diff --git a/.github/workflows/ghcr-image-build-and-publish.yml b/.github/workflows/ghcr-image-build-and-publish.yml
index 4fe76a9ce23..103778eb92c 100644
--- a/.github/workflows/ghcr-image-build-and-publish.yml
+++ b/.github/workflows/ghcr-image-build-and-publish.yml
@@ -25,7 +25,7 @@ env:

 jobs:
 build:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
 permissions:
 contents: read
 packages: write
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 50f4bab6650..5cd401df273 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ env:
 GO111MODULE: on
 jobs:
 release:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
 timeout-minutes: 40
 steps:
 - uses: actions/checkout@v4.1.7
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3d1e2d58d7c..7371b32b59b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -15,7 +15,7 @@ env:
 jobs:
 project:
 name: Project Checks
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
 timeout-minutes: 20
 steps:
 - uses: actions/checkout@v4.1.7
@@ -36,7 +36,7 @@ jobs:
 working-directory: src/github.com/containerd/nerdctl

 lint:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
 timeout-minutes: 20
 steps:
 - uses: actions/checkout@v4.1.7
@@ -56,7 +56,7 @@ jobs:
 run: yamllint .

 test-unit:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
 timeout-minutes: 20
 steps:
 - uses: actions/checkout@v4.1.7
@@ -76,15 +76,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- # ubuntu-20.04: cgroup v1, ubuntu-22.04: cgroup v2
+ # ubuntu-20.04: cgroup v1, ubuntu-24.04: cgroup v2
 include:
 - ubuntu: 20.04
 containerd: v1.6.33
 - ubuntu: 20.04
 containerd: v1.7.18
- - ubuntu: 22.04
+ - ubuntu: 24.04
 containerd: v1.7.18
- - ubuntu: 22.04
+ - ubuntu: 24.04
 containerd: main # v2.0.0-rc.X
 env:
 UBUNTU_VERSION: "${{ matrix.ubuntu }}"
@@ -117,9 +117,9 @@ jobs: strategy: fail-fast: false matrix: - # ubuntu-20.04: cgroup v1, ubuntu-22.04: cgroup v2 + # ubuntu-20.04: cgroup v1, ubuntu-24.04: cgroup v2 include: - - ubuntu: 22.04 + - ubuntu: 24.04 containerd: v1.7.18 env: UBUNTU_VERSION: "${{ matrix.ubuntu }}" @@ -166,7 +166,7 @@ jobs: strategy: fail-fast: false matrix: - # ubuntu-22.04: cgroup v1, ubuntu-22.04: cgroup v2 + # ubuntu-24.04: cgroup v1, ubuntu-24.04: cgroup v2 include: - ubuntu: 20.04 containerd: v1.6.33 @@ -176,11 +176,11 @@ jobs: containerd: v1.7.18 rootlesskit: v2.1.0 target: test-integration-rootless - - ubuntu: 22.04 + - ubuntu: 24.04 containerd: v1.7.18 rootlesskit: v1.1.1 target: test-integration-rootless - - ubuntu: 22.04 + - ubuntu: 24.04 containerd: main # v2.0.0-rc.X rootlesskit: v2.1.0 target: test-integration-rootless @@ -192,11 +192,11 @@ jobs: containerd: v1.7.18 rootlesskit: v2.1.0 target: test-integration-rootless-port-slirp4netns - - ubuntu: 22.04 + - ubuntu: 24.04 containerd: v1.7.18 rootlesskit: v1.1.1 target: test-integration-rootless-port-slirp4netns - - ubuntu: 22.04 + - ubuntu: 24.04 containerd: main # v2.0.0-rc.X rootlesskit: v2.1.0 target: test-integration-rootless-port-slirp4netns @@ -206,6 +206,21 @@ jobs: ROOTLESSKIT_VERSION: "${{ matrix.rootlesskit }}" TEST_TARGET: "${{ matrix.target }}" steps: + - name: "Set up AppArmor" + if: matrix.ubuntu == '24.04' + run: | + cat <, + include + + /usr/local/bin/rootlesskit flags=(unconfined) { + userns, + + # Site-specific additions and overrides. See local/README for details. + include if exists + } + EOT + sudo systemctl restart apparmor.service - uses: actions/checkout@v4.1.7 with: fetch-depth: 1 @@ -222,7 +237,7 @@ jobs: command: docker run -t --rm --privileged -e WORKAROUND_ISSUE_622=1 ${TEST_TARGET} cross: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 timeout-minutes: 40 strategy: matrix: 
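Review bot: The rewritten matrix comment in the hunk at `@@ -166,7 +166,7 @@` now reads `# ubuntu-24.04: cgroup v1, ubuntu-24.04: cgroup v2`, which assigns both cgroup versions to the same release. The old line already had this slip with 22.04, and the version substitution carried it over. The matrix below it still lists `ubuntu: 20.04` entries, and the two sibling comments in this file name 20.04 as the cgroup v1 runner, so the line should read `# ubuntu-20.04: cgroup v1, ubuntu-24.04: cgroup v2`.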
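Review bot: The new "Set up AppArmor" step in the hunk at `@@ -206,6 +206,21 @@` has no comment saying why it exists, although the profile it installs is a security-relevant exception. It attaches `flags=(unconfined)` plus `userns,` to the path `/usr/local/bin/rootlesskit`, presumably because Ubuntu 24.04 restricts unprivileged user namespace creation through AppArmor; the grant follows the path, so whatever binary sits there receives it. I would put a comment above the step such as `# Ubuntu 24.04 restricts unprivileged userns via AppArmor; allow it for rootlesskit only (path-scoped, CI runner only)`. The step also restarts `apparmor.service` without confirming that the profile loaded; a following line such as `sudo aa-status | grep -q rootlesskit` would surface a failed load before the rootless tests start.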
@@ -240,7 +255,7 @@ jobs: run: GO_VERSION="$(echo ${{ matrix.go-version }} | sed -e s/.x//)" make binaries test-integration-docker-compatibility: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 timeout-minutes: 45 steps: - uses: actions/checkout@v4.1.7 @@ -251,26 +266,9 @@ jobs: go-version: ${{ env.GO_VERSION }} cache: true check-latest: true - - name: "Install Docker v26" + - name: "Print docker info" run: | set -eux -o pipefail - # Uninstall the preinstalled Docker - sudo apt-get remove docker-* containerd.io - # Enable BuildKit explicitly - sudo apt-get install -y moreutils - cat /etc/docker/daemon.json - jq '.features.buildkit = true' sshd` here +# TODO: update containerized-systemd to enable sshd by default, or allow `systemctl wants ssh` here RUN ssh-keygen -q -t rsa -f /root/.ssh/id_rsa -N '' && \ useradd -m -s /bin/bash rootless && \ mkdir -p -m 0700 /home/rootless/.ssh && \ diff --git a/Dockerfile.d/test-integration-rootless.sh b/Dockerfile.d/test-integration-rootless.sh index 00975410f7f..2a324c3951e 100755 --- a/Dockerfile.d/test-integration-rootless.sh +++ b/Dockerfile.d/test-integration-rootless.sh @@ -27,7 +27,7 @@ if [[ "$(id -u)" = "0" ]]; then fi # Switch to the rootless user via SSH - systemctl start sshd + systemctl start ssh exec ssh -o StrictHostKeyChecking=no rootless@localhost "$0" "$@" else containerd-rootless-setuptool.sh install