diff --git a/images/libvirt/install-libvirt.sh b/images/libvirt/install-libvirt.sh
index 13967be78f..53ccb50d2c 100755
--- a/images/libvirt/install-libvirt.sh
+++ b/images/libvirt/install-libvirt.sh
@@ -18,7 +18,7 @@ usage() { cat < Configuration file.\n" - " -V | --version Display version information.\n" - " -p | --pid-file Change name of PID file.\n" -+ " -A | --no-admin-srv Disable admin server startup.\n" - "\n" - "libvirt log management daemon:\n"), argv0); - -@@ -610,6 +611,8 @@ int main(int argc, char **argv) { - virLogDaemonConfig *config = NULL; - int rv; - -+ bool no_admin_srv = false; -+ - struct option opts[] = { - { "verbose", no_argument, &verbose, 'v' }, - { "daemon", no_argument, &godaemon, 'd' }, -@@ -618,6 +621,7 @@ int main(int argc, char **argv) { - { "pid-file", required_argument, NULL, 'p' }, - { "version", no_argument, NULL, 'V' }, - { "help", no_argument, NULL, 'h' }, -+ { "no-admin-srv", no_argument, NULL,'A' }, - { 0, 0, 0, 0 }, - }; - -@@ -634,7 +638,7 @@ int main(int argc, char **argv) { - int c; - char *tmp; - -- c = getopt_long(argc, argv, "df:p:t:vVh", opts, &optidx); -+ c = getopt_long(argc, argv, "df:p:t:vVhA", opts, &optidx); - - if (c == -1) - break; -@@ -678,6 +682,10 @@ int main(int argc, char **argv) { - virLogDaemonUsage(argv[0], privileged); - exit(EXIT_SUCCESS); - -+ case 'A': -+ no_admin_srv = true; -+ break; -+ - case '?': - default: - virLogDaemonUsage(argv[0], privileged); -@@ -732,16 +740,18 @@ int main(int argc, char **argv) { - VIR_DEBUG("Decided on pid file path '%s'", NULLSTR(pid_file)); - - if (virDaemonUnixSocketPaths("virtlogd", -- privileged, -- NULL, -- &sock_file, -- NULL, -- &admin_sock_file) < 0) { -+ privileged, -+ NULL, -+ &sock_file, -+ NULL, -+ no_admin_srv ? 
NULL : &admin_sock_file) < 0) { - VIR_ERROR(_("Can't determine socket paths")); - exit(EXIT_FAILURE); - } -- VIR_DEBUG("Decided on socket paths '%s' and '%s'", -- sock_file, admin_sock_file); -+ VIR_DEBUG("Decided on socket path '%s'", sock_file); -+ if (!no_admin_srv) { -+ VIR_DEBUG("Decided on socket path '%s'", admin_sock_file); -+ } - - if (virLogDaemonExecRestartStatePath(privileged, - &state_file) < 0) { -@@ -819,7 +829,6 @@ int main(int argc, char **argv) { - } - - logSrv = virNetDaemonGetServer(logDaemon->dmn, "virtlogd"); -- adminSrv = virNetDaemonGetServer(logDaemon->dmn, "admin"); - - if (virNetServerAddServiceUNIX(logSrv, - act, "virtlogd.socket", -@@ -829,13 +838,16 @@ int main(int argc, char **argv) { - ret = VIR_DAEMON_ERR_NETWORK; - goto cleanup; - } -- if (virNetServerAddServiceUNIX(adminSrv, -- act, "virtlogd-admin.socket", -- admin_sock_file, 0700, 0, 0, -- NULL, -- false, 0, 1) < 0) { -- ret = VIR_DAEMON_ERR_NETWORK; -- goto cleanup; -+ if (!no_admin_srv) { -+ adminSrv = virNetDaemonGetServer(logDaemon->dmn, "admin"); -+ if (virNetServerAddServiceUNIX(adminSrv, -+ act, "virtlogd-admin.socket", -+ admin_sock_file, 0700, 0, 0, -+ NULL, -+ false, 0, 1) < 0) { -+ ret = VIR_DAEMON_ERR_NETWORK; -+ goto cleanup; -+ } - } - - if (act && -@@ -847,7 +859,7 @@ int main(int argc, char **argv) { - logSrv = virNetDaemonGetServer(logDaemon->dmn, "virtlogd"); - /* If exec-restarting from old virtlogd, we won't have an - * admin server present */ -- if (virNetDaemonHasServer(logDaemon->dmn, "admin")) -+ if (!no_admin_srv && virNetDaemonHasServer(logDaemon->dmn, "admin")) - adminSrv = virNetDaemonGetServer(logDaemon->dmn, "admin"); - } - -@@ -873,7 +885,7 @@ int main(int argc, char **argv) { - goto cleanup; - } - -- if (adminSrv != NULL) { -+ if (!no_admin_srv && adminSrv != NULL) { - if (!(adminProgram = virNetServerProgramNew(ADMIN_PROGRAM, - ADMIN_PROTOCOL_VERSION, - adminProcs, -diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c -index 
9e82132654..522aad2177 100644 ---- a/src/remote/remote_daemon.c -+++ b/src/remote/remote_daemon.c -@@ -722,6 +722,8 @@ daemonUsage(const char *argv0, bool privileged) - { "-f | --config ", N_("Configuration file") }, - { "-V | --version", N_("Display version information") }, - { "-p | --pid-file ", N_("Change name of PID file") }, -+ { "-A | --no-admin-srv", N_("Disable admin server startup")}, -+ { "-R | --no-ro-srv", N_("Disable read-only server startup")}, - }; - - fprintf(stderr, "\n"); -@@ -806,6 +808,9 @@ int main(int argc, char **argv) { - bool implicit_conf = false; - char *run_dir = NULL; - mode_t old_umask; -+ -+ bool no_admin_srv = false; -+ bool no_ro_srv = false; - - struct option opts[] = { - { "verbose", no_argument, &verbose, 'v' }, -@@ -818,6 +823,8 @@ int main(int argc, char **argv) { - { "pid-file", required_argument, NULL, 'p' }, - { "version", no_argument, NULL, 'V' }, - { "help", no_argument, NULL, 'h' }, -+ {"no-admin-srv", no_argument, NULL, 'A'}, -+ {"no-ro-srv", no_argument, NULL, 'R'}, - { 0, 0, 0, 0 }, - }; - -@@ -834,9 +841,9 @@ int main(int argc, char **argv) { - int c; - char *tmp; - #if defined(WITH_IP) && defined(LIBVIRTD) -- const char *optstr = "ldf:p:t:vVh"; -+ const char *optstr = "ldf:p:t:vVhAR"; - #else /* !(WITH_IP && LIBVIRTD) */ -- const char *optstr = "df:p:t:vVh"; -+ const char *optstr = "df:p:t:vVhAR"; - #endif /* !(WITH_IP && LIBVIRTD) */ - - c = getopt_long(argc, argv, optstr, opts, &optidx); -@@ -889,6 +896,14 @@ int main(int argc, char **argv) { - daemonUsage(argv[0], privileged); - exit(EXIT_SUCCESS); - -+ case 'A': -+ no_admin_srv = true; -+ break; -+ -+ case 'R': -+ no_ro_srv = true; -+ break; -+ - case '?': - default: - daemonUsage(argv[0], privileged); -@@ -966,15 +981,18 @@ int main(int argc, char **argv) { - privileged, - config->unix_sock_dir, - &sock_file, -- &sock_file_ro, -- &sock_file_adm) < 0) { -+ no_ro_srv ? NULL : &sock_file_ro, -+ no_admin_srv ? 
NULL : &sock_file_adm) < 0) { - VIR_ERROR(_("Can't determine socket paths")); - exit(EXIT_FAILURE); - } -- VIR_DEBUG("Decided on socket paths '%s', '%s' and '%s'", -- sock_file, -- NULLSTR(sock_file_ro), -- NULLSTR(sock_file_adm)); -+ VIR_DEBUG("Decided on socket path '%s'", sock_file); -+ if (!no_ro_srv) { -+ VIR_DEBUG("Decided on socket path '%s'", NULLSTR(sock_file_ro)); -+ } -+ if (!no_admin_srv) { -+ VIR_DEBUG("Decided on socket path '%s'", NULLSTR(sock_file_adm)); -+ } - - if (godaemon) { - if (chdir("/") < 0) { -@@ -1172,8 +1190,8 @@ int main(int argc, char **argv) { - privileged, - #endif /* !WITH_IP */ - sock_file, -- sock_file_ro, -- sock_file_adm) < 0) { -+ no_ro_srv ? NULL : sock_file_ro, -+ no_admin_srv ? NULL : sock_file_adm) < 0) { - ret = VIR_DAEMON_ERR_NETWORK; - goto cleanup; - } diff --git a/images/libvirt/patches/001-podsadsadsapa.patch b/images/libvirt/patches/001-podsadsadsapa.patch new file mode 100644 index 0000000000..f1acce9bea --- /dev/null +++ b/images/libvirt/patches/001-podsadsadsapa.patch 
@@ -0,0 +1,47 @@
+diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
+index 9e82132654..fcc7514169 100644
+--- a/src/remote/remote_daemon.c
++++ b/src/remote/remote_daemon.c
+@@ -628,24 +628,24 @@ static void daemonRunStateInit(void *opaque)
+
+ /* Tie the non-privileged daemons to the session/shutdown lifecycle */
+ if (!virNetDaemonIsPrivileged(dmn)) {
+-
+- sessionBus = virGDBusGetSessionBus();
+- if (sessionBus != NULL)
+- g_dbus_connection_add_filter(sessionBus,
+- handleSessionMessageFunc, dmn, NULL);
+-
+- systemBus = virGDBusGetSystemBus();
+- if (systemBus != NULL)
+- g_dbus_connection_signal_subscribe(systemBus,
+- "org.freedesktop.login1",
+- "org.freedesktop.login1.Manager",
+- "PrepareForShutdown",
+- NULL,
+- NULL,
+- G_DBUS_SIGNAL_FLAGS_NONE,
+- handleSystemMessageFunc,
+- dmn,
+- NULL);
++ if (FALSE) {
++ sessionBus = virGDBusGetSessionBus();
++ if (sessionBus != NULL)
++ g_dbus_connection_add_filter(sessionBus,
++ handleSessionMessageFunc, dmn, NULL);
++ systemBus = virGDBusGetSystemBus();
++ if (systemBus != NULL)
++ g_dbus_connection_signal_subscribe(systemBus,
++ "org.freedesktop.login1",
++ "org.freedesktop.login1.Manager",
++ "PrepareForShutdown",
++ NULL,
++ NULL,
++ G_DBUS_SIGNAL_FLAGS_NONE,
++ handleSystemMessageFunc,
++ dmn,
++ NULL);
++ }
+ }
+
+ /* Only now accept clients from network */
diff --git a/images/libvirt/patches/002-treat-getpeercon-eintval-as-success.patch b/images/libvirt/patches/002-treat-getpeercon-eintval-as-success.patch
deleted file mode 100644
index 2ab6ba1700..0000000000
--- a/images/libvirt/patches/002-treat-getpeercon-eintval-as-success.patch
+++ /dev/null
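Review bot: Wrapping the session-bus filter and the login1 `PrepareForShutdown` subscription in `if (FALSE)` leaves the whole block as dead code in the new file 001-podsadsadsapa.patch, with no record of why a non-privileged daemon built from this image must stop following the session/shutdown lifecycle. The runtime effect is that the daemon no longer reacts to the shutdown signal and runs until its supervisor kills it, which should be a deliberate, documented decision rather than something hidden behind a constant-false condition. Prefer deleting the block outright and leaving a comment in its place, e.g. `/* session/system bus lifecycle hooks removed for the container build — presumably no D-Bus in the pod; lifecycle is owned by the container runtime. TODO confirm */`, and give the patch file a name that describes the change. daemonRunStateInit starts and ends outside the hunk.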
@@ -1,18 +0,0 @@
-diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
-index e8fc2d5f7d..472bd8debf 100644
---- a/src/rpc/virnetsocket.c
-+++ b/src/rpc/virnetsocket.c
-@@ -1556,6 +1556,13 @@ int virNetSocketGetSELinuxContext(virNetSocket *sock,
-
- virObjectLock(sock);
- if (getpeercon(sock->fd, &seccon) < 0) {
-+ // getpeercon from libselinux uses getsockopt() syscall. Some implementations of getsockopts
-+ // returns EINVAL errno for unsupported valopt argument instead of ENOPROTOOPT errno.
-+ // This fix makes libvirt works with such broken implementations.
-+ if (errno == EINVAL) {
-+ ret = 0;
-+ goto cleanup;
-+ }
- if (errno == ENOSYS || errno == ENOPROTOOPT) {
- ret = 0;
- goto cleanup;
diff --git a/images/virt-artifact/patches/042-test.patch b/images/virt-artifact/patches/042-test.patch
new file mode 100644
index 0000000000..6e7c08cea8
--- /dev/null
+++ b/images/virt-artifact/patches/042-test.patch
@@ -0,0 +1,29 @@
+diff --git a/cmd/virt-launcher-monitor/virt-launcher-monitor.go b/cmd/virt-launcher-monitor/virt-launcher-monitor.go
+index f2a0ed86f5..90caff4265 100644
+--- a/cmd/virt-launcher-monitor/virt-launcher-monitor.go
++++ b/cmd/virt-launcher-monitor/virt-launcher-monitor.go
+@@ -35,8 +35,8 @@ import (
+ "time"
+
+ "github.com/spf13/pflag"
+-
+ "golang.org/x/sys/unix"
++
+ "kubevirt.io/client-go/log"
+
+ "kubevirt.io/kubevirt/pkg/util"
+@@ -177,10 +177,13 @@ func RunAndMonitor(containerDiskDir, uid string) (int, error) {
+ cmd.Stdout = os.Stdout
+ cmd.Stderr = os.Stderr
+
++ log.Log.Info("11111")
++
+ if err := cmd.Start(); err != nil {
+- log.Log.Reason(err).Error("failed to run virt-launcher")
++ log.Log.Reason(err).With("cmd", cmd.String()).Error("[AAA] failed to run virt-launcher")
+ return 1, err
+ }
++ log.Log.Info("22222")
+
+ exitStatus := make(chan int, 10)
+ sigs := make(chan os.Signal, 10)
diff --git a/images/virt-artifact/werf.inc.yaml b/images/virt-artifact/werf.inc.yaml
index 10e9c3ae83..8af850c092 100644
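Review bot: `log.Log.Info("11111")` and `log.Log.Info("22222")` around `cmd.Start()` and the `[AAA]` prefix on the error message are debugging markers, and the new file name 042-test.patch says as much; a patch applied to every virt-artifact build should not carry them. If the extra failure context is the part worth keeping, reduce the change to `log.Log.Reason(err).With("cmd", cmd.String()).Error("failed to run virt-launcher")` and drop the two Info lines. Note that `cmd.String()` writes the full launcher argv into the pod log, so any argument that could ever carry a credential or token would be logged with it — worth confirming none does before keeping that field. RunAndMonitor starts and ends outside the hunk.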
--- a/images/virt-artifact/werf.inc.yaml +++ b/images/virt-artifact/werf.inc.yaml @@ -96,7 +96,8 @@ shell: - echo ============== Build virt-launcher-monitor ============ # virt-launcher-monitor is wrapped in the final image. Add suffix here to prevent image size increasing as effect of file renaming. - - go build -ldflags="-s -w" -o /kubevirt-binaries/virt-launcher-monitor ./cmd/virt-launcher-monitor/ + - CGO_ENABLED=0 go build -ldflags="-s -w" -o /kubevirt-binaries/virt-launcher-monitor ./cmd/virt-launcher-monitor/ + - setcap cap_net_bind_service=eip /kubevirt-binaries/virt-launcher-monitor - echo ============== Build virt-tail ======================== - go build -ldflags="-s -w" -o /kubevirt-binaries/virt-tail ./cmd/virt-tail/ diff --git a/images/virt-launcher/werf.inc.yaml b/images/virt-launcher/werf.inc.yaml index 76e52c943a..e82b52a0f4 100644 --- a/images/virt-launcher/werf.inc.yaml +++ b/images/virt-launcher/werf.inc.yaml @@ -9,7 +9,7 @@ import: after: install imageSpec: config: - user: 0 + user: 107 --- {{- define "virt-launcher-dependencies" -}} @@ -111,6 +111,7 @@ libs: - libtirpc-devel - libclocale - libLLVMSPIRVLib-devel + - libcap-utils packages: - acl - attr @@ -139,6 +140,12 @@ binaries: - /usr/bin/sh - /usr/bin/bash - /usr/bin/uname + - /usr/bin/ls + - /usr/bin/id + - /usr/bin/cat + - /usr/bin/namei + - /usr/bin/whoami + - /usr/bin/strace - /usr/bin/nohup - /usr/bin/sleep - /usr/bin/cp @@ -189,6 +196,7 @@ binaries: - /usr/bin/attr /usr/bin/getfattr /usr/bin/setfattr # SELinux policy core utilities - /usr/sbin/semanage /usr/bin/sestatus /usr/sbin/restorecon_xattr /usr/sbin/setfiles /usr/sbin/unsetfiles /usr/sbin/load_policy /usr/sbin/setsebool + - /usr/sbin/setcap /usr/sbin/getcap /usr/sbin/getpcaps /usr/sbin/capsh {{- end -}} {{ $virtLauncherDependencies := include "virt-launcher-dependencies" . | fromYaml }} 
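Review bot: `setcap cap_net_bind_service=eip /kubevirt-binaries/virt-launcher-monitor` grants a file capability in the build stage with no comment saying which privileged port the monitor needs now that the launcher runs as uid 107, and `=eip` also sets the inheritable bit, which is more than the binary needs to bind a low port itself; `cap_net_bind_service=ep` is the usual minimum. File capabilities are stored in the `security.capability` xattr, so the copy into the final image must preserve xattrs or the grant is silently lost and the non-root process fails only at runtime — a build-time `getcap` on the imported binary would catch that. Consider `# virt-launcher-monitor runs as non-root and must bind a privileged port (TODO name it); importing must keep xattrs` above the setcap line.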
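Review bot: The `-139,6 +140,12` and `-189,6 +196,7` hunks of images/virt-launcher/werf.inc.yaml add `/usr/bin/strace`, `/usr/sbin/capsh`, `/usr/sbin/setcap`, `/usr/sbin/getpcaps` and a set of shell utilities to the binaries shipped in the runtime virt-launcher image. These are debugging and capability-manipulation tools; in a pod that now runs as uid 107 they mainly widen what someone with a shell in the launcher container can inspect and attempt, and they grow the image, while `ls`, `id`, `cat`, `whoami` and `namei` read like a one-off troubleshooting set. Keep `libcap-utils` only if something in the image calls setcap/getcap at runtime, and either drop the rest or mark them `# debug-only: remove before release` so the intent is recorded next to the list.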
@@ -408,4 +416,4 @@ shell: mkdir -p /binaries echo 'go build -ldflags="-s -w" -o /binaries/node-labeller ./cmd/node-labeller' go build -ldflags="-s -w" -o /binaries/node-labeller ./cmd/node-labeller - echo "Done" \ No newline at end of file + echo "Done" diff --git a/templates/kubevirt/kubevirt.yaml b/templates/kubevirt/kubevirt.yaml index 2ebb481f06..d273e60c2b 100644 --- a/templates/kubevirt/kubevirt.yaml +++ b/templates/kubevirt/kubevirt.yaml @@ -40,7 +40,6 @@ spec: - GPU - Snapshot - ExpandDisks - - Root - VMLiveUpdateFeatures - CPUManager - Sidecar @@ -116,8 +115,8 @@ spec: {{- $kubeRbacProxySettings := dict }} {{- $_ := set $kubeRbacProxySettings "runAsUserNobody" true }} {{- $_ := set $kubeRbacProxySettings "upstreams" (list - (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "name" "kube-api-rewriter") - (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "name" "virt-controller") + (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "name" "kube-api-rewriter") + (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "name" "virt-controller") ) }} - resourceName: virt-controller resourceType: Deployment @@ -125,8 +124,8 @@ spec: type: strategic {{- $_ := set $kubeRbacProxySettings "upstreams" (list - (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "name" "kube-api-rewriter") - (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "name" "virt-api") + (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "name" "kube-api-rewriter") + (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "name" "virt-api") ) }} - resourceName: virt-api resourceType: Deployment 
@@ -134,8 +133,8 @@ spec: type: strategic {{- $_ := set $kubeRbacProxySettings "upstreams" (list - (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "resource" "daemonsets" "name" "kube-api-rewriter") - (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "resource" "daemonsets" "name" "virt-handler") + (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "resource" "daemonsets" "name" "kube-api-rewriter") + (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "resource" "daemonsets" "name" "virt-handler") ) }} - resourceName: virt-handler resourceType: DaemonSet @@ -236,7 +235,11 @@ spec: resourceName: virt-handler patch: {{ include "pod_spec_priotity_class_name_patch" $priorityClassName }} type: strategic - # Patch service for https-metrics + - resourceType: DaemonSet + resourceName: virt-handler + patch: '{"spec":{"template":{"spec":{"initContainers":[{"name":"virt-launcher","securityContext":{"runAsNonRoot":false,"runAsUser":0,"privileged":true}}]}}}}' + type: strategic + # Patch service for https-metrics - resourceType: Service resourceName: kubevirt-prometheus-metrics patch: '[{"op": "replace", "path": "/spec/ports/0/targetPort", "value": "https-metrics"}]'
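Review bot: The new strategic patch in the `-236,7 +235,11` hunk sets `"runAsNonRoot":false,"runAsUser":0,"privileged":true` on the `virt-launcher` initContainer of the virt-handler DaemonSet, which is the broadest grant available (all capabilities, host device access, default confinement relaxed) and is applied on every node. Nothing in the template says which operation needs it, and the same commit removes the `Root` feature gate and moves the launcher image to uid 107, so the evident intent elsewhere is to reduce root use; if the init step only needs to write files or bind a port, `runAsUser: 0` without `privileged`, or a `capabilities.add` list, is the least-privilege form — which one applies cannot be told from the diff. At minimum add a comment above the entry, e.g. `# virt-launcher init container runs privileged because <reason> — TODO confirm the minimal securityContext`, so the grant is reviewed against a stated need. The surrounding `-116`, `-125` and `-134` hunks are indentation-only and raise nothing.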