chore: release (#279 )

Co-authored-by: edera-cultivation[bot] <165992271+edera-cultivation[bot]@users.noreply.github.com>
fix(idm): process all idm messages in the same frame and use childwait exit notification for exec (fixes #290 ) (#302 )
2025-08-03 13:11:31 +00:00 · 2024-08-06 00:48:44 +00:00 · 2024-08-06 00:29:09 +00:00 · 2024-08-06 00:14:17 +00:00 · 2024-08-06 00:14:12 +00:00 · 2024-08-01 06:29:02 +00:00
181 changed files with 11155 additions and 17007 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@ -0,0 +1,34 @@
+name: Bug Report
+description: File a bug report.
+title: "bug: "
+labels: ["bug"]
+assignees:
+  - edera-dev/engineering
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: Also tell us, what did you expect to happen?
+      placeholder: Tell us what you see!
+      value: "A bug happened!"
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Version / Commit
+      description: What version of our software are you running?
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+      render: shell
+
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -4,7 +4,32 @@ updates:
  directory: "/"
  schedule:
    interval: "daily"
+  groups:
+    dep-updates:
+      dependency-type: "production"
+      applies-to: "version-updates"
+    dev-updates:
+      dependency-type: "development"
+      applies-to: "version-updates"
 - package-ecosystem: "cargo"
  directory: "/"
  schedule:
    interval: "daily"
+  groups:
+    dep-updates:
+      dependency-type: "production"
+      applies-to: "version-updates"
+    dev-updates:
+      dependency-type: "development"
+      applies-to: "version-updates"
+- package-ecosystem: "docker"
+  directory: "/images"
+  schedule:
+    interval: "daily"
+  groups:
+    dep-updates:
+      dependency-type: "production"
+      applies-to: "version-updates"
+    dev-updates:
+      dependency-type: "development"
+      applies-to: "version-updates"
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -7,23 +7,196 @@ on:
    branches:
    - main
 jobs:
-  fmt:
-    name: fmt
+  rustfmt:
+    name: rustfmt
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v4
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
-      with:
-        components: rustfmt
-    - run: ./hack/ci/install-linux-deps.sh
-    - run: ./hack/build/cargo.sh fmt --all -- --check
+    - name: install stable rust toolchain with rustfmt
+      run: |
+        rustup update --no-self-update stable
+        rustup default stable
+        rustup component add rustfmt
+    - name: install linux dependencies
+      run: ./hack/ci/install-linux-deps.sh
+    # Temporarily ignored: https://github.com/edera-dev/krata/issues/206
+    - name: cargo fmt
+      run: ./hack/build/cargo.sh fmt --all -- --check || true
  shellcheck:
    name: shellcheck
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v4
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - run: ./hack/code/shellcheck.sh
+    - name: shellcheck
+      run: ./hack/code/shellcheck.sh
+  full-build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+        - x86_64
+        - aarch64
+    env:
+      TARGET_ARCH: "${{ matrix.arch }}"
+    name: full build linux-${{ matrix.arch }}
+    steps:
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        submodules: recursive
+    - name: install stable rust toolchain
+      run: |
+        rustup update --no-self-update stable
+        rustup default stable
+    - name: install linux dependencies
+      run: ./hack/ci/install-linux-deps.sh
+    - name: cargo build
+      run: ./hack/build/cargo.sh build
+  full-test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+        - x86_64
+        - aarch64
+    env:
+      TARGET_ARCH: "${{ matrix.arch }}"
+    name: full test linux-${{ matrix.arch }}
+    steps:
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        submodules: recursive
+    - name: install stable rust toolchain
+      run: |
+        rustup update --no-self-update stable
+        rustup default stable
+    - name: install linux dependencies
+      run: ./hack/ci/install-linux-deps.sh
+    - name: cargo test
+      run: ./hack/build/cargo.sh test
+  full-clippy:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch:
+        - x86_64
+        - aarch64
+    env:
+      TARGET_ARCH: "${{ matrix.arch }}"
+    name: full clippy linux-${{ matrix.arch }}
+    steps:
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        submodules: recursive
+    - name: install stable rust toolchain with clippy
+      run: |
+        rustup update --no-self-update stable
+        rustup default stable
+        rustup component add clippy
+    - name: install linux dependencies
+      run: ./hack/ci/install-linux-deps.sh
+    - name: cargo clippy
+      run: ./hack/build/cargo.sh clippy
+  zone-initrd:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch:
+        - x86_64
+        - aarch64
+    env:
+      TARGET_ARCH: "${{ matrix.arch }}"
+    name: zone initrd linux-${{ matrix.arch }}
+    steps:
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        submodules: recursive
+    - name: install stable rust toolchain with ${{ matrix.arch }}-unknown-linux-gnu and ${{ matrix.arch }}-unknown-linux-musl rust targets
+      run: |
+        rustup update --no-self-update stable
+        rustup default stable
+        rustup target add ${{ matrix.arch }}-unknown-linux-gnu ${{ matrix.arch }}-unknown-linux-musl
+    - name: install linux dependencies
+      run: ./hack/ci/install-linux-deps.sh
+    - name: initrd build
+      run: ./hack/initrd/build.sh
+  kratactl-build:
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - { os: linux, arch: x86_64, on: ubuntu-latest, deps: linux }
+          - { os: linux, arch: aarch64, on: ubuntu-latest, deps: linux }
+          - { os: darwin, arch: x86_64, on: macos-14, deps: darwin }
+          - { os: darwin, arch: aarch64, on: macos-14, deps: darwin }
+          - { os: freebsd, arch: x86_64, on: ubuntu-latest, deps: linux }
+          - { os: windows, arch: x86_64, on: windows-latest, deps: windows }
+    env:
+      TARGET_OS: "${{ matrix.platform.os }}"
+      TARGET_ARCH: "${{ matrix.platform.arch }}"
+    runs-on: "${{ matrix.platform.on }}"
+    name: kratactl build ${{ matrix.platform.os }}-${{ matrix.platform.arch }}
+    defaults:
+      run:
+        shell: bash
+    steps:
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: configure git line endings
+      run: git config --global core.autocrlf false && git config --global core.eol lf
+      if: ${{ matrix.platform.os == 'windows' }}
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        submodules: recursive
+    - name: install stable rust toolchain
+      run: |
+        rustup update --no-self-update stable
+        rustup default stable
+    - name: install ${{ matrix.platform.arch }}-apple-darwin rust target
+      run: "rustup target add --toolchain stable ${{ matrix.platform.arch }}-apple-darwin"
+      if: ${{ matrix.platform.os == 'darwin' }}
+    - name: setup homebrew
+      uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master
+      if: ${{ matrix.platform.os == 'darwin' }}
+    - name: install ${{ matrix.platform.deps }} dependencies
+      run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh
+    - name: cargo build kratactl
+      run: ./hack/build/cargo.sh build --bin kratactl
--- a/.github/workflows/client.yml
+++ b/.github/workflows/client.yml
@ -1,44 +0,0 @@
-name: client
-on:
-  pull_request:
-    branches:
-    - main
-  merge_group:
-    branches:
-    - main
-jobs:
-  build:
-    strategy:
-      fail-fast: false
-      matrix:
-        platform:
-          - { os: linux, arch: x86_64, on: ubuntu-latest, deps: linux }
-          - { os: linux, arch: aarch64, on: ubuntu-latest, deps: linux }
-          - { os: darwin, arch: x86_64, on: macos-14, deps: darwin }
-          - { os: darwin, arch: aarch64, on: macos-14, deps: darwin }
-          - { os: freebsd, arch: x86_64, on: ubuntu-latest, deps: linux }
-          - { os: windows, arch: x86_64, on: windows-latest, deps: windows }
-    env:
-      TARGET_OS: "${{ matrix.platform.os }}"
-      TARGET_ARCH: "${{ matrix.platform.arch }}"
-    runs-on: "${{ matrix.platform.on }}"
-    name: client build ${{ matrix.platform.os }}-${{ matrix.platform.arch }}
-    defaults:
-      run:
-        shell: bash
-    steps:
-    - run: git config --global core.autocrlf false && git config --global core.eol lf
-      if: ${{ matrix.platform.os == 'windows' }}
-    - uses: actions/checkout@v4
-      with:
-        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
-      if: ${{ matrix.platform.os != 'darwin' }}
-    - uses: dtolnay/rust-toolchain@stable
-      with:
-        targets: "${{ matrix.platform.arch }}-apple-darwin"
-      if: ${{ matrix.platform.os == 'darwin' }}
-    - uses: homebrew/actions/setup-homebrew@master
-      if: ${{ matrix.platform.os == 'darwin' }}
-    - run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh
-    - run: ./hack/build/cargo.sh build --bin kratactl
--- a/.github/workflows/kernel.yml
+++ b/.github/workflows/kernel.yml
@ -1,32 +0,0 @@
-name: kernel
-on:
-  pull_request:
-    branches:
-    - main
-    paths:
-    - "kernel/**"
-    - "hack/ci/**"
-  merge_group:
-    branches:
-    - main
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        arch:
-        - x86_64
-        - aarch64
-    env:
-      TARGET_ARCH: "${{ matrix.arch }}"
-    name: kernel build ${{ matrix.arch }}
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
-    - run: ./hack/ci/install-linux-deps.sh
-    - run: ./hack/kernel/build.sh
-      env:
-        KRATA_KERNEL_BUILD_JOBS: "5"
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@ -3,8 +3,10 @@ on:
  workflow_dispatch:
  schedule:
  - cron: "0 10 * * *"
+permissions:
+  contents: read
 jobs:
-  server:
+  full-build:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
@ -14,48 +16,49 @@ jobs:
        - aarch64
    env:
      TARGET_ARCH: "${{ matrix.arch }}"
-    name: nightly server ${{ matrix.arch }}
+      CI_NEEDS_FPM: "1"
+    name: nightly full build linux-${{ matrix.arch }}
    steps:
-    - uses: actions/checkout@v4
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
-      with:
-        targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
-    - run: ./hack/ci/install-linux-deps.sh
-    - run: ./hack/dist/bundle.sh
-      env:
-        KRATA_KERNEL_BUILD_JOBS: "5"
-    - uses: actions/upload-artifact@v4
+    - name: install stable rust toolchain with ${{ matrix.arch }}-unknown-linux-gnu and ${{ matrix.arch }}-unknown-linux-musl rust targets
+      run: |
+        rustup update --no-self-update stable
+        rustup default stable
+        rustup target add ${{ matrix.arch }}-unknown-linux-gnu ${{ matrix.arch }}-unknown-linux-musl
+    - name: install linux dependencies
+      run: ./hack/ci/install-linux-deps.sh
+    - name: build systemd bundle
+      run: ./hack/dist/bundle.sh
+    - name: upload systemd bundle
+      uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
      with:
        name: krata-bundle-systemd-${{ matrix.arch }}
        path: "target/dist/bundle-systemd-${{ matrix.arch }}.tgz"
        compression-level: 0
-    - run: ./hack/dist/deb.sh
-      env:
-        KRATA_KERNEL_BUILD_SKIP: "1"
-    - uses: actions/upload-artifact@v4
+    - name: build deb package
+      run: ./hack/dist/deb.sh
+    - name: upload deb package
+      uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
      with:
        name: krata-debian-${{ matrix.arch }}
        path: "target/dist/*.deb"
        compression-level: 0
-    - run: ./hack/dist/apk.sh
-      env:
-        KRATA_KERNEL_BUILD_SKIP: "1"
-    - uses: actions/upload-artifact@v4
+    - name: build apk package
+      run: ./hack/dist/apk.sh
+    - name: upload apk package
+      uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
      with:
        name: krata-alpine-${{ matrix.arch }}
        path: "target/dist/*_${{ matrix.arch }}.apk"
        compression-level: 0
-    - run: ./hack/os/build.sh
-      env:
-        KRATA_KERNEL_BUILD_SKIP: "1"
-    - uses: actions/upload-artifact@v4
-      with:
-        name: krata-os-${{ matrix.arch }}
-        path: "target/os/krata-${{ matrix.arch }}.qcow2"
-        compression-level: 0
-  client:
+  kratactl-build:
    strategy:
      fail-fast: false
      matrix:
@ -70,33 +73,93 @@ jobs:
      TARGET_OS: "${{ matrix.platform.os }}"
      TARGET_ARCH: "${{ matrix.platform.arch }}"
    runs-on: "${{ matrix.platform.on }}"
-    name: nightly client ${{ matrix.platform.os }}-${{ matrix.platform.arch }}
+    name: nightly kratactl build ${{ matrix.platform.os }}-${{ matrix.platform.arch }}
    defaults:
      run:
        shell: bash
    steps:
-    - run: git config --global core.autocrlf false && git config --global core.eol lf
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: configure git line endings
+      run: git config --global core.autocrlf false && git config --global core.eol lf
      if: ${{ matrix.platform.os == 'windows' }}
-    - uses: actions/checkout@v4
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
-      if: ${{ matrix.platform.os != 'darwin' }}
-    - uses: dtolnay/rust-toolchain@stable
-      with:
-        targets: "${{ matrix.platform.arch }}-apple-darwin"
+    - name: install stable rust toolchain
+      run: |
+        rustup update --no-self-update stable
+        rustup default stable
+    - name: install ${{ matrix.platform.arch }}-apple-darwin rust target
+      run: "rustup target add --toolchain stable ${{ matrix.platform.arch }}-apple-darwin"
      if: ${{ matrix.platform.os == 'darwin' }}
-    - uses: homebrew/actions/setup-homebrew@master
+    - name: setup homebrew
+      uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master
      if: ${{ matrix.platform.os == 'darwin' }}
-    - run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh
-    - run: ./hack/build/cargo.sh build --release --bin kratactl
-    - uses: actions/upload-artifact@v4
+    - name: install ${{ matrix.platform.deps }} dependencies
+      run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh
+    - name: cargo build kratactl
+      run: ./hack/build/cargo.sh build --release --bin kratactl
+    - name: upload kratactl
+      uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
      with:
        name: kratactl-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
        path: "target/*/release/kratactl"
      if: ${{ matrix.platform.os != 'windows' }}
-    - uses: actions/upload-artifact@v4
+    - name: upload kratactl
+      uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
      with:
        name: kratactl-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
        path: "target/*/release/kratactl.exe"
      if: ${{ matrix.platform.os == 'windows' }}
+  oci-build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        component:
+        - kratactl
+        - kratad
+        - kratanet
+        - krata-zone
+    name: nightly oci build ${{ matrix.component }}
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        submodules: recursive
+    - name: install cosign
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+    - name: setup docker buildx
+      uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+    - name: login to container registry
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+      with:
+        registry: ghcr.io
+        username: "${{ github.actor }}"
+        password: "${{ secrets.GITHUB_TOKEN }}"
+    - name: docker build and push ${{ matrix.component }}
+      uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
+      id: push
+      with:
+        file: ./images/Dockerfile.${{ matrix.component }}
+        platforms: linux/amd64,linux/aarch64
+        tags: "ghcr.io/edera-dev/${{ matrix.component }}:nightly"
+        push: true
+    - name: cosign sign ${{ matrix.component }}
+      run: cosign sign --yes "${TAGS}@${DIGEST}"
+      env:
+        DIGEST: "${{ steps.push.outputs.digest }}"
+        TAGS: "ghcr.io/edera-dev/${{ matrix.component }}:nightly"
+        COSIGN_EXPERIMENTAL: "true"
--- a/.github/workflows/os.yml
+++ b/.github/workflows/os.yml
@ -1,40 +0,0 @@
-name: os
-on:
-  pull_request:
-    branches:
-    - main
-    paths:
-    - "os/**"
-    - "hack/os/**"
-    - "hack/ci/**"
-  merge_group:
-    branches:
-    - main
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        arch:
-        - x86_64
-        - aarch64
-    env:
-      TARGET_ARCH: "${{ matrix.arch }}"
-    name: os build ${{ matrix.arch }}
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
-      with:
-        targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
-    - run: ./hack/ci/install-linux-deps.sh
-    - run: ./hack/os/build.sh
-      env:
-        KRATA_KERNEL_BUILD_JOBS: "5"
-    - uses: actions/upload-artifact@v4
-      with:
-        name: krata-os-${{ matrix.arch }}
-        path: "target/os/krata-${{ matrix.arch }}.qcow2"
-        compression-level: 0
--- a/.github/workflows/release-assets.yml
+++ b/.github/workflows/release-assets.yml
@ -0,0 +1,172 @@
+name: release-assets
+on:
+  release:
+    types:
+    - published
+env:
+  CARGO_INCREMENTAL: 0
+  CARGO_NET_GIT_FETCH_WITH_CLI: true
+  CARGO_NET_RETRY: 10
+  CARGO_TERM_COLOR: always
+  RUST_BACKTRACE: 1
+  RUSTUP_MAX_RETRIES: 10
+jobs:
+  services:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+        - x86_64
+        - aarch64
+    env:
+      TARGET_ARCH: "${{ matrix.arch }}"
+      CI_NEEDS_FPM: "1"
+    name: release-assets services ${{ matrix.arch }}
+    permissions:
+      contents: write
+    steps:
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        submodules: recursive
+    - name: install stable rust toolchain with ${{ matrix.arch }}-unknown-linux-gnu and ${{ matrix.arch }}-unknown-linux-musl rust targets
+      run: |
+        rustup update --no-self-update stable
+        rustup default stable
+        rustup target add ${{ matrix.arch }}-unknown-linux-gnu ${{ matrix.arch }}-unknown-linux-musl
+    - name: install linux dependencies
+      run: ./hack/ci/install-linux-deps.sh
+    - name: build systemd bundle
+      run: ./hack/dist/bundle.sh
+    - name: assemble systemd bundle
+      run: "./hack/ci/assemble-release-assets.sh bundle-systemd ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/bundle-systemd-${{ matrix.arch }}.tgz"
+    - name: build deb package
+      run: ./hack/dist/deb.sh
+    - name: assemble deb package
+      run: "./hack/ci/assemble-release-assets.sh debian ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/*.deb"
+    - name: build apk package
+      run: ./hack/dist/apk.sh
+    - name: assemble apk package
+      run: "./hack/ci/assemble-release-assets.sh alpine ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/*_${{ matrix.arch }}.apk"
+    - name: upload release artifacts
+      run: "./hack/ci/upload-release-assets.sh ${{ github.event.release.tag_name }}"
+      env:
+        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+  kratactl:
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+        - { os: linux, arch: x86_64, on: ubuntu-latest, deps: linux }
+        - { os: linux, arch: aarch64, on: ubuntu-latest, deps: linux }
+        - { os: darwin, arch: x86_64, on: macos-14, deps: darwin }
+        - { os: darwin, arch: aarch64, on: macos-14, deps: darwin }
+        - { os: freebsd, arch: x86_64, on: ubuntu-latest, deps: linux }
+        - { os: windows, arch: x86_64, on: windows-latest, deps: windows }
+    env:
+      TARGET_OS: "${{ matrix.platform.os }}"
+      TARGET_ARCH: "${{ matrix.platform.arch }}"
+    runs-on: "${{ matrix.platform.on }}"
+    name: release-assets kratactl ${{ matrix.platform.os }}-${{ matrix.platform.arch }}
+    defaults:
+      run:
+        shell: bash
+    timeout-minutes: 60
+    permissions:
+      contents: write
+    steps:
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        submodules: recursive
+    - name: install stable rust toolchain
+      run: |
+        rustup update --no-self-update stable
+        rustup default stable
+    - name: install ${{ matrix.platform.arch }}-apple-darwin rust target
+      run: "rustup target add --toolchain stable ${{ matrix.platform.arch }}-apple-darwin"
+      if: ${{ matrix.platform.os == 'darwin' }}
+    - name: setup homebrew
+      uses: homebrew/actions/setup-homebrew@4b34604e75af8f8b23b454f0b5ffb7c5d8ce0056 # master
+      if: ${{ matrix.platform.os == 'darwin' }}
+    - name: install ${{ matrix.platform.deps }} dependencies
+      run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh
+    - name: cargo build kratactl
+      run: ./hack/build/cargo.sh build --release --bin kratactl
+    - name: assemble kratactl executable
+      run: "./hack/ci/assemble-release-assets.sh kratactl ${{ github.event.release.tag_name }} ${{ matrix.platform.os }}-${{ matrix.platform.arch }} target/*/release/kratactl"
+      if: ${{ matrix.platform.os != 'windows' }}
+    - name: assemble kratactl executable
+      run: "./hack/ci/assemble-release-assets.sh kratactl ${{ github.event.release.tag_name }} ${{ matrix.platform.os }}-${{ matrix.platform.arch }} target/*/release/kratactl.exe"
+      if: ${{ matrix.platform.os == 'windows' }}
+    - name: upload release artifacts
+      run: "./hack/ci/upload-release-assets.sh ${{ github.event.release.tag_name }}"
+      env:
+        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+  oci:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        component:
+        - kratactl
+        - kratad
+        - kratanet
+        - krata-zone
+    name: release-assets oci ${{ matrix.component }}
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        submodules: recursive
+    - name: install cosign
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+    - name: setup docker buildx
+      uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
+    - name: login to container registry
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+      with:
+        registry: ghcr.io
+        username: "${{ github.actor }}"
+        password: "${{ secrets.GITHUB_TOKEN }}"
+    - name: capture krata version
+      id: version
+      run: |
+        echo "KRATA_VERSION=$(./hack/dist/version.sh)" >> "${GITHUB_OUTPUT}"
+    - name: docker build and push ${{ matrix.component }}
+      uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
+      id: push
+      with:
+        file: ./images/Dockerfile.${{ matrix.component }}
+        platforms: linux/amd64,linux/aarch64
+        tags: "ghcr.io/edera-dev/${{ matrix.component }}:${{ steps.version.outputs.KRATA_VERSION }},ghcr.io/edera-dev/${{ matrix.component }}:latest"
+        push: true
+    - name: cosign sign ${{ matrix.component }}:${{ steps.version.outputs.KRATA_VERSION }}
+      run: cosign sign --yes "${TAGS}@${DIGEST}"
+      env:
+        DIGEST: "${{ steps.push.outputs.digest }}"
+        TAGS: "ghcr.io/edera-dev/${{ matrix.component }}:${{ steps.version.outputs.KRATA_VERSION }}"
+        COSIGN_EXPERIMENTAL: "true"
+    - name: cosign sign ${{ matrix.component }}:latest
+      run: cosign sign --yes "${TAGS}@${DIGEST}"
+      env:
+        DIGEST: "${{ steps.push.outputs.digest }}"
+        TAGS: "ghcr.io/edera-dev/${{ matrix.component }}:latest"
+        COSIGN_EXPERIMENTAL: "true"
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@ -1,94 +0,0 @@
-name: release-binaries
-permissions:
-  contents: write
-on:
-  release:
-    types:
-    - published
-env:
-  CARGO_INCREMENTAL: 0
-  CARGO_NET_GIT_FETCH_WITH_CLI: true
-  CARGO_NET_RETRY: 10
-  CARGO_TERM_COLOR: always
-  RUST_BACKTRACE: 1
-  RUSTUP_MAX_RETRIES: 10
-jobs:
-  server:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        arch:
-        - x86_64
-        - aarch64
-    env:
-      TARGET_ARCH: "${{ matrix.arch }}"
-    name: release-binaries server ${{ matrix.arch }}
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
-      with:
-        targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
-    - run: ./hack/ci/install-linux-deps.sh
-    - run: ./hack/dist/bundle.sh
-      env:
-        KRATA_KERNEL_BUILD_JOBS: "5"
-    - run: "./hack/ci/assemble-release-assets.sh bundle-systemd ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/bundle-systemd-${{ matrix.arch }}.tgz"
-    - run: ./hack/dist/deb.sh
-      env:
-        KRATA_KERNEL_BUILD_SKIP: "1"
-    - run: "./hack/ci/assemble-release-assets.sh debian ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/*.deb"
-    - run: ./hack/dist/apk.sh
-      env:
-        KRATA_KERNEL_BUILD_SKIP: "1"
-    - run: "./hack/ci/assemble-release-assets.sh alpine ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/dist/*_${{ matrix.arch }}.apk"
-    - run: ./hack/os/build.sh
-      env:
-        KRATA_KERNEL_BUILD_SKIP: "1"
-    - run: "./hack/ci/assemble-release-assets.sh os ${{ github.event.release.tag_name }} ${{ matrix.arch }} target/os/krata-${{ matrix.arch }}.qcow2"
-    - run: "./hack/ci/upload-release-assets.sh ${{ github.event.release.tag_name }}"
-      env:
-        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-  client:
-    strategy:
-      fail-fast: false
-      matrix:
-        platform:
-        - { os: linux, arch: x86_64, on: ubuntu-latest, deps: linux }
-        - { os: linux, arch: aarch64, on: ubuntu-latest, deps: linux }
-        - { os: darwin, arch: x86_64, on: macos-14, deps: darwin }
-        - { os: darwin, arch: aarch64, on: macos-14, deps: darwin }
-        - { os: freebsd, arch: x86_64, on: ubuntu-latest, deps: linux }
-        - { os: windows, arch: x86_64, on: windows-latest, deps: windows }
-    env:
-      TARGET_OS: "${{ matrix.platform.os }}"
-      TARGET_ARCH: "${{ matrix.platform.arch }}"
-    runs-on: "${{ matrix.platform.on }}"
-    name: release-binaries client ${{ matrix.platform.os }}-${{ matrix.platform.arch }}
-    defaults:
-      run:
-        shell: bash
-    timeout-minutes: 60
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
-      if: ${{ matrix.platform.os != 'darwin' }}
-    - uses: dtolnay/rust-toolchain@stable
-      with:
-        targets: "${{ matrix.platform.arch }}-apple-darwin"
-      if: ${{ matrix.platform.os == 'darwin' }}
-    - uses: homebrew/actions/setup-homebrew@master
-      if: ${{ matrix.platform.os == 'darwin' }}
-    - run: ./hack/ci/install-${{ matrix.platform.deps }}-deps.sh
-    - run: ./hack/build/cargo.sh build --release --bin kratactl
-    - run: "./hack/ci/assemble-release-assets.sh kratactl ${{ github.event.release.tag_name }} ${{ matrix.platform.os }}-${{ matrix.platform.arch }} target/*/release/kratactl"
-      if: ${{ matrix.platform.os != 'windows' }}
-    - run: "./hack/ci/assemble-release-assets.sh kratactl ${{ github.event.release.tag_name }} ${{ matrix.platform.os }}-${{ matrix.platform.arch }} target/*/release/kratactl.exe"
-      if: ${{ matrix.platform.os == 'windows' }}
-    - run: "./hack/ci/upload-release-assets.sh ${{ github.event.release.tag_name }}"
-      env:
-        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz.yml
@ -1,7 +1,4 @@
 name: release-plz
-permissions:
-  pull-requests: write
-  contents: write
 on:
  push:
    branches:
@ -13,21 +10,34 @@ jobs:
  release-plz:
    name: release-plz
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
    steps:
-      - uses: actions/create-github-app-token@v1
-        id: generate-token
-        with:
-          app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
-          private-key: "${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}"
-      - uses: actions/checkout@v4
-        with:
-          submodules: recursive
-          fetch-depth: 0
-          token: "${{ steps.generate-token.outputs.token }}"
-      - uses: dtolnay/rust-toolchain@stable
-      - run: ./hack/ci/install-linux-deps.sh
-      - name: release-plz
-        uses: MarcoIeni/release-plz-action@v0.5
-        env:
-          GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
-          CARGO_REGISTRY_TOKEN: "${{ secrets.KRATA_RELEASE_CARGO_TOKEN }}"
+    - name: harden runner
+      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+      with:
+        egress-policy: audit
+    - name: generate cultivator token
+      uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
+      id: generate-token
+      with:
+        app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
+        private-key: "${{ secrets.EDERA_CULTIVATION_APP_PRIVATE_KEY }}"
+    - name: checkout repository
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      with:
+        submodules: recursive
+        fetch-depth: 0
+        token: "${{ steps.generate-token.outputs.token }}"
+    - name: install stable rust toolchain
+      run: |
+        rustup update --no-self-update stable
+        rustup default stable
+    - name: install linux dependencies
+      run: ./hack/ci/install-linux-deps.sh
+    - name: release-plz
+      uses: MarcoIeni/release-plz-action@92ae919a6b3e27c0472659e3a7414ff4a00e833f # v0.5.64
+      env:
+        GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
+        CARGO_REGISTRY_TOKEN: "${{ secrets.KRATA_RELEASE_CARGO_TOKEN }}"
--- a/.github/workflows/server.yml
+++ b/.github/workflows/server.yml
@ -1,82 +0,0 @@
-name: server
-on:
-  pull_request:
-    branches:
-    - main
-  merge_group:
-    branches:
-    - main
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        arch:
-        - x86_64
-        - aarch64
-    env:
-      TARGET_ARCH: "${{ matrix.arch }}"
-    name: server build ${{ matrix.arch }}
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
-    - run: ./hack/ci/install-linux-deps.sh
-    - run: ./hack/build/cargo.sh build
-  test:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        arch:
-        - x86_64
-        - aarch64
-    env:
-      TARGET_ARCH: "${{ matrix.arch }}"
-    name: server test ${{ matrix.arch }}
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
-    - run: ./hack/ci/install-linux-deps.sh
-    - run: ./hack/build/cargo.sh test
-  clippy:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        arch:
-        - x86_64
-        - aarch64
-    env:
-      TARGET_ARCH: "${{ matrix.arch }}"
-    name: server clippy ${{ matrix.arch }}
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
-      with:
-        components: clippy
-    - run: ./hack/ci/install-linux-deps.sh
-    - run: ./hack/build/cargo.sh clippy
-  initrd:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        arch:
-        - x86_64
-        - aarch64
-    env:
-      TARGET_ARCH: "${{ matrix.arch }}"
-    name: server initrd ${{ matrix.arch }}
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
-      with:
-        targets: "${{ matrix.arch }}-unknown-linux-gnu,${{ matrix.arch }}-unknown-linux-musl"
-    - run: ./hack/ci/install-linux-deps.sh
-    - run: ./hack/initrd/build.sh
--- a/.gitmodules
+++ b/.gitmodules
@ -1,3 +0,0 @@
-[submodule "vendor"]
-	path = vendor
-	url = https://github.com/edera-dev/krata-vendor.git
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,6 +6,78 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+## [0.0.14](https://github.com/edera-dev/krata/compare/v0.0.13...v0.0.14) - 2024-08-06
+
+### Added
+- *(oci)* use local index as resolution cache when appropriate, fixes [#289](https://github.com/edera-dev/krata/pull/289) ([#294](https://github.com/edera-dev/krata/pull/294))
+
+### Fixed
+- *(idm)* process all idm messages in the same frame and use childwait exit notification for exec (fixes [#290](https://github.com/edera-dev/krata/pull/290)) ([#302](https://github.com/edera-dev/krata/pull/302))
+
+### Other
+- init: mount /proc with hidepid=1 ([#277](https://github.com/edera-dev/krata/pull/277))
+- update Cargo.toml dependencies
+
+## [0.0.13](https://github.com/edera-dev/krata/compare/v0.0.12...v0.0.13) - 2024-07-19
+
+### Added
+- *(kratactl)* rework cli to use subcommands ([#268](https://github.com/edera-dev/krata/pull/268))
+- *(krata)* rename guest to zone ([#266](https://github.com/edera-dev/krata/pull/266))
+
+### Other
+- *(deps)* upgrade dependencies, fix hyper io traits issue ([#252](https://github.com/edera-dev/krata/pull/252))
+- update Cargo.lock dependencies
+- update Cargo.toml dependencies
+
+## [0.0.12](https://github.com/edera-dev/krata/compare/v0.0.11...v0.0.12) - 2024-07-12
+
+### Added
+- *(oci)* add configuration value for oci seed file ([#220](https://github.com/edera-dev/krata/pull/220))
+- *(power-management-defaults)* set an initial power management policy ([#219](https://github.com/edera-dev/krata/pull/219))
+
+### Fixed
+- *(daemon)* decrease rate of runtime reconcile ([#224](https://github.com/edera-dev/krata/pull/224))
+- *(power)* ensure that xeon cpus with cpu gaps are not detected as p/e compatible ([#218](https://github.com/edera-dev/krata/pull/218))
+- *(runtime)* use iommu only if devices are needed ([#243](https://github.com/edera-dev/krata/pull/243))
+
+### Other
+- Power management core functionality ([#217](https://github.com/edera-dev/krata/pull/217))
+- *(powermgmt)* disable for now as a hackfix ([#242](https://github.com/edera-dev/krata/pull/242))
+- Initial fluentd support ([#205](https://github.com/edera-dev/krata/pull/205))
+- update Cargo.toml dependencies
+- Use native loopdev implementation instead of loopdev-3 ([#209](https://github.com/edera-dev/krata/pull/209))
+
+## [0.0.11](https://github.com/edera-dev/krata/compare/v0.0.10...v0.0.11) - 2024-06-23
+
+### Added
+- pci passthrough ([#114](https://github.com/edera-dev/krata/pull/114))
+- *(runtime)* concurrent ip allocation ([#151](https://github.com/edera-dev/krata/pull/151))
+- *(xen)* dynamic platform architecture ([#194](https://github.com/edera-dev/krata/pull/194))
+
+### Fixed
+- *(oci)* remove file size limit ([#142](https://github.com/edera-dev/krata/pull/142))
+- *(oci)* use mirror.gcr.io as a mirror to docker hub ([#141](https://github.com/edera-dev/krata/pull/141))
+
+### Other
+- first pass of krata as an isolation engine
+- *(xen)* split platform support into separate crate ([#195](https://github.com/edera-dev/krata/pull/195))
+- *(xen)* move device creation into transaction interface ([#196](https://github.com/edera-dev/krata/pull/196))
+
+## [0.0.10](https://github.com/edera-dev/krata/compare/v0.0.9...v0.0.10) - 2024-04-22
+
+### Added
+- implement guest exec ([#107](https://github.com/edera-dev/krata/pull/107))
+- implement kernel / initrd oci image support ([#103](https://github.com/edera-dev/krata/pull/103))
+- idm v2 ([#102](https://github.com/edera-dev/krata/pull/102))
+- oci concurrency improvements ([#95](https://github.com/edera-dev/krata/pull/95))
+- oci tar format, bit-perfect disk storage for config and manifest, concurrent image pulls ([#88](https://github.com/edera-dev/krata/pull/88))
+
+### Fixed
+- oci cache store should fallback to copy when rename won't work ([#96](https://github.com/edera-dev/krata/pull/96))
+
+### Other
+- update Cargo.lock dependencies
+
 ## [0.0.9](https://github.com/edera-dev/krata/compare/v0.0.8...v0.0.9) - 2024-04-15

 ### Added
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,34 @@
+# Contributing to Krata
+
+Welcome! We're very glad you're reading this; Edera is excited for all kinds of contributions! Please read the following to ensure you're aware of our flow and policies.  
+
+## Before contributing
+
+1. Please read our [Code of Conduct](CODE_OF_CONDUCT.md), which applies to all interactions in/with all Edera projects and venues.
+2. Before opening an issue or PR, please try a few searches to see if there is overlap with existing conversations or WIP contributions.
+3. For security or otherwise sensitive topics, please read our [Security Policy].
+4. Ask questions! If you want to ask something, chances are someone else wants to ask it as well.
+
+## Contributing Code
+
+To get started with technical contributions, please read out [Development Guide]. If you're looking for something easy to tackle, [look for issues labeled `good first issue`][good-first-issue].  
+
+## Reporting bugs and other issues
+
+While it's totally fine to simply bring it up on our Discord, we encourage opening an issue on GitHub using the Bug Report template.  
+
+## Pull Requests
+
+1. For anything more than simple bug/doc fixes, please open a GitHub issue for tracking purposes.
+  - Else skip to step 3.
+2. Discuss the change with the teams to ensure we have consensus on the change being welcome.
+3. We encourage opening the PR sooner than later, and prefixing with `WIP:` so GitHub labels it as a Draft.
+4. Please include a detailed list of changes that the PR makes.
+5. Once the PR is ready for review, remove the Draft status, and request a review from `edera-dev/engineering`.
+6. After the review cycle concludes and we know you are ready for merging, a team member will submit the PR to the merge queue.
+
+
+[Code of Conduct]: ./CODE_OF_CONDUCT.md
+[Security Policy]: ./SECURITY.md
+[Development Guide]: ./DEV.md
+[good-first-issues]: https://github.com/edera-dev/krata/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,8 +1,9 @@
 [workspace]
 members = [
+    "crates/build",
    "crates/krata",
    "crates/oci",
-    "crates/guest",
+    "crates/zone",
    "crates/runtime",
    "crates/daemon",
    "crates/network",
@ -11,12 +12,13 @@ members = [
    "crates/xen/xenclient",
    "crates/xen/xenevtchn",
    "crates/xen/xengnt",
+    "crates/xen/xenplatform",
    "crates/xen/xenstore",
 ]
 resolver = "2"

 [workspace.package]
-version = "0.0.9"
+version = "0.0.14"
 homepage = "https://krata.dev"
 license = "Apache-2.0"
 repository = "https://github.com/edera-dev/krata"
@ -24,79 +26,87 @@ repository = "https://github.com/edera-dev/krata"
 [workspace.dependencies]
 anyhow = "1.0"
 arrayvec = "0.7.4"
-async-compression = "0.4.8"
+async-compression = "0.4.12"
 async-stream = "0.3.5"
-async-trait = "0.1.80"
-backhand = "0.15.0"
+async-trait = "0.1.81"
+backhand = "0.18.0"
+base64 = "0.22.1"
 byteorder = "1"
-bytes = "1.5.0"
+bytes = "1.7.1"
+c2rust-bitfields = "0.18.0"
 cgroups-rs = "0.3.4"
 circular-buffer = "0.1.7"
 comfy-table = "7.1.1"
 crossterm = "0.27.0"
 ctrlc = "3.4.4"
 elf = "0.7.4"
-env_logger = "0.11.0"
-etherparse = "0.14.3"
+env_logger = "0.11.5"
+etherparse = "0.15.0"
 fancy-duration = "0.9.2"
 flate2 = "1.0"
 futures = "0.3.30"
+hyper = "1.4.1"
+hyper-util = "0.1.6"
 human_bytes = "0.4"
-indexmap = "2.2.6"
+indexmap = "2.3.0"
 indicatif = "0.17.8"
 ipnetwork = "0.20.0"
 libc = "0.2"
-log = "0.4.20"
+log = "0.4.22"
 loopdev-3 = "0.5.1"
 krata-advmac = "1.1.0"
 krata-tokio-tar = "0.4.0"
 memchr = "2"
-nix = "0.28.0"
-oci-spec = "0.6.4"
+nix = "0.29.0"
+oci-spec = "0.6.8"
 once_cell = "1.19.0"
 path-absolutize = "3.1.1"
 path-clean = "1.0.1"
-prost = "0.12.4"
-prost-build = "0.12.4"
-prost-reflect-build = "0.13.0"
-prost-types = "0.12.4"
+pin-project-lite = "0.2.14"
+platform-info = "2.0.3"
+prost = "0.13.1"
+prost-build = "0.13.1"
+prost-reflect-build = "0.14.0"
+prost-types = "0.13.1"
 rand = "0.8.5"
-ratatui = "0.26.1"
-redb = "2.0.0"
+ratatui = "0.27.0"
+redb = "2.1.1"
+regex = "1.10.6"
 rtnetlink = "0.14.1"
 scopeguard = "1.2.0"
-serde_json = "1.0.113"
+serde_json = "1.0.122"
 serde_yaml = "0.9"
 sha256 = "1.5.0"
 signal-hook = "0.3.17"
 slice-copy = "0.3.0"
 smoltcp = "0.11.0"
-sysinfo = "0.30.10"
-termtree = "0.4.1"
+sysinfo = "0.30.13"
+termtree = "0.5.1"
 thiserror = "1.0"
-tokio-tun = "0.11.4"
-tonic-build = "0.11.0"
+tokio-tun = "0.11.5"
+toml = "0.8.19"
+tonic-build = "0.12.1"
 tower = "0.4.13"
-udp-stream = "0.0.11"
-url = "2.5.0"
+udp-stream = "0.0.12"
+url = "2.5.2"
 walkdir = "2"
 xz2 = "0.1"

 [workspace.dependencies.clap]
-version = "4.4.18"
+version = "4.5.13"
 features = ["derive"]

 [workspace.dependencies.prost-reflect]
-version = "0.13.1"
+version = "0.14.0"
 features = ["derive"]

 [workspace.dependencies.reqwest]
-version = "0.12.3"
+version = "0.12.5"
 default-features = false
 features = ["rustls-tls"]

 [workspace.dependencies.serde]
-version = "1.0.196"
+version = "1.0.204"
 features = ["derive"]

 [workspace.dependencies.sys-mount]
@ -104,7 +114,7 @@ version = "3.0.0"
 default-features = false

 [workspace.dependencies.tokio]
-version = "1.35.1"
+version = "1.39.2"
 features = ["full"]

 [workspace.dependencies.tokio-stream]
@ -112,11 +122,11 @@ version = "0.1"
 features = ["io-util", "net"]

 [workspace.dependencies.tonic]
-version = "0.11.0"
+version = "0.12.1"
 features = ["tls"]

 [workspace.dependencies.uuid]
-version = "1.6.1"
+version = "1.10.0"
 features = ["v4"]

 [profile.release]
--- a/DEV.md
+++ b/DEV.md
@ -4,25 +4,25 @@

 krata is composed of four major executables:

-| Executable | Runs On | User Interaction | Dev Runner               | Code Path         |
-| ---------- | ------- | ---------------- | ------------------------ | ----------------- |
-| kratad     | host    | backend daemon   | ./hack/debug/kratad.sh   | crates/daemon     |
-| kratanet   | host    | backend daemon   | ./hack/debug/kratanet.sh | crates/network    |
-| kratactl   | host    | CLI tool         | ./hack/debug/kratactl.sh | crates/ctl        |
-| krataguest | guest   | none, guest init | N/A                      | crates/guest      |
+| Executable | Runs On | User Interaction | Dev Runner               | Code Path      |
+|------------|---------|------------------|--------------------------|----------------|
+| kratad     | host    | backend daemon   | ./hack/debug/kratad.sh   | crates/daemon  |
+| kratanet   | host    | backend daemon   | ./hack/debug/kratanet.sh | crates/network |
+| kratactl   | host    | CLI tool         | ./hack/debug/kratactl.sh | crates/ctl     |
+| kratazone  | zone    | none, zone init  | N/A                      | crates/zone    |

 You will find the code to each executable available in the bin/ and src/ directories inside
 it's corresponding code path from the above table.

 ## Environment

-| Component     | Specification | Notes                                                                             |
-| ------------- | ------------- | --------------------------------------------------------------------------------- |
-| Architecture  | x86_64        | aarch64 support is still in development                                           |
-| Memory        | At least 6GB  | dom0 will need to be configured will lower memory limit to give krata guests room | 
-| Xen           | 4.17          | Temporary due to hardcoded interface version constants                            |
-| Debian        | stable / sid  | Debian is recommended due to the ease of Xen setup                                |
-| rustup        | any           | Install Rustup from https://rustup.rs                                             |
+| Component    | Specification | Notes                                                                            |
+|--------------|---------------|----------------------------------------------------------------------------------|
+| Architecture | x86_64        | aarch64 support is still in development                                          |
+| Memory       | At least 6GB  | dom0 will need to be configured with lower memory limit to give krata zones room | 
+| Xen          | 4.17+         |                                                                                  |
+| Debian       | stable / sid  | Debian is recommended due to the ease of Xen setup                               |
+| rustup       | any           | Install Rustup from https://rustup.rs                                            |

 ## Setup Guide

@ -31,7 +31,8 @@ it's corresponding code path from the above table.
 2. Install required packages:

 ```sh
-$ apt install git xen-system-amd64 build-essential libclang-dev musl-tools flex bison libelf-dev libssl-dev bc protobuf-compiler libprotobuf-dev squashfs-tools erofs-utils
+$ apt install git xen-system-amd64 build-essential musl-tools \
+      protobuf-compiler libprotobuf-dev squashfs-tools erofs-utils
 ```

 3. Install [rustup](https://rustup.rs) for managing a Rust environment.
@ -43,10 +44,10 @@ $ rustup target add x86_64-unknown-linux-gnu
 $ rustup target add x86_64-unknown-linux-musl
 ```

-4. Configure `/etc/default/grub.d/xen.cfg` to give krata guests some room:
+4. Configure `/etc/default/grub.d/xen.cfg` to give krata zones some room:

 ```sh
-# Configure dom0_mem to be 4GB, but leave the rest of the RAM for krata guests.
+# Configure dom0_mem to be 4GB, but leave the rest of the RAM for krata zones.
 GRUB_CMDLINE_XEN_DEFAULT="dom0_mem=4G,max:4G"
 ```

@ -62,29 +63,36 @@ $ git clone https://github.com/edera-dev/krata.git krata
 $ cd krata
 ```

-6. Build a guest kernel image:
+6. Fetch the zone kernel image:

 ```sh
-$ ./hack/kernel/build.sh
+$ ./hack/kernel/fetch.sh -u
 ```

-7. Copy the guest kernel image at `target/kernel/kernel-x86_64` to `/var/lib/krata/guest/kernel` to have it automatically detected by kratad.
-8. Launch `./hack/debug/kratanet.sh` and keep it running in the foreground.
-9. Launch `./hack/debug/kratad.sh` and keep it running in the foreground.
-10. Run kratactl to launch a guest:
+7. Copy the zone kernel artifacts to `/var/lib/krata/zone/kernel` so it is automatically detected by kratad:

 ```sh
-$ ./hack/debug/kratactl.sh launch --attach alpine:latest
+$ mkdir -p /var/lib/krata/zone
+$ cp target/kernel/kernel-x86_64 /var/lib/krata/zone/kernel
+$ cp target/kernel/addons-x86_64.squashfs /var/lib/krata/zone/addons.squashfs
 ```

-To detach from the guest console, use `Ctrl + ]` on your keyboard.
+8. Launch `./hack/debug/kratad.sh` and keep it running in the foreground.
+9. Launch `./hack/debug/kratanet.sh` and keep it running in the foreground.
+10. Run `kratactl` to launch a zone:

-To list the running guests, run:
 ```sh
-$ ./hack/debug/kratactl.sh list
+$ ./hack/debug/kratactl.sh zone launch --attach alpine:latest
 ```

-To destroy a running guest, copy it's UUID from either the launch command or the guest list and run:
+To detach from the zone console, use `Ctrl + ]` on your keyboard.
+
+To list the running zones, run:
 ```sh
-$ ./hack/debug/kratactl.sh destroy GUEST_UUID
+$ ./hack/debug/kratactl.sh zone list
+```
+
+To destroy a running zone, copy it's UUID from either the launch command or the zone list and run:
+```sh
+$ ./hack/debug/kratactl.sh zone destroy ZONE_UUID
 ```
--- a/FAQ.md
+++ b/FAQ.md
@ -2,18 +2,14 @@

 ## How does krata currently work?

-The krata hypervisor makes it possible to launch OCI containers on a Xen hypervisor without utilizing the Xen userspace tooling. krata contains just enough of the userspace of Xen (reimplemented in Rust) to start an x86_64 Xen Linux PV guest, and implements a Linux init process that can boot an OCI container. It does so by converting an OCI image into a squashfs/erofs file and packaging basic startup data in a bundle which the init container can read.
+The krata isolation engine makes it possible to launch OCI containers on a Xen hypervisor without utilizing the Xen userspace tooling. krata contains just enough of the userspace of Xen (reimplemented in Rust) to start an x86_64 Xen Linux PV guest, and implements a Linux init process that can boot an OCI container. It does so by converting an OCI image into a squashfs/erofs file and packaging basic startup data in a bundle that the init container can read.

-In addition, due to the desire to reduce dependence on the dom0 network, krata contains a networking daemon called kratanet. kratanet listens for krata guests to startup and launches a userspace networking environment. krata guests can access the dom0 networking stack via the proxynat layer that makes it possible to communicate over UDP, TCP, and ICMP (echo only) to the outside world. In addition, each krata guest is provided a "gateway" IP (both in IPv4 and IPv6) which utilizes smoltcp to provide a virtual host. That virtual host in the future could dial connections into the container to access container networking resources.
+In addition, due to the desire to reduce dependence on the dom0 network, krata contains a networking daemon called kratanet. kratanet listens for krata guests to startup and launches a userspace networking environment. krata guests can access the dom0 networking stack via the proxynat, which that makes it possible to communicate over UDP, TCP, and ICMP (echo only) to the outside world. In addition, each krata guest is provided a "gateway" IP (both in IPv4 and IPv6) which utilizes smoltcp to provide a virtual host. That virtual host in the future could dial connections into the container to access container networking resources.

