diff --git a/Dockerfile b/Dockerfile
index 7ca5053..0a9a53e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,6 +31,10 @@ ARG KERNEL_BRANCH=5.10
 RUN git clone --depth 1 -c advice.detachedHead=false \
     --branch "v${KERNEL_BRANCH}" https://github.com/torvalds/linux.git .
 
+COPY vmlinux/*.patch ./
+
+RUN git apply -v ./*.patch
+
 ###############################################
 
 FROM linux.git AS vmlinux
diff --git a/docker-compose.test.yml b/docker-compose.test.yml
index f56d634..eba6d6f 100644
--- a/docker-compose.test.yml
+++ b/docker-compose.test.yml
@@ -60,9 +60,6 @@ services:
       cache_from:
         - sut:latest
     hostname: alpine-test
-    environment:
-      - DOCKERHUB_USERNAME=${DOCKERHUB_USERNAME:-}
-      - DOCKERHUB_PASSWORD=${DOCKERHUB_PASSWORD:-}
 
   debian-test:
     extends:
@@ -75,9 +72,6 @@ services:
       cache_from:
         - sut:latest
     hostname: debian-test
-    environment:
-      - DOCKERHUB_USERNAME=${DOCKERHUB_USERNAME:-}
-      - DOCKERHUB_PASSWORD=${DOCKERHUB_PASSWORD:-}
 
   ubuntu-test:
     extends:
@@ -90,6 +84,3 @@ services:
       cache_from:
         - sut:latest
     hostname: ubuntu-test
-    environment:
-      - DOCKERHUB_USERNAME=${DOCKERHUB_USERNAME:-}
-      - DOCKERHUB_PASSWORD=${DOCKERHUB_PASSWORD:-}
diff --git a/overlay/sbin/init b/overlay/sbin/init
index 2c8bd74..2ee759b 100644
--- a/overlay/sbin/init
+++ b/overlay/sbin/init
@@ -70,7 +70,7 @@ if [ ! -d /sys/fs/cgroup/systemd ]; then
   mount -v -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd
 fi
 
-if ! grep -q localhost /etc/hosts; then
+if ! grep -q localhost /etc/hosts 2>/dev/null; then
   echo "127.0.0.1 localhost" >>/etc/hosts
 fi
 
diff --git a/start.sh b/start.sh
index cdde0e6..c1aea42 100644
--- a/start.sh
+++ b/start.sh
@@ -322,6 +322,10 @@ if [ -z "${KERNEL_BOOT_ARGS:-}" ]; then
     fi
 fi
 
+if [ -n "${EXTRA_KERNEL_BOOT_ARGS:-}" ]; then
+    KERNEL_BOOT_ARGS="${KERNEL_BOOT_ARGS} ${EXTRA_KERNEL_BOOT_ARGS}"
+fi
+
 KERNEL_BOOT_ARGS="${KERNEL_BOOT_ARGS} $(network_config "${GUEST_IP}" "${TAP_IP}" "$(hostname)" eth0)"
 
 echo "Virtual CPUs: ${VCPU_COUNT}"
diff --git a/test/healthcheck.sh b/test/healthcheck.sh
index 2866744..2e26c75 100644
--- a/test/healthcheck.sh
+++ b/test/healthcheck.sh
@@ -17,7 +17,21 @@ id
 
 date
 
-uname -a
+userspace_arch="$(dpkg --print-architecture 2>/dev/null || apk --print-arch)"
+case ${userspace_arch} in
+x86_64|amd64)
+    uname -a | grep x86_64
+    ;;
+aarch64|arm64)
+    uname -a | grep aarch64
+    setarch linux32 uname -m | tee /dev/stderr | grep armv7l
+    setarch linux32 --uname-2.6 uname -m | tee /dev/stderr | grep armv6l
+    ;;
+*)
+    echo "Unsupported architecture: ${userspace_arch}"
+    exit 1
+    ;;
+esac
 
 df -h
 
@@ -51,15 +65,20 @@ if command -v ip >/dev/null 2>&1; then
     ip route
 fi
 
-# nested virtualization is not available on aarch64
-if [ -r /dev/kvm ]; then
+case $(uname -m) in
+x86_64)
     ls -l /dev/kvm
-    test -w /dev/kvm
-
+    test -w /dev/kvm || test "$(id -u)" != 0
     if which kvm-ok >/dev/null; then
         kvm-ok
     fi
-fi
+    ;;
+*)
+    # https://github.com/balena-io-experimental/container-jail/issues/44
+    # https://github.com/firecracker-microvm/firecracker/issues/1721
+    echo "Nested KVM unavailable on this architecture!"
+    ;;
+esac
 
