as it may have already been fixed.'
-        
-        # Pull Request Config
-        days-before-pr-stale: -1 # Do not stale pull request
-        days-before-pr-close: -1 # Do not close pull request
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -1,76 +0,0 @@
-name: Test
-
-env:
-  GO_VERSION: 1.22.5
-  NODE_VERSION: 18.x
-
-on:
-  workflow_dispatch:
-  pull_request:
-    branches:
-      - master
-      - develop
-      - release/*
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-  push:
-    branches:
-      - master
-      - develop
-      - release/*
-
-jobs:
-  test-client:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-
-    steps:
-      - name: 'checkout the current branch'
-        uses: actions/checkout@v4.1.1
-        with:
-          ref: ${{ github.event.inputs.branch }}
-
-      - name: 'set up node.js'
-        uses: actions/setup-node@v4.0.1
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
-
-      - run: yarn --frozen-lockfile
-
-      - name: Run tests
-        run: make test-client ARGS="--maxWorkers=2 --minWorkers=1"
-
-  test-server:
-    strategy:
-      matrix:
-        config:
-          - { platform: linux, arch: amd64 }
-          - { platform: linux, arch: arm64 }
-          - { platform: windows, arch: amd64, version: 1809 }
-          - { platform: windows, arch: amd64, version: ltsc2022 }
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-
-    steps:
-      - name: 'checkout the current branch'
-        uses: actions/checkout@v4.1.1
-        with:
-          ref: ${{ github.event.inputs.branch }}
-
-      - name: 'set up golang'
-        uses: actions/setup-go@v5.0.0
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: 'install dependencies'
-        run: make test-deps PLATFORM=linux ARCH=amd64
-
-      - name: 'update $PATH'
-        run: echo "$(pwd)/dist" >> $GITHUB_PATH
-
-      - name: 'run tests'
-        run: make test-server
--- a/.github/workflows/validate-openapi-spec.yaml
+++ b/.github/workflows/validate-openapi-spec.yaml
@@ -1,39 +0,0 @@
-name: Validate OpenAPI specs
-
-on:
-  pull_request:
-    branches:
-      - master
-      - develop
-      - 'release/*'
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-
-env:
-  GO_VERSION: 1.22.5
-  NODE_VERSION: 18.x
-
-jobs:
-  openapi-spec:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: ${{ env.GO_VERSION }}
-
-      - name: Download golang modules
-        run: cd ./api && go get -t -v -d ./...
-      - uses: actions/setup-node@v3
-        with:
-          node-version: ${{ env.NODE_VERSION }}
-          cache: 'yarn'
-      - run: yarn --frozen-lockfile
-
-      - name: Validate OpenAPI Spec
-        run: make docs-validate
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -9,6 +9,7 @@ linters:
    - gosimple
    - govet
    - errorlint
+    - exportloopref

 linters-settings:
  depguard:
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,4 +1,4 @@
 #!/usr/bin/env sh
 . "$(dirname -- "$0")/_/husky.sh"

-yarn lint-staged
+cd $(dirname -- "$0") && yarn lint-staged
--- a/.storybook/preview.tsx
+++ b/.storybook/preview.tsx
@@ -3,7 +3,7 @@ import React from 'react';
 import { pushStateLocationPlugin, UIRouter } from '@uirouter/react';
 import { initialize as initMSW, mswLoader } from 'msw-storybook-addon';
 import { handlers } from '../app/setup-tests/server-handlers';
-import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { QueryClient, QueryClientProvider } from 'react-query';

 initMSW(
  {
--- a/4
+++ b/4
@@ -30,7 +30,7 @@ build-server: init-dist ## Build the server binary
 	./build/build_binary.sh "$(PLATFORM)" "$(ARCH)"

 build-image: build-all ## Build the Portainer image locally
-	docker buildx build --load -t portainerci/portainer-ce:$(TAG) -f build/linux/Dockerfile .
+	docker buildx build --load -t portainerci/portainer:$(TAG) -f build/linux/Dockerfile .

 build-storybook: ## Build and serve the storybook files
 	yarn storybook:build
@@ -85,8 +85,6 @@ dev-client: ## Run the client in development mode
 dev-server: build-server ## Run the server in development mode
 	@./dev/run_container.sh

-dev-server-podman: build-server ## Run the server in development mode
-	@./dev/run_container_podman.sh

 ##@ Format
 .PHONY: format format-client format-server
--- a/api/agent/version.go
+++ b/api/agent/version.go
@@ -10,7 +10,7 @@ import (
 	"time"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/url"
+	"github.com/portainer/portainer/api/internal/url"
 )

 // GetAgentVersionAndPlatform returns the agent version and platform
--- a/api/apikey/apikey_test.go
+++ b/api/apikey/apikey_test.go
@@ -3,6 +3,7 @@ package apikey
 import (
 	"testing"

+	"github.com/portainer/portainer/api/internal/securecookie"
 	"github.com/stretchr/testify/assert"
 )

@@ -33,19 +34,17 @@ func Test_generateRandomKey(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := GenerateRandomKey(tt.wantLenth)
+			got := securecookie.GenerateRandomKey(tt.wantLenth)
 			is.Equal(tt.wantLenth, len(got))
 		})
 	}

 	t.Run("Generated keys are unique", func(t *testing.T) {
 		keys := make(map[string]bool)
-
-		for range 100 {
-			key := GenerateRandomKey(8)
+		for i := 0; i < 100; i++ {
+			key := securecookie.GenerateRandomKey(8)
 			_, ok := keys[string(key)]
 			is.False(ok)
-
 			keys[string(key)] = true
 		}
 	})
--- a/api/apikey/cache.go
+++ b/api/apikey/cache.go
@@ -1,79 +1,69 @@
 package apikey

 import (
-	portainer "github.com/portainer/portainer/api"
-
 	lru "github.com/hashicorp/golang-lru"
+	portainer "github.com/portainer/portainer/api"
 )

-const DefaultAPIKeyCacheSize = 1024
+const defaultAPIKeyCacheSize = 1024

 // entry is a tuple containing the user and API key associated to an API key digest
-type entry[T any] struct {
-	user   T
+type entry struct {
+	user   portainer.User
 	apiKey portainer.APIKey
 }

-type UserCompareFn[T any] func(T, portainer.UserID) bool
-
-// ApiKeyCache is a concurrency-safe, in-memory cache which primarily exists for to reduce database roundtrips.
+// apiKeyCache is a concurrency-safe, in-memory cache which primarily exists for to reduce database roundtrips.
 // We store the api-key digest (keys) and the associated user and key-data (values) in the cache.
 // This is required because HTTP requests will contain only the api-key digest in the x-api-key request header;
 // digest value must be mapped to a portainer user (and respective key data) for validation.
 // This cache is used to avoid multiple database queries to retrieve these user/key associated to the digest.
-type ApiKeyCache[T any] struct {
+type apiKeyCache struct {
 	// cache type [string]entry cache (key: string(digest), value: user/key entry)
 	// note: []byte keys are not supported by golang-lru Cache
-	cache     *lru.Cache
-	userCmpFn UserCompareFn[T]
+	cache *lru.Cache
 }

 // NewAPIKeyCache creates a new cache for API keys
-func NewAPIKeyCache[T any](cacheSize int, userCompareFn UserCompareFn[T]) *ApiKeyCache[T] {
+func NewAPIKeyCache(cacheSize int) *apiKeyCache {
 	cache, _ := lru.New(cacheSize)
-
-	return &ApiKeyCache[T]{cache: cache, userCmpFn: userCompareFn}
+	return &apiKeyCache{cache: cache}
 }

 // Get returns the user/key associated to an api-key's digest
 // This is required because HTTP requests will contain the digest of the API key in header,
 // the digest value must be mapped to a portainer user.
-func (c *ApiKeyCache[T]) Get(digest string) (T, portainer.APIKey, bool) {
+func (c *apiKeyCache) Get(digest string) (portainer.User, portainer.APIKey, bool) {
 	val, ok := c.cache.Get(digest)
 	if !ok {
-		var t T
-
-		return t, portainer.APIKey{}, false
+		return portainer.User{}, portainer.APIKey{}, false
 	}
-
-	tuple := val.(entry[T])
+	tuple := val.(entry)

 	return tuple.user, tuple.apiKey, true
 }

 // Set persists a user/key entry to the cache
-func (c *ApiKeyCache[T]) Set(digest string, user T, apiKey portainer.APIKey) {
-	c.cache.Add(digest, entry[T]{
+func (c *apiKeyCache) Set(digest string, user portainer.User, apiKey portainer.APIKey) {
+	c.cache.Add(digest, entry{
 		user:   user,
 		apiKey: apiKey,
 	})
 }

 // Delete evicts a digest's user/key entry key from the cache
-func (c *ApiKeyCache[T]) Delete(digest string) {
+func (c *apiKeyCache) Delete(digest string) {
 	c.cache.Remove(digest)
 }

 // InvalidateUserKeyCache loops through all the api-keys associated to a user and removes them from the cache
-func (c *ApiKeyCache[T]) InvalidateUserKeyCache(userId portainer.UserID) bool {
+func (c *apiKeyCache) InvalidateUserKeyCache(userId portainer.UserID) bool {
 	present := false
-
 	for _, k := range c.cache.Keys() {
 		user, _, _ := c.Get(k.(string))
-		if c.userCmpFn(user, userId) {
+		if user.ID == userId {
 			present = c.cache.Remove(k)
 		}
 	}
-
 	return present
 }
--- a/api/apikey/cache_test.go
+++ b/api/apikey/cache_test.go
@@ -10,11 +10,11 @@ import (
 func Test_apiKeyCacheGet(t *testing.T) {
 	is := assert.New(t)

-	keyCache := NewAPIKeyCache(10, compareUser)
+	keyCache := NewAPIKeyCache(10)

 	// pre-populate cache
-	keyCache.cache.Add(string("foo"), entry[portainer.User]{user: portainer.User{}, apiKey: portainer.APIKey{}})
-	keyCache.cache.Add(string(""), entry[portainer.User]{user: portainer.User{}, apiKey: portainer.APIKey{}})
+	keyCache.cache.Add(string("foo"), entry{user: portainer.User{}, apiKey: portainer.APIKey{}})
+	keyCache.cache.Add(string(""), entry{user: portainer.User{}, apiKey: portainer.APIKey{}})

 	tests := []struct {
 		digest string
@@ -35,7 +35,7 @@ func Test_apiKeyCacheGet(t *testing.T) {
 	}

 	for _, test := range tests {
-		t.Run(test.digest, func(t *testing.T) {
+		t.Run(string(test.digest), func(t *testing.T) {
 			_, _, found := keyCache.Get(test.digest)
 			is.Equal(test.found, found)
 		})
@@ -45,7 +45,7 @@ func Test_apiKeyCacheGet(t *testing.T) {
 func Test_apiKeyCacheSet(t *testing.T) {
 	is := assert.New(t)

-	keyCache := NewAPIKeyCache(10, compareUser)
+	keyCache := NewAPIKeyCache(10)

 	// pre-populate cache
 	keyCache.Set("bar", portainer.User{ID: 2}, portainer.APIKey{})
@@ -57,23 +57,23 @@ func Test_apiKeyCacheSet(t *testing.T) {
 	val, ok := keyCache.cache.Get(string("bar"))
 	is.True(ok)

-	tuple := val.(entry[portainer.User])
+	tuple := val.(entry)
 	is.Equal(portainer.User{ID: 2}, tuple.user)

 	val, ok = keyCache.cache.Get(string("foo"))
 	is.True(ok)

-	tuple = val.(entry[portainer.User])
+	tuple = val.(entry)
 	is.Equal(portainer.User{ID: 3}, tuple.user)
 }

 func Test_apiKeyCacheDelete(t *testing.T) {
 	is := assert.New(t)

-	keyCache := NewAPIKeyCache(10, compareUser)
+	keyCache := NewAPIKeyCache(10)

 	t.Run("Delete an existing entry", func(t *testing.T) {
-		keyCache.cache.Add(string("foo"), entry[portainer.User]{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
+		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
 		keyCache.Delete("foo")

 		_, ok := keyCache.cache.Get(string("foo"))
@@ -128,7 +128,7 @@ func Test_apiKeyCacheLRU(t *testing.T) {

 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			keyCache := NewAPIKeyCache(test.cacheLen, compareUser)
+			keyCache := NewAPIKeyCache(test.cacheLen)

 			for _, key := range test.key {
 				keyCache.Set(key, portainer.User{ID: 1}, portainer.APIKey{})
@@ -150,10 +150,10 @@ func Test_apiKeyCacheLRU(t *testing.T) {
 func Test_apiKeyCacheInvalidateUserKeyCache(t *testing.T) {
 	is := assert.New(t)

-	keyCache := NewAPIKeyCache(10, compareUser)
+	keyCache := NewAPIKeyCache(10)

 	t.Run("Removes users keys from cache", func(t *testing.T) {
-		keyCache.cache.Add(string("foo"), entry[portainer.User]{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
+		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})

 		ok := keyCache.InvalidateUserKeyCache(1)
 		is.True(ok)
@@ -163,8 +163,8 @@ func Test_apiKeyCacheInvalidateUserKeyCache(t *testing.T) {
 	})

 	t.Run("Does not affect other keys", func(t *testing.T) {
-		keyCache.cache.Add(string("foo"), entry[portainer.User]{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
-		keyCache.cache.Add(string("bar"), entry[portainer.User]{user: portainer.User{ID: 2}, apiKey: portainer.APIKey{}})
+		keyCache.cache.Add(string("foo"), entry{user: portainer.User{ID: 1}, apiKey: portainer.APIKey{}})
+		keyCache.cache.Add(string("bar"), entry{user: portainer.User{ID: 2}, apiKey: portainer.APIKey{}})

 		ok := keyCache.InvalidateUserKeyCache(1)
 		is.True(ok)
--- a/api/apikey/service.go
+++ b/api/apikey/service.go
@@ -1,15 +1,14 @@
 package apikey

 import (
-	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
-	"io"
 	"time"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/internal/securecookie"

 	"github.com/pkg/errors"
 )
@@ -21,45 +20,30 @@ var ErrInvalidAPIKey = errors.New("Invalid API key")
 type apiKeyService struct {
 	apiKeyRepository dataservices.APIKeyRepository
 	userRepository   dataservices.UserService
-	cache            *ApiKeyCache[portainer.User]
-}
-
-// GenerateRandomKey generates a random key of specified length
-// source: https://github.com/gorilla/securecookie/blob/master/securecookie.go#L515
-func GenerateRandomKey(length int) []byte {
-	k := make([]byte, length)
-	if _, err := io.ReadFull(rand.Reader, k); err != nil {
-		return nil
-	}
-
-	return k
-}
-
-func compareUser(u portainer.User, id portainer.UserID) bool {
-	return u.ID == id
+	cache            *apiKeyCache
 }

 func NewAPIKeyService(apiKeyRepository dataservices.APIKeyRepository, userRepository dataservices.UserService) *apiKeyService {
 	return &apiKeyService{
 		apiKeyRepository: apiKeyRepository,
 		userRepository:   userRepository,
-		cache:            NewAPIKeyCache(DefaultAPIKeyCacheSize, compareUser),
+		cache:            NewAPIKeyCache(defaultAPIKeyCacheSize),
 	}
 }

 // HashRaw computes a hash digest of provided raw API key.
 func (a *apiKeyService) HashRaw(rawKey string) string {
 	hashDigest := sha256.Sum256([]byte(rawKey))
-
 	return base64.StdEncoding.EncodeToString(hashDigest[:])
 }

 // GenerateApiKey generates a raw API key for a user (for one-time display).
 // The generated API key is stored in the cache and database.
 func (a *apiKeyService) GenerateApiKey(user portainer.User, description string) (string, *portainer.APIKey, error) {
-	randKey := GenerateRandomKey(32)
+	randKey := securecookie.GenerateRandomKey(32)
 	encodedRawAPIKey := base64.StdEncoding.EncodeToString(randKey)
 	prefixedAPIKey := portainerAPIKeyPrefix + encodedRawAPIKey
+
 	hashDigest := a.HashRaw(prefixedAPIKey)

 	apiKey := &portainer.APIKey{
@@ -70,7 +54,8 @@ func (a *apiKeyService) GenerateApiKey(user portainer.User, description string)
 		Digest:      hashDigest,
 	}

-	if err := a.apiKeyRepository.Create(apiKey); err != nil {
+	err := a.apiKeyRepository.Create(apiKey)
+	if err != nil {
 		return "", nil, errors.Wrap(err, "Unable to create API key")
 	}

@@ -93,6 +78,7 @@ func (a *apiKeyService) GetAPIKeys(userID portainer.UserID) ([]portainer.APIKey,
 // GetDigestUserAndKey returns the user and api-key associated to a specified hash digest.
 // A cache lookup is performed first; if the user/api-key is not found in the cache, respective database lookups are performed.
 func (a *apiKeyService) GetDigestUserAndKey(digest string) (portainer.User, portainer.APIKey, error) {
+	// get api key from cache if possible
 	cachedUser, cachedKey, ok := a.cache.Get(digest)
 	if ok {
 		return cachedUser, cachedKey, nil
@@ -120,21 +106,20 @@ func (a *apiKeyService) UpdateAPIKey(apiKey *portainer.APIKey) error {
 	if err != nil {
 		return errors.Wrap(err, "Unable to retrieve API key")
 	}
-
 	a.cache.Set(apiKey.Digest, user, *apiKey)
-
 	return a.apiKeyRepository.Update(apiKey.ID, apiKey)
 }

 // DeleteAPIKey deletes an API key and removes the digest/api-key entry from the cache.
 func (a *apiKeyService) DeleteAPIKey(apiKeyID portainer.APIKeyID) error {
+	// get api-key digest to remove from cache
 	apiKey, err := a.apiKeyRepository.Read(apiKeyID)
 	if err != nil {
 		return errors.Wrap(err, fmt.Sprintf("Unable to retrieve API key: %d", apiKeyID))
 	}

+	// delete the user/api-key from cache
 	a.cache.Delete(apiKey.Digest)
-
 	return a.apiKeyRepository.Delete(apiKeyID)
 }

--- a/api/chisel/service.go
+++ b/api/chisel/service.go
@@ -287,7 +287,7 @@ func (service *Service) checkTunnels() {
 				Msg("unable to snapshot Edge environment")
 		}

-		service.close(endpointID)
+		service.close(portainer.EndpointID(endpointID))

 		return
 	}
--- a/api/chisel/service_test.go
+++ b/api/chisel/service_test.go
@@ -1,7 +1,6 @@
 package chisel

 import (
-	"context"
 	"net"
 	"net/http"
 	"testing"
@@ -37,11 +36,8 @@ func TestPingAgentPanic(t *testing.T) {
 	ln, err := net.ListenTCP("tcp", &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
 	require.NoError(t, err)

-	srv := &http.Server{Handler: mux}
-
-	errCh := make(chan error)
 	go func() {
-		errCh <- srv.Serve(ln)
+		require.NoError(t, http.Serve(ln, mux))
 	}()

 	err = s.Open(endpoint)
@@ -49,6 +45,4 @@ func TestPingAgentPanic(t *testing.T) {
 	s.activeTunnels[endpoint.ID].Port = ln.Addr().(*net.TCPAddr).Port

 	require.Error(t, s.pingAgent(endpoint.ID))
-	require.NoError(t, srv.Shutdown(context.Background()))
-	require.ErrorIs(t, <-errCh, http.ErrServerClosed)
 }
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -17,20 +17,24 @@ import (
 type Service struct{}

 var (
-	ErrInvalidEndpointProtocol       = errors.New("Invalid environment protocol: Portainer only supports unix://, npipe:// or tcp://")
-	ErrSocketOrNamedPipeNotFound     = errors.New("Unable to locate Unix socket or named pipe")
-	ErrInvalidSnapshotInterval       = errors.New("Invalid snapshot interval")
-	ErrAdminPassExcludeAdminPassFile = errors.New("Cannot use --admin-password with --admin-password-file")
+	errInvalidEndpointProtocol       = errors.New("Invalid environment protocol: Portainer only supports unix://, npipe:// or tcp://")
+	errSocketOrNamedPipeNotFound     = errors.New("Unable to locate Unix socket or named pipe")
+	errInvalidSnapshotInterval       = errors.New("Invalid snapshot interval")
+	errAdminPassExcludeAdminPassFile = errors.New("Cannot use --admin-password with --admin-password-file")
 )