 ## Why utilize Xen instead of KVM?

-Xen is a very interesting technology, and Edera believes that type-1 hypervisors are ideal for security. Most OCI isolation techniques use KVM, which is not a type-1 hypervisor, and thus is subject to the security limitations of the OS kernel. A type-1 hypervisor on the otherhand provides a minimal amount of attack surface upon which less-trusted guests can be launched on top of.
+Xen is a very interesting technology, and Edera believes that type-1 hypervisors are ideal for security. Most OCI isolation techniques use KVM, which is not a type-1 hypervisor, and thus is subject to the security limitations of the OS kernel. A type-1 hypervisor on the other hand provides a minimal attack surface upon which less-trusted guests can be launched on top of.

 ## Why not utilize pvcalls to provide access to the host network?

-pvcalls is extremely interesting, and although it is certainly possible to utilize pvcalls to get the job done, we chose to utilize userspace networking technology in order to enhance security. Our goal is to drop the use of all xen networking backend drivers within the kernel and have the guest talk directly to a userspace daemon, bypassing the vif (xen-netback) driver. Currently, in order to develop the networking layer, we utilize xen-netback and then use raw sockets to provide the userspace networking layer on the host.
-
-## What are the future plans?
-
-Edera is building a company to compete in the hypervisor space with open-source technology. More information to come soon on official channels.
+pvcalls is fascinating, and although it is certainly possible to utilize pvcalls to get the job done, we chose to utilize userspace networking technology in order to enhance security. Our goal is to drop the use of all xen networking backend drivers within the kernel and have the guest talk directly to a userspace daemon, bypassing the vif (xen-netback) driver. Currently, in order to develop the networking layer, we utilize xen-netback and then use raw sockets to provide the userspace networking layer on the host.
--- a/README.md
+++ b/README.md
@ -1,6 +1,10 @@
 # krata

-The Edera Hypervisor
+An isolation engine for securing compute workloads.
+
+```bash
+$ kratactl zone launch -a alpine:latest
+```

 ![license](https://img.shields.io/github/license/edera-dev/krata)
 ![discord](https://img.shields.io/discord/1207447453083766814?label=discord)
@ -16,13 +20,13 @@ The Edera Hypervisor

 ## Introduction

-krata is a single-host hypervisor service built for OCI-compliant containers. It isolates containers using a type-1 hypervisor, providing workload isolation that can exceed the security level of KVM-based OCI-compliant runtimes.
+krata is a single-host workload isolation service. It isolates workloads using a type-1 hypervisor, providing a tight security boundary while preserving performance.

-krata utilizes the core of the Xen hypervisor, with a fully memory-safe Rust control plane to bring Xen tooling into a new secure era.
+krata utilizes the core of the Xen hypervisor with a fully memory-safe Rust control plane.

 ## Hardware Support

-| Architecture | Completion Level | Virtualization Technology |
-| ------------ | ---------------- | ------------------------- |
-| x86_64       | 100% Completed   | Intel VT-x, AMD-V         |
-| aarch64      | 30% Completed    | AArch64 virtualization    |
+| Architecture | Completion Level | Hardware Virtualization |
+|--------------|------------------|-------------------------|
+| x86_64       | 100% Completed   | None, Intel VT-x, AMD-V |
+| aarch64      | 10% Completed    | AArch64 virtualization  |
--- a/crates/build/Cargo.toml
+++ b/crates/build/Cargo.toml
@ -0,0 +1,25 @@
+[package]
+name = "krata-buildtools"
+description = "Build tools for krata."
+license.workspace = true
+version.workspace = true
+homepage.workspace = true
+repository.workspace = true
+edition = "2021"
+resolver = "2"
+publish = false
+
+[dependencies]
+anyhow = { workspace = true }
+env_logger = { workspace = true }
+oci-spec = { workspace = true }
+scopeguard = { workspace = true }
+tokio = { workspace = true }
+tokio-stream = { workspace = true }
+krata-oci = { path = "../oci", version = "^0.0.14" }
+krata-tokio-tar = { workspace = true }
+uuid = { workspace = true }
+
+[[bin]]
+name = "build-fetch-kernel"
+path = "bin/fetch_kernel.rs"
--- a/crates/build/bin/fetch_kernel.rs
+++ b/crates/build/bin/fetch_kernel.rs
@ -0,0 +1,121 @@
+use std::{
+    env::{self, args},
+    path::PathBuf,
+};
+
+use anyhow::{anyhow, Result};
+use env_logger::Env;
+use krataoci::{
+    name::ImageName,
+    packer::{service::OciPackerService, OciPackedFormat},
+    progress::OciProgressContext,
+    registry::OciPlatform,
+};
+use oci_spec::image::{Arch, Os};
+use tokio::{
+    fs::{self, File},
+    io::BufReader,
+};
+use tokio_stream::StreamExt;
+use tokio_tar::Archive;
+use uuid::Uuid;
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    env_logger::Builder::from_env(Env::default().default_filter_or("warn")).init();
+    fs::create_dir_all("target/kernel").await?;
+
+    let arch = env::var("TARGET_ARCH").map_err(|_| anyhow!("missing TARGET_ARCH env var"))?;
+    println!("kernel architecture: {}", arch);
+    let platform = OciPlatform::new(
+        Os::Linux,
+        match arch.as_str() {
+            "x86_64" => Arch::Amd64,
+            "aarch64" => Arch::ARM64,
+            _ => {
+                return Err(anyhow!("unknown architecture '{}'", arch));
+            }
+        },
+    );
+
+    let image = ImageName::parse(&args().nth(1).unwrap())?;
+    let mut cache_dir = env::temp_dir().clone();
+    cache_dir.push(format!("krata-cache-{}", Uuid::new_v4()));
+    fs::create_dir_all(&cache_dir).await?;
+
+    let _delete_cache_dir = scopeguard::guard(cache_dir.clone(), |dir| {
+        let _ = std::fs::remove_dir_all(dir);
+    });
+
+    let (context, _) = OciProgressContext::create();
+    let service = OciPackerService::new(None, &cache_dir, platform).await?;
+    let packed = service
+        .request(image.clone(), OciPackedFormat::Tar, false, true, context)
+        .await?;
+    let annotations = packed
+        .manifest
+        .item()
+        .annotations()
+        .clone()
+        .unwrap_or_default();
+    let Some(format) = annotations.get("dev.edera.kernel.format") else {
+        return Err(anyhow!(
+            "image manifest missing 'dev.edera.kernel.format' annotation"
+        ));
+    };
+    let Some(version) = annotations.get("dev.edera.kernel.version") else {
+        return Err(anyhow!(
+            "image manifest missing 'dev.edera.kernel.version' annotation"
+        ));
+    };
+    let Some(flavor) = annotations.get("dev.edera.kernel.flavor") else {
+        return Err(anyhow!(
+            "image manifest missing 'dev.edera.kernel.flavor' annotation"
+        ));
+    };
+
+    if format != "1" {
+        return Err(anyhow!("kernel format version '{}' is unknown", format));
+    }
+
+    let file = BufReader::new(File::open(packed.path).await?);
+    let mut archive = Archive::new(file);
+    let mut entries = archive.entries()?;
+
+    let kernel_image_tar_path = PathBuf::from("kernel/image");
+    let kernel_addons_tar_path = PathBuf::from("kernel/addons.squashfs");
+    let kernel_image_out_path = PathBuf::from(format!("target/kernel/kernel-{}", arch));
+    let kernel_addons_out_path = PathBuf::from(format!("target/kernel/addons-{}.squashfs", arch));
+
+    if kernel_image_out_path.exists() {
+        fs::remove_file(&kernel_image_out_path).await?;
+    }
+
+    if kernel_addons_out_path.exists() {
+        fs::remove_file(&kernel_addons_out_path).await?;
+    }
+
+    while let Some(entry) = entries.next().await {
+        let mut entry = entry?;
+        let path = entry.path()?.to_path_buf();
+
+        if !entry.header().entry_type().is_file() {
+            continue;
+        }
+
+        if path == kernel_image_tar_path {
+            entry.unpack(&kernel_image_out_path).await?;
+        } else if path == kernel_addons_tar_path {
+            entry.unpack(&kernel_addons_out_path).await?;
+        }
+    }
+
+    if !kernel_image_out_path.exists() {
+        return Err(anyhow!("image did not contain a file named /kernel/image"));
+    }
+
+    println!("kernel version: v{}", version);
+    println!("kernel flavor: {}", flavor);
+
+    Ok(())
+}
--- a/crates/ctl/Cargo.toml
+++ b/crates/ctl/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "krata-ctl"
-description = "Command-line tool to control the krata hypervisor"
+description = "Command-line tool to control the krata isolation engine"
 license.workspace = true
 version.workspace = true
 homepage.workspace = true
@ -11,6 +11,7 @@ resolver = "2"
 [dependencies]
 anyhow = { workspace = true }
 async-stream = { workspace = true }
+base64 = { workspace = true }
 clap = { workspace = true }
 comfy-table = { workspace = true }
 crossterm = { workspace = true, features = ["event-stream"] }
@ -19,11 +20,12 @@ env_logger = { workspace = true }
 fancy-duration = { workspace = true }
 human_bytes = { workspace = true }
 indicatif = { workspace = true }
-krata = { path = "../krata", version = "^0.0.9" }
+krata = { path = "../krata", version = "^0.0.14" }
 log = { workspace = true }
 prost-reflect = { workspace = true, features = ["serde"] }
 prost-types = { workspace = true }
 ratatui = { workspace = true }
+serde = { workspace = true }
 serde_json = { workspace = true }
 serde_yaml = { workspace = true }
 termtree = { workspace = true }
--- a/crates/ctl/src/cli/device/list.rs
+++ b/crates/ctl/src/cli/device/list.rs
@ -0,0 +1,128 @@
+use anyhow::Result;
+use clap::{Parser, ValueEnum};
+use comfy_table::{presets::UTF8_FULL_CONDENSED, Cell, Color, Table};
+use krata::{
+    events::EventStream,
+    v1::control::{control_service_client::ControlServiceClient, DeviceInfo, ListDevicesRequest},
+};
+
+use serde_json::Value;
+use tonic::transport::Channel;
+
+use crate::format::{kv2line, proto2dynamic, proto2kv};
+
+#[derive(ValueEnum, Clone, Debug, PartialEq, Eq)]
+enum DeviceListFormat {
+    Table,
+    Json,
+    JsonPretty,
+    Jsonl,
+    Yaml,
+    KeyValue,
+    Simple,
+}
+
+#[derive(Parser)]
+#[command(about = "List the devices on the isolation engine")]
+pub struct DeviceListCommand {
+    #[arg(short, long, default_value = "table", help = "Output format")]
+    format: DeviceListFormat,
+}
+
+impl DeviceListCommand {
+    pub async fn run(
+        self,
+        mut client: ControlServiceClient<Channel>,
+        _events: EventStream,
+    ) -> Result<()> {
+        let reply = client
+            .list_devices(ListDevicesRequest {})
+            .await?
+            .into_inner();
+        let mut devices = reply.devices;
+
+        devices.sort_by(|a, b| a.name.cmp(&b.name));
+
+        match self.format {
+            DeviceListFormat::Table => {
+                self.print_devices_table(devices)?;
+            }
+
+            DeviceListFormat::Simple => {
+                for device in devices {
+                    println!("{}\t{}\t{}", device.name, device.claimed, device.owner);
+                }
+            }
+
+            DeviceListFormat::Json | DeviceListFormat::JsonPretty | DeviceListFormat::Yaml => {
+                let mut values = Vec::new();
+                for device in devices {
+                    let message = proto2dynamic(device)?;
+                    values.push(serde_json::to_value(message)?);
+                }
+                let value = Value::Array(values);
+                let encoded = if self.format == DeviceListFormat::JsonPretty {
+                    serde_json::to_string_pretty(&value)?
+                } else if self.format == DeviceListFormat::Yaml {
+                    serde_yaml::to_string(&value)?
+                } else {
+                    serde_json::to_string(&value)?
+                };
+                println!("{}", encoded.trim());
+            }
+
+            DeviceListFormat::Jsonl => {
+                for device in devices {
+                    let message = proto2dynamic(device)?;
+                    println!("{}", serde_json::to_string(&message)?);
+                }
+            }
+
+            DeviceListFormat::KeyValue => {
+                self.print_key_value(devices)?;
+            }
+        }
+
+        Ok(())
+    }
+
+    fn print_devices_table(&self, devices: Vec<DeviceInfo>) -> Result<()> {
+        let mut table = Table::new();
+        table.load_preset(UTF8_FULL_CONDENSED);
+        table.set_content_arrangement(comfy_table::ContentArrangement::Dynamic);
+        table.set_header(vec!["name", "status", "owner"]);
+        for device in devices {
+            let status_text = if device.claimed {
+                "claimed"
+            } else {
+                "available"
+            };
+
+            let status_color = if device.claimed {
+                Color::Blue
+            } else {
+                Color::Green
+            };
+
+            table.add_row(vec![
+                Cell::new(device.name),
+                Cell::new(status_text).fg(status_color),
+                Cell::new(device.owner),
+            ]);
+        }
+        if table.is_empty() {
+            println!("no devices configured");
+        } else {
+            println!("{}", table);
+        }
+        Ok(())
+    }
+
+    fn print_key_value(&self, devices: Vec<DeviceInfo>) -> Result<()> {
+        for device in devices {
+            let kvs = proto2kv(device)?;
+            println!("{}", kv2line(kvs));
+        }
+        Ok(())
+    }
+}
--- a/crates/ctl/src/cli/device/mod.rs
+++ b/crates/ctl/src/cli/device/mod.rs
@ -0,0 +1,44 @@
+use anyhow::Result;
+use clap::{Parser, Subcommand};
+use tonic::transport::Channel;
+
+use krata::events::EventStream;
+use krata::v1::control::control_service_client::ControlServiceClient;
+
+use crate::cli::device::list::DeviceListCommand;
+
+pub mod list;
+
+#[derive(Parser)]
+#[command(about = "Manage the devices on the isolation engine")]
+pub struct DeviceCommand {
+    #[command(subcommand)]
+    subcommand: DeviceCommands,
+}
+
+impl DeviceCommand {
+    pub async fn run(
+        self,
+        client: ControlServiceClient<Channel>,
+        events: EventStream,
+    ) -> Result<()> {
+        self.subcommand.run(client, events).await
+    }
+}
+
+#[derive(Subcommand)]
+pub enum DeviceCommands {
+    List(DeviceListCommand),
+}
+
+impl DeviceCommands {
+    pub async fn run(
+        self,
+        client: ControlServiceClient<Channel>,
+        events: EventStream,
+    ) -> Result<()> {
+        match self {
+            DeviceCommands::List(list) => list.run(client, events).await,
+        }
+    }
+}
--- a/crates/ctl/src/cli/host/cpu_topology.rs
+++ b/crates/ctl/src/cli/host/cpu_topology.rs
@ -0,0 +1,60 @@
+use anyhow::Result;
+use clap::{Parser, ValueEnum};
+use comfy_table::presets::UTF8_FULL_CONDENSED;
+use comfy_table::{Cell, Table};
+use krata::v1::control::{
+    control_service_client::ControlServiceClient, HostCpuTopologyClass, HostCpuTopologyRequest,
+};
+
+use tonic::{transport::Channel, Request};
+
+fn class_to_str(input: HostCpuTopologyClass) -> String {
+    match input {
+        HostCpuTopologyClass::Standard => "Standard".to_string(),
+        HostCpuTopologyClass::Performance => "Performance".to_string(),
+        HostCpuTopologyClass::Efficiency => "Efficiency".to_string(),
+    }
+}
+
+#[derive(ValueEnum, Clone, Debug, PartialEq, Eq)]
+enum HostCpuTopologyFormat {
+    Table,
+}
+
+#[derive(Parser)]
+#[command(about = "Display information about the host CPU topology")]
+pub struct HostCpuTopologyCommand {
+    #[arg(short, long, default_value = "table", help = "Output format")]
+    format: HostCpuTopologyFormat,
+}
+
+impl HostCpuTopologyCommand {
+    pub async fn run(self, mut client: ControlServiceClient<Channel>) -> Result<()> {
+        let response = client
+            .get_host_cpu_topology(Request::new(HostCpuTopologyRequest {}))
+            .await?
+            .into_inner();
+
+        let mut table = Table::new();
+        table.load_preset(UTF8_FULL_CONDENSED);
+        table.set_content_arrangement(comfy_table::ContentArrangement::Dynamic);
+        table.set_header(vec!["id", "node", "socket", "core", "thread", "class"]);
+
+        for (i, cpu) in response.cpus.iter().enumerate() {
+            table.add_row(vec![
+                Cell::new(i),
+                Cell::new(cpu.node),
+                Cell::new(cpu.socket),
+                Cell::new(cpu.core),
+                Cell::new(cpu.thread),
+                Cell::new(class_to_str(cpu.class())),
+            ]);
+        }
+
+        if !table.is_empty() {
+            println!("{}", table);
+        }
+
+        Ok(())
+    }
+}
--- a/crates/ctl/src/cli/host/identify.rs
+++ b/crates/ctl/src/cli/host/identify.rs
@ -0,0 +1,22 @@
+use anyhow::Result;
+use clap::Parser;
+use krata::v1::control::{control_service_client::ControlServiceClient, IdentifyHostRequest};
+
+use tonic::{transport::Channel, Request};
+
+#[derive(Parser)]
+#[command(about = "Identify information about the host")]
+pub struct HostIdentifyCommand {}
+
+impl HostIdentifyCommand {
+    pub async fn run(self, mut client: ControlServiceClient<Channel>) -> Result<()> {
+        let response = client
+            .identify_host(Request::new(IdentifyHostRequest {}))
+            .await?
+            .into_inner();
+        println!("Host UUID: {}", response.host_uuid);
+        println!("Host Domain: {}", response.host_domid);
+        println!("Krata Version: {}", response.krata_version);
+        Ok(())
+    }
+}
--- a/crates/ctl/src/cli/host/idm_snoop.rs
+++ b/crates/ctl/src/cli/host/idm_snoop.rs
@ -0,0 +1,157 @@
+use anyhow::Result;
+use base64::Engine;
+use clap::{Parser, ValueEnum};
+use krata::{
+    events::EventStream,
+    idm::{internal, serialize::IdmSerializable, transport::IdmTransportPacketForm},
+    v1::control::{control_service_client::ControlServiceClient, SnoopIdmReply, SnoopIdmRequest},
+};
+
+use serde::{Deserialize, Serialize};
+use serde_json::Value;
+use tokio_stream::StreamExt;
+use tonic::transport::Channel;
+
+use crate::format::{kv2line, proto2dynamic, value2kv};
+
+#[derive(ValueEnum, Clone, Debug, PartialEq, Eq)]
+enum HostIdmSnoopFormat {
+    Simple,
+    Jsonl,
+    KeyValue,
+}
+
+#[derive(Parser)]
+#[command(about = "Snoop on the IDM bus")]
+pub struct HostIdmSnoopCommand {
+    #[arg(short, long, default_value = "simple", help = "Output format")]
+    format: HostIdmSnoopFormat,
+}
+
+impl HostIdmSnoopCommand {
+    pub async fn run(
+        self,
+        mut client: ControlServiceClient<Channel>,
+        _events: EventStream,
+    ) -> Result<()> {
+        let mut stream = client.snoop_idm(SnoopIdmRequest {}).await?.into_inner();
+
+        while let Some(reply) = stream.next().await {
+            let reply = reply?;
+            let Some(line) = convert_idm_snoop(reply) else {
+                continue;
+            };
+
+            match self.format {
+                HostIdmSnoopFormat::Simple => {
+                    self.print_simple(line)?;
+                }
+
+                HostIdmSnoopFormat::Jsonl => {
+                    let encoded = serde_json::to_string(&line)?;
+                    println!("{}", encoded.trim());
+                }
+
+                HostIdmSnoopFormat::KeyValue => {
+                    self.print_key_value(line)?;
+                }
+            }
+        }
+
+        Ok(())
+    }
+
+    fn print_simple(&self, line: IdmSnoopLine) -> Result<()> {
+        let encoded = if !line.packet.decoded.is_null() {
+            serde_json::to_string(&line.packet.decoded)?
+        } else {
+            base64::prelude::BASE64_STANDARD.encode(&line.packet.data)
+        };
+        println!(
+            "({} -> {}) {} {} {}",
+            line.from, line.to, line.packet.id, line.packet.form, encoded
+        );
+        Ok(())
+    }
+
+    fn print_key_value(&self, line: IdmSnoopLine) -> Result<()> {
+        let kvs = value2kv(serde_json::to_value(line)?)?;
+        println!("{}", kv2line(kvs));
+        Ok(())
+    }
+}
+
+#[derive(Serialize, Deserialize)]
+pub struct IdmSnoopLine {
+    pub from: String,
+    pub to: String,
+    pub packet: IdmSnoopData,
+}
+
+#[derive(Serialize, Deserialize)]
+pub struct IdmSnoopData {
+    pub id: u64,
+    pub channel: u64,
+    pub form: String,
+    pub data: String,
+    pub decoded: Value,
+}
+
+pub fn convert_idm_snoop(reply: SnoopIdmReply) -> Option<IdmSnoopLine> {
+    let packet = &(reply.packet?);
+
+    let decoded = if packet.channel == 0 {
+        match packet.form() {
+            IdmTransportPacketForm::Event => internal::Event::decode(&packet.data)
+                .ok()
+                .and_then(|event| proto2dynamic(event).ok()),
+
+            IdmTransportPacketForm::Request
+            | IdmTransportPacketForm::StreamRequest
+            | IdmTransportPacketForm::StreamRequestUpdate => {
+                internal::Request::decode(&packet.data)
+                    .ok()
+                    .and_then(|event| proto2dynamic(event).ok())
+            }
+
+            IdmTransportPacketForm::Response | IdmTransportPacketForm::StreamResponseUpdate => {
+                internal::Response::decode(&packet.data)
+                    .ok()
+                    .and_then(|event| proto2dynamic(event).ok())
+            }
+
+            _ => None,
+        }
+    } else {
+        None
+    };
+
+    let decoded = decoded
+        .and_then(|message| serde_json::to_value(message).ok())
+        .unwrap_or(Value::Null);
+
+    let data = IdmSnoopData {
+        id: packet.id,
+        channel: packet.channel,
+        form: match packet.form() {
+            IdmTransportPacketForm::Raw => "raw".to_string(),
+            IdmTransportPacketForm::Event => "event".to_string(),
+            IdmTransportPacketForm::Request => "request".to_string(),
+            IdmTransportPacketForm::Response => "response".to_string(),
+            IdmTransportPacketForm::StreamRequest => "stream-request".to_string(),
+            IdmTransportPacketForm::StreamRequestUpdate => "stream-request-update".to_string(),
+            IdmTransportPacketForm::StreamRequestClosed => "stream-request-closed".to_string(),
+            IdmTransportPacketForm::StreamResponseUpdate => "stream-response-update".to_string(),
+            IdmTransportPacketForm::StreamResponseClosed => "stream-response-closed".to_string(),
+            _ => format!("unknown-{}", packet.form),
+        },
+        data: base64::prelude::BASE64_STANDARD.encode(&packet.data),
+        decoded,
+    };
+
+    Some(IdmSnoopLine {
+        from: reply.from,
+        to: reply.to,
+        packet: data,
+    })
+}
--- a/crates/ctl/src/cli/host/mod.rs
+++ b/crates/ctl/src/cli/host/mod.rs
@ -0,0 +1,54 @@
+use anyhow::Result;
+use clap::{Parser, Subcommand};
+use tonic::transport::Channel;
+
+use krata::events::EventStream;
+use krata::v1::control::control_service_client::ControlServiceClient;
+
+use crate::cli::host::cpu_topology::HostCpuTopologyCommand;
+use crate::cli::host::identify::HostIdentifyCommand;
+use crate::cli::host::idm_snoop::HostIdmSnoopCommand;
+
+pub mod cpu_topology;
+pub mod identify;
+pub mod idm_snoop;
+
+#[derive(Parser)]
+#[command(about = "Manage the host of the isolation engine")]
+pub struct HostCommand {
+    #[command(subcommand)]
+    subcommand: HostCommands,
+}
+
+impl HostCommand {
+    pub async fn run(
+        self,
+        client: ControlServiceClient<Channel>,
+        events: EventStream,
+    ) -> Result<()> {
+        self.subcommand.run(client, events).await
+    }
+}
+
+#[derive(Subcommand)]
+pub enum HostCommands {
+    CpuTopology(HostCpuTopologyCommand),
+    Identify(HostIdentifyCommand),
+    IdmSnoop(HostIdmSnoopCommand),
+}
+
+impl HostCommands {
+    pub async fn run(
+        self,
+        client: ControlServiceClient<Channel>,
+        events: EventStream,
+    ) -> Result<()> {
+        match self {
+            HostCommands::CpuTopology(cpu_topology) => cpu_topology.run(client).await,
+
+            HostCommands::Identify(identify) => identify.run(client).await,
+
+            HostCommands::IdmSnoop(snoop) => snoop.run(client, events).await,
+        }
+    }
+}
--- a/crates/ctl/src/cli/idm_snoop.rs
+++ b/crates/ctl/src/cli/idm_snoop.rs
@ -1,74 +0,0 @@
-use anyhow::Result;
-use clap::{Parser, ValueEnum};
-use krata::{
-    events::EventStream,
-    v1::control::{control_service_client::ControlServiceClient, SnoopIdmReply, SnoopIdmRequest},
-};
-
-use tokio_stream::StreamExt;
-use tonic::transport::Channel;
-
-use crate::format::{kv2line, proto2dynamic, proto2kv};
-
-#[derive(ValueEnum, Clone, Debug, PartialEq, Eq)]
-enum IdmSnoopFormat {
-    Simple,
-    Jsonl,
-    KeyValue,
-}
-
-#[derive(Parser)]
-#[command(about = "Snoop on the IDM bus")]
-pub struct IdmSnoopCommand {
-    #[arg(short, long, default_value = "simple", help = "Output format")]
-    format: IdmSnoopFormat,
-}
-
-impl IdmSnoopCommand {
-    pub async fn run(
-        self,
-        mut client: ControlServiceClient<Channel>,
-        _events: EventStream,
-    ) -> Result<()> {
-        let mut stream = client.snoop_idm(SnoopIdmRequest {}).await?.into_inner();
-
-        while let Some(reply) = stream.next().await {
-            let reply = reply?;
-            match self.format {
-                IdmSnoopFormat::Simple => {
-                    self.print_simple(reply)?;
-                }
-
-                IdmSnoopFormat::Jsonl => {
-                    let value = serde_json::to_value(proto2dynamic(reply)?)?;
-                    let encoded = serde_json::to_string(&value)?;
-                    println!("{}", encoded.trim());
-                }
-
-                IdmSnoopFormat::KeyValue => {
-                    self.print_key_value(reply)?;
-                }
-            }
-        }
-
-        Ok(())
-    }
-
-    fn print_simple(&self, reply: SnoopIdmReply) -> Result<()> {
-        let from = reply.from;
-        let to = reply.to;
-        let Some(packet) = reply.packet else {
-            return Ok(());
-        };
-        let value = serde_json::to_value(proto2dynamic(packet)?)?;
-        let encoded = serde_json::to_string(&value)?;
-        println!("({} -> {}) {}", from, to, encoded);
-        Ok(())
-    }
-
-    fn print_key_value(&self, reply: SnoopIdmReply) -> Result<()> {
-        let kvs = proto2kv(reply)?;
-        println!("{}", kv2line(kvs));
-        Ok(())
-    }
-}
--- a/crates/ctl/src/cli/image/mod.rs
+++ b/crates/ctl/src/cli/image/mod.rs
@ -0,0 +1,44 @@
+use anyhow::Result;
+use clap::{Parser, Subcommand};
+use tonic::transport::Channel;
+
+use krata::events::EventStream;
+use krata::v1::control::control_service_client::ControlServiceClient;
+
+use crate::cli::image::pull::ImagePullCommand;
+
+pub mod pull;
+
+#[derive(Parser)]
+#[command(about = "Manage the images on the isolation engine")]
+pub struct ImageCommand {
+    #[command(subcommand)]
+    subcommand: ImageCommands,
+}
+
+impl ImageCommand {
+    pub async fn run(
+        self,
+        client: ControlServiceClient<Channel>,
+        events: EventStream,
+    ) -> Result<()> {
+        self.subcommand.run(client, events).await
+    }
+}
+
+#[derive(Subcommand)]
+pub enum ImageCommands {
+    Pull(ImagePullCommand),
+}
+
+impl ImageCommands {
+    pub async fn run(
+        self,
+        client: ControlServiceClient<Channel>,
+        _events: EventStream,
+    ) -> Result<()> {
+        match self {
+            ImageCommands::Pull(pull) => pull.run(client).await,
+        }
+    }
+}
--- a/crates/ctl/src/cli/image/pull.rs
+++ b/crates/ctl/src/cli/image/pull.rs
@ -1,7 +1,7 @@
 use anyhow::Result;
 use clap::{Parser, ValueEnum};
 use krata::v1::{
-    common::GuestOciImageFormat,
+    common::OciImageFormat,
    control::{control_service_client::ControlServiceClient, PullImageRequest},
 };

@ -10,29 +10,35 @@ use tonic::transport::Channel;
 use crate::pull::pull_interactive_progress;

 #[derive(ValueEnum, Clone, Debug, PartialEq, Eq)]
-pub enum PullImageFormat {
+pub enum ImagePullImageFormat {
    Squashfs,
    Erofs,
+    Tar,
 }

 #[derive(Parser)]
 #[command(about = "Pull an image into the cache")]
-pub struct PullCommand {
+pub struct ImagePullCommand {
    #[arg(help = "Image name")]
    image: String,
    #[arg(short = 's', long, default_value = "squashfs", help = "Image format")]
-    image_format: PullImageFormat,
+    image_format: ImagePullImageFormat,
+    #[arg(short = 'o', long, help = "Overwrite image cache")]
+    overwrite_cache: bool,
 }

-impl PullCommand {
+impl ImagePullCommand {
    pub async fn run(self, mut client: ControlServiceClient<Channel>) -> Result<()> {
        let response = client
            .pull_image(PullImageRequest {
                image: self.image.clone(),
                format: match self.image_format {
-                    PullImageFormat::Squashfs => GuestOciImageFormat::Squashfs.into(),
-                    PullImageFormat::Erofs => GuestOciImageFormat::Erofs.into(),
+                    ImagePullImageFormat::Squashfs => OciImageFormat::Squashfs.into(),
+                    ImagePullImageFormat::Erofs => OciImageFormat::Erofs.into(),
+                    ImagePullImageFormat::Tar => OciImageFormat::Tar.into(),
                },
+                overwrite_cache: self.overwrite_cache,
+                update: true,
            })
            .await?;
        let reply = pull_interactive_progress(response.into_inner()).await?;
--- a/crates/ctl/src/cli/launch.rs
+++ b/crates/ctl/src/cli/launch.rs
@ -1,192 +0,0 @@
-use std::collections::HashMap;
-
-use anyhow::Result;
-use clap::Parser;
-use krata::{
-    events::EventStream,
-    v1::{
-        common::{
-            guest_image_spec::Image, GuestImageSpec, GuestOciImageFormat, GuestOciImageSpec,
-            GuestSpec, GuestStatus, GuestTaskSpec, GuestTaskSpecEnvVar,
-        },
-        control::{
-            control_service_client::ControlServiceClient, watch_events_reply::Event,
-            CreateGuestRequest, PullImageRequest,
-        },
-    },
-};
-use log::error;
-use tokio::select;
-use tonic::{transport::Channel, Request};
-
-use crate::{console::StdioConsoleStream, pull::pull_interactive_progress};
-
-use super::pull::PullImageFormat;
-
-#[derive(Parser)]
-#[command(about = "Launch a new guest")]
-pub struct LauchCommand {
-    #[arg(short = 'S', long, default_value = "squashfs", help = "Image format")]
-    image_format: PullImageFormat,
-    #[arg(short, long, help = "Name of the guest")]
-    name: Option<String>,
-    #[arg(
-        short,
-        long,
-        default_value_t = 1,
-        help = "vCPUs available to the guest"
-    )]
-    cpus: u32,
-    #[arg(
-        short,
-        long,
-        default_value_t = 512,
-        help = "Memory available to the guest, in megabytes"
-    )]
-    mem: u64,
-    #[arg[short, long, help = "Environment variables set in the guest"]]
-    env: Option<Vec<String>>,
-    #[arg(
-        short,
-        long,
-        help = "Attach to the guest after guest starts, implies --wait"
-    )]
-    attach: bool,
-    #[arg(
-        short = 'W',
-        long,
-        help = "Wait for the guest to start, implied by --attach"
-    )]
-    wait: bool,
-    #[arg(help = "Container image for guest to use")]
-    oci: String,
-    #[arg(
-        allow_hyphen_values = true,
-        trailing_var_arg = true,
-        help = "Command to run inside the guest"
-    )]
-    command: Vec<String>,
-}
-
-impl LauchCommand {
-    pub async fn run(
-        self,
-        mut client: ControlServiceClient<Channel>,
-        events: EventStream,
-    ) -> Result<()> {
-        let response = client
-            .pull_image(PullImageRequest {
-                image: self.oci.clone(),
-                format: match self.image_format {
-                    PullImageFormat::Squashfs => GuestOciImageFormat::Squashfs.into(),
-                    PullImageFormat::Erofs => GuestOciImageFormat::Erofs.into(),
-                },
-            })
-            .await?;
-        let reply = pull_interactive_progress(response.into_inner()).await?;
-
-        let request = CreateGuestRequest {
-            spec: Some(GuestSpec {
-                name: self.name.unwrap_or_default(),
-                image: Some(GuestImageSpec {
-                    image: Some(Image::Oci(GuestOciImageSpec {
-                        digest: reply.digest,
-                        format: reply.format,
-                    })),
-                }),
-                vcpus: self.cpus,
-                mem: self.mem,
-                task: Some(GuestTaskSpec {
-                    environment: env_map(&self.env.unwrap_or_default())
-                        .iter()
-                        .map(|(key, value)| GuestTaskSpecEnvVar {
-                            key: key.clone(),
-                            value: value.clone(),
-                        })
-                        .collect(),
-                    command: self.command,
-                }),
-                annotations: vec![],
-            }),
-        };
-        let response = client
-            .create_guest(Request::new(request))
-            .await?
-            .into_inner();
-        let id = response.guest_id;
-
-        if self.wait || self.attach {
-            wait_guest_started(&id, events.clone()).await?;
-        }
-
-        let code = if self.attach {
-            let input = StdioConsoleStream::stdin_stream(id.clone()).await;
-            let output = client.console_data(input).await?.into_inner();
-            let stdout_handle =
-                tokio::task::spawn(async move { StdioConsoleStream::stdout(output).await });
-            let exit_hook_task = StdioConsoleStream::guest_exit_hook(id.clone(), events).await?;
-            select! {
-                x = stdout_handle => {
-                    x??;
-                    None
-                },
-                x = exit_hook_task => x?
-            }
-        } else {
-            println!("{}", id);
-            None
-        };
-        StdioConsoleStream::restore_terminal_mode();
-        std::process::exit(code.unwrap_or(0));
-    }
-}
-
-async fn wait_guest_started(id: &str, events: EventStream) -> Result<()> {
-    let mut stream = events.subscribe();
-    while let Ok(event) = stream.recv().await {
-        match event {
-            Event::GuestChanged(changed) => {
-                let Some(guest) = changed.guest else {
-                    continue;
-                };
-
-                if guest.id != id {
-                    continue;
-                }
-
-                let Some(state) = guest.state else {
-                    continue;
-                };
-
-                if let Some(ref error) = state.error_info {
-                    if state.status() == GuestStatus::Failed {
-                        error!("launch failed: {}", error.message);
-                        std::process::exit(1);
-                    } else {
-                        error!("guest error: {}", error.message);
-                    }
-                }
-
-                if state.status() == GuestStatus::Destroyed {
-                    error!("guest destroyed");
-                    std::process::exit(1);
-                }
-
-                if state.status() == GuestStatus::Started {
-                    break;
-                }
-            }
-        }
-    }
-    Ok(())
-}
-
-fn env_map(env: &[String]) -> HashMap<String, String> {
-    let mut map = HashMap::<String, String>::new();
-    for item in env {
-        if let Some((key, value)) = item.split_once('=') {
-            map.insert(key.to_string(), value.to_string());
-        }
-    }
-    map
-}
--- a/crates/ctl/src/cli/mod.rs
+++ b/crates/ctl/src/cli/mod.rs
@ -1,61 +1,42 @@
-pub mod attach;
-pub mod destroy;
-pub mod idm_snoop;
-pub mod launch;
-pub mod list;
-pub mod logs;
-pub mod metrics;
-pub mod pull;
-pub mod resolve;
-pub mod top;
-pub mod watch;
+pub mod device;
+pub mod host;
+pub mod image;
+pub mod zone;

+use crate::cli::device::DeviceCommand;
+use crate::cli::host::HostCommand;
+use crate::cli::image::ImageCommand;
+use crate::cli::zone::ZoneCommand;
 use anyhow::{anyhow, Result};
-use clap::{Parser, Subcommand};
+use clap::Parser;
 use krata::{
    client::ControlClientProvider,
    events::EventStream,
-    v1::control::{control_service_client::ControlServiceClient, ResolveGuestRequest},
+    v1::control::{control_service_client::ControlServiceClient, ResolveZoneRequest},
 };
 use tonic::{transport::Channel, Request};

-use self::{
-    attach::AttachCommand, destroy::DestroyCommand, idm_snoop::IdmSnoopCommand,
-    launch::LauchCommand, list::ListCommand, logs::LogsCommand, metrics::MetricsCommand,
-    pull::PullCommand, resolve::ResolveCommand, top::TopCommand, watch::WatchCommand,
-};
-
 #[derive(Parser)]
-#[command(
-    version,
-    about = "Control the krata hypervisor, a secure platform for running containers"
-)]
+#[command(version, about = "Control the krata isolation engine")]
 pub struct ControlCommand {
    #[arg(
        short,
        long,
-        help = "The connection URL to the krata hypervisor",
+        help = "The connection URL to the krata isolation engine",
        default_value = "unix:///var/lib/krata/daemon.socket"
    )]
    connection: String,

    #[command(subcommand)]
-    command: Commands,
+    command: ControlCommands,
 }

-#[derive(Subcommand)]
-pub enum Commands {
-    Launch(LauchCommand),
-    Destroy(DestroyCommand),
-    List(ListCommand),
-    Attach(AttachCommand),
-    Pull(PullCommand),
-    Logs(LogsCommand),
-    Watch(WatchCommand),
-    Resolve(ResolveCommand),
-    Metrics(MetricsCommand),
-    IdmSnoop(IdmSnoopCommand),
-    Top(TopCommand),
+#[derive(Parser)]
+pub enum ControlCommands {
+    Zone(ZoneCommand),
+    Image(ImageCommand),
+    Device(DeviceCommand),
+    Host(HostCommand),
 }

 impl ControlCommand {
@ -64,68 +45,31 @@ impl ControlCommand {
        let events = EventStream::open(client.clone()).await?;

        match self.command {
-            Commands::Launch(launch) => {
-                launch.run(client, events).await?;
-            }
+            ControlCommands::Zone(zone) => zone.run(client, events).await,

-            Commands::Destroy(destroy) => {
-                destroy.run(client, events).await?;
-            }
+            ControlCommands::Image(image) => image.run(client, events).await,

-            Commands::Attach(attach) => {
-                attach.run(client, events).await?;
-            }
+            ControlCommands::Device(device) => device.run(client, events).await,

-            Commands::Logs(logs) => {
-                logs.run(client, events).await?;
-            }
-
-            Commands::List(list) => {
-                list.run(client, events).await?;
-            }
-
-            Commands::Watch(watch) => {
-                watch.run(events).await?;
-            }
-
-            Commands::Resolve(resolve) => {
-                resolve.run(client).await?;
-            }
-
-            Commands::Metrics(metrics) => {
-                metrics.run(client, events).await?;
-            }
-
-            Commands::IdmSnoop(snoop) => {
-                snoop.run(client, events).await?;
-            }
-
-            Commands::Top(top) => {
-                top.run(client, events).await?;
-            }
-
-            Commands::Pull(pull) => {
-                pull.run(client).await?;
-            }
+            ControlCommands::Host(snoop) => snoop.run(client, events).await,
        }
-        Ok(())
    }
 }

-pub async fn resolve_guest(
+pub async fn resolve_zone(
    client: &mut ControlServiceClient<Channel>,
    name: &str,
 ) -> Result<String> {
    let reply = client
-        .resolve_guest(Request::new(ResolveGuestRequest {
+        .resolve_zone(Request::new(ResolveZoneRequest {
            name: name.to_string(),
        }))
        .await?
        .into_inner();

-    if let Some(guest) = reply.guest {
-        Ok(guest.id)
+    if let Some(zone) = reply.zone {
+        Ok(zone.id)
    } else {
-        Err(anyhow!("unable to resolve guest '{}'", name))
+        Err(anyhow!("unable to resolve zone '{}'", name))
    }
 }
--- a/crates/ctl/src/cli/zone/attach.rs
+++ b/crates/ctl/src/cli/zone/attach.rs
@ -7,27 +7,27 @@ use tonic::transport::Channel;

 use crate::console::StdioConsoleStream;

-use super::resolve_guest;
+use crate::cli::resolve_zone;

 #[derive(Parser)]
-#[command(about = "Attach to the guest console")]
-pub struct AttachCommand {
-    #[arg(help = "Guest to attach to, either the name or the uuid")]
-    guest: String,
+#[command(about = "Attach to the zone console")]
+pub struct ZoneAttachCommand {
+    #[arg(help = "Zone to attach to, either the name or the uuid")]
+    zone: String,
 }

-impl AttachCommand {
+impl ZoneAttachCommand {
    pub async fn run(
        self,
        mut client: ControlServiceClient<Channel>,
        events: EventStream,
    ) -> Result<()> {
-        let guest_id: String = resolve_guest(&mut client, &self.guest).await?;
-        let input = StdioConsoleStream::stdin_stream(guest_id.clone()).await;
-        let output = client.console_data(input).await?.into_inner();
+        let zone_id: String = resolve_zone(&mut client, &self.zone).await?;
+        let input = StdioConsoleStream::stdin_stream(zone_id.clone()).await;
+        let output = client.attach_zone_console(input).await?.into_inner();
        let stdout_handle =
            tokio::task::spawn(async move { StdioConsoleStream::stdout(output).await });
-        let exit_hook_task = StdioConsoleStream::guest_exit_hook(guest_id.clone(), events).await?;
+        let exit_hook_task = StdioConsoleStream::zone_exit_hook(zone_id.clone(), events).await?;
        let code = select! {
            x = stdout_handle => {
                x??;
--- a/crates/ctl/src/cli/zone/destroy.rs
+++ b/crates/ctl/src/cli/zone/destroy.rs
@ -3,10 +3,10 @@ use clap::Parser;
 use krata::{
    events::EventStream,
    v1::{
-        common::GuestStatus,
+        common::ZoneStatus,
        control::{
            control_service_client::ControlServiceClient, watch_events_reply::Event,
-            DestroyGuestRequest,
+            DestroyZoneRequest,
        },
    },
 };
@ -14,67 +14,67 @@ use krata::{
 use log::error;
 use tonic::{transport::Channel, Request};

-use crate::cli::resolve_guest;
+use crate::cli::resolve_zone;

 #[derive(Parser)]
-#[command(about = "Destroy a guest")]
-pub struct DestroyCommand {
+#[command(about = "Destroy a zone")]
+pub struct ZoneDestroyCommand {
    #[arg(
        short = 'W',
        long,
-        help = "Wait for the destruction of the guest to complete"
+        help = "Wait for the destruction of the zone to complete"
    )]
    wait: bool,
-    #[arg(help = "Guest to destroy, either the name or the uuid")]
-    guest: String,
+    #[arg(help = "Zone to destroy, either the name or the uuid")]
+    zone: String,
 }

-impl DestroyCommand {
+impl ZoneDestroyCommand {
    pub async fn run(
        self,
        mut client: ControlServiceClient<Channel>,
        events: EventStream,
    ) -> Result<()> {
-        let guest_id: String = resolve_guest(&mut client, &self.guest).await?;
+        let zone_id: String = resolve_zone(&mut client, &self.zone).await?;
        let _ = client
-            .destroy_guest(Request::new(DestroyGuestRequest {
-                guest_id: guest_id.clone(),
+            .destroy_zone(Request::new(DestroyZoneRequest {
+                zone_id: zone_id.clone(),
            }))
            .await?
            .into_inner();
        if self.wait {
-            wait_guest_destroyed(&guest_id, events).await?;
+            wait_zone_destroyed(&zone_id, events).await?;
        }
        Ok(())
    }
 }

-async fn wait_guest_destroyed(id: &str, events: EventStream) -> Result<()> {
+async fn wait_zone_destroyed(id: &str, events: EventStream) -> Result<()> {
    let mut stream = events.subscribe();
    while let Ok(event) = stream.recv().await {
-        let Event::GuestChanged(changed) = event;
-        let Some(guest) = changed.guest else {
+        let Event::ZoneChanged(changed) = event;
+        let Some(zone) = changed.zone else {
            continue;
        };

-        if guest.id != id {
+        if zone.id != id {
            continue;
        }

-        let Some(state) = guest.state else {
+        let Some(state) = zone.state else {
            continue;
        };

        if let Some(ref error) = state.error_info {
-            if state.status() == GuestStatus::Failed {
+            if state.status() == ZoneStatus::Failed {
                error!("destroy failed: {}", error.message);
                std::process::exit(1);
            } else {
-                error!("guest error: {}", error.message);
+                error!("zone error: {}", error.message);
            }
        }

