diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index bcc80c3..facce01 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -27,33 +27,8 @@ jobs: - name: Install required dependencies run: | - # docker - sudo snap install docker --channel=latest/stable - sudo addgroup --system docker; sudo adduser $USER docker - newgrp docker - sudo snap disable docker; sudo snap enable docker - - # skopeo - sudo snap install --devmode --channel edge skopeo - # rockcraft sudo snap install rockcraft --classic --edge - - # jq and yq - sudo snap install jq yq - - - name: Upgrade linux deps with security updates - run: | - sudo apt-get update - - # install security updates - sudo apt-get -s dist-upgrade \ - | grep "^Inst" \ - | grep -i securi \ - | awk -F " " {'print $2'} \ - | xargs sudo apt-get install -y - - sudo apt-get autoremove -y - name: Build rock run: | @@ -84,7 +59,9 @@ jobs: - name: Install required dependencies run: | # docker - sudo snap install docker --channel=latest/stable + # FIXME: v27.2.0 reports "...client version 1.22 is too old..." when trying to copy the + # rock to the local repository --revision=2932 + sudo snap install docker --channel=latest/stable --revision=2932 sudo addgroup --system docker; sudo adduser $USER docker newgrp docker sudo snap disable docker; sudo snap enable docker @@ -92,11 +69,11 @@ jobs: # skopeo sudo snap install --devmode --channel edge skopeo sudo snap install yq - + - name: Create local image run: | version="$(cat rockcraft.yaml | yq .version)" - + sudo skopeo \ --insecure-policy \ copy \ diff --git a/.gitignore b/.gitignore index 365e7ad..19dff71 100644 --- a/.gitignore +++ b/.gitignore @@ -364,7 +364,7 @@ cython_debug/ [Ll]ib [Ll]ib64 [Ll]ocal -[Ss]cripts +# [Ss]cripts pyvenv.cfg pip-selfcheck.json @@ -394,3 +394,5 @@ pip-selfcheck.json *.code-workspace # End of https://www.toptal.com/developers/gitignore/api/intellij+all,intellij+iml,python,visualstudiocode,macos,linux,venv + +*.rock 
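Review bot: The FIXME added above the pinned `sudo snap install docker --channel=latest/stable --revision=2932` (second `Install required dependencies` step in ci.yaml) ends with a stray `--revision=2932` inside the comment text and gives no condition for lifting the pin. Without one, this job will keep installing an old Docker revision and silently miss later fixes. Suggest rewording it along the lines of `# FIXME(<tracking-issue>): pinned to rev 2932; v27.2.0 fails with "client version 1.22 is too old" when copying the rock to the local repository. Unpin once resolved.` As far as I know snaps still auto-refresh after a `--revision` install unless refreshes are held, so on a long-lived runner the pin may not stick; on an ephemeral runner this is probably moot.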
diff --git a/rockcraft.yaml b/rockcraft.yaml index a4de36f..74dbe8f 100644 --- a/rockcraft.yaml +++ b/rockcraft.yaml @@ -1,7 +1,7 @@ # Copyright 2023 Canonical Ltd. # See LICENSE file for licensing details. name: charmed-opensearch # the name of your ROCK -base: ubuntu:22.04 # the base environment for this ROCK +base: ubuntu@24.04 # the base environment for this ROCK license: Apache-2.0 version: '2.17.0' # just for humans. Semantic versioning is recommended @@ -16,6 +16,8 @@ description: | platforms: # The platforms this ROCK should be built on and run on amd64: +run_user: _daemon_ + services: opensearch: override: replace 
@@ -48,49 +50,45 @@ parts: stage-snaps: - opensearch/2/edge stage-packages: - - curl - - python3 + - base-files + - python3-venv - python3-yaml + - curl - util-linux override-prime: | craftctl default - + # opensearch mkdir -p data mkdir -p extensions - + # enable security monitoring rocks=usr/share/rocks/ mkdir -p ${rocks} - + ## for deb packages dpkg-query -f '${db:Status-Abbrev},${binary:Package},${Version},${source:Package},${Source:Version}\n' -W > ${rocks}/dpkg.query - + ## for snap packages cp snap.opensearch/manifest.yaml ${rocks} cp snap.opensearch/snapcraft.yaml ${rocks} - non-root-user: plugin: nil after: [opensearch-snap] - overlay-script: | - # Create a user in the $CRAFT_OVERLAY chroot - groupadd -R ${CRAFT_OVERLAY} -g 1000 opensearch - useradd -R ${CRAFT_OVERLAY} -M -r -g opensearch -u 1000 opensearch override-prime: | craftctl default # Give permission ot the required folders mkdir -p var/lib/opensearch usr/share/tmp var/log/opensearch - chown -R 1000:1000 etc/opensearch opt/opensearch usr/share/opensearch var/lib/opensearch usr/share/tmp var/log/opensearch + chown -R 584792:584792 etc/opensearch opt/opensearch usr/share/opensearch var/lib/opensearch usr/share/tmp var/log/opensearch entry: plugin: dump source: scripts organize: - start.sh: bin/start.sh - set_conf.py: bin/set_conf.py + start.sh: usr/bin/start.sh + set_conf.py: usr/bin/set_conf.py stage: - - bin/start.sh - - bin/set_conf.py + - usr/bin/start.sh + - usr/bin/set_conf.py diff --git a/scripts/start.sh b/scripts/start.sh index 4797afc..db23170 100755 --- a/scripts/start.sh +++ b/scripts/start.sh @@ -88,8 +88,4 @@ sed -i "s@=logs/@=${OPENSEARCH_VARLOG}/@" "${OPENSEARCH_PATH_CONF}/jvm.options" cat "${conf}" -exec /usr/bin/setpriv \ - --clear-groups \ - --reuid opensearch \ - --regid opensearch \ - -- "${OPENSEARCH_BIN}"/opensearch +exec "${OPENSEARCH_BIN}"/opensearch
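Review bot: The new `chown -R 584792:584792 ...` in the `non-root-user` part's `override-prime` hard-codes a numeric owner with nothing tying it to `run_user: _daemon_`, so the two can drift apart unnoticed if either is changed. A comment directly above it, e.g. `# 584792 is the UID/GID of the built-in _daemon_ user selected by run_user`, would make the dependency explicit. The recursive chown also still hands `opt/opensearch` and `usr/share/opensearch` to the service account, as the old `1000:1000` line did. If those trees hold only program files, leaving them root-owned and granting write access only to the config, data, log and tmp paths would limit what a compromised service process can modify. The part name `non-root-user` is also misleading now that the `overlay-script` creating the user is gone.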
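Review bot: With the `setpriv` wrapper removed, `exec "${OPENSEARCH_BIN}"/opensearch` inherits whatever identity the script was started with, so the privilege drop now depends entirely on `run_user: _daemon_` in rockcraft.yaml being applied by the service manager. If start.sh is launched any other way, the whole script runs as that caller, including the `sed -i` on `jvm.options` just above. An explicit guard early in the script (outside this hunk), such as `[ "$(id -u)" -ne 0 ] || { echo "start.sh must not run as root" >&2; exit 1; }`, would turn that into a clear failure instead of relying on downstream behaviour. `setpriv --clear-groups` also dropped supplementary groups; it would be worth confirming the new launch path leaves none attached. The script begins before this hunk, so earlier steps are not visible here.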