-func CLIFlags() *portainer.CLIFlags {
-	return &portainer.CLIFlags{
+// ParseFlags parse the CLI flags and return a portainer.Flags struct
+func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
+	kingpin.Version(version)
+
+	flags := &portainer.CLIFlags{
 		Addr:                      kingpin.Flag("bind", "Address and port to serve Portainer").Default(defaultBindAddress).Short('p').String(),
 		AddrHTTPS:                 kingpin.Flag("bind-https", "Address and port to serve Portainer via https").Default(defaultHTTPSBindAddress).String(),
 		TunnelAddr:                kingpin.Flag("tunnel-addr", "Address to serve the tunnel server").Default(defaultTunnelServerAddress).String(),
 		TunnelPort:                kingpin.Flag("tunnel-port", "Port to serve the tunnel server").Default(defaultTunnelServerPort).String(),
 		Assets:                    kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
 		Data:                      kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
+		DemoEnvironment:           kingpin.Flag("demo", "Demo environment").Bool(),
 		EndpointURL:               kingpin.Flag("host", "Environment URL").Short('H').String(),
 		FeatureFlags:              kingpin.Flag("feat", "List of feature flags").Strings(),
 		EnableEdgeComputeFeatures: kingpin.Flag("edge-compute", "Enable Edge Compute features").Bool(),
@@ -60,13 +64,6 @@ func CLIFlags() *portainer.CLIFlags {
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
 	}
-}
-
-// ParseFlags parse the CLI flags and return a portainer.Flags struct
-func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
-	kingpin.Version(version)
-
-	flags := CLIFlags()

 	kingpin.Parse()

@@ -86,16 +83,18 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 	displayDeprecationWarnings(flags)

-	if err := validateEndpointURL(*flags.EndpointURL); err != nil {
+	err := validateEndpointURL(*flags.EndpointURL)
+	if err != nil {
 		return err
 	}

-	if err := validateSnapshotInterval(*flags.SnapshotInterval); err != nil {
+	err = validateSnapshotInterval(*flags.SnapshotInterval)
+	if err != nil {
 		return err
 	}

 	if *flags.AdminPassword != "" && *flags.AdminPasswordFile != "" {
-		return ErrAdminPassExcludeAdminPassFile
+		return errAdminPassExcludeAdminPassFile
 	}

 	return nil
@@ -117,16 +116,15 @@ func validateEndpointURL(endpointURL string) error {
 	}

 	if !strings.HasPrefix(endpointURL, "unix://") && !strings.HasPrefix(endpointURL, "tcp://") && !strings.HasPrefix(endpointURL, "npipe://") {
-		return ErrInvalidEndpointProtocol
+		return errInvalidEndpointProtocol
 	}

 	if strings.HasPrefix(endpointURL, "unix://") || strings.HasPrefix(endpointURL, "npipe://") {
 		socketPath := strings.TrimPrefix(endpointURL, "unix://")
 		socketPath = strings.TrimPrefix(socketPath, "npipe://")
-
 		if _, err := os.Stat(socketPath); err != nil {
 			if os.IsNotExist(err) {
-				return ErrSocketOrNamedPipeNotFound
+				return errSocketOrNamedPipeNotFound
 			}

 			return err
@@ -141,8 +139,9 @@ func validateSnapshotInterval(snapshotInterval string) error {
 		return nil
 	}

-	if _, err := time.ParseDuration(snapshotInterval); err != nil {
-		return ErrInvalidSnapshotInterval
+	_, err := time.ParseDuration(snapshotInterval)
+	if err != nil {
+		return errInvalidSnapshotInterval
 	}

 	return nil
--- a/api/cmd/portainer/log.go
+++ b/api/cmd/portainer/log.go
@@ -54,7 +54,7 @@ func setLoggingMode(mode string) {
 	}
 }

-func formatMessage(i any) string {
+func formatMessage(i interface{}) string {
 	if i == nil {
 		return ""
 	}
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -1,7 +1,6 @@
 package main

 import (
-	"cmp"
 	"context"
 	"crypto/sha256"
 	"os"
@@ -21,6 +20,7 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/datastore/migrator"
 	"github.com/portainer/portainer/api/datastore/postinit"
+	"github.com/portainer/portainer/api/demo"
 	"github.com/portainer/portainer/api/docker"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/exec"
@@ -43,9 +43,6 @@ import (
 	"github.com/portainer/portainer/api/ldap"
 	"github.com/portainer/portainer/api/oauth"
 	"github.com/portainer/portainer/api/pendingactions"
-	"github.com/portainer/portainer/api/pendingactions/actions"
-	"github.com/portainer/portainer/api/pendingactions/handlers"
-	"github.com/portainer/portainer/api/platform"
 	"github.com/portainer/portainer/api/scheduler"
 	"github.com/portainer/portainer/api/stacks/deployments"
 	"github.com/portainer/portainer/pkg/featureflags"
@@ -58,14 +55,14 @@ import (
 )

 func initCLI() *portainer.CLIFlags {
-	cliService := &cli.Service{}
-
+	var cliService portainer.CLIService = &cli.Service{}
 	flags, err := cliService.ParseFlags(portainer.APIVersion)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed parsing flags")
 	}

-	if err := cliService.ValidateFlags(flags); err != nil {
+	err = cliService.ValidateFlags(flags)
+	if err != nil {
 		log.Fatal().Err(err).Msg("failed validating flags")
 	}

@@ -96,14 +93,14 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	}

 	store := datastore.NewStore(*flags.Data, fileService, connection)
-
 	isNew, err := store.Open()
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed opening store")
 	}

 	if *flags.Rollback {
-		if err := store.Rollback(false); err != nil {
+		err := store.Rollback(false)
+		if err != nil {
 			log.Fatal().Err(err).Msg("failed rolling back")
 		}

@@ -112,7 +109,8 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 	}

 	// Init sets some defaults - it's basically a migration
-	if err := store.Init(); err != nil {
+	err = store.Init()
+	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing data store")
 	}

@@ -134,23 +132,25 @@ func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService port
 		}
 		store.VersionService.UpdateVersion(&v)

-		if err := updateSettingsFromFlags(store, flags); err != nil {
+		err = updateSettingsFromFlags(store, flags)
+		if err != nil {
 			log.Fatal().Err(err).Msg("failed updating settings from flags")
 		}
 	} else {
-		if err := store.MigrateData(); err != nil {
+		err = store.MigrateData()
+		if err != nil {
 			log.Fatal().Err(err).Msg("failed migration")
 		}
 	}

-	if err := updateSettingsFromFlags(store, flags); err != nil {
+	err = updateSettingsFromFlags(store, flags)
+	if err != nil {
 		log.Fatal().Err(err).Msg("failed updating settings from flags")
 	}

 	// this is for the db restore functionality - needs more tests.
 	go func() {
 		<-shutdownCtx.Done()
-
 		defer connection.Close()
 	}()

@@ -204,16 +204,36 @@ func initJWTService(userSessionTimeout string, dataStore dataservices.DataStore)
 		userSessionTimeout = portainer.DefaultUserSessionTimeout
 	}

-	return jwt.NewService(userSessionTimeout, dataStore)
+	jwtService, err := jwt.NewService(userSessionTimeout, dataStore)
+	if err != nil {
+		return nil, err
+	}
+
+	return jwtService, nil
 }

 func initDigitalSignatureService() portainer.DigitalSignatureService {
 	return crypto.NewECDSAService(os.Getenv("AGENT_SECRET"))
 }

+func initCryptoService() portainer.CryptoService {
+	return &crypto.Service{}
+}
+
+func initLDAPService() portainer.LDAPService {
+	return &ldap.Service{}
+}
+
+func initOAuthService() portainer.OAuthService {
+	return oauth.NewService()
+}
+
+func initGitService(ctx context.Context) portainer.GitService {
+	return git.NewService(ctx)
+}
+
 func initSSLService(addr, certPath, keyPath string, fileService portainer.FileService, dataStore dataservices.DataStore, shutdownTrigger context.CancelFunc) (*ssl.Service, error) {
 	slices := strings.Split(addr, ":")
-
 	host := slices[0]
 	if host == "" {
 		host = "0.0.0.0"
@@ -221,13 +241,22 @@ func initSSLService(addr, certPath, keyPath string, fileService portainer.FileSe

 	sslService := ssl.NewService(fileService, dataStore, shutdownTrigger)

-	if err := sslService.Init(host, certPath, keyPath); err != nil {
+	err := sslService.Init(host, certPath, keyPath)
+	if err != nil {
 		return nil, err
 	}

 	return sslService, nil
 }

+func initDockerClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService) *dockerclient.ClientFactory {
+	return dockerclient.NewClientFactory(signatureService, reverseTunnelService)
+}
+
+func initKubernetesClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, dataStore dataservices.DataStore, instanceID, addrHTTPS, userSessionTimeout string) (*kubecli.ClientFactory, error) {
+	return kubecli.NewClientFactory(signatureService, reverseTunnelService, dataStore, instanceID, addrHTTPS, userSessionTimeout)
+}
+
 func initSnapshotService(
 	snapshotIntervalFromFlag string,
 	dataStore dataservices.DataStore,
@@ -260,21 +289,34 @@ func updateSettingsFromFlags(dataStore dataservices.DataStore, flags *portainer.
 		return err
 	}

-	settings.SnapshotInterval = *cmp.Or(flags.SnapshotInterval, &settings.SnapshotInterval)
-	settings.LogoURL = *cmp.Or(flags.Logo, &settings.LogoURL)
-	settings.EnableEdgeComputeFeatures = *cmp.Or(flags.EnableEdgeComputeFeatures, &settings.EnableEdgeComputeFeatures)
-	settings.TemplatesURL = *cmp.Or(flags.Templates, &settings.TemplatesURL)
+	if *flags.SnapshotInterval != "" {
+		settings.SnapshotInterval = *flags.SnapshotInterval
+	}
+
+	if *flags.Logo != "" {
+		settings.LogoURL = *flags.Logo
+	}
+
+	if *flags.EnableEdgeComputeFeatures {
+		settings.EnableEdgeComputeFeatures = *flags.EnableEdgeComputeFeatures
+	}
+
+	if *flags.Templates != "" {
+		settings.TemplatesURL = *flags.Templates
+	}

 	if *flags.Labels != nil {
 		settings.BlackListedLabels = *flags.Labels
 	}

-	settings.AgentSecret = ""
 	if agentKey, ok := os.LookupEnv("AGENT_SECRET"); ok {
 		settings.AgentSecret = agentKey
+	} else {
+		settings.AgentSecret = ""
 	}

-	if err := dataStore.Settings().UpdateSettings(settings); err != nil {
+	err = dataStore.Settings().UpdateSettings(settings)
+	if err != nil {
 		return err
 	}

@@ -297,7 +339,6 @@ func loadAndParseKeyPair(fileService portainer.FileService, signatureService por
 	if err != nil {
 		return err
 	}
-
 	return signatureService.ParseKeyPair(private, public)
 }

@@ -306,9 +347,7 @@ func generateAndStoreKeyPair(fileService portainer.FileService, signatureService
 	if err != nil {
 		return err
 	}
-
 	privateHeader, publicHeader := signatureService.PEMHeaders()
-
 	return fileService.StoreKeyPair(private, public, privateHeader, publicHeader)
 }

@@ -321,7 +360,6 @@ func initKeyPair(fileService portainer.FileService, signatureService portainer.D
 	if existingKeyPair {
 		return loadAndParseKeyPair(fileService, signatureService)
 	}
-
 	return generateAndStoreKeyPair(fileService, signatureService)
 }

@@ -339,7 +377,6 @@ func loadEncryptionSecretKey(keyfilename string) []byte {

 	// return a 32 byte hash of the secret (required for AES)
 	hash := sha256.Sum256(content)
-
 	return hash[:]
 }

@@ -384,17 +421,17 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatal().Err(err).Msg("failed initializing JWT service")
 	}

-	ldapService := &ldap.Service{}
+	ldapService := initLDAPService()

-	oauthService := oauth.NewService()
+	oauthService := initOAuthService()

-	gitService := git.NewService(shutdownCtx)
+	gitService := initGitService(shutdownCtx)

 	openAMTService := openamt.NewService()

-	cryptoService := &crypto.Service{}
+	cryptoService := initCryptoService()

-	signatureService := initDigitalSignatureService()
+	digitalSignatureService := initDigitalSignatureService()

 	edgeStacksService := edgestacks.NewService(dataStore)

@@ -408,18 +445,15 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatal().Err(err).Msg("failed to get SSL settings")
 	}

-	if err := initKeyPair(fileService, signatureService); err != nil {
+	err = initKeyPair(fileService, digitalSignatureService)
+	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing key pair")
 	}

 	reverseTunnelService := chisel.NewService(dataStore, shutdownCtx, fileService)

-	dockerClientFactory := dockerclient.NewClientFactory(signatureService, reverseTunnelService)
-
-	kubernetesClientFactory, err := kubecli.NewClientFactory(signatureService, reverseTunnelService, dataStore, instanceID, *flags.AddrHTTPS, settings.UserSessionTimeout)
-	if err != nil {
-		log.Fatal().Err(err).Msg("failed initializing Kubernetes Client Factory service")
-	}
+	dockerClientFactory := initDockerClientFactory(digitalSignatureService, reverseTunnelService)
+	kubernetesClientFactory, err := initKubernetesClientFactory(digitalSignatureService, reverseTunnelService, dataStore, instanceID, *flags.AddrHTTPS, settings.UserSessionTimeout)

 	authorizationService := authorization.NewService(dataStore)
 	authorizationService.K8sClientFactory = kubernetesClientFactory
@@ -441,45 +475,49 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	composeStackManager := initComposeStackManager(composeDeployer, proxyManager)

-	swarmStackManager, err := initSwarmStackManager(*flags.Assets, dockerConfigPath, signatureService, fileService, reverseTunnelService, dataStore)
+	swarmStackManager, err := initSwarmStackManager(*flags.Assets, dockerConfigPath, digitalSignatureService, fileService, reverseTunnelService, dataStore)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing swarm stack manager")
 	}

-	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager, *flags.Assets)
+	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, digitalSignatureService, proxyManager, *flags.Assets)

-	pendingActionsService := pendingactions.NewService(dataStore, kubernetesClientFactory)
-	pendingActionsService.RegisterHandler(actions.CleanNAPWithOverridePolicies, handlers.NewHandlerCleanNAPWithOverridePolicies(authorizationService, dataStore))
-	pendingActionsService.RegisterHandler(actions.DeletePortainerK8sRegistrySecrets, handlers.NewHandlerDeleteRegistrySecrets(authorizationService, dataStore, kubernetesClientFactory))
-	pendingActionsService.RegisterHandler(actions.PostInitMigrateEnvironment, handlers.NewHandlerPostInitMigrateEnvironment(authorizationService, dataStore, kubernetesClientFactory, dockerClientFactory, *flags.Assets, kubernetesDeployer))
+	pendingActionsService := pendingactions.NewService(dataStore, kubernetesClientFactory, dockerClientFactory, authorizationService, shutdownCtx, *flags.Assets, kubernetesDeployer)

 	snapshotService, err := initSnapshotService(*flags.SnapshotInterval, dataStore, dockerClientFactory, kubernetesClientFactory, shutdownCtx, pendingActionsService)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing snapshot service")
 	}
-
 	snapshotService.Start()

-	proxyManager.NewProxyFactory(dataStore, signatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)
+	proxyManager.NewProxyFactory(dataStore, digitalSignatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)

 	helmPackageManager, err := initHelmPackageManager(*flags.Assets)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing helm package manager")
 	}

-	if err := edge.LoadEdgeJobs(dataStore, reverseTunnelService); err != nil {
+	err = edge.LoadEdgeJobs(dataStore, reverseTunnelService)
+	if err != nil {
 		log.Fatal().Err(err).Msg("failed loading edge jobs from database")
 	}

 	applicationStatus := initStatus(instanceID)

+	demoService := demo.NewService()
+	if *flags.DemoEnvironment {
+		err := demoService.Init(dataStore, cryptoService)
+		if err != nil {
+			log.Fatal().Err(err).Msg("failed initializing demo environment")
+		}
+	}
+
 	// channel to control when the admin user is created
 	adminCreationDone := make(chan struct{}, 1)

 	go endpointutils.InitEndpoint(shutdownCtx, adminCreationDone, flags, dataStore, snapshotService)

 	adminPasswordHash := ""
-
 	if *flags.AdminPasswordFile != "" {
 		content, err := fileService.GetFileContent(*flags.AdminPasswordFile, "")
 		if err != nil {
@@ -502,14 +540,14 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 		if len(users) == 0 {
 			log.Info().Msg("created admin user with the given password.")
-
 			user := &portainer.User{
 				Username: "admin",
 				Role:     portainer.AdministratorRole,
 				Password: adminPasswordHash,
 			}

-			if err := dataStore.User().Create(user); err != nil {
+			err := dataStore.User().Create(user)
+			if err != nil {
 				log.Fatal().Err(err).Msg("failed creating admin user")
 			}

@@ -520,7 +558,8 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		}
 	}

-	if err := reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotService); err != nil {
+	err = reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotService)
+	if err != nil {
 		log.Fatal().Err(err).Msg("failed starting tunnel server")
 	}

@@ -533,20 +572,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatal().Msg("failed to fetch SSL settings from DB")
 	}

-	platformService, err := platform.NewService(dataStore)
-	if err != nil {
-		log.Fatal().Err(err).Msg("failed initializing platform service")
-	}
-
-	upgradeService, err := upgrade.NewService(
-		*flags.Assets,
-		kubernetesClientFactory,
-		dockerClientFactory,
-		composeStackManager,
-		dataStore,
-		fileService,
-		stackDeployer,
-	)
+	upgradeService, err := upgrade.NewService(*flags.Assets, composeDeployer, kubernetesClientFactory)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing upgrade service")
 	}
@@ -591,7 +617,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		ProxyManager:                proxyManager,
 		KubernetesTokenCacheManager: kubernetesTokenCacheManager,
 		KubeClusterAccessService:    kubeClusterAccessService,
-		SignatureService:            signatureService,
+		SignatureService:            digitalSignatureService,
 		SnapshotService:             snapshotService,
 		SSLService:                  sslService,
 		DockerClientFactory:         dockerClientFactory,
@@ -600,10 +626,10 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		ShutdownCtx:                 shutdownCtx,
 		ShutdownTrigger:             shutdownTrigger,
 		StackDeployer:               stackDeployer,
+		DemoService:                 demoService,
 		UpgradeService:              upgradeService,
 		AdminCreationDone:           adminCreationDone,
 		PendingActionsService:       pendingActionsService,
-		PlatformService:             platformService,
 	}
 }