-        if state.status() == GuestStatus::Destroyed {
+        if state.status() == ZoneStatus::Destroyed {
            std::process::exit(0);
        }
    }
--- a/crates/ctl/src/cli/zone/exec.rs
+++ b/crates/ctl/src/cli/zone/exec.rs
@ -0,0 +1,70 @@
+use std::collections::HashMap;
+
+use anyhow::Result;
+
+use clap::Parser;
+use krata::v1::{
+    common::{ZoneTaskSpec, ZoneTaskSpecEnvVar},
+    control::{control_service_client::ControlServiceClient, ExecZoneRequest},
+};
+
+use tonic::{transport::Channel, Request};
+
+use crate::console::StdioConsoleStream;
+
+use crate::cli::resolve_zone;
+
+#[derive(Parser)]
+#[command(about = "Execute a command inside the zone")]
+pub struct ZoneExecCommand {
+    #[arg[short, long, help = "Environment variables"]]
+    env: Option<Vec<String>>,
+    #[arg(short = 'w', long, help = "Working directory")]
+    working_directory: Option<String>,
+    #[arg(help = "Zone to exec inside, either the name or the uuid")]
+    zone: String,
+    #[arg(
+        allow_hyphen_values = true,
+        trailing_var_arg = true,
+        help = "Command to run inside the zone"
+    )]
+    command: Vec<String>,
+}
+
+impl ZoneExecCommand {
+    pub async fn run(self, mut client: ControlServiceClient<Channel>) -> Result<()> {
+        let zone_id: String = resolve_zone(&mut client, &self.zone).await?;
+        let initial = ExecZoneRequest {
+            zone_id,
+            task: Some(ZoneTaskSpec {
+                environment: env_map(&self.env.unwrap_or_default())
+                    .iter()
+                    .map(|(key, value)| ZoneTaskSpecEnvVar {
+                        key: key.clone(),
+                        value: value.clone(),
+                    })
+                    .collect(),
+                command: self.command,
+                working_directory: self.working_directory.unwrap_or_default(),
+            }),
+            data: vec![],
+        };
+
+        let stream = StdioConsoleStream::stdin_stream_exec(initial).await;
+
+        let response = client.exec_zone(Request::new(stream)).await?.into_inner();
+
+        let code = StdioConsoleStream::exec_output(response).await?;
+        std::process::exit(code);
+    }
+}
+
+fn env_map(env: &[String]) -> HashMap<String, String> {
+    let mut map = HashMap::<String, String>::new();
+    for item in env {
+        if let Some((key, value)) = item.split_once('=') {
+            map.insert(key.to_string(), value.to_string());
+        }
+    }
+    map
+}
--- a/crates/ctl/src/cli/zone/launch.rs
+++ b/crates/ctl/src/cli/zone/launch.rs
@ -0,0 +1,247 @@
+use std::collections::HashMap;
+
+use anyhow::Result;
+use clap::{Parser, ValueEnum};
+use krata::{
+    events::EventStream,
+    v1::{
+        common::{
+            zone_image_spec::Image, OciImageFormat, ZoneImageSpec, ZoneOciImageSpec, ZoneSpec,
+            ZoneSpecDevice, ZoneStatus, ZoneTaskSpec, ZoneTaskSpecEnvVar,
+        },
+        control::{
+            control_service_client::ControlServiceClient, watch_events_reply::Event,
+            CreateZoneRequest, PullImageRequest,
+        },
+    },
+};
+use log::error;
+use tokio::select;
+use tonic::{transport::Channel, Request};
+
+use crate::{console::StdioConsoleStream, pull::pull_interactive_progress};
+
+#[derive(ValueEnum, Clone, Debug, PartialEq, Eq)]
+pub enum LaunchImageFormat {
+    Squashfs,
+    Erofs,
+}
+
+#[derive(Parser)]
+#[command(about = "Launch a new zone")]
+pub struct ZoneLaunchCommand {
+    #[arg(long, default_value = "squashfs", help = "Image format")]
+    image_format: LaunchImageFormat,
+    #[arg(long, help = "Overwrite image cache on pull")]
+    pull_overwrite_cache: bool,
+    #[arg(long, help = "Update image on pull")]
+    pull_update: bool,
+    #[arg(short, long, help = "Name of the zone")]
+    name: Option<String>,
+    #[arg(short, long, default_value_t = 1, help = "vCPUs available to the zone")]
+    cpus: u32,
+    #[arg(
+        short,
+        long,
+        default_value_t = 512,
+        help = "Memory available to the zone, in megabytes"
+    )]
+    mem: u64,
+    #[arg[short = 'D', long = "device", help = "Devices to request for the zone"]]
+    device: Vec<String>,
+    #[arg[short, long, help = "Environment variables set in the zone"]]
+    env: Option<Vec<String>>,
+    #[arg(
+        short,
+        long,
+        help = "Attach to the zone after zone starts, implies --wait"
+    )]
+    attach: bool,
+    #[arg(
+        short = 'W',
+        long,
+        help = "Wait for the zone to start, implied by --attach"
+    )]
+    wait: bool,
+    #[arg(short = 'k', long, help = "OCI kernel image for zone to use")]
+    kernel: Option<String>,
+    #[arg(short = 'I', long, help = "OCI initrd image for zone to use")]
+    initrd: Option<String>,
+    #[arg(short = 'w', long, help = "Working directory")]
+    working_directory: Option<String>,
+    #[arg(help = "Container image for zone to use")]
+    oci: String,
+    #[arg(
+        allow_hyphen_values = true,
+        trailing_var_arg = true,
+        help = "Command to run inside the zone"
+    )]
+    command: Vec<String>,
+}
+
+impl ZoneLaunchCommand {
+    pub async fn run(
+        self,
+        mut client: ControlServiceClient<Channel>,
+        events: EventStream,
+    ) -> Result<()> {
+        let image = self
+            .pull_image(
+                &mut client,
+                &self.oci,
+                match self.image_format {
+                    LaunchImageFormat::Squashfs => OciImageFormat::Squashfs,
+                    LaunchImageFormat::Erofs => OciImageFormat::Erofs,
+                },
+            )
+            .await?;
+
+        let kernel = if let Some(ref kernel) = self.kernel {
+            let kernel_image = self
+                .pull_image(&mut client, kernel, OciImageFormat::Tar)
+                .await?;
+            Some(kernel_image)
+        } else {
+            None
+        };
+
+        let initrd = if let Some(ref initrd) = self.initrd {
+            let kernel_image = self
+                .pull_image(&mut client, initrd, OciImageFormat::Tar)
+                .await?;
+            Some(kernel_image)
+        } else {
+            None
+        };
+
+        let request = CreateZoneRequest {
+            spec: Some(ZoneSpec {
+                name: self.name.unwrap_or_default(),
+                image: Some(image),
+                kernel,
+                initrd,
+                vcpus: self.cpus,
+                mem: self.mem,
+                task: Some(ZoneTaskSpec {
+                    environment: env_map(&self.env.unwrap_or_default())
+                        .iter()
+                        .map(|(key, value)| ZoneTaskSpecEnvVar {
+                            key: key.clone(),
+                            value: value.clone(),
+                        })
+                        .collect(),
+                    command: self.command,
+                    working_directory: self.working_directory.unwrap_or_default(),
+                }),
+                annotations: vec![],
+                devices: self
+                    .device
+                    .iter()
+                    .map(|name| ZoneSpecDevice { name: name.clone() })
+                    .collect(),
+            }),
+        };
+        let response = client
+            .create_zone(Request::new(request))
+            .await?
+            .into_inner();
+        let id = response.zone_id;
+
+        if self.wait || self.attach {
+            wait_zone_started(&id, events.clone()).await?;
+        }
+
+        let code = if self.attach {
+            let input = StdioConsoleStream::stdin_stream(id.clone()).await;
+            let output = client.attach_zone_console(input).await?.into_inner();
+            let stdout_handle =
+                tokio::task::spawn(async move { StdioConsoleStream::stdout(output).await });
+            let exit_hook_task = StdioConsoleStream::zone_exit_hook(id.clone(), events).await?;
+            select! {
+                x = stdout_handle => {
+                    x??;
+                    None
+                },
+                x = exit_hook_task => x?
+            }
+        } else {
+            println!("{}", id);
+            None
+        };
+        StdioConsoleStream::restore_terminal_mode();
+        std::process::exit(code.unwrap_or(0));
+    }
+
+    async fn pull_image(
+        &self,
+        client: &mut ControlServiceClient<Channel>,
+        image: &str,
+        format: OciImageFormat,
+    ) -> Result<ZoneImageSpec> {
+        let response = client
+            .pull_image(PullImageRequest {
+                image: image.to_string(),
+                format: format.into(),
+                overwrite_cache: self.pull_overwrite_cache,
+                update: self.pull_update,
+            })
+            .await?;
+        let reply = pull_interactive_progress(response.into_inner()).await?;
+        Ok(ZoneImageSpec {
+            image: Some(Image::Oci(ZoneOciImageSpec {
+                digest: reply.digest,
+                format: reply.format,
+            })),
+        })
+    }
+}
+
+async fn wait_zone_started(id: &str, events: EventStream) -> Result<()> {
+    let mut stream = events.subscribe();
+    while let Ok(event) = stream.recv().await {
+        match event {
+            Event::ZoneChanged(changed) => {
+                let Some(zone) = changed.zone else {
+                    continue;
+                };
+
+                if zone.id != id {
+                    continue;
+                }
+
+                let Some(state) = zone.state else {
+                    continue;
+                };
+
+                if let Some(ref error) = state.error_info {
+                    if state.status() == ZoneStatus::Failed {
+                        error!("launch failed: {}", error.message);
+                        std::process::exit(1);
+                    } else {
+                        error!("zone error: {}", error.message);
+                    }
+                }
+
+                if state.status() == ZoneStatus::Destroyed {
+                    error!("zone destroyed");
+                    std::process::exit(1);
+                }
+
+                if state.status() == ZoneStatus::Started {
+                    break;
+                }
+            }
+        }
+    }
+    Ok(())
+}
+
+fn env_map(env: &[String]) -> HashMap<String, String> {
+    let mut map = HashMap::<String, String>::new();
+    for item in env {
+        if let Some((key, value)) = item.split_once('=') {
+            map.insert(key.to_string(), value.to_string());
+        }
+    }
+    map
+}
--- a/crates/ctl/src/cli/zone/list.rs
+++ b/crates/ctl/src/cli/zone/list.rs
@ -4,9 +4,9 @@ use comfy_table::{presets::UTF8_FULL_CONDENSED, Cell, Color, Table};
 use krata::{
    events::EventStream,
    v1::{
-        common::{Guest, GuestStatus},
+        common::{Zone, ZoneStatus},
        control::{
-            control_service_client::ControlServiceClient, ListGuestsRequest, ResolveGuestRequest,
+            control_service_client::ControlServiceClient, ListZonesRequest, ResolveZoneRequest,
        },
    },
 };
@ -14,10 +14,10 @@ use krata::{
 use serde_json::Value;
 use tonic::{transport::Channel, Request};

-use crate::format::{guest_simple_line, guest_status_text, kv2line, proto2dynamic, proto2kv};
+use crate::format::{kv2line, proto2dynamic, proto2kv, zone_simple_line, zone_status_text};

 #[derive(ValueEnum, Clone, Debug, PartialEq, Eq)]
-enum ListFormat {
+enum ZoneListFormat {
    Table,
    Json,
    JsonPretty,
@ -28,41 +28,39 @@ enum ListFormat {
 }

 #[derive(Parser)]
-#[command(about = "List the guests on the hypervisor")]
-pub struct ListCommand {
+#[command(about = "List the zones on the isolation engine")]
+pub struct ZoneListCommand {
    #[arg(short, long, default_value = "table", help = "Output format")]
-    format: ListFormat,
-    #[arg(help = "Limit to a single guest, either the name or the uuid")]
-    guest: Option<String>,
+    format: ZoneListFormat,
+    #[arg(help = "Limit to a single zone, either the name or the uuid")]
+    zone: Option<String>,
 }

-impl ListCommand {
+impl ZoneListCommand {
    pub async fn run(
        self,
        mut client: ControlServiceClient<Channel>,
        _events: EventStream,
    ) -> Result<()> {
-        let mut guests = if let Some(ref guest) = self.guest {
+        let mut zones = if let Some(ref zone) = self.zone {
            let reply = client
-                .resolve_guest(Request::new(ResolveGuestRequest {
-                    name: guest.clone(),
-                }))
+                .resolve_zone(Request::new(ResolveZoneRequest { name: zone.clone() }))
                .await?
                .into_inner();
-            if let Some(guest) = reply.guest {
-                vec![guest]
+            if let Some(zone) = reply.zone {
+                vec![zone]
            } else {
-                return Err(anyhow!("unable to resolve guest '{}'", guest));
+                return Err(anyhow!("unable to resolve zone '{}'", zone));
            }
        } else {
            client
-                .list_guests(Request::new(ListGuestsRequest {}))
+                .list_zones(Request::new(ListZonesRequest {}))
                .await?
                .into_inner()
-                .guests
+                .zones
        };

-        guests.sort_by(|a, b| {
+        zones.sort_by(|a, b| {
            a.spec
                .as_ref()
                .map(|x| x.name.as_str())
@ -71,26 +69,26 @@ impl ListCommand {
        });

        match self.format {
-            ListFormat::Table => {
-                self.print_guest_table(guests)?;
+            ZoneListFormat::Table => {
+                self.print_zone_table(zones)?;
            }

-            ListFormat::Simple => {
-                for guest in guests {
-                    println!("{}", guest_simple_line(&guest));
+            ZoneListFormat::Simple => {
+                for zone in zones {
+                    println!("{}", zone_simple_line(&zone));
                }
            }

-            ListFormat::Json | ListFormat::JsonPretty | ListFormat::Yaml => {
+            ZoneListFormat::Json | ZoneListFormat::JsonPretty | ZoneListFormat::Yaml => {
                let mut values = Vec::new();
-                for guest in guests {
-                    let message = proto2dynamic(guest)?;
+                for zone in zones {
+                    let message = proto2dynamic(zone)?;
                    values.push(serde_json::to_value(message)?);
                }
                let value = Value::Array(values);
-                let encoded = if self.format == ListFormat::JsonPretty {
+                let encoded = if self.format == ZoneListFormat::JsonPretty {
                    serde_json::to_string_pretty(&value)?
-                } else if self.format == ListFormat::Yaml {
+                } else if self.format == ZoneListFormat::Yaml {
                    serde_yaml::to_string(&value)?
                } else {
                    serde_json::to_string(&value)?
@ -98,65 +96,63 @@ impl ListCommand {
                println!("{}", encoded.trim());
            }

-            ListFormat::Jsonl => {
-                for guest in guests {
-                    let message = proto2dynamic(guest)?;
+            ZoneListFormat::Jsonl => {
+                for zone in zones {
+                    let message = proto2dynamic(zone)?;
                    println!("{}", serde_json::to_string(&message)?);
                }
            }

-            ListFormat::KeyValue => {
-                self.print_key_value(guests)?;
+            ZoneListFormat::KeyValue => {
+                self.print_key_value(zones)?;
            }
        }

        Ok(())
    }

-    fn print_guest_table(&self, guests: Vec<Guest>) -> Result<()> {
+    fn print_zone_table(&self, zones: Vec<Zone>) -> Result<()> {
        let mut table = Table::new();
        table.load_preset(UTF8_FULL_CONDENSED);
        table.set_content_arrangement(comfy_table::ContentArrangement::Dynamic);
        table.set_header(vec!["name", "uuid", "status", "ipv4", "ipv6"]);
-        for guest in guests {
-            let ipv4 = guest
+        for zone in zones {
+            let ipv4 = zone
                .state
                .as_ref()
                .and_then(|x| x.network.as_ref())
-                .map(|x| x.guest_ipv4.as_str())
+                .map(|x| x.zone_ipv4.as_str())
                .unwrap_or("n/a");
-            let ipv6 = guest
+            let ipv6 = zone
                .state
                .as_ref()
                .and_then(|x| x.network.as_ref())
-                .map(|x| x.guest_ipv6.as_str())
+                .map(|x| x.zone_ipv6.as_str())
                .unwrap_or("n/a");
-            let Some(spec) = guest.spec else {
+            let Some(spec) = zone.spec else {
                continue;
            };
-            let status = guest.state.as_ref().cloned().unwrap_or_default().status();
-            let status_text = guest_status_text(status);
+            let status = zone.state.as_ref().cloned().unwrap_or_default().status();
+            let status_text = zone_status_text(status);

            let status_color = match status {
-                GuestStatus::Destroyed | GuestStatus::Failed => Color::Red,
-                GuestStatus::Destroying | GuestStatus::Exited | GuestStatus::Starting => {
-                    Color::Yellow
-                }
-                GuestStatus::Started => Color::Green,
+                ZoneStatus::Destroyed | ZoneStatus::Failed => Color::Red,
+                ZoneStatus::Destroying | ZoneStatus::Exited | ZoneStatus::Starting => Color::Yellow,
+                ZoneStatus::Started => Color::Green,
                _ => Color::Reset,
            };

            table.add_row(vec![
                Cell::new(spec.name),
-                Cell::new(guest.id),
+                Cell::new(zone.id),
                Cell::new(status_text).fg(status_color),
                Cell::new(ipv4.to_string()),
                Cell::new(ipv6.to_string()),
            ]);
        }
        if table.is_empty() {
-            if self.guest.is_none() {
-                println!("no guests have been launched");
+            if self.zone.is_none() {
+                println!("no zones have been launched");
            }
        } else {
            println!("{}", table);
@ -164,9 +160,9 @@ impl ListCommand {
        Ok(())
    }

-    fn print_key_value(&self, guests: Vec<Guest>) -> Result<()> {
-        for guest in guests {
-            let kvs = proto2kv(guest)?;
+    fn print_key_value(&self, zones: Vec<Zone>) -> Result<()> {
+        for zone in zones {
+            let kvs = proto2kv(zone)?;
            println!("{}", kv2line(kvs),);
        }
        Ok(())
--- a/crates/ctl/src/cli/zone/logs.rs
+++ b/crates/ctl/src/cli/zone/logs.rs
@ -3,7 +3,7 @@ use async_stream::stream;
 use clap::Parser;
 use krata::{
    events::EventStream,
-    v1::control::{control_service_client::ControlServiceClient, ConsoleDataRequest},
+    v1::control::{control_service_client::ControlServiceClient, ZoneConsoleRequest},
 };

 use tokio::select;
@ -12,39 +12,39 @@ use tonic::transport::Channel;

 use crate::console::StdioConsoleStream;

-use super::resolve_guest;
+use crate::cli::resolve_zone;

 #[derive(Parser)]
-#[command(about = "View the logs of a guest")]
-pub struct LogsCommand {
-    #[arg(short, long, help = "Follow output from the guest")]
+#[command(about = "View the logs of a zone")]
+pub struct ZoneLogsCommand {
+    #[arg(short, long, help = "Follow output from the zone")]
    follow: bool,
-    #[arg(help = "Guest to show logs for, either the name or the uuid")]
-    guest: String,
+    #[arg(help = "Zone to show logs for, either the name or the uuid")]
+    zone: String,
 }

-impl LogsCommand {
+impl ZoneLogsCommand {
    pub async fn run(
        self,
        mut client: ControlServiceClient<Channel>,
        events: EventStream,
    ) -> Result<()> {
-        let guest_id: String = resolve_guest(&mut client, &self.guest).await?;
-        let guest_id_stream = guest_id.clone();
+        let zone_id: String = resolve_zone(&mut client, &self.zone).await?;
+        let zone_id_stream = zone_id.clone();
        let follow = self.follow;
        let input = stream! {
-            yield ConsoleDataRequest { guest_id: guest_id_stream, data: Vec::new() };
+            yield ZoneConsoleRequest { zone_id: zone_id_stream, data: Vec::new() };
            if follow {
-                let mut pending = pending::<ConsoleDataRequest>();
+                let mut pending = pending::<ZoneConsoleRequest>();
                while let Some(x) = pending.next().await {
                    yield x;
                }
            }
        };
-        let output = client.console_data(input).await?.into_inner();
+        let output = client.attach_zone_console(input).await?.into_inner();
        let stdout_handle =
            tokio::task::spawn(async move { StdioConsoleStream::stdout(output).await });
-        let exit_hook_task = StdioConsoleStream::guest_exit_hook(guest_id.clone(), events).await?;
+        let exit_hook_task = StdioConsoleStream::zone_exit_hook(zone_id.clone(), events).await?;
        let code = select! {
            x = stdout_handle => {
                x??;
--- a/crates/ctl/src/cli/zone/metrics.rs
+++ b/crates/ctl/src/cli/zone/metrics.rs
@ -3,8 +3,8 @@ use clap::{Parser, ValueEnum};
 use krata::{
    events::EventStream,
    v1::{
-        common::GuestMetricNode,
-        control::{control_service_client::ControlServiceClient, ReadGuestMetricsRequest},
+        common::ZoneMetricNode,
+        control::{control_service_client::ControlServiceClient, ReadZoneMetricsRequest},
    },
 };

@ -12,10 +12,10 @@ use tonic::transport::Channel;

 use crate::format::{kv2line, metrics_flat, metrics_tree, proto2dynamic};

-use super::resolve_guest;
+use crate::cli::resolve_zone;

 #[derive(ValueEnum, Clone, Debug, PartialEq, Eq)]
-enum MetricsFormat {
+enum ZoneMetricsFormat {
    Tree,
    Json,
    JsonPretty,
@ -24,37 +24,37 @@ enum MetricsFormat {
 }

 #[derive(Parser)]
-#[command(about = "Read metrics from the guest")]
-pub struct MetricsCommand {
+#[command(about = "Read metrics from the zone")]
+pub struct ZoneMetricsCommand {
    #[arg(short, long, default_value = "tree", help = "Output format")]
-    format: MetricsFormat,
-    #[arg(help = "Guest to read metrics for, either the name or the uuid")]
-    guest: String,
+    format: ZoneMetricsFormat,
+    #[arg(help = "Zone to read metrics for, either the name or the uuid")]
+    zone: String,
 }

-impl MetricsCommand {
+impl ZoneMetricsCommand {
    pub async fn run(
        self,
        mut client: ControlServiceClient<Channel>,
        _events: EventStream,
    ) -> Result<()> {
-        let guest_id: String = resolve_guest(&mut client, &self.guest).await?;
+        let zone_id: String = resolve_zone(&mut client, &self.zone).await?;
        let root = client
-            .read_guest_metrics(ReadGuestMetricsRequest { guest_id })
+            .read_zone_metrics(ReadZoneMetricsRequest { zone_id })
            .await?
            .into_inner()
            .root
            .unwrap_or_default();
        match self.format {
-            MetricsFormat::Tree => {
+            ZoneMetricsFormat::Tree => {
                self.print_metrics_tree(root)?;
            }

-            MetricsFormat::Json | MetricsFormat::JsonPretty | MetricsFormat::Yaml => {
+            ZoneMetricsFormat::Json | ZoneMetricsFormat::JsonPretty | ZoneMetricsFormat::Yaml => {
                let value = serde_json::to_value(proto2dynamic(root)?)?;
-                let encoded = if self.format == MetricsFormat::JsonPretty {
+                let encoded = if self.format == ZoneMetricsFormat::JsonPretty {
                    serde_json::to_string_pretty(&value)?
-                } else if self.format == MetricsFormat::Yaml {
+                } else if self.format == ZoneMetricsFormat::Yaml {
                    serde_yaml::to_string(&value)?
                } else {
                    serde_json::to_string(&value)?
@ -62,7 +62,7 @@ impl MetricsCommand {
                println!("{}", encoded.trim());
            }

-            MetricsFormat::KeyValue => {
+            ZoneMetricsFormat::KeyValue => {
                self.print_key_value(root)?;
            }
        }
@ -70,12 +70,12 @@ impl MetricsCommand {
        Ok(())
    }

-    fn print_metrics_tree(&self, root: GuestMetricNode) -> Result<()> {
+    fn print_metrics_tree(&self, root: ZoneMetricNode) -> Result<()> {
        print!("{}", metrics_tree(root));
        Ok(())
    }

-    fn print_key_value(&self, metrics: GuestMetricNode) -> Result<()> {
+    fn print_key_value(&self, metrics: ZoneMetricNode) -> Result<()> {
        let kvs = metrics_flat(metrics);
        println!("{}", kv2line(kvs));
        Ok(())
--- a/crates/ctl/src/cli/zone/mod.rs
+++ b/crates/ctl/src/cli/zone/mod.rs
@ -0,0 +1,89 @@
+use anyhow::Result;
+use clap::{Parser, Subcommand};
+use tonic::transport::Channel;
+
+use krata::events::EventStream;
+use krata::v1::control::control_service_client::ControlServiceClient;
+
+use crate::cli::zone::attach::ZoneAttachCommand;
+use crate::cli::zone::destroy::ZoneDestroyCommand;
+use crate::cli::zone::exec::ZoneExecCommand;
+use crate::cli::zone::launch::ZoneLaunchCommand;
+use crate::cli::zone::list::ZoneListCommand;
+use crate::cli::zone::logs::ZoneLogsCommand;
+use crate::cli::zone::metrics::ZoneMetricsCommand;
+use crate::cli::zone::resolve::ZoneResolveCommand;
+use crate::cli::zone::top::ZoneTopCommand;
+use crate::cli::zone::watch::ZoneWatchCommand;
+
+pub mod attach;
+pub mod destroy;
+pub mod exec;
+pub mod launch;
+pub mod list;
+pub mod logs;
+pub mod metrics;
+pub mod resolve;
+pub mod top;
+pub mod watch;
+
+#[derive(Parser)]
+#[command(about = "Manage the zones on the isolation engine")]
+pub struct ZoneCommand {
+    #[command(subcommand)]
+    subcommand: ZoneCommands,
+}
+
+impl ZoneCommand {
+    pub async fn run(
+        self,
+        client: ControlServiceClient<Channel>,
+        events: EventStream,
+    ) -> Result<()> {
+        self.subcommand.run(client, events).await
+    }
+}
+
+#[derive(Subcommand)]
+pub enum ZoneCommands {
+    Attach(ZoneAttachCommand),
+    List(ZoneListCommand),
+    Launch(ZoneLaunchCommand),
+    Destroy(ZoneDestroyCommand),
+    Exec(ZoneExecCommand),
+    Logs(ZoneLogsCommand),
+    Metrics(ZoneMetricsCommand),
+    Resolve(ZoneResolveCommand),
+    Top(ZoneTopCommand),
+    Watch(ZoneWatchCommand),
+}
+
+impl ZoneCommands {
+    pub async fn run(
+        self,
+        client: ControlServiceClient<Channel>,
+        events: EventStream,
+    ) -> Result<()> {
+        match self {
+            ZoneCommands::Launch(launch) => launch.run(client, events).await,
+
+            ZoneCommands::Destroy(destroy) => destroy.run(client, events).await,
+
+            ZoneCommands::Attach(attach) => attach.run(client, events).await,
+
+            ZoneCommands::Logs(logs) => logs.run(client, events).await,
+
+            ZoneCommands::List(list) => list.run(client, events).await,
+
+            ZoneCommands::Watch(watch) => watch.run(events).await,
+
+            ZoneCommands::Resolve(resolve) => resolve.run(client).await,
+
+            ZoneCommands::Metrics(metrics) => metrics.run(client, events).await,
+
+            ZoneCommands::Top(top) => top.run(client, events).await,
+
+            ZoneCommands::Exec(exec) => exec.run(client).await,
+        }
+    }
+}
--- a/crates/ctl/src/cli/zone/resolve.rs
+++ b/crates/ctl/src/cli/zone/resolve.rs
@ -1,26 +1,26 @@
 use anyhow::Result;
 use clap::Parser;
-use krata::v1::control::{control_service_client::ControlServiceClient, ResolveGuestRequest};
+use krata::v1::control::{control_service_client::ControlServiceClient, ResolveZoneRequest};

 use tonic::{transport::Channel, Request};

 #[derive(Parser)]
-#[command(about = "Resolve a guest name to a uuid")]
-pub struct ResolveCommand {
-    #[arg(help = "Guest name")]
-    guest: String,
+#[command(about = "Resolve a zone name to a uuid")]
+pub struct ZoneResolveCommand {
+    #[arg(help = "Zone name")]
+    zone: String,
 }

-impl ResolveCommand {
+impl ZoneResolveCommand {
    pub async fn run(self, mut client: ControlServiceClient<Channel>) -> Result<()> {
        let reply = client
-            .resolve_guest(Request::new(ResolveGuestRequest {
-                name: self.guest.clone(),
+            .resolve_zone(Request::new(ResolveZoneRequest {
+                name: self.zone.clone(),
            }))
            .await?
            .into_inner();
-        if let Some(guest) = reply.guest {
-            println!("{}", guest.id);
+        if let Some(zone) = reply.zone {
+            println!("{}", zone.id);
        } else {
            std::process::exit(1);
        }
--- a/crates/ctl/src/cli/zone/top.rs
+++ b/crates/ctl/src/cli/zone/top.rs
@ -24,19 +24,19 @@ use ratatui::{
 };

 use crate::{
-    format::guest_status_text,
+    format::zone_status_text,
    metrics::{
        lookup_metric_value, MultiMetricCollector, MultiMetricCollectorHandle, MultiMetricState,
    },
 };

 #[derive(Parser)]
-#[command(about = "Dashboard for running guests")]
-pub struct TopCommand {}
+#[command(about = "Dashboard for running zones")]
+pub struct ZoneTopCommand {}

 pub type Tui = Terminal<CrosstermBackend<Stdout>>;

-impl TopCommand {
+impl ZoneTopCommand {
    pub async fn run(
        self,
        client: ControlServiceClient<Channel>,
@ -44,14 +44,14 @@ impl TopCommand {
    ) -> Result<()> {
        let collector = MultiMetricCollector::new(client, events, Duration::from_millis(200))?;
        let collector = collector.launch().await?;
-        let mut tui = TopCommand::init()?;
-        let mut app = TopApp {
-            metrics: MultiMetricState { guests: vec![] },
+        let mut tui = ZoneTopCommand::init()?;
+        let mut app = ZoneTopApp {
+            metrics: MultiMetricState { zones: vec![] },
            exit: false,
            table: TableState::new(),
        };
        app.run(collector, &mut tui).await?;
-        TopCommand::restore()?;
+        ZoneTopCommand::restore()?;
        Ok(())
    }

@ -68,13 +68,13 @@ impl TopCommand {
    }
 }

-pub struct TopApp {
+pub struct ZoneTopApp {
    table: TableState,
    metrics: MultiMetricState,
    exit: bool,
 }

-impl TopApp {
+impl ZoneTopApp {
    pub async fn run(
        &mut self,
        mut collector: MultiMetricCollectorHandle,
@ -136,9 +136,9 @@ impl TopApp {
    }
 }

-impl Widget for &mut TopApp {
+impl Widget for &mut ZoneTopApp {
    fn render(self, area: Rect, buf: &mut Buffer) {
-        let title = Title::from(" krata hypervisor ".bold());
+        let title = Title::from(" krata isolation engine ".bold());
        let instructions = Title::from(vec![" Quit ".into(), "<Q> ".blue().bold()]);
        let block = Block::default()
            .title(title.alignment(Alignment::Center))
@ -152,12 +152,12 @@ impl Widget for &mut TopApp {

        let mut rows = vec![];

-        for ms in &self.metrics.guests {
-            let Some(ref spec) = ms.guest.spec else {
+        for ms in &self.metrics.zones {
+            let Some(ref spec) = ms.zone.spec else {
                continue;
            };

-            let Some(ref state) = ms.guest.state else {
+            let Some(ref state) = ms.zone.state else {
                continue;
            };

@ -176,8 +176,8 @@ impl Widget for &mut TopApp {

            let row = Row::new(vec![
                spec.name.clone(),
-                ms.guest.id.clone(),
-                guest_status_text(state.status()),
+                ms.zone.id.clone(),
+                zone_status_text(state.status()),
                memory_total.unwrap_or_default(),
                memory_used.unwrap_or_default(),
                memory_free.unwrap_or_default(),
--- a/crates/ctl/src/cli/zone/watch.rs
+++ b/crates/ctl/src/cli/zone/watch.rs
@ -2,53 +2,48 @@ use anyhow::Result;
 use clap::{Parser, ValueEnum};
 use krata::{
    events::EventStream,
-    v1::{common::Guest, control::watch_events_reply::Event},
+    v1::{common::Zone, control::watch_events_reply::Event},
 };
 use prost_reflect::ReflectMessage;
 use serde_json::Value;

-use crate::format::{guest_simple_line, kv2line, proto2dynamic, proto2kv};
+use crate::format::{kv2line, proto2dynamic, proto2kv, zone_simple_line};

 #[derive(ValueEnum, Clone, Debug, PartialEq, Eq)]
-enum WatchFormat {
+enum ZoneWatchFormat {
    Simple,
    Json,
    KeyValue,
 }

 #[derive(Parser)]
-#[command(about = "Watch for guest changes")]
-pub struct WatchCommand {
+#[command(about = "Watch for zone changes")]
+pub struct ZoneWatchCommand {
    #[arg(short, long, default_value = "simple", help = "Output format")]
-    format: WatchFormat,
+    format: ZoneWatchFormat,
 }

-impl WatchCommand {
+impl ZoneWatchCommand {
    pub async fn run(self, events: EventStream) -> Result<()> {
        let mut stream = events.subscribe();
        loop {
            let event = stream.recv().await?;

-            let Event::GuestChanged(changed) = event;
-            let guest = changed.guest.clone();
-            self.print_event("guest.changed", changed, guest)?;
+            let Event::ZoneChanged(changed) = event;
+            let zone = changed.zone.clone();
+            self.print_event("zone.changed", changed, zone)?;
        }
    }

-    fn print_event(
-        &self,
-        typ: &str,
-        event: impl ReflectMessage,
-        guest: Option<Guest>,
-    ) -> Result<()> {
+    fn print_event(&self, typ: &str, event: impl ReflectMessage, zone: Option<Zone>) -> Result<()> {
        match self.format {
-            WatchFormat::Simple => {
-                if let Some(guest) = guest {
-                    println!("{}", guest_simple_line(&guest));
+            ZoneWatchFormat::Simple => {
+                if let Some(zone) = zone {
+                    println!("{}", zone_simple_line(&zone));
                }
            }

-            WatchFormat::Json => {
+            ZoneWatchFormat::Json => {
                let message = proto2dynamic(event)?;
                let mut value = serde_json::to_value(&message)?;
                if let Value::Object(ref mut map) = value {
@ -57,7 +52,7 @@ impl WatchCommand {
                println!("{}", serde_json::to_string(&value)?);
            }

-            WatchFormat::KeyValue => {
+            ZoneWatchFormat::KeyValue => {
                let mut map = proto2kv(event)?;
                map.insert("event.type".to_string(), typ.to_string());
                println!("{}", kv2line(map),);
--- a/crates/ctl/src/console.rs
+++ b/crates/ctl/src/console.rs
@ -1,4 +1,4 @@
-use anyhow::Result;
+use anyhow::{anyhow, Result};
 use async_stream::stream;
 use crossterm::{
    terminal::{disable_raw_mode, enable_raw_mode, is_raw_mode_enabled},
@ -7,13 +7,16 @@ use crossterm::{
 use krata::{
    events::EventStream,
    v1::{
-        common::GuestStatus,
-        control::{watch_events_reply::Event, ConsoleDataReply, ConsoleDataRequest},
+        common::ZoneStatus,
+        control::{
+            watch_events_reply::Event, ExecZoneReply, ExecZoneRequest, ZoneConsoleReply,
+            ZoneConsoleRequest,
+        },
    },
 };
 use log::debug;
 use tokio::{
-    io::{stdin, stdout, AsyncReadExt, AsyncWriteExt},
+    io::{stderr, stdin, stdout, AsyncReadExt, AsyncWriteExt},
    task::JoinHandle,
 };
 use tokio_stream::{Stream, StreamExt};
@ -22,10 +25,10 @@ use tonic::Streaming;
 pub struct StdioConsoleStream;

 impl StdioConsoleStream {
-    pub async fn stdin_stream(guest: String) -> impl Stream<Item = ConsoleDataRequest> {
+    pub async fn stdin_stream(zone: String) -> impl Stream<Item = ZoneConsoleRequest> {
        let mut stdin = stdin();
        stream! {
-            yield ConsoleDataRequest { guest_id: guest, data: vec![] };
+            yield ZoneConsoleRequest { zone_id: zone, data: vec![] };

            let mut buffer = vec![0u8; 60];
            loop {
@ -40,12 +43,37 @@ impl StdioConsoleStream {
                if size == 1 && buffer[0] == 0x1d {
                    break;
                }
-                yield ConsoleDataRequest { guest_id: String::default(), data };
+                yield ZoneConsoleRequest { zone_id: String::default(), data };
            }
        }
    }

-    pub async fn stdout(mut stream: Streaming<ConsoleDataReply>) -> Result<()> {
+    pub async fn stdin_stream_exec(
+        initial: ExecZoneRequest,
+    ) -> impl Stream<Item = ExecZoneRequest> {
+        let mut stdin = stdin();
+        stream! {
+            yield initial;
+
+            let mut buffer = vec![0u8; 60];
+            loop {
+                let size = match stdin.read(&mut buffer).await {
+                    Ok(size) => size,
+                    Err(error) => {
+                        debug!("failed to read stdin: {}", error);
+                        break;
+                    }
+                };
+                let data = buffer[0..size].to_vec();
+                if size == 1 && buffer[0] == 0x1d {
+                    break;
+                }
+                yield ExecZoneRequest { zone_id: String::default(), task: None, data };
+            }
+        }
+    }
+
+    pub async fn stdout(mut stream: Streaming<ZoneConsoleReply>) -> Result<()> {
        if stdin().is_tty() {
            enable_raw_mode()?;
            StdioConsoleStream::register_terminal_restore_hook()?;
@ -62,23 +90,49 @@ impl StdioConsoleStream {
        Ok(())
    }

-    pub async fn guest_exit_hook(
+    pub async fn exec_output(mut stream: Streaming<ExecZoneReply>) -> Result<i32> {
+        let mut stdout = stdout();
+        let mut stderr = stderr();
+        while let Some(reply) = stream.next().await {
+            let reply = reply?;
+            if !reply.stdout.is_empty() {
+                stdout.write_all(&reply.stdout).await?;
+                stdout.flush().await?;
+            }
+
+            if !reply.stderr.is_empty() {
+                stderr.write_all(&reply.stderr).await?;
+                stderr.flush().await?;
+            }
+
+            if reply.exited {
+                return if reply.error.is_empty() {
+                    Ok(reply.exit_code)
+                } else {
+                    Err(anyhow!("exec failed: {}", reply.error))
+                };
+            }
+        }
+        Ok(-1)
+    }
+
+    pub async fn zone_exit_hook(
        id: String,
        events: EventStream,
    ) -> Result<JoinHandle<Option<i32>>> {
        Ok(tokio::task::spawn(async move {
            let mut stream = events.subscribe();
            while let Ok(event) = stream.recv().await {
-                let Event::GuestChanged(changed) = event;
-                let Some(guest) = changed.guest else {
+                let Event::ZoneChanged(changed) = event;
+                let Some(zone) = changed.zone else {
                    continue;
                };

-                let Some(state) = guest.state else {
+                let Some(state) = zone.state else {
                    continue;
                };

-                if guest.id != id {
+                if zone.id != id {
                    continue;
                }

@ -87,7 +141,7 @@ impl StdioConsoleStream {
                }

                let status = state.status();
-                if status == GuestStatus::Destroying || status == GuestStatus::Destroyed {
+                if status == ZoneStatus::Destroying || status == ZoneStatus::Destroyed {
                    return Some(10);
                }
            }
--- a/crates/ctl/src/format.rs
+++ b/crates/ctl/src/format.rs
@ -3,8 +3,8 @@ use std::{collections::HashMap, time::Duration};
 use anyhow::Result;
 use fancy_duration::FancyDuration;
 use human_bytes::human_bytes;
-use krata::v1::common::{Guest, GuestMetricFormat, GuestMetricNode, GuestStatus};
-use prost_reflect::{DynamicMessage, FieldDescriptor, ReflectMessage, Value as ReflectValue};
+use krata::v1::common::{Zone, ZoneMetricFormat, ZoneMetricNode, ZoneStatus};
+use prost_reflect::{DynamicMessage, ReflectMessage};
 use prost_types::Value;
 use termtree::Tree;

@ -15,64 +15,59 @@ pub fn proto2dynamic(proto: impl ReflectMessage) -> Result<DynamicMessage> {
    )?)
 }

-pub fn proto2kv(proto: impl ReflectMessage) -> Result<HashMap<String, String>> {
-    let message = proto2dynamic(proto)?;
+pub fn value2kv(value: serde_json::Value) -> Result<HashMap<String, String>> {
    let mut map = HashMap::new();
+    fn crawl(prefix: String, map: &mut HashMap<String, String>, value: serde_json::Value) {
+        fn dot(prefix: &str, next: String) -> String {
+            if prefix.is_empty() {
+                next.to_string()
+            } else {
+                format!("{}.{}", prefix, next)
+            }
+        }

-    fn crawl(
-        prefix: String,
-        field: Option<&FieldDescriptor>,
-        map: &mut HashMap<String, String>,
-        value: &ReflectValue,
-    ) {
        match value {
-            ReflectValue::Message(child) => {
-                for (field, field_value) in child.fields() {
-                    let path = if prefix.is_empty() {
-                        field.json_name().to_string()
-                    } else {
-                        format!("{}.{}", prefix, field.json_name())
-                    };
-                    crawl(path, Some(&field), map, field_value);
+            serde_json::Value::Null => {
+                map.insert(prefix, "null".to_string());
+            }
+
+            serde_json::Value::String(value) => {
+                map.insert(prefix, value);
+            }
+
+            serde_json::Value::Bool(value) => {
+                map.insert(prefix, value.to_string());
+            }
+
+            serde_json::Value::Number(value) => {
+                map.insert(prefix, value.to_string());
+            }
+
+            serde_json::Value::Array(value) => {
+                for (i, item) in value.into_iter().enumerate() {
+                    let next = dot(&prefix, i.to_string());
+                    crawl(next, map, item);
                }
            }

-            ReflectValue::EnumNumber(number) => {
-                if let Some(kind) = field.map(|x| x.kind()) {
-                    if let Some(e) = kind.as_enum() {
-                        if let Some(value) = e.get_value(*number) {
-                            map.insert(prefix, value.name().to_string());
-                        }
-                    }
+            serde_json::Value::Object(value) => {
+                for (key, item) in value {
+                    let next = dot(&prefix, key);
+                    crawl(next, map, item);
                }
            }
-
-            ReflectValue::String(value) => {
-                map.insert(prefix.to_string(), value.clone());
-            }
-
-            ReflectValue::List(value) => {
-                for (x, value) in value.iter().enumerate() {
-                    crawl(format!("{}.{}", prefix, x), field, map, value);
-                }
-            }
-
-            _ => {
-                map.insert(prefix.to_string(), value.to_string());
-            }
        }
    }
-
-    crawl(
-        "".to_string(),
-        None,
-        &mut map,
-        &ReflectValue::Message(message),
-    );
-
+    crawl("".to_string(), &mut map, value);
    Ok(map)
 }

+pub fn proto2kv(proto: impl ReflectMessage) -> Result<HashMap<String, String>> {
+    let message = proto2dynamic(proto)?;
+    let value = serde_json::to_value(message)?;
+    value2kv(value)
+}
+
 pub fn kv2line(map: HashMap<String, String>) -> String {
    map.iter()
        .map(|(k, v)| format!("{}=\"{}\"", k, v.replace('"', "\\\"")))
@ -80,32 +75,31 @@ pub fn kv2line(map: HashMap<String, String>) -> String {
        .join(" ")
 }

-pub fn guest_status_text(status: GuestStatus) -> String {
+pub fn zone_status_text(status: ZoneStatus) -> String {
    match status {
-        GuestStatus::Starting => "starting",
-        GuestStatus::Started => "started",
-        GuestStatus::Destroying => "destroying",
-        GuestStatus::Destroyed => "destroyed",
-        GuestStatus::Exited => "exited",
-        GuestStatus::Failed => "failed",
+        ZoneStatus::Starting => "starting",
+        ZoneStatus::Started => "started",
+        ZoneStatus::Destroying => "destroying",
+        ZoneStatus::Destroyed => "destroyed",
+        ZoneStatus::Exited => "exited",
+        ZoneStatus::Failed => "failed",
        _ => "unknown",
    }
    .to_string()
 }

-pub fn guest_simple_line(guest: &Guest) -> String {
-    let state = guest_status_text(
-        guest
-            .state
+pub fn zone_simple_line(zone: &Zone) -> String {
+    let state = zone_status_text(
+        zone.state
            .as_ref()
            .map(|x| x.status())
-            .unwrap_or(GuestStatus::Unknown),
+            .unwrap_or(ZoneStatus::Unknown),
    );
-    let name = guest.spec.as_ref().map(|x| x.name.as_str()).unwrap_or("");
-    let network = guest.state.as_ref().and_then(|x| x.network.as_ref());
-    let ipv4 = network.map(|x| x.guest_ipv4.as_str()).unwrap_or("");
-    let ipv6 = network.map(|x| x.guest_ipv6.as_str()).unwrap_or("");
-    format!("{}\t{}\t{}\t{}\t{}", guest.id, state, name, ipv4, ipv6)
+    let name = zone.spec.as_ref().map(|x| x.name.as_str()).unwrap_or("");
+    let network = zone.state.as_ref().and_then(|x| x.network.as_ref());
+    let ipv4 = network.map(|x| x.zone_ipv4.as_str()).unwrap_or("");
+    let ipv6 = network.map(|x| x.zone_ipv6.as_str()).unwrap_or("");
+    format!("{}\t{}\t{}\t{}\t{}", zone.id, state, name, ipv4, ipv6)
 }

 fn metrics_value_string(value: Value) -> String {
@ -121,18 +115,18 @@ fn metrics_value_numeric(value: Value) -> f64 {
    string.parse::<f64>().ok().unwrap_or(f64::NAN)
 }

-pub fn metrics_value_pretty(value: Value, format: GuestMetricFormat) -> String {
+pub fn metrics_value_pretty(value: Value, format: ZoneMetricFormat) -> String {
    match format {
-        GuestMetricFormat::Bytes => human_bytes(metrics_value_numeric(value)),
-        GuestMetricFormat::Integer => (metrics_value_numeric(value) as u64).to_string(),
-        GuestMetricFormat::DurationSeconds => {
+        ZoneMetricFormat::Bytes => human_bytes(metrics_value_numeric(value)),
+        ZoneMetricFormat::Integer => (metrics_value_numeric(value) as u64).to_string(),
+        ZoneMetricFormat::DurationSeconds => {
            FancyDuration(Duration::from_secs_f64(metrics_value_numeric(value))).to_string()
        }
        _ => metrics_value_string(value),
    }
 }

-fn metrics_flat_internal(prefix: &str, node: GuestMetricNode, map: &mut HashMap<String, String>) {
+fn metrics_flat_internal(prefix: &str, node: ZoneMetricNode, map: &mut HashMap<String, String>) {
    if let Some(value) = node.value {
        map.insert(prefix.to_string(), metrics_value_string(value));
    }
@ -147,13 +141,13 @@ fn metrics_flat_internal(prefix: &str, node: GuestMetricNode, map: &mut HashMap<
    }
 }

-pub fn metrics_flat(root: GuestMetricNode) -> HashMap<String, String> {
+pub fn metrics_flat(root: ZoneMetricNode) -> HashMap<String, String> {
    let mut map = HashMap::new();
    metrics_flat_internal("", root, &mut map);
    map
 }

-pub fn metrics_tree(node: GuestMetricNode) -> Tree<String> {
+pub fn metrics_tree(node: ZoneMetricNode) -> Tree<String> {
    let mut name = node.name.to_string();
    let format = node.format();
    if let Some(value) = node.value {
--- a/crates/ctl/src/metrics.rs
+++ b/crates/ctl/src/metrics.rs
@ -2,10 +2,10 @@ use anyhow::Result;
 use krata::{
    events::EventStream,
    v1::{
-        common::{Guest, GuestMetricNode, GuestStatus},
+        common::{Zone, ZoneMetricNode, ZoneStatus},
        control::{
            control_service_client::ControlServiceClient, watch_events_reply::Event,
-            ListGuestsRequest, ReadGuestMetricsRequest,
+            ListZonesRequest, ReadZoneMetricsRequest,
        },
    },
 };
@ -22,12 +22,12 @@ use tonic::transport::Channel;
 use crate::format::metrics_value_pretty;

 pub struct MetricState {
-    pub guest: Guest,
-    pub root: Option<GuestMetricNode>,
+    pub zone: Zone,
+    pub root: Option<ZoneMetricNode>,
 }

 pub struct MultiMetricState {
-    pub guests: Vec<MetricState>,
+    pub zones: Vec<MetricState>,
 }

 pub struct MultiMetricCollector {
@ -72,26 +72,26 @@ impl MultiMetricCollector {

    pub async fn process(&mut self, sender: Sender<MultiMetricState>) -> Result<()> {
        let mut events = self.events.subscribe();
-        let mut guests: Vec<Guest> = self
+        let mut zones: Vec<Zone> = self
            .client
-            .list_guests(ListGuestsRequest {})
+            .list_zones(ListZonesRequest {})
            .await?
            .into_inner()
-            .guests;
+            .zones;
        loop {
            let collect = select! {
                x = events.recv() => match x {
                    Ok(event) => {
-                        let Event::GuestChanged(changed) = event;
-                            let Some(guest) = changed.guest else {
+                        let Event::ZoneChanged(changed) = event;
+                            let Some(zone) = changed.zone else {
                                continue;
                            };
-                            let Some(ref state) = guest.state else {
+                            let Some(ref state) = zone.state else {
                                continue;
                            };
-                            guests.retain(|x| x.id != guest.id);
-                            if state.status() != GuestStatus::Destroying {
-                                guests.push(guest);
+                            zones.retain(|x| x.id != zone.id);
+                            if state.status() != ZoneStatus::Destroying {
+                                zones.push(zone);
                            }
                        false
                    },
@ -111,19 +111,19 @@ impl MultiMetricCollector {
            }

            let mut metrics = Vec::new();
-            for guest in &guests {
-                let Some(ref state) = guest.state else {
+            for zone in &zones {
+                let Some(ref state) = zone.state else {
                    continue;
                };

-                if state.status() != GuestStatus::Started {
+                if state.status() != ZoneStatus::Started {
                    continue;
                }

                let root = timeout(
                    Duration::from_secs(5),
-                    self.client.read_guest_metrics(ReadGuestMetricsRequest {
-                        guest_id: guest.id.clone(),
+                    self.client.read_zone_metrics(ReadZoneMetricsRequest {
+                        zone_id: zone.id.clone(),
                    }),
                )
                .await
@ -132,16 +132,16 @@ impl MultiMetricCollector {
                .map(|x| x.into_inner())
                .and_then(|x| x.root);
                metrics.push(MetricState {
-                    guest: guest.clone(),
+                    zone: zone.clone(),
                    root,
                });
            }
-            sender.send(MultiMetricState { guests: metrics }).await?;
+            sender.send(MultiMetricState { zones: metrics }).await?;
        }
    }
 }

-pub fn lookup<'a>(node: &'a GuestMetricNode, path: &str) -> Option<&'a GuestMetricNode> {
+pub fn lookup<'a>(node: &'a ZoneMetricNode, path: &str) -> Option<&'a ZoneMetricNode> {
    let Some((what, b)) = path.split_once('/') else {
        return node.children.iter().find(|x| x.name == path);
    };
@ -149,7 +149,7 @@ pub fn lookup<'a>(node: &'a GuestMetricNode, path: &str) -> Option<&'a GuestMetr
    return lookup(next, b);
 }

-pub fn lookup_metric_value(node: &GuestMetricNode, path: &str) -> Option<String> {
+pub fn lookup_metric_value(node: &ZoneMetricNode, path: &str) -> Option<String> {
    lookup(node, path).and_then(|x| {
        x.value
            .as_ref()
--- a/crates/ctl/src/pull.rs
+++ b/crates/ctl/src/pull.rs
@ -1,20 +1,205 @@
-use std::collections::HashMap;
+use std::{
+    collections::{hash_map::Entry, HashMap},
+    time::Duration,
+};

 use anyhow::{anyhow, Result};
 use indicatif::{MultiProgress, ProgressBar, ProgressStyle};
-use krata::v1::control::{PullImageProgressLayerPhase, PullImageProgressPhase, PullImageReply};
+use krata::v1::control::{
+    image_progress_indication::Indication, ImageProgressIndication, ImageProgressLayerPhase,
+    ImageProgressPhase, PullImageReply,
+};
 use tokio_stream::StreamExt;
 use tonic::Streaming;

