diff --git a/core/internal/node/BUILD.bazel b/core/internal/node/BUILD.bazel
index d96c0e6..48afed0 100644
--- a/core/internal/node/BUILD.bazel
+++ b/core/internal/node/BUILD.bazel
@@ -3,6 +3,7 @@
 go_library(
     name = "go_default_library",
     srcs = [
+        "debug.go",
         "main.go",
         "setup.go",
     ],
@@ -13,6 +14,7 @@
         "//core/internal/api:go_default_library",
         "//core/internal/common:go_default_library",
         "//core/internal/consensus:go_default_library",
+        "//core/internal/containerd:go_default_library",
         "//core/internal/integrity/tpm2:go_default_library",
         "//core/internal/kubernetes:go_default_library",
         "//core/internal/network:go_default_library",
@@ -23,6 +25,7 @@
         "@org_golang_google_grpc//codes:go_default_library",
         "@org_golang_google_grpc//credentials:go_default_library",
         "@org_golang_google_grpc//status:go_default_library",
+        "@org_golang_x_sys//unix:go_default_library",
         "@org_uber_go_zap//:go_default_library",
     ],
 )
diff --git a/core/internal/node/debug.go b/core/internal/node/debug.go
new file mode 100644
index 0000000..1d91ad6
--- /dev/null
+++ b/core/internal/node/debug.go
@@ -0,0 +1,88 @@
+// Copyright 2020 The Monogon Project Authors.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package node
+
+// Implements a debug gRPC service for testing and introspection
+// This is attached to the SmalltownNode because most other services are instantiated there and thus are accessible
+// from there. Have a look at //core/cmd/dbg if you need to interact with this from a CLI.
+
+import (
+	"context"
+	"math"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	schema "git.monogon.dev/source/nexantic.git/core/generated/api"
+	"git.monogon.dev/source/nexantic.git/core/internal/storage"
+)
+
+func (s *SmalltownNode) GetDebugKubeconfig(ctx context.Context, req *schema.GetDebugKubeconfigRequest) (*schema.GetDebugKubeconfigResponse, error) {
+	return s.Kubernetes.GetDebugKubeconfig(ctx, req)
+}
+
+// GetComponentLogs gets various logbuffers from binaries we call. This function just deals with the first path component,
+// delegating the rest to the service-specific handlers.
+func (s *SmalltownNode) GetComponentLogs(ctx context.Context, req *schema.GetComponentLogsRequest) (*schema.GetComponentLogsResponse, error) {
+	if len(req.ComponentPath) < 1 {
+		return nil, status.Error(codes.InvalidArgument, "component_path needs to contain at least one part")
+	}
+	linesToRead := int(req.TailLines)
+	if linesToRead == 0 {
+		linesToRead = math.MaxInt32
+	}
+	var lines []string
+	var err error
+	switch req.ComponentPath[0] {
+	case "containerd":
+		lines = s.Containerd.Log.ReadLinesTruncated(linesToRead, "...")
+	case "kube":
+		if len(req.ComponentPath) < 2 {
+			return nil, status.Error(codes.NotFound, "Component not found")
+		}
+		lines, err = s.Kubernetes.GetComponentLogs(req.ComponentPath[1], linesToRead)
+		if err != nil {
+			return nil, status.Error(codes.NotFound, "Component not found")
+		}
+	default:
+		return nil, status.Error(codes.NotFound, "component not found")
+	}
+	return &schema.GetComponentLogsResponse{Line: lines}, nil
+}
+
+// GetCondition checks for various conditions exposed by different services. Mostly intended for testing. If you need
+// to make sure something is available in an E2E test, consider adding a condition here.
+func (s *SmalltownNode) GetCondition(ctx context.Context, req *schema.GetConditionRequest) (*schema.GetConditionResponse, error) {
+	var ok bool
+	switch req.Name {
+	case "IPAssigned":
+		ip, err := s.Network.GetIP(ctx, false)
+		if err == nil && ip != nil {
+			ok = true
+		}
+	case "DataAvailable":
+		_, err := s.Storage.GetPathInPlace(storage.PlaceData, "test")
+		if err == nil {
+			ok = true
+		}
+	default:
+		return nil, status.Errorf(codes.NotFound, "condition %v not found", req.Name)
+	}
+	return &schema.GetConditionResponse{
+		Ok: ok,
+	}, nil
+}
diff --git a/core/internal/node/main.go b/core/internal/node/main.go
index b0674d2..4041cb8 100644
--- a/core/internal/node/main.go
+++ b/core/internal/node/main.go
@@ -25,14 +25,16 @@
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/base64"
+	"encoding/hex"
 	"errors"
 	"flag"
 	"fmt"
+	"git.monogon.dev/source/nexantic.git/core/internal/containerd"
 	"io/ioutil"
 	"math/big"
 	"net"
 	"os"
+	"strings"
 	"time"
 
 	apipb "git.monogon.dev/source/nexantic.git/core/generated/api"
@@ -43,6 +45,7 @@
 	"git.monogon.dev/source/nexantic.git/core/internal/kubernetes"
 	"git.monogon.dev/source/nexantic.git/core/internal/network"
 	"git.monogon.dev/source/nexantic.git/core/internal/storage"
+	"golang.org/x/sys/unix"
 