@@ -618,7 +644,6 @@ func main() {

 	for {
 		server := buildServer(flags)
-
 		log.Info().
 			Str("version", portainer.APIVersion).
 			Str("build_number", build.BuildNumber).
--- a/api/concurrent/concurrent.go
+++ b/api/concurrent/concurrent.go
@@ -1,148 +0,0 @@
-// Package concurrent provides utilities for running multiple functions concurrently in Go.
-// For example, many kubernetes calls can take a while to fulfill.  Oftentimes in Portainer
-// we need to get a list of objects from multiple kubernetes REST APIs. We can often call these
-// apis concurrently to speed up the response time.
-// This package provides a clean way to do just that.
-//
-// Examples:
-//   The ConfigMaps and Secrets function converted using concurrent.Run.
-/*
-
-// GetConfigMapsAndSecrets gets all the ConfigMaps AND all the Secrets for a
-// given namespace in a k8s endpoint. The result is a list of both config maps
-// and secrets. The IsSecret boolean property indicates if a given struct is a
-// secret or configmap.
-func (kcl *KubeClient) GetConfigMapsAndSecrets(namespace string) ([]models.K8sConfigMapOrSecret, error) {
-
-	// use closures to capture the current kube client and namespace by declaring wrapper functions
-	// that match the interface signature for concurrent.Func
-
-	listConfigMaps := func(ctx context.Context) (any, error) {
-		return kcl.cli.CoreV1().ConfigMaps(namespace).List(context.Background(), meta.ListOptions{})
-	}
-
-	listSecrets := func(ctx context.Context) (any, error) {
-		return kcl.cli.CoreV1().Secrets(namespace).List(context.Background(), meta.ListOptions{})
-	}
-
-	// run the functions concurrently and wait for results.  We can also pass in a context to cancel.
-	// e.g. Deadline timer.
-	results, err := concurrent.Run(context.TODO(), listConfigMaps, listSecrets)
-	if err != nil {
-		return nil, err
-	}
-
-	var configMapList *core.ConfigMapList
-	var secretList *core.SecretList
-	for _, r := range results {
-		switch v := r.Result.(type) {
-		case *core.ConfigMapList:
-			configMapList = v
-		case *core.SecretList:
-			secretList = v
-		}
-	}
-
-	// TODO: Applications
-	var combined []models.K8sConfigMapOrSecret
-	for _, m := range configMapList.Items {
-		var cm models.K8sConfigMapOrSecret
-		cm.UID = string(m.UID)
-		cm.Name = m.Name
-		cm.Namespace = m.Namespace
-		cm.Annotations = m.Annotations
-		cm.Data = m.Data
-		cm.CreationDate = m.CreationTimestamp.Time.UTC().Format(time.RFC3339)
-		combined = append(combined, cm)
-	}
-
-	for _, s := range secretList.Items {
-		var secret models.K8sConfigMapOrSecret
-		secret.UID = string(s.UID)
-		secret.Name = s.Name
-		secret.Namespace = s.Namespace
-		secret.Annotations = s.Annotations
-		secret.Data = msbToMss(s.Data)
-		secret.CreationDate = s.CreationTimestamp.Time.UTC().Format(time.RFC3339)
-		secret.IsSecret = true
-		secret.SecretType = string(s.Type)
-		combined = append(combined, secret)
-	}
-
-	return combined, nil
-}
-
-*/
-
-package concurrent
-
-import (
-	"context"
-	"sync"
-)
-
-// Result contains the result and any error returned from running a client task function
-type Result struct {
-	Result any   // the result of running the task function
-	Err    error // any error that occurred while running the task function
-}
-
-// Func is a function returns a result or error
-type Func func(ctx context.Context) (any, error)
-
-// Run runs a list of functions returns the results
-func Run(ctx context.Context, maxConcurrency int, tasks ...Func) ([]Result, error) {
-	var wg sync.WaitGroup
-
-	resultsChan := make(chan Result, len(tasks))
-	taskChan := make(chan Func, len(tasks))
-
-	localCtx, cancelCtx := context.WithCancel(ctx)
-	defer cancelCtx()
-
-	runTask := func() {
-		defer wg.Done()
-
-		for fn := range taskChan {
-			result, err := fn(localCtx)
-			resultsChan <- Result{Result: result, Err: err}
-		}
-	}
-
-	// Set maxConcurrency to the number of tasks if zero or negative
-	if maxConcurrency <= 0 {
-		maxConcurrency = len(tasks)
-	}
-
-	// Start worker goroutines
-	for range maxConcurrency {
-		wg.Add(1)
-		go runTask()
-	}
-
-	// Add tasks to the task channel
-	for _, fn := range tasks {
-		taskChan <- fn
-	}
-
-	// Close the task channel to signal workers to stop when all tasks are done
-	close(taskChan)
-
-	// Wait for all workers to complete
-	wg.Wait()
-	close(resultsChan)
-
-	// Collect the results and cancel on error
-	results := make([]Result, 0, len(tasks))
-	for r := range resultsChan {
-		if r.Err != nil {
-			cancelCtx()
-
-			return nil, r.Err
-		}
-
-		results = append(results, r)
-	}
-
-	return results, nil
-}
--- a/api/connection.go
+++ b/api/connection.go
@@ -5,21 +5,22 @@ import (
 )

 type ReadTransaction interface {
-	GetObject(bucketName string, key []byte, object any) error
-	GetAll(bucketName string, obj any, append func(o any) (any, error)) error
-	GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj any, append func(o any) (any, error)) error
+	GetObject(bucketName string, key []byte, object interface{}) error
+	GetAll(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error
+	GetAllWithJsoniter(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error
+	GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj interface{}, append func(o interface{}) (interface{}, error)) error
 }

 type Transaction interface {
 	ReadTransaction

 	SetServiceName(bucketName string) error
-	UpdateObject(bucketName string, key []byte, object any) error
+	UpdateObject(bucketName string, key []byte, object interface{}) error
 	DeleteObject(bucketName string, key []byte) error
-	CreateObject(bucketName string, fn func(uint64) (int, any)) error
-	CreateObjectWithId(bucketName string, id int, obj any) error
-	CreateObjectWithStringId(bucketName string, id []byte, obj any) error
-	DeleteAllObjects(bucketName string, obj any, matching func(o any) (id int, ok bool)) error
+	CreateObject(bucketName string, fn func(uint64) (int, interface{})) error
+	CreateObjectWithId(bucketName string, id int, obj interface{}) error
+	CreateObjectWithStringId(bucketName string, id []byte, obj interface{}) error
+	DeleteAllObjects(bucketName string, obj interface{}, matching func(o interface{}) (id int, ok bool)) error
 	GetNextIdentifier(bucketName string) int
 }

@@ -45,8 +46,8 @@ type Connection interface {
 	NeedsEncryptionMigration() (bool, error)
 	SetEncrypted(encrypted bool)

-	BackupMetadata() (map[string]any, error)
-	RestoreMetadata(s map[string]any) error
+	BackupMetadata() (map[string]interface{}, error)
+	RestoreMetadata(s map[string]interface{}) error

 	UpdateObjectFunc(bucketName string, key []byte, object any, updateFn func()) error
 	ConvertToKey(v int) []byte
--- a/api/database/boltdb/db.go
+++ b/api/database/boltdb/db.go
@@ -8,7 +8,6 @@ import (
 	"math"
 	"os"
 	"path"
-	"strconv"
 	"time"

 	portainer "github.com/portainer/portainer/api"
@@ -74,6 +73,7 @@ func (connection *DbConnection) IsEncryptedStore() bool {
 // NeedsEncryptionMigration returns true if database encryption is enabled and
 // we have an un-encrypted DB that requires migration to an encrypted DB
 func (connection *DbConnection) NeedsEncryptionMigration() (bool, error) {
+
 	// Cases:  Note, we need to check both portainer.db and portainer.edb
 	// to determine if it's a new store.   We only need to differentiate between cases 2,3 and 5

@@ -121,11 +121,11 @@ func (connection *DbConnection) NeedsEncryptionMigration() (bool, error) {

 // Open opens and initializes the BoltDB database.
 func (connection *DbConnection) Open() error {
+
 	log.Info().Str("filename", connection.GetDatabaseFileName()).Msg("loading PortainerDB")

 	// Now we open the db
 	databasePath := connection.GetDatabaseFilePath()
-
 	db, err := bolt.Open(databasePath, 0600, &bolt.Options{
 		Timeout:         1 * time.Second,
 		InitialMmapSize: connection.InitialMmapSize,
@@ -178,7 +178,6 @@ func (connection *DbConnection) ViewTx(fn func(portainer.Transaction) error) err
 func (connection *DbConnection) BackupTo(w io.Writer) error {
 	return connection.View(func(tx *bolt.Tx) error {
 		_, err := tx.WriteTo(w)
-
 		return err
 	})
 }
@@ -193,7 +192,6 @@ func (connection *DbConnection) ExportRaw(filename string) error {
 	if err != nil {
 		return err
 	}
-
 	return os.WriteFile(filename, b, 0600)
 }

@@ -203,7 +201,6 @@ func (connection *DbConnection) ExportRaw(filename string) error {
 func (connection *DbConnection) ConvertToKey(v int) []byte {
 	b := make([]byte, 8)
 	binary.BigEndian.PutUint64(b, uint64(v))
-
 	return b
 }

@@ -215,7 +212,7 @@ func keyToString(b []byte) string {

 	v := binary.BigEndian.Uint64(b)
 	if v <= math.MaxInt32 {
-		return strconv.FormatUint(v, 10)
+		return fmt.Sprintf("%d", v)
 	}

 	return string(b)
@@ -229,7 +226,7 @@ func (connection *DbConnection) SetServiceName(bucketName string) error {
 }

 // GetObject is a generic function used to retrieve an unmarshalled object from a database.
-func (connection *DbConnection) GetObject(bucketName string, key []byte, object any) error {
+func (connection *DbConnection) GetObject(bucketName string, key []byte, object interface{}) error {
 	return connection.ViewTx(func(tx portainer.Transaction) error {
 		return tx.GetObject(bucketName, key, object)
 	})
@@ -244,7 +241,7 @@ func (connection *DbConnection) getEncryptionKey() []byte {
 }

 // UpdateObject is a generic function used to update an object inside a database.
-func (connection *DbConnection) UpdateObject(bucketName string, key []byte, object any) error {
+func (connection *DbConnection) UpdateObject(bucketName string, key []byte, object interface{}) error {
 	return connection.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.UpdateObject(bucketName, key, object)
 	})
@@ -285,7 +282,7 @@ func (connection *DbConnection) DeleteObject(bucketName string, key []byte) erro

 // DeleteAllObjects delete all objects where matching() returns (id, ok).
 // TODO: think about how to return the error inside (maybe change ok to type err, and use "notfound"?
-func (connection *DbConnection) DeleteAllObjects(bucketName string, obj any, matching func(o any) (id int, ok bool)) error {
+func (connection *DbConnection) DeleteAllObjects(bucketName string, obj interface{}, matching func(o interface{}) (id int, ok bool)) error {
 	return connection.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.DeleteAllObjects(bucketName, obj, matching)
 	})
@@ -304,64 +301,71 @@ func (connection *DbConnection) GetNextIdentifier(bucketName string) int {
 }

 // CreateObject creates a new object in the bucket, using the next bucket sequence id
-func (connection *DbConnection) CreateObject(bucketName string, fn func(uint64) (int, any)) error {
+func (connection *DbConnection) CreateObject(bucketName string, fn func(uint64) (int, interface{})) error {
 	return connection.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.CreateObject(bucketName, fn)
 	})
 }

 // CreateObjectWithId creates a new object in the bucket, using the specified id
-func (connection *DbConnection) CreateObjectWithId(bucketName string, id int, obj any) error {
+func (connection *DbConnection) CreateObjectWithId(bucketName string, id int, obj interface{}) error {
 	return connection.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.CreateObjectWithId(bucketName, id, obj)
 	})
 }

 // CreateObjectWithStringId creates a new object in the bucket, using the specified id
-func (connection *DbConnection) CreateObjectWithStringId(bucketName string, id []byte, obj any) error {
+func (connection *DbConnection) CreateObjectWithStringId(bucketName string, id []byte, obj interface{}) error {
 	return connection.UpdateTx(func(tx portainer.Transaction) error {
 		return tx.CreateObjectWithStringId(bucketName, id, obj)
 	})
 }

-func (connection *DbConnection) GetAll(bucketName string, obj any, appendFn func(o any) (any, error)) error {
+func (connection *DbConnection) GetAll(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error {
 	return connection.ViewTx(func(tx portainer.Transaction) error {
-		return tx.GetAll(bucketName, obj, appendFn)
+		return tx.GetAll(bucketName, obj, append)
 	})
 }

-func (connection *DbConnection) GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj any, appendFn func(o any) (any, error)) error {
+// TODO: decide which Unmarshal to use, and use one...
+func (connection *DbConnection) GetAllWithJsoniter(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error {
 	return connection.ViewTx(func(tx portainer.Transaction) error {
-		return tx.GetAllWithKeyPrefix(bucketName, keyPrefix, obj, appendFn)
+		return tx.GetAllWithJsoniter(bucketName, obj, append)
+	})
+}
+
+func (connection *DbConnection) GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj interface{}, append func(o interface{}) (interface{}, error)) error {
+	return connection.ViewTx(func(tx portainer.Transaction) error {
+		return tx.GetAllWithKeyPrefix(bucketName, keyPrefix, obj, append)
 	})
 }

 // BackupMetadata will return a copy of the boltdb sequence numbers for all buckets.
-func (connection *DbConnection) BackupMetadata() (map[string]any, error) {
-	buckets := map[string]any{}
+func (connection *DbConnection) BackupMetadata() (map[string]interface{}, error) {
+	buckets := map[string]interface{}{}

 	err := connection.View(func(tx *bolt.Tx) error {
-		return tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
+		err := tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
 			bucketName := string(name)
 			seqId := bucket.Sequence()
 			buckets[bucketName] = int(seqId)
-
 			return nil
 		})
+
+		return err
 	})

 	return buckets, err
 }

 // RestoreMetadata will restore the boltdb sequence numbers for all buckets.
-func (connection *DbConnection) RestoreMetadata(s map[string]any) error {
+func (connection *DbConnection) RestoreMetadata(s map[string]interface{}) error {
 	var err error

 	for bucketName, v := range s {
 		id, ok := v.(float64) // JSON ints are unmarshalled to interface as float64. See: https://pkg.go.dev/encoding/json#Decoder.Decode
 		if !ok {
 			log.Error().Str("bucket", bucketName).Msg("failed to restore metadata to bucket, skipped")
-
 			continue
 		}

--- a/api/database/boltdb/db_test.go
+++ b/api/database/boltdb/db_test.go
@@ -87,7 +87,10 @@ func Test_NeedsEncryptionMigration(t *testing.T) {
 	}

 	for _, tc := range cases {
+		tc := tc
+
 		t.Run(tc.name, func(t *testing.T) {
+
 			connection := DbConnection{Path: dir}

 			if tc.dbname == "both" {
--- a/api/database/boltdb/export.go
+++ b/api/database/boltdb/export.go
@@ -8,8 +8,8 @@ import (
 	bolt "go.etcd.io/bbolt"
 )

-func backupMetadata(connection *bolt.DB) (map[string]any, error) {
-	buckets := map[string]any{}
+func backupMetadata(connection *bolt.DB) (map[string]interface{}, error) {
+	buckets := map[string]interface{}{}

 	err := connection.View(func(tx *bolt.Tx) error {
 		err := tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
@@ -39,7 +39,7 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 	}
 	defer connection.Close()

-	backup := make(map[string]any)
+	backup := make(map[string]interface{})
 	if metadata {
 		meta, err := backupMetadata(connection)
 		if err != nil {
@@ -52,7 +52,7 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 	err = connection.View(func(tx *bolt.Tx) error {
 		err = tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
 			bucketName := string(name)
-			var list []any
+			var list []interface{}
 			version := make(map[string]string)
 			cursor := bucket.Cursor()
 			for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
@@ -60,7 +60,7 @@ func (c *DbConnection) ExportJSON(databasePath string, metadata bool) ([]byte, e
 					continue
 				}

-				var obj any
+				var obj interface{}
 				err := c.UnmarshalObject(v, &obj)
 				if err != nil {
 					log.Error().
--- a/api/database/boltdb/json.go
+++ b/api/database/boltdb/json.go
@@ -5,16 +5,17 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
+	"fmt"
 	"io"

 	"github.com/pkg/errors"
 	"github.com/segmentio/encoding/json"
 )

-var errEncryptedStringTooShort = errors.New("encrypted string too short")
+var errEncryptedStringTooShort = fmt.Errorf("encrypted string too short")

 // MarshalObject encodes an object to binary format
-func (connection *DbConnection) MarshalObject(object any) ([]byte, error) {
+func (connection *DbConnection) MarshalObject(object interface{}) ([]byte, error) {
 	buf := &bytes.Buffer{}

 	// Special case for the VERSION bucket. Here we're not using json
@@ -38,7 +39,7 @@ func (connection *DbConnection) MarshalObject(object any) ([]byte, error) {
 }

 // UnmarshalObject decodes an object from binary data
-func (connection *DbConnection) UnmarshalObject(data []byte, object any) error {
+func (connection *DbConnection) UnmarshalObject(data []byte, object interface{}) error {
 	var err error
 	if connection.getEncryptionKey() != nil {
 		data, err = decrypt(data, connection.getEncryptionKey())
@@ -46,8 +47,8 @@ func (connection *DbConnection) UnmarshalObject(data []byte, object any) error {
 			return errors.Wrap(err, "Failed decrypting object")
 		}
 	}
-
-	if e := json.Unmarshal(data, object); e != nil {
+	e := json.Unmarshal(data, object)
+	if e != nil {
 		// Special case for the VERSION bucket. Here we're not using json
 		// So we need to return it as a string
 		s, ok := object.(*string)
@@ -57,7 +58,6 @@ func (connection *DbConnection) UnmarshalObject(data []byte, object any) error {

 		*s = string(data)
 	}
-
 	return err
 }

@@ -70,20 +70,22 @@ func encrypt(plaintext []byte, passphrase []byte) (encrypted []byte, err error)
 	if err != nil {
 		return encrypted, err
 	}
-
 	nonce := make([]byte, gcm.NonceSize())
-	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
 		return encrypted, err
 	}
-
-	return gcm.Seal(nonce, nonce, plaintext, nil), nil
+	ciphertextByte := gcm.Seal(
+		nonce,
+		nonce,
+		plaintext,
+		nil)
+	return ciphertextByte, nil
 }

 func decrypt(encrypted []byte, passphrase []byte) (plaintextByte []byte, err error) {
 	if string(encrypted) == "false" {
 		return []byte("false"), nil
 	}
-
 	block, err := aes.NewCipher(passphrase)
 	if err != nil {
 		return encrypted, errors.Wrap(err, "Error creating cypher block")
@@ -100,8 +102,11 @@ func decrypt(encrypted []byte, passphrase []byte) (plaintextByte []byte, err err
 	}

 	nonce, ciphertextByteClean := encrypted[:nonceSize], encrypted[nonceSize:]
-
-	plaintextByte, err = gcm.Open(nil, nonce, ciphertextByteClean, nil)
+	plaintextByte, err = gcm.Open(
+		nil,
+		nonce,
+		ciphertextByteClean,
+		nil)
 	if err != nil {
 		return encrypted, errors.Wrap(err, "Error decrypting text")
 	}
--- a/api/database/boltdb/json_test.go
+++ b/api/database/boltdb/json_test.go
@@ -25,7 +25,7 @@ func Test_MarshalObjectUnencrypted(t *testing.T) {
 	uuid := uuid.Must(uuid.NewV4())

 	tests := []struct {
-		object   any
+		object   interface{}
 		expected string
 	}{
 		{
@@ -57,7 +57,7 @@ func Test_MarshalObjectUnencrypted(t *testing.T) {
 			expected: uuid.String(),
 		},
 		{
-			object:   map[string]any{"key": "value"},
+			object:   map[string]interface{}{"key": "value"},
 			expected: `{"key":"value"}`,
 		},
 		{
@@ -73,11 +73,11 @@ func Test_MarshalObjectUnencrypted(t *testing.T) {
 			expected: `["1","2","3"]`,
 		},
 		{
-			object:   []map[string]any{{"key1": "value1"}, {"key2": "value2"}},
+			object:   []map[string]interface{}{{"key1": "value1"}, {"key2": "value2"}},
 			expected: `[{"key1":"value1"},{"key2":"value2"}]`,
 		},
 		{
-			object:   []any{1, "2", false, map[string]any{"key1": "value1"}},
+			object:   []interface{}{1, "2", false, map[string]interface{}{"key1": "value1"}},
 			expected: `[1,"2",false,{"key1":"value1"}]`,
 		},
 	}
--- a/api/database/boltdb/tx.go
+++ b/api/database/boltdb/tx.go
@@ -20,7 +20,7 @@ func (tx *DbTransaction) SetServiceName(bucketName string) error {
 	return err
 }

-func (tx *DbTransaction) GetObject(bucketName string, key []byte, object any) error {
+func (tx *DbTransaction) GetObject(bucketName string, key []byte, object interface{}) error {
 	bucket := tx.tx.Bucket([]byte(bucketName))

 	value := bucket.Get(key)
@@ -31,7 +31,7 @@ func (tx *DbTransaction) GetObject(bucketName string, key []byte, object any) er
 	return tx.conn.UnmarshalObject(value, object)
 }

-func (tx *DbTransaction) UpdateObject(bucketName string, key []byte, object any) error {
+func (tx *DbTransaction) UpdateObject(bucketName string, key []byte, object interface{}) error {
 	data, err := tx.conn.MarshalObject(object)
 	if err != nil {
 		return err
@@ -46,7 +46,7 @@ func (tx *DbTransaction) DeleteObject(bucketName string, key []byte) error {
 	return bucket.Delete(key)
 }

-func (tx *DbTransaction) DeleteAllObjects(bucketName string, obj any, matchingFn func(o any) (id int, ok bool)) error {
+func (tx *DbTransaction) DeleteAllObjects(bucketName string, obj interface{}, matchingFn func(o interface{}) (id int, ok bool)) error {
 	var ids []int

 	bucket := tx.tx.Bucket([]byte(bucketName))
@@ -74,18 +74,16 @@ func (tx *DbTransaction) DeleteAllObjects(bucketName string, obj any, matchingFn

 func (tx *DbTransaction) GetNextIdentifier(bucketName string) int {
 	bucket := tx.tx.Bucket([]byte(bucketName))
-
 	id, err := bucket.NextSequence()
 	if err != nil {
-		log.Error().Err(err).Str("bucket", bucketName).Msg("failed to get the next identifier")
-
+		log.Error().Err(err).Str("bucket", bucketName).Msg("failed to get the next identifer")
 		return 0
 	}

 	return int(id)
 }

-func (tx *DbTransaction) CreateObject(bucketName string, fn func(uint64) (int, any)) error {
+func (tx *DbTransaction) CreateObject(bucketName string, fn func(uint64) (int, interface{})) error {
 	bucket := tx.tx.Bucket([]byte(bucketName))

 	seqId, _ := bucket.NextSequence()
@@ -99,7 +97,7 @@ func (tx *DbTransaction) CreateObject(bucketName string, fn func(uint64) (int, a
 	return bucket.Put(tx.conn.ConvertToKey(id), data)
 }

-func (tx *DbTransaction) CreateObjectWithId(bucketName string, id int, obj any) error {
+func (tx *DbTransaction) CreateObjectWithId(bucketName string, id int, obj interface{}) error {
 	bucket := tx.tx.Bucket([]byte(bucketName))
 	data, err := tx.conn.MarshalObject(obj)
 	if err != nil {
@@ -109,7 +107,7 @@ func (tx *DbTransaction) CreateObjectWithId(bucketName string, id int, obj any)
 	return bucket.Put(tx.conn.ConvertToKey(id), data)
 }