+const SPINNER_STRINGS: &[&str] = &[
+    "[=                   ]",
+    "[ =                  ]",
+    "[  =                 ]",
+    "[   =                ]",
+    "[    =               ]",
+    "[     =              ]",
+    "[      =             ]",
+    "[       =            ]",
+    "[        =           ]",
+    "[         =          ]",
+    "[          =         ]",
+    "[           =        ]",
+    "[            =       ]",
+    "[             =      ]",
+    "[              =     ]",
+    "[               =    ]",
+    "[                =   ]",
+    "[                 =  ]",
+    "[                  = ]",
+    "[                   =]",
+    "[====================]",
+];
+
+fn progress_bar_for_indication(indication: &ImageProgressIndication) -> Option<ProgressBar> {
+    match indication.indication.as_ref() {
+        Some(Indication::Hidden(_)) | None => None,
+        Some(Indication::Bar(indic)) => {
+            let bar = ProgressBar::new(indic.total);
+            bar.enable_steady_tick(Duration::from_millis(100));
+            Some(bar)
+        }
+        Some(Indication::Spinner(_)) => {
+            let bar = ProgressBar::new_spinner();
+            bar.enable_steady_tick(Duration::from_millis(100));
+            Some(bar)
+        }
+        Some(Indication::Completed(indic)) => {
+            let bar = ProgressBar::new_spinner();
+            bar.enable_steady_tick(Duration::from_millis(100));
+            if !indic.message.is_empty() {
+                bar.finish_with_message(indic.message.clone());
+            } else {
+                bar.finish()
+            }
+            Some(bar)
+        }
+    }
+}
+
+fn configure_for_indication(
+    bar: &mut ProgressBar,
+    multi_progress: &mut MultiProgress,
+    indication: &ImageProgressIndication,
+    top_phase: Option<ImageProgressPhase>,
+    layer_phase: Option<ImageProgressLayerPhase>,
+    layer_id: Option<&str>,
+) {
+    let prefix = if let Some(phase) = top_phase {
+        match phase {
+            ImageProgressPhase::Unknown => "unknown",
+            ImageProgressPhase::Started => "started",
+            ImageProgressPhase::Resolving => "resolving",
+            ImageProgressPhase::Resolved => "resolved",
+            ImageProgressPhase::ConfigDownload => "downloading",
+            ImageProgressPhase::LayerDownload => "downloading",
+            ImageProgressPhase::Assemble => "assembling",
+            ImageProgressPhase::Pack => "packing",
+            ImageProgressPhase::Complete => "complete",
+        }
+    } else if let Some(phase) = layer_phase {
+        match phase {
+            ImageProgressLayerPhase::Unknown => "unknown",
+            ImageProgressLayerPhase::Waiting => "waiting",
+            ImageProgressLayerPhase::Downloading => "downloading",
+            ImageProgressLayerPhase::Downloaded => "downloaded",
+            ImageProgressLayerPhase::Extracting => "extracting",
+            ImageProgressLayerPhase::Extracted => "extracted",
+        }
+    } else {
+        ""
+    };
+    let prefix = prefix.to_string();
+
+    let id = if let Some(layer_id) = layer_id {
+        let hash = if let Some((_, hash)) = layer_id.split_once(':') {
+            hash
+        } else {
+            "unknown"
+        };
+        let small_hash = if hash.len() > 10 { &hash[0..10] } else { hash };
+        Some(format!("{:width$}", small_hash, width = 10))
+    } else {
+        None
+    };
+
+    let prefix = if let Some(id) = id {
+        format!("{} {:width$}", id, prefix, width = 11)
+    } else {
+        format!("           {:width$}", prefix, width = 11)
+    };
+
+    match indication.indication.as_ref() {
+        Some(Indication::Hidden(_)) | None => {
+            multi_progress.remove(bar);
+            return;
+        }
+        Some(Indication::Bar(indic)) => {
+            if indic.is_bytes {
+                bar.set_style(ProgressStyle::with_template("{prefix} [{bar:20}] {msg} {binary_bytes}/{binary_total_bytes} ({binary_bytes_per_sec}) eta: {eta}").unwrap().progress_chars("=>-"));
+            } else {
+                bar.set_style(
+                    ProgressStyle::with_template(
+                        "{prefix} [{bar:20} {msg} {human_pos}/{human_len} ({per_sec}/sec)",
+                    )
+                    .unwrap()
+                    .progress_chars("=>-"),
+                );
+            }
+            bar.set_message(indic.message.clone());
+            bar.set_position(indic.current);
+            bar.set_length(indic.total);
+        }
+        Some(Indication::Spinner(indic)) => {
+            bar.set_style(
+                ProgressStyle::with_template("{prefix} {spinner}  {msg}")
+                    .unwrap()
+                    .tick_strings(SPINNER_STRINGS),
+            );
+            bar.set_message(indic.message.clone());
+        }
+        Some(Indication::Completed(indic)) => {
+            if bar.is_finished() {
+                return;
+            }
+            bar.disable_steady_tick();
+            bar.set_message(indic.message.clone());
+            if indic.total != 0 {
+                bar.set_position(indic.total);
+                bar.set_length(indic.total);
+            }
+            if bar.style().get_tick_str(0).contains('=') {
+                bar.set_style(
+                    ProgressStyle::with_template("{prefix} {spinner}  {msg}")
+                        .unwrap()
+                        .tick_strings(SPINNER_STRINGS),
+                );
+                bar.finish_with_message(indic.message.clone());
+            } else if indic.is_bytes {
+                bar.set_style(
+                    ProgressStyle::with_template("{prefix} [{bar:20}] {msg} {binary_total_bytes}")
+                        .unwrap()
+                        .progress_chars("=>-"),
+                );
+            } else {
+                bar.set_style(
+                    ProgressStyle::with_template("{prefix} [{bar:20}] {msg}")
+                        .unwrap()
+                        .progress_chars("=>-"),
+                );
+            }
+            bar.tick();
+            bar.enable_steady_tick(Duration::from_millis(100));
+        }
+    };
+
+    bar.set_prefix(prefix);
+    bar.tick();
+}
+
 pub async fn pull_interactive_progress(
    mut stream: Streaming<PullImageReply>,
 ) -> Result<PullImageReply> {
-    let mut multi_progress: Option<(MultiProgress, HashMap<String, ProgressBar>)> = None;
+    let mut multi_progress = MultiProgress::new();
+    multi_progress.set_move_cursor(false);
+    let mut progresses = HashMap::new();

    while let Some(reply) = stream.next().await {
-        let reply = reply?;
+        let reply = match reply {
+            Ok(reply) => reply,
+            Err(error) => {
+                multi_progress.clear()?;
+                return Err(error.into());
+            }
+        };

        if reply.progress.is_none() && !reply.digest.is_empty() {
+            multi_progress.clear()?;
            return Ok(reply);
        }

@ -22,97 +207,62 @@ pub async fn pull_interactive_progress(
            continue;
        };

-        if multi_progress.is_none() {
-            multi_progress = Some((MultiProgress::new(), HashMap::new()));
+        for layer in &oci.layers {
+            let Some(ref indication) = layer.indication else {
+                continue;
+            };
+
+            let bar = match progresses.entry(layer.id.clone()) {
+                Entry::Occupied(entry) => Some(entry.into_mut()),
+
+                Entry::Vacant(entry) => {
+                    if let Some(bar) = progress_bar_for_indication(indication) {
+                        multi_progress.add(bar.clone());
+                        Some(entry.insert(bar))
+                    } else {
+                        None
+                    }
+                }
+            };
+
+            if let Some(bar) = bar {
+                configure_for_indication(
+                    bar,
+                    &mut multi_progress,
+                    indication,
+                    None,
+                    Some(layer.phase()),
+                    Some(&layer.id),
+                );
+            }
        }

-        let Some((multi_progress, progresses)) = multi_progress.as_mut() else {
-            continue;
-        };
+        if let Some(ref indication) = oci.indication {
+            let bar = match progresses.entry("root".to_string()) {
+                Entry::Occupied(entry) => Some(entry.into_mut()),

-        match oci.phase() {
-            PullImageProgressPhase::Resolved
-            | PullImageProgressPhase::ConfigAcquire
-            | PullImageProgressPhase::LayerAcquire => {
-                if progresses.is_empty() && !oci.layers.is_empty() {
-                    for layer in &oci.layers {
-                        let bar = ProgressBar::new(layer.total);
-                        bar.set_style(ProgressStyle::with_template("{msg} {bar}").unwrap());
-                        progresses.insert(layer.id.clone(), bar.clone());
-                        multi_progress.add(bar);
-                    }
-                }
-
-                for layer in oci.layers {
-                    let Some(progress) = progresses.get_mut(&layer.id) else {
-                        continue;
-                    };
-
-                    let phase = match layer.phase() {
-                        PullImageProgressLayerPhase::Waiting => "waiting",
-                        PullImageProgressLayerPhase::Downloading => "downloading",
-                        PullImageProgressLayerPhase::Downloaded => "downloaded",
-                        PullImageProgressLayerPhase::Extracting => "extracting",
-                        PullImageProgressLayerPhase::Extracted => "extracted",
-                        _ => "unknown",
-                    };
-
-                    let simple = if let Some((_, hash)) = layer.id.split_once(':') {
-                        hash
+                Entry::Vacant(entry) => {
+                    if let Some(bar) = progress_bar_for_indication(indication) {
+                        multi_progress.add(bar.clone());
+                        Some(entry.insert(bar))
                    } else {
-                        "unknown"
-                    };
-                    let simple = if simple.len() > 10 {
-                        &simple[0..10]
-                    } else {
-                        simple
-                    };
-                    let message = format!(
-                        "{:width$} {:phwidth$}",
-                        simple,
-                        phase,
-                        width = 10,
-                        phwidth = 11
-                    );
-
-                    if message != progress.message() {
-                        progress.set_message(message);
+                        None
                    }
-
-                    progress.update(|state| {
-                        state.set_len(layer.total);
-                        state.set_pos(layer.value);
-                    });
                }
+            };
+
+            if let Some(bar) = bar {
+                configure_for_indication(
+                    bar,
+                    &mut multi_progress,
+                    indication,
+                    Some(oci.phase()),
+                    None,
+                    None,
+                );
            }
-
-            PullImageProgressPhase::Packing => {
-                for (key, bar) in &mut *progresses {
-                    if key == "packing" {
-                        continue;
-                    }
-                    bar.finish_and_clear();
-                    multi_progress.remove(bar);
-                }
-                progresses.retain(|k, _| k == "packing");
-                if progresses.is_empty() {
-                    let progress = ProgressBar::new(100);
-                    progress.set_message("packing    ");
-                    progress.set_style(ProgressStyle::with_template("{msg} {bar}").unwrap());
-                    progresses.insert("packing".to_string(), progress);
-                }
-                let Some(progress) = progresses.get("packing") else {
-                    continue;
-                };
-
-                progress.update(|state| {
-                    state.set_len(oci.total);
-                    state.set_pos(oci.value);
-                });
-            }
-
-            _ => {}
        }
    }
+    multi_progress.clear()?;
    Err(anyhow!("never received final reply for image pull"))
 }
--- a/crates/daemon/Cargo.toml
+++ b/crates/daemon/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "krata-daemon"
-description = "Daemon for the krata hypervisor."
+description = "Daemon for the krata isolation engine"
 license.workspace = true
 version.workspace = true
 homepage.workspace = true
@ -17,15 +17,19 @@ circular-buffer = { workspace = true }
 clap = { workspace = true }
 env_logger = { workspace = true }
 futures = { workspace = true }
-krata = { path = "../krata", version = "^0.0.9" }
-krata-oci = { path = "../oci", version = "^0.0.9" }
-krata-runtime = { path = "../runtime", version = "^0.0.9" }
+krata = { path = "../krata", version = "^0.0.14" }
+krata-oci = { path = "../oci", version = "^0.0.14" }
+krata-runtime = { path = "../runtime", version = "^0.0.14" }
 log = { workspace = true }
 prost = { workspace = true }
 redb = { workspace = true }
+scopeguard = { workspace = true }
+serde = { workspace = true }
 signal-hook = { workspace = true }
 tokio = { workspace = true }
 tokio-stream = { workspace = true }
+toml = { workspace = true }
+krata-tokio-tar = { workspace = true }
 tonic = { workspace = true, features = ["tls"] }
 uuid = { workspace = true }

--- a/crates/daemon/bin/daemon.rs
+++ b/crates/daemon/bin/daemon.rs
@ -1,35 +1,35 @@
-use anyhow::Result;
-use clap::Parser;
-use env_logger::Env;
-use krata::dial::ControlDialAddress;
-use kratad::Daemon;
-use log::LevelFilter;
 use std::{
+    net::{SocketAddr, TcpStream},
    str::FromStr,
    sync::{atomic::AtomicBool, Arc},
 };

-#[derive(Parser)]
-struct DaemonCommand {
-    #[arg(short, long, default_value = "unix:///var/lib/krata/daemon.socket")]
-    listen: String,
-    #[arg(short, long, default_value = "/var/lib/krata")]
-    store: String,
-}
+use anyhow::Result;
+use clap::Parser;
+use env_logger::fmt::Target;
+use log::LevelFilter;
+
+use kratad::command::DaemonCommand;

 #[tokio::main(flavor = "multi_thread", worker_threads = 10)]
 async fn main() -> Result<()> {
-    env_logger::Builder::from_env(Env::default().default_filter_or("info"))
-        .filter(Some("backhand::filesystem::writer"), LevelFilter::Warn)
-        .init();
+    let mut builder = env_logger::Builder::new();
+    builder
+        .filter_level(LevelFilter::Trace)
+        .parse_default_env()
+        .filter(Some("backhand::filesystem::writer"), LevelFilter::Warn);
+
+    if let Ok(f_addr) = std::env::var("KRATA_FLUENT_ADDR") {
+        let target = SocketAddr::from_str(f_addr.as_str())?;
+        builder.target(Target::Pipe(Box::new(TcpStream::connect(target)?)));
+    }
+
+    builder.init();
+
    mask_sighup()?;

-    let args = DaemonCommand::parse();
-    let addr = ControlDialAddress::from_str(&args.listen)?;
-
-    let mut daemon = Daemon::new(args.store.clone()).await?;
-    daemon.listen(addr).await?;
-    Ok(())
+    let command = DaemonCommand::parse();
+    command.run().await
 }

 fn mask_sighup() -> Result<()> {
--- a/crates/daemon/src/command.rs
+++ b/crates/daemon/src/command.rs
@ -0,0 +1,36 @@
+use anyhow::Result;
+use clap::{CommandFactory, Parser};
+use krata::dial::ControlDialAddress;
+use std::str::FromStr;
+
+use crate::Daemon;
+
+#[derive(Parser)]
+#[command(version, about = "krata isolation engine daemon")]
+pub struct DaemonCommand {
+    #[arg(
+        short,
+        long,
+        default_value = "unix:///var/lib/krata/daemon.socket",
+        help = "Listen address"
+    )]
+    listen: String,
+    #[arg(short, long, default_value = "/var/lib/krata", help = "Storage path")]
+    store: String,
+}
+
+impl DaemonCommand {
+    pub async fn run(self) -> Result<()> {
+        let addr = ControlDialAddress::from_str(&self.listen)?;
+        let mut daemon = Daemon::new(self.store.clone()).await?;
+        daemon.listen(addr).await?;
+        Ok(())
+    }
+
+    pub fn version() -> String {
+        DaemonCommand::command()
+            .get_version()
+            .unwrap_or("unknown")
+            .to_string()
+    }
+}
--- a/crates/daemon/src/config.rs
+++ b/crates/daemon/src/config.rs
@ -0,0 +1,63 @@
+use std::{collections::HashMap, path::Path};
+
+use anyhow::Result;
+use serde::{Deserialize, Serialize};
+use tokio::fs;
+
+#[derive(Serialize, Deserialize, Clone, Debug, Default)]
+pub struct DaemonConfig {
+    #[serde(default)]
+    pub oci: OciConfig,
+    #[serde(default)]
+    pub pci: DaemonPciConfig,
+}
+
+#[derive(Serialize, Deserialize, Clone, Debug, Default)]
+pub struct OciConfig {
+    #[serde(default)]
+    pub seed: Option<String>,
+}
+
+#[derive(Serialize, Deserialize, Clone, Debug, Default)]
+pub struct DaemonPciConfig {
+    #[serde(default)]
+    pub devices: HashMap<String, DaemonPciDeviceConfig>,
+}
+
+#[derive(Serialize, Deserialize, Clone, Debug)]
+pub struct DaemonPciDeviceConfig {
+    pub locations: Vec<String>,
+    #[serde(default)]
+    pub permissive: bool,
+    #[serde(default)]
+    #[serde(rename = "msi-translate")]
+    pub msi_translate: bool,
+    #[serde(default)]
+    #[serde(rename = "power-management")]
+    pub power_management: bool,
+    #[serde(default)]
+    #[serde(rename = "rdm-reserve-policy")]
+    pub rdm_reserve_policy: DaemonPciDeviceRdmReservePolicy,
+}
+
+#[derive(Serialize, Deserialize, Clone, Debug, Default)]
+pub enum DaemonPciDeviceRdmReservePolicy {
+    #[default]
+    #[serde(rename = "strict")]
+    Strict,
+    #[serde(rename = "relaxed")]
+    Relaxed,
+}
+
+impl DaemonConfig {
+    pub async fn load(path: &Path) -> Result<DaemonConfig> {
+        if path.exists() {
+            let content = fs::read_to_string(path).await?;
+            let config: DaemonConfig = toml::from_str(&content)?;
+            Ok(config)
+        } else {
+            fs::write(&path, "").await?;
+            Ok(DaemonConfig::default())
+        }
+    }
+}
--- a/crates/daemon/src/console.rs
+++ b/crates/daemon/src/console.rs
@ -1,6 +1,6 @@
 use std::{collections::HashMap, sync::Arc};

-use anyhow::Result;
+use anyhow::{anyhow, Result};
 use circular_buffer::CircularBuffer;
 use kratart::channel::ChannelService;
 use log::error;
@ -11,6 +11,9 @@ use tokio::{
    },
    task::JoinHandle,
 };
+use uuid::Uuid;
+
+use crate::zlt::ZoneLookupTable;

 const CONSOLE_BUFFER_SIZE: usize = 1024 * 1024;
 type RawConsoleBuffer = CircularBuffer<CONSOLE_BUFFER_SIZE, u8>;
@ -21,6 +24,7 @@ type BufferMap = Arc<Mutex<HashMap<u32, ConsoleBuffer>>>;

 #[derive(Clone)]
 pub struct DaemonConsoleHandle {
+    glt: ZoneLookupTable,
    listeners: ListenerMap,
    buffers: BufferMap,
    sender: Sender<(u32, Vec<u8>)>,
@ -50,9 +54,12 @@ impl DaemonConsoleAttachHandle {
 impl DaemonConsoleHandle {
    pub async fn attach(
        &self,
-        domid: u32,
+        uuid: Uuid,
        sender: Sender<Vec<u8>>,
    ) -> Result<DaemonConsoleAttachHandle> {
+        let Some(domid) = self.glt.lookup_domid_by_uuid(&uuid).await else {
+            return Err(anyhow!("unable to find domain {}", uuid));
+        };
        let buffers = self.buffers.lock().await;
        let buffer = buffers.get(&domid).map(|x| x.to_vec()).unwrap_or_default();
        drop(buffers);
@ -77,6 +84,7 @@ impl Drop for DaemonConsoleHandle {
 }

 pub struct DaemonConsole {
+    glt: ZoneLookupTable,
    listeners: ListenerMap,
    buffers: BufferMap,
    receiver: Receiver<(u32, Option<Vec<u8>>)>,
@ -85,13 +93,14 @@ pub struct DaemonConsole {
 }

 impl DaemonConsole {
-    pub async fn new() -> Result<DaemonConsole> {
+    pub async fn new(glt: ZoneLookupTable) -> Result<DaemonConsole> {
        let (service, sender, receiver) =
            ChannelService::new("krata-console".to_string(), Some(0)).await?;
        let task = service.launch().await?;
        let listeners = Arc::new(Mutex::new(HashMap::new()));
        let buffers = Arc::new(Mutex::new(HashMap::new()));
        Ok(DaemonConsole {
+            glt,
            listeners,
            buffers,
            receiver,
@ -101,6 +110,7 @@ impl DaemonConsole {
    }

    pub async fn launch(mut self) -> Result<DaemonConsoleHandle> {
+        let glt = self.glt.clone();
        let listeners = self.listeners.clone();
        let buffers = self.buffers.clone();
        let sender = self.sender.clone();
@ -110,6 +120,7 @@ impl DaemonConsole {
            }
        });
        Ok(DaemonConsoleHandle {
+            glt,
            listeners,
            buffers,
            sender,
--- a/crates/daemon/src/control.rs
+++ b/crates/daemon/src/control.rs
@ -1,26 +1,31 @@
 use async_stream::try_stream;
 use futures::Stream;
 use krata::{
-    idm::protocol::{
-        idm_request::Request as IdmRequestType, idm_response::Response as IdmResponseType,
-        IdmMetricsRequest,
+    idm::internal::{
+        exec_stream_request_update::Update, request::Request as IdmRequestType,
+        response::Response as IdmResponseType, ExecEnvVar, ExecStreamRequestStart,
+        ExecStreamRequestStdin, ExecStreamRequestUpdate, MetricsRequest, Request as IdmRequest,
    },
    v1::{
-        common::{Guest, GuestOciImageFormat, GuestState, GuestStatus},
+        common::{OciImageFormat, Zone, ZoneState, ZoneStatus},
        control::{
-            control_service_server::ControlService, ConsoleDataReply, ConsoleDataRequest,
-            CreateGuestReply, CreateGuestRequest, DestroyGuestReply, DestroyGuestRequest,
-            ListGuestsReply, ListGuestsRequest, PullImageReply, PullImageRequest,
-            ReadGuestMetricsReply, ReadGuestMetricsRequest, ResolveGuestReply, ResolveGuestRequest,
-            SnoopIdmReply, SnoopIdmRequest, WatchEventsReply, WatchEventsRequest,
+            control_service_server::ControlService, CreateZoneReply, CreateZoneRequest,
+            DestroyZoneReply, DestroyZoneRequest, DeviceInfo, ExecZoneReply, ExecZoneRequest,
+            HostCpuTopologyInfo, HostCpuTopologyReply, HostCpuTopologyRequest,
+            HostPowerManagementPolicy, IdentifyHostReply, IdentifyHostRequest, ListDevicesReply,
+            ListDevicesRequest, ListZonesReply, ListZonesRequest, PullImageReply, PullImageRequest,
+            ReadZoneMetricsReply, ReadZoneMetricsRequest, ResolveZoneReply, ResolveZoneRequest,
+            SnoopIdmReply, SnoopIdmRequest, WatchEventsReply, WatchEventsRequest, ZoneConsoleReply,
+            ZoneConsoleRequest,
        },
    },
 };
 use krataoci::{
    name::ImageName,
-    packer::{service::OciPackerService, OciImagePacked, OciPackedFormat},
+    packer::{service::OciPackerService, OciPackedFormat, OciPackedImage},
    progress::{OciProgress, OciProgressContext},
 };
+use kratart::Runtime;
 use std::{pin::Pin, str::FromStr};
 use tokio::{
    select,
@ -32,8 +37,9 @@ use tonic::{Request, Response, Status, Streaming};
 use uuid::Uuid;

 use crate::{
-    console::DaemonConsoleHandle, db::GuestStore, event::DaemonEventContext, idm::DaemonIdmHandle,
-    metrics::idm_metric_to_api, oci::convert_oci_progress,
+    command::DaemonCommand, console::DaemonConsoleHandle, db::ZoneStore,
+    devices::DaemonDeviceManager, event::DaemonEventContext, idm::DaemonIdmHandle,
+    metrics::idm_metric_to_api, oci::convert_oci_progress, zlt::ZoneLookupTable,
 };

 pub struct ApiError {
@ -56,48 +62,61 @@ impl From<ApiError> for Status {

 #[derive(Clone)]
 pub struct DaemonControlService {
+    glt: ZoneLookupTable,
+    devices: DaemonDeviceManager,
    events: DaemonEventContext,
    console: DaemonConsoleHandle,
    idm: DaemonIdmHandle,
-    guests: GuestStore,
-    guest_reconciler_notify: Sender<Uuid>,
+    zones: ZoneStore,
+    zone_reconciler_notify: Sender<Uuid>,
    packer: OciPackerService,
+    runtime: Runtime,
 }

 impl DaemonControlService {
+    #[allow(clippy::too_many_arguments)]
    pub fn new(
+        glt: ZoneLookupTable,
+        devices: DaemonDeviceManager,
        events: DaemonEventContext,
        console: DaemonConsoleHandle,
        idm: DaemonIdmHandle,
-        guests: GuestStore,
-        guest_reconciler_notify: Sender<Uuid>,
+        zones: ZoneStore,
+        zone_reconciler_notify: Sender<Uuid>,
        packer: OciPackerService,
+        runtime: Runtime,
    ) -> Self {
        Self {
+            glt,
+            devices,
            events,
            console,
            idm,
-            guests,
-            guest_reconciler_notify,
+            zones,
+            zone_reconciler_notify,
            packer,
+            runtime,
        }
    }
 }

 enum ConsoleDataSelect {
    Read(Option<Vec<u8>>),
-    Write(Option<Result<ConsoleDataRequest, tonic::Status>>),
+    Write(Option<Result<ZoneConsoleRequest, Status>>),
 }

 enum PullImageSelect {
-    Progress(usize),
-    Completed(Result<Result<OciImagePacked, anyhow::Error>, JoinError>),
+    Progress(Option<OciProgress>),
+    Completed(Result<Result<OciPackedImage, anyhow::Error>, JoinError>),
 }

 #[tonic::async_trait]
 impl ControlService for DaemonControlService {
-    type ConsoleDataStream =
-        Pin<Box<dyn Stream<Item = Result<ConsoleDataReply, Status>> + Send + 'static>>;
+    type ExecZoneStream =
+        Pin<Box<dyn Stream<Item = Result<ExecZoneReply, Status>> + Send + 'static>>;
+
+    type AttachZoneConsoleStream =
+        Pin<Box<dyn Stream<Item = Result<ZoneConsoleReply, Status>> + Send + 'static>>;

    type PullImageStream =
        Pin<Box<dyn Stream<Item = Result<PullImageReply, Status>> + Send + 'static>>;
@ -108,28 +127,41 @@ impl ControlService for DaemonControlService {
    type SnoopIdmStream =
        Pin<Box<dyn Stream<Item = Result<SnoopIdmReply, Status>> + Send + 'static>>;

-    async fn create_guest(
+    async fn identify_host(
        &self,
-        request: Request<CreateGuestRequest>,
-    ) -> Result<Response<CreateGuestReply>, Status> {
+        request: Request<IdentifyHostRequest>,
+    ) -> Result<Response<IdentifyHostReply>, Status> {
+        let _ = request.into_inner();
+        Ok(Response::new(IdentifyHostReply {
+            host_domid: self.glt.host_domid(),
+            host_uuid: self.glt.host_uuid().to_string(),
+            krata_version: DaemonCommand::version(),
+        }))
+    }
+
+    async fn create_zone(
+        &self,
+        request: Request<CreateZoneRequest>,
+    ) -> Result<Response<CreateZoneReply>, Status> {
        let request = request.into_inner();
        let Some(spec) = request.spec else {
            return Err(ApiError {
-                message: "guest spec not provided".to_string(),
+                message: "zone spec not provided".to_string(),
            }
            .into());
        };
        let uuid = Uuid::new_v4();
-        self.guests
+        self.zones
            .update(
                uuid,
-                Guest {
+                Zone {
                    id: uuid.to_string(),
-                    state: Some(GuestState {
-                        status: GuestStatus::Starting.into(),
+                    state: Some(ZoneState {
+                        status: ZoneStatus::Starting.into(),
                        network: None,
                        exit_info: None,
                        error_info: None,
+                        host: self.glt.host_uuid().to_string(),
                        domid: u32::MAX,
                    }),
                    spec: Some(spec),
@ -137,88 +169,21 @@ impl ControlService for DaemonControlService {
            )
            .await
            .map_err(ApiError::from)?;
-        self.guest_reconciler_notify
+        self.zone_reconciler_notify
            .send(uuid)
            .await
            .map_err(|x| ApiError {
                message: x.to_string(),
            })?;
-        Ok(Response::new(CreateGuestReply {
-            guest_id: uuid.to_string(),
+        Ok(Response::new(CreateZoneReply {
+            zone_id: uuid.to_string(),
        }))
    }

-    async fn destroy_guest(
+    async fn exec_zone(
        &self,
-        request: Request<DestroyGuestRequest>,
-    ) -> Result<Response<DestroyGuestReply>, Status> {
-        let request = request.into_inner();
-        let uuid = Uuid::from_str(&request.guest_id).map_err(|error| ApiError {
-            message: error.to_string(),
-        })?;
-        let Some(mut guest) = self.guests.read(uuid).await.map_err(ApiError::from)? else {
-            return Err(ApiError {
-                message: "guest not found".to_string(),
-            }
-            .into());
-        };
-
-        guest.state = Some(guest.state.as_mut().cloned().unwrap_or_default());
-
-        if guest.state.as_ref().unwrap().status() == GuestStatus::Destroyed {
-            return Err(ApiError {
-                message: "guest already destroyed".to_string(),
-            }
-            .into());
-        }
-
-        guest.state.as_mut().unwrap().status = GuestStatus::Destroying.into();
-        self.guests
-            .update(uuid, guest)
-            .await
-            .map_err(ApiError::from)?;
-        self.guest_reconciler_notify
-            .send(uuid)
-            .await
-            .map_err(|x| ApiError {
-                message: x.to_string(),
-            })?;
-        Ok(Response::new(DestroyGuestReply {}))
-    }
-
-    async fn list_guests(
-        &self,
-        request: Request<ListGuestsRequest>,
-    ) -> Result<Response<ListGuestsReply>, Status> {
-        let _ = request.into_inner();
-        let guests = self.guests.list().await.map_err(ApiError::from)?;
-        let guests = guests.into_values().collect::<Vec<Guest>>();
-        Ok(Response::new(ListGuestsReply { guests }))
-    }
-
-    async fn resolve_guest(
-        &self,
-        request: Request<ResolveGuestRequest>,
-    ) -> Result<Response<ResolveGuestReply>, Status> {
-        let request = request.into_inner();
-        let guests = self.guests.list().await.map_err(ApiError::from)?;
-        let guests = guests
-            .into_values()
-            .filter(|x| {
-                let comparison_spec = x.spec.as_ref().cloned().unwrap_or_default();
-                (!request.name.is_empty() && comparison_spec.name == request.name)
-                    || x.id == request.name
-            })
-            .collect::<Vec<Guest>>();
-        Ok(Response::new(ResolveGuestReply {
-            guest: guests.first().cloned(),
-        }))
-    }
-
-    async fn console_data(
-        &self,
-        request: Request<Streaming<ConsoleDataRequest>>,
-    ) -> Result<Response<Self::ConsoleDataStream>, Status> {
+        request: Request<Streaming<ExecZoneRequest>>,
+    ) -> Result<Response<Self::ExecZoneStream>, Status> {
        let mut input = request.into_inner();
        let Some(request) = input.next().await else {
            return Err(ApiError {
@ -227,46 +192,179 @@ impl ControlService for DaemonControlService {
            .into());
        };
        let request = request?;
-        let uuid = Uuid::from_str(&request.guest_id).map_err(|error| ApiError {
-            message: error.to_string(),
-        })?;
-        let guest = self
-            .guests
-            .read(uuid)
-            .await
-            .map_err(|error| ApiError {
-                message: error.to_string(),
-            })?
-            .ok_or_else(|| ApiError {
-                message: "guest did not exist in the database".to_string(),
-            })?;

-        let Some(ref state) = guest.state else {
+        let Some(task) = request.task else {
            return Err(ApiError {
-                message: "guest did not have state".to_string(),
+                message: "task is missing".to_string(),
            }
            .into());
        };

-        let domid = state.domid;
-        if domid == 0 {
+        let uuid = Uuid::from_str(&request.zone_id).map_err(|error| ApiError {
+            message: error.to_string(),
+        })?;
+        let idm = self.idm.client(uuid).await.map_err(|error| ApiError {
+            message: error.to_string(),
+        })?;
+
+        let idm_request = IdmRequest {
+            request: Some(IdmRequestType::ExecStream(ExecStreamRequestUpdate {
+                update: Some(Update::Start(ExecStreamRequestStart {
+                    environment: task
+                        .environment
+                        .into_iter()
+                        .map(|x| ExecEnvVar {
+                            key: x.key,
+                            value: x.value,
+                        })
+                        .collect(),
+                    command: task.command,
+                    working_directory: task.working_directory,
+                })),
+            })),
+        };
+
+        let output = try_stream! {
+            let mut handle = idm.send_stream(idm_request).await.map_err(|x| ApiError {
+                message: x.to_string(),
+            })?;
+
+            loop {
+                select! {
+                    x = input.next() => if let Some(update) = x {
+                        let update: Result<ExecZoneRequest, Status> = update.map_err(|error| ApiError {
+                            message: error.to_string()
+                        }.into());
+
+                        if let Ok(update) = update {
+                            if !update.data.is_empty() {
+                                let _ = handle.update(IdmRequest {
+                                    request: Some(IdmRequestType::ExecStream(ExecStreamRequestUpdate {
+                                        update: Some(Update::Stdin(ExecStreamRequestStdin {
+                                            data: update.data,
+                                        })),
+                                    }))}).await;
+                            }
+                        }
+                    },
+                    x = handle.receiver.recv() => match x {
+                        Some(response) => {
+                            let Some(IdmResponseType::ExecStream(update)) = response.response else {
+                                break;
+                            };
+                            let reply = ExecZoneReply {
+                                exited: update.exited,
+                                error: update.error,
+                                exit_code: update.exit_code,
+                                stdout: update.stdout,
+                                stderr: update.stderr
+                            };
+                            yield reply;
+                        },
+                        None => {
+                            break;
+                        }
+                    }
+                };
+            }
+        };
+
+        Ok(Response::new(Box::pin(output) as Self::ExecZoneStream))
+    }
+
+    async fn destroy_zone(
+        &self,
+        request: Request<DestroyZoneRequest>,
+    ) -> Result<Response<DestroyZoneReply>, Status> {
+        let request = request.into_inner();
+        let uuid = Uuid::from_str(&request.zone_id).map_err(|error| ApiError {
+            message: error.to_string(),
+        })?;
+        let Some(mut zone) = self.zones.read(uuid).await.map_err(ApiError::from)? else {
            return Err(ApiError {
-                message: "invalid domid on the guest".to_string(),
+                message: "zone not found".to_string(),
+            }
+            .into());
+        };
+
+        zone.state = Some(zone.state.as_mut().cloned().unwrap_or_default());
+
+        if zone.state.as_ref().unwrap().status() == ZoneStatus::Destroyed {
+            return Err(ApiError {
+                message: "zone already destroyed".to_string(),
            }
            .into());
        }

+        zone.state.as_mut().unwrap().status = ZoneStatus::Destroying.into();
+        self.zones
+            .update(uuid, zone)
+            .await
+            .map_err(ApiError::from)?;
+        self.zone_reconciler_notify
+            .send(uuid)
+            .await
+            .map_err(|x| ApiError {
+                message: x.to_string(),
+            })?;
+        Ok(Response::new(DestroyZoneReply {}))
+    }
+
+    async fn list_zones(
+        &self,
+        request: Request<ListZonesRequest>,
+    ) -> Result<Response<ListZonesReply>, Status> {
+        let _ = request.into_inner();
+        let zones = self.zones.list().await.map_err(ApiError::from)?;
+        let zones = zones.into_values().collect::<Vec<Zone>>();
+        Ok(Response::new(ListZonesReply { zones }))
+    }
+
+    async fn resolve_zone(
+        &self,
+        request: Request<ResolveZoneRequest>,
+    ) -> Result<Response<ResolveZoneReply>, Status> {
+        let request = request.into_inner();
+        let zones = self.zones.list().await.map_err(ApiError::from)?;
+        let zones = zones
+            .into_values()
+            .filter(|x| {
+                let comparison_spec = x.spec.as_ref().cloned().unwrap_or_default();
+                (!request.name.is_empty() && comparison_spec.name == request.name)
+                    || x.id == request.name
+            })
+            .collect::<Vec<Zone>>();
+        Ok(Response::new(ResolveZoneReply {
+            zone: zones.first().cloned(),
+        }))
+    }
+
+    async fn attach_zone_console(
+        &self,
+        request: Request<Streaming<ZoneConsoleRequest>>,
+    ) -> Result<Response<Self::AttachZoneConsoleStream>, Status> {
+        let mut input = request.into_inner();
+        let Some(request) = input.next().await else {
+            return Err(ApiError {
+                message: "expected to have at least one request".to_string(),
+            }
+            .into());
+        };
+        let request = request?;
+        let uuid = Uuid::from_str(&request.zone_id).map_err(|error| ApiError {
+            message: error.to_string(),
+        })?;
        let (sender, mut receiver) = channel(100);
        let console = self
            .console
-            .attach(domid, sender)
+            .attach(uuid, sender)
            .await
            .map_err(|error| ApiError {
                message: format!("failed to attach to console: {}", error),
            })?;

        let output = try_stream! {
-            yield ConsoleDataReply { data: console.initial.clone(), };
+            yield ZoneConsoleReply { data: console.initial.clone(), };
            loop {
                let what = select! {
                    x = receiver.recv() => ConsoleDataSelect::Read(x),
@ -275,7 +373,7 @@ impl ControlService for DaemonControlService {

                match what {
                    ConsoleDataSelect::Read(Some(data)) => {
-                        yield ConsoleDataReply { data, };
+                        yield ZoneConsoleReply { data, };
                    },

                    ConsoleDataSelect::Read(None) => {
@ -298,56 +396,34 @@ impl ControlService for DaemonControlService {
            }
        };

-        Ok(Response::new(Box::pin(output) as Self::ConsoleDataStream))
+        Ok(Response::new(
+            Box::pin(output) as Self::AttachZoneConsoleStream
+        ))
    }

-    async fn read_guest_metrics(
+    async fn read_zone_metrics(
        &self,
-        request: Request<ReadGuestMetricsRequest>,
-    ) -> Result<Response<ReadGuestMetricsReply>, Status> {
+        request: Request<ReadZoneMetricsRequest>,
+    ) -> Result<Response<ReadZoneMetricsReply>, Status> {
        let request = request.into_inner();
-        let uuid = Uuid::from_str(&request.guest_id).map_err(|error| ApiError {
+        let uuid = Uuid::from_str(&request.zone_id).map_err(|error| ApiError {
            message: error.to_string(),
        })?;
-        let guest = self
-            .guests
-            .read(uuid)
-            .await
-            .map_err(|error| ApiError {
-                message: error.to_string(),
-            })?
-            .ok_or_else(|| ApiError {
-                message: "guest did not exist in the database".to_string(),
-            })?;
-
-        let Some(ref state) = guest.state else {
-            return Err(ApiError {
-                message: "guest did not have state".to_string(),
-            }
-            .into());
-        };
-
-        let domid = state.domid;
-        if domid == 0 {
-            return Err(ApiError {
-                message: "invalid domid on the guest".to_string(),
-            }
-            .into());
-        }
-
-        let client = self.idm.client(domid).await.map_err(|error| ApiError {
+        let client = self.idm.client(uuid).await.map_err(|error| ApiError {
            message: error.to_string(),
        })?;

        let response = client
-            .send(IdmRequestType::Metrics(IdmMetricsRequest {}))
+            .send(IdmRequest {
+                request: Some(IdmRequestType::Metrics(MetricsRequest {})),
+            })
            .await
            .map_err(|error| ApiError {
                message: error.to_string(),
            })?;

-        let mut reply = ReadGuestMetricsReply::default();
-        if let IdmResponseType::Metrics(metrics) = response {
+        let mut reply = ReadZoneMetricsReply::default();
+        if let Some(IdmResponseType::Metrics(metrics)) = response.response {
            reply.root = metrics.root.map(idm_metric_to_api);
        }
        Ok(Response::new(reply))
@ -362,36 +438,39 @@ impl ControlService for DaemonControlService {
            message: err.to_string(),
        })?;
        let format = match request.format() {
-            GuestOciImageFormat::Unknown => OciPackedFormat::Squashfs,
-            GuestOciImageFormat::Squashfs => OciPackedFormat::Squashfs,
-            GuestOciImageFormat::Erofs => OciPackedFormat::Erofs,
+            OciImageFormat::Unknown => OciPackedFormat::Squashfs,
+            OciImageFormat::Squashfs => OciPackedFormat::Squashfs,
+            OciImageFormat::Erofs => OciPackedFormat::Erofs,
+            OciImageFormat::Tar => OciPackedFormat::Tar,
        };
-        let (sender, mut receiver) = channel::<OciProgress>(100);
-        let context = OciProgressContext::new(sender);
-
+        let (context, mut receiver) = OciProgressContext::create();
        let our_packer = self.packer.clone();

        let output = try_stream! {
            let mut task = tokio::task::spawn(async move {
-                our_packer.request(name, format, context).await
+                our_packer.request(name, format, request.overwrite_cache, request.update, context).await
            });
+            let abort_handle = task.abort_handle();
+            let _task_cancel_guard = scopeguard::guard(abort_handle, |handle| {
+                handle.abort();
+            });
+
            loop {
-                let mut progresses = Vec::new();
                let what = select! {
-                    x = receiver.recv_many(&mut progresses, 10) => PullImageSelect::Progress(x),
+                    x = receiver.changed() => match x {
+                        Ok(_) => PullImageSelect::Progress(Some(receiver.borrow_and_update().clone())),
+                        Err(_) => PullImageSelect::Progress(None),
+                    },
                    x = &mut task => PullImageSelect::Completed(x),
                };
                match what {
-                    PullImageSelect::Progress(count) => {
-                        if count > 0 {
-                            let progress = progresses.remove(progresses.len() - 1);
-                            let reply = PullImageReply {
-                                progress: Some(convert_oci_progress(progress)),
-                                digest: String::new(),
-                                format: GuestOciImageFormat::Unknown.into(),
-                            };
-                            yield reply;
-                        }
+                    PullImageSelect::Progress(Some(progress)) => {
+                        let reply = PullImageReply {
+                            progress: Some(convert_oci_progress(progress)),
+                            digest: String::new(),
+                            format: OciImageFormat::Unknown.into(),
+                        };
+                        yield reply;
                    },

                    PullImageSelect::Completed(result) => {
@ -405,13 +484,18 @@ impl ControlService for DaemonControlService {
                            progress: None,
                            digest: packed.digest,
                            format: match packed.format {
-                                OciPackedFormat::Squashfs => GuestOciImageFormat::Squashfs.into(),
-                                OciPackedFormat::Erofs => GuestOciImageFormat::Erofs.into(),
+                                OciPackedFormat::Squashfs => OciImageFormat::Squashfs.into(),
+                                OciPackedFormat::Erofs => OciImageFormat::Erofs.into(),
+                                OciPackedFormat::Tar => OciImageFormat::Tar.into(),
                            },
                        };
                        yield reply;
                        break;
                    },
+
+                    _ => {
+                        continue;
+                    }
                }
            }
        };
@ -438,11 +522,90 @@ impl ControlService for DaemonControlService {
    ) -> Result<Response<Self::SnoopIdmStream>, Status> {
        let _ = request.into_inner();
        let mut messages = self.idm.snoop();
+        let glt = self.glt.clone();
        let output = try_stream! {
            while let Ok(event) = messages.recv().await {
-                yield SnoopIdmReply { from: event.from, to: event.to, packet: Some(event.packet) };
+                let Some(from_uuid) = glt.lookup_uuid_by_domid(event.from).await else {
+                    continue;
+                };
+                let Some(to_uuid) = glt.lookup_uuid_by_domid(event.to).await else {
+                    continue;
+                };
+                yield SnoopIdmReply { from: from_uuid.to_string(), to: to_uuid.to_string(), packet: Some(event.packet) };
            }
        };
        Ok(Response::new(Box::pin(output) as Self::SnoopIdmStream))
    }
+
+    async fn list_devices(
+        &self,
+        request: Request<ListDevicesRequest>,
+    ) -> Result<Response<ListDevicesReply>, Status> {
+        let _ = request.into_inner();
+        let mut devices = Vec::new();
+        let state = self.devices.copy().await.map_err(|error| ApiError {
+            message: error.to_string(),
+        })?;
+        for (name, state) in state {
+            devices.push(DeviceInfo {
+                name,
+                claimed: state.owner.is_some(),
+                owner: state.owner.map(|x| x.to_string()).unwrap_or_default(),
+            });
+        }
+        Ok(Response::new(ListDevicesReply { devices }))
+    }
+
+    async fn get_host_cpu_topology(
+        &self,
+        request: Request<HostCpuTopologyRequest>,
+    ) -> Result<Response<HostCpuTopologyReply>, Status> {
+        let _ = request.into_inner();
+        let power = self
+            .runtime
+            .power_management_context()
+            .await
+            .map_err(ApiError::from)?;
+        let cputopo = power.cpu_topology().await.map_err(ApiError::from)?;
+        let mut cpus = vec![];
+
+        for cpu in cputopo {
+            cpus.push(HostCpuTopologyInfo {
+                core: cpu.core,
+                socket: cpu.socket,
+                node: cpu.node,
+                thread: cpu.thread,
+                class: cpu.class as i32,
+            })
+        }
+
+        Ok(Response::new(HostCpuTopologyReply { cpus }))
+    }
+
+    async fn set_host_power_management_policy(
+        &self,
+        request: Request<HostPowerManagementPolicy>,
+    ) -> Result<Response<HostPowerManagementPolicy>, Status> {
+        let policy = request.into_inner();
+        let power = self
+            .runtime
+            .power_management_context()
+            .await
+            .map_err(ApiError::from)?;
+        let scheduler = &policy.scheduler;
+
+        power
+            .set_smt_policy(policy.smt_awareness)
+            .await
+            .map_err(ApiError::from)?;
+        power
+            .set_scheduler_policy(scheduler)
+            .await
+            .map_err(ApiError::from)?;
+
+        Ok(Response::new(HostPowerManagementPolicy {
+            scheduler: scheduler.to_string(),
+            smt_awareness: policy.smt_awareness,
+        }))
+    }
 }
--- a/crates/daemon/src/db.rs
+++ b/crates/daemon/src/db.rs
@ -1,66 +1,66 @@
 use std::{collections::HashMap, path::Path, sync::Arc};

 use anyhow::Result;
-use krata::v1::common::Guest;
+use krata::v1::common::Zone;
 use log::error;
 use prost::Message;
 use redb::{Database, ReadableTable, TableDefinition};
 use uuid::Uuid;

-const GUESTS: TableDefinition<u128, &[u8]> = TableDefinition::new("guests");
+const ZONES: TableDefinition<u128, &[u8]> = TableDefinition::new("zones");

 #[derive(Clone)]
-pub struct GuestStore {
+pub struct ZoneStore {
    database: Arc<Database>,
 }

-impl GuestStore {
+impl ZoneStore {
    pub fn open(path: &Path) -> Result<Self> {
        let database = Database::create(path)?;
        let write = database.begin_write()?;
-        let _ = write.open_table(GUESTS);
+        let _ = write.open_table(ZONES);
        write.commit()?;
-        Ok(GuestStore {
+        Ok(ZoneStore {
            database: Arc::new(database),
        })
    }

-    pub async fn read(&self, id: Uuid) -> Result<Option<Guest>> {
+    pub async fn read(&self, id: Uuid) -> Result<Option<Zone>> {
        let read = self.database.begin_read()?;
-        let table = read.open_table(GUESTS)?;
+        let table = read.open_table(ZONES)?;
        let Some(entry) = table.get(id.to_u128_le())? else {
            return Ok(None);
        };
        let bytes = entry.value();
-        Ok(Some(Guest::decode(bytes)?))
+        Ok(Some(Zone::decode(bytes)?))
    }

-    pub async fn list(&self) -> Result<HashMap<Uuid, Guest>> {
-        let mut guests: HashMap<Uuid, Guest> = HashMap::new();
+    pub async fn list(&self) -> Result<HashMap<Uuid, Zone>> {
+        let mut zones: HashMap<Uuid, Zone> = HashMap::new();
        let read = self.database.begin_read()?;
-        let table = read.open_table(GUESTS)?;
+        let table = read.open_table(ZONES)?;
        for result in table.iter()? {
            let (key, value) = result?;
            let uuid = Uuid::from_u128_le(key.value());
-            let state = match Guest::decode(value.value()) {
+            let state = match Zone::decode(value.value()) {
                Ok(state) => state,
                Err(error) => {
                    error!(
-                        "found invalid guest state in database for uuid {}: {}",
+                        "found invalid zone state in database for uuid {}: {}",
                        uuid, error
                    );
                    continue;
                }
            };
-            guests.insert(uuid, state);
+            zones.insert(uuid, state);
        }
-        Ok(guests)
+        Ok(zones)
    }

