diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a41d4bb..8cd440f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -61,6 +61,10 @@ jobs:
         - quay.io/centos/centos:stream
 
     steps:
+    - name: Free Disk Space (Ubuntu)
+      uses: linka-cloud/free-disk-space@main
+      if: matrix.image == 'quay.io/centos/centos:stream'
+
     - name: Checkout
       uses: actions/checkout@v3
       with:
@@ -109,6 +113,9 @@ jobs:
         - centos:8
         - quay.io/centos/centos:stream10
     steps:
+    - name: Free Disk Space (Ubuntu)
+      uses: linka-cloud/free-disk-space@main
+
     - name: Checkout
       uses: actions/checkout@v3
       with:
diff --git a/config_test.go b/config_test.go
index 9b8f826..1940a33 100644
--- a/config_test.go
+++ b/config_test.go
@@ -24,12 +24,13 @@ import (
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/require"
+	"go.uber.org/multierr"
 
 	"go.linka.cloud/d2vm/pkg/docker"
 	"go.linka.cloud/d2vm/pkg/exec"
 )
 
-func testConfig(t *testing.T, ctx context.Context, name, img string, config Config, luks, grubBIOS, grubEFI bool) {
+func testConfig(t *testing.T, ctx context.Context, name, img string, config Config, luks, grubBIOS, grubEFI bool) func() error {
 	require.NoError(t, docker.Pull(ctx, Arch, img))
 	tmpPath := filepath.Join(os.TempDir(), "d2vm-tests", strings.NewReplacer(":", "-", ".", "-").Replace(name))
 	require.NoError(t, os.MkdirAll(tmpPath, 0755))
@@ -37,7 +38,16 @@ func testConfig(t *testing.T, ctx context.Context, name, img string, config Conf
 	logrus.Infof("inspecting image %s", img)
 	r, err := FetchDockerImageOSRelease(ctx, img)
 	require.NoError(t, err)
-	defer docker.Remove(ctx, img)
+	var fns []func() error
+	clean := func() (err error) {
+		for _, v := range fns {
+			err = multierr.Append(err, v())
+		}
+		return err
+	}
+	fns = append(fns, func() error {
+		return docker.Remove(ctx, img)
+	})
 	if !r.SupportsLUKS() && luks {
 		t.Skipf("LUKS not supported for %s", r.Version)
 	}
@@ -53,13 +63,16 @@ func testConfig(t *testing.T, ctx context.Context, name, img string, config Conf
 	imgUUID := uuid.New().String()
 	logrus.Infof("building kernel enabled image")
 	require.NoError(t, docker.Build(ctx, false, imgUUID, p, dir, Arch))
-	defer docker.Remove(ctx, imgUUID)
+	fns = append(fns, func() error {
+		return docker.Remove(ctx, imgUUID)
+	})
 	// we don't need to test the kernel location if grub is enabled
 	if grubBIOS || grubEFI {
-		return
+		return clean
 	}
 	require.NoError(t, docker.RunAndRemove(ctx, imgUUID, "test", "-f", config.Kernel))
 	require.NoError(t, docker.RunAndRemove(ctx, imgUUID, "test", "-f", config.Initrd))
+	return clean
 }
 
 func TestConfig(t *testing.T) {
@@ -147,12 +160,17 @@ func TestConfig(t *testing.T) {
 							}
 						}
 						name := strings.Join(n, "-")
+						var clean func() error
 						t.Run(name, func(t *testing.T) {
-							t.Parallel()
 							ctx, cancel := context.WithCancel(context.Background())
 							defer cancel()
-							testConfig(t, ctx, name, test.image, test.config, luks, grubBIOS, grubEFI)
+							clean = testConfig(t, ctx, name, test.image, test.config, luks, grubBIOS, grubEFI)
 						})
+						defer func() {
+							if clean != nil {
+								_ = clean()
+							}
+						}()
 					}
 				}
 			}
diff --git a/templates/alpine.Dockerfile b/templates/alpine.Dockerfile
index 540bfb8..67d1822 100644
--- a/templates/alpine.Dockerfile
+++ b/templates/alpine.Dockerfile
@@ -1,4 +1,4 @@
-FROM {{ .Image }}
+FROM {{ .Image }} AS rootfs
 
 USER root
 
@@ -48,3 +48,7 @@ RUN apk add --no-cache  \
 {{- end }}
     grub || true
 {{- end }}
+
+FROM scratch
+
+COPY --from=rootfs / /
diff --git a/templates/centos.Dockerfile b/templates/centos.Dockerfile
index 78e1ea1..6ad9ca9 100644
--- a/templates/centos.Dockerfile
+++ b/templates/centos.Dockerfile
@@ -1,4 +1,4 @@
-FROM {{ .Image }}
+FROM {{ .Image }} AS rootfs
 