-func (tx *DbTransaction) CreateObjectWithStringId(bucketName string, id []byte, obj any) error {
+func (tx *DbTransaction) CreateObjectWithStringId(bucketName string, id []byte, obj interface{}) error {
 	bucket := tx.tx.Bucket([]byte(bucketName))
 	data, err := tx.conn.MarshalObject(obj)
 	if err != nil {
@@ -119,7 +117,7 @@ func (tx *DbTransaction) CreateObjectWithStringId(bucketName string, id []byte,
 	return bucket.Put(id, data)
 }

-func (tx *DbTransaction) GetAll(bucketName string, obj any, appendFn func(o any) (any, error)) error {
+func (tx *DbTransaction) GetAll(bucketName string, obj interface{}, appendFn func(o interface{}) (interface{}, error)) error {
 	bucket := tx.tx.Bucket([]byte(bucketName))

 	return bucket.ForEach(func(k []byte, v []byte) error {
@@ -132,7 +130,20 @@ func (tx *DbTransaction) GetAll(bucketName string, obj any, appendFn func(o any)
 	})
 }

-func (tx *DbTransaction) GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj any, appendFn func(o any) (any, error)) error {
+func (tx *DbTransaction) GetAllWithJsoniter(bucketName string, obj interface{}, appendFn func(o interface{}) (interface{}, error)) error {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	return bucket.ForEach(func(k []byte, v []byte) error {
+		err := tx.conn.UnmarshalObject(v, obj)
+		if err == nil {
+			obj, err = appendFn(obj)
+		}
+
+		return err
+	})
+}
+
+func (tx *DbTransaction) GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj interface{}, appendFn func(o interface{}) (interface{}, error)) error {
 	cursor := tx.tx.Bucket([]byte(bucketName)).Cursor()

 	for k, v := cursor.Seek(keyPrefix); k != nil && bytes.HasPrefix(k, keyPrefix); k, v = cursor.Next() {
--- a/api/dataservices/apikeyrepository/apikeyrepository.go
+++ b/api/dataservices/apikeyrepository/apikeyrepository.go
@@ -41,7 +41,7 @@ func (service *Service) GetAPIKeysByUserID(userID portainer.UserID) ([]portainer
 	err := service.Connection.GetAll(
 		BucketName,
 		&portainer.APIKey{},
-		func(obj any) (any, error) {
+		func(obj interface{}) (interface{}, error) {
 			record, ok := obj.(*portainer.APIKey)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to APIKey object")
@@ -66,7 +66,7 @@ func (service *Service) GetAPIKeyByDigest(digest string) (*portainer.APIKey, err
 	err := service.Connection.GetAll(
 		BucketName,
 		&portainer.APIKey{},
-		func(obj any) (any, error) {
+		func(obj interface{}) (interface{}, error) {
 			key, ok := obj.(*portainer.APIKey)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to APIKey object")
@@ -95,7 +95,7 @@ func (service *Service) GetAPIKeyByDigest(digest string) (*portainer.APIKey, err
 func (service *Service) Create(record *portainer.APIKey) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			record.ID = portainer.APIKeyID(id)

 			return int(record.ID), record
--- a/api/dataservices/base_tx.go
+++ b/api/dataservices/base_tx.go
@@ -31,7 +31,7 @@ func (service BaseDataServiceTx[T, I]) Read(ID I) (*T, error) {
 func (service BaseDataServiceTx[T, I]) ReadAll() ([]T, error) {
 	var collection = make([]T, 0)

-	return collection, service.Tx.GetAll(
+	return collection, service.Tx.GetAllWithJsoniter(
 		service.Bucket,
 		new(T),
 		AppendFn(&collection),
--- a/api/dataservices/edgegroup/tx.go
+++ b/api/dataservices/edgegroup/tx.go
@@ -19,7 +19,7 @@ func (service ServiceTx) UpdateEdgeGroupFunc(ID portainer.EdgeGroupID, updateFun
 func (service ServiceTx) Create(group *portainer.EdgeGroup) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			group.ID = portainer.EdgeGroupID(id)
 			return int(group.ID), group
 		},
--- a/api/dataservices/edgestack/tx.go
+++ b/api/dataservices/edgestack/tx.go
@@ -24,7 +24,7 @@ func (service ServiceTx) EdgeStacks() ([]portainer.EdgeStack, error) {
 	err := service.tx.GetAll(
 		BucketName,
 		&portainer.EdgeStack{},
-		func(obj any) (any, error) {
+		func(obj interface{}) (interface{}, error) {
 			stack, ok := obj.(*portainer.EdgeStack)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to EdgeStack object")
--- a/api/dataservices/endpoint/endpoint.go
+++ b/api/dataservices/endpoint/endpoint.go
@@ -6,8 +6,6 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-
-	"github.com/rs/zerolog/log"
 )

 // BucketName represents the name of the bucket where this service stores data.
@@ -159,7 +157,6 @@ func (service *Service) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.
 					return true
 				}
 			}
-
 			return false
 		}),
 	)
@@ -169,13 +166,11 @@ func (service *Service) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer.
 func (service *Service) GetNextIdentifier() int {
 	var identifier int

-	if err := service.connection.UpdateTx(func(tx portainer.Transaction) error {
+	service.connection.UpdateTx(func(tx portainer.Transaction) error {
 		identifier = service.Tx(tx).GetNextIdentifier()

 		return nil
-	}); err != nil {
-		log.Error().Err(err).Str("bucket", BucketName).Msg("could not get the next identifier")
-	}
+	})

 	return identifier
 }
--- a/api/dataservices/endpoint/tx.go
+++ b/api/dataservices/endpoint/tx.go
@@ -20,10 +20,10 @@ func (service ServiceTx) BucketName() string {
 // Endpoint returns an environment(endpoint) by ID.
 func (service ServiceTx) Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error) {
 	var endpoint portainer.Endpoint
-
 	identifier := service.service.connection.ConvertToKey(int(ID))

-	if err := service.tx.GetObject(BucketName, identifier, &endpoint); err != nil {
+	err := service.tx.GetObject(BucketName, identifier, &endpoint)
+	if err != nil {
 		return nil, err
 	}

@@ -36,7 +36,8 @@ func (service ServiceTx) Endpoint(ID portainer.EndpointID) (*portainer.Endpoint,
 func (service ServiceTx) UpdateEndpoint(ID portainer.EndpointID, endpoint *portainer.Endpoint) error {
 	identifier := service.service.connection.ConvertToKey(int(ID))

-	if err := service.tx.UpdateObject(BucketName, identifier, endpoint); err != nil {
+	err := service.tx.UpdateObject(BucketName, identifier, endpoint)
+	if err != nil {
 		return err
 	}

@@ -44,7 +45,6 @@ func (service ServiceTx) UpdateEndpoint(ID portainer.EndpointID, endpoint *porta
 	if len(endpoint.EdgeID) > 0 {
 		service.service.idxEdgeID[endpoint.EdgeID] = ID
 	}
-
 	service.service.heartbeats.Store(ID, endpoint.LastCheckInDate)
 	service.service.mu.Unlock()

@@ -57,7 +57,8 @@ func (service ServiceTx) UpdateEndpoint(ID portainer.EndpointID, endpoint *porta
 func (service ServiceTx) DeleteEndpoint(ID portainer.EndpointID) error {
 	identifier := service.service.connection.ConvertToKey(int(ID))

-	if err := service.tx.DeleteObject(BucketName, identifier); err != nil {
+	err := service.tx.DeleteObject(BucketName, identifier)
+	if err != nil {
 		return err
 	}

@@ -69,7 +70,6 @@ func (service ServiceTx) DeleteEndpoint(ID portainer.EndpointID) error {
 			break
 		}
 	}
-
 	service.service.heartbeats.Delete(ID)
 	service.service.mu.Unlock()

@@ -82,7 +82,7 @@ func (service ServiceTx) DeleteEndpoint(ID portainer.EndpointID) error {
 func (service ServiceTx) Endpoints() ([]portainer.Endpoint, error) {
 	var endpoints = make([]portainer.Endpoint, 0)

-	return endpoints, service.tx.GetAll(
+	return endpoints, service.tx.GetAllWithJsoniter(
 		BucketName,
 		&portainer.Endpoint{},
 		dataservices.AppendFn(&endpoints),
@@ -107,7 +107,8 @@ func (service ServiceTx) UpdateHeartbeat(endpointID portainer.EndpointID) {

 // CreateEndpoint assign an ID to a new environment(endpoint) and saves it.
 func (service ServiceTx) Create(endpoint *portainer.Endpoint) error {
-	if err := service.tx.CreateObjectWithId(BucketName, int(endpoint.ID), endpoint); err != nil {
+	err := service.tx.CreateObjectWithId(BucketName, int(endpoint.ID), endpoint)
+	if err != nil {
 		return err
 	}

@@ -115,7 +116,6 @@ func (service ServiceTx) Create(endpoint *portainer.Endpoint) error {
 	if len(endpoint.EdgeID) > 0 {
 		service.service.idxEdgeID[endpoint.EdgeID] = endpoint.ID
 	}
-
 	service.service.heartbeats.Store(endpoint.ID, endpoint.LastCheckInDate)
 	service.service.mu.Unlock()

@@ -134,7 +134,6 @@ func (service ServiceTx) EndpointsByTeamID(teamID portainer.TeamID) ([]portainer
 					return true
 				}
 			}
-
 			return false
 		}),
 	)
--- a/api/dataservices/endpointgroup/endpointgroup.go
+++ b/api/dataservices/endpointgroup/endpointgroup.go
@@ -41,7 +41,7 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(endpointGroup *portainer.EndpointGroup) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			endpointGroup.ID = portainer.EndpointGroupID(id)
 			return int(endpointGroup.ID), endpointGroup
 		},
--- a/api/dataservices/endpointgroup/tx.go
+++ b/api/dataservices/endpointgroup/tx.go
@@ -13,7 +13,7 @@ type ServiceTx struct {
 func (service ServiceTx) Create(endpointGroup *portainer.EndpointGroup) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			endpointGroup.ID = portainer.EndpointGroupID(id)
 			return int(endpointGroup.ID), endpointGroup
 		},
--- a/api/dataservices/endpointrelation/endpointrelation.go
+++ b/api/dataservices/endpointrelation/endpointrelation.go
@@ -32,7 +32,8 @@ func (service *Service) RegisterUpdateStackFunction(

 // NewService creates a new instance of a service.
 func NewService(connection portainer.Connection) (*Service, error) {
-	if err := connection.SetServiceName(BucketName); err != nil {
+	err := connection.SetServiceName(BucketName)
+	if err != nil {
 		return nil, err
 	}

@@ -64,7 +65,8 @@ func (service *Service) EndpointRelation(endpointID portainer.EndpointID) (*port
 	var endpointRelation portainer.EndpointRelation
 	identifier := service.connection.ConvertToKey(int(endpointID))

-	if err := service.connection.GetObject(BucketName, identifier, &endpointRelation); err != nil {
+	err := service.connection.GetObject(BucketName, identifier, &endpointRelation)
+	if err != nil {
 		return nil, err
 	}

@@ -159,24 +161,19 @@ func (service *Service) updateEdgeStacksAfterRelationChange(previousRelationStat
 	// list how many time this stack is referenced in all relations
 	// in order to update the stack deployments count
 	for refStackId, refStackEnabled := range stacksToUpdate {
-		if !refStackEnabled {
-			continue
-		}
-
-		numDeployments := 0
-
-		for _, r := range relations {
-			for sId, enabled := range r.EdgeStacks {
-				if enabled && sId == refStackId {
-					numDeployments += 1
+		if refStackEnabled {
+			numDeployments := 0
+			for _, r := range relations {
+				for sId, enabled := range r.EdgeStacks {
+					if enabled && sId == refStackId {
+						numDeployments += 1
+					}
 				}
 			}
-		}

-		if err := service.updateStackFn(refStackId, func(edgeStack *portainer.EdgeStack) {
-			edgeStack.NumDeployments = numDeployments
-		}); err != nil {
-			log.Error().Err(err).Msg("could not update the number of deployments")
+			service.updateStackFn(refStackId, func(edgeStack *portainer.EdgeStack) {
+				edgeStack.NumDeployments = numDeployments
+			})
 		}
 	}
 }
--- a/api/dataservices/endpointrelation/tx.go
+++ b/api/dataservices/endpointrelation/tx.go
@@ -33,7 +33,8 @@ func (service ServiceTx) EndpointRelation(endpointID portainer.EndpointID) (*por
 	var endpointRelation portainer.EndpointRelation
 	identifier := service.service.connection.ConvertToKey(int(endpointID))

-	if err := service.tx.GetObject(BucketName, identifier, &endpointRelation); err != nil {
+	err := service.tx.GetObject(BucketName, identifier, &endpointRelation)
+	if err != nil {
 		return nil, err
 	}

@@ -128,23 +129,19 @@ func (service ServiceTx) updateEdgeStacksAfterRelationChange(previousRelationSta
 	// list how many time this stack is referenced in all relations
 	// in order to update the stack deployments count
 	for refStackId, refStackEnabled := range stacksToUpdate {
-		if !refStackEnabled {
-			continue
-		}
-
-		numDeployments := 0
-		for _, r := range relations {
-			for sId, enabled := range r.EdgeStacks {
-				if enabled && sId == refStackId {
-					numDeployments += 1
+		if refStackEnabled {
+			numDeployments := 0
+			for _, r := range relations {
+				for sId, enabled := range r.EdgeStacks {
+					if enabled && sId == refStackId {
+						numDeployments += 1
+					}
 				}
 			}
-		}

-		if err := service.service.updateStackFnTx(service.tx, refStackId, func(edgeStack *portainer.EdgeStack) {
-			edgeStack.NumDeployments = numDeployments
-		}); err != nil {
-			log.Error().Err(err).Msg("could not update the number of deployments")
+			service.service.updateStackFnTx(service.tx, refStackId, func(edgeStack *portainer.EdgeStack) {
+				edgeStack.NumDeployments = numDeployments
+			})
 		}
 	}
 }
--- a/api/dataservices/fdoprofile/fdoprofile.go
+++ b/api/dataservices/fdoprofile/fdoprofile.go
@@ -0,0 +1,43 @@
+package fdoprofile
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+// BucketName represents the name of the bucket where this service stores data.
+const BucketName = "fdo_profiles"
+
+// Service represents a service for managingFDO Profiles data.
+type Service struct {
+	dataservices.BaseDataService[portainer.FDOProfile, portainer.FDOProfileID]
+}
+
+// NewService creates a new instance of a service.
+func NewService(connection portainer.Connection) (*Service, error) {
+	err := connection.SetServiceName(BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		BaseDataService: dataservices.BaseDataService[portainer.FDOProfile, portainer.FDOProfileID]{
+			Bucket:     BucketName,
+			Connection: connection,
+		},
+	}, nil
+}
+
+// Create assign an ID to a new FDO Profile and saves it.
+func (service *Service) Create(FDOProfile *portainer.FDOProfile) error {
+	return service.Connection.CreateObjectWithId(
+		BucketName,
+		int(FDOProfile.ID),
+		FDOProfile,
+	)
+}
+
+// GetNextIdentifier returns the next identifier for a FDO Profile.
+func (service *Service) GetNextIdentifier() int {
+	return service.Connection.GetNextIdentifier(BucketName)
+}
--- a/api/dataservices/helmuserrepository/helmuserrepository.go
+++ b/api/dataservices/helmuserrepository/helmuserrepository.go
@@ -45,7 +45,7 @@ func (service *Service) HelmUserRepositoryByUserID(userID portainer.UserID) ([]p
 func (service *Service) Create(record *portainer.HelmUserRepository) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			record.ID = portainer.HelmUserRepositoryID(id)
 			return int(record.ID), record
 		},
--- a/api/dataservices/helpers.go
+++ b/api/dataservices/helpers.go
@@ -17,8 +17,8 @@ func IsErrObjectNotFound(e error) bool {
 }

 // AppendFn appends elements to the given collection slice
-func AppendFn[T any](collection *[]T) func(obj any) (any, error) {
-	return func(obj any) (any, error) {
+func AppendFn[T any](collection *[]T) func(obj interface{}) (interface{}, error) {
+	return func(obj interface{}) (interface{}, error) {
 		element, ok := obj.(*T)
 		if !ok {
 			log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("type assertion failed")
@@ -32,8 +32,8 @@ func AppendFn[T any](collection *[]T) func(obj any) (any, error) {
 }

 // FilterFn appends elements to the given collection when the predicate is true
-func FilterFn[T any](collection *[]T, predicate func(T) bool) func(obj any) (any, error) {
-	return func(obj any) (any, error) {
+func FilterFn[T any](collection *[]T, predicate func(T) bool) func(obj interface{}) (interface{}, error) {
+	return func(obj interface{}) (interface{}, error) {
 		element, ok := obj.(*T)
 		if !ok {
 			log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("type assertion failed")
@@ -50,8 +50,8 @@ func FilterFn[T any](collection *[]T, predicate func(T) bool) func(obj any) (any

 // FirstFn sets the element to the first one that satisfies the predicate and stops the computation, returns ErrStop on
 // success
-func FirstFn[T any](element *T, predicate func(T) bool) func(obj any) (any, error) {
-	return func(obj any) (any, error) {
+func FirstFn[T any](element *T, predicate func(T) bool) func(obj interface{}) (interface{}, error) {
+	return func(obj interface{}) (interface{}, error) {
 		e, ok := obj.(*T)
 		if !ok {
 			log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("type assertion failed")
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -15,6 +15,7 @@ type (
 		Endpoint() EndpointService
 		EndpointGroup() EndpointGroupService
 		EndpointRelation() EndpointRelationService
+		FDOProfile() FDOProfileService
 		HelmUserRepository() HelmUserRepositoryService
 		Registry() RegistryService
 		ResourceControl() ResourceControlService
@@ -71,7 +72,7 @@ type (
 	}

 	PendingActionsService interface {
-		BaseCRUD[portainer.PendingAction, portainer.PendingActionID]
+		BaseCRUD[portainer.PendingActions, portainer.PendingActionsID]
 		GetNextIdentifier() int
 		DeleteByEndpointID(ID portainer.EndpointID) error
 	}
@@ -119,6 +120,12 @@ type (
 		BucketName() string
 	}

+	// FDOProfileService represents a service to manage FDO Profiles
+	FDOProfileService interface {
+		BaseCRUD[portainer.FDOProfile, portainer.FDOProfileID]
+		GetNextIdentifier() int
+	}
+
 	// HelmUserRepositoryService represents a service to manage HelmUserRepositories
 	HelmUserRepositoryService interface {
 		BaseCRUD[portainer.HelmUserRepository, portainer.HelmUserRepositoryID]
--- a/api/dataservices/pendingactions/pendingactions.go
+++ b/api/dataservices/pendingactions/pendingactions.go
@@ -14,11 +14,11 @@ const (
 )

 type Service struct {
-	dataservices.BaseDataService[portainer.PendingAction, portainer.PendingActionID]
+	dataservices.BaseDataService[portainer.PendingActions, portainer.PendingActionsID]
 }

 type ServiceTx struct {
-	dataservices.BaseDataServiceTx[portainer.PendingAction, portainer.PendingActionID]
+	dataservices.BaseDataServiceTx[portainer.PendingActions, portainer.PendingActionsID]
 }

 func NewService(connection portainer.Connection) (*Service, error) {
@@ -28,20 +28,20 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}

 	return &Service{
-		BaseDataService: dataservices.BaseDataService[portainer.PendingAction, portainer.PendingActionID]{
+		BaseDataService: dataservices.BaseDataService[portainer.PendingActions, portainer.PendingActionsID]{
 			Bucket:     BucketName,
 			Connection: connection,
 		},
 	}, nil
 }

-func (s Service) Create(config *portainer.PendingAction) error {
+func (s Service) Create(config *portainer.PendingActions) error {
 	return s.Connection.UpdateTx(func(tx portainer.Transaction) error {
 		return s.Tx(tx).Create(config)
 	})
 }

-func (s Service) Update(ID portainer.PendingActionID, config *portainer.PendingAction) error {
+func (s Service) Update(ID portainer.PendingActionsID, config *portainer.PendingActions) error {
 	return s.Connection.UpdateTx(func(tx portainer.Transaction) error {
 		return s.Tx(tx).Update(ID, config)
 	})
@@ -55,7 +55,7 @@ func (s Service) DeleteByEndpointID(ID portainer.EndpointID) error {

 func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 	return ServiceTx{
-		BaseDataServiceTx: dataservices.BaseDataServiceTx[portainer.PendingAction, portainer.PendingActionID]{
+		BaseDataServiceTx: dataservices.BaseDataServiceTx[portainer.PendingActions, portainer.PendingActionsID]{
 			Bucket:     BucketName,
 			Connection: service.Connection,
 			Tx:         tx,
@@ -63,16 +63,16 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 	}
 }