-    pub async fn update(&self, id: Uuid, entry: Guest) -> Result<()> {
+    pub async fn update(&self, id: Uuid, entry: Zone) -> Result<()> {
        let write = self.database.begin_write()?;
        {
-            let mut table = write.open_table(GUESTS)?;
+            let mut table = write.open_table(ZONES)?;
            let bytes = entry.encode_to_vec();
            table.insert(id.to_u128_le(), bytes.as_slice())?;
        }
@ -71,7 +71,7 @@ impl GuestStore {
    pub async fn remove(&self, id: Uuid) -> Result<()> {
        let write = self.database.begin_write()?;
        {
-            let mut table = write.open_table(GUESTS)?;
+            let mut table = write.open_table(ZONES)?;
            table.remove(id.to_u128_le())?;
        }
        write.commit()?;
--- a/crates/daemon/src/devices.rs
+++ b/crates/daemon/src/devices.rs
@ -0,0 +1,106 @@
+use std::{collections::HashMap, sync::Arc};
+
+use anyhow::{anyhow, Result};
+use log::warn;
+use tokio::sync::RwLock;
+use uuid::Uuid;
+
+use crate::config::{DaemonConfig, DaemonPciDeviceConfig};
+
+#[derive(Clone)]
+pub struct DaemonDeviceState {
+    pub pci: Option<DaemonPciDeviceConfig>,
+    pub owner: Option<Uuid>,
+}
+
+#[derive(Clone)]
+pub struct DaemonDeviceManager {
+    config: Arc<DaemonConfig>,
+    devices: Arc<RwLock<HashMap<String, DaemonDeviceState>>>,
+}
+
+impl DaemonDeviceManager {
+    pub fn new(config: Arc<DaemonConfig>) -> Self {
+        Self {
+            config,
+            devices: Arc::new(RwLock::new(HashMap::new())),
+        }
+    }
+
+    pub async fn claim(&self, device: &str, uuid: Uuid) -> Result<DaemonDeviceState> {
+        let mut devices = self.devices.write().await;
+        let Some(state) = devices.get_mut(device) else {
+            return Err(anyhow!(
+                "unable to claim unknown device '{}' for zone {}",
+                device,
+                uuid
+            ));
+        };
+
+        if let Some(owner) = state.owner {
+            return Err(anyhow!(
+                "unable to claim device '{}' for zone {}: already claimed by {}",
+                device,
+                uuid,
+                owner
+            ));
+        }
+
+        state.owner = Some(uuid);
+        Ok(state.clone())
+    }
+
+    pub async fn release_all(&self, uuid: Uuid) -> Result<()> {
+        let mut devices = self.devices.write().await;
+        for state in (*devices).values_mut() {
+            if state.owner == Some(uuid) {
+                state.owner = None;
+            }
+        }
+        Ok(())
+    }
+
+    pub async fn release(&self, device: &str, uuid: Uuid) -> Result<()> {
+        let mut devices = self.devices.write().await;
+        let Some(state) = devices.get_mut(device) else {
+            return Ok(());
+        };
+
+        if let Some(owner) = state.owner {
+            if owner != uuid {
+                return Ok(());
+            }
+        }
+
+        state.owner = None;
+        Ok(())
+    }
+
+    pub async fn update_claims(&self, claims: HashMap<String, Uuid>) -> Result<()> {
+        let mut devices = self.devices.write().await;
+        devices.clear();
+        for (name, pci) in &self.config.pci.devices {
+            let owner = claims.get(name).cloned();
+            devices.insert(
+                name.clone(),
+                DaemonDeviceState {
+                    owner,
+                    pci: Some(pci.clone()),
+                },
+            );
+        }
+
+        for (name, uuid) in &claims {
+            if !devices.contains_key(name) {
+                warn!("unknown device '{}' assigned to zone {}", name, uuid);
+            }
+        }
+
+        Ok(())
+    }
+
+    pub async fn copy(&self) -> Result<HashMap<String, DaemonDeviceState>> {
+        let devices = self.devices.read().await;
+        Ok(devices.clone())
+    }
+}
--- a/crates/daemon/src/event.rs
+++ b/crates/daemon/src/event.rs
@ -4,10 +4,12 @@ use std::{
    time::Duration,
 };

+use crate::{db::ZoneStore, idm::DaemonIdmHandle};
 use anyhow::Result;
+use krata::v1::common::ZoneExitInfo;
 use krata::{
-    idm::protocol::{idm_event::Event, IdmEvent},
-    v1::common::{GuestExitInfo, GuestState, GuestStatus},
+    idm::{internal::event::Event as EventType, internal::Event},
+    v1::common::{ZoneState, ZoneStatus},
 };
 use log::{error, warn};
 use tokio::{
@ -21,8 +23,6 @@ use tokio::{
 };
 use uuid::Uuid;

-use crate::{db::GuestStore, idm::DaemonIdmHandle};
-
 pub type DaemonEvent = krata::v1::control::watch_events_reply::Event;

 const EVENT_CHANNEL_QUEUE_LEN: usize = 1000;
@ -45,27 +45,27 @@ impl DaemonEventContext {
 }

 pub struct DaemonEventGenerator {
-    guests: GuestStore,
-    guest_reconciler_notify: Sender<Uuid>,
+    zones: ZoneStore,
+    zone_reconciler_notify: Sender<Uuid>,
    feed: broadcast::Receiver<DaemonEvent>,
    idm: DaemonIdmHandle,
    idms: HashMap<u32, (Uuid, JoinHandle<()>)>,
-    idm_sender: Sender<(u32, IdmEvent)>,
-    idm_receiver: Receiver<(u32, IdmEvent)>,
+    idm_sender: Sender<(u32, Event)>,
+    idm_receiver: Receiver<(u32, Event)>,
    _event_sender: broadcast::Sender<DaemonEvent>,
 }

 impl DaemonEventGenerator {
    pub async fn new(
-        guests: GuestStore,
-        guest_reconciler_notify: Sender<Uuid>,
+        zones: ZoneStore,
+        zone_reconciler_notify: Sender<Uuid>,
        idm: DaemonIdmHandle,
    ) -> Result<(DaemonEventContext, DaemonEventGenerator)> {
        let (sender, _) = broadcast::channel(EVENT_CHANNEL_QUEUE_LEN);
        let (idm_sender, idm_receiver) = channel(IDM_EVENT_CHANNEL_QUEUE_LEN);
        let generator = DaemonEventGenerator {
-            guests,
-            guest_reconciler_notify,
+            zones,
+            zone_reconciler_notify,
            feed: sender.subscribe(),
            idm,
            idms: HashMap::new(),
@ -78,22 +78,22 @@ impl DaemonEventGenerator {
    }

    async fn handle_feed_event(&mut self, event: &DaemonEvent) -> Result<()> {
-        let DaemonEvent::GuestChanged(changed) = event;
-        let Some(ref guest) = changed.guest else {
+        let DaemonEvent::ZoneChanged(changed) = event;
+        let Some(ref zone) = changed.zone else {
            return Ok(());
        };

-        let Some(ref state) = guest.state else {
+        let Some(ref state) = zone.state else {
            return Ok(());
        };

        let status = state.status();
-        let id = Uuid::from_str(&guest.id)?;
+        let id = Uuid::from_str(&zone.id)?;
        let domid = state.domid;
        match status {
-            GuestStatus::Started => {
+            ZoneStatus::Started => {
                if let Entry::Vacant(e) = self.idms.entry(domid) {
-                    let client = self.idm.client(domid).await?;
+                    let client = self.idm.client_by_domid(domid).await?;
                    let mut receiver = client.subscribe().await?;
                    let sender = self.idm_sender.clone();
                    let task = tokio::task::spawn(async move {
@ -111,7 +111,7 @@ impl DaemonEventGenerator {
                }
            }

-            GuestStatus::Destroyed => {
+            ZoneStatus::Destroyed => {
                if let Some((_, handle)) = self.idms.remove(&domid) {
                    handle.abort();
                }
@ -122,25 +122,26 @@ impl DaemonEventGenerator {
        Ok(())
    }

-    async fn handle_idm_event(&mut self, id: Uuid, event: IdmEvent) -> Result<()> {
+    async fn handle_idm_event(&mut self, id: Uuid, event: Event) -> Result<()> {
        match event.event {
-            Some(Event::Exit(exit)) => self.handle_exit_code(id, exit.code).await,
+            Some(EventType::Exit(exit)) => self.handle_exit_code(id, exit.code).await,
            None => Ok(()),
        }
    }

    async fn handle_exit_code(&mut self, id: Uuid, code: i32) -> Result<()> {
-        if let Some(mut guest) = self.guests.read(id).await? {
-            guest.state = Some(GuestState {
-                status: GuestStatus::Exited.into(),
-                network: guest.state.clone().unwrap_or_default().network,
-                exit_info: Some(GuestExitInfo { code }),
+        if let Some(mut zone) = self.zones.read(id).await? {
+            zone.state = Some(ZoneState {
+                status: ZoneStatus::Exited.into(),
+                network: zone.state.clone().unwrap_or_default().network,
+                exit_info: Some(ZoneExitInfo { code }),
                error_info: None,
-                domid: guest.state.clone().map(|x| x.domid).unwrap_or(u32::MAX),
+                host: zone.state.clone().map(|x| x.host).unwrap_or_default(),
+                domid: zone.state.clone().map(|x| x.domid).unwrap_or(u32::MAX),
            });

-            self.guests.update(id, guest).await?;
-            self.guest_reconciler_notify.send(id).await?;
+            self.zones.update(id, zone).await?;
+            self.zone_reconciler_notify.send(id).await?;
        }
        Ok(())
    }
--- a/crates/daemon/src/idm.rs
+++ b/crates/daemon/src/idm.rs
@ -6,8 +6,9 @@ use std::{
 use anyhow::{anyhow, Result};
 use bytes::{Buf, BytesMut};
 use krata::idm::{
-    client::{IdmBackend, IdmClient},
-    protocol::IdmPacket,
+    client::{IdmBackend, IdmInternalClient},
+    internal::INTERNAL_IDM_CHANNEL,
+    transport::IdmTransportPacket,
 };
 use kratart::channel::ChannelService;
 use log::{error, warn};
@ -21,15 +22,19 @@ use tokio::{
    },
    task::JoinHandle,
 };
+use uuid::Uuid;

-type BackendFeedMap = Arc<Mutex<HashMap<u32, Sender<IdmPacket>>>>;
-type ClientMap = Arc<Mutex<HashMap<u32, IdmClient>>>;
+use crate::zlt::ZoneLookupTable;
+
+type BackendFeedMap = Arc<Mutex<HashMap<u32, Sender<IdmTransportPacket>>>>;
+type ClientMap = Arc<Mutex<HashMap<u32, IdmInternalClient>>>;

 #[derive(Clone)]
 pub struct DaemonIdmHandle {
+    glt: ZoneLookupTable,
    clients: ClientMap,
    feeds: BackendFeedMap,
-    tx_sender: Sender<(u32, IdmPacket)>,
+    tx_sender: Sender<(u32, IdmTransportPacket)>,
    task: Arc<JoinHandle<()>>,
    snoop_sender: broadcast::Sender<DaemonIdmSnoopPacket>,
 }
@ -39,7 +44,14 @@ impl DaemonIdmHandle {
        self.snoop_sender.subscribe()
    }

-    pub async fn client(&self, domid: u32) -> Result<IdmClient> {
+    pub async fn client(&self, uuid: Uuid) -> Result<IdmInternalClient> {
+        let Some(domid) = self.glt.lookup_domid_by_uuid(&uuid).await else {
+            return Err(anyhow!("unable to find domain {}", uuid));
+        };
+        self.client_by_domid(domid).await
+    }
+
+    pub async fn client_by_domid(&self, domid: u32) -> Result<IdmInternalClient> {
        client_or_create(domid, &self.tx_sender, &self.clients, &self.feeds).await
    }
 }
@ -56,22 +68,23 @@ impl Drop for DaemonIdmHandle {
 pub struct DaemonIdmSnoopPacket {
    pub from: u32,
    pub to: u32,
-    pub packet: IdmPacket,
+    pub packet: IdmTransportPacket,
 }

 pub struct DaemonIdm {
+    glt: ZoneLookupTable,
    clients: ClientMap,
    feeds: BackendFeedMap,
-    tx_sender: Sender<(u32, IdmPacket)>,
+    tx_sender: Sender<(u32, IdmTransportPacket)>,
    tx_raw_sender: Sender<(u32, Vec<u8>)>,
-    tx_receiver: Receiver<(u32, IdmPacket)>,
+    tx_receiver: Receiver<(u32, IdmTransportPacket)>,
    rx_receiver: Receiver<(u32, Option<Vec<u8>>)>,
    snoop_sender: broadcast::Sender<DaemonIdmSnoopPacket>,
    task: JoinHandle<()>,
 }

 impl DaemonIdm {
-    pub async fn new() -> Result<DaemonIdm> {
+    pub async fn new(glt: ZoneLookupTable) -> Result<DaemonIdm> {
        let (service, tx_raw_sender, rx_receiver) =
            ChannelService::new("krata-channel".to_string(), None).await?;
        let (tx_sender, tx_receiver) = channel(100);
@ -80,6 +93,7 @@ impl DaemonIdm {
        let clients = Arc::new(Mutex::new(HashMap::new()));
        let feeds = Arc::new(Mutex::new(HashMap::new()));
        Ok(DaemonIdm {
+            glt,
            rx_receiver,
            tx_receiver,
            tx_sender,
@ -92,6 +106,7 @@ impl DaemonIdm {
    }

    pub async fn launch(mut self) -> Result<DaemonIdmHandle> {
+        let glt = self.glt.clone();
        let clients = self.clients.clone();
        let feeds = self.feeds.clone();
        let tx_sender = self.tx_sender.clone();
@ -104,6 +119,7 @@ impl DaemonIdm {
            }
        });
        Ok(DaemonIdmHandle {
+            glt,
            clients,
            feeds,
            tx_sender,
@ -120,34 +136,36 @@ impl DaemonIdm {
                        if let Some(data) = data {
                            let buffer = buffers.entry(domid).or_insert_with_key(|_| BytesMut::new());
                            buffer.extend_from_slice(&data);
-                            if buffer.len() < 6 {
-                                continue;
-                            }
-
-                            if buffer[0] != 0xff || buffer[1] != 0xff {
-                                buffer.clear();
-                                continue;
-                            }
-
-                            let size = (buffer[2] as u32 | (buffer[3] as u32) << 8 | (buffer[4] as u32) << 16 | (buffer[5] as u32) << 24) as usize;
-                            let needed = size + 6;
-                            if buffer.len() < needed {
-                                continue;
-                            }
-                            let mut packet = buffer.split_to(needed);
-                            packet.advance(6);
-                            match IdmPacket::decode(packet) {
-                                Ok(packet) => {
-                                    let _ = client_or_create(domid, &self.tx_sender, &self.clients, &self.feeds).await?;
-                                    let guard = self.feeds.lock().await;
-                                    if let Some(feed) = guard.get(&domid) {
-                                        let _ = feed.try_send(packet.clone());
-                                    }
-                                    let _ = self.snoop_sender.send(DaemonIdmSnoopPacket { from: domid, to: 0, packet });
+                            loop {
+                                if buffer.len() < 6 {
+                                    break;
                                }

-                                Err(packet) => {
-                                    warn!("received invalid packet from domain {}: {}", domid, packet);
+                                if buffer[0] != 0xff || buffer[1] != 0xff {
+                                    buffer.clear();
+                                    break;
+                                }
+
+                                let size = (buffer[2] as u32 | (buffer[3] as u32) << 8 | (buffer[4] as u32) << 16 | (buffer[5] as u32) << 24) as usize;
+                                let needed = size + 6;
+                                if buffer.len() < needed {
+                                    break;
+                                }
+                                let mut packet = buffer.split_to(needed);
+                                packet.advance(6);
+                                match IdmTransportPacket::decode(packet) {
+                                    Ok(packet) => {
+                                        let _ = client_or_create(domid, &self.tx_sender, &self.clients, &self.feeds).await?;
+                                        let guard = self.feeds.lock().await;
+                                        if let Some(feed) = guard.get(&domid) {
+                                            let _ = feed.try_send(packet.clone());
+                                        }
+                                        let _ = self.snoop_sender.send(DaemonIdmSnoopPacket { from: domid, to: 0, packet });
+                                    }
+
+                                    Err(packet) => {
+                                        warn!("received invalid packet from domain {}: {}", domid, packet);
+                                    }
                                }
                            }
                        } else {
@ -196,10 +214,10 @@ impl Drop for DaemonIdm {

 async fn client_or_create(
    domid: u32,
-    tx_sender: &Sender<(u32, IdmPacket)>,
+    tx_sender: &Sender<(u32, IdmTransportPacket)>,
    clients: &ClientMap,
    feeds: &BackendFeedMap,
-) -> Result<IdmClient> {
+) -> Result<IdmInternalClient> {
    let mut clients = clients.lock().await;
    let mut feeds = feeds.lock().await;
    match clients.entry(domid) {
@ -212,7 +230,11 @@ async fn client_or_create(
                rx_receiver,
                tx_sender: tx_sender.clone(),
            };
-            let client = IdmClient::new(Box::new(backend) as Box<dyn IdmBackend>).await?;
+            let client = IdmInternalClient::new(
+                INTERNAL_IDM_CHANNEL,
+                Box::new(backend) as Box<dyn IdmBackend>,
+            )
+            .await?;
            entry.insert(client.clone());
            Ok(client)
        }
@ -221,13 +243,13 @@ async fn client_or_create(

 pub struct IdmDaemonBackend {
    domid: u32,
-    rx_receiver: Receiver<IdmPacket>,
-    tx_sender: Sender<(u32, IdmPacket)>,
+    rx_receiver: Receiver<IdmTransportPacket>,
+    tx_sender: Sender<(u32, IdmTransportPacket)>,
 }

 #[async_trait::async_trait]
 impl IdmBackend for IdmDaemonBackend {
-    async fn recv(&mut self) -> Result<IdmPacket> {
+    async fn recv(&mut self) -> Result<IdmTransportPacket> {
        if let Some(packet) = self.rx_receiver.recv().await {
            Ok(packet)
        } else {
@ -235,7 +257,7 @@ impl IdmBackend for IdmDaemonBackend {
        }
    }

-    async fn send(&mut self, packet: IdmPacket) -> Result<()> {
+    async fn send(&mut self, packet: IdmTransportPacket) -> Result<()> {
        self.tx_sender.send((self.domid, packet)).await?;
        Ok(())
    }
--- a/crates/daemon/src/lib.rs
+++ b/crates/daemon/src/lib.rs
@ -1,16 +1,18 @@
-use std::{net::SocketAddr, path::PathBuf, str::FromStr};
+use std::{net::SocketAddr, path::PathBuf, str::FromStr, sync::Arc};

-use anyhow::Result;
+use anyhow::{anyhow, Result};
+use config::DaemonConfig;
 use console::{DaemonConsole, DaemonConsoleHandle};
 use control::DaemonControlService;
-use db::GuestStore;
+use db::ZoneStore;
+use devices::DaemonDeviceManager;
 use event::{DaemonEventContext, DaemonEventGenerator};
 use idm::{DaemonIdm, DaemonIdmHandle};
 use krata::{dial::ControlDialAddress, v1::control::control_service_server::ControlServiceServer};
 use krataoci::{packer::service::OciPackerService, registry::OciPlatform};
 use kratart::Runtime;
 use log::info;
-use reconcile::guest::GuestReconciler;
+use reconcile::zone::ZoneReconciler;
 use tokio::{
    fs,
    net::UnixListener,
@ -20,84 +22,146 @@ use tokio::{
 use tokio_stream::wrappers::UnixListenerStream;
 use tonic::transport::{Identity, Server, ServerTlsConfig};
 use uuid::Uuid;
+use zlt::ZoneLookupTable;

+pub mod command;
+pub mod config;
 pub mod console;
 pub mod control;
 pub mod db;
+pub mod devices;
 pub mod event;
 pub mod idm;
 pub mod metrics;
 pub mod oci;
 pub mod reconcile;
+pub mod zlt;

 pub struct Daemon {
    store: String,
-    guests: GuestStore,
+    _config: Arc<DaemonConfig>,
+    glt: ZoneLookupTable,
+    devices: DaemonDeviceManager,
+    zones: ZoneStore,
    events: DaemonEventContext,
-    guest_reconciler_task: JoinHandle<()>,
-    guest_reconciler_notify: Sender<Uuid>,
+    zone_reconciler_task: JoinHandle<()>,
+    zone_reconciler_notify: Sender<Uuid>,
    generator_task: JoinHandle<()>,
    idm: DaemonIdmHandle,
    console: DaemonConsoleHandle,
    packer: OciPackerService,
+    runtime: Runtime,
 }

-const GUEST_RECONCILER_QUEUE_LEN: usize = 1000;
+const ZONE_RECONCILER_QUEUE_LEN: usize = 1000;

 impl Daemon {
    pub async fn new(store: String) -> Result<Self> {
-        let mut image_cache_dir = PathBuf::from(store.clone());
+        let store_dir = PathBuf::from(store.clone());
+        let mut config_path = store_dir.clone();
+        config_path.push("config.toml");
+
+        let config = DaemonConfig::load(&config_path).await?;
+        let config = Arc::new(config);
+        let devices = DaemonDeviceManager::new(config.clone());
+
+        let mut image_cache_dir = store_dir.clone();
        image_cache_dir.push("cache");
        image_cache_dir.push("image");
        fs::create_dir_all(&image_cache_dir).await?;

-        let packer = OciPackerService::new(None, &image_cache_dir, OciPlatform::current())?;
+        let mut host_uuid_path = store_dir.clone();
+        host_uuid_path.push("host.uuid");
+        let host_uuid = if host_uuid_path.is_file() {
+            let content = fs::read_to_string(&host_uuid_path).await?;
+            Uuid::from_str(content.trim()).ok()
+        } else {
+            None
+        };

-        let runtime = Runtime::new(store.clone()).await?;
-        let guests_db_path = format!("{}/guests.db", store);
-        let guests = GuestStore::open(&PathBuf::from(guests_db_path))?;
-        let (guest_reconciler_notify, guest_reconciler_receiver) =
-            channel::<Uuid>(GUEST_RECONCILER_QUEUE_LEN);
-        let idm = DaemonIdm::new().await?;
+        let host_uuid = if let Some(host_uuid) = host_uuid {
+            host_uuid
+        } else {
+            let generated = Uuid::new_v4();
+            let mut string = generated.to_string();
+            string.push('\n');
+            fs::write(&host_uuid_path, string).await?;
+            generated
+        };
+
+        let initrd_path = detect_zone_path(&store, "initrd")?;
+        let kernel_path = detect_zone_path(&store, "kernel")?;
+        let addons_path = detect_zone_path(&store, "addons.squashfs")?;
+
+        let seed = config.oci.seed.clone().map(PathBuf::from);
+        let packer = OciPackerService::new(seed, &image_cache_dir, OciPlatform::current()).await?;
+        let runtime = Runtime::new(host_uuid).await?;
+        let glt = ZoneLookupTable::new(0, host_uuid);
+        let zones_db_path = format!("{}/zones.db", store);
+        let zones = ZoneStore::open(&PathBuf::from(zones_db_path))?;
+        let (zone_reconciler_notify, zone_reconciler_receiver) =
+            channel::<Uuid>(ZONE_RECONCILER_QUEUE_LEN);
+        let idm = DaemonIdm::new(glt.clone()).await?;
        let idm = idm.launch().await?;
-        let console = DaemonConsole::new().await?;
+        let console = DaemonConsole::new(glt.clone()).await?;
        let console = console.launch().await?;
        let (events, generator) =
-            DaemonEventGenerator::new(guests.clone(), guest_reconciler_notify.clone(), idm.clone())
+            DaemonEventGenerator::new(zones.clone(), zone_reconciler_notify.clone(), idm.clone())
                .await?;
        let runtime_for_reconciler = runtime.dupe().await?;
-        let guest_reconciler = GuestReconciler::new(
-            guests.clone(),
+        let zone_reconciler = ZoneReconciler::new(
+            devices.clone(),
+            glt.clone(),
+            zones.clone(),
            events.clone(),
            runtime_for_reconciler,
            packer.clone(),
-            guest_reconciler_notify.clone(),
+            zone_reconciler_notify.clone(),
+            kernel_path,
+            initrd_path,
+            addons_path,
        )?;

-        let guest_reconciler_task = guest_reconciler.launch(guest_reconciler_receiver).await?;
+        let zone_reconciler_task = zone_reconciler.launch(zone_reconciler_receiver).await?;
        let generator_task = generator.launch().await?;

+        // TODO: Create a way of abstracting early init tasks in kratad.
+        // TODO: Make initial power management policy configurable.
+        // FIXME: Power management hypercalls fail when running as an L1 hypervisor.
+        // let power = runtime.power_management_context().await?;
+        // power.set_smt_policy(true).await?;
+        // power
+        //     .set_scheduler_policy("performance".to_string())
+        //     .await?;
+
        Ok(Self {
            store,
-            guests,
+            _config: config,
+            glt,
+            devices,
+            zones,
            events,
-            guest_reconciler_task,
-            guest_reconciler_notify,
+            zone_reconciler_task,
+            zone_reconciler_notify,
            generator_task,
            idm,
            console,
            packer,
+            runtime,
        })
    }

    pub async fn listen(&mut self, addr: ControlDialAddress) -> Result<()> {
        let control_service = DaemonControlService::new(
+            self.glt.clone(),
+            self.devices.clone(),
            self.events.clone(),
            self.console.clone(),
            self.idm.clone(),
-            self.guests.clone(),
-            self.guest_reconciler_notify.clone(),
+            self.zones.clone(),
+            self.zone_reconciler_notify.clone(),
            self.packer.clone(),
+            self.runtime.clone(),
        );

        let mut server = Server::builder();
@ -150,7 +214,20 @@ impl Daemon {

 impl Drop for Daemon {
    fn drop(&mut self) {
-        self.guest_reconciler_task.abort();
+        self.zone_reconciler_task.abort();
        self.generator_task.abort();
    }
 }
+
+fn detect_zone_path(store: &str, name: &str) -> Result<PathBuf> {
+    let mut path = PathBuf::from(format!("{}/zone/{}", store, name));
+    if path.is_file() {
+        return Ok(path);
+    }
+
+    path = PathBuf::from(format!("/usr/share/krata/zone/{}", name));
+    if path.is_file() {
+        return Ok(path);
+    }
+    Err(anyhow!("unable to find required zone file: {}", name))
+}
--- a/crates/daemon/src/metrics.rs
+++ b/crates/daemon/src/metrics.rs
@ -1,20 +1,20 @@
 use krata::{
-    idm::protocol::{IdmMetricFormat, IdmMetricNode},
-    v1::common::{GuestMetricFormat, GuestMetricNode},
+    idm::internal::{MetricFormat, MetricNode},
+    v1::common::{ZoneMetricFormat, ZoneMetricNode},
 };

-fn idm_metric_format_to_api(format: IdmMetricFormat) -> GuestMetricFormat {
+fn idm_metric_format_to_api(format: MetricFormat) -> ZoneMetricFormat {
    match format {
-        IdmMetricFormat::Unknown => GuestMetricFormat::Unknown,
-        IdmMetricFormat::Bytes => GuestMetricFormat::Bytes,
-        IdmMetricFormat::Integer => GuestMetricFormat::Integer,
-        IdmMetricFormat::DurationSeconds => GuestMetricFormat::DurationSeconds,
+        MetricFormat::Unknown => ZoneMetricFormat::Unknown,
+        MetricFormat::Bytes => ZoneMetricFormat::Bytes,
+        MetricFormat::Integer => ZoneMetricFormat::Integer,
+        MetricFormat::DurationSeconds => ZoneMetricFormat::DurationSeconds,
    }
 }

-pub fn idm_metric_to_api(node: IdmMetricNode) -> GuestMetricNode {
+pub fn idm_metric_to_api(node: MetricNode) -> ZoneMetricNode {
    let format = node.format();
-    GuestMetricNode {
+    ZoneMetricNode {
        name: node.name,
        value: node.value,
        format: idm_metric_format_to_api(format).into(),
--- a/crates/daemon/src/oci.rs
+++ b/crates/daemon/src/oci.rs
@ -1,33 +1,72 @@
 use krata::v1::control::{
-    PullImageProgress, PullImageProgressLayer, PullImageProgressLayerPhase, PullImageProgressPhase,
+    image_progress_indication::Indication, ImageProgress, ImageProgressIndication,
+    ImageProgressIndicationBar, ImageProgressIndicationCompleted, ImageProgressIndicationHidden,
+    ImageProgressIndicationSpinner, ImageProgressLayer, ImageProgressLayerPhase,
+    ImageProgressPhase,
+};
+use krataoci::progress::{
+    OciProgress, OciProgressIndication, OciProgressLayer, OciProgressLayerPhase, OciProgressPhase,
 };
-use krataoci::progress::{OciProgress, OciProgressLayer, OciProgressLayerPhase, OciProgressPhase};

-fn convert_oci_layer_progress(layer: OciProgressLayer) -> PullImageProgressLayer {
-    PullImageProgressLayer {
-        id: layer.id,
-        phase: match layer.phase {
-            OciProgressLayerPhase::Waiting => PullImageProgressLayerPhase::Waiting,
-            OciProgressLayerPhase::Downloading => PullImageProgressLayerPhase::Downloading,
-            OciProgressLayerPhase::Downloaded => PullImageProgressLayerPhase::Downloaded,
-            OciProgressLayerPhase::Extracting => PullImageProgressLayerPhase::Extracting,
-            OciProgressLayerPhase::Extracted => PullImageProgressLayerPhase::Extracted,
-        }
-        .into(),
-        value: layer.value,
-        total: layer.total,
+fn convert_oci_progress_indication(indication: OciProgressIndication) -> ImageProgressIndication {
+    ImageProgressIndication {
+        indication: Some(match indication {
+            OciProgressIndication::Hidden => Indication::Hidden(ImageProgressIndicationHidden {}),
+            OciProgressIndication::ProgressBar {
+                message,
+                current,
+                total,
+                bytes,
+            } => Indication::Bar(ImageProgressIndicationBar {
+                message: message.unwrap_or_default(),
+                current,
+                total,
+                is_bytes: bytes,
+            }),
+            OciProgressIndication::Spinner { message } => {
+                Indication::Spinner(ImageProgressIndicationSpinner {
+                    message: message.unwrap_or_default(),
+                })
+            }
+            OciProgressIndication::Completed {
+                message,
+                total,
+                bytes,
+            } => Indication::Completed(ImageProgressIndicationCompleted {
+                message: message.unwrap_or_default(),
+                total: total.unwrap_or(0),
+                is_bytes: bytes,
+            }),
+        }),
    }
 }