 USER root
 
@@ -16,12 +16,6 @@ RUN yum install -y \
     kernel \
     systemd \
     NetworkManager \
-{{- if .GrubBIOS }}
-    grub2 \
-{{- end }}
-{{- if .GrubEFI }}
-    grub2 grub2-efi-x64 grub2-efi-x64-modules \
-{{- end }}
     e2fsprogs \
     sudo && \
     systemctl enable NetworkManager && \
@@ -29,6 +23,13 @@ RUN yum install -y \
     systemctl unmask getty.target && \
     find /boot -type l -exec rm {} \;
 
+{{- if .GrubBIOS }}
+RUN yum install -y grub2
+{{- end }}
+{{- if .GrubEFI }}
+RUN yum install -y grub2 grub2-efi-x64 grub2-efi-x64-modules
+{{- end }}
+
 {{ if .Luks }}
 RUN yum install -y cryptsetup && \
     dracut --no-hostonly --regenerate-all --force --install="/usr/sbin/cryptsetup"
@@ -46,3 +47,7 @@ RUN cd /boot && \
 
 RUN yum clean all && \
     rm -rf /var/cache/yum
+
+FROM scratch
+
+COPY --from=rootfs / /
diff --git a/templates/debian.Dockerfile b/templates/debian.Dockerfile
index 0443523..a97cf92 100644
--- a/templates/debian.Dockerfile
+++ b/templates/debian.Dockerfile
@@ -1,4 +1,4 @@
-FROM {{ .Image }}
+FROM {{ .Image }} AS rootfs
 
 USER root
 
@@ -19,21 +19,22 @@ RUN ARCH="$([ "$(uname -m)" = "x86_64" ] && echo amd64 || echo arm64)"; \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
       systemd-sysv \
       systemd \
-    {{- if .Grub }}
-      grub-common \
-      grub2-common \
-    {{- end }}
-    {{- if .GrubBIOS }}
-      grub-pc-bin \
-    {{- end }}
-    {{- if .GrubEFI }}
-      grub-efi-${ARCH}-bin \
-    {{- end }}
       dbus \
       iproute2 \
       isc-dhcp-client \
       iputils-ping
 
+{{- if .Grub }}
+RUN DEBIAN_FRONTEND=noninteractive apt install -y grub-common grub2-common
+{{- end }}
+{{- if .GrubBIOS }}
+RUN DEBIAN_FRONTEND=noninteractive apt install -y grub-pc-bin
+{{- end }}
+{{- if .GrubEFI }}
+RUN ARCH="$([ "$(uname -m)" = "x86_64" ] && echo amd64 || echo arm64)"; \
+    DEBIAN_FRONTEND=noninteractive apt install -y grub-efi-${ARCH}-bin
+{{- end }}
+
 RUN systemctl preset-all
 
 {{ if .Password }}RUN echo "root:{{ .Password }}" | chpasswd {{ end }}
@@ -77,3 +78,7 @@ RUN mv $(ls -t /boot/vmlinuz-* | head -n 1) /boot/vmlinuz && \
 
 RUN apt-get clean && \
     rm -rf /var/lib/apt/lists/*
+
+FROM scratch
+
+COPY --from=rootfs / /
diff --git a/templates/ubuntu.Dockerfile b/templates/ubuntu.Dockerfile
index f5db285..828c2a3 100644
--- a/templates/ubuntu.Dockerfile
+++ b/templates/ubuntu.Dockerfile
@@ -1,4 +1,4 @@
-FROM {{ .Image }}
+FROM {{ .Image }} AS rootfs
 
 USER root
 
@@ -9,21 +9,22 @@ RUN ARCH="$([ "$(uname -m)" = "x86_64" ] && echo amd64 || echo arm64)"; \
   initramfs-tools \
   systemd-sysv \
   systemd \
+  dbus \
+  isc-dhcp-client \
+  iproute2 \
+  iputils-ping && \
+  find /boot -type l -exec rm {} \;
+
 {{- if .Grub }}
-  grub-common \
-  grub2-common \
+RUN DEBIAN_FRONTEND=noninteractive apt install -y grub-common grub2-common
 {{- end }}
 {{- if .GrubBIOS }}
-  grub-pc-bin \
+RUN DEBIAN_FRONTEND=noninteractive apt install -y grub-pc-bin
 {{- end }}
 {{- if .GrubEFI }}
-  grub-efi-${ARCH}-bin \
+RUN ARCH="$([ "$(uname -m)" = "x86_64" ] && echo amd64 || echo arm64)"; \
+    DEBIAN_FRONTEND=noninteractive apt install -y grub-efi-${ARCH}-bin
 {{- end }}
-  dbus \
-  isc-dhcp-client \
-  iproute2 \
-  iputils-ping && \
-  find /boot -type l -exec rm {} \;
 
 {{ if gt .Release.VersionID "16.04" }}
 RUN systemctl preset-all
@@ -68,3 +69,7 @@ RUN mv $(ls -t /boot/vmlinuz-* | head -n 1) /boot/vmlinuz && \
 
 RUN apt-get clean && \
     rm -rf /var/lib/apt/lists/*
+
+FROM scratch
+
+COPY --from=rootfs / /