-func (s ServiceTx) Create(config *portainer.PendingAction) error {
-	return s.Tx.CreateObject(BucketName, func(id uint64) (int, any) {
-		config.ID = portainer.PendingActionID(id)
+func (s ServiceTx) Create(config *portainer.PendingActions) error {
+	return s.Tx.CreateObject(BucketName, func(id uint64) (int, interface{}) {
+		config.ID = portainer.PendingActionsID(id)
 		config.CreatedAt = time.Now().Unix()

 		return int(config.ID), config
 	})
 }

-func (s ServiceTx) Update(ID portainer.PendingActionID, config *portainer.PendingAction) error {
+func (s ServiceTx) Update(ID portainer.PendingActionsID, config *portainer.PendingActions) error {
 	return s.BaseDataServiceTx.Update(ID, config)
 }

--- a/api/dataservices/registry/registry.go
+++ b/api/dataservices/registry/registry.go
@@ -42,7 +42,7 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(registry *portainer.Registry) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			registry.ID = portainer.RegistryID(id)
 			return int(registry.ID), registry
 		},
--- a/api/dataservices/registry/tx.go
+++ b/api/dataservices/registry/tx.go
@@ -13,7 +13,7 @@ type ServiceTx struct {
 func (service ServiceTx) Create(registry *portainer.Registry) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			registry.ID = portainer.RegistryID(id)
 			return int(registry.ID), registry
 		},
--- a/api/dataservices/resourcecontrol/resourcecontrol.go
+++ b/api/dataservices/resourcecontrol/resourcecontrol.go
@@ -52,7 +52,7 @@ func (service *Service) ResourceControlByResourceIDAndType(resourceID string, re
 	err := service.Connection.GetAll(
 		BucketName,
 		&portainer.ResourceControl{},
-		func(obj any) (any, error) {
+		func(obj interface{}) (interface{}, error) {
 			rc, ok := obj.(*portainer.ResourceControl)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to ResourceControl object")
@@ -84,7 +84,7 @@ func (service *Service) ResourceControlByResourceIDAndType(resourceID string, re
 func (service *Service) Create(resourceControl *portainer.ResourceControl) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			resourceControl.ID = portainer.ResourceControlID(id)
 			return int(resourceControl.ID), resourceControl
 		},
--- a/api/dataservices/resourcecontrol/tx.go
+++ b/api/dataservices/resourcecontrol/tx.go
@@ -23,7 +23,7 @@ func (service ServiceTx) ResourceControlByResourceIDAndType(resourceID string, r
 	err := service.Tx.GetAll(
 		BucketName,
 		&portainer.ResourceControl{},
-		func(obj any) (any, error) {
+		func(obj interface{}) (interface{}, error) {
 			rc, ok := obj.(*portainer.ResourceControl)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to ResourceControl object")
@@ -55,7 +55,7 @@ func (service ServiceTx) ResourceControlByResourceIDAndType(resourceID string, r
 func (service ServiceTx) Create(resourceControl *portainer.ResourceControl) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			resourceControl.ID = portainer.ResourceControlID(id)
 			return int(resourceControl.ID), resourceControl
 		},
--- a/api/dataservices/role/role.go
+++ b/api/dataservices/role/role.go
@@ -42,7 +42,7 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(role *portainer.Role) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			role.ID = portainer.RoleID(id)
 			return int(role.ID), role
 		},
--- a/api/dataservices/role/tx.go
+++ b/api/dataservices/role/tx.go
@@ -13,7 +13,7 @@ type ServiceTx struct {
 func (service ServiceTx) Create(role *portainer.Role) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			role.ID = portainer.RoleID(id)
 			return int(role.ID), role
 		},
--- a/api/dataservices/stack/tests/stack_test.go
+++ b/api/dataservices/stack/tests/stack_test.go
@@ -33,7 +33,7 @@ func TestService_StackByWebhookID(t *testing.T) {

 	b := stackBuilder{t: t, store: store}
 	b.createNewStack(newGuidString(t))
-	for range 10 {
+	for i := 0; i < 10; i++ {
 		b.createNewStack("")
 	}
 	webhookID := newGuidString(t)
--- a/api/dataservices/tag/tag.go
+++ b/api/dataservices/tag/tag.go
@@ -42,7 +42,7 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(tag *portainer.Tag) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			tag.ID = portainer.TagID(id)
 			return int(tag.ID), tag
 		},
--- a/api/dataservices/tag/tx.go
+++ b/api/dataservices/tag/tx.go
@@ -15,7 +15,7 @@ type ServiceTx struct {
 func (service ServiceTx) Create(tag *portainer.Tag) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			tag.ID = portainer.TagID(id)
 			return int(tag.ID), tag
 		},
--- a/api/dataservices/team/team.go
+++ b/api/dataservices/team/team.go
@@ -68,7 +68,7 @@ func (service *Service) TeamByName(name string) (*portainer.Team, error) {
 func (service *Service) Create(team *portainer.Team) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			team.ID = portainer.TeamID(id)
 			return int(team.ID), team
 		},
--- a/api/dataservices/teammembership/teammembership.go
+++ b/api/dataservices/teammembership/teammembership.go
@@ -72,7 +72,7 @@ func (service *Service) TeamMembershipsByTeamID(teamID portainer.TeamID) ([]port
 func (service *Service) Create(membership *portainer.TeamMembership) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			membership.ID = portainer.TeamMembershipID(id)
 			return int(membership.ID), membership
 		},
@@ -84,8 +84,8 @@ func (service *Service) DeleteTeamMembershipByUserID(userID portainer.UserID) er
 	return service.Connection.DeleteAllObjects(
 		BucketName,
 		&portainer.TeamMembership{},
-		func(obj any) (id int, ok bool) {
-			membership, ok := obj.(*portainer.TeamMembership)
+		func(obj interface{}) (id int, ok bool) {
+			membership, ok := obj.(portainer.TeamMembership)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to TeamMembership object")
 				//return fmt.Errorf("Failed to convert to TeamMembership object: %s", obj)
@@ -105,8 +105,8 @@ func (service *Service) DeleteTeamMembershipByTeamID(teamID portainer.TeamID) er
 	return service.Connection.DeleteAllObjects(
 		BucketName,
 		&portainer.TeamMembership{},
-		func(obj any) (id int, ok bool) {
-			membership, ok := obj.(*portainer.TeamMembership)
+		func(obj interface{}) (id int, ok bool) {
+			membership, ok := obj.(portainer.TeamMembership)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to TeamMembership object")
 				//return fmt.Errorf("Failed to convert to TeamMembership object: %s", obj)
@@ -125,8 +125,8 @@ func (service *Service) DeleteTeamMembershipByTeamIDAndUserID(teamID portainer.T
 	return service.Connection.DeleteAllObjects(
 		BucketName,
 		&portainer.TeamMembership{},
-		func(obj any) (id int, ok bool) {
-			membership, ok := obj.(*portainer.TeamMembership)
+		func(obj interface{}) (id int, ok bool) {
+			membership, ok := obj.(portainer.TeamMembership)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to TeamMembership object")
 				//return fmt.Errorf("Failed to convert to TeamMembership object: %s", obj)
--- a/api/dataservices/teammembership/tx.go
+++ b/api/dataservices/teammembership/tx.go
@@ -43,7 +43,7 @@ func (service ServiceTx) TeamMembershipsByTeamID(teamID portainer.TeamID) ([]por
 func (service ServiceTx) Create(membership *portainer.TeamMembership) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			membership.ID = portainer.TeamMembershipID(id)
 			return int(membership.ID), membership
 		},
@@ -55,7 +55,7 @@ func (service ServiceTx) DeleteTeamMembershipByUserID(userID portainer.UserID) e
 	return service.Tx.DeleteAllObjects(
 		BucketName,
 		&portainer.TeamMembership{},
-		func(obj any) (id int, ok bool) {
+		func(obj interface{}) (id int, ok bool) {
 			membership, ok := obj.(portainer.TeamMembership)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to TeamMembership object")
@@ -76,7 +76,7 @@ func (service ServiceTx) DeleteTeamMembershipByTeamID(teamID portainer.TeamID) e
 	return service.Tx.DeleteAllObjects(
 		BucketName,
 		&portainer.TeamMembership{},
-		func(obj any) (id int, ok bool) {
+		func(obj interface{}) (id int, ok bool) {
 			membership, ok := obj.(portainer.TeamMembership)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to TeamMembership object")
@@ -96,7 +96,7 @@ func (service ServiceTx) DeleteTeamMembershipByTeamIDAndUserID(teamID portainer.
 	return service.Tx.DeleteAllObjects(
 		BucketName,
 		&portainer.TeamMembership{},
-		func(obj any) (id int, ok bool) {
+		func(obj interface{}) (id int, ok bool) {
 			membership, ok := obj.(portainer.TeamMembership)
 			if !ok {
 				log.Debug().Str("obj", fmt.Sprintf("%#v", obj)).Msg("failed to convert to TeamMembership object")
--- a/api/dataservices/user/tx.go
+++ b/api/dataservices/user/tx.go
@@ -53,7 +53,7 @@ func (service ServiceTx) UsersByRole(role portainer.UserRole) ([]portainer.User,
 func (service ServiceTx) Create(user *portainer.User) error {
 	return service.Tx.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			user.ID = portainer.UserID(id)
 			user.Username = strings.ToLower(user.Username)

--- a/api/dataservices/user/user.go
+++ b/api/dataservices/user/user.go
@@ -82,7 +82,7 @@ func (service *Service) UsersByRole(role portainer.UserRole) ([]portainer.User,
 func (service *Service) Create(user *portainer.User) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			user.ID = portainer.UserID(id)
 			user.Username = strings.ToLower(user.Username)

--- a/api/dataservices/webhook/webhook.go
+++ b/api/dataservices/webhook/webhook.go
@@ -81,7 +81,7 @@ func (service *Service) WebhookByToken(token string) (*portainer.Webhook, error)
 func (service *Service) Create(webhook *portainer.Webhook) error {
 	return service.Connection.CreateObject(
 		BucketName,
-		func(id uint64) (int, any) {
+		func(id uint64) (int, interface{}) {
 			webhook.ID = portainer.WebhookID(id)
 			return int(webhook.ID), webhook
 		},
--- a/api/datastore/migrate_data_test.go
+++ b/api/datastore/migrate_data_test.go
@@ -321,7 +321,7 @@ func migrateDBTestHelper(t *testing.T, srcPath, wantPath string, overrideInstanc
 // importJSON reads input JSON and commits it to a portainer datastore.Store.
 // Errors are logged with the testing package.
 func importJSON(t *testing.T, r io.Reader, store *Store) error {
-	objects := make(map[string]any)
+	objects := make(map[string]interface{})

 	// Parse json into map of objects.
 	d := json.NewDecoder(r)
@@ -337,9 +337,9 @@ func importJSON(t *testing.T, r io.Reader, store *Store) error {
 	for k, v := range objects {
 		switch k {
 		case "version":
-			versions, ok := v.(map[string]any)
+			versions, ok := v.(map[string]interface{})
 			if !ok {
-				t.Logf("failed casting %s to map[string]any", k)
+				t.Logf("failed casting %s to map[string]interface{}", k)
 			}

 			// New format db
@@ -404,9 +404,9 @@ func importJSON(t *testing.T, r io.Reader, store *Store) error {
 			}

 		case "dockerhub":
-			obj, ok := v.([]any)
+			obj, ok := v.([]interface{})
 			if !ok {
-				t.Logf("failed to cast %s to []any", k)
+				t.Logf("failed to cast %s to []interface{}", k)
 			}
 			err := con.CreateObjectWithStringId(
 				k,
@@ -418,9 +418,9 @@ func importJSON(t *testing.T, r io.Reader, store *Store) error {
 			}

 		case "ssl":
-			obj, ok := v.(map[string]any)
+			obj, ok := v.(map[string]interface{})
 			if !ok {
-				t.Logf("failed to case %s to map[string]any", k)
+				t.Logf("failed to case %s to map[string]interface{}", k)
 			}
 			err := con.CreateObjectWithStringId(
 				k,
@@ -432,9 +432,9 @@ func importJSON(t *testing.T, r io.Reader, store *Store) error {
 			}

 		case "settings":
-			obj, ok := v.(map[string]any)
+			obj, ok := v.(map[string]interface{})
 			if !ok {
-				t.Logf("failed to case %s to map[string]any", k)
+				t.Logf("failed to case %s to map[string]interface{}", k)
 			}
 			err := con.CreateObjectWithStringId(
 				k,
@@ -446,9 +446,9 @@ func importJSON(t *testing.T, r io.Reader, store *Store) error {
 			}

 		case "tunnel_server":
-			obj, ok := v.(map[string]any)
+			obj, ok := v.(map[string]interface{})
 			if !ok {
-				t.Logf("failed to case %s to map[string]any", k)
+				t.Logf("failed to case %s to map[string]interface{}", k)
 			}
 			err := con.CreateObjectWithStringId(
 				k,
@@ -462,18 +462,18 @@ func importJSON(t *testing.T, r io.Reader, store *Store) error {
 			continue

 		default:
-			objlist, ok := v.([]any)
+			objlist, ok := v.([]interface{})
 			if !ok {
-				t.Logf("failed to cast %s to []any", k)
+				t.Logf("failed to cast %s to []interface{}", k)
 			}

 			for _, obj := range objlist {
-				value, ok := obj.(map[string]any)
+				value, ok := obj.(map[string]interface{})
 				if !ok {
-					t.Logf("failed to cast %v to map[string]any", obj)
+					t.Logf("failed to cast %v to map[string]interface{}", obj)
 				} else {
 					var ok bool
-					var id any
+					var id interface{}
 					switch k {
 					case "endpoint_relations":
 						// TODO: need to make into an int, then do that weird
--- a/api/datastore/migrate_dbversion29_test.go
+++ b/api/datastore/migrate_dbversion29_test.go
@@ -12,13 +12,13 @@ const dummyLogoURL = "example.com"

 // initTestingDBConn creates a settings service with raw database DB connection
 // for unit testing usage only since using NewStore will cause cycle import inside migrator pkg
-func initTestingSettingsService(dbConn portainer.Connection, preSetObj map[string]any) error {
+func initTestingSettingsService(dbConn portainer.Connection, preSetObj map[string]interface{}) error {
 	//insert a obj
 	return dbConn.UpdateObject("settings", []byte("SETTINGS"), preSetObj)
 }

 func setup(store *Store) error {
-	dummySettingsObj := map[string]any{
+	dummySettingsObj := map[string]interface{}{
 		"LogoURL": dummyLogoURL,
 	}

--- a/api/datastore/migrate_legacyversion.go
+++ b/api/datastore/migrate_legacyversion.go
@@ -99,7 +99,7 @@ func (store *Store) getOrMigrateLegacyVersion() (*models.Version, error) {
 	return &models.Version{
 		SchemaVersion: dbVersionToSemanticVersion(dbVersion),
 		Edition:       edition,
-		InstanceID:    instanceId,
+		InstanceID:    string(instanceId),
 	}, nil
 }

@@ -111,6 +111,5 @@ func (store *Store) finishMigrateLegacyVersion(versionToWrite *models.Version) e
 	store.connection.DeleteObject(bucketName, []byte(legacyDBVersionKey))
 	store.connection.DeleteObject(bucketName, []byte(legacyEditionKey))
 	store.connection.DeleteObject(bucketName, []byte(legacyInstanceKey))
-
 	return err
 }
--- a/api/datastore/migrator/migrate_ce.go
+++ b/api/datastore/migrator/migrate_ce.go
@@ -15,7 +15,7 @@ func migrationError(err error, context string) error {
 	return errors.Wrap(err, "failed in "+context)
 }

-func GetFunctionName(i any) string {
+func GetFunctionName(i interface{}) string {
 	return runtime.FuncForPC(reflect.ValueOf(i).Pointer()).Name()
 }

@@ -39,19 +39,20 @@ func (m *Migrator) Migrate() error {
 		latestMigrations := m.LatestMigrations()
 		if latestMigrations.Version.Equal(schemaVersion) &&
 			version.MigratorCount != len(latestMigrations.MigrationFuncs) {
-			if err := runMigrations(latestMigrations.MigrationFuncs); err != nil {
+			err := runMigrations(latestMigrations.MigrationFuncs)
+			if err != nil {
 				return err
 			}
-
 			newMigratorCount = len(latestMigrations.MigrationFuncs)
 		}
 	} else {
 		// regular path when major/minor/patch versions differ
 		for _, migration := range m.migrations {
 			if schemaVersion.LessThan(migration.Version) {
-				log.Info().Msgf("migrating data to %s", migration.Version.String())

-				if err := runMigrations(migration.MigrationFuncs); err != nil {
+				log.Info().Msgf("migrating data to %s", migration.Version.String())
+				err := runMigrations(migration.MigrationFuncs)
+				if err != nil {
 					return err
 				}
 			}
@@ -62,14 +63,16 @@ func (m *Migrator) Migrate() error {
 		}
 	}

-	if err := m.Always(); err != nil {
+	err = m.Always()
+	if err != nil {
 		return migrationError(err, "Always migrations returned error")
 	}

 	version.SchemaVersion = portainer.APIVersion
 	version.MigratorCount = newMigratorCount

-	if err := m.versionService.UpdateVersion(version); err != nil {
+	err = m.versionService.UpdateVersion(version)
+	if err != nil {
 		return migrationError(err, "StoreDBVersion")
 	}

@@ -96,7 +99,6 @@ func (m *Migrator) NeedsMigration() bool {
 	// In this particular instance we should log a fatal error
 	if m.CurrentDBEdition() != portainer.PortainerCE {
 		log.Fatal().Msg("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
-
 		return false
 	}

--- a/api/datastore/migrator/migrate_dbversion100.go
+++ b/api/datastore/migrator/migrate_dbversion100.go
@@ -7,7 +7,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/chisel/crypto"
 	"github.com/portainer/portainer/api/dataservices"
-
 	"github.com/rs/zerolog/log"
 )

@@ -38,11 +37,9 @@ func (m *Migrator) convertSeedToPrivateKeyForDB100() error {
 			log.Info().Msg("ServerInfo object not found")
 			return nil
 		}
-
 		log.Error().
 			Err(err).
 			Msg("Failed to read ServerInfo from DB")
-
 		return err
 	}

@@ -52,15 +49,14 @@ func (m *Migrator) convertSeedToPrivateKeyForDB100() error {
 			log.Error().
 				Err(err).
 				Msg("Failed to read ServerInfo from DB")
-
 			return err
 		}

-		if err := m.fileService.StoreChiselPrivateKey(key); err != nil {
+		err = m.fileService.StoreChiselPrivateKey(key)
+		if err != nil {
 			log.Error().
 				Err(err).
 				Msg("Failed to save Chisel private key to disk")
-
 			return err
 		}
 	} else {
@@ -68,14 +64,14 @@ func (m *Migrator) convertSeedToPrivateKeyForDB100() error {
 	}

 	serverInfo.PrivateKeySeed = ""
-	if err := m.TunnelServerService.UpdateInfo(serverInfo); err != nil {
+	err = m.TunnelServerService.UpdateInfo(serverInfo)
+	if err != nil {
 		log.Error().
 			Err(err).
 			Msg("Failed to clean private key seed in DB")
 	} else {
 		log.Info().Msg("Success to migrate private key seed to private key file")
 	}
-
 	return err
 }

@@ -88,8 +84,9 @@ func (m *Migrator) updateEdgeStackStatusForDB100() error {
 	}

 	for _, edgeStack := range edgeStacks {
+
 		for environmentID, environmentStatus := range edgeStack.Status {
-			// Skip if status is already updated
+			// skip if status is already updated
 			if len(environmentStatus.Status) > 0 {
 				continue
 			}
@@ -149,7 +146,8 @@ func (m *Migrator) updateEdgeStackStatusForDB100() error {
 			edgeStack.Status[environmentID] = environmentStatus
 		}