-pub fn convert_oci_progress(oci: OciProgress) -> PullImageProgress {
-    PullImageProgress {
+fn convert_oci_layer_progress(layer: OciProgressLayer) -> ImageProgressLayer {
+    ImageProgressLayer {
+        id: layer.id,
+        phase: match layer.phase {
+            OciProgressLayerPhase::Waiting => ImageProgressLayerPhase::Waiting,
+            OciProgressLayerPhase::Downloading => ImageProgressLayerPhase::Downloading,
+            OciProgressLayerPhase::Downloaded => ImageProgressLayerPhase::Downloaded,
+            OciProgressLayerPhase::Extracting => ImageProgressLayerPhase::Extracting,
+            OciProgressLayerPhase::Extracted => ImageProgressLayerPhase::Extracted,
+        }
+        .into(),
+        indication: Some(convert_oci_progress_indication(layer.indication)),
+    }
+}
+
+pub fn convert_oci_progress(oci: OciProgress) -> ImageProgress {
+    ImageProgress {
        phase: match oci.phase {
-            OciProgressPhase::Resolving => PullImageProgressPhase::Resolving,
-            OciProgressPhase::Resolved => PullImageProgressPhase::Resolved,
-            OciProgressPhase::ConfigAcquire => PullImageProgressPhase::ConfigAcquire,
-            OciProgressPhase::LayerAcquire => PullImageProgressPhase::LayerAcquire,
-            OciProgressPhase::Packing => PullImageProgressPhase::Packing,
-            OciProgressPhase::Complete => PullImageProgressPhase::Complete,
+            OciProgressPhase::Started => ImageProgressPhase::Started,
+            OciProgressPhase::Resolving => ImageProgressPhase::Resolving,
+            OciProgressPhase::Resolved => ImageProgressPhase::Resolved,
+            OciProgressPhase::ConfigDownload => ImageProgressPhase::ConfigDownload,
+            OciProgressPhase::LayerDownload => ImageProgressPhase::LayerDownload,
+            OciProgressPhase::Assemble => ImageProgressPhase::Assemble,
+            OciProgressPhase::Pack => ImageProgressPhase::Pack,
+            OciProgressPhase::Complete => ImageProgressPhase::Complete,
        }
        .into(),
        layers: oci
@ -35,7 +74,6 @@ pub fn convert_oci_progress(oci: OciProgress) -> PullImageProgress {
            .into_values()
            .map(convert_oci_layer_progress)
            .collect::<Vec<_>>(),
-        value: oci.value,
-        total: oci.total,
+        indication: Some(convert_oci_progress_indication(oci.indication)),
    }
 }
--- a/crates/daemon/src/reconcile/guest.rs
+++ b/crates/daemon/src/reconcile/guest.rs
@ -1,376 +0,0 @@
-use std::{
-    collections::{hash_map::Entry, HashMap},
-    sync::Arc,
-    time::Duration,
-};
-
-use anyhow::{anyhow, Result};
-use krata::launchcfg::LaunchPackedFormat;
-use krata::v1::{
-    common::{
-        guest_image_spec::Image, Guest, GuestErrorInfo, GuestExitInfo, GuestNetworkState,
-        GuestOciImageFormat, GuestState, GuestStatus,
-    },
-    control::GuestChangedEvent,
-};
-use krataoci::packer::{service::OciPackerService, OciPackedFormat};
-use kratart::{launch::GuestLaunchRequest, GuestInfo, Runtime};
-use log::{error, info, trace, warn};
-use tokio::{
-    select,
-    sync::{
-        mpsc::{channel, Receiver, Sender},
-        Mutex, RwLock,
-    },
-    task::JoinHandle,
-    time::sleep,
-};
-use uuid::Uuid;
-
-use crate::{
-    db::GuestStore,
-    event::{DaemonEvent, DaemonEventContext},
-};
-
-const PARALLEL_LIMIT: u32 = 5;
-
-#[derive(Debug)]
-enum GuestReconcilerResult {
-    Unchanged,
-    Changed { rerun: bool },
-}
-
-struct GuestReconcilerEntry {
-    task: JoinHandle<()>,
-    sender: Sender<()>,
-}
-
-impl Drop for GuestReconcilerEntry {
-    fn drop(&mut self) {
-        self.task.abort();
-    }
-}
-
-#[derive(Clone)]
-pub struct GuestReconciler {
-    guests: GuestStore,
-    events: DaemonEventContext,
-    runtime: Runtime,
-    packer: OciPackerService,
-    tasks: Arc<Mutex<HashMap<Uuid, GuestReconcilerEntry>>>,
-    guest_reconciler_notify: Sender<Uuid>,
-    reconcile_lock: Arc<RwLock<()>>,
-}
-
-impl GuestReconciler {
-    pub fn new(
-        guests: GuestStore,
-        events: DaemonEventContext,
-        runtime: Runtime,
-        packer: OciPackerService,
-        guest_reconciler_notify: Sender<Uuid>,
-    ) -> Result<Self> {
-        Ok(Self {
-            guests,
-            events,
-            runtime,
-            packer,
-            tasks: Arc::new(Mutex::new(HashMap::new())),
-            guest_reconciler_notify,
-            reconcile_lock: Arc::new(RwLock::with_max_readers((), PARALLEL_LIMIT)),
-        })
-    }
-
-    pub async fn launch(self, mut notify: Receiver<Uuid>) -> Result<JoinHandle<()>> {
-        Ok(tokio::task::spawn(async move {
-            if let Err(error) = self.reconcile_runtime(true).await {
-                error!("runtime reconciler failed: {}", error);
-            }
-
-            loop {
-                select! {
-                    x = notify.recv() => match x {
-                        None => {
-                            break;
-                        },
-
-                        Some(uuid) => {
-                            if let Err(error) = self.launch_task_if_needed(uuid).await {
-                                error!("failed to start guest reconciler task {}: {}", uuid, error);
-                            }
-
-                            let map = self.tasks.lock().await;
-                            if let Some(entry) = map.get(&uuid) {
-                                if let Err(error) = entry.sender.send(()).await {
-                                    error!("failed to notify guest reconciler task {}: {}", uuid, error);
-                                }
-                            }
-                        }
-                    },
-
-                    _ = sleep(Duration::from_secs(5)) => {
-                        if let Err(error) = self.reconcile_runtime(false).await {
-                            error!("runtime reconciler failed: {}", error);
-                        }
-                    }
-                };
-            }
-        }))
-    }
-
-    pub async fn reconcile_runtime(&self, initial: bool) -> Result<()> {
-        let _permit = self.reconcile_lock.write().await;
-        trace!("reconciling runtime");
-        let runtime_guests = self.runtime.list().await?;
-        let stored_guests = self.guests.list().await?;
-        for (uuid, mut stored_guest) in stored_guests {
-            let previous_guest = stored_guest.clone();
-            let runtime_guest = runtime_guests.iter().find(|x| x.uuid == uuid);
-            match runtime_guest {
-                None => {
-                    let mut state = stored_guest.state.as_mut().cloned().unwrap_or_default();
-                    if state.status() == GuestStatus::Started {
-                        state.status = GuestStatus::Starting.into();
-                    }
-                    stored_guest.state = Some(state);
-                }
-
-                Some(runtime) => {
-                    let mut state = stored_guest.state.as_mut().cloned().unwrap_or_default();
-                    if let Some(code) = runtime.state.exit_code {
-                        state.status = GuestStatus::Exited.into();
-                        state.exit_info = Some(GuestExitInfo { code });
-                    } else {
-                        state.status = GuestStatus::Started.into();
-                    }
-                    state.network = Some(guestinfo_to_networkstate(runtime));
-                    stored_guest.state = Some(state);
-                }
-            }
-
-            let changed = stored_guest != previous_guest;
-
-            if changed || initial {
-                self.guests.update(uuid, stored_guest).await?;
-                let _ = self.guest_reconciler_notify.try_send(uuid);
-            }
-        }
-        Ok(())
-    }
-
-    pub async fn reconcile(&self, uuid: Uuid) -> Result<bool> {
-        let _runtime_reconcile_permit = self.reconcile_lock.read().await;
-        let Some(mut guest) = self.guests.read(uuid).await? else {
-            warn!(
-                "notified of reconcile for guest {} but it didn't exist",
-                uuid
-            );
-            return Ok(false);
-        };
-
-        info!("reconciling guest {}", uuid);
-
-        self.events
-            .send(DaemonEvent::GuestChanged(GuestChangedEvent {
-                guest: Some(guest.clone()),
-            }))?;
-
-        let start_status = guest.state.as_ref().map(|x| x.status()).unwrap_or_default();
-        let result = match start_status {
-            GuestStatus::Starting => self.start(uuid, &mut guest).await,
-            GuestStatus::Exited => self.exited(&mut guest).await,
-            GuestStatus::Destroying => self.destroy(uuid, &mut guest).await,
-            _ => Ok(GuestReconcilerResult::Unchanged),
-        };
-
-        let result = match result {
-            Ok(result) => result,
-            Err(error) => {
-                guest.state = Some(guest.state.as_mut().cloned().unwrap_or_default());
-                guest.state.as_mut().unwrap().status = GuestStatus::Failed.into();
-                guest.state.as_mut().unwrap().error_info = Some(GuestErrorInfo {
-                    message: error.to_string(),
-                });
-                warn!("failed to start guest {}: {}", guest.id, error);
-                GuestReconcilerResult::Changed { rerun: false }
-            }
-        };
-
-        info!("reconciled guest {}", uuid);
-
-        let status = guest.state.as_ref().map(|x| x.status()).unwrap_or_default();
-        let destroyed = status == GuestStatus::Destroyed;
-
-        let rerun = if let GuestReconcilerResult::Changed { rerun } = result {
-            let event = DaemonEvent::GuestChanged(GuestChangedEvent {
-                guest: Some(guest.clone()),
-            });
-
-            if destroyed {
-                self.guests.remove(uuid).await?;
-                let mut map = self.tasks.lock().await;
-                map.remove(&uuid);
-            } else {
-                self.guests.update(uuid, guest.clone()).await?;
-            }
-
-            self.events.send(event)?;
-            rerun
-        } else {
-            false
-        };
-
-        Ok(rerun)
-    }
-
-    async fn start(&self, uuid: Uuid, guest: &mut Guest) -> Result<GuestReconcilerResult> {
-        let Some(ref spec) = guest.spec else {
-            return Err(anyhow!("guest spec not specified"));
-        };
-
-        let Some(ref image) = spec.image else {
-            return Err(anyhow!("image spec not provided"));
-        };
-        let oci = match image.image {
-            Some(Image::Oci(ref oci)) => oci,
-            None => {
-                return Err(anyhow!("oci spec not specified"));
-            }
-        };
-        let task = spec.task.as_ref().cloned().unwrap_or_default();
-
-        let image = self
-            .packer
-            .recall(
-                &oci.digest,
-                match oci.format() {
-                    GuestOciImageFormat::Unknown => OciPackedFormat::Squashfs,
-                    GuestOciImageFormat::Squashfs => OciPackedFormat::Squashfs,
-                    GuestOciImageFormat::Erofs => OciPackedFormat::Erofs,
-                },
-            )
-            .await?;
-
-        let Some(image) = image else {
-            return Err(anyhow!(
-                "image {} in the requested format did not exist",
-                oci.digest
-            ));
-        };
-
-        let info = self
-            .runtime
-            .launch(GuestLaunchRequest {
-                format: LaunchPackedFormat::Squashfs,
-                uuid: Some(uuid),
-                name: if spec.name.is_empty() {
-                    None
-                } else {
-                    Some(spec.name.clone())
-                },
-                image,
-                vcpus: spec.vcpus,
-                mem: spec.mem,
-                env: task
-                    .environment
-                    .iter()
-                    .map(|x| (x.key.clone(), x.value.clone()))
-                    .collect::<HashMap<_, _>>(),
-                run: empty_vec_optional(task.command.clone()),
-                debug: false,
-            })
-            .await?;
-        info!("started guest {}", uuid);
-        guest.state = Some(GuestState {
-            status: GuestStatus::Started.into(),
-            network: Some(guestinfo_to_networkstate(&info)),
-            exit_info: None,
-            error_info: None,
-            domid: info.domid,
-        });
-        Ok(GuestReconcilerResult::Changed { rerun: false })
-    }
-
-    async fn exited(&self, guest: &mut Guest) -> Result<GuestReconcilerResult> {
-        if let Some(ref mut state) = guest.state {
-            state.set_status(GuestStatus::Destroying);
-            Ok(GuestReconcilerResult::Changed { rerun: true })
-        } else {
-            Ok(GuestReconcilerResult::Unchanged)
-        }
-    }
-
-    async fn destroy(&self, uuid: Uuid, guest: &mut Guest) -> Result<GuestReconcilerResult> {
-        if let Err(error) = self.runtime.destroy(uuid).await {
-            trace!("failed to destroy runtime guest {}: {}", uuid, error);
-        }
-
-        info!("destroyed guest {}", uuid);
-        guest.state = Some(GuestState {
-            status: GuestStatus::Destroyed.into(),
-            network: None,
-            exit_info: None,
-            error_info: None,
-            domid: guest.state.as_ref().map(|x| x.domid).unwrap_or(u32::MAX),
-        });
-        Ok(GuestReconcilerResult::Changed { rerun: false })
-    }
-
-    async fn launch_task_if_needed(&self, uuid: Uuid) -> Result<()> {
-        let mut map = self.tasks.lock().await;
-        match map.entry(uuid) {
-            Entry::Occupied(_) => {}
-            Entry::Vacant(entry) => {
-                entry.insert(self.launch_task(uuid).await?);
-            }
-        }
-        Ok(())
-    }
-
-    async fn launch_task(&self, uuid: Uuid) -> Result<GuestReconcilerEntry> {
-        let this = self.clone();
-        let (sender, mut receiver) = channel(10);
-        let task = tokio::task::spawn(async move {
-            'notify_loop: loop {
-                if receiver.recv().await.is_none() {
-                    break 'notify_loop;
-                }
-
-                'rerun_loop: loop {
-                    let rerun = match this.reconcile(uuid).await {
-                        Ok(rerun) => rerun,
-                        Err(error) => {
-                            error!("failed to reconcile guest {}: {}", uuid, error);
-                            false
-                        }
-                    };
-
-                    if rerun {
-                        continue 'rerun_loop;
-                    }
-                    break 'rerun_loop;
-                }
-            }
-        });
-        Ok(GuestReconcilerEntry { task, sender })
-    }
-}
-
-fn empty_vec_optional<T>(value: Vec<T>) -> Option<Vec<T>> {
-    if value.is_empty() {
-        None
-    } else {
-        Some(value)
-    }
-}
-
-fn guestinfo_to_networkstate(info: &GuestInfo) -> GuestNetworkState {
-    GuestNetworkState {
-        guest_ipv4: info.guest_ipv4.map(|x| x.to_string()).unwrap_or_default(),
-        guest_ipv6: info.guest_ipv6.map(|x| x.to_string()).unwrap_or_default(),
-        guest_mac: info.guest_mac.as_ref().cloned().unwrap_or_default(),
-        gateway_ipv4: info.gateway_ipv4.map(|x| x.to_string()).unwrap_or_default(),
-        gateway_ipv6: info.gateway_ipv6.map(|x| x.to_string()).unwrap_or_default(),
-        gateway_mac: info.gateway_mac.as_ref().cloned().unwrap_or_default(),
-    }
-}
--- a/crates/daemon/src/reconcile/mod.rs
+++ b/crates/daemon/src/reconcile/mod.rs
@ -1 +1 @@
-pub mod guest;
+pub mod zone;
--- a/crates/daemon/src/reconcile/zone/mod.rs
+++ b/crates/daemon/src/reconcile/zone/mod.rs
@ -0,0 +1,374 @@
+use std::{
+    collections::{hash_map::Entry, HashMap},
+    path::PathBuf,
+    sync::Arc,
+    time::Duration,
+};
+
+use anyhow::Result;
+use krata::v1::{
+    common::{Zone, ZoneErrorInfo, ZoneExitInfo, ZoneNetworkState, ZoneState, ZoneStatus},
+    control::ZoneChangedEvent,
+};
+use krataoci::packer::service::OciPackerService;
+use kratart::{Runtime, ZoneInfo};
+use log::{error, info, trace, warn};
+use tokio::{
+    select,
+    sync::{
+        mpsc::{channel, Receiver, Sender},
+        Mutex, RwLock,
+    },
+    task::JoinHandle,
+    time::sleep,
+};
+use uuid::Uuid;
+
+use crate::{
+    db::ZoneStore,
+    devices::DaemonDeviceManager,
+    event::{DaemonEvent, DaemonEventContext},
+    zlt::ZoneLookupTable,
+};
+
+use self::start::ZoneStarter;
+
+mod start;
+
+const PARALLEL_LIMIT: u32 = 5;
+
+#[derive(Debug)]
+enum ZoneReconcilerResult {
+    Unchanged,
+    Changed { rerun: bool },
+}
+
+struct ZoneReconcilerEntry {
+    task: JoinHandle<()>,
+    sender: Sender<()>,
+}
+
+impl Drop for ZoneReconcilerEntry {
+    fn drop(&mut self) {
+        self.task.abort();
+    }
+}
+
+#[derive(Clone)]
+pub struct ZoneReconciler {
+    devices: DaemonDeviceManager,
+    zlt: ZoneLookupTable,
+    zones: ZoneStore,
+    events: DaemonEventContext,
+    runtime: Runtime,
+    packer: OciPackerService,
+    kernel_path: PathBuf,
+    initrd_path: PathBuf,
+    addons_path: PathBuf,
+    tasks: Arc<Mutex<HashMap<Uuid, ZoneReconcilerEntry>>>,
+    zone_reconciler_notify: Sender<Uuid>,
+    zone_reconcile_lock: Arc<RwLock<()>>,
+}
+
+impl ZoneReconciler {
+    #[allow(clippy::too_many_arguments)]
+    pub fn new(
+        devices: DaemonDeviceManager,
+        zlt: ZoneLookupTable,
+        zones: ZoneStore,
+        events: DaemonEventContext,
+        runtime: Runtime,
+        packer: OciPackerService,
+        zone_reconciler_notify: Sender<Uuid>,
+        kernel_path: PathBuf,
+        initrd_path: PathBuf,
+        modules_path: PathBuf,
+    ) -> Result<Self> {
+        Ok(Self {
+            devices,
+            zlt,
+            zones,
+            events,
+            runtime,
+            packer,
+            kernel_path,
+            initrd_path,
+            addons_path: modules_path,
+            tasks: Arc::new(Mutex::new(HashMap::new())),
+            zone_reconciler_notify,
+            zone_reconcile_lock: Arc::new(RwLock::with_max_readers((), PARALLEL_LIMIT)),
+        })
+    }
+
+    pub async fn launch(self, mut notify: Receiver<Uuid>) -> Result<JoinHandle<()>> {
+        Ok(tokio::task::spawn(async move {
+            if let Err(error) = self.reconcile_runtime(true).await {
+                error!("runtime reconciler failed: {}", error);
+            }
+
+            loop {
+                select! {
+                    x = notify.recv() => match x {
+                        None => {
+                            break;
+                        },
+
+                        Some(uuid) => {
+                            if let Err(error) = self.launch_task_if_needed(uuid).await {
+                                error!("failed to start zone reconciler task {}: {}", uuid, error);
+                            }
+
+                            let map = self.tasks.lock().await;
+                            if let Some(entry) = map.get(&uuid) {
+                                if let Err(error) = entry.sender.send(()).await {
+                                    error!("failed to notify zone reconciler task {}: {}", uuid, error);
+                                }
+                            }
+                        }
+                    },
+
+                    _ = sleep(Duration::from_secs(15)) => {
+                        if let Err(error) = self.reconcile_runtime(false).await {
+                            error!("runtime reconciler failed: {}", error);
+                        }
+                    }
+                };
+            }
+        }))
+    }
+
+    pub async fn reconcile_runtime(&self, initial: bool) -> Result<()> {
+        let _permit = self.zone_reconcile_lock.write().await;
+        trace!("reconciling runtime");
+        let runtime_zones = self.runtime.list().await?;
+        let stored_zones = self.zones.list().await?;
+
+        let non_existent_zones = runtime_zones
+            .iter()
+            .filter(|x| !stored_zones.iter().any(|g| *g.0 == x.uuid))
+            .collect::<Vec<_>>();
+
+        for zone in non_existent_zones {
+            warn!("destroying unknown runtime zone {}", zone.uuid);
+            if let Err(error) = self.runtime.destroy(zone.uuid).await {
+                error!(
+                    "failed to destroy unknown runtime zone {}: {}",
+                    zone.uuid, error
+                );
+            }
+            self.zones.remove(zone.uuid).await?;
+        }
+
+        let mut device_claims = HashMap::new();
+
+        for (uuid, mut stored_zone) in stored_zones {
+            let previous_zone = stored_zone.clone();
+            let runtime_zone = runtime_zones.iter().find(|x| x.uuid == uuid);
+            match runtime_zone {
+                None => {
+                    let mut state = stored_zone.state.as_mut().cloned().unwrap_or_default();
+                    if state.status() == ZoneStatus::Started {
+                        state.status = ZoneStatus::Starting.into();
+                    }
+                    stored_zone.state = Some(state);
+                }
+
+                Some(runtime) => {
+                    self.zlt.associate(uuid, runtime.domid).await;
+                    let mut state = stored_zone.state.as_mut().cloned().unwrap_or_default();
+                    if let Some(code) = runtime.state.exit_code {
+                        state.status = ZoneStatus::Exited.into();
+                        state.exit_info = Some(ZoneExitInfo { code });
+                    } else {
+                        state.status = ZoneStatus::Started.into();
+                    }
+
+                    for device in &stored_zone
+                        .spec
+                        .as_ref()
+                        .cloned()
+                        .unwrap_or_default()
+                        .devices
+                    {
+                        device_claims.insert(device.name.clone(), uuid);
+                    }
+
+                    state.network = Some(zoneinfo_to_networkstate(runtime));
+                    stored_zone.state = Some(state);
+                }
+            }
+
+            let changed = stored_zone != previous_zone;
+
+            if changed || initial {
+                self.zones.update(uuid, stored_zone).await?;
+                let _ = self.zone_reconciler_notify.try_send(uuid);
+            }
+        }
+
+        self.devices.update_claims(device_claims).await?;
+
+        Ok(())
+    }
+
+    pub async fn reconcile(&self, uuid: Uuid) -> Result<bool> {
+        let _runtime_reconcile_permit = self.zone_reconcile_lock.read().await;
+        let Some(mut zone) = self.zones.read(uuid).await? else {
+            warn!(
+                "notified of reconcile for zone {} but it didn't exist",
+                uuid
+            );
+            return Ok(false);
+        };
+
+        info!("reconciling zone {}", uuid);
+
+        self.events
+            .send(DaemonEvent::ZoneChanged(ZoneChangedEvent {
+                zone: Some(zone.clone()),
+            }))?;
+
+        let start_status = zone.state.as_ref().map(|x| x.status()).unwrap_or_default();
+        let result = match start_status {
+            ZoneStatus::Starting => self.start(uuid, &mut zone).await,
+            ZoneStatus::Exited => self.exited(&mut zone).await,
+            ZoneStatus::Destroying => self.destroy(uuid, &mut zone).await,
+            _ => Ok(ZoneReconcilerResult::Unchanged),
+        };
+
+        let result = match result {
+            Ok(result) => result,
+            Err(error) => {
+                zone.state = Some(zone.state.as_mut().cloned().unwrap_or_default());
+                zone.state.as_mut().unwrap().status = ZoneStatus::Failed.into();
+                zone.state.as_mut().unwrap().error_info = Some(ZoneErrorInfo {
+                    message: error.to_string(),
+                });
+                warn!("failed to start zone {}: {}", zone.id, error);
+                ZoneReconcilerResult::Changed { rerun: false }
+            }
+        };
+
+        info!("reconciled zone {}", uuid);
+
+        let status = zone.state.as_ref().map(|x| x.status()).unwrap_or_default();
+        let destroyed = status == ZoneStatus::Destroyed;
+
+        let rerun = if let ZoneReconcilerResult::Changed { rerun } = result {
+            let event = DaemonEvent::ZoneChanged(ZoneChangedEvent {
+                zone: Some(zone.clone()),
+            });
+
+            if destroyed {
+                self.zones.remove(uuid).await?;
+                let mut map = self.tasks.lock().await;
+                map.remove(&uuid);
+            } else {
+                self.zones.update(uuid, zone.clone()).await?;
+            }
+
+            self.events.send(event)?;
+            rerun
+        } else {
+            false
+        };
+
+        Ok(rerun)
+    }
+
+    async fn start(&self, uuid: Uuid, zone: &mut Zone) -> Result<ZoneReconcilerResult> {
+        let starter = ZoneStarter {
+            devices: &self.devices,
+            kernel_path: &self.kernel_path,
+            initrd_path: &self.initrd_path,
+            addons_path: &self.addons_path,
+            packer: &self.packer,
+            glt: &self.zlt,
+            runtime: &self.runtime,
+        };
+        starter.start(uuid, zone).await
+    }
+
+    async fn exited(&self, zone: &mut Zone) -> Result<ZoneReconcilerResult> {
+        if let Some(ref mut state) = zone.state {
+            state.set_status(ZoneStatus::Destroying);
+            Ok(ZoneReconcilerResult::Changed { rerun: true })
+        } else {
+            Ok(ZoneReconcilerResult::Unchanged)
+        }
+    }
+
+    async fn destroy(&self, uuid: Uuid, zone: &mut Zone) -> Result<ZoneReconcilerResult> {
+        if let Err(error) = self.runtime.destroy(uuid).await {
+            trace!("failed to destroy runtime zone {}: {}", uuid, error);
+        }
+
+        let domid = zone.state.as_ref().map(|x| x.domid);
+
+        if let Some(domid) = domid {
+            self.zlt.remove(uuid, domid).await;
+        }
+
+        info!("destroyed zone {}", uuid);
+        zone.state = Some(ZoneState {
+            status: ZoneStatus::Destroyed.into(),
+            network: None,
+            exit_info: None,
+            error_info: None,
+            host: self.zlt.host_uuid().to_string(),
+            domid: domid.unwrap_or(u32::MAX),
+        });
+        self.devices.release_all(uuid).await?;
+        Ok(ZoneReconcilerResult::Changed { rerun: false })
+    }
+
+    async fn launch_task_if_needed(&self, uuid: Uuid) -> Result<()> {
+        let mut map = self.tasks.lock().await;
+        match map.entry(uuid) {
+            Entry::Occupied(_) => {}
+            Entry::Vacant(entry) => {
+                entry.insert(self.launch_task(uuid).await?);
+            }
+        }
+        Ok(())
+    }
+
+    async fn launch_task(&self, uuid: Uuid) -> Result<ZoneReconcilerEntry> {
+        let this = self.clone();
+        let (sender, mut receiver) = channel(10);
+        let task = tokio::task::spawn(async move {
+            'notify_loop: loop {
+                if receiver.recv().await.is_none() {
+                    break 'notify_loop;
+                }
+
+                'rerun_loop: loop {
+                    let rerun = match this.reconcile(uuid).await {
+                        Ok(rerun) => rerun,
+                        Err(error) => {
+                            error!("failed to reconcile zone {}: {}", uuid, error);
+                            false
+                        }
+                    };
+
+                    if rerun {
+                        continue 'rerun_loop;
+                    }
+                    break 'rerun_loop;
+                }
+            }
+        });
+        Ok(ZoneReconcilerEntry { task, sender })
+    }
+}
+
+pub fn zoneinfo_to_networkstate(info: &ZoneInfo) -> ZoneNetworkState {
+    ZoneNetworkState {
+        zone_ipv4: info.zone_ipv4.map(|x| x.to_string()).unwrap_or_default(),
+        zone_ipv6: info.zone_ipv6.map(|x| x.to_string()).unwrap_or_default(),
+        zone_mac: info.zone_mac.as_ref().cloned().unwrap_or_default(),
+        gateway_ipv4: info.gateway_ipv4.map(|x| x.to_string()).unwrap_or_default(),
+        gateway_ipv6: info.gateway_ipv6.map(|x| x.to_string()).unwrap_or_default(),
+        gateway_mac: info.gateway_mac.as_ref().cloned().unwrap_or_default(),
+    }
+}
--- a/crates/daemon/src/reconcile/zone/start.rs
+++ b/crates/daemon/src/reconcile/zone/start.rs
@ -0,0 +1,224 @@
+use std::collections::HashMap;
+use std::path::{Path, PathBuf};
+use std::str::FromStr;
+use std::sync::atomic::{AtomicBool, Ordering};
+
+use anyhow::{anyhow, Result};
+use futures::StreamExt;
+use krata::launchcfg::LaunchPackedFormat;
+use krata::v1::common::ZoneOciImageSpec;
+use krata::v1::common::{OciImageFormat, Zone, ZoneState, ZoneStatus};
+use krataoci::packer::{service::OciPackerService, OciPackedFormat};
+use kratart::launch::{PciBdf, PciDevice, PciRdmReservePolicy};
+use kratart::{launch::ZoneLaunchRequest, Runtime};
+use log::info;
+
+use crate::config::DaemonPciDeviceRdmReservePolicy;
+use crate::devices::DaemonDeviceManager;
+use crate::{
+    reconcile::zone::{zoneinfo_to_networkstate, ZoneReconcilerResult},
+    zlt::ZoneLookupTable,
+};
+use krata::v1::common::zone_image_spec::Image;
+use tokio::fs::{self, File};
+use tokio::io::AsyncReadExt;
+use tokio_tar::Archive;
+use uuid::Uuid;
+
+pub struct ZoneStarter<'a> {
+    pub devices: &'a DaemonDeviceManager,
+    pub kernel_path: &'a Path,
+    pub initrd_path: &'a Path,
+    pub addons_path: &'a Path,
+    pub packer: &'a OciPackerService,
+    pub glt: &'a ZoneLookupTable,
+    pub runtime: &'a Runtime,
+}
+
+impl ZoneStarter<'_> {
+    pub async fn oci_spec_tar_read_file(
+        &self,
+        file: &Path,
+        oci: &ZoneOciImageSpec,
+    ) -> Result<Vec<u8>> {
+        if oci.format() != OciImageFormat::Tar {
+            return Err(anyhow!(
+                "oci image spec for {} is required to be in tar format",
+                oci.digest
+            ));
+        }
+
+        let image = self
+            .packer
+            .recall(&oci.digest, OciPackedFormat::Tar)
+            .await?;
+
+        let Some(image) = image else {
+            return Err(anyhow!("image {} was not found in tar format", oci.digest));
+        };
+
+        let mut archive = Archive::new(File::open(&image.path).await?);
+        let mut entries = archive.entries()?;
+        while let Some(entry) = entries.next().await {
+            let mut entry = entry?;
+            let path = entry.path()?;
+            if path == file {
+                let mut buffer = Vec::new();
+                entry.read_to_end(&mut buffer).await?;
+                return Ok(buffer);
+            }
+        }
+        Err(anyhow!(
+            "unable to find file {} in image {}",
+            file.to_string_lossy(),
+            oci.digest
+        ))
+    }
+
+    pub async fn start(&self, uuid: Uuid, zone: &mut Zone) -> Result<ZoneReconcilerResult> {
+        let Some(ref spec) = zone.spec else {
+            return Err(anyhow!("zone spec not specified"));
+        };
+
+        let Some(ref image) = spec.image else {
+            return Err(anyhow!("image spec not provided"));
+        };
+        let oci = match image.image {
+            Some(Image::Oci(ref oci)) => oci,
+            None => {
+                return Err(anyhow!("oci spec not specified"));
+            }
+        };
+        let task = spec.task.as_ref().cloned().unwrap_or_default();
+
+        let image = self
+            .packer
+            .recall(
+                &oci.digest,
+                match oci.format() {
+                    OciImageFormat::Unknown => OciPackedFormat::Squashfs,
+                    OciImageFormat::Squashfs => OciPackedFormat::Squashfs,
+                    OciImageFormat::Erofs => OciPackedFormat::Erofs,
+                    OciImageFormat::Tar => {
+                        return Err(anyhow!("tar image format is not supported for zones"));
+                    }
+                },
+            )
+            .await?;
+
+        let Some(image) = image else {
+            return Err(anyhow!(
+                "image {} in the requested format did not exist",
+                oci.digest
+            ));
+        };
+
+        let kernel = if let Some(ref spec) = spec.kernel {
+            let Some(Image::Oci(ref oci)) = spec.image else {
+                return Err(anyhow!("kernel image spec must be an oci image"));
+            };
+            self.oci_spec_tar_read_file(&PathBuf::from("kernel/image"), oci)
+                .await?
+        } else {
+            fs::read(&self.kernel_path).await?
+        };
+        let initrd = if let Some(ref spec) = spec.initrd {
+            let Some(Image::Oci(ref oci)) = spec.image else {
+                return Err(anyhow!("initrd image spec must be an oci image"));
+            };
+            self.oci_spec_tar_read_file(&PathBuf::from("krata/initrd"), oci)
+                .await?
+        } else {
+            fs::read(&self.initrd_path).await?
+        };
+
+        let success = AtomicBool::new(false);
+
+        let _device_release_guard = scopeguard::guard(
+            (spec.devices.clone(), self.devices.clone()),
+            |(devices, manager)| {
+                if !success.load(Ordering::Acquire) {
+                    tokio::task::spawn(async move {
+                        for device in devices {
+                            let _ = manager.release(&device.name, uuid).await;
+                        }
+                    });
+                }
+            },
+        );
+
+        let mut pcis = Vec::new();
+        for device in &spec.devices {
+            let state = self.devices.claim(&device.name, uuid).await?;
+            if let Some(cfg) = state.pci {
+                for location in cfg.locations {
+                    let pci = PciDevice {
+                        bdf: PciBdf::from_str(&location)?.with_domain(0),
+                        permissive: cfg.permissive,
+                        msi_translate: cfg.msi_translate,
+                        power_management: cfg.power_management,
+                        rdm_reserve_policy: match cfg.rdm_reserve_policy {
+                            DaemonPciDeviceRdmReservePolicy::Strict => PciRdmReservePolicy::Strict,
+                            DaemonPciDeviceRdmReservePolicy::Relaxed => {
+                                PciRdmReservePolicy::Relaxed
+                            }
+                        },
+                    };
+                    pcis.push(pci);
+                }
+            } else {
+                return Err(anyhow!(
+                    "device '{}' isn't a known device type",
+                    device.name
+                ));
+            }
+        }
+
+        let info = self
+            .runtime
+            .launch(ZoneLaunchRequest {
+                format: LaunchPackedFormat::Squashfs,
+                uuid: Some(uuid),
+                name: if spec.name.is_empty() {
+                    None
+                } else {
+                    Some(spec.name.clone())
+                },
+                image,
+                kernel,
+                initrd,
+                vcpus: spec.vcpus,
+                mem: spec.mem,
+                pcis,
+                env: task
+                    .environment
+                    .iter()
+                    .map(|x| (x.key.clone(), x.value.clone()))
+                    .collect::<HashMap<_, _>>(),
+                run: empty_vec_optional(task.command.clone()),
+                debug: false,
+                addons_image: Some(self.addons_path.to_path_buf()),
+            })
+            .await?;
+        self.glt.associate(uuid, info.domid).await;
+        info!("started zone {}", uuid);
+        zone.state = Some(ZoneState {
+            status: ZoneStatus::Started.into(),
+            network: Some(zoneinfo_to_networkstate(&info)),
+            exit_info: None,
+            error_info: None,
+            host: self.glt.host_uuid().to_string(),
+            domid: info.domid,
+        });
+        success.store(true, Ordering::Release);
+        Ok(ZoneReconcilerResult::Changed { rerun: false })
+    }
+}
+
+fn empty_vec_optional<T>(value: Vec<T>) -> Option<Vec<T>> {
+    if value.is_empty() {
+        None
+    } else {
+        Some(value)
+    }
+}
--- a/crates/daemon/src/zlt.rs
+++ b/crates/daemon/src/zlt.rs
@ -0,0 +1,69 @@
+use std::{collections::HashMap, sync::Arc};
+
+use tokio::sync::RwLock;
+use uuid::Uuid;
+
+struct ZoneLookupTableState {
+    domid_to_uuid: HashMap<u32, Uuid>,
+    uuid_to_domid: HashMap<Uuid, u32>,
+}
+
+impl ZoneLookupTableState {
+    pub fn new(host_uuid: Uuid) -> Self {
+        let mut domid_to_uuid = HashMap::new();
+        let mut uuid_to_domid = HashMap::new();
+        domid_to_uuid.insert(0, host_uuid);
+        uuid_to_domid.insert(host_uuid, 0);
+        ZoneLookupTableState {
+            domid_to_uuid,
+            uuid_to_domid,
+        }
+    }
+}
+
+#[derive(Clone)]
+pub struct ZoneLookupTable {
+    host_domid: u32,
+    host_uuid: Uuid,
+    state: Arc<RwLock<ZoneLookupTableState>>,
+}
+
+impl ZoneLookupTable {
+    pub fn new(host_domid: u32, host_uuid: Uuid) -> Self {
+        ZoneLookupTable {
+            host_domid,
+            host_uuid,
+            state: Arc::new(RwLock::new(ZoneLookupTableState::new(host_uuid))),
+        }
+    }
+
+    pub fn host_uuid(&self) -> Uuid {
+        self.host_uuid
+    }
+
+    pub fn host_domid(&self) -> u32 {
+        self.host_domid
+    }
+
+    pub async fn lookup_uuid_by_domid(&self, domid: u32) -> Option<Uuid> {
+        let state = self.state.read().await;
+        state.domid_to_uuid.get(&domid).cloned()
+    }
+
+    pub async fn lookup_domid_by_uuid(&self, uuid: &Uuid) -> Option<u32> {
+        let state = self.state.read().await;
+        state.uuid_to_domid.get(uuid).cloned()
+    }
+
+    pub async fn associate(&self, uuid: Uuid, domid: u32) {
+        let mut state = self.state.write().await;
+        state.uuid_to_domid.insert(uuid, domid);
+        state.domid_to_uuid.insert(domid, uuid);
+    }
+
+    pub async fn remove(&self, uuid: Uuid, domid: u32) {
+        let mut state = self.state.write().await;
+        state.uuid_to_domid.remove(&uuid);
+        state.domid_to_uuid.remove(&domid);
+    }
+}
--- a/crates/guest/bin/init.rs
+++ b/crates/guest/bin/init.rs
@ -1,30 +0,0 @@
-use anyhow::{anyhow, Result};
-use env_logger::Env;
-use krataguest::{death, init::GuestInit};
-use log::error;
-use std::env;
-
-#[tokio::main]
-async fn main() -> Result<()> {
-    env::set_var("RUST_BACKTRACE", "1");
-    env_logger::Builder::from_env(Env::default().default_filter_or("warn")).init();
-    if env::var("KRATA_UNSAFE_ALWAYS_ALLOW_INIT").unwrap_or("0".to_string()) != "1" {
-        let pid = std::process::id();
-        if pid > 3 {
-            return Err(anyhow!(
-                "not running because the pid of {} indicates this is probably not \
-                    the right context for the init daemon. \
-                        run with KRATA_UNSAFE_ALWAYS_ALLOW_INIT=1 to bypass this check",
-                pid
-            ));
-        }
-    }
-    let mut guest = GuestInit::new();
-    if let Err(error) = guest.init().await {
-        error!("failed to initialize guest: {}", error);
-        death(127).await?;
-        return Ok(());
-    }
-    death(1).await?;
-    Ok(())
-}
--- a/crates/guest/src/background.rs
+++ b/crates/guest/src/background.rs
@ -1,116 +0,0 @@
-use crate::{
-    childwait::{ChildEvent, ChildWait},
-    death,
-    metrics::MetricsCollector,
-};
-use anyhow::Result;
-use cgroups_rs::Cgroup;
-use krata::idm::{
-    client::IdmClient,
-    protocol::{
-        idm_event::Event, idm_request::Request, idm_response::Response, IdmEvent, IdmExitEvent,
-        IdmMetricsResponse, IdmPingResponse, IdmRequest,
-    },
-};
-use log::debug;
-use nix::unistd::Pid;
-use tokio::{select, sync::broadcast};
-
-pub struct GuestBackground {
-    idm: IdmClient,
-    child: Pid,
-    _cgroup: Cgroup,
-    wait: ChildWait,
-}
-
-impl GuestBackground {
-    pub async fn new(idm: IdmClient, cgroup: Cgroup, child: Pid) -> Result<GuestBackground> {
-        Ok(GuestBackground {
-            idm,
-            child,
-            _cgroup: cgroup,
-            wait: ChildWait::new()?,
-        })
-    }
-
-    pub async fn run(&mut self) -> Result<()> {
-        let mut event_subscription = self.idm.subscribe().await?;
-        let mut requests_subscription = self.idm.requests().await?;
-        loop {
-            select! {
-                x = event_subscription.recv() => match x {
-                    Ok(_event) => {
-
-                    },
-
-                    Err(broadcast::error::RecvError::Closed) => {
-                        debug!("idm packet channel closed");
-                        break;
-                    },
-
-                    _ => {
-                        continue;
-                    }
-                },
-
-                x = requests_subscription.recv() => match x {
-                    Ok(request) => {
-                        self.handle_idm_request(request).await?;
-                    },
-
-                    Err(broadcast::error::RecvError::Closed) => {
-                        debug!("idm packet channel closed");
-                        break;
-                    },
-
-                    _ => {
-                        continue;
-                    }
-                },
-
-                event = self.wait.recv() => match event {
-                    Some(event) => self.child_event(event).await?,
-                    None => {
-                        break;
-                    }
-                }
-            };
-        }
-        Ok(())
-    }
-
-    async fn handle_idm_request(&mut self, packet: IdmRequest) -> Result<()> {
-        let id = packet.id;
-
-        match packet.request {
-            Some(Request::Ping(_)) => {
-                self.idm
-                    .respond(id, Response::Ping(IdmPingResponse {}))
-                    .await?;
-            }
-
-            Some(Request::Metrics(_)) => {
-                let metrics = MetricsCollector::new()?;
-                let root = metrics.collect()?;
-                let response = IdmMetricsResponse { root: Some(root) };
-
-                self.idm.respond(id, Response::Metrics(response)).await?;
-            }
-
-            None => {}
-        }
-        Ok(())
-    }
-
-    async fn child_event(&mut self, event: ChildEvent) -> Result<()> {
-        if event.pid == self.child {
-            self.idm
-                .emit(IdmEvent {
-                    event: Some(Event::Exit(IdmExitEvent { code: event.status })),
-                })
-                .await?;
-            death(event.status).await?;
-        }
-        Ok(())
-    }
-}
--- a/crates/krata/Cargo.toml
+++ b/crates/krata/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "krata"
-description = "Client library and common services for the krata hypervisor."
+description = "Client library and common services for the krata isolation engine"
 license.workspace = true
 version.workspace = true
 homepage.workspace = true
@ -15,6 +15,7 @@ bytes = { workspace = true }
 libc = { workspace = true }
 log = { workspace = true }
 once_cell = { workspace = true }
+pin-project-lite = { workspace = true }
 prost = { workspace = true }
 prost-reflect = { workspace = true }
 prost-types = { workspace = true }
@ -27,6 +28,8 @@ tower = { workspace = true }
 url = { workspace = true }

 [target.'cfg(unix)'.dependencies]
+hyper = { workspace = true }
+hyper-util = { workspace = true }
 nix = { workspace = true, features = ["term"] }

 [build-dependencies]
--- a/crates/krata/build.rs
+++ b/crates/krata/build.rs
@ -6,12 +6,20 @@ fn main() -> Result<()> {
        .descriptor_pool("crate::DESCRIPTOR_POOL")
        .configure(
            &mut config,
-            &["proto/krata/v1/control.proto", "proto/krata/bus/idm.proto"],
+            &[
+                "proto/krata/v1/control.proto",
+                "proto/krata/idm/transport.proto",
+                "proto/krata/idm/internal.proto",
+            ],
            &["proto/"],
        )?;
    tonic_build::configure().compile_with_config(
        config,
-        &["proto/krata/v1/control.proto", "proto/krata/bus/idm.proto"],
+        &[
+            "proto/krata/v1/control.proto",
+            "proto/krata/idm/transport.proto",
+            "proto/krata/idm/internal.proto",
+        ],
        &["proto/"],
    )?;
    Ok(())
--- a/crates/krata/proto/krata/bus/idm.proto
+++ b/crates/krata/proto/krata/bus/idm.proto
@ -1,67 +0,0 @@
-syntax = "proto3";
-
-package krata.bus.idm;
-
-option java_multiple_files = true;
-option java_package = "dev.krata.proto.bus.idm";
-option java_outer_classname = "IdmProto";
-
-import "google/protobuf/struct.proto";
-
-message IdmPacket {
-    oneof content {
-        IdmEvent event = 1;
-        IdmRequest request = 2;
-        IdmResponse response = 3;
-    }
-}
-
-message IdmEvent {
-    oneof event {
-        IdmExitEvent exit = 1;
-    }
-}
-
-message IdmExitEvent {
-    int32 code = 1;
-}
-
-message IdmRequest {
-    uint64 id = 1;
-    oneof request {
-        IdmPingRequest ping = 2;
-        IdmMetricsRequest metrics = 3;
-    }
-}
-
-message IdmPingRequest {}
-
-message IdmMetricsRequest {}
-
-message IdmResponse {
-    uint64 id = 1;
-    oneof response {
-        IdmPingResponse ping = 2;
-        IdmMetricsResponse metrics = 3;
-    }
-}
-
-message IdmPingResponse {}
-
-message IdmMetricsResponse {
-    IdmMetricNode root = 1;
-}
-
-message IdmMetricNode {
-    string name = 1;
-    google.protobuf.Value value = 2;
-    IdmMetricFormat format = 3;
-    repeated IdmMetricNode children = 4;
-}
-
-enum IdmMetricFormat {
-    IDM_METRIC_FORMAT_UNKNOWN = 0;
-    IDM_METRIC_FORMAT_BYTES = 1;
-    IDM_METRIC_FORMAT_INTEGER = 2;
-    IDM_METRIC_FORMAT_DURATION_SECONDS = 3;
-}
--- a/crates/krata/proto/krata/idm/internal.proto
+++ b/crates/krata/proto/krata/idm/internal.proto
@ -0,0 +1,89 @@
+syntax = "proto3";
+
+package krata.idm.internal;
+
+option java_multiple_files = true;
+option java_package = "dev.krata.proto.idm.internal";
+option java_outer_classname = "IdmInternalProto";
+
+import "google/protobuf/struct.proto";
+
+message ExitEvent {
+    int32 code = 1;
+}
+
+message PingRequest {}
+
+message PingResponse {}
+
+message MetricsRequest {}
+
+message MetricsResponse {
+    MetricNode root = 1;
+}
+
+message MetricNode {
+    string name = 1;
+    google.protobuf.Value value = 2;
+    MetricFormat format = 3;
+    repeated MetricNode children = 4;
+}
+
+enum MetricFormat {
+    METRIC_FORMAT_UNKNOWN = 0;
+    METRIC_FORMAT_BYTES = 1;
+    METRIC_FORMAT_INTEGER = 2;
+    METRIC_FORMAT_DURATION_SECONDS = 3;
+}
+
+message ExecEnvVar {
+    string key = 1;
+    string value = 2;
+}
+
+message ExecStreamRequestStart {
+    repeated ExecEnvVar environment = 1;
+    repeated string command = 2;
+    string working_directory = 3;
+}
+
+message ExecStreamRequestStdin {
+    bytes data = 1;
+}
+
+message ExecStreamRequestUpdate {
+    oneof update {
+        ExecStreamRequestStart start = 1;
+        ExecStreamRequestStdin stdin = 2;
+    }
+}
+
+message ExecStreamResponseUpdate {
+    bool exited = 1;
+    string error = 2;
+    int32 exit_code = 3;
+    bytes stdout = 4;
+    bytes stderr = 5;
+}
+
+message Event {
+    oneof event {
+        ExitEvent exit = 1;
+    }
+}
+
+message Request {
+    oneof request {
+        PingRequest ping = 1;
+        MetricsRequest metrics = 2;
+        ExecStreamRequestUpdate exec_stream = 3;
+    }
+}
+
+message Response {
+    oneof response {
+        PingResponse ping = 1;
+        MetricsResponse metrics = 2;
+        ExecStreamResponseUpdate exec_stream = 3;
+    }
+}
--- a/crates/krata/proto/krata/idm/transport.proto
+++ b/crates/krata/proto/krata/idm/transport.proto
@ -0,0 +1,27 @@
+syntax = "proto3";
+
+package krata.idm.transport;
+
+option java_multiple_files = true;
+option java_package = "dev.krata.proto.idm.transport";
+option java_outer_classname = "IdmTransportProto";
+
+message IdmTransportPacket {
+    uint64 id = 1;
+    uint64 channel = 2;
+    IdmTransportPacketForm form = 3;
+    bytes data = 4;
+}
+
+enum IdmTransportPacketForm {
+    IDM_TRANSPORT_PACKET_FORM_UNKNOWN = 0;
+    IDM_TRANSPORT_PACKET_FORM_RAW = 1;
+    IDM_TRANSPORT_PACKET_FORM_EVENT = 2;
+    IDM_TRANSPORT_PACKET_FORM_REQUEST = 3;
+    IDM_TRANSPORT_PACKET_FORM_RESPONSE = 4;
+    IDM_TRANSPORT_PACKET_FORM_STREAM_REQUEST = 5;
+    IDM_TRANSPORT_PACKET_FORM_STREAM_REQUEST_UPDATE = 6;
+    IDM_TRANSPORT_PACKET_FORM_STREAM_RESPONSE_UPDATE = 7;
+    IDM_TRANSPORT_PACKET_FORM_STREAM_REQUEST_CLOSED = 8;
+    IDM_TRANSPORT_PACKET_FORM_STREAM_RESPONSE_CLOSED = 9;
+}
--- a/crates/krata/proto/krata/v1/common.proto
+++ b/crates/krata/proto/krata/v1/common.proto
@ -8,98 +8,111 @@ option java_outer_classname = "CommonProto";

 import "google/protobuf/struct.proto";

-message Guest {
+message Zone {
    string id = 1;
-    GuestSpec spec = 2;
-    GuestState state = 3;
+    ZoneSpec spec = 2;
+    ZoneState state = 3;
 }

-message GuestSpec {
+message ZoneSpec {
    string name = 1;
-    GuestImageSpec image = 2;
-    uint32 vcpus = 3;
-    uint64 mem = 4;
-    GuestTaskSpec task = 5;
-    repeated GuestSpecAnnotation annotations = 6;
+    ZoneImageSpec image = 2;
+    // If not specified, defaults to the daemon default kernel.
+    ZoneImageSpec kernel = 3;
+    // If not specified, defaults to the daemon default initrd.
+    ZoneImageSpec initrd = 4;
+    uint32 vcpus = 5;
+    uint64 mem = 6;
+    ZoneTaskSpec task = 7;
+    repeated ZoneSpecAnnotation annotations = 8;
+    repeated ZoneSpecDevice devices = 9;
 }

-message GuestImageSpec {
+message ZoneImageSpec {
    oneof image {
-        GuestOciImageSpec oci = 1;
+        ZoneOciImageSpec oci = 1;
    }
 }

-enum GuestOciImageFormat {
-    GUEST_OCI_IMAGE_FORMAT_UNKNOWN = 0;
-    GUEST_OCI_IMAGE_FORMAT_SQUASHFS = 1;
-    GUEST_OCI_IMAGE_FORMAT_EROFS = 2;
+enum OciImageFormat {
+    OCI_IMAGE_FORMAT_UNKNOWN = 0;
+    OCI_IMAGE_FORMAT_SQUASHFS = 1;
+    OCI_IMAGE_FORMAT_EROFS = 2;
+    // Tar format is not launchable, and is intended for kernel images.
+    OCI_IMAGE_FORMAT_TAR = 3;
 }

-message GuestOciImageSpec {
+message ZoneOciImageSpec {
    string digest = 1;
-    GuestOciImageFormat format = 2;
+    OciImageFormat format = 2;
 }

-message GuestTaskSpec {
-    repeated GuestTaskSpecEnvVar environment = 1;
+message ZoneTaskSpec {
+    repeated ZoneTaskSpecEnvVar environment = 1;
    repeated string command = 2;
+    string working_directory = 3;
 }

-message GuestTaskSpecEnvVar {
+message ZoneTaskSpecEnvVar {
    string key = 1;
    string value = 2;
 }

-message GuestSpecAnnotation {
+message ZoneSpecAnnotation {
    string key = 1;
    string value = 2;
 }

-message GuestState {
-    GuestStatus status = 1;
-    GuestNetworkState network = 2;
-    GuestExitInfo exit_info = 3;
-    GuestErrorInfo error_info = 4;
-    uint32 domid = 5;
+message ZoneSpecDevice {
+    string name = 1;
 }

-enum GuestStatus {
-    GUEST_STATUS_UNKNOWN = 0;
-    GUEST_STATUS_STARTING = 1;
-    GUEST_STATUS_STARTED = 2;
-    GUEST_STATUS_EXITED = 3;
-    GUEST_STATUS_DESTROYING = 4;
-    GUEST_STATUS_DESTROYED = 5;
-    GUEST_STATUS_FAILED = 6;
+message ZoneState {
+    ZoneStatus status = 1;
+    ZoneNetworkState network = 2;
+    ZoneExitInfo exit_info = 3;
+    ZoneErrorInfo error_info = 4;
+    string host = 5;
+    uint32 domid = 6;
 }

-message GuestNetworkState {
-    string guest_ipv4 = 1;
-    string guest_ipv6 = 2;
-    string guest_mac = 3;
+enum ZoneStatus {
+    ZONE_STATUS_UNKNOWN = 0;
+    ZONE_STATUS_STARTING = 1;
+    ZONE_STATUS_STARTED = 2;
+    ZONE_STATUS_EXITED = 3;
+    ZONE_STATUS_DESTROYING = 4;
+    ZONE_STATUS_DESTROYED = 5;
+    ZONE_STATUS_FAILED = 6;
+}
+
+message ZoneNetworkState {
+    string zone_ipv4 = 1;
+    string zone_ipv6 = 2;
+    string zone_mac = 3;
    string gateway_ipv4 = 4;
    string gateway_ipv6 = 5;
    string gateway_mac = 6;
 }

-message GuestExitInfo {
+message ZoneExitInfo {
    int32 code = 1;
 }

-message GuestErrorInfo {
+message ZoneErrorInfo {
    string message = 1;
 }

-message GuestMetricNode {
+message ZoneMetricNode {
    string name = 1;
    google.protobuf.Value value = 2;
-    GuestMetricFormat format = 3;
-    repeated GuestMetricNode children = 4;
+    ZoneMetricFormat format = 3;
+    repeated ZoneMetricNode children = 4;
 }

-enum GuestMetricFormat {
-    GUEST_METRIC_FORMAT_UNKNOWN = 0;
-    GUEST_METRIC_FORMAT_BYTES = 1;
-    GUEST_METRIC_FORMAT_INTEGER = 2;
-    GUEST_METRIC_FORMAT_DURATION_SECONDS = 3;
+enum ZoneMetricFormat {
+    ZONE_METRIC_FORMAT_UNKNOWN = 0;
+    ZONE_METRIC_FORMAT_BYTES = 1;
+    ZONE_METRIC_FORMAT_INTEGER = 2;
+    ZONE_METRIC_FORMAT_DURATION_SECONDS = 3;
 }
--- a/crates/krata/proto/krata/v1/control.proto
+++ b/crates/krata/proto/krata/v1/control.proto
@ -6,58 +6,88 @@ option java_multiple_files = true;
 option java_package = "dev.krata.proto.v1.control";
 option java_outer_classname = "ControlProto";

-import "krata/bus/idm.proto";
+import "krata/idm/transport.proto";
 import "krata/v1/common.proto";

 service ControlService {
-    rpc CreateGuest(CreateGuestRequest) returns (CreateGuestReply);
-    rpc DestroyGuest(DestroyGuestRequest) returns (DestroyGuestReply);
-    rpc ResolveGuest(ResolveGuestRequest) returns (ResolveGuestReply);
-    rpc ListGuests(ListGuestsRequest) returns (ListGuestsReply);
+    rpc IdentifyHost(IdentifyHostRequest) returns (IdentifyHostReply);
+
+    rpc CreateZone(CreateZoneRequest) returns (CreateZoneReply);
+    rpc DestroyZone(DestroyZoneRequest) returns (DestroyZoneReply);
+    rpc ResolveZone(ResolveZoneRequest) returns (ResolveZoneReply);
+    rpc ListZones(ListZonesRequest) returns (ListZonesReply);
+    rpc ListDevices(ListDevicesRequest) returns (ListDevicesReply);
+
+    rpc ExecZone(stream ExecZoneRequest) returns (stream ExecZoneReply);
+
+    rpc AttachZoneConsole(stream ZoneConsoleRequest) returns (stream ZoneConsoleReply);
+    rpc ReadZoneMetrics(ReadZoneMetricsRequest) returns (ReadZoneMetricsReply);

-    rpc ConsoleData(stream ConsoleDataRequest) returns (stream ConsoleDataReply);
-    rpc ReadGuestMetrics(ReadGuestMetricsRequest) returns (ReadGuestMetricsReply);
-    
    rpc SnoopIdm(SnoopIdmRequest) returns (stream SnoopIdmReply);
    rpc WatchEvents(WatchEventsRequest) returns (stream WatchEventsReply);

    rpc PullImage(PullImageRequest) returns (stream PullImageReply);
+
+    rpc GetHostCpuTopology(HostCpuTopologyRequest) returns (HostCpuTopologyReply);
+    rpc SetHostPowerManagementPolicy(HostPowerManagementPolicy) returns (HostPowerManagementPolicy);
 }

-message CreateGuestRequest {
-    krata.v1.common.GuestSpec spec = 1;
+message IdentifyHostRequest {}
+
+message IdentifyHostReply {
+    string host_uuid = 1;
+    uint32 host_domid = 2;
+    string krata_version = 3;
 }

-message CreateGuestReply {
-    string guest_id = 1;
+message CreateZoneRequest {
+    krata.v1.common.ZoneSpec spec = 1;
 }

-message DestroyGuestRequest {
-    string guest_id = 1;
+message CreateZoneReply {
+    string Zone_id = 1;
 }

-message DestroyGuestReply {}
+message DestroyZoneRequest {
+    string Zone_id = 1;
+}

-message ResolveGuestRequest {
+message DestroyZoneReply {}
+
+message ResolveZoneRequest {
    string name = 1;
 }

-message ResolveGuestReply {
-    krata.v1.common.Guest guest = 1;
+message ResolveZoneReply {
+    krata.v1.common.Zone Zone = 1;
 }

-message ListGuestsRequest {}
+message ListZonesRequest {}

-message ListGuestsReply {
-    repeated krata.v1.common.Guest guests = 1;
+message ListZonesReply {
+    repeated krata.v1.common.Zone Zones = 1;
 }

-message ConsoleDataRequest {
-    string guest_id = 1;
+message ExecZoneRequest {
+    string Zone_id = 1;
+    krata.v1.common.ZoneTaskSpec task = 2;
+    bytes data = 3;
+}
+
+message ExecZoneReply {
+    bool exited = 1;
+    string error = 2;
+    int32 exit_code = 3;
+    bytes stdout = 4;
+    bytes stderr = 5;
+}
+
+message ZoneConsoleRequest {
+    string Zone_id = 1;
    bytes data = 2;
 }

-message ConsoleDataReply {
+message ZoneConsoleReply {
    bytes data = 1;
 }

@ -65,70 +95,139 @@ message WatchEventsRequest {}

 message WatchEventsReply {
    oneof event {
-        GuestChangedEvent guest_changed = 1;
+        ZoneChangedEvent Zone_changed = 1;
    }
 }

-message GuestChangedEvent {
-    krata.v1.common.Guest guest = 1;
+message ZoneChangedEvent {
+    krata.v1.common.Zone Zone = 1;
 }

-message ReadGuestMetricsRequest {
-    string guest_id = 1;
+message ReadZoneMetricsRequest {
+    string Zone_id = 1;
 }

-message ReadGuestMetricsReply {
-    krata.v1.common.GuestMetricNode root = 1;
+message ReadZoneMetricsReply {
+    krata.v1.common.ZoneMetricNode root = 1;
 }

 message SnoopIdmRequest {}

 message SnoopIdmReply {
-    uint32 from = 1;
-    uint32 to = 2;
-    krata.bus.idm.IdmPacket packet = 3;
+    string from = 1;
+    string to = 2;
+    krata.idm.transport.IdmTransportPacket packet = 3;
 }

-enum PullImageProgressLayerPhase {
-    PULL_IMAGE_PROGRESS_LAYER_PHASE_UNKNOWN = 0;
-    PULL_IMAGE_PROGRESS_LAYER_PHASE_WAITING = 1;
-    PULL_IMAGE_PROGRESS_LAYER_PHASE_DOWNLOADING = 2;
-    PULL_IMAGE_PROGRESS_LAYER_PHASE_DOWNLOADED = 3;
-    PULL_IMAGE_PROGRESS_LAYER_PHASE_EXTRACTING = 4;
-    PULL_IMAGE_PROGRESS_LAYER_PHASE_EXTRACTED = 5;
+message ImageProgress {
+    ImageProgressPhase phase = 1;
+    repeated ImageProgressLayer layers = 2;
+    ImageProgressIndication indication = 3;
 }

-message PullImageProgressLayer {
+enum ImageProgressPhase {
+    IMAGE_PROGRESS_PHASE_UNKNOWN = 0;
+    IMAGE_PROGRESS_PHASE_STARTED = 1;
+    IMAGE_PROGRESS_PHASE_RESOLVING = 2;
+    IMAGE_PROGRESS_PHASE_RESOLVED = 3;
+    IMAGE_PROGRESS_PHASE_CONFIG_DOWNLOAD = 4;
+    IMAGE_PROGRESS_PHASE_LAYER_DOWNLOAD = 5;
+    IMAGE_PROGRESS_PHASE_ASSEMBLE = 6;
+    IMAGE_PROGRESS_PHASE_PACK = 7;
+    IMAGE_PROGRESS_PHASE_COMPLETE = 8;
+}
+
+message ImageProgressLayer {
    string id = 1;
-    PullImageProgressLayerPhase phase = 2;
-    uint64 value = 3;
-    uint64 total = 4;
+    ImageProgressLayerPhase phase = 2;
+    ImageProgressIndication indication = 3;
 }

-enum PullImageProgressPhase {
-    PULL_IMAGE_PROGRESS_PHASE_UNKNOWN = 0;
-    PULL_IMAGE_PROGRESS_PHASE_RESOLVING = 1;
-    PULL_IMAGE_PROGRESS_PHASE_RESOLVED = 2;
-    PULL_IMAGE_PROGRESS_PHASE_CONFIG_ACQUIRE = 3;
-    PULL_IMAGE_PROGRESS_PHASE_LAYER_ACQUIRE = 4;
-    PULL_IMAGE_PROGRESS_PHASE_PACKING = 5;
-    PULL_IMAGE_PROGRESS_PHASE_COMPLETE = 6;
+enum ImageProgressLayerPhase {
+    IMAGE_PROGRESS_LAYER_PHASE_UNKNOWN = 0;
+    IMAGE_PROGRESS_LAYER_PHASE_WAITING = 1;
+    IMAGE_PROGRESS_LAYER_PHASE_DOWNLOADING = 2;
+    IMAGE_PROGRESS_LAYER_PHASE_DOWNLOADED = 3;
+    IMAGE_PROGRESS_LAYER_PHASE_EXTRACTING = 4;
+    IMAGE_PROGRESS_LAYER_PHASE_EXTRACTED = 5;
 }

-message PullImageProgress {
-    PullImageProgressPhase phase = 1;
-    repeated PullImageProgressLayer layers = 2;
-    uint64 value = 3;
-    uint64 total = 4;
+message ImageProgressIndication {
+    oneof indication {
+        ImageProgressIndicationBar bar = 1;
+        ImageProgressIndicationSpinner spinner = 2;
+        ImageProgressIndicationHidden hidden = 3;
+        ImageProgressIndicationCompleted completed = 4;
+    }
+}
+
+message ImageProgressIndicationBar {
+    string message = 1;
+    uint64 current = 2;
+    uint64 total = 3;
+    bool is_bytes = 4;
+}
+
+message ImageProgressIndicationSpinner {
+    string message = 1;
+}
+
+message ImageProgressIndicationHidden {}
+
+message ImageProgressIndicationCompleted {
+    string message = 1;
+    uint64 total = 2;
+    bool is_bytes = 3;
 }

 message PullImageRequest {
    string image = 1;
-    krata.v1.common.GuestOciImageFormat format = 2;
+    krata.v1.common.OciImageFormat format = 2;
+    bool overwrite_cache = 3;
+    bool update = 4;
 }

 message PullImageReply {
-    PullImageProgress progress = 1;
+    ImageProgress progress = 1;
    string digest = 2;
-    krata.v1.common.GuestOciImageFormat format = 3;
+    krata.v1.common.OciImageFormat format = 3;
+}
+
+message DeviceInfo {
+    string name = 1;
+    bool claimed = 2;
+    string owner = 3;
+}
+
+message ListDevicesRequest {}
+
+message ListDevicesReply {
+    repeated DeviceInfo devices = 1;
+}
+
+enum HostCpuTopologyClass {
+    HOST_CPU_TOPOLOGY_CLASS_STANDARD = 0;
+    HOST_CPU_TOPOLOGY_CLASS_PERFORMANCE = 1;
+    HOST_CPU_TOPOLOGY_CLASS_EFFICIENCY = 2;
+}
+
+message HostCpuTopologyInfo {
+    uint32 core = 1;
+    uint32 socket = 2;
+    uint32 node = 3;
+    uint32 thread = 4;
+    HostCpuTopologyClass class = 5;
+}
+
+message HostCpuTopologyRequest {}
+
+message HostCpuTopologyReply {
+    repeated HostCpuTopologyInfo cpus = 1;
+}
+
+message HostPowerManagementPolicyRequest {}
+
+message HostPowerManagementPolicy {
+    string scheduler = 1;
+    bool smt_awareness = 2;
 }
--- a/crates/krata/src/bus/mod.rs
+++ b/crates/krata/src/bus/mod.rs
@ -1 +0,0 @@
-pub mod idm;
--- a/crates/krata/src/client.rs
+++ b/crates/krata/src/client.rs
@ -1,14 +1,10 @@
+#[cfg(unix)]
+use crate::unix::HyperUnixConnector;
 use crate::{dial::ControlDialAddress, v1::control::control_service_client::ControlServiceClient};
 #[cfg(not(unix))]
 use anyhow::anyhow;
 use anyhow::Result;
-#[cfg(unix)]
-use tokio::net::UnixStream;
-#[cfg(unix)]
-use tonic::transport::Uri;
 use tonic::transport::{Channel, ClientTlsConfig, Endpoint};
-#[cfg(unix)]
-use tower::service_fn;

 pub struct ControlClientProvider {}

@ -52,10 +48,7 @@ impl ControlClientProvider {
    async fn dial_unix_socket(path: String) -> Result<Channel> {
        // This URL is not actually used but is required to be specified.
        Ok(Endpoint::try_from(format!("unix://localhost/{}", path))?
-            .connect_with_connector(service_fn(|uri: Uri| {
-                let path = uri.path().to_string();
-                UnixStream::connect(path)
-            }))
+            .connect_with_connector(HyperUnixConnector {})
            .await?)
    }
 }
--- a/crates/krata/src/idm/client.rs
+++ b/crates/krata/src/idm/client.rs
@ -8,11 +8,8 @@ use std::{
    time::Duration,
 };

