diff --git a/.cirrus.yml b/.cirrus.yml
deleted file mode 100644
index 79e9eeb..0000000
--- a/.cirrus.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-compute_engine_instance:
- image_project: cirrus-images
- image: family/docker-kvm
- platform: linux
- nested_virtualization: true
- # CPU limit: `16 / NTASK`: see https://cirrus-ci.org/faq/#are-there-any-limits
- cpu: 4
- # Memory limit: `4GB * NCPU`
- memory: 16G
-
-vagrant_task:
- name: "Vagrant"
- timeout_in: 30m
- env:
- DEBIAN_FRONTEND: noninteractive
- HOME: /root
- DOCKER_BUILDKIT: 1
- info_script:
- - uname -a
- - cat /proc/cpuinfo
- - docker info
- build_script:
- - make
- install_libvirt_vagrant_script:
- - apt-get update
- - apt-get install -y libvirt-daemon libvirt-daemon-system vagrant vagrant-libvirt
- - systemctl enable --now libvirtd
- vagrant_cache:
- fingerprint_script: uname -s ; cat Vagrantfile
- folder: /root/.vagrant.d
- vagrant_up_script:
- - vagrant up
- #
- # Enabling cgroup delegation seems to need rebooting since Fedora 34: https://github.com/rootless-containers/rootlesscontaine.rs/issues/32
- # We shouldn't need this reboot.
- vagrant_reboot_script:
- - vagrant halt
- - vagrant up
- #
- vagrant_ssh_config_script:
- - mkdir -p -m 0700 /root/.ssh
- - vagrant ssh-config >> /root/.ssh/config
- containerd_test_script:
- - ssh default /vagrant/hack/smoketest-binaries.sh --cri=containerd
- crio_test_script:
- - ssh default /vagrant/hack/smoketest-binaries.sh --cri=crio
diff --git a/.dockerignore b/.dockerignore
deleted file mode 120000
index 3e4e48b..0000000
--- a/.dockerignore
+++ /dev/null
@@ -1 +0,0 @@
-.gitignore
\ No newline at end of file
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..4dd9a78
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+/kubeconfig
+/join-command
diff --git a/.github/workflows/ghcr.yaml b/.github/workflows/ghcr.yaml
deleted file mode 100644
index ea5e663..0000000
--- a/.github/workflows/ghcr.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-# Adopted from https://github.com/docker/metadata-action/tree/v3.3.0#basic
-# (Apache License 2.0)
-name: GHCR
-
-on:
- push:
- branches:
- - 'master'
- tags:
- - 'v*'
- pull_request:
- branches:
- - 'master'
-
-jobs:
- ghcr:
- runs-on: ubuntu-20.04
- steps:
- - name: Checkout
- uses: actions/checkout@v2
- - name: Docker meta
- id: meta
- uses: docker/metadata-action@v3
- with:
- images: ghcr.io/${{ github.repository }}
- - name: Login to GHCR
- if: github.event_name != 'pull_request'
- uses: docker/login-action@v1
- with:
- registry: ghcr.io
- username: ${{ github.repository_owner }}
- password: ${{ secrets.GITHUB_TOKEN }}
- - name: Build and push
- uses: docker/build-push-action@v2
- with:
- context: .
- push: ${{ github.event_name != 'pull_request' }}
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index accbe28..dc23717 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -1,25 +1,60 @@
+---
name: Main
on: [push, pull_request]
env:
DOCKER_BUILDKIT: 1
+ KUBECONFIG: ./kubeconfig
jobs:
- docker:
- name: "Docker"
+ single-node:
+ name: "Single node"
runs-on: ubuntu-22.04
timeout-minutes: 40
steps:
- - name: "System info"
- run: sh -xec "uname -a; docker info; cat /proc/cpuinfo; df -h"
- uses: actions/checkout@v3
- - name: "Make"
- run: make image
- - name: "Clean up (To avoid `node.kubernetes.io/disk-pressure` taint)"
+ - name: Set up cgroup v2 delegation
run: |
- make clean
- docker builder prune -a -f
- - name: "Smoke test (containerd)"
- run: ./hack/smoketest-docker.sh u7s-test-containerd ghcr.io/rootless-containers/usernetes --cri=containerd
- - name: "Smoke test (CRI-O)"
- run: ./hack/smoketest-docker.sh u7s-test-crio ghcr.io/rootless-containers/usernetes --cri=crio
- - name: "Smoke test (multi-node cluster with Flannel)"
- run: ./hack/smoketest-docker-compose.sh
+ sudo mkdir -p /etc/systemd/system/user@.service.d
+ cat </u7s-flanneld-wrapper.sh
+#!/bin/sh
+# Usage: /u7s-flanneld-wrapper.sh /opt/bin/flanneld --ip-masq --kube-subnet-mgr ...
+# This script is expected to be mounted inside a "docker.io/flannel/flannel" container.
+set -eux
+"\$@" --public-ip="${U7S_HOST_IP}"
+EOF
+chmod +x /u7s-flanneld-wrapper.sh
+
+exec "$@"
diff --git a/Makefile b/Makefile
index bce108e..567be06 100644
--- a/Makefile
+++ b/Makefile
@@ -1,52 +1,94 @@
-# targets prefixed with underscore are not intended be invoked by human
+# Run `make help` to show usage
+.DEFAULT_GOAL := help
-.DEFAULT_GOAL := binaries
-IMAGE=ghcr.io/rootless-containers/usernetes
+HOSTNAME ?= $(shell hostname)
+# HOSTNAME is the name of the physical host
+export HOSTNAME := $(HOSTNAME)
-binaries: image _binaries
+HOST_IP ?= $(shell ip --json route get 1 | jq -r .[0].prefsrc)
+NODE_NAME ?= u7s-$(HOSTNAME)
+NODE_SUBNET ?= $(shell $(CURDIR)/Makefile.d/node_subnet.sh)
+# U7S_HOST_IP is the IP address of the physical host. Accessible from other hosts.
+export U7S_HOST_IP := $(HOST_IP)
+# U7S_NODE_NAME is the IP address of the Kubernetes node running in Rootless Docker.
+# Not accessible from other hosts.
+export U7S_NODE_NAME:= $(NODE_NAME)
+# U7S_NODE_NAME is the subnet of the Kubernetes node running in Rootless Docker.
+# Not accessible from other hosts.
+export U7S_NODE_SUBNET := $(NODE_SUBNET)
-_binaries:
- rm -rf bin
- $(eval cid := $(shell docker create $(IMAGE)))
- docker cp $(cid):/home/user/usernetes/bin ./bin
- docker rm $(cid)
+DOCKER ?= docker
+COMPOSE := $(DOCKER) compose
+NODE_SERVICE_NAME := $(shell $(COMPOSE) config --services | head -n1)
+NODE_SHELL := $(COMPOSE) exec \
+ -e U7S_HOST_IP=$(U7S_HOST_IP) \
+ -e U7S_NODE_NAME=$(U7S_NODE_NAME) \
+ -e U7S_NODE_SUBNET=$(U7S_NODE_SUBNET) \
+ $(NODE_SERVICE_NAME)
-image:
-ifeq ($(DOCKER_BUILDKIT),1)
- ./hack/translate-dockerfile-runopt-directive.sh < Dockerfile | docker build -t $(IMAGE) -f - $(DOCKER_BUILD_FLAGS) .
-else
- docker build -t $(IMAGE) $(DOCKER_BUILD_FLAGS) .
-endif
+.PHONY: help
+help:
+ @echo '# Bootstrap a cluster'
+ @echo 'make up'
+ @echo 'make kubeadm-init'
+ @echo 'make install-flannel'
+ @echo
+ @echo '# Enable kubectl'
+ @echo 'make kubeconfig'
+ @echo 'export KUBECONFIG=$$(pwd)/kubeconfig'
+ @echo 'kubectl get pods -A'
+ @echo
+ @echo '# Multi-host'
+ @echo 'make join-command'
+ @echo 'scp join-command another-host:~/usernetes'
+ @echo 'ssh another-host make -C ~/usernetes up kubeadm-join'
+ @echo
+ @echo '# Debug'
+ @echo 'make logs'
+ @echo 'make shell'
+ @echo 'make down-v'
+ @echo 'kubectl taint nodes --all node-role.kubernetes.io/control-plane-'
-test: image _test
+.PHONY: up
+up:
+ $(COMPOSE) up --build -d
-_test:
- ./hack/smoketest-docker.sh u7s-test-containerd $(IMAGE) --cri=containerd
- ./hack/smoketest-docker.sh u7s-test-crio $(IMAGE) --cri=crio
+.PHONY: down
+down:
+ $(COMPOSE) down
-up: image _up
+.PHONY: down-v
+down-v:
+ $(COMPOSE) down -v
-_up:
- docker-compose --project-name=usernetes up -d
- docker run --rm -v usernetes_tls-master:/a busybox timeout 60 sh -c "until test -f /a/done; do sleep 1; echo \"waiting for /a/done\"; done"
- mkdir -p $(HOME)/.config/usernetes
- docker run --rm -v usernetes_tls-master:/a busybox cat /a/admin-localhost.kubeconfig > $(HOME)/.config/usernetes/docker-compose.kubeconfig
- echo "To use kubectl: export KUBECONFIG=$(HOME)/.config/usernetes/docker-compose.kubeconfig"
+.PHONY: shell
+shell:
+ $(NODE_SHELL) bash
-down:
- docker-compose --project-name=usernetes down -v -t 0
- rm -f $(HOME)/.config/usernetes/docker-compose.kubeconfig
+.PHONY: logs
+logs:
+ $(NODE_SHELL) journalctl --follow --since="1 day ago"
+
+.PHONY: kubeconfig
+kubeconfig:
+ $(COMPOSE) cp $(NODE_SERVICE_NAME):/etc/kubernetes/admin.conf ./kubeconfig
+ @echo "# Run the following command by yourself:"
+ @echo "export KUBECONFIG=$(shell pwd)/kubeconfig"
-artifact: binaries _artifact
+.PHONY: join-command
+join-command:
+ $(NODE_SHELL) kubeadm token create --print-join-command >join-command
+ @echo "# Copy the 'join-command' file to another host, and run 'make kubeadm-join' on that host (not on this host)"
-_artifact:
- rm -rf _artifact _SHA256SUMS
- mkdir _artifact
- ( cd .. && tar --exclude=usernetes/.git --exclude=usernetes/_artifact -cjvf ./usernetes/_artifact/usernetes-x86_64.tbz usernetes )
- (cd _artifact ; sha256sum * > ../_SHA256SUMS; mv ../_SHA256SUMS ./SHA256SUMS)
- cat _artifact/SHA256SUMS
+.PHONY: kubeadm-init
+kubeadm-init:
+ $(NODE_SHELL) sh -euc "envsubst /tmp/kubeadm-config.yaml"
+ $(NODE_SHELL) kubeadm init --config /tmp/kubeadm-config.yaml
-clean:
- rm -rf _artifact bin
+.PHONY: kubeadm-join
+kubeadm-join:
+ $(NODE_SHELL) $(shell cat join-command)
-.PHONY: binaries _binaries image test _test up _up down artifact _artifact clean
+.PHONY: install-flannel
+install-flannel:
+ $(NODE_SHELL) kubectl apply -f /usernetes/manifests/kube-flannel.yml
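Review bot: The `join-command` target writes the output of `kubeadm token create --print-join-command`, which carries a bootstrap token, to `./join-command` under the caller's default umask, so on a shared host other local users can typically read it. The recipe could be `umask 077; $(NODE_SHELL) kubeadm token create --print-join-command >join-command`. `kubeadm-join` then splices that file unquoted into the recipe through `$(shell cat join-command)`, so its contents are interpreted by the shell on the joining host, not only inside the node container. A comment above that target would make the trust requirement explicit: `# join-command is executed verbatim; only use a file produced by 'make join-command' on a control-plane host you trust`. The `kubeconfig` target copies `admin.conf` to `./kubeconfig`, and whether `compose cp` keeps a restrictive mode is not visible here, so a following `chmod 600 ./kubeconfig` line is worth adding.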
diff --git a/Makefile.d/node_subnet.sh b/Makefile.d/node_subnet.sh
new file mode 100755
index 0000000..74bc9fa
--- /dev/null
+++ b/Makefile.d/node_subnet.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+set -eu -o pipefail
+: "${HOSTNAME:=$(hostname)}"
+NODE_SUBNET_ID=$((16#$(echo "${HOSTNAME}" | sha256sum | head -c2)))
+NODE_SUBNET=10.100.${NODE_SUBNET_ID}.0/24
+echo "${NODE_SUBNET}"
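Review bot: `NODE_SUBNET_ID` is taken from only the first two hex digits of the hostname's SHA-256, so there are just 256 possible `10.100.N.0/24` subnets and two hosts in one cluster can land on the same one; nothing in the script detects that. The Makefile assigns `NODE_SUBNET ?=`, so an override exists, but it is not documented in this file. I would add a header comment such as `# Derives 10.100.<N>.0/24 from a hash of HOSTNAME; N has only 256 values, so set NODE_SUBNET explicitly if two hosts collide or the range overlaps an existing network.`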
diff --git a/README.md b/README.md
index 7f3c932..e9bb48f 100644
--- a/README.md
+++ b/README.md
@@ -1,391 +1,69 @@
-# Usernetes: Kubernetes without the root privileges
+# Usernetes: Kubernetes without the root privileges (Generation 2)
-Usernetes aims to provide a reference distribution of Kubernetes that can be installed under a user's `$HOME` and does not require the root privileges.
-
-
-
-
-
-- [Included components](#included-components)
-- [Adoption](#adoption)
-- [How it works](#how-it-works)
-- [Restrictions](#restrictions)
-- [Requirements](#requirements)
- - [cgroup v2](#cgroup-v2)
- - [Enable cpu controller](#enable-cpu-controller)
-- [Quick start](#quick-start)
- - [Download](#download)
- - [Install](#install)
- - [Use `kubectl`](#use-kubectl)
- - [Uninstall](#uninstall)
-- [Run Usernetes in Docker](#run-usernetes-in-docker)
- - [Single node](#single-node)
- - [Multi node (Docker Compose)](#multi-node-docker-compose)
-- [Advanced guide](#advanced-guide)
- - [Expose netns ports to the host](#expose-netns-ports-to-the-host)
- - [Routing ping packets](#routing-ping-packets)
- - [IP addresses](#ip-addresses)
- - [Install Usernetes from source](#install-usernetes-from-source)
-- [License](#license)
-
-
-
-## Included components
-
-* Installer scripts
-* Rootless Containers infrastructure ([RootlessKit](https://github.com/rootless-containers/rootlesskit), [slirp4netns](https://github.com/rootless-containers/slirp4netns), and [fuse-overlayfs](https://github.com/containers/fuse-overlayfs))
-* Master components (`etcd`, `kube-apiserver`, ...)
-* Node components (`kubelet` and `kube-proxy`)
-* CRI runtimes
- * containerd (default)
- * CRI-O
-* OCI runtime
- * crun
-* Multi-node CNI
- * Flannel (VXLAN)
-* CoreDNS
-
-Installer scripts are in POC status.
-
-See [Adoption](#adoption) for Usernetes-based Kubernetes distributions.
+Usernetes (Gen2) deploys a Kubernetes cluster on [Rootless Docker hosts](https://rootlesscontaine.rs/getting-started/docker/).
> **Note**
>
-> [Usernetes no longer includes Docker (Moby) binaries since February 2020.](https://github.com/rootless-containers/usernetes/pull/126)
->
-> To install Rootless Docker, see https://get.docker.com/rootless .
+> Usernetes (Gen2) has *significantly* diverged from the original Usernetes (Gen1),
+> which did not rely on Rootless Docker hosts.
>
-> See also https://docs.docker.com/engine/security/rootless/ for the further information.
-
-## Adoption
-
-We encourage other Kubernetes distributions to adopt Usernetes.
-
-Currently, the following distributions adopt Usernetes:
-* [k3s](https://github.com/k3s-io/k3s/blob/master/k3s-rootless.service)
-* [Silverkube](https://github.com/podenv/silverkube)
+> See the [`gen1`](https://github.com/rootless-containers/usernetes/tree/gen1) branch for
+> the original Usernetes (Gen1).
-## How it works
+Usernetes (Gen2) is similar to [Rootless `kind`](https://kind.sigs.k8s.io/docs/user/rootless/) and [Rootless minikube](https://minikube.sigs.k8s.io/docs/drivers/docker/),
+but Usernetes (Gen 2) supports creating a cluster with multiple hosts.
-Usernetes executes Kubernetes and CRI runtimes without the root privileges by using unprivileged [`user_namespaces(7)`](http://man7.org/linux/man-pages/man7/user_namespaces.7.html), [`mount_namespaces(7)`](http://man7.org/linux/man-pages/man7/mount_namespaces.7.html), and [`network_namespaces(7)`](http://man7.org/linux/man-pages/man7/network_namespaces.7.html).
-
-To set up NAT across the host and the network namespace without the root privilege, Usernetes uses a usermode network stack ([slirp4netns](https://github.com/rootless-containers/slirp4netns)).
-
-No SETUID/SETCAP binary is needed, except [`newuidmap(1)`](http://man7.org/linux/man-pages/man1/newuidmap.1.html) and [`newgidmap(1)`](http://man7.org/linux/man-pages/man1/newgidmap.1.html), which are used for setting up [`user_namespaces(7)`](http://man7.org/linux/man-pages/man7/user_namespaces.7.html) with multiple sub-UIDs and sub-GIDs.
-
-## Restrictions
-
-* Usermode networking called [slirp4netns](https://github.com/rootless-containers/slirp4netns) is used instead of kernel-mode [vEth](http://man7.org/linux/man-pages/man4/veth.4.html) pairs.
-* [fuse-overlayfs](https://github.com/containers/fuse-overlayfs) is used instead of kernel-mode overlayfs.
-* Node ports are network-namespaced
-* Apparmor is unsupported
+## Components
+- Cluster configuration: kubeadm
+- CRI: containerd
+- OCI: runc
+- CNI: Flannel
## Requirements
-Recommended host distributions are Ubuntu 22.04 and Fedora 38.
-
-The following requirements have to be satisfied:
-
-* Kernel >= 4.18.
-
-* cgroup v2.
-
-* Recent version of systemd. Known to work with systemd >= 242.
-
-* `mount.fuse3` binary. Provided by `fuse3` package on most distros.
-
-* `iptables` binary. Provided by `iptables` package on most distros.
-
-* `conntrack` binary. Provided by `conntrack` package on most distros.
-
-* `newuidmap` and `newgidmap` binaries. Provided by `uidmap` package on most distros.
+- [Rootless Docker](https://rootlesscontaine.rs/getting-started/docker/)
-* `/etc/subuid` and `/etc/subgid` should contain more than 65536 sub-IDs. e.g. `exampleuser:231072:65536`. These files are automatically configured on most distros.
+- cgroup v2 delegation:
+```bash
+sudo mkdir -p /etc/systemd/system/user@.service.d
-```console
-$ id -u
-1001
-$ whoami
-exampleuser
-$ grep "^$(whoami):" /etc/subuid
-exampleuser:231072:65536
-$ grep "^$(whoami):" /etc/subgid
-exampleuser:231072:65536
-```
-
-* The following kernel modules to be loaded:
-```
-fuse
-tun
-tap
-bridge
-br_netfilter
-veth
-ip_tables
-ip6_tables
-iptable_nat
-ip6table_nat
-iptable_filter
-ip6table_filter
-nf_tables
-x_tables
-xt_MASQUERADE
-xt_addrtype
-xt_comment
-xt_conntrack
-xt_mark
-xt_multiport
-xt_nat
-xt_tcpudp
-```
-
-### cgroup v2
-
-The host needs to be running with cgroup v2.
-
-If `/sys/fs/cgroup/cgroup.controllers` is present on your system, you are using v2, otherwise you are using v1.
-
-To enable cgroup v2, add `systemd.unified_cgroup_hierarchy=1` to the `GRUB_CMDLINE_LINUX` line in `/etc/default/grub` and run `sudo update-grub`.
-
-If `grubby` command is available on your system, this step can be also accomplished with `sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=1"`.
-
-
-#### Enable cpu controller
-Typically, only `memory` and `pids` controllers are delegated to non-root users by default.
-```console
-$ cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.subtree_control
-memory pids
-```
-
-
-To allow delegation of all controllers, you need to change the systemd configuration as follows:
-
-```console
-# mkdir -p /etc/systemd/system/user@.service.d
-# cat > /etc/systemd/system/user@.service.d/delegate.conf << EOF
+cat < 3m42s v1.14-usernetes 10.0.101.100 Ubuntu 18.04.1 LTS 4.15.0-43-generic docker://Unknown
-b2204f192e5c Ready 3m42s v1.14-usernetes 10.0.102.100 Ubuntu 18.04.1 LTS 4.15.0-43-generic cri-o://1.14.0-dev
-ba0133c68378 Ready 3m42s v1.14-usernetes 10.0.103.100 Ubuntu 18.04.1 LTS 4.15.0-43-generic containerd://1.2.0-168-gb3807c5d
-$ kubectl run --replicas=3 --image=nginx:alpine nginx
-$ kubectl get pods -o wide
-NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
-nginx-6b4b85b77b-7hqrk 1/1 Running 0 3s 10.5.13.3 b2204f192e5c
-nginx-6b4b85b77b-8rknj 1/1 Running 0 3s 10.5.79.3 967e81e90e1f
-nginx-6b4b85b77b-r466s 1/1 Running 0 3s 10.5.7.3 ba0133c68378
-$ kubectl exec -it nginx-6b4b85b77b-7hqrk -- wget -O - http://10.5.79.3
-Connecting to 10.5.79.3 (10.5.79.3:80)
-
-
-
-Welcome to nginx!
-...
-$ kubectl exec -it nginx-6b4b85b77b-7hqrk -- wget -O - http://10.5.7.3
-Connecting to 10.5.7.3 (10.5.7.3:80)
-
-
-
-Welcome to nginx!
-...
-```
-
-## Advanced guide
-
-### Expose netns ports to the host
-
-As Usernetes runs in a network namespace (with [slirp4netns](https://github.com/rootless-containers/slirp4netns)),
-you can't expose container ports to the host by just running `kubectl expose --type=NodePort`.
-
-In addition, you need to expose Usernetes netns ports to the host:
-
-```console
-$ ./rootlessctl.sh add-ports 0.0.0.0:30080:30080/tcp
-```
-
-You can also manually expose Usernetes netns ports manually with `socat`:
-
-```console
-$ pid=$(cat $XDG_RUNTIME_DIR/usernetes/rootlesskit/child_pid)
-$ socat -t -- TCP-LISTEN:30080,reuseaddr,fork EXEC:"nsenter -U -n -t $pid socat -t -- STDIN TCP4\:127.0.0.1\:30080"
+- Kernel modules:
```
-
-### Routing ping packets
-
-To route ping packets, you may need to set up `net.ipv4.ping_group_range` properly as the root.
-
-```console
-$ sudo sh -c "echo 0 2147483647 > /proc/sys/net/ipv4/ping_group_range"
+sudo modprobe vxlan
```
-### IP addresses
-
-* 10.0.0.0/24: The CIDR for the Kubernetes ClusterIP services
- * 10.0.0.1: The kube-apiserver ClusterIP
- * 10.0.0.53: The CoreDNS ClusterIP
-
-* 10.0.42.0/24: The default CIDR for the RootlessKit network namespace. Can be overridden with `install.sh --cidr=`.
- * 10.0.42.2: The slirp4netns gateway
- * 10.0.42.3: The slirp4netns DNS
- * 10.0.42.100: The slirp4netns TAP device
+Using Ubuntu 22.04 hosts is recommended.
-* 10.0.100.0/24: The CIDR used instead of 10.0.42.0/24 in Docker Compose master
-* 10.0.101.0/24: The CIDR used instead of 10.0.42.0/24 in Docker Compose containerd node
-* 10.0.102.0/24: The CIDR used instead of 10.0.42.0/24 in Docker Compose CRI-O node
+## Usage
+See `make help`.
-* 10.5.0.0/16: The CIDR for Flannel
+```bash
+# Bootstrap a cluster
+make up
+make kubeadm-init
+make install-flannel
-* 10.88.0.0/16: The CIDR for single-node CNI
+# Enable kubectl
+make kubeconfig
+export KUBECONFIG=$(pwd)/kubeconfig
+kubectl get pods -A
-### Install Usernetes from source
+# Multi-host
+make join-command
+scp join-command another-host:~/usernetes
+ssh another-host make -C ~/usernetes up kubeadm-join
-Docker 17.05+ is required for building Usernetes from the source.
-Docker 18.09+ with `DOCKER_BUILDKIT=1` is recommended.
-
-```console
-$ make
+# Debug
+make logs
+make shell
+make down-v
+kubectl taint nodes --all node-role.kubernetes.io/control-plane-
```
-
-Binaries are generated under `./bin` directory.
-
-## License
-
-Usernetes is licensed under the terms of [Apache License Version 2.0](LICENSE).
-
-The binary releases of Usernetes contain files that are licensed under the terms of different licenses:
-
-* `bin/crun`: [GNU GENERAL PUBLIC LICENSE Version 2](docs/binary-release-license/LICENSE-crun), see https://github.com/containers/crun
-* `bin/fuse-overlayfs`: [GNU GENERAL PUBLIC LICENSE Version 2](docs/binary-release-license/LICENSE-fuse-overlayfs), see https://github.com/containers/fuse-overlayfs
-* `bin/slirp4netns`: [GNU GENERAL PUBLIC LICENSE Version 2](docs/binary-release-license/LICENSE-slirp4netns), see https://github.com/rootless-containers/slirp4netns
-* `bin/{cfssl,cfssljson}`: [2-Clause BSD License](docs/binary-release-license/LICENSE-cfssl), see https://github.com/cloudflare/cfssl
diff --git a/Vagrantfile b/Vagrantfile
deleted file mode 100644
index fb3ca4b..0000000
--- a/Vagrantfile
+++ /dev/null
@@ -1,34 +0,0 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-Vagrant.configure("2") do |config|
- config.vm.box = "fedora/37-cloud-base"
- memory = 4096
- cpus = 2
- config.vm.provider :virtualbox do |v|
- v.memory = memory
- v.cpus = cpus
- end
- config.vm.provider :libvirt do |v|
- v.memory = memory
- v.cpus = cpus
- end
- config.vm.provision "shell", inline: <<-SHELL
- set -eux -o pipefail
- dnf install -q -y conntrack findutils fuse3 git iproute iptables hostname procps-ng time which jq
-
- # Delegate cgroup v2 controllers
- mkdir -p /etc/systemd/system/user@.service.d
- cp -f /vagrant/hack/etc_systemd_system_user@.service.d_delegate.conf /etc/systemd/system/user@.service.d/delegate.conf
- systemctl daemon-reload
-
- # Load kernel modules
- cp -f /vagrant/config/modules-load.d/usernetes.conf /etc/modules-load.d/usernetes.conf
- systemctl restart systemd-modules-load.service
-
- # dmesg_restrict=1 is set for testing issue 204.
- # This sysctl is NOT a requirement ro run Usernetes.
- echo "kernel.dmesg_restrict=1" > /etc/sysctl.d/99-usernetes.conf
- sysctl --system
- SHELL
-end
diff --git a/boot/containerd-fuse-overlayfs-grpc.sh b/boot/containerd-fuse-overlayfs-grpc.sh
deleted file mode 100755
index 38039c8..0000000
--- a/boot/containerd-fuse-overlayfs-grpc.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-export U7S_BASE_DIR=$(realpath $(dirname $0)/..)
-source $U7S_BASE_DIR/common/common.inc.sh
-nsenter::main $0 $@
-
-mkdir -p $XDG_RUNTIME_DIR/usernetes/containerd $XDG_DATA_HOME/usernetes/containerd
-
-exec containerd-fuse-overlayfs-grpc \
- $@ \
- $XDG_RUNTIME_DIR/usernetes/containerd/fuse-overlayfs.sock \
- $XDG_DATA_HOME/usernetes/containerd/io.containerd.snapshotter.v1.fuse-overlayfs
diff --git a/boot/containerd.sh b/boot/containerd.sh
deleted file mode 100755
index bc06aaa..0000000
--- a/boot/containerd.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/bash
-# needs to be called inside the namespaces
-export U7S_BASE_DIR=$(realpath $(dirname $0)/..)
-source $U7S_BASE_DIR/common/common.inc.sh
-
-mkdir -p $XDG_RUNTIME_DIR/usernetes
-cat >$XDG_RUNTIME_DIR/usernetes/containerd.toml <$XDG_CONFIG_HOME/usernetes/containers/policy.json <$XDG_CONFIG_HOME/usernetes/containers/registries.conf <$XDG_CONFIG_HOME/usernetes/crio/crio.conf <$XDG_RUNTIME_DIR/usernetes/kube-proxy-config.yaml <$XDG_RUNTIME_DIR/usernetes/kubelet-config.yaml </dev/null ; then
- : ${U7S_PARENT_IP=$(hostname -I | sed -e 's/ .*//g')}
- else
- : ${U7S_PARENT_IP=$(hostname -i | sed -e 's/ .*//g')}
- fi
- export _U7S_CHILD U7S_PARENT_IP
-
- # Re-exec the script via RootlessKit, so as to create unprivileged {user,mount,network} namespaces.
- #
- # --net specifies the network stack. slirp4netns and VPNKit are supported.
- # Currently, slirp4netns is the fastest.
- # See https://github.com/rootless-containers/rootlesskit for the benchmark result.
- #
- # --copy-up allows removing/creating files in the directories by creating tmpfs and symlinks
- # * /etc: copy-up is required so as to prevent `/etc/resolv.conf` in the
- # namespace from being unexpectedly unmounted when `/etc/resolv.conf` is recreated on the host
- # (by either systemd-networkd or NetworkManager)
- # * /run: copy-up is required so that we can create /run/* in our namespace
- # * /var/lib: copy-up is required for several Kube stuff
- # * /opt: copy-up is required for mounting /opt/cni/bin
- rootlesskit \
- --state-dir $rk_state_dir \
- --net=slirp4netns --mtu=65520 --disable-host-loopback --slirp4netns-sandbox=true --slirp4netns-seccomp=true \
- --port-driver=builtin \
- --copy-up=/etc --copy-up=/run --copy-up=/var/lib --copy-up=/opt \
- --cgroupns \
- --pidns \
- --ipcns \
- --utsns \
- --propagation=rslave \
- --evacuate-cgroup2="rootlesskit_evac" \
- $U7S_ROOTLESSKIT_FLAGS \
- $0 $@
-else
- # save IP address
- echo $U7S_PARENT_IP >$XDG_RUNTIME_DIR/usernetes/parent_ip
-
- # Remove symlinks so that the child won't be confused by the parent configuration
- rm -f \
- /run/xtables.lock /run/flannel /run/netns \
- /run/runc /run/crun \
- /run/containerd /run/containers /run/crio \
- /etc/cni \
- /etc/containerd /etc/containers /etc/crio \
- /etc/kubernetes
-
- # Copy CNI config to /etc/cni/net.d (Likely to be hardcoded in CNI installers)
- mkdir -p /etc/cni/net.d
- cp -f $U7S_BASE_DIR/config/cni_net.d/* /etc/cni/net.d
- if [[ $U7S_FLANNEL == 1 ]]; then
- cp -f $U7S_BASE_DIR/config/flannel/cni_net.d/* /etc/cni/net.d
- mkdir -p /run/flannel
- fi
- # Bind-mount /opt/cni/net.d (Likely to be hardcoded in CNI installers)
- mkdir -p /opt/cni/bin
- mount --bind $U7S_BASE_DIR/bin/cni /opt/cni/bin
-
- # These bind-mounts are needed at the moment because the paths are hard-coded in Kube and CRI-O.
- binds=(/var/lib/kubelet /var/lib/cni /var/log /var/lib/containers /var/cache)
- for f in ${binds[@]}; do
- src=$XDG_DATA_HOME/usernetes/$(echo $f | sed -e s@/@_@g)
- if [[ -L $f ]]; then
- # Remove link created by `rootlesskit --copy-up` if any
- rm -rf $f
- fi
- mkdir -p $src $f
- mount --bind $src $f
- done
-
- rk_pid=$(cat $rk_state_dir/child_pid)
- # workaround for https://github.com/rootless-containers/rootlesskit/issues/37
- # child_pid might be created before the child is ready
- echo $rk_pid >$rk_state_dir/_child_pid.u7s-ready
- log::info "RootlessKit ready, PID=${rk_pid}, state directory=$rk_state_dir ."
- log::info "Hint: You can enter RootlessKit namespaces by running \`nsenter -U --preserve-credential -n -m -t ${rk_pid}\`."
- if [[ -n $U7S_ROOTLESSKIT_PORTS ]]; then
- rootlessctl --socket $rk_state_dir/api.sock add-ports $U7S_ROOTLESSKIT_PORTS
- fi
- rc=0
- if [[ $# -eq 0 ]]; then
- sleep infinity || rc=$?
- else
- $@ || rc=$?
- fi
- log::info "RootlessKit exiting (status=$rc)"
- exit $rc
-fi
diff --git a/common/cfssl.sh b/common/cfssl.sh
deleted file mode 100755
index 3e5328d..0000000
--- a/common/cfssl.sh
+++ /dev/null
@@ -1,218 +0,0 @@
-#!/bin/bash
-# CFSSL tool (called only via install.sh)
-#
-# ref: https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/1.15.3/docs/04-certificate-authority.md
-export U7S_BASE_DIR=$(realpath $(dirname $0)/..)
-source $U7S_BASE_DIR/common/common.inc.sh
-
-# global vars
-arg0="$0"
-loglevel="2"
-cc="$U7S_BASE_DIR/config/cfssl"
-
-# opts
-dir=""
-master=""
-nodes=()
-
-# text for --help
-usage() {
- echo "Usage: ${arg0} --dir=DIR --master MASTER --node NODE0HOSTNAME,NODE0IP --node NODE1HOSTNAME,NODE1IP"
- echo "DO NOT EXECUTE THIS TOOL MANUALLY"
-}
-
-# parse CLI args
-if ! args="$(getopt -o h --long help,dir:,master:,node: -n "$arg0" -- "$@")"; then
- usage
- exit 1
-fi
-eval set -- "$args"
-while true; do
- case "$1" in
- -h | --help)
- usage
- exit 0
- ;;
- --dir)
- dir="$2"
- shift 2
- ;;
- --master)
- master="$2"
- shift 2
- ;;
- --node)
- nodes=(${nodes[@]} "$2")
- shift 2
- ;;
- --)
- shift
- break
- ;;
- *)
- break
- ;;
- esac
-done
-
-if [ -z "$dir" ]; then
- log::error "No dir was specified"
- exit 1
-fi
-mkdir -p $dir
-master_d="${dir}/master"
-mkdir -p ${master_d}
-
-if [ -z "$master" ]; then
- log::error "No masterwas specified"
- exit 1
-fi
-
-# Certificate Authority
-if [[ -f "${master_d}/ca.pem" ]]; then
- log::info "Already exists: ${master_d}/ca.pem"
-else
- log::info "Creating ${master_d}/{ca.pem,ca-key.pem}"
- cfssl gencert -loglevel="$loglevel" -initca "$cc/ca-csr.json" | cfssljson -bare "${master_d}/ca"
-fi
-
-cfssl_gencert_master() {
- name="$1"
- if [[ -f "${master_d}/${name}.pem" ]]; then
- log::info "Already exists: ${master_d}/${name}.pem"
- else
- log::info "Creating ${master_d}/{${name}.pem,${name}-key.pem}"
- cfssl gencert -loglevel="$loglevel" \
- -ca="${master_d}/ca.pem" \
- -ca-key="${master_d}/ca-key.pem" \
- -config="$cc/ca-config.json" \
- -profile=kubernetes \
- "$cc/${name}-csr.json" | cfssljson -bare "${master_d}/${name}"
- fi
-}
-
-create_kubeconfig() {
- kubeconfig="$1"
- user="$2"
- server="$3"
- ca="$4"
- clientcert="$5"
- clientkey="$6"
- log::info "Creating $kubeconfig"
- echo >$kubeconfig
- kubectl config set-cluster kubernetes-the-hard-way \
- --certificate-authority=$ca \
- --embed-certs=true \
- --server=$server \
- --kubeconfig=$kubeconfig
- kubectl config set-credentials $user \
- --client-certificate=$clientcert \
- --client-key=$clientkey \
- --embed-certs=true \
- --kubeconfig=$kubeconfig
- kubectl config set-context default \
- --cluster=kubernetes-the-hard-way \
- --user=$user \
- --kubeconfig=$kubeconfig
- kubectl config use-context default --kubeconfig=$kubeconfig
-}
-
-# The Admin Client Certificate
-cfssl_gencert_master "admin"
-create_kubeconfig ${master_d}/admin-localhost.kubeconfig admin https://127.0.0.1:6443 ${master_d}/ca.pem ${master_d}/admin.pem ${master_d}/admin-key.pem
-create_kubeconfig ${master_d}/admin-${master}.kubeconfig admin https://${master}:6443 ${master_d}/ca.pem ${master_d}/admin.pem ${master_d}/admin-key.pem
-
-# The Controller Manager Client Certificate
-cfssl_gencert_master "kube-controller-manager"
-create_kubeconfig ${master_d}/kube-controller-manager.kubeconfig system:kube-controller-manager https://127.0.0.1:6443 ${master_d}/ca.pem ${master_d}/kube-controller-manager.pem ${master_d}/kube-controller-manager-key.pem
-
-# The Kube Proxy Client Certificate
-cfssl_gencert_master "kube-proxy"
-create_kubeconfig ${master_d}/kube-proxy.kubeconfig system:kube-proxy https://${master}:6443 ${master_d}/ca.pem ${master_d}/kube-proxy.pem ${master_d}/kube-proxy-key.pem
-
-# The Scheduler Client Certificate
-cfssl_gencert_master "kube-scheduler"
-create_kubeconfig ${master_d}/kube-scheduler.kubeconfig system:kube-scheduler https://127.0.0.1:6443 ${master_d}/ca.pem ${master_d}/kube-scheduler.pem ${master_d}/kube-scheduler-key.pem
-
-# The Kubernetes API Server Certificate
-if [[ -f "${master_d}/kubernetes.pem" ]]; then
- log::info "Already exists: ${master_d}/kubernetes.pem"
-else
- log::info "Creating ${master_d}/{kubernetes.pem,kubernetes-key.pem}"
- k_hostnames="kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local"
- if hostname -I &>/dev/null ; then
- ip_addrs=$(hostname -I | sed -e 's/ /,/g' -e 's/,$//g')
- else
- ip_addrs=$(hostname -i | sed -e 's/ /,/g' -e 's/,$//g')
- fi
- k_cluster_ip="10.0.0.1"
- cfssl gencert -loglevel="$loglevel" \
- -ca="${master_d}/ca.pem" \
- -ca-key="${master_d}/ca-key.pem" \
- -config="$cc/ca-config.json" \
- -hostname=${master},$(hostname),${ip_addrs},localhost,127.0.0.1,${k_hostnames},${k_cluster_ip} \
- -profile=kubernetes \
- "$cc/kubernetes-csr.json" | cfssljson -bare "${master_d}/kubernetes"
-fi
-
-# The Service Account Key Pair
-cfssl_gencert_master "service-account"
-
-# Nodes
-for n in "${nodes[@]}"; do
- nodename=$(echo $n | sed -e 's/,.*//g')
- node_d="${dir}/nodes.${nodename}"
- mkdir -p "${node_d}"
- if [[ -f "${node_d}/master" ]]; then
- log::info "Already exists: ${node_d}/master"
- else
- log::info "Writing $master to ${node_d}/master"
- echo $master >${node_d}/master
- fi
- # The Kubelet Client Certificates
- if [[ -f "${node_d}/ca.pem" ]]; then
- log::info "Already exists: ${node_d}/ca.pem"
- else
- log::info "Copying ${master_d}/ca.pem to ${node_d}/ca.pem"
- cp -f ${master_d}/ca.pem ${node_d}/ca.pem
- fi
- if [[ -f "${node_d}/node.pem" ]]; then
- log::info "Already exists: ${node_d}/node.pem"
- else
- log::info "Creating ${node_d}/{node.pem,node-key.pem}"
- cat >${node_d}/node-csr.json </dev/null || rc=$?
- if [[ rc -eq 0 ]]; then
- return 0
- fi
- echo -n .
- sleep 1
- done
- log::error "nsenter failed after ${max_trial} attempts, RootlessKit not running?"
- return 1
-}
-
-function nsenter::_nsenter() {
- local pidfile=$XDG_RUNTIME_DIR/usernetes/rootlesskit/child_pid
- if ! [[ -f $pidfile ]]; then
- return 1
- fi
- # workaround for https://github.com/rootless-containers/rootlesskit/issues/37
- # see the corresponding code in boot/rootlesskit.sh
- local pidreadyfile=$XDG_RUNTIME_DIR/usernetes/rootlesskit/_child_pid.u7s-ready
- if ! [[ -f $pidreadyfile ]]; then
- return 1
- fi
- if ! [[ $(cat $pidfile) -eq $(cat $pidreadyfile) ]]; then
- return 1
- fi
- export ROOTLESSKIT_STATE_DIR=$XDG_RUNTIME_DIR/usernetes/rootlesskit
- # TODO(AkihiroSuda): ping to $XDG_RUNTIME_DIR/usernetes/rootlesskit/api.sock
- nsenter --user --preserve-credential --mount --net --cgroup --pid --ipc --uts -t $(cat $pidfile) --wd=$PWD -- $@
-}
-
-# entrypoint begins
-if debug::enabled; then
- log::warning "Running in debug mode (\$U7S_DEBUG)"
- set -x
-fi
-
-# verify necessary environment variables
-if ! [[ -w $XDG_RUNTIME_DIR ]]; then
- log::error "XDG_RUNTIME_DIR needs to be set and writable"
- return 1
-fi
-if ! [[ -w $HOME ]]; then
- log::error "HOME needs to be set and writable"
- return 1
-fi
-
-: ${U7S_BASE_DIR=}
-if [[ -z $U7S_BASE_DIR ]]; then
- log::error "Usernetes base directory (\$U7S_BASE_DIR) not set"
- return 1
-fi
-log::debug "Usernetes base directory (\$U7S_BASE_DIR) = $U7S_BASE_DIR"
-if ! [[ -d $U7S_BASE_DIR ]]; then
- log::error "Usernetes base directory ($U7S_BASE_DIR) not found"
- return 1
-fi
-
-# export PATH
-PATH=$U7S_BASE_DIR/bin:/sbin:/usr/sbin:$PATH
-export PATH
-
-# export XDG_{DATA,CONFIG,CACHE}_HOME
-: ${XDG_DATA_HOME=$HOME/.local/share}
-: ${XDG_CONFIG_HOME=$HOME/.config}
-: ${XDG_CACHE_HOME=$HOME/.cache}
-export XDG_DATA_HOME XDG_CONFIG_HOME XDG_CACHE_HOME
diff --git a/config/cfssl/README.md b/config/cfssl/README.md
deleted file mode 100644
index ad8ccbc..0000000
--- a/config/cfssl/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# cfssl configs
-
-From https://github.com/kelseyhightower/kubernetes-the-hard-way/tree/1.15.3
diff --git a/config/cfssl/admin-csr.json b/config/cfssl/admin-csr.json
deleted file mode 100644
index 960ce1d..0000000
--- a/config/cfssl/admin-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "admin",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "system:masters",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/config/cfssl/ca-config.json b/config/cfssl/ca-config.json
deleted file mode 100644
index a63e0dd..0000000
--- a/config/cfssl/ca-config.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "signing": {
- "default": {
- "expiry": "8760h"
- },
- "profiles": {
- "kubernetes": {
- "usages": ["signing", "key encipherment", "server auth", "client auth"],
- "expiry": "8760h"
- }
- }
- }
-}
diff --git a/config/cfssl/ca-csr.json b/config/cfssl/ca-csr.json
deleted file mode 100644
index 8145e50..0000000
--- a/config/cfssl/ca-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "Kubernetes",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "Kubernetes",
- "OU": "CA",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/config/cfssl/kube-controller-manager-csr.json b/config/cfssl/kube-controller-manager-csr.json
deleted file mode 100644
index a7e8536..0000000
--- a/config/cfssl/kube-controller-manager-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "system:kube-controller-manager",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "system:kube-controller-manager",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/config/cfssl/kube-proxy-csr.json b/config/cfssl/kube-proxy-csr.json
deleted file mode 100644
index 5f33aee..0000000
--- a/config/cfssl/kube-proxy-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "system:kube-proxy",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "system:node-proxier",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/config/cfssl/kube-scheduler-csr.json b/config/cfssl/kube-scheduler-csr.json
deleted file mode 100644
index a3129c9..0000000
--- a/config/cfssl/kube-scheduler-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "system:kube-scheduler",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "system:kube-scheduler",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/config/cfssl/kubernetes-csr.json b/config/cfssl/kubernetes-csr.json
deleted file mode 100644
index 778db63..0000000
--- a/config/cfssl/kubernetes-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "kubernetes",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "Kubernetes",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/config/cfssl/service-account-csr.json b/config/cfssl/service-account-csr.json
deleted file mode 100644
index be3c0ca..0000000
--- a/config/cfssl/service-account-csr.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "CN": "service-accounts",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "Portland",
- "O": "Kubernetes",
- "OU": "Kubernetes The Hard Way",
- "ST": "Oregon"
- }
- ]
-}
diff --git a/config/cni_net.d/50-bridge.conf b/config/cni_net.d/50-bridge.conf
deleted file mode 100644
index 8a7edca..0000000
--- a/config/cni_net.d/50-bridge.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "cniVersion": "0.3.0",
- "name": "u7s-bridge",
- "type": "bridge",
- "bridge": "cni0",
- "isGateway": true,
- "ipMasq": true,
- "ipam": {
- "type": "host-local",
- "subnet": "10.88.0.0/16",
- "routes": [
- { "dst": "0.0.0.0/0" }
- ]
- }
-}
diff --git a/config/cni_net.d/99-loopback.conf b/config/cni_net.d/99-loopback.conf
deleted file mode 100644
index c4cd168..0000000
--- a/config/cni_net.d/99-loopback.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "cniVersion": "0.3.0",
- "type": "loopback"
-}
diff --git a/config/flannel/cni_net.d/10-flannel.conflist b/config/flannel/cni_net.d/10-flannel.conflist
deleted file mode 100644
index cc2f213..0000000
--- a/config/flannel/cni_net.d/10-flannel.conflist
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "cniVersion": "0.4.0",
- "name": "cbr0",
- "plugins": [
- {
- "type": "flannel",
- "delegate": {
- "hairpinMode": true,
- "isDefaultGateway": true
- }
- },
- {
- "type": "portmap",
- "capabilities": {
- "portMappings": true
- }
- }
- ]
-}
diff --git a/config/flannel/etcd/coreos.com_network_config b/config/flannel/etcd/coreos.com_network_config
deleted file mode 100644
index 07c8375..0000000
--- a/config/flannel/etcd/coreos.com_network_config
+++ /dev/null
@@ -1 +0,0 @@
-{"Network": "10.5.0.0/16", "Backend": {"Type": "vxlan"}}
diff --git a/config/modules-load.d/usernetes.conf b/config/modules-load.d/usernetes.conf
deleted file mode 100644
index 4313927..0000000
--- a/config/modules-load.d/usernetes.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-fuse
-tun
-tap
-bridge
-br_netfilter
-veth
-ip_tables
-ip6_tables
-iptable_nat
-ip6table_nat
-iptable_filter
-ip6table_filter
-nf_tables
-x_tables
-xt_MASQUERADE
-xt_addrtype
-xt_comment
-xt_conntrack
-xt_mark
-xt_multiport
-xt_nat
-xt_tcpudp
diff --git a/docker-compose.yml b/docker-compose.yml
index 27e2f2c..9e17676 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,97 +1,45 @@
-version: "3"
-
+# Use `make up`, not `docker compose up`,
+# as this YAML requires ${U7S_...} variables to be set.
+---
services:
- init-certs:
- image: ghcr.io/rootless-containers/usernetes
- entrypoint: /docker-entrypoint.sh
- command:
- - unsudo
- - /home/user/usernetes/common/cfssl.sh
- - --dir=/home/user/.config/usernetes
- - --master=master
- - --node=node-crio
- - --node=node-containerd
- privileged: true
- tty: true
- hostname: master
- volumes:
- - tls-master:/home/user/.config/usernetes/master
- - tls-node-crio:/home/user/.config/usernetes/nodes.node-crio
- - tls-node-containerd:/home/user/.config/usernetes/nodes.node-containerd
- master:
- image: ghcr.io/rootless-containers/usernetes
- command:
- - --wait-init-certs
- - --start=u7s-master-with-etcd.target
- - --cidr=10.0.100.0/24
-# 2379/tcp: etcd, 6443/tcp: kube-apiserver
- - --publish=0.0.0.0:2379:2379/tcp
- - --publish=0.0.0.0:6443:6443/tcp
- - --cni=flannel
- - --cri=
+ node:
+ build: .
+ hostname: ${U7S_NODE_NAME}
privileged: true
+ restart: on-failure
tty: true
ports:
- - 127.0.0.1:6443:6443
- hostname: master
- networks:
- - usernetes
- volumes:
- - tls-master:/home/user/.config/usernetes/master
- node-crio:
- image: ghcr.io/rootless-containers/usernetes
- command:
- - --wait-init-certs
- - --start=u7s-node.target
- - --cidr=10.0.101.0/24
-# 10250/tcp: kubelet, 8472/udp: flannel
- - --publish=0.0.0.0:10250:10250/tcp
- - --publish=0.0.0.0:8472:8472/udp
- - --cni=flannel
- - --cri=crio
- privileged: true
- tty: true
- networks:
- - usernetes
- hostname: node-crio
- volumes:
- - tls-node-crio:/home/user/.config/usernetes/node
-# FIXME: flanneld should not require tls-master
-# (currently required because master and flanneld share the same etcd cluster)
- - tls-master:/home/user/.config/usernetes/master
- node-containerd:
- image: ghcr.io/rootless-containers/usernetes
- command:
- - --wait-init-certs
- - --start=u7s-node.target
- - --cidr=10.0.102.0/24
- - --publish=0.0.0.0:10250:10250/tcp
- - --publish=0.0.0.0:8472:8472/udp
- - --cni=flannel
- - --cri=containerd
- privileged: true
- tty: true
- networks:
- - usernetes
- hostname: node-containerd
+ # etcd
+ - 2379:2379
+ # kube-apiserver
+ - 6443:6443
+ # kubelet
+ - 10250:10250
+ # flannel
+ - 8472:8472/udp
volumes:
- - tls-node-containerd:/home/user/.config/usernetes/node
- - tls-master:/home/user/.config/usernetes/master
+ - .:/usernetes:ro
+ - /boot:/boot:ro
+ - /lib/modules:/lib/modules:ro
+ - node-var:/var
+ - node-opt:/opt
+ - node-etc:/etc
+ - type: tmpfs
+ target: /run
+ - type: tmpfs
+ target: /tmp
+ working_dir: /usernetes
+ environment:
+ KUBECONFIG: /etc/kubernetes/admin.conf
+ U7S_HOST_IP: ${U7S_HOST_IP}
networks:
- usernetes:
+ default:
+ ipam:
+ config:
+ # Each of the nodes has to have a different IP.
+ # The node IP here is not accessible from other nodes.
+ - subnet: ${U7S_NODE_SUBNET}
volumes:
- tls-master:
- driver_opts:
- type: tmpfs
- device: tmpfs
- o: "uid=1000"
- tls-node-crio:
- driver_opts:
- type: tmpfs
- device: tmpfs
- o: "uid=1000"
- tls-node-containerd:
- driver_opts:
- type: tmpfs
- device: tmpfs
- o: "uid=1000"
+ node-var: {}
+ node-opt: {}
+ node-etc: {}
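Review bot: The four `ports` entries of the new `node` service give no host address, so Compose publishes etcd (2379), kube-apiserver (6443), kubelet (10250) and flannel (8472/udp) on every host interface, whereas the removed file bound the published apiserver port to `127.0.0.1`. The service is also `privileged: true`, so a weakness in any of these listeners affects a privileged container, and whether etcd and the kubelet require client certificates is not visible in this hunk. Assuming `U7S_HOST_IP` is the host's cluster-facing address, I would pin each mapping to it, e.g. `- "${U7S_HOST_IP}:2379:2379"`, quoted as Compose recommends for port mappings. If all-interface publishing is intended for multi-host joins, a comment above `ports:` should say that the host firewall is expected to restrict 2379 and 10250 to cluster peers.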
diff --git a/docs/binary-release-license/LICENSE-cfssl b/docs/binary-release-license/LICENSE-cfssl
deleted file mode 100644
index bc5841f..0000000
--- a/docs/binary-release-license/LICENSE-cfssl
+++ /dev/null
@@ -1,24 +0,0 @@
-Copyright (c) 2014 CloudFlare Inc.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-Redistributions of source code must retain the above copyright notice,
-this list of conditions and the following disclaimer.
-
-Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
-TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
-PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
-LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/docs/binary-release-license/LICENSE-crun b/docs/binary-release-license/LICENSE-crun
deleted file mode 100644
index d159169..0000000
--- a/docs/binary-release-license/LICENSE-crun
+++ /dev/null
@@ -1,339 +0,0 @@
- GNU GENERAL PUBLIC LICENSE
- Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
- Preamble
-
- The licenses for most software are designed to take away your
-freedom to share and change it. By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users. This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it. (Some other Free Software Foundation software is covered by
-the GNU Lesser General Public License instead.) You can apply it to
-your programs, too.
-
- When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
- To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
- For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have. You must make sure that they, too, receive or can get the
-source code. And you must show them these terms so they know their
-rights.
-
- We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
- Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software. If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
- Finally, any free program is threatened constantly by software
-patents. We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary. To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
- The precise terms and conditions for copying, distribution and
-modification follow.
-
- GNU GENERAL PUBLIC LICENSE
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
- 0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License. The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language. (Hereinafter, translation is included without limitation in
-the term "modification".) Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope. The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
- 1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
- 2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
- a) You must cause the modified files to carry prominent notices
- stating that you changed the files and the date of any change.
-
- b) You must cause any work that you distribute or publish, that in
- whole or in part contains or is derived from the Program or any
- part thereof, to be licensed as a whole at no charge to all third
- parties under the terms of this License.
-
- c) If the modified program normally reads commands interactively
- when run, you must cause it, when started running for such
- interactive use in the most ordinary way, to print or display an
- announcement including an appropriate copyright notice and a
- notice that there is no warranty (or else, saying that you provide
- a warranty) and that users may redistribute the program under
- these conditions, and telling the user how to view a copy of this
- License. (Exception: if the Program itself is interactive but
- does not normally print such an announcement, your work based on
- the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole. If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works. But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
- 3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
- a) Accompany it with the complete corresponding machine-readable
- source code, which must be distributed under the terms of Sections
- 1 and 2 above on a medium customarily used for software interchange; or,
-
- b) Accompany it with a written offer, valid for at least three
- years, to give any third party, for a charge no more than your
- cost of physically performing source distribution, a complete
- machine-readable copy of the corresponding source code, to be
- distributed under the terms of Sections 1 and 2 above on a medium
- customarily used for software interchange; or,
-
- c) Accompany it with the information you received as to the offer
- to distribute corresponding source code. (This alternative is
- allowed only for noncommercial distribution and only if you
- received the program in object code or executable form with such
- an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it. For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable. However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
- 4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License. Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
- 5. You are not required to accept this License, since you have not
-signed it. However, nothing else grants you permission to modify or
-distribute the Program or its derivative works. These actions are
-prohibited by law if you do not accept this License. Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
- 6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions. You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
- 7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all. For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices. Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
- 8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded. In such case, this License incorporates
-the limitation as if written in the body of this License.
-
- 9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time. Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation. If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
- 10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission. For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this. Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
- NO WARRANTY
-
- 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
- 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
- END OF TERMS AND CONDITIONS
-
- How to Apply These Terms to Your New Programs
-
- If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
- To do so, attach the following notices to the program. It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-
- Copyright (C)
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License along
- with this program; if not, write to the Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
- Gnomovision version 69, Copyright (C) year name of author
- Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
- This is free software, and you are welcome to redistribute it
- under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License. Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary. Here is a sample; alter the names:
-
- Yoyodyne, Inc., hereby disclaims all copyright interest in the program
- `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
- , 1 April 1989
- Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs. If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library. If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.
diff --git a/docs/binary-release-license/LICENSE-fuse-overlayfs b/docs/binary-release-license/LICENSE-fuse-overlayfs
deleted file mode 100644
index d159169..0000000
--- a/docs/binary-release-license/LICENSE-fuse-overlayfs
+++ /dev/null
@@ -1,339 +0,0 @@
- GNU GENERAL PUBLIC LICENSE
- Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
- Preamble
-
- The licenses for most software are designed to take away your
-freedom to share and change it. By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users. This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it. (Some other Free Software Foundation software is covered by
-the GNU Lesser General Public License instead.) You can apply it to
-your programs, too.
-
- When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
- To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
- For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have. You must make sure that they, too, receive or can get the
-source code. And you must show them these terms so they know their
-rights.
-
- We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
- Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software. If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
- Finally, any free program is threatened constantly by software
-patents. We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary. To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
- The precise terms and conditions for copying, distribution and
-modification follow.
-
- GNU GENERAL PUBLIC LICENSE
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
- 0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License. The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language. (Hereinafter, translation is included without limitation in
-the term "modification".) Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope. The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
- 1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
- 2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
- a) You must cause the modified files to carry prominent notices
- stating that you changed the files and the date of any change.
-
- b) You must cause any work that you distribute or publish, that in
- whole or in part contains or is derived from the Program or any
- part thereof, to be licensed as a whole at no charge to all third
- parties under the terms of this License.
-
- c) If the modified program normally reads commands interactively
- when run, you must cause it, when started running for such
- interactive use in the most ordinary way, to print or display an
- announcement including an appropriate copyright notice and a
- notice that there is no warranty (or else, saying that you provide
- a warranty) and that users may redistribute the program under
- these conditions, and telling the user how to view a copy of this
- License. (Exception: if the Program itself is interactive but
- does not normally print such an announcement, your work based on
- the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole. If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works. But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
- 3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
- a) Accompany it with the complete corresponding machine-readable
- source code, which must be distributed under the terms of Sections
- 1 and 2 above on a medium customarily used for software interchange; or,
-
- b) Accompany it with a written offer, valid for at least three
- years, to give any third party, for a charge no more than your
- cost of physically performing source distribution, a complete
- machine-readable copy of the corresponding source code, to be
- distributed under the terms of Sections 1 and 2 above on a medium
- customarily used for software interchange; or,
-
- c) Accompany it with the information you received as to the offer
- to distribute corresponding source code. (This alternative is
- allowed only for noncommercial distribution and only if you
- received the program in object code or executable form with such
- an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it. For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable. However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
- 4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License. Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
- 5. You are not required to accept this License, since you have not
-signed it. However, nothing else grants you permission to modify or
-distribute the Program or its derivative works. These actions are
-prohibited by law if you do not accept this License. Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
- 6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions. You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
- 7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all. For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices. Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
- 8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded. In such case, this License incorporates
-the limitation as if written in the body of this License.
-
- 9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time. Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation. If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
- 10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission. For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this. Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
- NO WARRANTY
-
- 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
- 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
- END OF TERMS AND CONDITIONS
-
- How to Apply These Terms to Your New Programs
-
- If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
- To do so, attach the following notices to the program. It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-
- Copyright (C)
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License along
- with this program; if not, write to the Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
- Gnomovision version 69, Copyright (C) year name of author
- Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
- This is free software, and you are welcome to redistribute it
- under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License. Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary. Here is a sample; alter the names:
-
- Yoyodyne, Inc., hereby disclaims all copyright interest in the program
- `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
- , 1 April 1989
- Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs. If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library. If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.
diff --git a/docs/binary-release-license/LICENSE-slirp4netns b/docs/binary-release-license/LICENSE-slirp4netns
deleted file mode 100644
index 0315e41..0000000
--- a/docs/binary-release-license/LICENSE-slirp4netns
+++ /dev/null
@@ -1,280 +0,0 @@
- GNU GENERAL PUBLIC LICENSE
- Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
- Preamble
-
- The licenses for most software are designed to take away your
-freedom to share and change it. By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users. This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it. (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.) You can apply it to
-your programs, too.
-
- When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
- To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
- For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have. You must make sure that they, too, receive or can get the
-source code. And you must show them these terms so they know their
-rights.
-
- We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
- Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software. If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
- Finally, any free program is threatened constantly by software
-patents. We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary. To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
- The precise terms and conditions for copying, distribution and
-modification follow.
-
- GNU GENERAL PUBLIC LICENSE
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
- 0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License. The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language. (Hereinafter, translation is included without limitation in
-the term "modification".) Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope. The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
- 1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
- 2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
- a) You must cause the modified files to carry prominent notices
- stating that you changed the files and the date of any change.
-
- b) You must cause any work that you distribute or publish, that in
- whole or in part contains or is derived from the Program or any
- part thereof, to be licensed as a whole at no charge to all third
- parties under the terms of this License.
-
- c) If the modified program normally reads commands interactively
- when run, you must cause it, when started running for such
- interactive use in the most ordinary way, to print or display an
- announcement including an appropriate copyright notice and a
- notice that there is no warranty (or else, saying that you provide
- a warranty) and that users may redistribute the program under
- these conditions, and telling the user how to view a copy of this
- License. (Exception: if the Program itself is interactive but
- does not normally print such an announcement, your work based on
- the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole. If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works. But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
- 3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
- a) Accompany it with the complete corresponding machine-readable
- source code, which must be distributed under the terms of Sections
- 1 and 2 above on a medium customarily used for software interchange; or,
-
- b) Accompany it with a written offer, valid for at least three
- years, to give any third party, for a charge no more than your
- cost of physically performing source distribution, a complete
- machine-readable copy of the corresponding source code, to be
- distributed under the terms of Sections 1 and 2 above on a medium
- customarily used for software interchange; or,
-
- c) Accompany it with the information you received as to the offer
- to distribute corresponding source code. (This alternative is
- allowed only for noncommercial distribution and only if you
- received the program in object code or executable form with such
- an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it. For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable. However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
- 4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License. Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
- 5. You are not required to accept this License, since you have not
-signed it. However, nothing else grants you permission to modify or
-distribute the Program or its derivative works. These actions are
-prohibited by law if you do not accept this License. Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
- 6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions. You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
- 7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all. For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices. Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
- 8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded. In such case, this License incorporates
-the limitation as if written in the body of this License.
-
- 9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time. Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation. If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
- 10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission. For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this. Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
- NO WARRANTY
-
- 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
- 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
- END OF TERMS AND CONDITIONS
diff --git a/hack/create-cluster-lxd.sh b/hack/create-cluster-lxd.sh
new file mode 100755
index 0000000..3ef2b63
--- /dev/null
+++ b/hack/create-cluster-lxd.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+set -eux -o pipefail
+
+# Create Rootless Docker hosts
+./hack/create-hosts-lxd.sh "${HOME}/.u7s-ci-hosts" host0 host1
+SCP="scp -F ${HOME}/.u7s-ci-hosts/ssh_config"
+SSH="ssh -F ${HOME}/.u7s-ci-hosts/ssh_config"
+for host in host0 host1; do
+ $SCP -r "$(pwd)" "${host}:~/usernetes"
+ $SSH "${USER}-sudo@${host}" sudo "~${USER}/usernetes/hack/init-host.root.sh"
+ $SSH "${USER}-sudo@${host}" sudo loginctl enable-linger "${USER}"
+ $SSH "${host}" ~/usernetes/hack/init-host.rootless.sh
+done
+
+# Launch a Kubernetes node inside a Rootless Docker host
+for host in host0 host1; do
+ $SSH "${host}" make -C ~/usernetes up
+done
+
+# Bootstrap a cluster with host0
+$SSH host0 make -C ~/usernetes kubeadm-init install-flannel kubeconfig join-command
+
+# Let host1 join the cluster
+$SCP host0:~/usernetes/join-command host1:~/usernetes/join-command
+$SSH host1 make -C ~/usernetes kubeadm-join
+
+# Enable kubectl
+$SCP host0:~/usernetes/kubeconfig ./kubeconfig
+KUBECONFIG="$(pwd)/kubeconfig"
+export KUBECONFIG
+kubectl get nodes -o wide
+kubectl get pods -A
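Review bot: The kubeconfig copied by `$SCP host0:~/usernetes/kubeconfig ./kubeconfig` lands in the working directory with whatever mode the caller's umask gives it, and the file presumably carries the cluster's admin credentials. A `chmod 600 ./kubeconfig` right after the copy, or `umask 077` near the top of the script, keeps it private to the invoking user. The same working directory is what the first loop pushes to every host with `$SCP -r "$(pwd)"`, so a `kubeconfig` or `join-command` left over from an earlier run would be copied to both hosts as well. Removing the two files before that loop avoids this.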
diff --git a/hack/create-hosts-lxd.sh b/hack/create-hosts-lxd.sh
new file mode 100755
index 0000000..1965e78
--- /dev/null
+++ b/hack/create-hosts-lxd.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+set -eux -o pipefail
+if [ "$#" -lt 2 ]; then
+ echo "Usage: $0 DIR INST..."
+ exit 1
+fi
+dir=$1
+shift
+names=$*
+
+LXC="sudo lxc"
+
+echo "USER=${USER}"
+ssh_config="${dir}/ssh_config"
+echo "SSH_CONFIG=${ssh_config}"
+
+# ssh-copy-id wants ~/.ssh to exist
+mkdir -p "${HOME}/.ssh"
+mkdir -p "${dir}"
+prvkey="${dir}/ssh_key"
+pubkey="${prvkey}.pub"
+if [ ! -e "${pubkey}" ]; then
+ ssh-keygen -f "${prvkey}" -q -N ""
+fi
+echo "IdentityFile ${prvkey}" >"${ssh_config}"
+
+userdata="${dir}/user-data"
+if [ ! -e "${userdata}" ]; then
+ cat <"${userdata}"
+#cloud-config
+users:
+ - name: "${USER}"
+ shell: /bin/bash
+ ssh-authorized-keys:
+ - $(cat "${pubkey}")
+ - name: "${USER}-sudo"
+ shell: /bin/bash
+ ssh-authorized-keys:
+ - $(cat "${pubkey}")
+ sudo: ALL=(ALL) NOPASSWD:ALL
+EOF
+fi
+
+for name in ${names}; do
+ ${LXC} init ubuntu:22.04 "${name}" -c security.privileged=true -c security.nesting=true
+ ${LXC} config device add "${name}" bind-boot disk source=/boot path=/boot readonly=true
+ ${LXC} config set "${name}" user.user-data - <"${userdata}"
+ ${LXC} start "${name}"
+ sleep 10
+ ip="$(${LXC} exec "${name}" -- ip --json route get 1 | jq -r .[0].prefsrc)"
+ echo "Host ${name}" >>"${ssh_config}"
+ echo " Hostname ${ip}" >>"${ssh_config}"
+ echo " # For a test env, the host key can be just ignored"
+ echo " StrictHostKeyChecking=no"
+ echo " UserKnownHostsFile=/dev/null"
+ ssh-copy-id -F "${ssh_config}" -i "${prvkey}" -o StrictHostKeyChecking=no "${USER}@${name}"
+done
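Review bot: The three `echo` lines after `Hostname` in the per-instance loop have no `>>"${ssh_config}"`, so the host-key settings are printed to stdout and never reach the generated ssh_config. Later `ssh -F` and `scp -F` calls then use the default known_hosts handling, and a recreated instance that reuses an address would presumably be reported as a changed host key. Each line needs the redirection, e.g. `echo " StrictHostKeyChecking=no" >>"${ssh_config}"` and `echo " UserKnownHostsFile=/dev/null" >>"${ssh_config}"`. Since the same loop creates the instances with `security.privileged=true` and the user-data adds a passwordless-sudo account, a comment at the top of the script saying it is meant for disposable CI hosts only would also help.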
diff --git a/hack/etc_systemd_system_user@.service.d_delegate.conf b/hack/etc_systemd_system_user@.service.d_delegate.conf
deleted file mode 100644
index 7e409de..0000000
--- a/hack/etc_systemd_system_user@.service.d_delegate.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Delegate=yes
diff --git a/hack/init-host.root.sh b/hack/init-host.root.sh
new file mode 100755
index 0000000..20abb9c
--- /dev/null
+++ b/hack/init-host.root.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -eux -o pipefail
+
+if [ "$(id -u)" != "0" ]; then
+ echo "Must run as the root"
+ exit 1
+fi
+
+if [ ! -e /etc/systemd/system/user@.service.d/delegate.conf ]; then
+ mkdir -p /etc/systemd/system/user@.service.d
+ cat </etc/systemd/system/user@.service.d/delegate.conf
+[Service]
+Delegate=cpu cpuset io memory pids
+EOF
+ systemctl daemon-reload
+fi
+
+if ! command -v dockerd-rootless-setuptool.sh >/dev/null 2>&1; then
+ curl https://get.docker.com | sh
+fi
+systemctl disable --now docker
+
+apt-get install -y uidmap make jq
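Review bot: `curl https://get.docker.com | sh` runs as root (the script refuses any other uid) and feeds whatever the server returns straight into a shell. Without `-f`, an HTTP error body is still piped to `sh`, and a truncated download runs as far as it got before `pipefail` reports the failure. Fetching to a file first closes both gaps: `script="$(mktemp)"; curl -fsSL -o "${script}" https://get.docker.com; sh "${script}"`. The Docker version installed is also whatever the convenience script selects at run time, so installing a pinned version from Docker's package repository would make the hosts reproducible. Separately, `apt-get install -y uidmap make jq` has no `apt-get update` before it, which may fail on a fresh image when the Docker install branch is skipped.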
diff --git a/hack/init-host.rootless.sh b/hack/init-host.rootless.sh
new file mode 100755
index 0000000..bffccdc
--- /dev/null
+++ b/hack/init-host.rootless.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -eux -o pipefail
+
+if [ "$(id -u)" == "0" ]; then
+ echo "Must not run as the root"
+ exit 1
+fi
+
+dockerd-rootless-setuptool.sh install
+docker info
diff --git a/hack/show-latest-commits.sh b/hack/show-latest-commits.sh
deleted file mode 100755
index a47d392..0000000
--- a/hack/show-latest-commits.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-set -eu -o pipefail
-
-x() {
- name=$1
- repo=$2
- revision=$3
- json=$(curl -s https://api.github.com/repos/${repo}/commits/${revision})
- sha=$(echo $json | jq -r .sha)
- date=$(echo $json | jq -r .commit.committer.date)
- echo "# ${date}"
- echo "ARG ${name}_COMMIT=${sha}"
-}
-
-x ROOTLESSKIT rootless-containers/rootlesskit master
-x CONTAINERD containerd/containerd main
-x CRIO cri-o/cri-o main
-# x KUBE_NODE kubernetes/kubernetes master
diff --git a/hack/smoketest-binaries.sh b/hack/smoketest-binaries.sh
deleted file mode 100755
index 72be920..0000000
--- a/hack/smoketest-binaries.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/bash
-source $(realpath $(dirname $0))/smoketest-common.inc.sh
-cd $(realpath $(dirname $0)/..)
-function cleanup() {
- $(pwd)/show-status.sh
- $(pwd)/uninstall.sh || true
- eval $($(pwd)/show-cleanup-command.sh) || true
-}
-trap cleanup EXIT
-
-set -x
-./install.sh $@
-
-export KUBECONFIG=$HOME/.config/usernetes/master/admin-localhost.kubeconfig
-export PATH=$(pwd)/bin:$PATH
-
-if ! timeout 60 sh -exc 'until [ $(kubectl get nodes | grep "Ready" | grep -v "NotReady" | wc -l) = "1" ]; do sleep 10; done'; then
- ERROR "Node is not ready."
- set -x
- set +eu
- systemctl --user status u7s-kube-apiserver
- kubectl get nodes -o wide
- kubectl get nodes -o yaml
- journalctl -xe --no-pager
- exit 1
-fi
-
-kubectl get nodes -o wide
-if ! timeout 60 kubectl run --rm -i --image busybox --restart=Never hello echo hello; then
- ERROR "Pod is not ready."
- set -x
- set +eu
- kubectl get pods -o yaml
- kubectl get nodes -o yaml
- journalctl -xe --no-pager
- exit 1
-fi
-
-smoketest_dns
-
-smoketest_limits
diff --git a/hack/smoketest-docker-compose.sh b/hack/smoketest-docker-compose.sh
deleted file mode 100755
index 8b4da4e..0000000
--- a/hack/smoketest-docker-compose.sh
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/bin/bash
-source $(realpath $(dirname $0))/smoketest-common.inc.sh
-cd $(realpath $(dirname $0)/..)
-tmpdir=$(mktemp -d)
-function cleanup() {
- set -x
- make down
- rm -rf $tmpdir
-}
-trap cleanup EXIT
-
-INFO "Creating the cluster"
-make _up
-master="usernetes_master_1"
-nodes="2"
-
-export KUBECONFIG="$HOME/.config/usernetes/docker-compose.kubeconfig"
-docker cp $master:/home/user/usernetes/bin/kubectl $tmpdir/kubectl
-chmod +x $tmpdir/kubectl
-export PATH=$tmpdir:$PATH
-
-INFO "Waiting for master ($master) to be ready."
-if ! timeout 60 sh -exc "until [ \$(docker inspect -f '{{.State.Health.Status}}' $master) = \"healthy\" ]; do sleep 10; done"; then
- ERROR "Master is unhealthy."
- set -x
- docker logs $master
- exit 1
-fi
-
-INFO "Waiting for $nodes nodes to be ready."
-if ! timeout 120 sh -exc "until [ \$(kubectl get nodes | grep \"Ready\" | grep -v \"NotReady\" | wc -l) = \"$nodes\" ]; do sleep 10; done"; then
- ERROR "Nodes are not ready."
- set -x
- kubectl get nodes -o wide
- kubectl get nodes -o yaml
- exit 1
-fi
-kubectl get nodes -o wide
-
-app="nginx"
-image="nginx:alpine"
-INFO "Creating $app app"
-kubectl create deployment $app --image=$image
-kubectl scale deployment --replicas=$nodes $app
-if ! timeout 60 sh -exc "until [ \$(kubectl get pods -o json -l app=$app | jq -r \".items[].status.phase\" | grep -x \"Running\" | wc -l) = \"$nodes\" ]; do sleep 10; done"; then
- ERROR "Pods are not running."
- set -x
- kubectl get pods -o wide -l app=$app
- kubectl get pods -o yaml -l app=$app
- exit 1
-fi
-kubectl get pods -o wide
-if ! [ $(kubectl get pods -o json -l app=$app | jq -r ".items[].spec.nodeName" | sort | uniq | wc -l) = "$nodes" ]; then
- ERROR "Pod replicas are not scaled across the nodes."
- set -x
- kubectl get pods -o wide -l app=$app
- kubectl get pods -o yaml -l app=$app
- kubectl get nodes -o wide
- kubectl get nodes -o yaml
- exit 1
-fi
-
-INFO "Creating the shell pod."
-kubectl run --restart=Never --image=alpine shell sleep infinity
-if ! timeout 60 sh -exc 'until kubectl get pods -o json shell | jq -r ".status.phase" | grep -x "Running" ;do sleep 10; done'; then
- ERROR "The shell pod is not running."
- set -x
- kubectl get pods -o wide shell
- kubectl get pods -o yaml shell
- exit 1
-fi
-kubectl get pods -o wide
-
-INFO "Connecting from the shell pod to the $app pods by IP."
-for ip in $(kubectl get pods -o json -l app=$app | jq -r ".items[].status.podIP"); do
- INFO "Connecting to $ip."
- kubectl exec shell -- wget -O- $ip
-done
-
-smoketest_dns
-
-INFO "PASS"
diff --git a/hack/smoketest-docker.sh b/hack/smoketest-docker.sh
deleted file mode 100755
index 8716f9f..0000000
--- a/hack/smoketest-docker.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-set -eu -o pipefail
-source $(realpath $(dirname $0))/smoketest-common.inc.sh
-if [[ $# -lt 3 ]]; then
- echo "Usage: $0 NAME IMAGE ARGS"
- exit 1
-fi
-
-cd $(realpath $(dirname $0)/..)
-container=$1
-image=$2
-shift 2
-args=$@
-
-set -x
-tmpdir=$(mktemp -d)
-docker run -td --name $container -p 127.0.0.1:6443:6443 --privileged $image $args
-function cleanup() {
- docker rm -f $container
- rm -rf $tmpdir
-}
-trap cleanup EXIT
-
-if ! timeout 60 sh -exc "until [ \$(docker inspect -f '{{.State.Health.Status}}' $container) = \"healthy\" ]; do sleep 10; done"; then
- docker logs $container
- exit 1
-fi
-
-docker cp $container:/home/user/.config/usernetes/master/admin-localhost.kubeconfig $tmpdir/admin-localhost.kubeconfig
-export KUBECONFIG=$tmpdir/admin-localhost.kubeconfig
-
-mkdir -p $tmpdir/bin
-docker cp $container:/home/user/usernetes/bin/kubectl $tmpdir/bin/kubectl
-chmod +x $tmpdir/bin/kubectl
-export PATH=$tmpdir/bin:$PATH
-
-kubectl get nodes -o wide
-: "FIXME remove this sleep"
-sleep 30
-if ! timeout 60 time kubectl run --rm -i --image busybox --restart=Never hello echo hello $container; then
- kubectl get pods -o yaml
- kubectl get nodes -o yaml
- docker logs $container
- exit 1
-fi
-
-smoketest_dns
diff --git a/hack/smoketest-manifests/test-limits.yaml b/hack/smoketest-manifests/test-limits.yaml
deleted file mode 100644
index fbb51d5..0000000
--- a/hack/smoketest-manifests/test-limits.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: test-limits
-spec:
- containers:
- - name: test-limits
- image: alpine
- command: ["top"]
- resources:
- limits:
- cpu: 420m
- memory: 42Mi
diff --git a/hack/smoketest-common.inc.sh b/hack/test-smoke.sh
old mode 100644
new mode 100755
similarity index 50%
rename from hack/smoketest-common.inc.sh
rename to hack/test-smoke.sh
index 8eb6547..2a8680c
--- a/hack/smoketest-common.inc.sh
+++ b/hack/test-smoke.sh
@@ -1,24 +1,14 @@
#!/bin/bash
set -eu -o pipefail
-function INFO() {
+INFO() {
echo -e "\e[104m\e[97m[INFO]\e[49m\e[39m $@"
}
-function ERROR() {
- echo >&2 -e "\e[101m\e[97m[ERROR]\e[49m\e[39m $@"
-}
-
-function util::wait_for_pod() {
- name="$1"
- if ! timeout 60 sh -exc "until kubectl get pods -o json $name | jq -r \".status.phase\" | grep -x \"Running\" ;do sleep 10; done"; then
- ERROR "The $name pod is not running."
- set -x
- kubectl get pods -o wide $name
- kubectl get pods -o yaml $name
- exit 1
- fi
-}
+INFO "Waiting for nodes to be ready"
+for node in $(kubectl get node -o name); do
+ kubectl wait --timeout=5m --for=condition=ready "${node}"
+done
function smoketest_dns() {
INFO "Creating StatefulSet \"dnstest\" and headless Service \"dnstest\""
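Review bot: The new readiness loop does nothing when `kubectl get node -o name` prints no nodes, and a failing `kubectl get` inside the `for` list is not caught by `set -e`, so the script would go on to the DNS test without any node having been checked. `kubectl wait --timeout=5m --for=condition=ready node --all` covers every node in one call and, as far as I know, returns an error when there is nothing to wait for. `smoketest_dns` starts on the last lines of this hunk and continues outside it.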
@@ -62,16 +52,7 @@ spec:
- containerPort: 80
EOF
INFO "Waiting for 3 replicas to be ready"
- if ! timeout 90 sh -exc "until [ \$(kubectl get pods --field-selector status.phase=Running -l run=dnstest -o name | wc -l) = "3" ]; do sleep 10; done"; then
- ERROR "Pods are not ready."
- set -x
- kubectl get pods -o wide
- kubectl get pods -o yaml
- exit 1
- fi
-
- INFO "FIXME: remove this sleep"
- sleep 10
+ kubectl rollout status --timeout=5m statefulset
INFO "Connecting to dnstest-{0,1,2}.dnstest.default.svc.cluster.local"
kubectl run -i --rm --image=alpine --restart=Never dnstest-shell -- sh -exc 'for f in $(seq 0 2); do wget -O- http://dnstest-${f}.dnstest.default.svc.cluster.local; done'
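Review bot: `kubectl rollout status --timeout=5m statefulset` names no object, so the wait depends on `dnstest` being the only StatefulSet in the current namespace. Naming it, `kubectl rollout status --timeout=5m statefulset/dnstest`, ties the wait to the object this function created. The enclosing `smoketest_dns` begins before this hunk and ends after it.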
@@ -82,17 +63,4 @@ EOF
kubectl delete statefulset dnstest
}
-function smoketest_limits() {
- INFO "Creating Pod \"test-limits\""
- kubectl apply -f hack/smoketest-manifests/test-limits.yaml
- util::wait_for_pod test-limits
-
- INFO "Testing memory limit (42 Mib)"
- [ "$(kubectl exec test-limits -- cat /sys/fs/cgroup/memory.max)" = "$((1024 * 1024 * 42))" ]
-
- INFO "Testing CPU limit (0.42 cores)"
- [ "$(kubectl exec test-limits -- cat /sys/fs/cgroup/cpu.max)" = "42000 100000" ]
-
- INFO "Deleting Pod \"test-limits\""
- kubectl delete pod test-limits
-}
+smoketest_dns
diff --git a/hack/translate-dockerfile-runopt-directive.sh b/hack/translate-dockerfile-runopt-directive.sh
deleted file mode 100755
index 013be2b..0000000
--- a/hack/translate-dockerfile-runopt-directive.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-
-# Input:
-# FROM ...
-# ...
-# # runopt = --mount=type=cache,target=/root/.cache
-# RUN foo
-
-# Output:
-# # syntax = docker/dockerfile:1-experimental
-# FROM ...
-# ...
-# RUN --mount=type=cache,target=/root/.cache foo
-
-echo '# syntax = docker/dockerfile:1-experimental'
-
-last_runopt=""
-while IFS="" read -r line || [[ -n $line ]]; do
- run=$(echo $line | grep -ioP '^\s*RUN\s+\K.+')
- printed=""
- if [[ -n $run && -n $last_runopt ]]; then
- echo "RUN $last_runopt $run"
- printed=1
- fi
- last_runopt=$(echo $line | grep -ioP '^#\s*runopt\s*=\s*\K.+')
- if [[ -z $last_runopt && -z $printed ]]; then
- echo "$line"
- fi
-done
diff --git a/install.sh b/install.sh
deleted file mode 100755
index abf68a6..0000000
--- a/install.sh
+++ /dev/null
@@ -1,470 +0,0 @@
-#!/bin/bash
-set -e -o pipefail
-
-function INFO() {
- echo -e "\e[104m\e[97m[INFO]\e[49m\e[39m $@"
-}
-
-function WARNING() {
- echo >&2 -e "\e[101m\e[97m[WARNING]\e[49m\e[39m $@"
-}
-
-function ERROR() {
- echo >&2 -e "\e[101m\e[97m[ERROR]\e[49m\e[39m $@"
-}
-
-### Detect base dir
-cd $(dirname $0)
-base=$(realpath $(pwd))
-
-### Detect bin dir, fail early if not found
-if [ ! -d "$base/bin" ]; then
- ERROR "Usernetes binaries not found. Run \`make\` to build binaries. If you are looking for binary distribution of Usernetes, see https://github.com/rootless-containers/usernetes/releases ."
- exit 1
-fi
-
-### Detect config dir
-set +u
-if [ -z "$HOME" ]; then
- ERROR "HOME needs to be set"
- exit 1
-fi
-config_dir="$HOME/.config"
-if [ -n "$XDG_CONFIG_HOME" ]; then
- config_dir="$XDG_CONFIG_HOME"
-fi
-set -u
-
-### Parse args
-arg0=$0
-start="u7s.target"
-cri="containerd"
-cni=""
-publish=""
-publish_default="0.0.0.0:6443:6443/tcp"
-cidr="10.0.42.0/24"
-delay=""
-wait_init_certs=""
-function usage() {
- echo "Usage: ${arg0} [OPTION]..."
- echo "Install Usernetes systemd units to ${config_dir}/systemd/unit ."
- echo
- echo " --start=UNIT Enable and start the specified target after the installation, e.g. \"u7s.target\". Set to an empty to disable autostart. (Default: \"$start\")"
- echo " --cri=RUNTIME Specify CRI runtime, \"containerd\" or \"crio\". (Default: \"$cri\")"
- echo ' --cni=RUNTIME Specify CNI, an empty string (none) or "flannel". (Default: none)'
- echo " -p, --publish=PORT Publish ports in RootlessKit's network namespace, e.g. \"0.0.0.0:10250:10250/tcp\". Can be specified multiple times. (Default: \"${publish_default}\")"
- echo " --cidr=CIDR Specify CIDR of RootlessKit's network namespace, e.g. \"10.0.100.0/24\". (Default: \"$cidr\")"
- echo
- echo "Examples:"
- echo " # The default options"
- echo " ${arg0}"
- echo
- echo " # Use CRI-O as the CRI runtime"
- echo " ${arg0} --cri=crio"
- echo
- echo 'Use `uninstall.sh` for uninstallation.'
- echo 'For an example of multi-node cluster with flannel, see docker-compose.yaml'
- echo
- echo 'Hint: `sudo loginctl enable-linger` to start user services automatically on the system start up.'
-}
-
-set +e
-args=$(getopt -o hp: --long help,publish:,start:,cri:,cni:,cidr:,,delay:,wait-init-certs -n $arg0 -- "$@")
-getopt_status=$?
-set -e
-if [ $getopt_status != 0 ]; then
- usage
- exit $getopt_status
-fi
-eval set -- "$args"
-while true; do
- case "$1" in
- -h | --help)
- usage
- exit 0
- shift
- ;;
- -p | --publish)
- publish="$publish $2"
- shift 2
- ;;
- --start)
- start="$2"
- shift 2
- ;;
- --cri)
- cri="$2"
- case "$cri" in
- "" | containerd | crio) ;;
-
- *)
- ERROR "Unknown CRI runtime \"$cri\". Supported values: \"containerd\" (default) \"crio\" \"\"."
- exit 1
- ;;
- esac
- shift 2
- ;;
- --cni)
- cni="$2"
- case "$cni" in
- "" | "flannel") ;;
-
- *)
- ERROR "Unknown CNI \"$cni\". Supported values: \"\" (default) \"flannel\" ."
- exit 1
- ;;
- esac
- shift 2
- ;;
- --cidr)
- cidr="$2"
- shift 2
- ;;
- --delay)
- # HIDDEN FLAG. DO NO SPECIFY MANUALLY.
- delay="$2"
- shift 2
- ;;
- --wait-init-certs)
- # HIDDEN FLAG FOR DOCKER COMPOSE. DO NO SPECIFY MANUALLY.
- wait_init_certs=1
- shift 1
- ;;
- --)
- shift
- break
- ;;
- *)
- break
- ;;
- esac
-done
-
-# set default --publish if none was specified
-if [[ -z "$publish" ]]; then
- publish=$publish_default
-fi
-
-# check cgroup config
-if [[ ! -f /sys/fs/cgroup/cgroup.controllers ]]; then
- ERROR "Needs cgroup v2, see https://rootlesscontaine.rs/getting-started/common/cgroup2/"
- exit 1
-else
- f="/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers"
- if [[ ! -f $f ]]; then
- ERROR "systemd not running? file not found: $f"
- exit 1
- fi
- if ! grep -q cpu $f; then
- WARNING "cpu controller might not be enabled, you need to configure /etc/systemd/system/user@.service.d , see https://rootlesscontaine.rs/getting-started/common/cgroup2/"
- elif ! grep -q memory $f; then
- WARNING "memory controller might not be enabled, you need to configure /etc/systemd/system/user@.service.d , see https://rootlesscontaine.rs/getting-started/common/cgroup2/"
- else
- INFO "Rootless cgroup (v2) is supported"
- fi
-fi
-
-# check kernel modules
-for f in $(cat ${base}/config/modules-load.d/usernetes.conf); do
- if ! grep -qw "^$f" /proc/modules; then
- WARNING "Kernel module $f not loaded"
- fi
-done
-
-# Delay for debugging
-if [[ -n "$delay" ]]; then
- INFO "Delay: $delay seconds..."
- sleep "$delay"
-fi
-
-### Create EnvironmentFile (~/.config/usernetes/env)
-mkdir -p ${config_dir}/usernetes
-cat /dev/null >${config_dir}/usernetes/env
-cat <>${config_dir}/usernetes/env
-U7S_ROOTLESSKIT_PORTS=${publish}
-EOF
-if [ "$cni" = "flannel" ]; then
- cat <>${config_dir}/usernetes/env
-U7S_FLANNEL=1
-EOF
-fi
-if [ -n "$cidr" ]; then
- cat <>${config_dir}/usernetes/env
-U7S_ROOTLESSKIT_FLAGS=--cidr=${cidr}
-EOF
-fi
-
-if [[ -n "$wait_init_certs" ]]; then
- max_trial=300
- INFO "Waiting for certs to be created.":
- for ((i = 0; i < max_trial; i++)); do
- if [[ -f ${config_dir}/usernetes/node/done || -f ${config_dir}/usernetes/master/done ]]; then
- echo "OK"
- break
- fi
- echo -n .
- sleep 5
- done
-elif [[ ! -d ${config_dir}/usernetes/master ]]; then
- ### If the keys are not generated yet, generate them for the single-node cluster
- INFO "Generating single-node cluster TLS keys (${config_dir}/usernetes/{master,node})"
- cfssldir=$(mktemp -d /tmp/cfssl.XXXXXXXXX)
- master=127.0.0.1
- node=$(hostname)
- ${base}/common/cfssl.sh --dir=${cfssldir} --master=$master --node=$node,127.0.0.1
- rm -rf ${config_dir}/usernetes/{master,node}
- cp -r "${cfssldir}/master" ${config_dir}/usernetes/master
- cp -r "${cfssldir}/nodes.$node" ${config_dir}/usernetes/node
- rm -rf "${cfssldir}"
-fi
-
-### Begin installation
-INFO "Base dir: ${base}"
-mkdir -p ${config_dir}/systemd/user
-function x() {
- name=$1
- path=${config_dir}/systemd/user/${name}
- INFO "Installing $path"
- cat >$path
-}
-
-service_common="WorkingDirectory=${base}
-EnvironmentFile=${config_dir}/usernetes/env
-Restart=on-failure
-LimitNOFILE=65536
-"
-
-### u7s
-cat <
+# Forked from https://github.com/flannel-io/flannel/releases/download/v0.22.2/kube-flannel.yml ,
+# to specify a custom `--public-ip` value via `/u7s-flanneld-wrapper.sh.
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ k8s-app: flannel
+ pod-security.kubernetes.io/enforce: privileged
+ name: kube-flannel
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ k8s-app: flannel
+ name: flannel
+ namespace: kube-flannel
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ k8s-app: flannel
+ name: flannel
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - clustercidrs
+ verbs:
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ k8s-app: flannel
+ name: flannel
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: flannel
+subjects:
+- kind: ServiceAccount
+ name: flannel
+ namespace: kube-flannel
+---
+apiVersion: v1
+data:
+ cni-conf.json: |
+ {
+ "name": "cbr0",
+ "cniVersion": "0.3.1",
+ "plugins": [
+ {
+ "type": "flannel",
+ "delegate": {
+ "hairpinMode": true,
+ "isDefaultGateway": true
+ }
+ },
+ {
+ "type": "portmap",
+ "capabilities": {
+ "portMappings": true
+ }
+ }
+ ]
+ }
+ net-conf.json: |
+ {
+ "Network": "10.244.0.0/16",
+ "Backend": {
+ "Type": "vxlan"
+ }
+ }
+kind: ConfigMap
+metadata:
+ labels:
+ app: flannel
+ k8s-app: flannel
+ tier: node
+ name: kube-flannel-cfg
+ namespace: kube-flannel
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ labels:
+ app: flannel
+ k8s-app: flannel
+ tier: node
+ name: kube-flannel-ds
+ namespace: kube-flannel
+spec:
+ selector:
+ matchLabels:
+ app: flannel
+ k8s-app: flannel
+ template:
+ metadata:
+ labels:
+ app: flannel
+ k8s-app: flannel
+ tier: node
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ containers:
+ - args:
+#
+ - /opt/bin/flanneld
+#
+ - --ip-masq
+ - --kube-subnet-mgr
+ command:
+#
+ - /u7s-flanneld-wrapper.sh
+#
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: EVENT_QUEUE_DEPTH
+ value: "5000"
+ image: docker.io/flannel/flannel:v0.22.2
+ name: kube-flannel
+ resources:
+ requests:
+ cpu: 100m
+ memory: 50Mi
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_RAW
+ privileged: false
+ volumeMounts:
+ - mountPath: /run/flannel
+ name: run
+ - mountPath: /etc/kube-flannel/
+ name: flannel-cfg
+ - mountPath: /run/xtables.lock
+ name: xtables-lock
+#
+ - mountPath: /u7s-flanneld-wrapper.sh
+ name: u7s-flanneld-wrapper
+#
+ hostNetwork: true
+ initContainers:
+ - args:
+ - -f
+ - /flannel
+ - /opt/cni/bin/flannel
+ command:
+ - cp
+ image: docker.io/flannel/flannel-cni-plugin:v1.2.0
+ name: install-cni-plugin
+ volumeMounts:
+ - mountPath: /opt/cni/bin
+ name: cni-plugin
+ - args:
+ - -f
+ - /etc/kube-flannel/cni-conf.json
+ - /etc/cni/net.d/10-flannel.conflist
+ command:
+ - cp
+ image: docker.io/flannel/flannel:v0.22.2
+ name: install-cni
+ volumeMounts:
+ - mountPath: /etc/cni/net.d
+ name: cni
+ - mountPath: /etc/kube-flannel/
+ name: flannel-cfg
+ priorityClassName: system-node-critical
+ serviceAccountName: flannel
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ volumes:
+ - hostPath:
+ path: /run/flannel
+ name: run
+ - hostPath:
+ path: /opt/cni/bin
+ name: cni-plugin
+ - hostPath:
+ path: /etc/cni/net.d
+ name: cni
+ - configMap:
+ name: kube-flannel-cfg
+ name: flannel-cfg
+ - hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+ name: xtables-lock
+#
+ - hostPath:
+ path: /u7s-flanneld-wrapper.sh
+ name: u7s-flanneld-wrapper
+#
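Review bot: The `u7s-flanneld-wrapper` hostPath volume at the end of the manifest has no `type`, and its volumeMount is writable, although the mounted file is the container's `command`. With the type unset no check is made before mounting, so a node that lacks the script would presumably get whatever the runtime creates at that path. Adding `type: File` under `path: /u7s-flanneld-wrapper.sh` makes the pod fail early instead. Adding `readOnly: true` to the `/u7s-flanneld-wrapper.sh` volumeMount keeps a container that runs on the host network with NET_ADMIN and NET_RAW from rewriting its own entrypoint on the node. The file header of this section is missing from the page, so the manifest's path is not visible here.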
diff --git a/rootlessctl.sh b/rootlessctl.sh
deleted file mode 100755
index 2f423f9..0000000
--- a/rootlessctl.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-set -eu -o pipefail
-exec $(dirname $0)/bin/rootlessctl --socket $XDG_RUNTIME_DIR/usernetes/rootlesskit/api.sock $@
diff --git a/show-cleanup-command.sh b/show-cleanup-command.sh
deleted file mode 100755
index 9c95782..0000000
--- a/show-cleanup-command.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-set -e
-cd $(dirname $0)
-if [ -z $XDG_RUNTIME_DIR ]; then
- echo "# XDG_RUNTIME_DIR needs to be set"
- exit 1
-fi
-if [ -z $HOME ]; then
- echo "# HOME needs to be set"
- exit 1
-fi
-
-# use RootlessKit for removing files owned by sub-IDs.
-echo "# review and eval the following scripts by yourself"
-echo "# You may also want to remove manually: ~/.config/{containerd,containers,crio} ~/.kube"
-echo "set -eux"
-echo ./bin/rootlesskit rm -rf \
- $XDG_RUNTIME_DIR/{usernetes,containerd,crio,runc} \
- $HOME/.local/share/usernetes \
- $HOME/.local/share/containerd \
- $HOME/.local/share/containers \
- $HOME/.local/share/crio \
- $HOME/.config/usernetes
diff --git a/show-status.sh b/show-status.sh
deleted file mode 100755
index 6c21ef5..0000000
--- a/show-status.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-set -e -o pipefail
-set -x
-systemctl --user --no-pager status
-systemctl --user --all --no-pager list-units 'u7s-*'
diff --git a/uninstall.sh b/uninstall.sh
deleted file mode 100755
index 6318e0f..0000000
--- a/uninstall.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-set -e -o pipefail
-cd $(dirname $0)
-if [ -z $HOME ]; then
- echo "HOME needs to be set"
- exit 1
-fi
-config_dir="$HOME/.config"
-if [ -n "$XDG_CONFIG_HOME" ]; then
- config_dir="$XDG_CONFIG_HOME"
-fi
-set -u
-set +e
-set -x
-systemctl --user -T -f stop u7s.target
-systemctl --user -T -f stop --signal=KILL 'u7s-*'
-systemctl --user -T disable u7s.target
-rm -rf ${config_dir}/systemd/user/u7s*
-systemctl --user -T daemon-reload
-systemctl --user reset-failed 'u7s-*'
-systemctl --user reset-failed 'u7s-*'
-systemctl --user reset-failed 'u7s-*'
-rm -rf "$XDG_RUNTIME_DIR/usernetes"