-		if err := m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack); err != nil {
+		err = m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack)
+		if err != nil {
 			return err
 		}
 	}
--- a/api/datastore/migrator/migrate_dbversion130.go
+++ b/api/datastore/migrator/migrate_dbversion130.go
@@ -1,33 +0,0 @@
-package migrator
-
-import (
-	"github.com/segmentio/encoding/json"
-
-	"github.com/rs/zerolog/log"
-)
-
-func (migrator *Migrator) migratePendingActionsDataForDB130() error {
-	log.Info().Msg("Migrating pending actions data")
-
-	pendingActions, err := migrator.pendingActionsService.ReadAll()
-	if err != nil {
-		return err
-	}
-
-	for _, pa := range pendingActions {
-		actionData, err := json.Marshal(pa.ActionData)
-		if err != nil {
-			return err
-		}
-
-		pa.ActionData = string(actionData)
-
-		// Update the pending action
-		err = migrator.pendingActionsService.Update(pa.ID, &pa)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
--- a/api/datastore/migrator/migrate_dbversion23.go
+++ b/api/datastore/migrator/migrate_dbversion23.go
@@ -32,8 +32,8 @@ func (m *Migrator) updateStacksToDB24() error {
 	for idx := range stacks {
 		stack := &stacks[idx]
 		stack.Status = portainer.StackStatusActive
-
-		if err := m.stackService.Update(stack.ID, stack); err != nil {
+		err := m.stackService.Update(stack.ID, stack)
+		if err != nil {
 			return err
 		}
 	}
--- a/api/datastore/migrator/migrate_dbversion31.go
+++ b/api/datastore/migrator/migrate_dbversion31.go
@@ -123,7 +123,7 @@ func (m *Migrator) updateDockerhubToDB32() error {
 				migrated = true
 			} else {
 				// delete subsequent duplicates
-				m.registryService.Delete(r.ID)
+				m.registryService.Delete(portainer.RegistryID(r.ID))
 			}
 		}
 	}
--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -13,6 +13,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/endpointgroup"
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
 	"github.com/portainer/portainer/api/dataservices/extension"
+	"github.com/portainer/portainer/api/dataservices/fdoprofile"
 	"github.com/portainer/portainer/api/dataservices/pendingactions"
 	"github.com/portainer/portainer/api/dataservices/registry"
 	"github.com/portainer/portainer/api/dataservices/resourcecontrol"
@@ -40,6 +41,7 @@ type (
 		endpointService         *endpoint.Service
 		endpointRelationService *endpointrelation.Service
 		extensionService        *extension.Service
+		fdoProfilesService      *fdoprofile.Service
 		registryService         *registry.Service
 		resourceControlService  *resourcecontrol.Service
 		roleService             *role.Service
@@ -67,6 +69,7 @@ type (
 		EndpointService         *endpoint.Service
 		EndpointRelationService *endpointrelation.Service
 		ExtensionService        *extension.Service
+		FDOProfilesService      *fdoprofile.Service
 		RegistryService         *registry.Service
 		ResourceControlService  *resourcecontrol.Service
 		RoleService             *role.Service
@@ -96,6 +99,7 @@ func NewMigrator(parameters *MigratorParameters) *Migrator {
 		endpointService:         parameters.EndpointService,
 		endpointRelationService: parameters.EndpointRelationService,
 		extensionService:        parameters.ExtensionService,
+		fdoProfilesService:      parameters.FDOProfilesService,
 		registryService:         parameters.RegistryService,
 		resourceControlService:  parameters.ResourceControlService,
 		roleService:             parameters.RoleService,
@@ -235,11 +239,8 @@ func (m *Migrator) initMigrations() {
 	m.addMigrations("2.20.2",
 		m.cleanPendingActionsForDeletedEndpointsForDB111,
 	)
-	m.addMigrations("2.22.0",
-		m.migratePendingActionsDataForDB130,
-	)

-	// Add new migrations above...
+	// Add new migrations below...
 	// One function per migration, each versions migration funcs in the same file.
 }

--- a/api/datastore/pendingactions_test.go
+++ b/api/datastore/pendingactions_test.go
@@ -5,48 +5,47 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/pendingactions/actions"
-	"github.com/portainer/portainer/api/pendingactions/handlers"
 )

-type cleanNAPWithOverridePolicies struct {
-	EndpointGroupID portainer.EndpointGroupID
-}
-
 func Test_ConvertCleanNAPWithOverridePoliciesPayload(t *testing.T) {
 	t.Run("test ConvertCleanNAPWithOverridePoliciesPayload", func(t *testing.T) {

 		_, store := MustNewTestStore(t, true, false)
 		defer store.Close()

-		gid := portainer.EndpointGroupID(1)
-
 		testData := []struct {
 			Name          string
-			PendingAction portainer.PendingAction
-			Expected      any
+			PendingAction portainer.PendingActions
+			Expected      *actions.CleanNAPWithOverridePoliciesPayload
 			Err           bool
 		}{
 			{
 				Name: "test actiondata with EndpointGroupID 1",
-				PendingAction: handlers.NewCleanNAPWithOverridePolicies(
-					1,
-					&gid,
-				),
-				Expected: portainer.EndpointGroupID(1),
+				PendingAction: portainer.PendingActions{
+					EndpointID: 1,
+					Action:     "CleanNAPWithOverridePolicies",
+					ActionData: &actions.CleanNAPWithOverridePoliciesPayload{
+						EndpointGroupID: 1,
+					},
+				},
+				Expected: &actions.CleanNAPWithOverridePoliciesPayload{
+					EndpointGroupID: 1,
+				},
 			},
 			{
 				Name: "test actionData nil",
-				PendingAction: handlers.NewCleanNAPWithOverridePolicies(
-					2,
-					nil,
-				),
+				PendingAction: portainer.PendingActions{
+					EndpointID: 2,
+					Action:     "CleanNAPWithOverridePolicies",
+					ActionData: nil,
+				},
 				Expected: nil,
 			},
 			{
 				Name: "test actionData empty and expected error",
-				PendingAction: portainer.PendingAction{
+				PendingAction: portainer.PendingActions{
 					EndpointID: 2,
-					Action:     actions.CleanNAPWithOverridePolicies,
+					Action:     "CleanNAPWithOverridePolicies",
 					ActionData: "",
 				},
 				Expected: nil,
@@ -69,24 +68,22 @@ func Test_ConvertCleanNAPWithOverridePoliciesPayload(t *testing.T) {

 			for _, endpointPendingAction := range pendingActions {
 				t.Run(d.Name, func(t *testing.T) {
-					if endpointPendingAction.Action == actions.CleanNAPWithOverridePolicies {
-						var payload cleanNAPWithOverridePolicies
-
-						err := endpointPendingAction.UnmarshallActionData(&payload)
-
+					if endpointPendingAction.Action == "CleanNAPWithOverridePolicies" {
+						actionData, err := actions.ConvertCleanNAPWithOverridePoliciesPayload(endpointPendingAction.ActionData)
 						if d.Err && err == nil {
 							t.Error(err)
 						}

-						if d.Expected == nil && payload.EndpointGroupID != 0 {
-							t.Errorf("expected nil, got %d", payload.EndpointGroupID)
+						if d.Expected == nil && actionData != nil {
+							t.Errorf("expected nil , got %d", actionData)
 						}

-						if d.Expected != nil {
-							expected := d.Expected.(portainer.EndpointGroupID)
-							if d.Expected != nil && expected != payload.EndpointGroupID {
-								t.Errorf("expected EndpointGroupID %d, got %d", expected, payload.EndpointGroupID)
-							}
+						if d.Expected != nil && actionData == nil {
+							t.Errorf("expected not nil , got %d", actionData)
+						}
+
+						if d.Expected != nil && actionData.EndpointGroupID != d.Expected.EndpointGroupID {
+							t.Errorf("expected EndpointGroupID %d , got %d", d.Expected.EndpointGroupID, actionData.EndpointGroupID)
 						}
 					}
 				})
--- a/api/datastore/postinit/migrate_post_init.go
+++ b/api/datastore/postinit/migrate_post_init.go
@@ -2,6 +2,8 @@ package postinit

 import (
 	"context"
+	"fmt"
+	"reflect"

 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
@@ -72,11 +74,28 @@ func (postInitMigrator *PostInitMigrator) PostInitMigrate() error {
 // this function exists for readability, not reusability
 // TODO: This should be moved into pending actions as part of the pending action migration
 func (postInitMigrator *PostInitMigrator) createPostInitMigrationPendingAction(environmentID portainer.EndpointID) error {
-	// If there are no pending actions for the given endpoint, create one
-	err := postInitMigrator.dataStore.PendingActions().Create(&portainer.PendingAction{
+	migrateEnvPendingAction := portainer.PendingActions{
 		EndpointID: environmentID,
 		Action:     actions.PostInitMigrateEnvironment,
-	})
+	}
+
+	// Get all pending actions and filter them by endpoint, action and action args that are equal to the migrateEnvPendingAction
+	pendingActions, err := postInitMigrator.dataStore.PendingActions().ReadAll()
+	if err != nil {
+		log.Error().Err(err).Msgf("Error retrieving pending actions")
+		return fmt.Errorf("failed to retrieve pending actions for environment %d: %w", environmentID, err)
+	}
+	for _, pendingAction := range pendingActions {
+		if pendingAction.EndpointID == environmentID &&
+			pendingAction.Action == migrateEnvPendingAction.Action &&
+			reflect.DeepEqual(pendingAction.ActionData, migrateEnvPendingAction.ActionData) {
+			log.Debug().Msgf("Migration pending action for environment %d already exists, skipping creating another", environmentID)
+			return nil
+		}
+	}
+
+	// If there are no pending actions for the given endpoint, create one
+	err = postInitMigrator.dataStore.PendingActions().Create(&migrateEnvPendingAction)
 	if err != nil {
 		log.Error().Err(err).Msgf("Error creating pending action for environment %d", environmentID)
 	}
@@ -90,7 +109,7 @@ func (migrator *PostInitMigrator) MigrateEnvironment(environment *portainer.Endp
 	switch {
 	case endpointutils.IsKubernetesEndpoint(environment):
 		// get the kubeclient for the environment, and skip all kube migrations if there's an error
-		kubeclient, err := migrator.kubeFactory.GetPrivilegedKubeClient(environment)
+		kubeclient, err := migrator.kubeFactory.GetKubeClient(environment)
 		if err != nil {
 			log.Error().Err(err).Msgf("Error creating kubeclient for environment: %d", environment.ID)
 			return err
--- a/api/datastore/services.go
+++ b/api/datastore/services.go
@@ -17,6 +17,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/endpointgroup"
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
 	"github.com/portainer/portainer/api/dataservices/extension"
+	"github.com/portainer/portainer/api/dataservices/fdoprofile"
 	"github.com/portainer/portainer/api/dataservices/helmuserrepository"
 	"github.com/portainer/portainer/api/dataservices/pendingactions"
 	"github.com/portainer/portainer/api/dataservices/registry"
@@ -54,6 +55,7 @@ type Store struct {
 	EndpointService           *endpoint.Service
 	EndpointRelationService   *endpointrelation.Service
 	ExtensionService          *extension.Service
+	FDOProfilesService        *fdoprofile.Service
 	HelmUserRepositoryService *helmuserrepository.Service
 	RegistryService           *registry.Service
 	ResourceControlService    *resourcecontrol.Service
@@ -136,6 +138,12 @@ func (store *Store) initServices() error {
 	}
 	store.ExtensionService = extensionService

+	fdoProfilesService, err := fdoprofile.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.FDOProfilesService = fdoProfilesService
+
 	helmUserRepositoryService, err := helmuserrepository.NewService(store.connection)
 	if err != nil {
 		return err
@@ -281,6 +289,11 @@ func (store *Store) EndpointRelation() dataservices.EndpointRelationService {
 	return store.EndpointRelationService
 }

+// FDOProfile gives access to the FDOProfile data management layer
+func (store *Store) FDOProfile() dataservices.FDOProfileService {
+	return store.FDOProfilesService
+}
+
 // HelmUserRepository access the helm user repository settings
 func (store *Store) HelmUserRepository() dataservices.HelmUserRepositoryService {
 	return store.HelmUserRepositoryService
@@ -385,7 +398,7 @@ type storeExport struct {
 	User               []portainer.User               `json:"users,omitempty"`
 	Version            models.Version                 `json:"version,omitempty"`
 	Webhook            []portainer.Webhook            `json:"webhooks,omitempty"`
-	Metadata           map[string]any                 `json:"metadata,omitempty"`
+	Metadata           map[string]interface{}         `json:"metadata,omitempty"`
 }

 func (store *Store) Export(filename string) (err error) {
@@ -603,7 +616,7 @@ func (store *Store) Import(filename string) (err error) {
 	if err != nil {
 		return err
 	}
-	err = json.Unmarshal(s, &backup)
+	err = json.Unmarshal([]byte(s), &backup)
 	if err != nil {
 		return err
 	}
--- a/api/datastore/services_tx.go
+++ b/api/datastore/services_tx.go
@@ -44,6 +44,7 @@ func (tx *StoreTx) EndpointRelation() dataservices.EndpointRelationService {
 	return tx.store.EndpointRelationService.Tx(tx.tx)
 }

+func (tx *StoreTx) FDOProfile() dataservices.FDOProfileService                 { return nil }
 func (tx *StoreTx) HelmUserRepository() dataservices.HelmUserRepositoryService { return nil }

 func (tx *StoreTx) Registry() dataservices.RegistryService {
@@ -69,10 +70,7 @@ func (tx *StoreTx) Snapshot() dataservices.SnapshotService {
 }

 func (tx *StoreTx) SSLSettings() dataservices.SSLSettingsService { return nil }
-
-func (tx *StoreTx) Stack() dataservices.StackService {
-	return tx.store.StackService.Tx(tx.tx)
-}
+func (tx *StoreTx) Stack() dataservices.StackService             { return nil }

 func (tx *StoreTx) Tag() dataservices.TagService {
 	return tx.store.TagService.Tx(tx.tx)
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -38,7 +38,6 @@
        "TenantID": ""
      },
      "ComposeSyntaxMaxVersion": "",
-      "ContainerEngine": "",
      "Edge": {
        "AsyncMode": false,
        "CommandInterval": 0,
@@ -584,6 +583,7 @@
    "AuthenticationMethod": 1,
    "BlackListedLabels": [],
    "Edge": {
+      "AsyncMode": false,
      "CommandInterval": 0,
      "PingInterval": 0,
      "SnapshotInterval": 0
@@ -602,7 +602,7 @@
      "RequiredPasswordLength": 12
    },
    "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.22.0",
+    "KubectlShellImage": "portainer/kubectl-shell",
    "LDAPSettings": {
      "AnonymousMode": true,
      "AutoCreateUsers": true,
@@ -644,10 +644,17 @@
      "Scopes": "",
      "UserIdentifier": ""
    },
+    "ShowKomposeBuildOption": false,
    "SnapshotInterval": "5m",
    "TemplatesURL": "",
    "TrustOnFirstConnect": false,
    "UserSessionTimeout": "8h",
+    "fdoConfiguration": {
+      "enabled": false,
+      "ownerPassword": "",
+      "ownerURL": "",
+      "ownerUsername": ""
+    },
    "openAMTConfiguration": {
      "certFileContent": "",
      "certFileName": "",
@@ -769,7 +776,6 @@
        "GpuUseList": null,
        "HealthyContainerCount": 0,
        "ImageCount": 9,
-        "IsPodman": false,
        "NodeCount": 0,
        "RunningContainerCount": 5,
        "ServiceCount": 0,
@@ -804,6 +810,7 @@
      "FromAppTemplate": false,
      "GitConfig": null,
      "Id": 2,
+      "IsComposeFormat": false,
      "Name": "alpine",
      "Namespace": "",
      "Option": null,
@@ -826,6 +833,7 @@
      "FromAppTemplate": false,
      "GitConfig": null,
      "Id": 5,
+      "IsComposeFormat": false,
      "Name": "redis",
      "Namespace": "",
      "Option": null,
@@ -848,6 +856,7 @@
      "FromAppTemplate": false,
      "GitConfig": null,
      "Id": 6,
+      "IsComposeFormat": false,
      "Name": "nginx",
      "Namespace": "",
      "Option": null,
@@ -932,6 +941,6 @@
    }
  ],
  "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.22.0\",\"MigratorCount\":1,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.21.5\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
  }
 }
--- a/api/datastore/teststore.go
+++ b/api/datastore/teststore.go
@@ -52,24 +52,27 @@ func NewTestStore(t testing.TB, init, secure bool) (bool, *Store, func(), error)
 	}

 	if init {
-		if err := store.Init(); err != nil {
+		err = store.Init()
+		if err != nil {
 			return newStore, nil, nil, err
 		}
 	}

 	if newStore {
-		// From MigrateData
+		// from MigrateData
 		v := models.Version{
 			SchemaVersion: portainer.APIVersion,
 			Edition:       int(portainer.PortainerCE),
 		}
-		if err := store.VersionService.UpdateVersion(&v); err != nil {
+		err = store.VersionService.UpdateVersion(&v)
+		if err != nil {
 			return newStore, nil, nil, err
 		}
 	}

 	teardown := func() {
-		if err := store.Close(); err != nil {
+		err := store.Close()
+		if err != nil {
 			log.Fatal().Err(err).Msg("")
 		}
 	}
--- a/api/demo/demo.go
+++ b/api/demo/demo.go
@@ -0,0 +1,118 @@
+package demo
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+
+	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
+)
+
+type EnvironmentDetails struct {
+	Enabled      bool                   `json:"enabled"`
+	Users        []portainer.UserID     `json:"users"`
+	Environments []portainer.EndpointID `json:"environments"`
+}
+
+type Service struct {
+	details EnvironmentDetails
+}
+
+func NewService() *Service {
+	return &Service{}
+}
+
+func (service *Service) Details() EnvironmentDetails {
+	return service.details
+}
+
+func (service *Service) Init(store dataservices.DataStore, cryptoService portainer.CryptoService) error {
+	log.Info().Msg("starting demo environment")
+
+	isClean, err := isCleanStore(store)
+	if err != nil {
+		return errors.WithMessage(err, "failed checking if store is clean")
+	}
+
+	if !isClean {
+		return errors.New(" Demo environment can only be initialized on a clean database")
+	}
+
+	id, err := initDemoUser(store, cryptoService)
+	if err != nil {
+		return errors.WithMessage(err, "failed creating demo user")
+	}
+
+	endpointIds, err := initDemoEndpoints(store)
+	if err != nil {
+		return errors.WithMessage(err, "failed creating demo endpoint")
+	}
+
+	err = initDemoSettings(store)
+	if err != nil {
+		return errors.WithMessage(err, "failed updating demo settings")
+	}
+
+	service.details = EnvironmentDetails{
+		Enabled: true,
+		Users:   []portainer.UserID{id},
+		// endpoints 2,3 are created after deployment of portainer
+		Environments: endpointIds,
+	}
+
+	return nil
+}
+
+func isCleanStore(store dataservices.DataStore) (bool, error) {
+	endpoints, err := store.Endpoint().Endpoints()
+	if err != nil {
+		return false, err
+	}
+
+	if len(endpoints) > 0 {
+		return false, nil
+	}
+
+	users, err := store.User().ReadAll()
+	if err != nil {
+		return false, err
+	}
+
+	if len(users) > 0 {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+func (service *Service) IsDemo() bool {
+	return service.details.Enabled
+}
+
+func (service *Service) IsDemoEnvironment(environmentID portainer.EndpointID) bool {
+	if !service.IsDemo() {
+		return false
+	}
+
+	for _, demoEndpointID := range service.details.Environments {
+		if environmentID == demoEndpointID {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (service *Service) IsDemoUser(userID portainer.UserID) bool {
+	if !service.IsDemo() {
+		return false
+	}
+
+	for _, demoUserID := range service.details.Users {
+		if userID == demoUserID {
+			return true
+		}
+	}
+
+	return false
+}
--- a/api/demo/init.go
+++ b/api/demo/init.go
@@ -0,0 +1,88 @@
+package demo
+
+import (
+	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+func initDemoUser(
+	store dataservices.DataStore,
+	cryptoService portainer.CryptoService,
+) (portainer.UserID, error) {
+
+	password, err := cryptoService.Hash("tryportainer")
+	if err != nil {
+		return 0, errors.WithMessage(err, "failed creating password hash")
+	}
+
+	admin := &portainer.User{
+		Username: "admin",
+		Password: password,
+		Role:     portainer.AdministratorRole,
+	}
+
+	err = store.User().Create(admin)
+	return admin.ID, errors.WithMessage(err, "failed creating user")
+}
+
+func initDemoEndpoints(store dataservices.DataStore) ([]portainer.EndpointID, error) {
+	localEndpointId, err := initDemoLocalEndpoint(store)
+	if err != nil {
+		return nil, err
+	}
+
+	// second and third endpoints are going to be created with docker-compose as a part of the demo environment set up.
+	// ref: https://github.com/portainer/portainer-demo/blob/master/docker-compose.yml
+	return []portainer.EndpointID{localEndpointId, localEndpointId + 1, localEndpointId + 2}, nil
+}
+
+func initDemoLocalEndpoint(store dataservices.DataStore) (portainer.EndpointID, error) {
+	id := portainer.EndpointID(store.Endpoint().GetNextIdentifier())
+	localEndpoint := &portainer.Endpoint{
+		ID:        id,
+		Name:      "local",
+		URL:       "unix:///var/run/docker.sock",
+		PublicURL: "demo.portainer.io",
+		Type:      portainer.DockerEnvironment,
+		GroupID:   portainer.EndpointGroupID(1),
+		TLSConfig: portainer.TLSConfiguration{
+			TLS: false,
+		},
+		AuthorizedUsers:    []portainer.UserID{},
+		AuthorizedTeams:    []portainer.TeamID{},
+		UserAccessPolicies: portainer.UserAccessPolicies{},
+		TeamAccessPolicies: portainer.TeamAccessPolicies{},
+		TagIDs:             []portainer.TagID{},
+		Status:             portainer.EndpointStatusUp,
+		Snapshots:          []portainer.DockerSnapshot{},
+		Kubernetes:         portainer.KubernetesDefault(),
+	}
+
+	err := store.Endpoint().Create(localEndpoint)
+	if err != nil {
+		return id, errors.WithMessage(err, "failed creating local endpoint")
+	}
+
+	err = store.Snapshot().Create(&portainer.Snapshot{EndpointID: id})
+	if err != nil {
+		return id, errors.WithMessage(err, "failed creating snapshot")
+	}
+
+	return id, errors.WithMessage(err, "failed creating local endpoint")
+}
+
+func initDemoSettings(
+	store dataservices.DataStore,
+) error {
+	settings, err := store.Settings().Settings()
+	if err != nil {
+		return errors.WithMessage(err, "failed fetching settings")
+	}
+
+	settings.EnableTelemetry = false
+	settings.LogoURL = ""
+
+	err = store.Settings().UpdateSettings(settings)
+	return errors.WithMessage(err, "failed updating settings")
+}
--- a/api/docker/consts/labels.go
+++ b/api/docker/consts/labels.go
@@ -3,7 +3,6 @@ package consts
 const (
 	ComposeStackNameLabel = "com.docker.compose.project"
 	SwarmStackNameLabel   = "com.docker.stack.namespace"
-	SwarmServiceIDLabel   = "com.docker.swarm.service.id"
-	SwarmNodeIDLabel      = "com.docker.swarm.node.id"
-	HideStackLabel        = "io.portainer.hideStack"
+	SwarmServiceIdLabel   = "com.docker.swarm.service.id"
+	SwarmNodeIdLabel      = "com.docker.swarm.node.id"
 )
--- a/api/docker/container.go
+++ b/api/docker/container.go
@@ -13,6 +13,7 @@ import (
 	"github.com/docker/docker/api/types"
 	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/client"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 )
@@ -75,7 +76,10 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 	if err != nil {
 		return nil, errors.Wrap(err, "create client error")
 	}
-	defer cli.Close()
+
+	defer func(cli *client.Client) {
+		cli.Close()
+	}(cli)

 	log.Debug().Str("container_id", containerId).Msg("starting to fetch container information")