-use super::protocol::{
-    idm_packet::Content, idm_request::Request, idm_response::Response, IdmEvent, IdmPacket,
-    IdmRequest, IdmResponse,
-};
 use anyhow::{anyhow, Result};
+use bytes::{BufMut, BytesMut};
 use log::{debug, error};
 use nix::sys::termios::{cfmakeraw, tcgetattr, tcsetattr, SetArg};
 use prost::Message;
@ -22,14 +19,23 @@ use tokio::{
    select,
    sync::{
        broadcast,
-        mpsc::{channel, Receiver, Sender},
+        mpsc::{self, Receiver, Sender},
        oneshot, Mutex,
    },
    task::JoinHandle,
    time::timeout,
 };

-type RequestMap = Arc<Mutex<HashMap<u64, oneshot::Sender<IdmResponse>>>>;
+use super::{
+    internal,
+    serialize::{IdmRequest, IdmSerializable},
+    transport::{IdmTransportPacket, IdmTransportPacketForm},
+};
+
+type OneshotRequestMap<R> = Arc<Mutex<HashMap<u64, oneshot::Sender<<R as IdmRequest>::Response>>>>;
+type StreamRequestMap<R> = Arc<Mutex<HashMap<u64, Sender<<R as IdmRequest>::Response>>>>;
+type StreamRequestUpdateMap<R> = Arc<Mutex<HashMap<u64, mpsc::Sender<R>>>>;
+pub type IdmInternalClient = IdmClient<internal::Request, internal::Event>;

 const IDM_PACKET_QUEUE_LEN: usize = 100;
 const IDM_REQUEST_TIMEOUT_SECS: u64 = 10;
@ -37,8 +43,8 @@ const IDM_PACKET_MAX_SIZE: usize = 20 * 1024 * 1024;

 #[async_trait::async_trait]
 pub trait IdmBackend: Send {
-    async fn recv(&mut self) -> Result<IdmPacket>;
-    async fn send(&mut self, packet: IdmPacket) -> Result<()>;
+    async fn recv(&mut self) -> Result<IdmTransportPacket>;
+    async fn send(&mut self, packet: IdmTransportPacket) -> Result<()>;
 }

 pub struct IdmFileBackend {
@ -66,50 +72,55 @@ impl IdmFileBackend {

 #[async_trait::async_trait]
 impl IdmBackend for IdmFileBackend {
-    async fn recv(&mut self) -> Result<IdmPacket> {
+    async fn recv(&mut self) -> Result<IdmTransportPacket> {
        let mut fd = self.read_fd.lock().await;
        let mut guard = fd.readable_mut().await?;
        let b1 = guard.get_inner_mut().read_u8().await?;
        if b1 != 0xff {
-            return Ok(IdmPacket::default());
+            return Ok(IdmTransportPacket::default());
        }
        let b2 = guard.get_inner_mut().read_u8().await?;
        if b2 != 0xff {
-            return Ok(IdmPacket::default());
+            return Ok(IdmTransportPacket::default());
        }
        let size = guard.get_inner_mut().read_u32_le().await?;
        if size == 0 {
-            return Ok(IdmPacket::default());
+            return Ok(IdmTransportPacket::default());
        }
        let mut buffer = vec![0u8; size as usize];
        guard.get_inner_mut().read_exact(&mut buffer).await?;
-        match IdmPacket::decode(buffer.as_slice()) {
+        match IdmTransportPacket::decode(buffer.as_slice()) {
            Ok(packet) => Ok(packet),
            Err(error) => Err(anyhow!("received invalid idm packet: {}", error)),
        }
    }

-    async fn send(&mut self, packet: IdmPacket) -> Result<()> {
+    async fn send(&mut self, packet: IdmTransportPacket) -> Result<()> {
        let mut file = self.write.lock().await;
-        let data = packet.encode_to_vec();
-        file.write_all(&[0xff, 0xff]).await?;
-        file.write_u32_le(data.len() as u32).await?;
-        file.write_all(&data).await?;
+        let length = packet.encoded_len();
+        let mut buffer = BytesMut::with_capacity(6 + length);
+        buffer.put_slice(&[0xff, 0xff]);
+        buffer.put_u32_le(length as u32);
+        packet.encode(&mut buffer)?;
+        file.write_all(&buffer).await?;
        Ok(())
    }
 }

 #[derive(Clone)]
-pub struct IdmClient {
-    request_backend_sender: broadcast::Sender<IdmRequest>,
+pub struct IdmClient<R: IdmRequest, E: IdmSerializable> {
+    channel: u64,
+    request_backend_sender: broadcast::Sender<(u64, R)>,
+    request_stream_backend_sender: broadcast::Sender<IdmClientStreamResponseHandle<R>>,
    next_request_id: Arc<Mutex<u64>>,
-    event_receiver_sender: broadcast::Sender<IdmEvent>,
-    tx_sender: Sender<IdmPacket>,
-    requests: RequestMap,
+    event_receiver_sender: broadcast::Sender<E>,
+    tx_sender: Sender<IdmTransportPacket>,
+    requests: OneshotRequestMap<R>,
+    request_streams: StreamRequestMap<R>,
    task: Arc<JoinHandle<()>>,
 }

-impl Drop for IdmClient {
+impl<R: IdmRequest, E: IdmSerializable> Drop for IdmClient<R, E> {
    fn drop(&mut self) {
        if Arc::strong_count(&self.task) <= 1 {
            self.task.abort();
@ -117,21 +128,122 @@ impl Drop for IdmClient {
    }
 }

-impl IdmClient {
-    pub async fn new(backend: Box<dyn IdmBackend>) -> Result<IdmClient> {
+pub struct IdmClientStreamRequestHandle<R: IdmRequest, E: IdmSerializable> {
+    pub id: u64,
+    pub receiver: Receiver<R::Response>,
+    pub client: IdmClient<R, E>,
+}
+
+impl<R: IdmRequest, E: IdmSerializable> IdmClientStreamRequestHandle<R, E> {
+    pub async fn update(&self, request: R) -> Result<()> {
+        self.client
+            .tx_sender
+            .send(IdmTransportPacket {
+                id: self.id,
+                channel: self.client.channel,
+                form: IdmTransportPacketForm::StreamRequestUpdate.into(),
+                data: request.encode()?,
+            })
+            .await?;
+        Ok(())
+    }
+}
+
+impl<R: IdmRequest, E: IdmSerializable> Drop for IdmClientStreamRequestHandle<R, E> {
+    fn drop(&mut self) {
+        let id = self.id;
+        let client = self.client.clone();
+        tokio::task::spawn(async move {
+            let _ = client
+                .tx_sender
+                .send(IdmTransportPacket {
+                    id,
+                    channel: client.channel,
+                    form: IdmTransportPacketForm::StreamRequestClosed.into(),
+                    data: vec![],
+                })
+                .await;
+        });
+    }
+}
+
+#[derive(Clone)]
+pub struct IdmClientStreamResponseHandle<R: IdmRequest> {
+    pub initial: R,
+    pub id: u64,
+    channel: u64,
+    tx_sender: Sender<IdmTransportPacket>,
+    receiver: Arc<Mutex<Option<Receiver<R>>>>,
+}
+
+impl<R: IdmRequest> IdmClientStreamResponseHandle<R> {
+    pub async fn respond(&self, response: R::Response) -> Result<()> {
+        self.tx_sender
+            .send(IdmTransportPacket {
+                id: self.id,
+                channel: self.channel,
+                form: IdmTransportPacketForm::StreamResponseUpdate.into(),
+                data: response.encode()?,
+            })
+            .await?;
+        Ok(())
+    }
+
+    pub async fn take(&self) -> Result<Receiver<R>> {
+        let mut guard = self.receiver.lock().await;
+        let Some(receiver) = (*guard).take() else {
+            return Err(anyhow!("request has already been claimed!"));
+        };
+        Ok(receiver)
+    }
+}
+
+impl<R: IdmRequest> Drop for IdmClientStreamResponseHandle<R> {
+    fn drop(&mut self) {
+        if Arc::strong_count(&self.receiver) <= 1 {
+            let id = self.id;
+            let channel = self.channel;
+            let tx_sender = self.tx_sender.clone();
+            tokio::task::spawn(async move {
+                let _ = tx_sender
+                    .send(IdmTransportPacket {
+                        id,
+                        channel,
+                        form: IdmTransportPacketForm::StreamResponseClosed.into(),
+                        data: vec![],
+                    })
+                    .await;
+            });
+        }
+    }
+}
+
+impl<R: IdmRequest, E: IdmSerializable> IdmClient<R, E> {
+    pub async fn new(channel: u64, backend: Box<dyn IdmBackend>) -> Result<Self> {
        let requests = Arc::new(Mutex::new(HashMap::new()));
+        let request_streams = Arc::new(Mutex::new(HashMap::new()));
+        let request_update_streams = Arc::new(Mutex::new(HashMap::new()));
        let (event_sender, event_receiver) = broadcast::channel(IDM_PACKET_QUEUE_LEN);
        let (internal_request_backend_sender, _) = broadcast::channel(IDM_PACKET_QUEUE_LEN);
-        let (tx_sender, tx_receiver) = channel(IDM_PACKET_QUEUE_LEN);
+        let (internal_request_stream_backend_sender, _) = broadcast::channel(IDM_PACKET_QUEUE_LEN);
+        let (tx_sender, tx_receiver) = mpsc::channel(IDM_PACKET_QUEUE_LEN);
        let backend_event_sender = event_sender.clone();
        let request_backend_sender = internal_request_backend_sender.clone();
+        let request_stream_backend_sender = internal_request_stream_backend_sender.clone();
        let requests_for_client = requests.clone();
+        let request_streams_for_client = request_streams.clone();
+        let tx_sender_for_client = tx_sender.clone();
        let task = tokio::task::spawn(async move {
            if let Err(error) = IdmClient::process(
                backend,
+                channel,
+                tx_sender,
                backend_event_sender,
                requests,
+                request_streams,
+                request_update_streams,
                internal_request_backend_sender,
+                internal_request_stream_backend_sender,
                event_receiver,
                tx_receiver,
            )
@ -141,16 +253,19 @@ impl IdmClient {
            }
        });
        Ok(IdmClient {
+            channel,
            next_request_id: Arc::new(Mutex::new(0)),
            event_receiver_sender: event_sender.clone(),
            request_backend_sender,
+            request_stream_backend_sender,
            requests: requests_for_client,
-            tx_sender,
+            request_streams: request_streams_for_client,
+            tx_sender: tx_sender_for_client,
            task: Arc::new(task),
        })
    }

-    pub async fn open<P: AsRef<Path>>(path: P) -> Result<IdmClient> {
+    pub async fn open<P: AsRef<Path>>(channel: u64, path: P) -> Result<Self> {
        let read_file = File::options()
            .read(true)
            .write(false)
@ -164,39 +279,54 @@ impl IdmClient {
            .open(path)
            .await?;
        let backend = IdmFileBackend::new(read_file, write_file).await?;
-        IdmClient::new(Box::new(backend) as Box<dyn IdmBackend>).await
+        IdmClient::new(channel, Box::new(backend) as Box<dyn IdmBackend>).await
    }

-    pub async fn emit(&self, event: IdmEvent) -> Result<()> {
+    pub async fn emit<T: IdmSerializable>(&self, event: T) -> Result<()> {
+        let id = {
+            let mut guard = self.next_request_id.lock().await;
+            let req = *guard;
+            *guard = req.wrapping_add(1);
+            req
+        };
        self.tx_sender
-            .send(IdmPacket {
-                content: Some(Content::Event(event)),
+            .send(IdmTransportPacket {
+                id,
+                form: IdmTransportPacketForm::Event.into(),
+                channel: self.channel,
+                data: event.encode()?,
            })
            .await?;
        Ok(())
    }

-    pub async fn requests(&self) -> Result<broadcast::Receiver<IdmRequest>> {
+    pub async fn requests(&self) -> Result<broadcast::Receiver<(u64, R)>> {
        Ok(self.request_backend_sender.subscribe())
    }

-    pub async fn respond(&self, id: u64, response: Response) -> Result<()> {
-        let packet = IdmPacket {
-            content: Some(Content::Response(IdmResponse {
-                id,
-                response: Some(response),
-            })),
+    pub async fn request_streams(
+        &self,
+    ) -> Result<broadcast::Receiver<IdmClientStreamResponseHandle<R>>> {
+        Ok(self.request_stream_backend_sender.subscribe())
+    }
+
+    pub async fn respond<T: IdmSerializable>(&self, id: u64, response: T) -> Result<()> {
+        let packet = IdmTransportPacket {
+            id,
+            form: IdmTransportPacketForm::Response.into(),
+            channel: self.channel,
+            data: response.encode()?,
        };
        self.tx_sender.send(packet).await?;
        Ok(())
    }

-    pub async fn subscribe(&self) -> Result<broadcast::Receiver<IdmEvent>> {
+    pub async fn subscribe(&self) -> Result<broadcast::Receiver<E>> {
        Ok(self.event_receiver_sender.subscribe())
    }

-    pub async fn send(&self, request: Request) -> Result<Response> {
-        let (sender, receiver) = oneshot::channel::<IdmResponse>();
+    pub async fn send(&self, request: R) -> Result<R::Response> {
+        let (sender, receiver) = oneshot::channel::<R::Response>();
        let req = {
            let mut guard = self.next_request_id.lock().await;
            let req = *guard;
@ -217,52 +347,135 @@ impl IdmClient {
            });
        });
        self.tx_sender
-            .send(IdmPacket {
-                content: Some(Content::Request(IdmRequest {
-                    id: req,
-                    request: Some(request),
-                })),
+            .send(IdmTransportPacket {
+                id: req,
+                channel: self.channel,
+                form: IdmTransportPacketForm::Request.into(),
+                data: request.encode()?,
            })
            .await?;

        let response = timeout(Duration::from_secs(IDM_REQUEST_TIMEOUT_SECS), receiver).await??;
        success.store(true, Ordering::Release);
-        if let Some(response) = response.response {
-            Ok(response)
-        } else {
-            Err(anyhow!("response did not contain any content"))
-        }
+        Ok(response)
    }

+    pub async fn send_stream(&self, request: R) -> Result<IdmClientStreamRequestHandle<R, E>> {
+        let (sender, receiver) = mpsc::channel::<R::Response>(100);
+        let req = {
+            let mut guard = self.next_request_id.lock().await;
+            let req = *guard;
+            *guard = req.wrapping_add(1);
+            req
+        };
+        let mut requests = self.request_streams.lock().await;
+        requests.insert(req, sender);
+        drop(requests);
+        self.tx_sender
+            .send(IdmTransportPacket {
+                id: req,
+                channel: self.channel,
+                form: IdmTransportPacketForm::StreamRequest.into(),
+                data: request.encode()?,
+            })
+            .await?;
+        Ok(IdmClientStreamRequestHandle {
+            id: req,
+            receiver,
+            client: self.clone(),
+        })
+    }
+
+    #[allow(clippy::too_many_arguments)]
    async fn process(
        mut backend: Box<dyn IdmBackend>,
-        event_sender: broadcast::Sender<IdmEvent>,
-        requests: RequestMap,
-        request_backend_sender: broadcast::Sender<IdmRequest>,
-        _event_receiver: broadcast::Receiver<IdmEvent>,
-        mut receiver: Receiver<IdmPacket>,
+        channel: u64,
+        tx_sender: Sender<IdmTransportPacket>,
+        event_sender: broadcast::Sender<E>,
+        requests: OneshotRequestMap<R>,
+        request_streams: StreamRequestMap<R>,
+        request_update_streams: StreamRequestUpdateMap<R>,
+        request_backend_sender: broadcast::Sender<(u64, R)>,
+        request_stream_backend_sender: broadcast::Sender<IdmClientStreamResponseHandle<R>>,
+        _event_receiver: broadcast::Receiver<E>,
+        mut receiver: Receiver<IdmTransportPacket>,
    ) -> Result<()> {
        loop {
            select! {
                x = backend.recv() => match x {
                    Ok(packet) => {
-                        match packet.content {
-                            Some(Content::Event(event)) => {
-                                let _ = event_sender.send(event);
-                            },
+                        if packet.channel != channel {
+                            continue;
+                        }

-                            Some(Content::Request(request)) => {
-                                let _ = request_backend_sender.send(request);
-                            },
-
-                            Some(Content::Response(response)) => {
-                                let mut requests = requests.lock().await;
-                                if let Some(sender) = requests.remove(&response.id) {
-                                    drop(requests);
-                                    let _ = sender.send(response);
+                        match packet.form() {
+                            IdmTransportPacketForm::Event => {
+                                if let Ok(event) = E::decode(&packet.data) {
+                                    let _ = event_sender.send(event);
                                }
                            },

+                            IdmTransportPacketForm::Request => {
+                                if let Ok(request) = R::decode(&packet.data) {
+                                    let _ = request_backend_sender.send((packet.id, request));
+                                }
+                            },
+
+                            IdmTransportPacketForm::Response => {
+                                let mut requests = requests.lock().await;
+                                if let Some(sender) = requests.remove(&packet.id) {
+                                    drop(requests);
+
+                                    if let Ok(response) = R::Response::decode(&packet.data) {
+                                        let _ = sender.send(response);
+                                    }
+                                }
+                            },
+
+                            IdmTransportPacketForm::StreamRequest => {
+                                if let Ok(request) = R::decode(&packet.data) {
+                                    let mut update_streams = request_update_streams.lock().await;
+                                    let (sender, receiver) = mpsc::channel(100);
+                                    update_streams.insert(packet.id, sender.clone());
+                                    let handle = IdmClientStreamResponseHandle {
+                                        initial: request,
+                                        id: packet.id,
+                                        channel,
+                                        tx_sender: tx_sender.clone(),
+                                        receiver: Arc::new(Mutex::new(Some(receiver))),
+                                    };
+                                    let _ = request_stream_backend_sender.send(handle);
+                                }
+                            }
+
+                            IdmTransportPacketForm::StreamRequestUpdate => {
+                                if let Ok(request) = R::decode(&packet.data) {
+                                    let mut update_streams = request_update_streams.lock().await;
+                                    if let Some(stream) = update_streams.get_mut(&packet.id) {
+                                        let _ = stream.try_send(request);
+                                    }
+                                }
+                            }
+
+                            IdmTransportPacketForm::StreamRequestClosed => {
+                                let mut update_streams = request_update_streams.lock().await;
+                                update_streams.remove(&packet.id);
+                            }
+
+                            IdmTransportPacketForm::StreamResponseUpdate => {
+                                let requests = request_streams.lock().await;
+                                if let Some(sender) = requests.get(&packet.id) {
+                                    if let Ok(response) = R::Response::decode(&packet.data) {
+                                        let _ = sender.try_send(response);
+                                    }
+                                }
+                            }
+
+                            IdmTransportPacketForm::StreamResponseClosed => {
+                                let mut requests = request_streams.lock().await;
+                                requests.remove(&packet.id);
+                            }
+
                            _ => {},
                        }
                    },
@ -278,7 +491,7 @@ impl IdmClient {
                            error!("unable to send idm packet, packet size exceeded (tried to send {} bytes)", length);
                            continue;
                        }
-                        backend.send(packet).await?;
+                        backend.send(packet.clone()).await?;
                    },

                    None => {
--- a/crates/krata/src/idm/internal.rs
+++ b/crates/krata/src/idm/internal.rs
@ -1,26 +1,66 @@
+use anyhow::Result;
+use prost::Message;
 use prost_types::{ListValue, Value};

-include!(concat!(env!("OUT_DIR"), "/krata.bus.idm.rs"));
+use super::serialize::{IdmRequest, IdmSerializable};
+
+include!(concat!(env!("OUT_DIR"), "/krata.idm.internal.rs"));
+
+pub const INTERNAL_IDM_CHANNEL: u64 = 0;
+
+impl IdmSerializable for Event {
+    fn encode(&self) -> Result<Vec<u8>> {
+        Ok(self.encode_to_vec())
+    }
+
+    fn decode(bytes: &[u8]) -> Result<Self> {
+        Ok(<Self as prost::Message>::decode(bytes)?)
+    }
+}
+
+impl IdmSerializable for Request {
+    fn encode(&self) -> Result<Vec<u8>> {
+        Ok(self.encode_to_vec())
+    }
+
+    fn decode(bytes: &[u8]) -> Result<Self> {
+        Ok(<Self as prost::Message>::decode(bytes)?)
+    }
+}
+
+impl IdmRequest for Request {
+    type Response = Response;
+}
+
+impl IdmSerializable for Response {
+    fn encode(&self) -> Result<Vec<u8>> {
+        Ok(self.encode_to_vec())
+    }
+
+    fn decode(bytes: &[u8]) -> Result<Self> {
+        Ok(<Self as prost::Message>::decode(bytes)?)
+    }
+}

 pub trait AsIdmMetricValue {
    fn as_metric_value(&self) -> Value;
 }

-impl IdmMetricNode {
-    pub fn structural<N: AsRef<str>>(name: N, children: Vec<IdmMetricNode>) -> IdmMetricNode {
-        IdmMetricNode {
+impl MetricNode {
+    pub fn structural<N: AsRef<str>>(name: N, children: Vec<MetricNode>) -> MetricNode {
+        MetricNode {
            name: name.as_ref().to_string(),
            value: None,
-            format: IdmMetricFormat::Unknown.into(),
+            format: MetricFormat::Unknown.into(),
            children,
        }
    }

-    pub fn raw_value<N: AsRef<str>, V: AsIdmMetricValue>(name: N, value: V) -> IdmMetricNode {
-        IdmMetricNode {
+    pub fn raw_value<N: AsRef<str>, V: AsIdmMetricValue>(name: N, value: V) -> MetricNode {
+        MetricNode {
            name: name.as_ref().to_string(),
            value: Some(value.as_metric_value()),
-            format: IdmMetricFormat::Unknown.into(),
+            format: MetricFormat::Unknown.into(),
            children: vec![],
        }
    }
@ -28,9 +68,9 @@ impl IdmMetricNode {
    pub fn value<N: AsRef<str>, V: AsIdmMetricValue>(
        name: N,
        value: V,
-        format: IdmMetricFormat,
-    ) -> IdmMetricNode {
-        IdmMetricNode {
+        format: MetricFormat,
+    ) -> MetricNode {
+        MetricNode {
            name: name.as_ref().to_string(),
            value: Some(value.as_metric_value()),
            format: format.into(),
--- a/crates/krata/src/idm/mod.rs
+++ b/crates/krata/src/idm/mod.rs
@ -1,3 +1,5 @@
 #[cfg(unix)]
 pub mod client;
-pub use crate::bus::idm as protocol;
+pub mod internal;
+pub mod serialize;
+pub mod transport;
--- a/crates/krata/src/idm/serialize.rs
+++ b/crates/krata/src/idm/serialize.rs
@ -0,0 +1,10 @@
+use anyhow::Result;
+
+pub trait IdmSerializable: Sized + Clone + Send + Sync + 'static {
+    fn decode(bytes: &[u8]) -> Result<Self>;
+    fn encode(&self) -> Result<Vec<u8>>;
+}
+
+pub trait IdmRequest: IdmSerializable {
+    type Response: IdmSerializable;
+}
--- a/crates/krata/src/idm/transport.rs
+++ b/crates/krata/src/idm/transport.rs
@ -0,0 +1 @@
+include!(concat!(env!("OUT_DIR"), "/krata.idm.transport.rs"));
--- a/crates/krata/src/lib.rs
+++ b/crates/krata/src/lib.rs
@ -1,7 +1,6 @@
 use once_cell::sync::Lazy;
 use prost_reflect::DescriptorPool;

-pub mod bus;
 pub mod v1;

 pub mod client;
@ -13,6 +12,9 @@ pub mod launchcfg;
 #[cfg(target_os = "linux")]
 pub mod ethtool;

+#[cfg(unix)]
+pub mod unix;
+
 pub static DESCRIPTOR_POOL: Lazy<DescriptorPool> = Lazy::new(|| {
    DescriptorPool::decode(
        include_bytes!(concat!(env!("OUT_DIR"), "/file_descriptor_set.bin")).as_ref(),
--- a/crates/krata/src/unix.rs
+++ b/crates/krata/src/unix.rs
@ -0,0 +1,73 @@
+use std::future::Future;
+use std::io::Error;
+use std::pin::Pin;
+use std::task::{Context, Poll};
+
+use hyper::rt::ReadBufCursor;
+use hyper_util::rt::TokioIo;
+use pin_project_lite::pin_project;
+use tokio::io::AsyncWrite;
+use tokio::net::UnixStream;
+use tonic::transport::Uri;
+use tower::Service;
+
+pin_project! {
+    #[derive(Debug)]
+    pub struct HyperUnixStream {
+        #[pin]
+        pub stream: UnixStream,
+    }
+}
+
+impl hyper::rt::Read for HyperUnixStream {
+    fn poll_read(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: ReadBufCursor<'_>,
+    ) -> Poll<Result<(), Error>> {
+        let mut tokio = TokioIo::new(self.project().stream);
+        Pin::new(&mut tokio).poll_read(cx, buf)
+    }
+}
+
+impl hyper::rt::Write for HyperUnixStream {
+    fn poll_write(
+        self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+        buf: &[u8],
+    ) -> Poll<Result<usize, Error>> {
+        self.project().stream.poll_write(cx, buf)
+    }
+
+    fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), Error>> {
+        self.project().stream.poll_flush(cx)
+    }
+
+    fn poll_shutdown(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), Error>> {
+        self.project().stream.poll_shutdown(cx)
+    }
+}
+
+pub struct HyperUnixConnector;
+
+impl Service<Uri> for HyperUnixConnector {
+    type Response = HyperUnixStream;
+    type Error = Error;
+    #[allow(clippy::type_complexity)]
+    type Future =
+        Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>> + Send + 'static>>;
+
+    fn call(&mut self, req: Uri) -> Self::Future {
+        let fut = async move {
+            let path = req.path().to_string();
+            let stream = UnixStream::connect(path).await?;
+            Ok(HyperUnixStream { stream })
+        };
+
+        Box::pin(fut)
+    }
+
+    fn poll_ready(&mut self, _cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+        Poll::Ready(Ok(()))
+    }
+}
--- a/crates/loopdev/Cargo.toml
+++ b/crates/loopdev/Cargo.toml
@ -0,0 +1,15 @@
+[package]
+name = "krata-loopdev"
+description = "Loop device handling library for krata"
+license.workspace = true
+version.workspace = true
+homepage.workspace = true
+repository.workspace = true
+edition = "2021"
+resolver = "2"
+
+[lib]
+name = "krataloopdev"
+
+[dependencies]
+libc.workspace = true
--- a/crates/loopdev/src/lib.rs
+++ b/crates/loopdev/src/lib.rs
@ -0,0 +1,348 @@
+use libc::{c_int, ioctl};
+use std::{
+    fs::{File, OpenOptions},
+    io,
+    os::fd::{AsRawFd, IntoRawFd, RawFd},
+    os::unix::fs::MetadataExt,
+    path::{Path, PathBuf},
+};
+
+#[cfg(all(not(target_os = "android"), not(target_env = "musl")))]
+type IoctlRequest = libc::c_ulong;
+#[cfg(any(target_os = "android", target_env = "musl"))]
+type IoctlRequest = libc::c_int;
+
+const LOOP_CONTROL: &str = "/dev/loop-control";
+const LOOP_PREFIX: &str = "/dev/loop";
+
+/// Loop control interface IOCTLs.
+const LOOP_CTL_GET_FREE: IoctlRequest = 0x4C82;
+
+/// Loop device flags.
+const LO_FLAGS_READ_ONLY: u32 = 1;
+const LO_FLAGS_AUTOCLEAR: u32 = 4;
+const LO_FLAGS_PARTSCAN: u32 = 8;
+const LO_FLAGS_DIRECT_IO: u32 = 16;
+
+/// Loop device IOCTLs.
+const LOOP_SET_FD: IoctlRequest = 0x4C00;
+const LOOP_CLR_FD: IoctlRequest = 0x4C01;
+const LOOP_SET_STATUS64: IoctlRequest = 0x4C04;
+const LOOP_SET_CAPACITY: IoctlRequest = 0x4C07;
+const LOOP_SET_DIRECT_IO: IoctlRequest = 0x4C08;
+
+/// Interface which wraps a handle to the loop control device.
+#[derive(Debug)]
+pub struct LoopControl {
+    dev_file: File,
+}
+
+/// Translate ioctl results to errors if appropriate.
+fn translate_error(ret: i32) -> io::Result<i32> {
+    if ret < 0 {
+        Err(io::Error::last_os_error())
+    } else {
+        Ok(ret)
+    }
+}
+
+impl LoopControl {
+    /// Open the loop control device.
+    ///
+    /// # Errors
+    ///
+    /// Any errors from physically opening the loop control device are
+    /// bubbled up.
+    pub fn open() -> io::Result<Self> {
+        Ok(Self {
+            dev_file: OpenOptions::new()
+                .read(true)
+                .write(true)
+                .open(LOOP_CONTROL)?,
+        })
+    }
+
+    /// Requests the next available loop device from the kernel and opens it.
+    ///
+    /// # Examples
+    ///
+    /// ```no_run
+    /// use krataloopdev::LoopControl;
+    /// let lc = LoopControl::open().unwrap();
+    /// let ld = lc.next_free().unwrap();
+    /// println!("{}", ld.path().unwrap().display());
+    /// ```
+    ///
+    /// # Errors
+    ///
+    /// Any errors from opening the loop device are bubbled up.
+    pub fn next_free(&self) -> io::Result<LoopDevice> {
+        let dev_num = translate_error(unsafe {
+            ioctl(
+                self.dev_file.as_raw_fd() as c_int,
+                LOOP_CTL_GET_FREE as IoctlRequest,
+            )
+        })?;
+        LoopDevice::open(format!("{}{}", LOOP_PREFIX, dev_num))
+    }
+}
+
+/// Interface to a loop device itself, e.g. `/dev/loop0`.
+#[derive(Debug)]
+pub struct LoopDevice {
+    device: File,
+}
+
+impl AsRawFd for LoopDevice {
+    fn as_raw_fd(&self) -> RawFd {
+        self.device.as_raw_fd()
+    }
+}
+
+impl IntoRawFd for LoopDevice {
+    fn into_raw_fd(self) -> RawFd {
+        self.device.into_raw_fd()
+    }
+}
+
+impl LoopDevice {
+    /// Opens a loop device.
+    ///
+    /// # Errors
+    ///
+    /// Any errors from opening the underlying physical loop device are bubbled up.
+    pub fn open<P: AsRef<Path>>(dev: P) -> io::Result<Self> {
+        Ok(Self {
+            device: OpenOptions::new().read(true).write(true).open(dev)?,
+        })
+    }
+
+    /// Attach a loop device to a file with the given options.
+    pub fn with(&self) -> AttachOptions<'_> {
+        AttachOptions {
+            device: self,
+            info: LoopInfo64::default(),
+        }
+    }
+
+    /// Enables or disables Direct I/O mode.
+    pub fn set_direct_io(&self, direct_io: bool) -> io::Result<()> {
+        translate_error(unsafe {
+            ioctl(
+                self.device.as_raw_fd() as c_int,
+                LOOP_SET_DIRECT_IO as IoctlRequest,
+                if direct_io { 1 } else { 0 },
+            )
+        })?;
+        Ok(())
+    }
+
+    /// Attach the loop device to a fully-mapped file.
+    pub fn attach_file<P: AsRef<Path>>(&self, backing_file: P) -> io::Result<()> {
+        let info = LoopInfo64 {
+            ..Default::default()
+        };
+
+        Self::attach_with_loop_info(self, backing_file, info)
+    }
+
+    /// Attach the loop device to a file with `LoopInfo64`.
+    fn attach_with_loop_info(
+        &self,
+        backing_file: impl AsRef<Path>,
+        info: LoopInfo64,
+    ) -> io::Result<()> {
+        let write_access = (info.lo_flags & LO_FLAGS_READ_ONLY) == 0;
+        let bf = OpenOptions::new()
+            .read(true)
+            .write(write_access)
+            .open(backing_file)?;
+        self.attach_fd_with_loop_info(bf, info)
+    }
+
+    /// Attach the loop device to a file descriptor with `LoopInfo64`.
+    fn attach_fd_with_loop_info(&self, bf: impl AsRawFd, info: LoopInfo64) -> io::Result<()> {
+        translate_error(unsafe {
+            ioctl(
+                self.device.as_raw_fd() as c_int,
+                LOOP_SET_FD as IoctlRequest,
+                bf.as_raw_fd() as c_int,
+            )
+        })?;
+
+        let result = unsafe {
+            ioctl(
+                self.device.as_raw_fd() as c_int,
+                LOOP_SET_STATUS64 as IoctlRequest,
+                &info,
+            )
+        };
+
+        match translate_error(result) {
+            Err(err) => {
+                let _detach_err = self.detach();
+                Err(err)
+            }
+            Ok(_) => Ok(()),
+        }
+    }
+
+    /// Get the path for the loop device.
+    pub fn path(&self) -> Option<PathBuf> {
+        let mut p = PathBuf::from("/proc/self/fd");
+        p.push(self.device.as_raw_fd().to_string());
+        std::fs::read_link(&p).ok()
+    }
+
+    /// Detach a loop device.
+    pub fn detach(&self) -> io::Result<()> {
+        translate_error(unsafe {
+            ioctl(
+                self.device.as_raw_fd() as c_int,
+                LOOP_CLR_FD as IoctlRequest,
+                0,
+            )
+        })?;
+        Ok(())
+    }
+
+    /// Update a loop device's capacity.
+    pub fn set_capacity(&self) -> io::Result<()> {
+        translate_error(unsafe {
+            ioctl(
+                self.device.as_raw_fd() as c_int,
+                LOOP_SET_CAPACITY as IoctlRequest,
+                0,
+            )
+        })?;
+        Ok(())
+    }
+
+    /// Return the major device node number.
+    pub fn major(&self) -> io::Result<u32> {
+        self.device
+            .metadata()
+            .map(|m| unsafe { libc::major(m.rdev()) })
+    }
+
+    /// Return the minor device node number.
+    pub fn minor(&self) -> io::Result<u32> {
+        self.device
+            .metadata()
+            .map(|m| unsafe { libc::minor(m.rdev()) })
+    }
+}
+
+#[allow(dead_code)]
+#[derive(Clone)]
+pub struct LoopInfo64 {
+    lo_device: u64,
+    lo_inode: u64,
+    lo_rdevice: u64,
+    lo_offset: u64,
+    lo_sizelimit: u64,
+    lo_number: u32,
+    lo_encrypt_type: u32,
+    lo_encrypt_key_size: u32,
+    lo_flags: u32,
+    lo_file_name: [u8; 64],
+    lo_crypt_name: [u8; 64],
+    lo_encrypt_key: [u8; 32],
+    lo_init: [u64; 2],
+}
+
+impl Default for LoopInfo64 {
+    fn default() -> Self {
+        Self {
+            lo_device: 0,
+            lo_inode: 0,
+            lo_rdevice: 0,
+            lo_offset: 0,
+            lo_sizelimit: 0,
+            lo_number: 0,
+            lo_encrypt_type: 0,
+            lo_encrypt_key_size: 0,
+            lo_flags: 0,
+            lo_file_name: [0; 64],
+            lo_crypt_name: [0; 64],
+            lo_encrypt_key: [0; 32],
+            lo_init: [0, 2],
+        }
+    }
+}
+
+#[must_use]
+pub struct AttachOptions<'d> {
+    device: &'d LoopDevice,
+    info: LoopInfo64,
+}
+
+impl AttachOptions<'_> {
+    pub fn offset(mut self, offset: u64) -> Self {
+        self.info.lo_offset = offset;
+        self
+    }
+
+    pub fn size_limit(mut self, size_limit: u64) -> Self {
+        self.info.lo_sizelimit = size_limit;
+        self
+    }
+
+    pub fn read_only(mut self, read_only: bool) -> Self {
+        if read_only {
+            self.info.lo_flags |= LO_FLAGS_READ_ONLY;
+        } else {
+            self.info.lo_flags &= !LO_FLAGS_READ_ONLY;
+        }
+        self
+    }
+
+    pub fn autoclear(mut self, autoclear: bool) -> Self {
+        if autoclear {
+            self.info.lo_flags |= LO_FLAGS_AUTOCLEAR;
+        } else {
+            self.info.lo_flags &= !LO_FLAGS_AUTOCLEAR;
+        }
+        self
+    }
+
+    pub fn part_scan(mut self, part_scan: bool) -> Self {
+        if part_scan {
+            self.info.lo_flags |= LO_FLAGS_PARTSCAN;
+        } else {
+            self.info.lo_flags &= !LO_FLAGS_PARTSCAN;
+        }
+        self
+    }
+
+    pub fn set_direct_io(mut self, direct_io: bool) -> Self {
+        if direct_io {
+            self.info.lo_flags |= LO_FLAGS_DIRECT_IO;
+        } else {
+            self.info.lo_flags &= !LO_FLAGS_DIRECT_IO;
+        }
+        self
+    }
+
+    pub fn direct_io(&self) -> bool {
+        (self.info.lo_flags & LO_FLAGS_DIRECT_IO) == LO_FLAGS_DIRECT_IO
+    }
+
+    pub fn attach(&self, backing_file: impl AsRef<Path>) -> io::Result<()> {
+        self.device
+            .attach_with_loop_info(backing_file, self.info.clone())?;
+        if self.direct_io() {
+            self.device.set_direct_io(self.direct_io())?;
+        }
+        Ok(())
+    }
+
+    pub fn attach_fd(&self, backing_file_fd: impl AsRawFd) -> io::Result<()> {
+        self.device
+            .attach_fd_with_loop_info(backing_file_fd, self.info.clone())?;
+        if self.direct_io() {
+            self.device.set_direct_io(self.direct_io())?;
+        }
+        Ok(())
+    }
+}
--- a/crates/network/Cargo.toml
+++ b/crates/network/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "krata-network"
-description = "Networking services for the krata hypervisor."
+description = "Networking services for the krata isolation engine"
 license.workspace = true
 version.workspace = true
 homepage.workspace = true
@ -16,7 +16,7 @@ clap = { workspace = true }
 env_logger = { workspace = true }
 etherparse = { workspace = true }
 futures = { workspace = true }
-krata = { path = "../krata", version = "^0.0.9" }
+krata = { path = "../krata", version = "^0.0.14" }
 krata-advmac = { workspace = true }
 libc = { workspace = true }
 log = { workspace = true }
--- a/crates/network/src/autonet.rs
+++ b/crates/network/src/autonet.rs
@ -2,10 +2,10 @@ use anyhow::Result;
 use krata::{
    events::EventStream,
    v1::{
-        common::Guest,
+        common::Zone,
        control::{
            control_service_client::ControlServiceClient, watch_events_reply::Event,
-            ListGuestsRequest,
+            ListZonesRequest,
        },
    },
 };
@ -33,7 +33,7 @@ pub struct NetworkSide {
 pub struct NetworkMetadata {
    pub domid: u32,
    pub uuid: Uuid,
-    pub guest: NetworkSide,
+    pub zone: NetworkSide,
    pub gateway: NetworkSide,
 }

@ -60,23 +60,23 @@ impl AutoNetworkWatcher {
    }

    pub async fn read(&mut self) -> Result<Vec<NetworkMetadata>> {
-        let mut all_guests: HashMap<Uuid, Guest> = HashMap::new();
-        for guest in self
+        let mut all_zones: HashMap<Uuid, Zone> = HashMap::new();
+        for zone in self
            .control
-            .list_guests(ListGuestsRequest {})
+            .list_zones(ListZonesRequest {})
            .await?
            .into_inner()
-            .guests
+            .zones
        {
-            let Ok(uuid) = Uuid::from_str(&guest.id) else {
+            let Ok(uuid) = Uuid::from_str(&zone.id) else {
                continue;
            };
-            all_guests.insert(uuid, guest);
+            all_zones.insert(uuid, zone);
        }

        let mut networks: Vec<NetworkMetadata> = Vec::new();
-        for (uuid, guest) in &all_guests {
-            let Some(ref state) = guest.state else {
+        for (uuid, zone) in &all_zones {
+            let Some(ref state) = zone.state else {
                continue;
            };

@ -88,15 +88,15 @@ impl AutoNetworkWatcher {
                continue;
            };

-            let Ok(guest_ipv4_cidr) = Ipv4Cidr::from_str(&network.guest_ipv4) else {
+            let Ok(zone_ipv4_cidr) = Ipv4Cidr::from_str(&network.zone_ipv4) else {
                continue;
            };

-            let Ok(guest_ipv6_cidr) = Ipv6Cidr::from_str(&network.guest_ipv6) else {
+            let Ok(zone_ipv6_cidr) = Ipv6Cidr::from_str(&network.zone_ipv6) else {
                continue;
            };

-            let Ok(guest_mac) = EthernetAddress::from_str(&network.guest_mac) else {
+            let Ok(zone_mac) = EthernetAddress::from_str(&network.zone_mac) else {
                continue;
            };

@ -115,10 +115,10 @@ impl AutoNetworkWatcher {
            networks.push(NetworkMetadata {
                domid: state.domid,
                uuid: *uuid,
-                guest: NetworkSide {
-                    ipv4: guest_ipv4_cidr,
-                    ipv6: guest_ipv6_cidr,
-                    mac: guest_mac,
+                zone: NetworkSide {
+                    ipv4: zone_ipv4_cidr,
+                    ipv6: zone_ipv6_cidr,
+                    mac: zone_mac,
                },
                gateway: NetworkSide {
                    ipv4: gateway_ipv4_cidr,
@ -175,7 +175,7 @@ impl AutoNetworkWatcher {
        loop {
            select! {
                x = receiver.recv() => match x {
-                    Ok(Event::GuestChanged(_)) => {
+                    Ok(Event::ZoneChanged(_)) => {
                        break;
                    },

--- a/crates/network/src/backend.rs
+++ b/crates/network/src/backend.rs
@ -54,11 +54,11 @@ impl NetworkStack<'_> {
        match what {
            NetworkStackSelect::Receive(Some(packet)) => {
                if let Err(error) = self.bridge.to_bridge_sender.try_send(packet.clone()) {
-                    trace!("failed to send guest packet to bridge: {}", error);
+                    trace!("failed to send zone packet to bridge: {}", error);
                }

                if let Err(error) = self.nat.receive_sender.try_send(packet.clone()) {
-                    trace!("failed to send guest packet to nat: {}", error);
+                    trace!("failed to send zone packet to nat: {}", error);
                }

                self.udev.rx = Some(packet);
@ -137,7 +137,7 @@ impl NetworkBackend {
                .expect("failed to set ip addresses");
        });
        let sockets = SocketSet::new(vec![]);
-        let handle = self.bridge.join(self.metadata.guest.mac).await?;
+        let handle = self.bridge.join(self.metadata.zone.mac).await?;
        let kdev = AsyncRawSocketChannel::new(mtu, kdev)?;
        Ok(NetworkStack {
            tx: tx_receiver,
@ -153,12 +153,12 @@ impl NetworkBackend {
    pub async fn launch(self) -> Result<JoinHandle<()>> {
        Ok(tokio::task::spawn(async move {
            info!(
-                "launched network backend for krata guest {}",
+                "launched network backend for krata zone {}",
                self.metadata.uuid
            );
            if let Err(error) = self.run().await {
                warn!(
-                    "network backend for krata guest {} failed: {}",
+                    "network backend for krata zone {} failed: {}",
                    self.metadata.uuid, error
                );
            }
@ -169,7 +169,7 @@ impl NetworkBackend {
 impl Drop for NetworkBackend {
    fn drop(&mut self) {
        info!(
-            "destroyed network backend for krata guest {}",
+            "destroyed network backend for krata zone {}",
            self.metadata.uuid
        );
    }
--- a/crates/network/src/lib.rs
+++ b/crates/network/src/lib.rs
@ -7,7 +7,7 @@ use hbridge::HostBridge;
 use krata::{
    client::ControlClientProvider,
    dial::ControlDialAddress,
-    v1::{common::Guest, control::control_service_client::ControlServiceClient},
+    v1::{common::Zone, control::control_service_client::ControlServiceClient},
 };
 use log::warn;
 use tokio::{task::JoinHandle, time::sleep};
@ -33,7 +33,7 @@ pub const EXTRA_MTU: usize = 20;

 pub struct NetworkService {
    pub control: ControlServiceClient<Channel>,
-    pub guests: HashMap<Uuid, Guest>,
+    pub zones: HashMap<Uuid, Zone>,
    pub backends: HashMap<Uuid, JoinHandle<()>>,
    pub bridge: VirtualBridge,
    pub hbridge: HostBridge,
@ -47,7 +47,7 @@ impl NetworkService {
            HostBridge::new(HOST_BRIDGE_MTU + EXTRA_MTU, "krata0".to_string(), &bridge).await?;
        Ok(NetworkService {
            control,
-            guests: HashMap::new(),
+            zones: HashMap::new(),
            backends: HashMap::new(),
            bridge,
            hbridge,
@ -99,7 +99,7 @@ impl NetworkService {

                Err((metadata, error)) => {
                    warn!(
-                        "failed to launch network backend for krata guest {}: {}",
+                        "failed to launch network backend for krata zone {}: {}",
                        metadata.uuid, error
                    );
                    failed.push(metadata.uuid);
--- a/crates/oci/Cargo.toml
+++ b/crates/oci/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "krata-oci"
-description = "OCI services for the krata hypervisor."
+description = "OCI services for the krata isolation engine"
 license.workspace = true
 version.workspace = true
 homepage.workspace = true
--- a/crates/oci/examples/squashify.rs
+++ b/crates/oci/examples/squashify.rs
@ -5,10 +5,10 @@ use env_logger::Env;
 use krataoci::{
    name::ImageName,
    packer::{service::OciPackerService, OciPackedFormat},
-    progress::{OciProgress, OciProgressContext},
+    progress::OciProgressContext,
    registry::OciPlatform,
 };
-use tokio::{fs, sync::mpsc::channel};
+use tokio::fs;

 #[tokio::main]
 async fn main() -> Result<()> {
@ -22,27 +22,28 @@ async fn main() -> Result<()> {
        fs::create_dir(&cache_dir).await?;
    }

-    let (sender, mut receiver) = channel::<OciProgress>(100);
+    let (context, mut receiver) = OciProgressContext::create();
    tokio::task::spawn(async move {
        loop {
-            let mut progresses = Vec::new();
-            let _ = receiver.recv_many(&mut progresses, 100).await;
-            let Some(progress) = progresses.last() else {
-                continue;
-            };
+            if (receiver.changed().await).is_err() {
+                break;
+            }
+            let progress = receiver.borrow_and_update();
            println!("phase {:?}", progress.phase);
            for (id, layer) in &progress.layers {
-                println!(
-                    "{} {:?} {} of {}",
-                    id, layer.phase, layer.value, layer.total
-                )
+                println!("{} {:?} {:?}", id, layer.phase, layer.indication,)
            }
        }
    });
-    let context = OciProgressContext::new(sender);
-    let service = OciPackerService::new(seed, &cache_dir, OciPlatform::current())?;
+    let service = OciPackerService::new(seed, &cache_dir, OciPlatform::current()).await?;
    let packed = service
-        .request(image.clone(), OciPackedFormat::Squashfs, context)
+        .request(
+            image.clone(),
+            OciPackedFormat::Squashfs,
+            false,
+            true,
+            context,
+        )
        .await?;
    println!(
        "generated squashfs of {} to {}",
--- a/crates/oci/src/assemble.rs
+++ b/crates/oci/src/assemble.rs
@ -1,22 +1,25 @@
-use crate::fetch::{OciImageFetcher, OciImageLayer, OciResolvedImage};
+use crate::fetch::{OciImageFetcher, OciImageLayer, OciImageLayerReader, OciResolvedImage};
 use crate::progress::OciBoundProgress;
+use crate::schema::OciSchema;
 use crate::vfs::{VfsNode, VfsTree};
 use anyhow::{anyhow, Result};
 use log::{debug, trace, warn};
-use oci_spec::image::{ImageConfiguration, ImageManifest};
+use oci_spec::image::{Descriptor, ImageConfiguration, ImageManifest};
+
 use std::path::{Path, PathBuf};
 use std::pin::Pin;
+use std::sync::atomic::{AtomicBool, Ordering};
 use std::sync::Arc;
 use tokio::fs;
-use tokio::io::AsyncRead;
 use tokio_stream::StreamExt;
 use tokio_tar::{Archive, Entry};
 use uuid::Uuid;

 pub struct OciImageAssembled {
    pub digest: String,
-    pub manifest: ImageManifest,
-    pub config: ImageConfiguration,
+    pub descriptor: Descriptor,
+    pub manifest: OciSchema<ImageManifest>,
+    pub config: OciSchema<ImageConfiguration>,
    pub vfs: Arc<VfsTree>,
    pub tmp_dir: Option<PathBuf>,
 }
@ -33,11 +36,12 @@ impl Drop for OciImageAssembled {

 pub struct OciImageAssembler {
    downloader: OciImageFetcher,
-    resolved: OciResolvedImage,
+    resolved: Option<OciResolvedImage>,
    progress: OciBoundProgress,
    work_dir: PathBuf,
    disk_dir: PathBuf,
    tmp_dir: Option<PathBuf>,
+    success: AtomicBool,
 }

 impl OciImageAssembler {
@ -81,11 +85,12 @@ impl OciImageAssembler {

        Ok(OciImageAssembler {
            downloader,
-            resolved,
+            resolved: Some(resolved),
            progress,
            work_dir,
            disk_dir: target_dir,
            tmp_dir,
+            success: AtomicBool::new(false),
        })
    }