 	"github.com/cenkalti/backoff/v4"
 	"github.com/gogo/protobuf/proto"
@@ -62,12 +65,15 @@
 		Consensus  *consensus.Service
 		Storage    *storage.Manager
 		Kubernetes *kubernetes.Service
+		Containerd *containerd.Service
 		Network    *network.Service
 
 		logger          *zap.Logger
 		state           common.SmalltownState
 		hostname        string
 		enrolmentConfig *apipb.EnrolmentConfig
+
+		debugServer *grpc.Server
 	}
 )
 
@@ -101,12 +107,18 @@
 		return nil, err
 	}
 
+	containerdService, err := containerd.New()
+	if err != nil {
+		return nil, err
+	}
+
 	s := &SmalltownNode{
-		Consensus: consensusService,
-		Storage:   strg,
-		Network:   ntwk,
-		logger:    logger,
-		hostname:  hostname,
+		Consensus:  consensusService,
+		Containerd: containerdService,
+		Storage:    strg,
+		Network:    ntwk,
+		logger:     logger,
+		hostname:   hostname,
 	}
 
 	apiService, err := api.NewApiServer(&api.Config{}, logger.With(zap.String("module", "api")), s.Consensus)
@@ -118,6 +130,9 @@
 
 	s.Kubernetes = kubernetes.New(logger.With(zap.String("module", "kubernetes")), consensusService)
 
+	s.debugServer = grpc.NewServer()
+	apipb.RegisterNodeDebugServiceServer(s.debugServer, s)
+
 	logger.Info("Created SmalltownNode")
 
 	return s, nil
@@ -126,6 +141,8 @@
 func (s *SmalltownNode) Start(ctx context.Context) error {
 	s.logger.Info("Starting Smalltown node")
 
+	s.startDebugSvc()
+
 	// TODO(lorenz): Abstracting enrolment sounds like a good idea, but ends up being painful
 	// because of things like storage access. I'm keeping it this way until the more complex
 	// enrolment procedures are fleshed out. This is also a bit panic()-happy, but there is really
@@ -157,6 +174,30 @@
 	panic("Unreachable")
 }
 
+func (s *SmalltownNode) startDebugSvc() {
+	debugListenHost := fmt.Sprintf(":%v", common.DebugServicePort)
+	debugListener, err := net.Listen("tcp", debugListenHost)
+	if err != nil {
+		s.logger.Fatal("failed to listen", zap.Error(err))
+	}
+
+	go func() {
+		if err := s.debugServer.Serve(debugListener); err != nil {
+			s.logger.Fatal("failed to serve", zap.Error(err))
+		}
+	}()
+}
+
+func (s *SmalltownNode) initHostname() error {
+	if err := unix.Sethostname([]byte(s.hostname)); err != nil {
+		return err
+	}
+	if err := ioutil.WriteFile("/etc/hosts", []byte(fmt.Sprintf("%v %v", "127.0.0.1", s.hostname)), 0644); err != nil {
+		return err
+	}
+	return ioutil.WriteFile("/etc/machine-id", []byte(strings.TrimPrefix(s.hostname, "smalltown-")), 0644)
+}
+
 func (s *SmalltownNode) startEnrolling(ctx context.Context) error {
 	s.logger.Info("Initializing subsystems for enrolment")
 	s.state = common.StateEnrollMode
@@ -166,6 +207,11 @@
 		return err
 	}
 
+	s.hostname = nodeID
+	if err := s.initHostname(); err != nil {
+		return err
+	}
+
 	// We only support TPM2 at the moment, any abstractions here would be premature
 	trustAgent := tpm2.TPM2Agent{}
 
@@ -207,11 +253,18 @@
 	if err != nil {
 		return err
 	}
+	s.hostname = nodeID
+	if err := s.initHostname(); err != nil {
+		return err
+	}
 
 	if err := s.initNodeAPI(); err != nil {
 		return err
 	}
 
+	// TODO: Use supervisor.Run for this
+	go s.Containerd.Run()(context.TODO())
+
 	dataPath, err := s.Storage.GetPathInPlace(storage.PlaceData, "etcd")
 	if err != nil {
 		return err
@@ -314,7 +367,7 @@
 		return []byte{}, "", fmt.Errorf("failed to write node key: %w", err)
 	}
 
-	name := "smalltown-" + base64.RawStdEncoding.EncodeToString([]byte(pubKey))
+	name := "smalltown-" + hex.EncodeToString([]byte(pubKey[:16]))
 
 	// This has no SANs because it authenticates by public key, not by name
 	nodeCert := &x509.Certificate{
@@ -429,6 +482,11 @@
 	s.logger.Info("Initializing subsystems for production")
 	s.state = common.StateJoined
 
+	s.hostname = s.enrolmentConfig.NodeId
+	if err := s.initHostname(); err != nil {
+		return err
+	}
+
 	trustAgent := tpm2.TPM2Agent{}
 	unlockOp := func() error {
 		unlockKey, err := trustAgent.Unlock(*s.enrolmentConfig)
@@ -449,6 +507,9 @@
 
 	s.initNodeAPI()
 
+	// TODO: Use supervisor.Run for this
+	go s.Containerd.Run()(context.TODO())
+
 	err := s.Consensus.Start()
 	if err != nil {
 		return err