@@ -93,7 +97,8 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 	}

 	if imageTag != "" {
-		if err := img.WithTag(imageTag); err != nil {
+		err = img.WithTag(imageTag)
+		if err != nil {
 			return nil, errors.Wrapf(err, "set image tag error %s", imageTag)
 		}

@@ -105,20 +110,23 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 	// 1. pull image if you need force pull
 	if forcePullImage {
 		puller := images.NewPuller(cli, images.NewRegistryClient(c.dataStore), c.dataStore)
-		if err := puller.Pull(ctx, img); err != nil {
+		err = puller.Pull(ctx, img)
+		if err != nil {
 			return nil, errors.Wrapf(err, "pull image error %s", img.FullName())
 		}
 	}

 	// 2. stop the current container
 	log.Debug().Str("container_id", containerId).Msg("starting to stop the container")
-	if err := cli.ContainerStop(ctx, containerId, dockercontainer.StopOptions{}); err != nil {
+	err = cli.ContainerStop(ctx, containerId, dockercontainer.StopOptions{})
+	if err != nil {
 		return nil, errors.Wrap(err, "stop container error")
 	}

 	// 3. rename the current container
 	log.Debug().Str("container_id", containerId).Msg("starting to rename the container")
-	if err := cli.ContainerRename(ctx, containerId, container.Name+"-old"); err != nil {
+	err = cli.ContainerRename(ctx, containerId, container.Name+"-old")
+	if err != nil {
 		return nil, errors.Wrap(err, "rename container error")
 	}

@@ -129,7 +137,8 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 	// 4. disconnect all networks from the current container
 	for name, network := range container.NetworkSettings.Networks {
 		// This allows new container to use the same IP address if specified
-		if err := cli.NetworkDisconnect(ctx, network.NetworkID, containerId, true); err != nil {
+		err = cli.NetworkDisconnect(ctx, network.NetworkID, containerId, true)
+		if err != nil {
 			return nil, errors.Wrap(err, "disconnect network from old container error")
 		}

@@ -147,11 +156,9 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 	c.sr.push(func() {
 		log.Debug().Str("container_id", containerId).Str("container", container.Name).Msg("restoring the container")
 		cli.ContainerRename(ctx, containerId, container.Name)
-
 		for _, network := range container.NetworkSettings.Networks {
 			cli.NetworkConnect(ctx, network.NetworkID, containerId, network)
 		}
-
 		cli.ContainerStart(ctx, containerId, dockercontainer.StartOptions{})
 	})

@@ -196,14 +203,16 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 			continue
 		}

-		if err := cli.NetworkConnect(ctx, network.NetworkID, newContainerId, network); err != nil {
+		err = cli.NetworkConnect(ctx, network.NetworkID, newContainerId, network)
+		if err != nil {
 			return nil, errors.Wrap(err, "connect container network error")
 		}
 	}

 	// 8. start the new container
 	log.Debug().Str("container_id", newContainerId).Msg("starting the new container")
-	if err := cli.ContainerStart(ctx, newContainerId, dockercontainer.StartOptions{}); err != nil {
+	err = cli.ContainerStart(ctx, newContainerId, dockercontainer.StartOptions{})
+	if err != nil {
 		return nil, errors.Wrap(err, "start container error")
 	}

--- a/api/docker/container_stats.go
+++ b/api/docker/container_stats.go
@@ -1,37 +0,0 @@
-package docker
-
-import "github.com/docker/docker/api/types"
-
-type ContainerStats struct {
-	Running   int `json:"running"`
-	Stopped   int `json:"stopped"`
-	Healthy   int `json:"healthy"`
-	Unhealthy int `json:"unhealthy"`
-	Total     int `json:"total"`
-}
-
-func CalculateContainerStats(containers []types.Container) ContainerStats {
-	var running, stopped, healthy, unhealthy int
-	for _, container := range containers {
-		switch container.State {
-		case "running":
-			running++
-		case "healthy":
-			running++
-			healthy++
-		case "unhealthy":
-			running++
-			unhealthy++
-		case "exited", "stopped":
-			stopped++
-		}
-	}
-
-	return ContainerStats{
-		Running:   running,
-		Stopped:   stopped,
-		Healthy:   healthy,
-		Unhealthy: unhealthy,
-		Total:     len(containers),
-	}
-}
--- a/api/docker/container_stats_test.go
+++ b/api/docker/container_stats_test.go
@@ -1,27 +0,0 @@
-package docker
-
-import (
-	"testing"
-
-	"github.com/docker/docker/api/types"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestCalculateContainerStats(t *testing.T) {
-	containers := []types.Container{
-		{State: "running"},
-		{State: "running"},
-		{State: "exited"},
-		{State: "stopped"},
-		{State: "healthy"},
-		{State: "unhealthy"},
-	}
-
-	stats := CalculateContainerStats(containers)
-
-	assert.Equal(t, 4, stats.Running)
-	assert.Equal(t, 2, stats.Stopped)
-	assert.Equal(t, 1, stats.Healthy)
-	assert.Equal(t, 1, stats.Unhealthy)
-	assert.Equal(t, 6, stats.Total)
-}
--- a/api/docker/images/registry.go
+++ b/api/docker/images/registry.go
@@ -1,7 +1,6 @@
 package images

 import (
-	"cmp"
 	"strings"
 	"time"

@@ -42,7 +41,8 @@ func (c *RegistryClient) RegistryAuth(image Image) (string, string, error) {
 }

 func (c *RegistryClient) CertainRegistryAuth(registry *portainer.Registry) (string, string, error) {
-	if err := registryutils.EnsureRegTokenValid(c.dataStore, registry); err != nil {
+	err := registryutils.EnsureRegTokenValid(c.dataStore, registry)
+	if err != nil {
 		return "", "", err
 	}

@@ -72,7 +72,8 @@ func (c *RegistryClient) EncodedRegistryAuth(image Image) (string, error) {
 }

 func (c *RegistryClient) EncodedCertainRegistryAuth(registry *portainer.Registry) (string, error) {
-	if err := registryutils.EnsureRegTokenValid(c.dataStore, registry); err != nil {
+	err := registryutils.EnsureRegTokenValid(c.dataStore, registry)
+	if err != nil {
 		return "", err
 	}

@@ -91,32 +92,38 @@ func findBestMatchRegistry(repository string, registries []portainer.Registry) (
 	}

 	var match1, match2, match3 *portainer.Registry
+	for i := 0; i < len(registries); i++ {
+		registry := registries[i]
+		if registry.Type == portainer.DockerHubRegistry {
+
+			// try to match repository examples:
+			//   <USERNAME>/nginx:latest
+			//   docker.io/<USERNAME>/nginx:latest
+			if strings.HasPrefix(repository, registry.Username+"/") || strings.HasPrefix(repository, registry.URL+"/"+registry.Username+"/") {
+				match1 = &registry
+			}
+
+			// try to match repository examples:
+			//   portainer/portainer-ee:latest
+			//   <NON-USERNAME>/portainer-ee:latest
+			if match3 == nil {
+				match3 = &registry
+			}
+		}

-	for _, registry := range registries {
 		if strings.Contains(repository, registry.URL) {
 			match2 = &registry
 		}
-
-		if registry.Type != portainer.DockerHubRegistry {
-			continue
-		}
-
-		// try to match repository examples:
-		//   <USERNAME>/nginx:latest
-		//   docker.io/<USERNAME>/nginx:latest
-		if strings.HasPrefix(repository, registry.Username+"/") || strings.HasPrefix(repository, registry.URL+"/"+registry.Username+"/") {
-			match1 = &registry
-		}
-
-		// try to match repository examples:
-		//   portainer/portainer-ee:latest
-		//   <NON-USERNAME>/portainer-ee:latest
-		if match3 == nil {
-			match3 = &registry
-		}
 	}

-	match := cmp.Or(match1, match2, match3)
+	match := match1
+	if match == nil {
+		match = match2
+	}
+	if match == nil {
+		match = match3
+	}
+
 	if match == nil {
 		return nil, errors.New("no registries matched")
 	}
--- a/api/docker/images/status.go
+++ b/api/docker/images/status.go
@@ -48,11 +48,11 @@ func (c *DigestClient) ContainersImageStatus(ctx context.Context, containers []t
 	statuses := make([]Status, len(containers))
 	for i, ct := range containers {
 		var nodeName string
-		if swarmNodeId := ct.Labels[consts.SwarmNodeIDLabel]; swarmNodeId != "" {
+		if swarmNodeId := ct.Labels[consts.SwarmNodeIdLabel]; swarmNodeId != "" {
 			if swarmNodeName, ok := swarmID2NameCache.Get(swarmNodeId); ok {
 				nodeName, _ = swarmNodeName.(string)
 			} else {
-				node, _, err := cli.NodeInspectWithRaw(ctx, ct.Labels[consts.SwarmNodeIDLabel])
+				node, _, err := cli.NodeInspectWithRaw(ctx, ct.Labels[consts.SwarmNodeIdLabel])
 				if err != nil {
 					return Error
 				}
@@ -160,7 +160,7 @@ func (c *DigestClient) ServiceImageStatus(ctx context.Context, serviceID string,

 	containers, err := cli.ContainerList(ctx, container.ListOptions{
 		All:     true,
-		Filters: filters.NewArgs(filters.Arg("label", consts.SwarmServiceIDLabel+"="+serviceID)),
+		Filters: filters.NewArgs(filters.Arg("label", consts.SwarmServiceIdLabel+"="+serviceID)),
 	})
 	if err != nil {
 		log.Warn().Err(err).Str("serviceID", serviceID).Msg("cannot list container for the service")
--- a/api/docker/snapshot.go
+++ b/api/docker/snapshot.go
@@ -5,15 +5,14 @@ import (
 	"strings"
 	"time"

-	portainer "github.com/portainer/portainer/api"
-	dockerclient "github.com/portainer/portainer/api/docker/client"
-	"github.com/portainer/portainer/api/docker/consts"
-
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	_container "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/volume"
 	"github.com/docker/docker/client"
+	portainer "github.com/portainer/portainer/api"
+	dockerclient "github.com/portainer/portainer/api/docker/client"
+	"github.com/portainer/portainer/api/docker/consts"
 	"github.com/rs/zerolog/log"
 )

@@ -41,7 +40,8 @@ func (snapshotter *Snapshotter) CreateSnapshot(endpoint *portainer.Endpoint) (*p
 }

 func snapshot(cli *client.Client, endpoint *portainer.Endpoint) (*portainer.DockerSnapshot, error) {
-	if _, err := cli.Ping(context.Background()); err != nil {
+	_, err := cli.Ping(context.Background())
+	if err != nil {
 		return nil, err
 	}

@@ -49,42 +49,49 @@ func snapshot(cli *client.Client, endpoint *portainer.Endpoint) (*portainer.Dock
 		StackCount: 0,
 	}

-	if err := snapshotInfo(snapshot, cli); err != nil {
+	err = snapshotInfo(snapshot, cli)
+	if err != nil {
 		log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot engine information")
 	}

 	if snapshot.Swarm {
-		if err := snapshotSwarmServices(snapshot, cli); err != nil {
+		err = snapshotSwarmServices(snapshot, cli)
+		if err != nil {
 			log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot Swarm services")
 		}

-		if err := snapshotNodes(snapshot, cli); err != nil {
+		err = snapshotNodes(snapshot, cli)
+		if err != nil {
 			log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot Swarm nodes")
 		}
 	}

-	if err := snapshotContainers(snapshot, cli); err != nil {
+	err = snapshotContainers(snapshot, cli)
+	if err != nil {
 		log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot containers")
 	}

-	if err := snapshotImages(snapshot, cli); err != nil {
+	err = snapshotImages(snapshot, cli)
+	if err != nil {
 		log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot images")
 	}

-	if err := snapshotVolumes(snapshot, cli); err != nil {
+	err = snapshotVolumes(snapshot, cli)
+	if err != nil {
 		log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot volumes")
 	}

-	if err := snapshotNetworks(snapshot, cli); err != nil {
+	err = snapshotNetworks(snapshot, cli)
+	if err != nil {
 		log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot networks")
 	}

-	if err := snapshotVersion(snapshot, cli); err != nil {
+	err = snapshotVersion(snapshot, cli)
+	if err != nil {
 		log.Warn().Str("environment", endpoint.Name).Err(err).Msg("unable to snapshot engine version")
 	}

 	snapshot.Time = time.Now().Unix()
-
 	return snapshot, nil
 }

@@ -99,7 +106,6 @@ func snapshotInfo(snapshot *portainer.DockerSnapshot, cli *client.Client) error
 	snapshot.TotalCPU = info.NCPU
 	snapshot.TotalMemory = info.MemTotal
 	snapshot.SnapshotRaw.Info = info
-
 	return nil
 }

@@ -108,19 +114,15 @@ func snapshotNodes(snapshot *portainer.DockerSnapshot, cli *client.Client) error
 	if err != nil {
 		return err
 	}
-
 	var nanoCpus int64
 	var totalMem int64
-
 	for _, node := range nodes {
 		nanoCpus += node.Description.Resources.NanoCPUs
 		totalMem += node.Description.Resources.MemoryBytes
 	}
-
 	snapshot.TotalCPU = int(nanoCpus / 1e9)
 	snapshot.TotalMemory = totalMem
 	snapshot.NodeCount = len(nodes)
-
 	return nil
 }

@@ -142,7 +144,6 @@ func snapshotSwarmServices(snapshot *portainer.DockerSnapshot, cli *client.Clien

 	snapshot.ServiceCount = len(services)
 	snapshot.StackCount += len(stacks)
-
 	return nil
 }

@@ -152,13 +153,20 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 		return err
 	}

+	runningContainers := 0
+	stoppedContainers := 0
+	healthyContainers := 0
+	unhealthyContainers := 0
 	stacks := make(map[string]struct{})
 	gpuUseSet := make(map[string]struct{})
 	gpuUseAll := false
-
 	for _, container := range containers {
-		if container.State == "running" {
-			// Snapshot GPUs
+		if container.State == "exited" || container.State == "stopped" {
+			stoppedContainers++
+		} else if container.State == "running" {
+			runningContainers++
+
+			// snapshot GPUs
 			response, err := cli.ContainerInspect(context.Background(), container.ID)
 			if err != nil {
 				// Inspect a container will fail when the container runs on a different
@@ -177,6 +185,7 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 			} else {
 				var gpuOptions *_container.DeviceRequest = nil
 				for _, deviceRequest := range response.HostConfig.Resources.DeviceRequests {
+					deviceRequest := deviceRequest
 					if deviceRequest.Driver == "nvidia" || deviceRequest.Capabilities[0][0] == "gpu" {
 						gpuOptions = &deviceRequest
 					}
@@ -186,7 +195,6 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 					if gpuOptions.Count == -1 {
 						gpuUseAll = true
 					}
-
 					for _, id := range gpuOptions.DeviceIDs {
 						gpuUseSet[id] = struct{}{}
 					}
@@ -194,6 +202,15 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 			}
 		}

+		if container.State == "healthy" {
+			runningContainers++
+			healthyContainers++
+		}
+
+		if container.State == "unhealthy" {
+			unhealthyContainers++
+		}
+
 		for k, v := range container.Labels {
 			if k == consts.ComposeStackNameLabel {
 				stacks[v] = struct{}{}
@@ -209,19 +226,15 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 	snapshot.GpuUseAll = gpuUseAll
 	snapshot.GpuUseList = gpuUseList

-	stats := CalculateContainerStats(containers)
-
-	snapshot.ContainerCount = stats.Total
-	snapshot.RunningContainerCount = stats.Running
-	snapshot.StoppedContainerCount = stats.Stopped
-	snapshot.HealthyContainerCount = stats.Healthy
-	snapshot.UnhealthyContainerCount = stats.Unhealthy
+	snapshot.ContainerCount = len(containers)
+	snapshot.RunningContainerCount = runningContainers
+	snapshot.StoppedContainerCount = stoppedContainers
+	snapshot.HealthyContainerCount = healthyContainers
+	snapshot.UnhealthyContainerCount = unhealthyContainers
 	snapshot.StackCount += len(stacks)
-
 	for _, container := range containers {
 		snapshot.SnapshotRaw.Containers = append(snapshot.SnapshotRaw.Containers, portainer.DockerContainerSnapshot{Container: container})
 	}
-
 	return nil
 }

@@ -233,7 +246,6 @@ func snapshotImages(snapshot *portainer.DockerSnapshot, cli *client.Client) erro

 	snapshot.ImageCount = len(images)
 	snapshot.SnapshotRaw.Images = images
-
 	return nil
 }

@@ -245,7 +257,6 @@ func snapshotVolumes(snapshot *portainer.DockerSnapshot, cli *client.Client) err

 	snapshot.VolumeCount = len(volumes.Volumes)
 	snapshot.SnapshotRaw.Volumes = volumes
-
 	return nil
 }

@@ -254,9 +265,7 @@ func snapshotNetworks(snapshot *portainer.DockerSnapshot, cli *client.Client) er
 	if err != nil {
 		return err
 	}
-
 	snapshot.SnapshotRaw.Networks = networks
-
 	return nil
 }

@@ -265,19 +274,6 @@ func snapshotVersion(snapshot *portainer.DockerSnapshot, cli *client.Client) err
 	if err != nil {
 		return err
 	}
-
 	snapshot.SnapshotRaw.Version = version
-	snapshot.IsPodman = isPodman(version)
 	return nil
 }
-
-// isPodman checks if the version is for Podman by checking if any of the components contain "podman".
-// If it's podman, a component name should be "Podman Engine"
-func isPodman(version types.Version) bool {
-	for _, component := range version.Components {
-		if strings.Contains(strings.ToLower(component.Name), "podman") {
-			return true
-		}
-	}
-	return false
-}
--- a/api/exec/compose_stack.go
+++ b/api/exec/compose_stack.go
@@ -38,7 +38,7 @@ func (manager *ComposeStackManager) ComposeSyntaxMaxVersion() string {
 }

 // Up builds, (re)creates and starts containers in the background. Wraps `docker-compose up -d` command
-func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Stack, endpoint *portainer.Endpoint, options portainer.ComposeUpOptions) error {
+func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Stack, endpoint *portainer.Endpoint, forceRecreate bool) error {
 	url, proxy, err := manager.fetchEndpointProxy(endpoint)
 	if err != nil {
 		return errors.Wrap(err, "failed to fetch environment proxy")
@@ -61,39 +61,7 @@ func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Sta
 			Host:        url,
 			ProjectName: stack.Name,
 		},
-		ForceRecreate:        options.ForceRecreate,
-		AbortOnContainerExit: options.AbortOnContainerExit,
-	})
-	return errors.Wrap(err, "failed to deploy a stack")
-}
-
-// Run runs a one-off command on a service. Wraps `docker-compose run` command
-func (manager *ComposeStackManager) Run(ctx context.Context, stack *portainer.Stack, endpoint *portainer.Endpoint, serviceName string, options portainer.ComposeRunOptions) error {
-	url, proxy, err := manager.fetchEndpointProxy(endpoint)
-	if err != nil {
-		return errors.Wrap(err, "failed to fetch environment proxy")
-	}
-
-	if proxy != nil {
-		defer proxy.Close()
-	}
-
-	envFilePath, err := createEnvFile(stack)
-	if err != nil {
-		return errors.Wrap(err, "failed to create env file")
-	}
-
-	filePaths := stackutils.GetStackFilePaths(stack, true)
-	err = manager.deployer.Run(ctx, filePaths, serviceName, libstack.RunOptions{
-		Options: libstack.Options{
-			WorkingDir:  stack.ProjectPath,
-			EnvFilePath: envFilePath,
-			Host:        url,
-			ProjectName: stack.Name,
-		},
-		Remove:   options.Remove,
-		Args:     options.Args,
-		Detached: options.Detached,
+		ForceRecreate: forceRecreate,
 	})
 	return errors.Wrap(err, "failed to deploy a stack")
 }
@@ -108,9 +76,15 @@ func (manager *ComposeStackManager) Down(ctx context.Context, stack *portainer.S
 		defer proxy.Close()
 	}