 if command -v npm >/dev/null 2>&1; then
     npm ping
diff --git a/vmlinux/0001-UBUNTU-SAUCE-no-up-add-compat_uts_machine-kernel-com.patch b/vmlinux/0001-UBUNTU-SAUCE-no-up-add-compat_uts_machine-kernel-com.patch
new file mode 100644
index 0000000..4141296
--- /dev/null
+++ b/vmlinux/0001-UBUNTU-SAUCE-no-up-add-compat_uts_machine-kernel-com.patch
@@ -0,0 +1,42 @@
+From: Andy Whitcroft <apw@canonical.com>
+Date: Fri, 27 Nov 2015 17:38:30 +0000
+Subject: [PATCH] UBUNTU: SAUCE: (no-up) add compat_uts_machine= kernel command
+ line override
+
+We wish to use the arm64 buildds to build armhf binaries in 32bit chroots.
+To make this work we need uname to return armv7l machine type.  To achieve
+this add a kernel command line override for the 32bit machine type.
+Add compat_uts_machine=<type> to allow the LINUX32 personality to return
+that type for uname.
+
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+---
+ kernel/sys.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index 83ffd7dccf23..5b030fbaf199 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1138,6 +1138,21 @@ SYSCALL_DEFINE0(setsid)
+ 
+ DECLARE_RWSEM(uts_sem);
+ 
++#ifdef COMPAT_UTS_MACHINE
++static char compat_uts_machine[__OLD_UTS_LEN+1] = COMPAT_UTS_MACHINE;
++
++static int __init parse_compat_uts_machine(char *arg)
++{
++	strncpy(compat_uts_machine, arg, __OLD_UTS_LEN);
++	compat_uts_machine[__OLD_UTS_LEN] = 0;
++	return 0;
++}
++early_param("compat_uts_machine", parse_compat_uts_machine);
++
++#undef COMPAT_UTS_MACHINE
++#define COMPAT_UTS_MACHINE compat_uts_machine
++#endif
++
+ #ifdef COMPAT_UTS_MACHINE
+ #define override_architecture(name) \
+ 	(personality(current->personality) == PER_LINUX32 && \
diff --git a/vmlinux/0002-HACK-Use-the-UNAME26-personality-to-return-armv6l-in.patch b/vmlinux/0002-HACK-Use-the-UNAME26-personality-to-return-armv6l-in.patch
new file mode 100644
index 0000000..5026060
--- /dev/null
+++ b/vmlinux/0002-HACK-Use-the-UNAME26-personality-to-return-armv6l-in.patch
@@ -0,0 +1,73 @@
+From: Zubair Lutfullah Kakakhel <zubair@balena.io>
+Date: Mon, 11 Feb 2019 15:52:06 +0000
+Subject: [PATCH] HACK: Use the UNAME26 personality to return armv6l instead of
+ v2.6.32+
+
+We'd like to make our arm builders return two different machine strings
+at runtime for different processes. armv7l and armv6l. This is so that
+a docker daemon for armv6l/armv8l device builds thinks the docker build
+is unning under the correct machine arch. Various package managers such
+as pip rely on the output of uname -m to be correct.
+
+The UNAME26 personality is used by old userspace programs to make the
+kernel version string appear as 2.6+.
+
+Add a hack in the kernel to modify the machine string for the uname26
+personality and make it show armv6l. And don't change the kernel
+version string to 2.6.+
+
+The benefit of this hack instead of adding a new personality is
+- we won't have to carry a custom version of the setarch userspace utility
+- simpler to implement and keep lying around
+
+Trade-off. I'm hoping no customer is pushing applications that depend
+on the kernel version string being 2.6+ and the actual uname26
+personality usage.
+
+With this patch and compat_uts_machine=armv7l in the kernel cmdline
+on our arm builder
+
+root@arm02:~# linux32 --uname-2.6 uname -m
+armv6l
+root@arm02:~# linux32 uname -m
+armv7l
+root@arm02:~# uname -m
+aarch64
+root@arm02:~#
+
+Signed-off-by: Zubair Lutfullah Kakakhel <zubair@balena.io>
+---
+ kernel/sys.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index 4e0a24b0c14d..f8807b47740b 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1173,24 +1173,9 @@ static int override_release(char __user *release, size_t len)
+ {
+ 	int ret = 0;
+ 
++	strncpy(compat_uts_machine, "armv7l", __OLD_UTS_LEN);
+ 	if (current->personality & UNAME26) {
+-		const char *rest = UTS_RELEASE;
+-		char buf[65] = { 0 };
+-		int ndots = 0;
+-		unsigned v;
+-		size_t copy;
+-
+-		while (*rest) {
+-			if (*rest == '.' && ++ndots >= 3)
+-				break;
+-			if (!isdigit(*rest) && *rest != '.')
+-				break;
+-			rest++;
+-		}
+-		v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 60;
+-		copy = clamp_t(size_t, len, 1, sizeof(buf));
+-		copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
+-		ret = copy_to_user(release, buf, copy + 1);
++		strncpy(compat_uts_machine, "armv6l", __OLD_UTS_LEN);
+ 	}
+ 	return ret;
+ }