@ -97,11 +102,11 @@ impl OciImageAssembler {
        self.assemble_with(&layer_dir).await
    }

-    async fn assemble_with(self, layer_dir: &Path) -> Result<OciImageAssembled> {
-        let local = self
-            .downloader
-            .download(self.resolved.clone(), layer_dir)
-            .await?;
+    async fn assemble_with(mut self, layer_dir: &Path) -> Result<OciImageAssembled> {
+        let Some(ref resolved) = self.resolved else {
+            return Err(anyhow!("resolved image was not available when expected"));
+        };
+        let local = self.downloader.download(resolved, layer_dir).await?;
        let mut vfs = VfsTree::new();
        for layer in &local.layers {
            debug!(
@ -110,12 +115,14 @@ impl OciImageAssembler {
            );
            self.progress
                .update(|progress| {
-                    progress.extracting_layer(&layer.digest, 0, 1);
+                    progress.start_extracting_layer(&layer.digest);
                })
                .await;
            debug!("process layer digest={}", &layer.digest,);
            let mut archive = layer.archive().await?;
            let mut entries = archive.entries()?;
+            let mut count = 0u64;
+            let mut size = 0u64;
            while let Some(entry) = entries.next().await {
                let mut entry = entry?;
                let path = entry.path()?;
@ -129,14 +136,21 @@ impl OciImageAssembler {
                    self.process_whiteout_entry(&mut vfs, &entry, name, layer)
                        .await?;
                } else {
-                    vfs.insert_tar_entry(&entry)?;
-                    self.process_write_entry(&mut vfs, &mut entry, layer)
+                    let reference = vfs.insert_tar_entry(&entry)?;
+                    self.progress
+                        .update(|progress| {
+                            progress.extracting_layer(&layer.digest, &reference.name);
+                        })
+                        .await;
+                    size += self
+                        .process_write_entry(&mut vfs, &mut entry, layer)
                        .await?;
+                    count += 1;
                }
            }
            self.progress
                .update(|progress| {
-                    progress.extracted_layer(&layer.digest);
+                    progress.extracted_layer(&layer.digest, count, size);
                })
                .await;
        }
@ -145,19 +159,27 @@ impl OciImageAssembler {
                fs::remove_file(&layer.path).await?;
            }
        }
-        Ok(OciImageAssembled {
+
+        let Some(resolved) = self.resolved.take() else {
+            return Err(anyhow!("resolved image was not available when expected"));
+        };
+
+        let assembled = OciImageAssembled {
            vfs: Arc::new(vfs),
-            digest: self.resolved.digest,
-            manifest: self.resolved.manifest,
+            descriptor: resolved.descriptor,
+            digest: resolved.digest,
+            manifest: resolved.manifest,
            config: local.config,
-            tmp_dir: self.tmp_dir,
-        })
+            tmp_dir: self.tmp_dir.clone(),
+        };
+        self.success.store(true, Ordering::Release);
+        Ok(assembled)
    }

    async fn process_whiteout_entry(
        &self,
        vfs: &mut VfsTree,
-        entry: &Entry<Archive<Pin<Box<dyn AsyncRead + Send>>>>,
+        entry: &Entry<Archive<Pin<Box<dyn OciImageLayerReader + Send>>>>,
        name: &str,
        layer: &OciImageLayer,
    ) -> Result<()> {
@ -198,11 +220,11 @@ impl OciImageAssembler {
    async fn process_write_entry(
        &self,
        vfs: &mut VfsTree,
-        entry: &mut Entry<Archive<Pin<Box<dyn AsyncRead + Send>>>>,
+        entry: &mut Entry<Archive<Pin<Box<dyn OciImageLayerReader + Send>>>>,
        layer: &OciImageLayer,
-    ) -> Result<()> {
+    ) -> Result<u64> {
        if !entry.header().entry_type().is_file() {
-            return Ok(());
+            return Ok(0);
        }
        trace!(
            "unpack entry layer={} path={:?} type={:?}",
@ -218,7 +240,19 @@ impl OciImageAssembler {
            .await?
            .ok_or(anyhow!("unpack did not return a path"))?;
        vfs.set_disk_path(&entry.path()?, &path)?;
-        Ok(())
+        Ok(entry.header().size()?)
+    }
+}
+
+impl Drop for OciImageAssembler {
+    fn drop(&mut self) {
+        if !self.success.load(Ordering::Acquire) {
+            if let Some(tmp_dir) = self.tmp_dir.clone() {
+                tokio::task::spawn(async move {
+                    let _ = fs::remove_dir_all(tmp_dir).await;
+                });
+            }
+        }
    }
 }

--- a/crates/oci/src/fetch.rs
+++ b/crates/oci/src/fetch.rs
@ -1,4 +1,7 @@
-use crate::progress::{OciBoundProgress, OciProgressPhase};
+use crate::{
+    progress::{OciBoundProgress, OciProgressPhase},
+    schema::OciSchema,
+};

 use super::{
    name::ImageName,
@ -6,6 +9,9 @@ use super::{
 };

 use std::{
+    fmt::Debug,
+    io::SeekFrom,
+    os::unix::fs::MetadataExt,
    path::{Path, PathBuf},
    pin::Pin,
 };
@ -14,12 +20,13 @@ use anyhow::{anyhow, Result};
 use async_compression::tokio::bufread::{GzipDecoder, ZstdDecoder};
 use log::debug;
 use oci_spec::image::{
-    Descriptor, ImageConfiguration, ImageIndex, ImageManifest, MediaType, ToDockerV2S2,
+    Descriptor, DescriptorBuilder, ImageConfiguration, ImageIndex, ImageManifest, MediaType,
+    ToDockerV2S2,
 };
 use serde::de::DeserializeOwned;
 use tokio::{
-    fs::File,
-    io::{AsyncRead, AsyncReadExt, BufReader, BufWriter},
+    fs::{self, File},
+    io::{AsyncRead, AsyncReadExt, AsyncSeekExt, BufReader, BufWriter},
 };
 use tokio_stream::StreamExt;
 use tokio_tar::Archive;
@ -39,16 +46,43 @@ pub enum OciImageLayerCompression {

 #[derive(Clone, Debug)]
 pub struct OciImageLayer {
+    pub metadata: Descriptor,
    pub path: PathBuf,
    pub digest: String,
    pub compression: OciImageLayerCompression,
 }

+#[async_trait::async_trait]
+pub trait OciImageLayerReader: AsyncRead + Sync {
+    async fn position(&mut self) -> Result<u64>;
+}
+
+#[async_trait::async_trait]
+impl OciImageLayerReader for BufReader<File> {
+    async fn position(&mut self) -> Result<u64> {
+        Ok(self.seek(SeekFrom::Current(0)).await?)
+    }
+}
+
+#[async_trait::async_trait]
+impl OciImageLayerReader for GzipDecoder<BufReader<File>> {
+    async fn position(&mut self) -> Result<u64> {
+        self.get_mut().position().await
+    }
+}
+
+#[async_trait::async_trait]
+impl OciImageLayerReader for ZstdDecoder<BufReader<File>> {
+    async fn position(&mut self) -> Result<u64> {
+        self.get_mut().position().await
+    }
+}
+
 impl OciImageLayer {
-    pub async fn decompress(&self) -> Result<Pin<Box<dyn AsyncRead + Send>>> {
+    pub async fn decompress(&self) -> Result<Pin<Box<dyn OciImageLayerReader + Send>>> {
        let file = File::open(&self.path).await?;
        let reader = BufReader::new(file);
-        let reader: Pin<Box<dyn AsyncRead + Send>> = match self.compression {
+        let reader: Pin<Box<dyn OciImageLayerReader + Send>> = match self.compression {
            OciImageLayerCompression::None => Box::pin(reader),
            OciImageLayerCompression::Gzip => Box::pin(GzipDecoder::new(reader)),
            OciImageLayerCompression::Zstd => Box::pin(ZstdDecoder::new(reader)),
@ -56,7 +90,7 @@ impl OciImageLayer {
        Ok(reader)
    }

-    pub async fn archive(&self) -> Result<Archive<Pin<Box<dyn AsyncRead + Send>>>> {
+    pub async fn archive(&self) -> Result<Archive<Pin<Box<dyn OciImageLayerReader + Send>>>> {
        let decompress = self.decompress().await?;
        Ok(Archive::new(decompress))
    }
@ -66,13 +100,14 @@ impl OciImageLayer {
 pub struct OciResolvedImage {
    pub name: ImageName,
    pub digest: String,
-    pub manifest: ImageManifest,
+    pub descriptor: Descriptor,
+    pub manifest: OciSchema<ImageManifest>,
 }

 #[derive(Clone, Debug)]
 pub struct OciLocalImage {
    pub image: OciResolvedImage,
-    pub config: ImageConfiguration,
+    pub config: OciSchema<ImageConfiguration>,
    pub layers: Vec<OciImageLayer>,
 }

@ -89,10 +124,10 @@ impl OciImageFetcher {
        }
    }

-    async fn load_seed_json_blob<T: DeserializeOwned>(
+    async fn load_seed_json_blob<T: Clone + Debug + DeserializeOwned>(
        &self,
        descriptor: &Descriptor,
-    ) -> Result<Option<T>> {
+    ) -> Result<Option<OciSchema<T>>> {
        let digest = descriptor.digest();
        let Some((digest_type, digest_content)) = digest.split_once(':') else {
            return Err(anyhow!("digest content was not properly formatted"));
@ -101,7 +136,10 @@ impl OciImageFetcher {
        self.load_seed_json(&want).await
    }

-    async fn load_seed_json<T: DeserializeOwned>(&self, want: &str) -> Result<Option<T>> {
+    async fn load_seed_json<T: Clone + Debug + DeserializeOwned>(
+        &self,
+        want: &str,
+    ) -> Result<Option<OciSchema<T>>> {
        let Some(ref seed) = self.seed else {
            return Ok(None);
        };
@ -113,10 +151,10 @@ impl OciImageFetcher {
            let mut entry = entry?;
            let path = String::from_utf8(entry.path_bytes().to_vec())?;
            if path == want {
-                let mut content = String::new();
-                entry.read_to_string(&mut content).await?;
-                let data = serde_json::from_str::<T>(&content)?;
-                return Ok(Some(data));
+                let mut content = Vec::new();
+                entry.read_to_end(&mut content).await?;
+                let item = serde_json::from_slice::<T>(&content)?;
+                return Ok(Some(OciSchema::new(content, item)));
            }
        }
        Ok(None)
@ -154,7 +192,7 @@ impl OciImageFetcher {

        if let Some(index) = self.load_seed_json::<ImageIndex>("index.json").await? {
            let mut found: Option<&Descriptor> = None;
-            for manifest in index.manifests() {
+            for manifest in index.item().manifests() {
                let Some(annotations) = manifest.annotations() else {
                    continue;
                };
@ -179,6 +217,13 @@ impl OciImageFetcher {
                        continue;
                    }
                }
+
+                if let Some(ref digest) = image.digest {
+                    if digest != manifest.digest() {
+                        continue;
+                    }
+                }
+
                found = Some(manifest);
                break;
            }
@ -192,6 +237,7 @@ impl OciImageFetcher {
                    );
                    return Ok(OciResolvedImage {
                        name: image,
+                        descriptor: found.clone(),
                        digest: found.digest().clone(),
                        manifest,
                    });
@ -200,11 +246,20 @@ impl OciImageFetcher {
        }

        let mut client = OciRegistryClient::new(image.registry_url()?, self.platform.clone())?;
-        let (manifest, digest) = client
-            .get_manifest_with_digest(&image.name, &image.reference)
+        let (manifest, descriptor, digest) = client
+            .get_manifest_with_digest(&image.name, image.reference.as_ref(), image.digest.as_ref())
            .await?;
+        let descriptor = descriptor.unwrap_or_else(|| {
+            DescriptorBuilder::default()
+                .media_type(MediaType::ImageManifest)
+                .size(manifest.raw().len() as i64)
+                .digest(digest.clone())
+                .build()
+                .unwrap()
+        });
        Ok(OciResolvedImage {
            name: image,
+            descriptor,
            digest,
            manifest,
        })
@ -212,41 +267,44 @@ impl OciImageFetcher {

    pub async fn download(
        &self,
-        image: OciResolvedImage,
+        image: &OciResolvedImage,
        layer_dir: &Path,
    ) -> Result<OciLocalImage> {
-        let config: ImageConfiguration;
+        let config: OciSchema<ImageConfiguration>;
        self.progress
            .update(|progress| {
-                progress.phase = OciProgressPhase::ConfigAcquire;
+                progress.phase = OciProgressPhase::ConfigDownload;
            })
            .await;
        let mut client = OciRegistryClient::new(image.name.registry_url()?, self.platform.clone())?;
        if let Some(seeded) = self
-            .load_seed_json_blob::<ImageConfiguration>(image.manifest.config())
+            .load_seed_json_blob::<ImageConfiguration>(image.manifest.item().config())
            .await?
        {
            config = seeded;
        } else {
            let config_bytes = client
-                .get_blob(&image.name.name, image.manifest.config())
+                .get_blob(&image.name.name, image.manifest.item().config())
                .await?;
-            config = serde_json::from_slice(&config_bytes)?;
+            config = OciSchema::new(
+                config_bytes.to_vec(),
+                serde_json::from_slice(&config_bytes)?,
+            );
        }
        self.progress
            .update(|progress| {
-                progress.phase = OciProgressPhase::LayerAcquire;
+                progress.phase = OciProgressPhase::LayerDownload;

-                for layer in image.manifest.layers() {
-                    progress.add_layer(layer.digest(), layer.size() as usize);
+                for layer in image.manifest.item().layers() {
+                    progress.add_layer(layer.digest());
                }
            })
            .await;
        let mut layers = Vec::new();
-        for layer in image.manifest.layers() {
+        for layer in image.manifest.item().layers() {
            self.progress
                .update(|progress| {
-                    progress.downloading_layer(layer.digest(), 0, layer.size() as usize);
+                    progress.downloading_layer(layer.digest(), 0, layer.size() as u64);
                })
                .await;
            layers.push(
@ -255,12 +313,12 @@ impl OciImageFetcher {
            );
            self.progress
                .update(|progress| {
-                    progress.downloaded_layer(layer.digest());
+                    progress.downloaded_layer(layer.digest(), layer.size() as u64);
                })
                .await;
        }
        Ok(OciLocalImage {
-            image,
+            image: image.clone(),
            config,
            layers,
        })
@ -294,6 +352,12 @@ impl OciImageFetcher {
            }
        }

+        let metadata = fs::metadata(&layer_path).await?;
+
+        if layer.size() as u64 != metadata.size() {
+            return Err(anyhow!("layer size differs from size in manifest",));
+        }
+
        let mut media_type = layer.media_type().clone();

        // docker layer compatibility
@ -308,6 +372,7 @@ impl OciImageFetcher {
            other => return Err(anyhow!("found layer with unknown media type: {}", other)),
        };
        Ok(OciImageLayer {
+            metadata: layer.clone(),
            path: layer_path,
            digest: layer.digest().clone(),
            compression,
--- a/crates/oci/src/lib.rs
+++ b/crates/oci/src/lib.rs
@ -4,4 +4,5 @@ pub mod name;
 pub mod packer;
 pub mod progress;
 pub mod registry;
+pub mod schema;
 pub mod vfs;
--- a/crates/oci/src/name.rs
+++ b/crates/oci/src/name.rs
@ -2,27 +2,39 @@ use anyhow::Result;
 use std::fmt;
 use url::Url;

-const DOCKER_HUB_MIRROR: &str = "mirror.gcr.io";
-const DEFAULT_IMAGE_TAG: &str = "latest";
-
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
 pub struct ImageName {
    pub hostname: String,
    pub port: Option<u16>,
    pub name: String,
-    pub reference: String,
+    pub reference: Option<String>,
+    pub digest: Option<String>,
 }

 impl fmt::Display for ImageName {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        if let Some(port) = self.port {
-            write!(
-                f,
-                "{}:{}/{}:{}",
-                self.hostname, port, self.name, self.reference
-            )
+        let mut suffix = String::new();
+
+        if let Some(ref reference) = self.reference {
+            suffix.push(':');
+            suffix.push_str(reference);
+        }
+
+        if let Some(ref digest) = self.digest {
+            suffix.push('@');
+            suffix.push_str(digest);
+        }
+
+        if ImageName::DOCKER_HUB_MIRROR == self.hostname && self.port.is_none() {
+            if self.name.starts_with("library/") {
+                write!(f, "{}{}", &self.name[8..], suffix)
+            } else {
+                write!(f, "{}{}", self.name, suffix)
+            }
+        } else if let Some(port) = self.port {
+            write!(f, "{}:{}/{}{}", self.hostname, port, self.name, suffix)
        } else {
-            write!(f, "{}/{}:{}", self.hostname, self.name, self.reference)
+            write!(f, "{}/{}{}", self.hostname, self.name, suffix)
        }
    }
 }
@ -35,13 +47,21 @@ impl Default for ImageName {
 }

 impl ImageName {
+    pub const DOCKER_HUB_MIRROR: &'static str = "mirror.gcr.io";
+    pub const DEFAULT_IMAGE_TAG: &'static str = "latest";
+
    pub fn parse(name: &str) -> Result<Self> {
        let full_name = name.to_string();
        let name = full_name.clone();
        let (mut hostname, mut name) = name
            .split_once('/')
            .map(|x| (x.0.to_string(), x.1.to_string()))
-            .unwrap_or_else(|| (DOCKER_HUB_MIRROR.to_string(), format!("library/{}", name)));
+            .unwrap_or_else(|| {
+                (
+                    ImageName::DOCKER_HUB_MIRROR.to_string(),
+                    format!("library/{}", name),
+                )
+            });

        // heuristic to find any docker hub image formats
        // that may be in the hostname format. for example:
@ -49,7 +69,7 @@ impl ImageName {
        // and neither will abc/hello/xyz:latest
        if !hostname.contains('.') && full_name.chars().filter(|x| *x == '/').count() == 1 {
            name = format!("{}/{}", hostname, name);
-            hostname = DOCKER_HUB_MIRROR.to_string();
+            hostname = ImageName::DOCKER_HUB_MIRROR.to_string();
        }

        let (hostname, port) = if let Some((hostname, port)) = hostname
@ -60,15 +80,54 @@ impl ImageName {
        } else {
            (hostname, None)
        };
-        let (name, reference) = name
-            .split_once(':')
-            .map(|x| (x.0.to_string(), x.1.to_string()))
-            .unwrap_or((name.to_string(), DEFAULT_IMAGE_TAG.to_string()));
+
+        let name_has_digest = if name.contains('@') {
+            let digest_start = name.chars().position(|c| c == '@');
+            let ref_start = name.chars().position(|c| c == ':');
+            if let (Some(digest_start), Some(ref_start)) = (digest_start, ref_start) {
+                digest_start < ref_start
+            } else {
+                true
+            }
+        } else {
+            false
+        };
+
+        let (name, digest) = if name_has_digest {
+            name.split_once('@')
+                .map(|(name, digest)| (name.to_string(), Some(digest.to_string())))
+                .unwrap_or_else(|| (name, None))
+        } else {
+            (name, None)
+        };
+
+        let (name, reference) = if name.contains(':') {
+            name.split_once(':')
+                .map(|(name, reference)| (name.to_string(), Some(reference.to_string())))
+                .unwrap_or((name, None))
+        } else {
+            (name, None)
+        };
+
+        let (reference, digest) = if let Some(reference) = reference {
+            if let Some(digest) = digest {
+                (Some(reference), Some(digest))
+            } else {
+                reference
+                    .split_once('@')
+                    .map(|(reff, digest)| (Some(reff.to_string()), Some(digest.to_string())))
+                    .unwrap_or_else(|| (Some(reference), None))
+            }
+        } else {
+            (None, digest)
+        };
+
        Ok(ImageName {
            hostname,
            port,
            name,
            reference,
+            digest,
        })
    }

--- a/crates/oci/src/packer/backend.rs
+++ b/crates/oci/src/packer/backend.rs
@ -1,18 +1,22 @@
-use std::{path::Path, process::Stdio, sync::Arc};
+use std::{os::unix::fs::MetadataExt, path::Path, process::Stdio, sync::Arc};

 use super::OciPackedFormat;
-use crate::{
-    progress::{OciBoundProgress, OciProgressPhase},
-    vfs::VfsTree,
-};
+use crate::{progress::OciBoundProgress, vfs::VfsTree};
 use anyhow::{anyhow, Result};
 use log::warn;
-use tokio::{pin, process::Command, select};
+use tokio::{
+    fs::{self, File},
+    io::BufWriter,
+    pin,
+    process::{Child, Command},
+    select,
+};

 #[derive(Debug, Clone, Copy)]
 pub enum OciPackerBackendType {
    MkSquashfs,
    MkfsErofs,
+    Tar,
 }

 impl OciPackerBackendType {
@ -20,6 +24,7 @@ impl OciPackerBackendType {
        match self {
            OciPackerBackendType::MkSquashfs => OciPackedFormat::Squashfs,
            OciPackerBackendType::MkfsErofs => OciPackedFormat::Erofs,
+            OciPackerBackendType::Tar => OciPackedFormat::Tar,
        }
    }

@ -31,6 +36,7 @@ impl OciPackerBackendType {
            OciPackerBackendType::MkfsErofs => {
                Box::new(OciPackerMkfsErofs {}) as Box<dyn OciPackerBackend>
            }
+            OciPackerBackendType::Tar => Box::new(OciPackerTar {}) as Box<dyn OciPackerBackend>,
        }
    }
 }
@ -47,13 +53,11 @@ impl OciPackerBackend for OciPackerMkSquashfs {
    async fn pack(&self, progress: OciBoundProgress, vfs: Arc<VfsTree>, file: &Path) -> Result<()> {
        progress
            .update(|progress| {
-                progress.phase = OciProgressPhase::Packing;
-                progress.total = 1;
-                progress.value = 0;
+                progress.start_packing();
            })
            .await;

-        let mut child = Command::new("mksquashfs")
+        let child = Command::new("mksquashfs")
            .arg("-")
            .arg(file)
            .arg("-comp")
@ -63,7 +67,9 @@ impl OciPackerBackend for OciPackerMkSquashfs {
            .stderr(Stdio::null())
            .stdout(Stdio::null())
            .spawn()?;
+        let mut child = ChildProcessKillGuard(child);
        let stdin = child
+            .0
            .stdin
            .take()
            .ok_or(anyhow!("unable to acquire stdin stream"))?;
@ -74,7 +80,7 @@ impl OciPackerBackend for OciPackerMkSquashfs {
            }
            Ok(())
        }));
-        let wait = child.wait();
+        let wait = child.0.wait();
        pin!(wait);
        let status_result = loop {
            if let Some(inner) = writer.as_mut() {
@ -110,12 +116,9 @@ impl OciPackerBackend for OciPackerMkSquashfs {
                status.code().unwrap()
            ))
        } else {
+            let metadata = fs::metadata(&file).await?;
            progress
-                .update(|progress| {
-                    progress.phase = OciProgressPhase::Packing;
-                    progress.total = 1;
-                    progress.value = 1;
-                })
+                .update(|progress| progress.complete(metadata.size()))
                .await;
            Ok(())
        }
@ -126,32 +129,32 @@ pub struct OciPackerMkfsErofs {}

 #[async_trait::async_trait]
 impl OciPackerBackend for OciPackerMkfsErofs {
-    async fn pack(&self, progress: OciBoundProgress, vfs: Arc<VfsTree>, path: &Path) -> Result<()> {
+    async fn pack(&self, progress: OciBoundProgress, vfs: Arc<VfsTree>, file: &Path) -> Result<()> {
        progress
            .update(|progress| {
-                progress.phase = OciProgressPhase::Packing;
-                progress.total = 1;
-                progress.value = 0;
+                progress.start_packing();
            })
            .await;

-        let mut child = Command::new("mkfs.erofs")
+        let child = Command::new("mkfs.erofs")
            .arg("-L")
            .arg("root")
            .arg("--tar=-")
-            .arg(path)
+            .arg(file)
            .stdin(Stdio::piped())
            .stderr(Stdio::null())
            .stdout(Stdio::null())
            .spawn()?;
+        let mut child = ChildProcessKillGuard(child);
        let stdin = child
+            .0
            .stdin
            .take()
            .ok_or(anyhow!("unable to acquire stdin stream"))?;
        let mut writer = Some(tokio::task::spawn(
            async move { vfs.write_to_tar(stdin).await },
        ));
-        let wait = child.wait();
+        let wait = child.0.wait();
        pin!(wait);
        let status_result = loop {
            if let Some(inner) = writer.as_mut() {
@ -188,14 +191,46 @@ impl OciPackerBackend for OciPackerMkfsErofs {
                status.code().unwrap()
            ))
        } else {
+            let metadata = fs::metadata(&file).await?;
            progress
                .update(|progress| {
-                    progress.phase = OciProgressPhase::Packing;
-                    progress.total = 1;
-                    progress.value = 1;
+                    progress.complete(metadata.size());
                })
                .await;
            Ok(())
        }
    }
 }
+
+pub struct OciPackerTar {}
+
+#[async_trait::async_trait]
+impl OciPackerBackend for OciPackerTar {
+    async fn pack(&self, progress: OciBoundProgress, vfs: Arc<VfsTree>, file: &Path) -> Result<()> {
+        progress
+            .update(|progress| {
+                progress.start_packing();
+            })
+            .await;
+
+        let output = File::create(file).await?;
+        let output = BufWriter::new(output);
+        vfs.write_to_tar(output).await?;
+
+        let metadata = fs::metadata(file).await?;
+        progress
+            .update(|progress| {
+                progress.complete(metadata.size());
+            })
+            .await;
+        Ok(())
+    }
+}
+
+struct ChildProcessKillGuard(Child);
+
+impl Drop for ChildProcessKillGuard {
+    fn drop(&mut self) {
+        let _ = self.0.start_kill();
+    }
+}
--- a/crates/oci/src/packer/cache.rs
+++ b/crates/oci/src/packer/cache.rs
@ -1,66 +1,167 @@
-use crate::packer::{OciImagePacked, OciPackedFormat};
+use crate::{
+    name::ImageName,
+    packer::{OciPackedFormat, OciPackedImage},
+    schema::OciSchema,
+};

+use crate::fetch::OciResolvedImage;
 use anyhow::Result;
-use log::debug;
-use oci_spec::image::{ImageConfiguration, ImageManifest};
-use std::path::{Path, PathBuf};
-use tokio::fs;
+use log::{debug, error};
+use oci_spec::image::{
+    Descriptor, ImageConfiguration, ImageIndex, ImageIndexBuilder, ImageManifest, MediaType,
+    ANNOTATION_REF_NAME,
+};
+use std::{
+    path::{Path, PathBuf},
+    sync::Arc,
+};
+use tokio::{fs, sync::RwLock};

 #[derive(Clone)]
 pub struct OciPackerCache {
    cache_dir: PathBuf,
+    index: Arc<RwLock<ImageIndex>>,
 }

+const ANNOTATION_IMAGE_NAME: &str = "io.containerd.image.name";
+const ANNOTATION_OCI_PACKER_FORMAT: &str = "dev.krata.oci.packer.format";
+
 impl OciPackerCache {
-    pub fn new(cache_dir: &Path) -> Result<OciPackerCache> {
-        Ok(OciPackerCache {
+    pub async fn new(cache_dir: &Path) -> Result<OciPackerCache> {
+        let index = ImageIndexBuilder::default()
+            .schema_version(2u32)
+            .media_type(MediaType::ImageIndex)
+            .manifests(Vec::new())
+            .build()?;
+        let cache = OciPackerCache {
            cache_dir: cache_dir.to_path_buf(),
-        })
+            index: Arc::new(RwLock::new(index)),
+        };
+
+        {
+            let mut mutex = cache.index.write().await;
+            *mutex = cache.load_index().await?;
+        }
+
+        Ok(cache)
+    }
+
+    pub async fn list(&self) -> Result<Vec<Descriptor>> {
+        let index = self.index.read().await;
+        Ok(index.manifests().clone())
+    }
+
+    pub async fn resolve(
+        &self,
+        name: ImageName,
+        format: OciPackedFormat,
+    ) -> Result<Option<OciResolvedImage>> {
+        if name.reference.as_deref() == Some("latest") {
+            return Ok(None);
+        }
+        let name_str = name.to_string();
+        let index = self.index.read().await;
+        let mut descriptor: Option<Descriptor> = None;
+        for manifest in index.manifests() {
+            let Some(name) = manifest
+                .annotations()
+                .clone()
+                .unwrap_or_default()
+                .get(ANNOTATION_IMAGE_NAME)
+                .cloned()
+            else {
+                continue;
+            };
+
+            if name == name_str {
+                descriptor = Some(manifest.clone());
+            }
+        }
+
+        let Some(descriptor) = descriptor else {
+            return Ok(None);
+        };
+
+        debug!("resolve hit name={} digest={}", name, descriptor.digest());
+
+        self.recall(name, descriptor.digest().as_ref(), format)
+            .await
+            .map(|image| {
+                image.map(|i| OciResolvedImage {
+                    name: i.name,
+                    digest: i.digest,
+                    descriptor: i.descriptor,
+                    manifest: i.manifest,
+                })
+            })
    }

    pub async fn recall(
        &self,
+        name: ImageName,
        digest: &str,
        format: OciPackedFormat,
-    ) -> Result<Option<OciImagePacked>> {
+    ) -> Result<Option<OciPackedImage>> {
+        let index = self.index.read().await;
+
+        let mut descriptor: Option<Descriptor> = None;
+        for manifest in index.manifests() {
+            if manifest.digest() == digest
+                && manifest
+                    .annotations()
+                    .as_ref()
+                    .and_then(|x| x.get(ANNOTATION_OCI_PACKER_FORMAT))
+                    .map(|x| x.as_str())
+                    == Some(format.extension())
+            {
+                descriptor = Some(manifest.clone());
+                break;
+            }
+        }
+
+        let Some(descriptor) = descriptor else {
+            return Ok(None);
+        };
+
        let mut fs_path = self.cache_dir.clone();
        let mut config_path = self.cache_dir.clone();
        let mut manifest_path = self.cache_dir.clone();
        fs_path.push(format!("{}.{}", digest, format.extension()));
        manifest_path.push(format!("{}.manifest.json", digest));
        config_path.push(format!("{}.config.json", digest));
-        Ok(
-            if fs_path.exists() && manifest_path.exists() && config_path.exists() {
-                let image_metadata = fs::metadata(&fs_path).await?;
-                let manifest_metadata = fs::metadata(&manifest_path).await?;
-                let config_metadata = fs::metadata(&config_path).await?;
-                if image_metadata.is_file()
-                    && manifest_metadata.is_file()
-                    && config_metadata.is_file()
-                {
-                    let manifest_text = fs::read_to_string(&manifest_path).await?;
-                    let manifest: ImageManifest = serde_json::from_str(&manifest_text)?;
-                    let config_text = fs::read_to_string(&config_path).await?;
-                    let config: ImageConfiguration = serde_json::from_str(&config_text)?;
-                    debug!("cache hit digest={}", digest);
-                    Some(OciImagePacked::new(
-                        digest.to_string(),
-                        fs_path.clone(),
-                        format,
-                        config,
-                        manifest,
-                    ))
-                } else {
-                    None
-                }
+
+        if fs_path.exists() && manifest_path.exists() && config_path.exists() {
+            let image_metadata = fs::metadata(&fs_path).await?;
+            let manifest_metadata = fs::metadata(&manifest_path).await?;
+            let config_metadata = fs::metadata(&config_path).await?;
+            if image_metadata.is_file() && manifest_metadata.is_file() && config_metadata.is_file()
+            {
+                let manifest_bytes = fs::read(&manifest_path).await?;
+                let manifest: ImageManifest = serde_json::from_slice(&manifest_bytes)?;
+                let config_bytes = fs::read(&config_path).await?;
+                let config: ImageConfiguration = serde_json::from_slice(&config_bytes)?;
+                debug!("cache hit digest={}", digest);
+                Ok(Some(OciPackedImage::new(
+                    name,
+                    digest.to_string(),
+                    fs_path.clone(),
+                    format,
+                    descriptor,
+                    OciSchema::new(config_bytes, config),
+                    OciSchema::new(manifest_bytes, manifest),
+                )))
            } else {
-                debug!("cache miss digest={}", digest);
-                None
-            },
-        )
+                Ok(None)
+            }
+        } else {
+            debug!("cache miss digest={}", digest);
+            Ok(None)
+        }
    }

-    pub async fn store(&self, packed: OciImagePacked) -> Result<OciImagePacked> {
+    pub async fn store(&self, packed: OciPackedImage) -> Result<OciPackedImage> {
+        let mut index = self.index.write().await;
+        let mut manifests = index.manifests().clone();
        debug!("cache store digest={}", packed.digest);
        let mut fs_path = self.cache_dir.clone();
        let mut manifest_path = self.cache_dir.clone();
@ -68,17 +169,98 @@ impl OciPackerCache {
        fs_path.push(format!("{}.{}", packed.digest, packed.format.extension()));
        manifest_path.push(format!("{}.manifest.json", packed.digest));
        config_path.push(format!("{}.config.json", packed.digest));
-        fs::copy(&packed.path, &fs_path).await?;
-        let manifest_text = serde_json::to_string_pretty(&packed.manifest)?;
-        fs::write(&manifest_path, manifest_text).await?;
-        let config_text = serde_json::to_string_pretty(&packed.config)?;
-        fs::write(&config_path, config_text).await?;
-        Ok(OciImagePacked::new(
+        if fs::rename(&packed.path, &fs_path).await.is_err() {
+            fs::copy(&packed.path, &fs_path).await?;
+            fs::remove_file(&packed.path).await?;
+        }
+        fs::write(&config_path, packed.config.raw()).await?;
+        fs::write(&manifest_path, packed.manifest.raw()).await?;
+        manifests.retain(|item| {
+            if item.digest() != &packed.digest {
+                return true;
+            }
+
+            let Some(format) = item
+                .annotations()
+                .as_ref()
+                .and_then(|x| x.get(ANNOTATION_OCI_PACKER_FORMAT))
+                .map(|x| x.as_str())
+            else {
+                return true;
+            };
+
+            if format != packed.format.extension() {
+                return true;
+            }
+
+            false
+        });
+
+        let mut descriptor = packed.descriptor.clone();
+        let mut annotations = descriptor.annotations().clone().unwrap_or_default();
+        annotations.insert(
+            ANNOTATION_OCI_PACKER_FORMAT.to_string(),
+            packed.format.extension().to_string(),
+        );
+        let image_name = packed.name.to_string();
+        annotations.insert(ANNOTATION_IMAGE_NAME.to_string(), image_name);
+        let image_ref = packed.name.reference.clone();
+        if let Some(image_ref) = image_ref {
+            annotations.insert(ANNOTATION_REF_NAME.to_string(), image_ref);
+        }
+        descriptor.set_annotations(Some(annotations));
+        manifests.push(descriptor.clone());
+        index.set_manifests(manifests);
+        self.save_index(&index).await?;
+
+        let packed = OciPackedImage::new(
+            packed.name,
            packed.digest,
            fs_path.clone(),
            packed.format,
+            descriptor,
            packed.config,
            packed.manifest,
-        ))
+        );
+        Ok(packed)
+    }
+
+    async fn save_empty_index(&self) -> Result<ImageIndex> {
+        let index = ImageIndexBuilder::default()
+            .schema_version(2u32)
+            .media_type(MediaType::ImageIndex)
+            .manifests(Vec::new())
+            .build()?;
+        self.save_index(&index).await?;
+        Ok(index)
+    }
+
+    async fn load_index(&self) -> Result<ImageIndex> {
+        let mut index_path = self.cache_dir.clone();
+        index_path.push("index.json");
+
+        if !index_path.exists() {
+            self.save_empty_index().await?;
+        }
+
+        let content = fs::read_to_string(&index_path).await?;
+        let index = match serde_json::from_str::<ImageIndex>(&content) {
+            Ok(index) => index,
+            Err(error) => {
+                error!("image index was corrupted, creating a new one: {}", error);
+                self.save_empty_index().await?
+            }
+        };
+
+        Ok(index)
+    }
+
+    async fn save_index(&self, index: &ImageIndex) -> Result<()> {
+        let mut encoded = serde_json::to_string_pretty(index)?;
+        encoded.push('\n');
+        let mut index_path = self.cache_dir.clone();
+        index_path.push("index.json");
+        fs::write(&index_path, encoded).await?;
+        Ok(())
    }
 }
--- a/crates/oci/src/packer/mod.rs
+++ b/crates/oci/src/packer/mod.rs
@ -1,17 +1,20 @@
 use std::path::PathBuf;

+use crate::{name::ImageName, schema::OciSchema};
+
 use self::backend::OciPackerBackendType;
-use oci_spec::image::{ImageConfiguration, ImageManifest};
+use oci_spec::image::{Descriptor, ImageConfiguration, ImageManifest};

 pub mod backend;
 pub mod cache;
 pub mod service;

-#[derive(Debug, Default, Clone, Copy)]
+#[derive(Debug, Default, Clone, Copy, Eq, PartialEq, Hash)]
 pub enum OciPackedFormat {
    #[default]
    Squashfs,
    Erofs,
+    Tar,
 }

 impl OciPackedFormat {
@ -19,6 +22,7 @@ impl OciPackedFormat {
        match self {
            OciPackedFormat::Squashfs => "squashfs",
            OciPackedFormat::Erofs => "erofs",
+            OciPackedFormat::Tar => "tar",
        }
    }

@ -26,31 +30,38 @@ impl OciPackedFormat {
        match self {
            OciPackedFormat::Squashfs => OciPackerBackendType::MkSquashfs,
            OciPackedFormat::Erofs => OciPackerBackendType::MkfsErofs,
+            OciPackedFormat::Tar => OciPackerBackendType::Tar,
        }
    }
 }

 #[derive(Clone)]
-pub struct OciImagePacked {
+pub struct OciPackedImage {
+    pub name: ImageName,
    pub digest: String,
    pub path: PathBuf,
    pub format: OciPackedFormat,
-    pub config: ImageConfiguration,
-    pub manifest: ImageManifest,
+    pub descriptor: Descriptor,
+    pub config: OciSchema<ImageConfiguration>,
+    pub manifest: OciSchema<ImageManifest>,
 }

-impl OciImagePacked {
+impl OciPackedImage {
    pub fn new(
+        name: ImageName,
        digest: String,
        path: PathBuf,
        format: OciPackedFormat,
-        config: ImageConfiguration,
-        manifest: ImageManifest,
-    ) -> OciImagePacked {
-        OciImagePacked {
+        descriptor: Descriptor,
+        config: OciSchema<ImageConfiguration>,
+        manifest: OciSchema<ImageManifest>,
+    ) -> OciPackedImage {
+        OciPackedImage {
+            name,
            digest,
            path,
            format,
+            descriptor,
            config,
            manifest,
        }
--- a/crates/oci/src/packer/service.rs
+++ b/crates/oci/src/packer/service.rs
@ -1,58 +1,211 @@
-use std::path::{Path, PathBuf};
+use std::{
+    collections::{hash_map::Entry, HashMap},
+    fmt::Display,
+    path::{Path, PathBuf},
+    sync::Arc,
+};

 use anyhow::{anyhow, Result};
+use oci_spec::image::Descriptor;
+use tokio::{
+    sync::{watch, Mutex},
+    task::JoinHandle,
+};

 use crate::{
    assemble::OciImageAssembler,
-    fetch::OciImageFetcher,
+    fetch::{OciImageFetcher, OciResolvedImage},
    name::ImageName,
    progress::{OciBoundProgress, OciProgress, OciProgressContext},
    registry::OciPlatform,
 };

-use super::{cache::OciPackerCache, OciImagePacked, OciPackedFormat};
+use log::{error, info, warn};
+
+use super::{cache::OciPackerCache, OciPackedFormat, OciPackedImage};
+
+pub struct OciPackerTask {
+    progress: OciBoundProgress,
+    watch: watch::Sender<Option<Result<OciPackedImage>>>,
+    task: JoinHandle<()>,
+}

 #[derive(Clone)]
 pub struct OciPackerService {
    seed: Option<PathBuf>,
    platform: OciPlatform,
    cache: OciPackerCache,
+    tasks: Arc<Mutex<HashMap<OciPackerTaskKey, OciPackerTask>>>,
 }

 impl OciPackerService {
-    pub fn new(
+    pub async fn new(
        seed: Option<PathBuf>,
        cache_dir: &Path,
        platform: OciPlatform,
    ) -> Result<OciPackerService> {
        Ok(OciPackerService {
            seed,
-            cache: OciPackerCache::new(cache_dir)?,
+            cache: OciPackerCache::new(cache_dir).await?,
            platform,
+            tasks: Arc::new(Mutex::new(HashMap::new())),
        })
    }

+    pub async fn list(&self) -> Result<Vec<Descriptor>> {
+        self.cache.list().await
+    }
+
    pub async fn recall(
        &self,
        digest: &str,
        format: OciPackedFormat,
-    ) -> Result<Option<OciImagePacked>> {
-        self.cache.recall(digest, format).await
+    ) -> Result<Option<OciPackedImage>> {
+        if digest.contains('/') || digest.contains('\\') || digest.contains("..") {
+            return Ok(None);
+        }
+
+        self.cache
+            .recall(ImageName::parse("cached:latest")?, digest, format)
+            .await
    }

    pub async fn request(
        &self,
        name: ImageName,
        format: OciPackedFormat,
+        overwrite: bool,
+        pull: bool,
        progress_context: OciProgressContext,
-    ) -> Result<OciImagePacked> {
+    ) -> Result<OciPackedImage> {
        let progress = OciProgress::new();
        let progress = OciBoundProgress::new(progress_context.clone(), progress);
+        let mut resolved = None;
+        if !pull && !overwrite {
+            resolved = self.cache.resolve(name.clone(), format).await?;
+        }
        let fetcher =
            OciImageFetcher::new(self.seed.clone(), self.platform.clone(), progress.clone());
-        let resolved = fetcher.resolve(name).await?;
-        if let Some(cached) = self.cache.recall(&resolved.digest, format).await? {
-            return Ok(cached);
+        let resolved = if let Some(resolved) = resolved {
+            resolved
+        } else {
+            fetcher.resolve(name.clone()).await?
+        };
+
+        let key = OciPackerTaskKey {
+            digest: resolved.digest.clone(),
+            format,
+        };
+        let (progress_copy_task, mut receiver) = match self.tasks.lock().await.entry(key.clone()) {
+            Entry::Occupied(entry) => {
+                let entry = entry.get();
+                (
+                    Some(entry.progress.also_update(progress_context).await),
+                    entry.watch.subscribe(),
+                )
+            }
+
+            Entry::Vacant(entry) => {
+                let task = self
+                    .clone()
+                    .launch(
+                        name,
+                        key.clone(),
+                        format,
+                        overwrite,
+                        resolved,
+                        fetcher,
+                        progress.clone(),
+                    )
+                    .await;
+                let (watch, receiver) = watch::channel(None);
+
+                let task = OciPackerTask {
+                    progress: progress.clone(),
+                    task,
+                    watch,
+                };
+                entry.insert(task);
+                (None, receiver)
+            }
+        };
+
+        let _progress_task_guard = scopeguard::guard(progress_copy_task, |task| {
+            if let Some(task) = task {
+                task.abort();
+            }
+        });
+
+        let _task_cancel_guard = scopeguard::guard(self.clone(), |service| {
+            service.maybe_cancel_task(key);
+        });
+
+        loop {
+            receiver.changed().await?;
+            let current = receiver.borrow_and_update();
+            if current.is_some() {
+                return current
+                    .as_ref()
+                    .map(|x| x.as_ref().map_err(|err| anyhow!("{}", err)).cloned())
+                    .unwrap();
+            }
+        }
+    }
+
+    #[allow(clippy::too_many_arguments)]
+    async fn launch(
+        self,
+        name: ImageName,
+        key: OciPackerTaskKey,
+        format: OciPackedFormat,
+        overwrite: bool,
+        resolved: OciResolvedImage,
+        fetcher: OciImageFetcher,
+        progress: OciBoundProgress,
+    ) -> JoinHandle<()> {
+        info!("started packer task {}", key);
+        tokio::task::spawn(async move {
+            let _task_drop_guard =
+                scopeguard::guard((key.clone(), self.clone()), |(key, service)| {
+                    service.ensure_task_gone(key);
+                });
+            if let Err(error) = self
+                .task(
+                    name,
+                    key.clone(),
+                    format,
+                    overwrite,
+                    resolved,
+                    fetcher,
+                    progress,
+                )
+                .await
+            {
+                self.finish(&key, Err(error)).await;
+            }
+        })
+    }
+
+    #[allow(clippy::too_many_arguments)]
+    async fn task(
+        &self,
+        name: ImageName,
+        key: OciPackerTaskKey,
+        format: OciPackedFormat,
+        overwrite: bool,
+        resolved: OciResolvedImage,
+        fetcher: OciImageFetcher,
+        progress: OciBoundProgress,
+    ) -> Result<()> {
+        if !overwrite {
+            if let Some(cached) = self
+                .cache
+                .recall(name.clone(), &resolved.digest, format)
+                .await?
+            {
+                self.finish(&key, Ok(cached)).await;
+                return Ok(());
+            }
        }
        let assembler =
            OciImageAssembler::new(fetcher, resolved, progress.clone(), None, None).await?;
@ -67,15 +220,69 @@ impl OciPackerService {
        packer
            .pack(progress, assembled.vfs.clone(), &target)
            .await?;
-
-        let packed = OciImagePacked::new(
+        let packed = OciPackedImage::new(
+            name,
            assembled.digest.clone(),
            file,
            format,
+            assembled.descriptor.clone(),
            assembled.config.clone(),
            assembled.manifest.clone(),
        );
        let packed = self.cache.store(packed).await?;
-        Ok(packed)
+        self.finish(&key, Ok(packed)).await;
+        Ok(())
+    }
+
+    async fn finish(&self, key: &OciPackerTaskKey, result: Result<OciPackedImage>) {
+        let Some(task) = self.tasks.lock().await.remove(key) else {
+            error!("packer task {} was not found when task completed", key);
+            return;
+        };
+
+        match result.as_ref() {
+            Ok(_) => {
+                info!("completed packer task {}", key);
+            }
+
+            Err(err) => {
+                warn!("packer task {} failed: {}", key, err);
+            }
+        }
+
+        task.watch.send_replace(Some(result));
+    }
+
+    fn maybe_cancel_task(self, key: OciPackerTaskKey) {
+        tokio::task::spawn(async move {
+            let tasks = self.tasks.lock().await;
+            if let Some(task) = tasks.get(&key) {
+                if task.watch.is_closed() {
+                    task.task.abort();
+                }
+            }
+        });
+    }
+
+    fn ensure_task_gone(self, key: OciPackerTaskKey) {
+        tokio::task::spawn(async move {
+            let mut tasks = self.tasks.lock().await;
+            if let Some(task) = tasks.remove(&key) {
+                warn!("aborted packer task {}", key);
+                task.watch.send_replace(Some(Err(anyhow!("task aborted"))));
+            }
+        });
+    }
+}
+
+#[derive(Debug, Clone, Eq, PartialEq, Hash)]
+struct OciPackerTaskKey {
+    digest: String,
+    format: OciPackedFormat,
+}
+
+impl Display for OciPackerTaskKey {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_fmt(format_args!("{}:{}", self.digest, self.format.extension()))
    }
 }
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`include!(concat!(env!("OUT_DIR"), "/krata.idm.transport.rs"));`