+	envFilePath, err := createEnvFile(stack)
+	if err != nil {
+		return errors.Wrap(err, "failed to create env file")
+	}
+
 	err = manager.deployer.Remove(ctx, stack.Name, nil, libstack.Options{
-		WorkingDir: "",
-		Host:       url,
+		WorkingDir:  stack.ProjectPath,
+		EnvFilePath: envFilePath,
+		Host:        url,
 	})

 	return errors.Wrap(err, "failed to remove a stack")
@@ -174,46 +148,28 @@ func createEnvFile(stack *portainer.Stack) (string, error) {
 	}
 	defer envfile.Close()

-	// Copy from default .env file
-	defaultEnvPath := path.Join(stack.ProjectPath, path.Dir(stack.EntryPoint), ".env")
-	if err = copyDefaultEnvFile(envfile, defaultEnvPath); err != nil {
-		return "", err
-	}
+	copyDefaultEnvFile(stack, envfile)

-	// Copy from stack env vars
-	if err = copyConfigEnvVars(envfile, stack.Env); err != nil {
-		return "", err
+	for _, v := range stack.Env {
+		envfile.WriteString(fmt.Sprintf("%s=%s\n", v.Name, v.Value))
 	}

 	return "stack.env", nil
 }

 // copyDefaultEnvFile copies the default .env file if it exists to the provided writer
-func copyDefaultEnvFile(w io.Writer, defaultEnvFilePath string) error {
-	defaultEnvFile, err := os.Open(defaultEnvFilePath)
+func copyDefaultEnvFile(stack *portainer.Stack, w io.Writer) {
+	defaultEnvFile, err := os.Open(path.Join(path.Join(stack.ProjectPath, path.Dir(stack.EntryPoint)), ".env"))
 	if err != nil {
 		// If cannot open a default file, then don't need to copy it.
 		// We could as well stat it and check if it exists, but this is more efficient.
-		return nil
+		return
 	}

 	defer defaultEnvFile.Close()

 	if _, err = io.Copy(w, defaultEnvFile); err == nil {
-		if _, err = fmt.Fprintf(w, "\n"); err != nil {
-			return fmt.Errorf("failed to copy default env file: %w", err)
-		}
+		io.WriteString(w, "\n")
 	}
-	return nil
 	// If couldn't copy the .env file, then ignore the error and try to continue
 }
-
-// copyConfigEnvVars write the environment variables from stack configuration to the writer
-func copyConfigEnvVars(w io.Writer, envs []portainer.Pair) error {
-	for _, v := range envs {
-		if _, err := fmt.Fprintf(w, "%s=%s\n", v.Name, v.Value); err != nil {
-			return fmt.Errorf("failed to copy config env vars: %w", err)
-		}
-	}
-	return nil
-}
--- a/api/exec/compose_stack_integration_test.go
+++ b/api/exec/compose_stack_integration_test.go
@@ -60,7 +60,7 @@ func Test_UpAndDown(t *testing.T) {

 	ctx := context.TODO()

-	err = w.Up(ctx, stack, endpoint, portainer.ComposeUpOptions{})
+	err = w.Up(ctx, stack, endpoint, false)
 	if err != nil {
 		t.Fatalf("Error calling docker-compose up: %s", err)
 	}
--- a/api/exec/compose_stack_test.go
+++ b/api/exec/compose_stack_test.go
@@ -23,7 +23,6 @@ func Test_createEnvFile(t *testing.T) {
 			name: "should not add env file option if stack doesn't have env variables",
 			stack: &portainer.Stack{
 				ProjectPath: dir,
-				Env:         nil,
 			},
 			expected: "",
 		},
--- a/api/exec/exectest/kubernetes_mocks.go
+++ b/api/exec/exectest/kubernetes_mocks.go
@@ -18,3 +18,7 @@ func (deployer *kubernetesMockDeployer) Deploy(userID portainer.UserID, endpoint
 func (deployer *kubernetesMockDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
 	return "", nil
 }
+
+func (deployer *kubernetesMockDeployer) ConvertCompose(data []byte) ([]byte, error) {
+	return nil, nil
+}
--- a/api/exec/kubernetes_deploy.go
+++ b/api/exec/kubernetes_deploy.go
@@ -44,7 +44,7 @@ func NewKubernetesDeployer(kubernetesTokenCacheManager *kubernetes.TokenCacheMan
 }

 func (deployer *KubernetesDeployer) getToken(userID portainer.UserID, endpoint *portainer.Endpoint, setLocalAdminToken bool) (string, error) {
-	kubeCLI, err := deployer.kubernetesClientFactory.GetPrivilegedKubeClient(endpoint)
+	kubeCLI, err := deployer.kubernetesClientFactory.GetKubeClient(endpoint)
 	if err != nil {
 		return "", err
 	}
@@ -137,6 +137,29 @@ func (deployer *KubernetesDeployer) command(operation string, userID portainer.U
 	return string(output), nil
 }

+// ConvertCompose leverages the kompose binary to deploy a compose compliant manifest.
+func (deployer *KubernetesDeployer) ConvertCompose(data []byte) ([]byte, error) {
+	command := path.Join(deployer.binaryPath, "kompose")
+	if runtime.GOOS == "windows" {
+		command = path.Join(deployer.binaryPath, "kompose.exe")
+	}
+
+	args := make([]string, 0)
+	args = append(args, "convert", "-f", "-", "--stdout")
+
+	var stderr bytes.Buffer
+	cmd := exec.Command(command, args...)
+	cmd.Stderr = &stderr
+	cmd.Stdin = bytes.NewReader(data)
+
+	output, err := cmd.Output()
+	if err != nil {
+		return nil, errors.New(stderr.String())
+	}
+
+	return output, nil
+}
+
 func (deployer *KubernetesDeployer) getAgentURL(endpoint *portainer.Endpoint) (string, *factory.ProxyServer, error) {
 	proxy, err := deployer.proxyManager.CreateAgentProxyServer(endpoint)
 	if err != nil {
--- a/api/exec/swarm_stack.go
+++ b/api/exec/swarm_stack.go
@@ -157,10 +157,7 @@ func runCommandAndCaptureStdErr(command string, args []string, env []string, wor
 	var stderr bytes.Buffer
 	cmd := exec.Command(command, args...)
 	cmd.Stderr = &stderr
-
-	if workingDir != "" {
-		cmd.Dir = workingDir
-	}
+	cmd.Dir = workingDir

 	if env != nil {
 		cmd.Env = os.Environ()
@@ -227,10 +224,10 @@ func (manager *SwarmStackManager) updateDockerCLIConfiguration(configPath string
 	}

 	if config["HttpHeaders"] == nil {
-		config["HttpHeaders"] = make(map[string]any)
+		config["HttpHeaders"] = make(map[string]interface{})
 	}

-	headersObject := config["HttpHeaders"].(map[string]any)
+	headersObject := config["HttpHeaders"].(map[string]interface{})
 	headersObject["X-PortainerAgent-ManagerOperation"] = "1"
 	headersObject["X-PortainerAgent-Signature"] = signature
 	headersObject["X-PortainerAgent-PublicKey"] = manager.signatureService.EncodedPublicKey()
@@ -238,12 +235,12 @@ func (manager *SwarmStackManager) updateDockerCLIConfiguration(configPath string
 	return manager.fileService.WriteJSONToFile(configFilePath, config)
 }

-func (manager *SwarmStackManager) retrieveConfigurationFromDisk(path string) (map[string]any, error) {
-	var config map[string]any
+func (manager *SwarmStackManager) retrieveConfigurationFromDisk(path string) (map[string]interface{}, error) {
+	var config map[string]interface{}

 	raw, err := manager.fileService.GetFileContent(path, "")
 	if err != nil {
-		return make(map[string]any), nil
+		return make(map[string]interface{}), nil
 	}

 	err = json.Unmarshal(raw, &config)
--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@@ -36,6 +36,8 @@ const (
 	ManifestFileDefaultName = "k8s-deployment.yml"
 	// EdgeStackStorePath represents the subfolder where edge stack files are stored in the file store folder.
 	EdgeStackStorePath = "edge_stacks"
+	// FDOProfileStorePath represents the subfolder where FDO profiles files are stored in the file store folder.
+	FDOProfileStorePath = "fdo_profiles"
 	// PrivateKeyFile represents the name on disk of the file containing the private key.
 	PrivateKeyFile = "portainer.key"
 	// PublicKeyFile represents the name on disk of the file containing the public key.
@@ -599,7 +601,7 @@ func (service *Service) Rename(oldPath, newPath string) error {
 }

 // WriteJSONToFile writes JSON to the specified file.
-func (service *Service) WriteJSONToFile(path string, content any) error {
+func (service *Service) WriteJSONToFile(path string, content interface{}) error {
 	jsonContent, err := json.Marshal(content)
 	if err != nil {
 		return err
@@ -1001,6 +1003,23 @@ func MoveDirectory(originalPath, newPath string, overwriteTargetPath bool) error
 	return os.Rename(originalPath, newPath)
 }

+// StoreFDOProfileFileFromBytes creates a subfolder in the FDOProfileStorePath and stores a new file from bytes.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreFDOProfileFileFromBytes(fdoProfileIdentifier string, data []byte) (string, error) {
+	err := service.createDirectoryInStore(FDOProfileStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	filePath := JoinPaths(FDOProfileStorePath, fdoProfileIdentifier)
+	err = service.createFileInStore(filePath, bytes.NewReader(data))
+	if err != nil {
+		return "", err
+	}
+
+	return service.wrapFileStore(filePath), nil
+}
+
 func CreateFile(path string, r io.Reader) error {
 	out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
--- a/api/filesystem/serialize_per_dev_configs.go
+++ b/api/filesystem/serialize_per_dev_configs.go
@@ -6,7 +6,7 @@ import (
 	"path/filepath"
 	"strings"

-	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api"
 )

 type MultiFilterArgs []struct {
--- a/api/filesystem/serialize_per_dev_configs_test.go
+++ b/api/filesystem/serialize_per_dev_configs_test.go
@@ -1,10 +1,9 @@
 package filesystem

 import (
-	"testing"
-
 	portainer "github.com/portainer/portainer/api"
 	"github.com/stretchr/testify/assert"
+	"testing"
 )

 func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
--- a/api/git/git.go
+++ b/api/git/git.go
@@ -6,8 +6,6 @@ import (
 	"path/filepath"
 	"strings"

-	gittypes "github.com/portainer/portainer/api/git/types"
-
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/plumbing"
@@ -16,6 +14,7 @@ import (
 	githttp "github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/go-git/go-git/v5/storage/memory"
 	"github.com/pkg/errors"
+	gittypes "github.com/portainer/portainer/api/git/types"
 )

 type gitClient struct {
--- a/api/git/service.go
+++ b/api/git/service.go
@@ -140,18 +140,12 @@ func (service *Service) CloneRepository(destination, repositoryURL, referenceNam
 	return service.cloneRepository(destination, options)
 }

-func (service *Service) repoManager(options baseOption) repoManager {
-	repoManager := service.git
-
+func (service *Service) cloneRepository(destination string, options cloneOption) error {
 	if isAzureUrl(options.repositoryUrl) {
-		repoManager = service.azure
+		return service.azure.download(context.TODO(), destination, options)
 	}

-	return repoManager
-}
-
-func (service *Service) cloneRepository(destination string, options cloneOption) error {
-	return service.repoManager(options.baseOption).download(context.TODO(), destination, options)
+	return service.git.download(context.TODO(), destination, options)
 }

 // LatestCommitID returns SHA1 of the latest commit of the specified reference
@@ -166,7 +160,11 @@ func (service *Service) LatestCommitID(repositoryURL, referenceName, username, p
 		referenceName: referenceName,
 	}

-	return service.repoManager(options.baseOption).latestCommitID(context.TODO(), options)
+	if isAzureUrl(options.repositoryUrl) {
+		return service.azure.latestCommitID(context.TODO(), options)
+	}
+
+	return service.git.latestCommitID(context.TODO(), options)
 }

 // ListRefs will list target repository's references without cloning the repository
@@ -177,16 +175,21 @@ func (service *Service) ListRefs(repositoryURL, username, password string, hardR
 		service.repoRefCache.Remove(refCacheKey)
 		// Remove file caches pointed to the same repository
 		for _, fileCacheKey := range service.repoFileCache.Keys() {
-			if key, ok := fileCacheKey.(string); ok && strings.HasPrefix(key, repositoryURL) {
-				service.repoFileCache.Remove(key)
+			key, ok := fileCacheKey.(string)
+			if ok {
+				if strings.HasPrefix(key, repositoryURL) {
+					service.repoFileCache.Remove(key)
+				}
 			}
 		}
 	}

 	if service.repoRefCache != nil {
 		// Lookup the refs cache first
-		if cache, ok := service.repoRefCache.Get(refCacheKey); ok {
-			if refs, ok := cache.([]string); ok {
+		cache, ok := service.repoRefCache.Get(refCacheKey)
+		if ok {
+			refs, success := cache.([]string)
+			if success {
 				return refs, nil
 			}
 		}
@@ -199,15 +202,25 @@ func (service *Service) ListRefs(repositoryURL, username, password string, hardR
 		tlsSkipVerify: tlsSkipVerify,
 	}

-	refs, err := service.repoManager(options).listRefs(context.TODO(), options)
-	if err != nil {
-		return nil, err
+	var (
+		refs []string
+		err  error
+	)
+	if isAzureUrl(options.repositoryUrl) {
+		refs, err = service.azure.listRefs(context.TODO(), options)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		refs, err = service.git.listRefs(context.TODO(), options)
+		if err != nil {
+			return nil, err
+		}
 	}

 	if service.cacheEnabled && service.repoRefCache != nil {
 		service.repoRefCache.Add(refCacheKey, refs)
 	}
-
 	return refs, nil
 }

@@ -253,9 +266,20 @@ func (service *Service) listFiles(repositoryURL, referenceName, username, passwo
 		dirOnly:       dirOnly,
 	}

-	files, err := service.repoManager(options.baseOption).listFiles(context.TODO(), options)
-	if err != nil {
-		return nil, err
+	var (
+		files []string
+		err   error
+	)
+	if isAzureUrl(options.repositoryUrl) {
+		files, err = service.azure.listFiles(context.TODO(), options)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		files, err = service.git.listFiles(context.TODO(), options)
+		if err != nil {
+			return nil, err
+		}
 	}

 	if service.cacheEnabled && service.repoFileCache != nil {
@@ -289,7 +313,6 @@ func matchExtensions(target string, exts []string) bool {
 			return true
 		}
 	}
-
 	return false
 }

@@ -300,11 +323,10 @@ func filterFiles(paths []string, includedExts []string) []string {

 	var includedFiles []string
 	for _, filename := range paths {
-		// Filter out the filenames with non-included extension
+		// filter out the filenames with non-included extension
 		if matchExtensions(filename, includedExts) {
 			includedFiles = append(includedFiles, filename)
 		}
 	}
-
 	return includedFiles
 }
--- a/api/git/validate.go
+++ b/api/git/validate.go
@@ -8,7 +8,7 @@ import (
 )

 func ValidateRepoConfig(repoConfig *gittypes.RepoConfig) error {
-	if len(repoConfig.URL) == 0 || !govalidator.IsURL(repoConfig.URL) {
+	if govalidator.IsNull(repoConfig.URL) || !govalidator.IsURL(repoConfig.URL) {
 		return httperrors.NewInvalidPayloadError("Invalid repository URL. Must correspond to a valid URL format")
 	}

@@ -17,7 +17,7 @@ func ValidateRepoConfig(repoConfig *gittypes.RepoConfig) error {
 }

 func ValidateRepoAuthentication(auth *gittypes.GitAuthentication) error {
-	if auth != nil && len(auth.Password) == 0 && auth.GitCredentialID == 0 {
+	if auth != nil && govalidator.IsNull(auth.Password) && auth.GitCredentialID == 0 {
 		return httperrors.NewInvalidPayloadError("Invalid repository credentials. Password or GitCredentialID must be specified when authentication is enabled")
 	}

--- a/api/hostmanagement/fdo/owner_client.go
+++ b/api/hostmanagement/fdo/owner_client.go
@@ -0,0 +1,247 @@
+package fdo
+
+import (
+	"bytes"
+	"errors"
+	"io"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/portainer/portainer/third_party/digest"
+)
+
+type FDOOwnerClient struct {
+	OwnerURL string
+	Username string
+	Password string
+	Timeout  time.Duration
+}
+
+type ServiceInfo struct {
+	Module   string
+	Var      string
+	Filename string
+	Bytes    []byte
+	GUID     string
+	Device   string
+	Priority int
+	OS       string
+	Version  string
+	Arch     string
+	CRID     int
+	Hash     string
+}
+
+func (c FDOOwnerClient) doDigestAuthReq(method, endpoint, contentType string, body io.Reader) (*http.Response, error) {
+	transport := digest.NewTransport(c.Username, c.Password)
+
+	client, err := transport.Client()
+	if err != nil {
+		return nil, err
+	}
+	client.Timeout = c.Timeout
+
+	e, err := url.Parse(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	u, err := url.Parse(c.OwnerURL)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(method, u.ResolveReference(e).String(), body)
+	if err != nil {
+		return nil, err
+	}
+
+	if contentType != "" {
+		req.Header.Set("Content-Type", contentType)
+	}
+
+	return client.Do(req)
+}
+
+func (c FDOOwnerClient) PostVoucher(ov []byte) (string, error) {
+	resp, err := c.doDigestAuthReq(
+		http.MethodPost,
+		"api/v1/owner/vouchers",
+		"application/cbor",
+		bytes.NewReader(ov),
+	)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return "", errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	return string(body), nil
+}
+
+func (c FDOOwnerClient) PutDeviceSVI(info ServiceInfo) error {
+	values := url.Values{}
+	values.Set("module", info.Module)
+	values.Set("var", info.Var)
+	values.Set("filename", info.Filename)
+	values.Set("guid", info.GUID)
+	values.Set("device", info.Device)
+	values.Set("priority", strconv.Itoa(info.Priority))
+	values.Set("os", info.OS)
+	values.Set("version", info.Version)
+	values.Set("arch", info.Arch)
+	values.Set("crid", strconv.Itoa(info.CRID))
+	values.Set("hash", info.Hash)
+
+	resp, err := c.doDigestAuthReq(
+		http.MethodPut,
+		"api/v1/device/svi?"+values.Encode(),
+		"application/octet-stream",
+		strings.NewReader(string(info.Bytes)),
+	)
+	if err != nil {
+		return err
+	}
+
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
+
+func (c FDOOwnerClient) PutDeviceSVIRaw(info url.Values, body []byte) error {
+	resp, err := c.doDigestAuthReq(
+		http.MethodPut,
+		"api/v1/device/svi?"+info.Encode(),
+		"application/octet-stream",
+		strings.NewReader(string(body)),
+	)
+	if err != nil {
+		return err
+	}
+
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
+
+func (c FDOOwnerClient) GetVouchers() ([]string, error) {
+	resp, err := c.doDigestAuthReq(
+		http.MethodGet,
+		"api/v1/owner/vouchers",
+		"",
+		nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	contents, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	guids := strings.FieldsFunc(
+		strings.TrimSpace(string(contents)),
+		func(c rune) bool {
+			return c == ','
+		},
+	)
+
+	return guids, nil
+}
+
+func (c FDOOwnerClient) DeleteVoucher(guid string) error {
+	resp, err := c.doDigestAuthReq(
+		http.MethodDelete,
+		"api/v1/owner/vouchers?id="+guid,
+		"",
+		nil,
+	)
+	if err != nil {
+		return err
+	}
+
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
+
+func (c FDOOwnerClient) GetDeviceSVI(guid string) (string, error) {
+	resp, err := c.doDigestAuthReq(
+		http.MethodGet,
+		"api/v1/device/svi?guid="+guid,
+		"",
+		nil,
+	)
+	if err != nil {
+		return "", err
+	}
+
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return "", errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	return string(body), nil
+}
+
+func (c FDOOwnerClient) DeleteDeviceSVI(id string) error {
+	resp, err := c.doDigestAuthReq(
+		http.MethodDelete,
+		"api/v1/device/svi?id="+id,
+		"",
+		nil,
+	)
+	if err != nil {
+		return err
+	}
+
+	io.Copy(io.Discard, resp.Body)
+	resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
--- a/Show More
+++ b/Show More