From 19b046d36d6f3a1cb6a70dc6a0448c01b12e1130 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 21 Jan 2025 11:28:27 -0500 Subject: [PATCH 01/14] Drop support for pungi The only interface to building this image will be via Containerfile now. Signed-off-by: Colin Walters --- fedora-40.yaml | 7 --- fedora-41.yaml | 7 --- fedora-bootc.yaml | 8 ---- fedora-rawhide.yaml | 6 --- fedora.repo | 102 -------------------------------------------- 5 files changed, 130 deletions(-) delete mode 100644 fedora-40.yaml delete mode 100644 fedora-41.yaml delete mode 100644 fedora-bootc.yaml delete mode 100644 fedora-rawhide.yaml delete mode 100644 fedora.repo diff --git a/fedora-40.yaml b/fedora-40.yaml deleted file mode 100644 index 647be5a..0000000 --- a/fedora-40.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# NB: This treefile is used by the legacy pungi path only to build tier-1. It -# will be removed in the future. -releasever: 40 -repos: - - fedora - - fedora-updates -include: fedora-bootc.yaml diff --git a/fedora-41.yaml b/fedora-41.yaml deleted file mode 100644 index 51026d4..0000000 --- a/fedora-41.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# NB: This treefile is used by the legacy pungi path only to build tier-1. It -# will be removed in the future. -releasever: 41 -repos: - - fedora - - fedora-updates -include: fedora-bootc.yaml diff --git a/fedora-bootc.yaml b/fedora-bootc.yaml deleted file mode 100644 index 68dc692..0000000 --- a/fedora-bootc.yaml +++ /dev/null @@ -1,8 +0,0 @@ -metadata: - name: fedora-boot-tier1 - summary: Fedora Bootable Tier 1 - -include: - - fedora-generic.yaml - - tier-1/manifest.yaml - - tier-1/kernel.yaml diff --git a/fedora-rawhide.yaml b/fedora-rawhide.yaml deleted file mode 100644 index 5eec79c..0000000 --- a/fedora-rawhide.yaml +++ /dev/null @@ -1,6 +0,0 @@ -# NB: This treefile is used by the legacy pungi path only to build tier-1. It -# will be removed in the future. -releasever: rawhide -repos: - - fedora-rawhide -include: fedora-bootc.yaml 
diff --git a/fedora.repo b/fedora.repo
deleted file mode 100644
index 373d78c..0000000
--- a/fedora.repo
+++ /dev/null
@@ -1,102 +0,0 @@ -# Note we use baseurl= here because using auto-selected mirrors conflicts with -# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85. - -[fedora] -name=Fedora $releasever - $basearch -baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/ - https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/os/ -#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch -enabled=1 -#metadata_expire=7d -repo_gpgcheck=0 -type=rpm -gpgcheck=1 -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary -skip_if_unavailable=False - -[fedora-updates] -name=Fedora $releasever - $basearch - Updates -baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/ - https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/ -#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch -enabled=1 -repo_gpgcheck=0 -type=rpm -gpgcheck=1 -metadata_expire=6h -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary -skip_if_unavailable=False - -[fedora-updates-testing] -name=Fedora $releasever - $basearch - Test Updates -baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/ - https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/ -#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch -enabled=1 -gpgcheck=1 -metadata_expire=6h -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary -skip_if_unavailable=False - -[fedora-modular] -name=Fedora Modular $releasever - $basearch -baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Modular/$basearch/os/ - 
https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Modular/$basearch/os/ -#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch -enabled=1 -#metadata_expire=7d -repo_gpgcheck=0 -type=rpm -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch -skip_if_unavailable=False - -[fedora-updates-modular] -name=Fedora Modular $releasever - $basearch - Updates -baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Modular/$basearch/ - https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Modular/$basearch/ -#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch -enabled=1 -repo_gpgcheck=0 -type=rpm -gpgcheck=1 -metadata_expire=6h -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch -skip_if_unavailable=False - -[fedora-updates-testing-modular] -name=Fedora Modular $releasever - $basearch - Test Updates -baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Modular/$basearch/ - https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Modular/$basearch/ -#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch -enabled=1 -gpgcheck=1 -metadata_expire=6h -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary -skip_if_unavailable=False - -[rawhide] -name=Fedora - Rawhide - Developmental packages for the next Fedora release -baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/ - https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/ -#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch -enabled=1 -#metadata_expire=7d -repo_gpgcheck=0 -type=rpm -gpgcheck=1 
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary -skip_if_unavailable=False - -[fedora-devel] -name=Fedora $releasever - $basearch -baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/ - https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/ -#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch -enabled=1 -#metadata_expire=7d -repo_gpgcheck=0 -type=rpm -gpgcheck=1 -gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary -skip_if_unavailable=False From 029e4c7038c5317284a112563707eff1a22ab05e Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 21 Jan 2025 11:27:54 -0500 Subject: [PATCH 02/14] Split off Containerfile.base Signed-off-by: Colin Walters --- Containerfile | 54 ---------------------------------------------- Containerfile.base | 41 +++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 54 deletions(-) delete mode 100644 Containerfile create mode 100644 Containerfile.base diff --git a/Containerfile b/Containerfile deleted file mode 100644 index f512548..0000000 --- a/Containerfile +++ /dev/null 
@@ -1,54 +0,0 @@ -# This container build uses some special features of podman that allow -# a process executing as part of a container build to generate a new container -# image "from scratch". -# -# This container build uses nested containerization, so you must build with e.g. -# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...> -# -# # Why are we doing this? -# -# Today this base image build process uses rpm-ostree. There is a lot of things that -# rpm-ostree does when generating a container image...but important parts include: -# -# - auto-updating labels in the container metadata -# - Generating "chunked" content-addressed reproducible image layers (notice -# how there are ~60 layers in the generated image) -# -# The latter bit in particular is currently impossible to do from Containerfile. -# A future goal is adding some support for this in a way that can be honored by -# buildah (xref https://github.com/containers/podman/discussions/12605) -# -# # Why does this build process require additional privileges? -# -# Because it's generating a base image and uses containerization features itself. -# In the future some of this can be lifted. - -FROM quay.io/fedora/fedora:rawhide as repos - -# BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted. -FROM quay.io/fedora/fedora:rawhide as builder -RUN dnf -y install rpm-ostree selinux-policy-targeted -ARG MANIFEST=fedora-bootc.yaml -COPY --from=repos /etc/dnf/vars /etc/dnf/vars -COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg -# The input git repository has .repo files committed to git rpm-ostree has historically -# emphasized that. But here, we are fetching the repos from the container base image. -# So copy the source, and delete the hardcoded ones in git, and use the container base -# image ones. We can drop the ones commited to git when we hard switch to Containerfile. -COPY . 
/src -WORKDIR /src -RUN rm -vf /src/*.repo -COPY --from=repos /etc/yum.repos.d/*.repo /src -RUN --mount=type=cache,target=/workdir \ - --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \ - --mount=type=bind,from=repos,src=/,dst=/repos \ - rpm-ostree compose image --image-config fedora-bootc-config.json \ - --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} \ - --source-root=/repos /buildcontext/out.ociarchive - -FROM oci-archive:./out.ociarchive -# Need to reference builder here to force ordering. But since we have to run -# something anyway, we might as well cleanup after ourselves. -RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \ - --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \ - rm /buildcontext/out.ociarchive diff --git a/Containerfile.base b/Containerfile.base new file mode 100644 index 0000000..1cba2b7 --- /dev/null +++ b/Containerfile.base 
@@ -0,0 +1,41 @@ +# This is a relatively minimal base image build; it's intended as a derivation +# point. +# +# This container build uses nested containerization to construct +# a target rootfs from scratch; so you must build with e.g. +# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...> + +# If you want to configure the input rpm-md repositories, just override this +# container image. +FROM quay.io/fedora/fedora:rawhide as repos + +# BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted. +FROM quay.io/fedora/fedora:rawhide as builder +RUN dnf -y install rpm-ostree selinux-policy-targeted +# Change the input manifest if desired, but this is discouraged. +ARG MANIFEST=fedora-tier-0.yaml +# Copy in our source code. +COPY . /src +WORKDIR /src +RUN --mount=type=cache,target=/workdir \ + --mount=type=bind,from=repos,target=/repos \ + --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \ + --mount=type=bind,from=repos,src=/,dst=/repos < Date: Tue, 21 Jan 2025 13:38:08 -0500 Subject: [PATCH 03/14] tier-x -> packages-recommended.txt That's basically all this is...plus a default inheritance from the base image. Signed-off-by: Colin Walters --- Containerfile | 35 +++++++++++++++++++++++++++++++ Containerfile.base | 7 ++++--- README.md | 4 +--- fedora-tier-x.yaml | 8 ------- packages-recommended.txt | 45 ++++++++++++++++++++++++++++++++++++++++ tier-x/kernel.yaml | 1 - tier-x/manifest.yaml | 45 ---------------------------------------- 7 files changed, 85 insertions(+), 60 deletions(-) create mode 100644 Containerfile delete mode 100644 fedora-tier-x.yaml create mode 100644 packages-recommended.txt delete mode 120000 tier-x/kernel.yaml delete mode 100644 tier-x/manifest.yaml diff --git a/Containerfile b/Containerfile new file mode 100644 index 0000000..8fb88d6 --- /dev/null +++ b/Containerfile 
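Review bot: The builder-stage RUN binds the `repos` stage twice onto the same path, `--mount=type=bind,from=repos,target=/repos` and `--mount=type=bind,from=repos,src=/,dst=/repos`; one of the two should be dropped, since two mounts on `/repos` are at best redundant and at worst shadow each other depending on mount order. Both `FROM quay.io/fedora/fedora:rawhide` stages are pulled by tag, so the set of rpm-md repo files and GPG keys the compose trusts can change underneath each build; pinning by digest, or a comment stating that floating rawhide is intended, would make the base image's provenance reviewable. The remainder of the RUN heredoc is not visible in this chunk.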
@@ -0,0 +1,35 @@ +# This generates the default base image. + +# This is a local reference by default because we haven't shipped this image yet. +FROM localhost/fedora-bootc:base as rootfs +# Drop this into /usr/share/doc, so that other things can parse it +COPY packages-recommended.txt /usr/share/doc/fedora-bootc/packages-recommended.txt +RUN < Date: Tue, 21 Jan 2025 14:01:15 -0500 Subject: [PATCH 04/14] Rename tier-0 -> base Part of dropping the "tier" nomenclature which never made sense since the introduction of `tier-x` anyways. Signed-off-by: Colin Walters --- Containerfile.base | 6 ++---- README.md | 6 ++---- {tier-0 => base}/basic-fixes.yaml | 0 {tier-0 => base}/bootc.yaml | 0 {tier-0 => base}/bootupd.yaml | 0 {tier-0 => base}/finalize.d/01-var.sh | 0 {tier-0 => base}/group | 0 {tier-0 => base}/grub2-removals.yaml | 0 {tier-0 => base}/initramfs.yaml | 0 {tier-0 => base}/kernel-install.yaml | 0 {tier-0 => base}/kernel.yaml | 0 {tier-0 => base}/manifest.yaml | 5 +++-- {tier-0 => base}/ostree.yaml | 0 {tier-0 => base}/passwd | 0 {tier-0 => base}/postprocess-conf.yaml | 0 fedora-tier-0.yaml | 8 -------- 16 files changed, 7 insertions(+), 18 deletions(-) rename {tier-0 => base}/basic-fixes.yaml (100%) rename {tier-0 => base}/bootc.yaml (100%) rename {tier-0 => base}/bootupd.yaml (100%) rename {tier-0 => base}/finalize.d/01-var.sh (100%) rename {tier-0 => base}/group (100%) rename {tier-0 => base}/grub2-removals.yaml (100%) rename {tier-0 => base}/initramfs.yaml (100%) rename {tier-0 => base}/kernel-install.yaml (100%) rename {tier-0 => base}/kernel.yaml (100%) rename {tier-0 => base}/manifest.yaml (91%) rename {tier-0 => base}/ostree.yaml (100%) rename {tier-0 => base}/passwd (100%) rename {tier-0 => base}/postprocess-conf.yaml (100%) delete mode 100644 fedora-tier-0.yaml diff --git a/Containerfile.base b/Containerfile.base index 28c81b0..55af79f 100644 --- a/Containerfile.base +++ b/Containerfile.base 
@@ -12,8 +12,6 @@ FROM quay.io/fedora/fedora:rawhide as repos # BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted. FROM quay.io/fedora/fedora:rawhide as builder RUN dnf -y install rpm-ostree selinux-policy-targeted -# Change the input manifest if desired, but this is discouraged. -ARG MANIFEST=fedora-tier-0.yaml # Copy in our source code. COPY . /src WORKDIR /src @@ -27,9 +25,9 @@ for x in etc/dnf etc/yum.repos.d etc/pki/rpm-gpg; do rm -rf /"$x" && cp -a /repos/${x} /$x done # And copy to the workdir; TODO fix this in rpm-ostree -cp /etc/yum.repos.d/*.repo . +cp /etc/yum.repos.d/*.repo base rpm-ostree compose image --image-config fedora-bootc-config.json \ - --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} \ + --cachedir=/workdir --format=ociarchive --initialize base/manifest.yaml \ --source-root=/repos /buildcontext/out.ociarchive EORUN diff --git a/README.md b/README.md index 467b6fc..dfda627 100644 --- a/README.md +++ b/README.md @@ -58,12 +58,10 @@ It is planned to rework and improve this in the future, especially to support smaller custom images. For more on this, see [this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32). +- **base**: A base image with the effective equivalent of installing `bootc kernel systemd dnf` + with "recommends" off. Intended as a derivation starting point for minimal systems. - **tier-1**: This image is the default, what is published as https://quay.io/repository/fedora/fedora-bootc -- **tier-0**: This content set is more of a convenient centralization point for CI - and curation around a package set that we can all agree is the rough minimum - necessary for a usable system. It's not meant to be used as is, but layered - upon. - **packages-recommended.txt**: This content set is the shared base used by all image-based Fedora variants (IoT, Atomic Desktops, and CoreOS). Changes to this tier may be done without accounting for external users. 
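Review bot: In the second hunk, `cp /etc/yum.repos.d/*.repo base` feeds whatever the `repos` stage ships straight into `rpm-ostree compose image ... base/manifest.yaml`, so package signature verification for the whole compose rests on the `gpgcheck=` setting of those copied files and nothing in the build asserts it; unless rpm-ostree enforces this elsewhere, a guard before the compose such as `for r in base/*.repo; do grep -q '^gpgcheck=1' "$r" || exit 1; done` would fail the build if a repo file turns verification off. Dropping `ARG MANIFEST` in the first hunk also removes the only documented override point, so a short comment next to the hardcoded `base/manifest.yaml` saying the path is intentionally fixed would help readers of the old docs. The RUN heredoc these lines belong to begins outside the hunk.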
diff --git a/tier-0/basic-fixes.yaml b/base/basic-fixes.yaml
similarity index 100%
rename from tier-0/basic-fixes.yaml
rename to base/basic-fixes.yaml
diff --git a/tier-0/bootc.yaml b/base/bootc.yaml
similarity index 100%
rename from tier-0/bootc.yaml
rename to base/bootc.yaml
diff --git a/tier-0/bootupd.yaml b/base/bootupd.yaml
similarity index 100%
rename from tier-0/bootupd.yaml
rename to base/bootupd.yaml
diff --git a/tier-0/finalize.d/01-var.sh b/base/finalize.d/01-var.sh
similarity index 100%
rename from tier-0/finalize.d/01-var.sh
rename to base/finalize.d/01-var.sh
diff --git a/tier-0/group b/base/group
similarity index 100%
rename from tier-0/group
rename to base/group
diff --git a/tier-0/grub2-removals.yaml b/base/grub2-removals.yaml
similarity index 100%
rename from tier-0/grub2-removals.yaml
rename to base/grub2-removals.yaml
diff --git a/tier-0/initramfs.yaml b/base/initramfs.yaml
similarity index 100%
rename from tier-0/initramfs.yaml
rename to base/initramfs.yaml
diff --git a/tier-0/kernel-install.yaml b/base/kernel-install.yaml
similarity index 100%
rename from tier-0/kernel-install.yaml
rename to base/kernel-install.yaml
diff --git a/tier-0/kernel.yaml b/base/kernel.yaml
similarity index 100%
rename from tier-0/kernel.yaml
rename to base/kernel.yaml
diff --git a/tier-0/manifest.yaml b/base/manifest.yaml
similarity index 91%
rename from tier-0/manifest.yaml
rename to base/manifest.yaml
index a531a15..b10e3ce 100644
--- a/tier-0/manifest.yaml
+++ b/base/manifest.yaml
@@ -24,14 +24,15 @@ include: - kernel-install.yaml packages: + # This can be replaced later + - kernel # this is implied by dependencies but let's make it explicit - coreutils # We need dnf for building derived container images. In Fedora, this pulls # in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to # just `dnf` once the `dnf` package is retired from Fedora. - /usr/bin/dnf - # Even in tier-0, we have this. If you don't want SELinux today, you'll need - # to build a custom image. + # If you don't want SELinux today, you'll need to build a custom image. - selinux-policy-targeted # And we want container-selinux because trying to layer it on later currently causes issues. - container-selinux diff --git a/tier-0/ostree.yaml b/base/ostree.yaml similarity index 100% rename from tier-0/ostree.yaml rename to base/ostree.yaml diff --git a/tier-0/passwd b/base/passwd similarity index 100% rename from tier-0/passwd rename to base/passwd diff --git a/tier-0/postprocess-conf.yaml b/base/postprocess-conf.yaml similarity index 100% rename from tier-0/postprocess-conf.yaml rename to base/postprocess-conf.yaml diff --git a/fedora-tier-0.yaml b/fedora-tier-0.yaml deleted file mode 100644 index 6cef2a1..0000000 --- a/fedora-tier-0.yaml +++ /dev/null @@ -1,8 +0,0 @@ -metadata: - name: fedora-boot-tier0 - summary: Fedora Bootable Tier 0 - -include: - - fedora-generic.yaml - - tier-0/manifest.yaml - - tier-0/kernel.yaml From 2a387e2167bb42a5fda810c2717d8d5481d1d7e5 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 21 Jan 2025 15:27:48 -0500 Subject: [PATCH 05/14] ci: Rework Signed-off-by: Colin Walters --- .gitlab-ci.yml | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 08c0ffe..ef4c96e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -1,15 +1,17 @@ ---- -include: - - remote: https://gitlab.com/platform-engineering-org/gitlab-ci/-/raw/main/templates/build-image.gitlab-ci.yml +stages: + - build -build-image: +variables: + IMAGE_PREFIX: ${CI_REGISTRY}/${CI_PROJECT_PATH} + +.build-image: + stage: build + image: quay.io/buildah/stable:v1.38.0 + needs: [] + +build: extends: .build-image - parallel: - matrix: - - TIER: [tier-0, tier-1, tier-x] - variables: - EXTRA_ARGS: "--security-opt=label=disable --cap-add=all --build-arg MANIFEST=fedora-$TIER.yaml" - rules: - - if: $CI_PROJECT_NAMESPACE != "fedora/bootc" - when: never - - if: $CI_PIPELINE_SOURCE == "merge_request_event" + stage: build + script: | + buildah bud -f Containerfile.base --no-cache --security-opt=label=disable --cap-add=all --device /dev/fuse -t ${IMAGE_PREFIX}-base . + buildah bud -f Containerfile --no-cache --from ${IMAGE_PREFIX}-base -t ${IMAGE_PREFIX}-standard . From 1901092f5dde5af1f2cfb61d6a784eac36a731d0 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 21 Jan 2025 16:06:37 -0500 Subject: [PATCH 06/14] Move labels into Containerfile.base Signed-off-by: Colin Walters --- Containerfile.base | 12 +++++++++++- fedora-bootc-config.json | 12 ------------ 2 files changed, 11 insertions(+), 13 deletions(-) delete mode 100644 fedora-bootc-config.json diff --git a/Containerfile.base b/Containerfile.base index 55af79f..ef4ac22 100644 --- a/Containerfile.base +++ b/Containerfile.base 
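Review bot: The rewritten `build` job has no `rules:` block, so the privileged buildah run (`--security-opt=label=disable --cap-add=all --device /dev/fuse`) now executes for every pipeline source in every namespace, whereas the removed job was limited to `fedora/bootc` merge-request pipelines; if dropping that restriction was not intended, restore `rules:` with `- if: $CI_PIPELINE_SOURCE == "merge_request_event"`. `stage: build` on `build` repeats what `.build-image` already sets through `extends`. Pinning `quay.io/buildah/stable:v1.38.0` by digest rather than tag would make the CI build environment reproducible.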
@@ -26,13 +26,23 @@ for x in etc/dnf etc/yum.repos.d etc/pki/rpm-gpg; do done # And copy to the workdir; TODO fix this in rpm-ostree cp /etc/yum.repos.d/*.repo base -rpm-ostree compose image --image-config fedora-bootc-config.json \ +rpm-ostree compose image \ --cachedir=/workdir --format=ociarchive --initialize base/manifest.yaml \ --source-root=/repos /buildcontext/out.ociarchive EORUN # This pulls in the OCI archive generated in the previous step. FROM oci-archive:./out.ociarchive +LABEL containers.bootc 1 +# This is an ad-hoc way for us to reference bootc-image-builder in +# a way that in theory client tooling can inspect and find. Today +# it isn't widely used. +LABEL bootc.diskimage-builder quay.io/centos-bootc/bootc-image-builder +# https://pagure.io/fedora-kiwi-descriptions/pull-request/52 +ENV container=oci +# Make systemd the default +STOPSIGNAL SIGRTMIN+3 +CMD ["/sbin/init"] # Need to reference builder here to force ordering. But since we have to run # something anyway, we might as well cleanup after ourselves. RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \ diff --git a/fedora-bootc-config.json b/fedora-bootc-config.json deleted file mode 100644 index 3a53fe1..0000000 --- a/fedora-bootc-config.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "Labels": { - "containers.bootc": "1", - "bootc.diskimage-builder": "quay.io/centos-bootc/bootc-image-builder", - "redhat.id": "fedora", - "redhat.version-id": "rawhide" - }, - "StopSignal": "SIGRTMIN+3", - "Env": [ - "container=oci" - ] -} From e2aa69433cf369cdbd457987db9e68adb7bbbd0e Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 21 Jan 2025 16:14:48 -0500 Subject: [PATCH 07/14] Move fedora-repos-archive into base Signed-off-by: Colin Walters --- fedora-generic.yaml => base/fedora-repos.yaml | 0 base/manifest.yaml | 1 + 2 files changed, 1 insertion(+) rename fedora-generic.yaml => base/fedora-repos.yaml (100%) 
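Review bot: The deleted fedora-bootc-config.json also carried `redhat.id` and `redhat.version-id` labels, but only `containers.bootc` and `bootc.diskimage-builder` are re-added after `FROM oci-archive:./out.ociarchive`, so any tooling keyed on those two labels loses them unless the drop is deliberate; if it is, the commit message should say so. `LABEL containers.bootc 1` uses the legacy whitespace form; `LABEL containers.bootc=1` and `LABEL bootc.diskimage-builder=quay.io/centos-bootc/bootc-image-builder` are the documented key=value form. The trailing `RUN --mount=...` continues outside the hunk.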
diff --git a/fedora-generic.yaml b/base/fedora-repos.yaml similarity index 100% rename from fedora-generic.yaml rename to base/fedora-repos.yaml diff --git a/base/manifest.yaml b/base/manifest.yaml index b10e3ce..6420455 100644 --- a/base/manifest.yaml +++ b/base/manifest.yaml @@ -22,6 +22,7 @@ include: - initramfs.yaml - basic-fixes.yaml - kernel-install.yaml + - fedora-repos.yaml packages: # This can be replaced later From a14ba656200f3a34fadce7e5386b61ed55e7e342 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 21 Jan 2025 16:16:44 -0500 Subject: [PATCH 08/14] Drop unused fedora-tier-1 Signed-off-by: Colin Walters --- fedora-tier-1.yaml | 1 - 1 file changed, 1 deletion(-) delete mode 120000 fedora-tier-1.yaml diff --git a/fedora-tier-1.yaml b/fedora-tier-1.yaml deleted file mode 120000 index d9c3fd0..0000000 --- a/fedora-tier-1.yaml +++ /dev/null @@ -1 +0,0 @@ -fedora-bootc.yaml \ No newline at end of file From 3addf4c691c657fbd7816eb889f4c433c73967dd Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 21 Jan 2025 16:39:00 -0500 Subject: [PATCH 09/14] Move persistent-journal into base This is something we want people to have by default. Signed-off-by: Colin Walters --- base/manifest.yaml | 1 + {tier-1 => base}/persistent-journal.yaml | 0 2 files changed, 1 insertion(+) rename {tier-1 => base}/persistent-journal.yaml (100%) diff --git a/base/manifest.yaml b/base/manifest.yaml index 6420455..e1c31fa 100644 --- a/base/manifest.yaml +++ b/base/manifest.yaml @@ -22,6 +22,7 @@ include: - initramfs.yaml - basic-fixes.yaml - kernel-install.yaml + - persistent-journal.yaml - fedora-repos.yaml packages: diff --git a/tier-1/persistent-journal.yaml b/base/persistent-journal.yaml similarity index 100% rename from tier-1/persistent-journal.yaml rename to base/persistent-journal.yaml From 176ede233215fdd669831367eb13e1a808e06ab9 Mon Sep 17 00:00:00 2001 
From: Colin Walters Date: Tue, 21 Jan 2025 17:12:06 -0500 Subject: [PATCH 10/14] Split excluded and arch packages into "package text file" Aiming to have the main container build not use rpm-ostree. Signed-off-by: Colin Walters --- Containerfile | 33 ++++++++++-- base/bootc.yaml | 6 --- packages-aarch64.txt | 1 + packages-excluded.txt | 21 ++++++++ packages-ppc64le.txt | 4 ++ packages-x86_64.txt | 1 + tier-1/initramfs-full.yaml | 8 --- tier-1/kernel.yaml | 1 - tier-1/manifest.yaml | 54 ------------------- tier-1/networking-tools.yaml | 4 -- .../dracut/dracut.conf.d/30-bootc-full.conf | 1 + 11 files changed, 56 insertions(+), 78 deletions(-) create mode 100644 packages-aarch64.txt create mode 100644 packages-excluded.txt create mode 100644 packages-ppc64le.txt create mode 100644 packages-x86_64.txt delete mode 100644 tier-1/initramfs-full.yaml delete mode 120000 tier-1/kernel.yaml create mode 100644 tier-1/usr/lib/dracut/dracut.conf.d/30-bootc-full.conf diff --git a/Containerfile b/Containerfile index 8fb88d6..c3bb6c7 100644 --- a/Containerfile +++ b/Containerfile @@ -2,18 +2,41 @@ # This is a local reference by default because we haven't shipped this image yet. FROM localhost/fedora-bootc:base as rootfs -# Drop this into /usr/share/doc, so that other things can parse it -COPY packages-recommended.txt /usr/share/doc/fedora-bootc/packages-recommended.txt +# Drop our package sets into /usr/share/doc, so that other things can parse it +COPY packages-*.txt /usr/share/doc/fedora-bootc/ +# Overlay our defaults +COPY tier-1/usr/ /usr/ RUN < /usr/lib/dracut/dracut.conf.d/30-bootc-tier-1.conf << 'EOF' - add_dracutmodules+=" lvm crypt fips " - EOF diff --git a/tier-1/kernel.yaml b/tier-1/kernel.yaml deleted file mode 120000 index d6f64cc..0000000 --- a/tier-1/kernel.yaml +++ /dev/null @@ -1 +0,0 @@ -../tier-0/kernel.yaml \ No newline at end of file diff --git a/tier-1/manifest.yaml b/tier-1/manifest.yaml index c84117b..826e11b 100644 --- a/tier-1/manifest.yaml 
+++ b/tier-1/manifest.yaml @@ -8,7 +8,6 @@ include: - system-configuration.yaml - coreos-user-experience.yaml - persistent-journal.yaml - - initramfs-full.yaml - generic-growfs.yaml packages: 
@@ -36,56 +35,3 @@ packages: - zram-generator # This one is in Python so isn't in FCOS, but we can safely add it here. - sos - -# These are random architecture-specific packages -packages-x86_64: - - irqbalance -packages-ppc64le: - - irqbalance - - librtas - - powerpc-utils-core - - ppc64-diag-rtas -packages-aarch64: - - irqbalance - -postprocess: - # Undo RPM scripts enabling units; we want the presets to be canonical - # https://github.com/projectatomic/rpm-ostree/issues/1803 - - | - #!/usr/bin/env bash - set -xeuo pipefail - rm -rf /etc/systemd/system/* - systemctl preset-all - rm -rf /etc/systemd/user/* - systemctl --user --global preset-all - # See: https://github.com/coreos/fedora-coreos-tracker/issues/1253 - # https://bugzilla.redhat.com/show_bug.cgi?id=2112857 - # https://github.com/coreos/rpm-ostree/issues/3918 - # Temporary workaround to remove the SetGID binary from liblockfile that is - # pulled by the s390utils but not needed for /usr/sbin/zipl. - - | - #!/usr/bin/env bash - set -xeuo pipefail - rm -f /usr/bin/dotlockfile - -# Things we don't expect to ship on the host. We currently -# have recommends: false so these could only come in via -# hard requirement, in which case the build will fail. -exclude-packages: - - perl - - perl-interpreter - - nodejs - - grubby - - cowsay # Just in case - # Let's make sure initscripts doesn't get pulled back in - # https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254 - - initscripts - # For (datacenter/cloud oriented) servers, we want to see the details by default. - # https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/ - - plymouth - # Do not use legacy ifcfg config format in NetworkManager - # See https://github.com/coreos/fedora-coreos-config/pull/1991 - - NetworkManager-initscripts-ifcfg-rh - # Let's not have both legacy and nft versions in the image. Users are free to - # also layer legacy themselves if they want. 
- - iptables-legacy diff --git a/tier-1/networking-tools.yaml b/tier-1/networking-tools.yaml index 7d6e7d1..79ad66c 100644 --- a/tier-1/networking-tools.yaml +++ b/tier-1/networking-tools.yaml @@ -14,7 +14,3 @@ packages: - iptables nftables # Interactive network tools for admins - socat net-tools bind-utils - -exclude-packages: - # We use NetworkManager - - systemd-networkd diff --git a/tier-1/usr/lib/dracut/dracut.conf.d/30-bootc-full.conf b/tier-1/usr/lib/dracut/dracut.conf.d/30-bootc-full.conf new file mode 100644 index 0000000..c580b15 --- /dev/null +++ b/tier-1/usr/lib/dracut/dracut.conf.d/30-bootc-full.conf @@ -0,0 +1 @@ +add_dracutmodules+=" lvm crypt fips " From d6f376b36e865c4af5637a3da30f993f0e16223a Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 21 Jan 2025 17:19:28 -0500 Subject: [PATCH 11/14] Move growfs and autoupdates into `tier-1/usr` overlay, use preset Instead of having postprocessing scripts for these, add them to the overlay. Also instead of hand rolling static systemd enablement, add and use a preset file for them instead. (This also makes it easier for downstream container images to rerun the presets if they wanted to) Signed-off-by: Colin Walters --- tier-1/autoupdates.yaml | 9 --------- tier-1/generic-growfs.yaml | 12 ------------ tier-1/manifest.yaml | 3 --- tier-1/usr/lib/systemd/system-preset/05-bootc.preset | 7 +++++++ .../systemd/system}/bootc-generic-growpart.service | 0 tier-1/{ => usr/libexec}/bootc-generic-growpart | 0 6 files changed, 7 insertions(+), 24 deletions(-) delete mode 100644 tier-1/autoupdates.yaml delete mode 100644 tier-1/generic-growfs.yaml create mode 100644 tier-1/usr/lib/systemd/system-preset/05-bootc.preset rename tier-1/{ => usr/lib/systemd/system}/bootc-generic-growpart.service (100%) rename tier-1/{ => usr/libexec}/bootc-generic-growpart (100%) diff --git a/tier-1/autoupdates.yaml b/tier-1/autoupdates.yaml deleted file mode 100644 index a416699..0000000 --- a/tier-1/autoupdates.yaml +++ /dev/null 
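Review bot: This one-line dracut snippet replaces the deleted tier-1/initramfs-full.yaml, but it now arrives via `COPY tier-1/usr/ /usr/` in the Containerfile, after the initramfs was already generated during the base compose; unless the Containerfile's RUN step (not visible in this chunk) regenerates the initramfs, ` lvm crypt fips ` will not be in the shipped initramfs and FIPS mode in particular would silently lack its dracut module. A comment in the conf file naming the step that is expected to rebuild the initramfs after this overlay would make that dependency explicit. The same patch also deletes the tier-1/manifest.yaml postprocess that ran `systemctl preset-all` and removed the setgid `/usr/bin/dotlockfile`; where those landed is likewise not visible here.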
@@ -1,9 +0,0 @@ -# Enable automatic updates by default -postprocess: - - | - #!/usr/bin/env bash - set -euo pipefail - target=/usr/lib/systemd/system/default.target.wants - mkdir -p $target - set -x - ln -s ../bootc-fetch-apply-updates.timer $target diff --git a/tier-1/generic-growfs.yaml b/tier-1/generic-growfs.yaml deleted file mode 100644 index f64be92..0000000 --- a/tier-1/generic-growfs.yaml +++ /dev/null @@ -1,12 +0,0 @@ -add-files: - - - bootc-generic-growpart - - /usr/libexec/bootc-generic-growpart - - - bootc-generic-growpart.service - - /usr/lib/systemd/system/bootc-generic-growpart.service - -postprocess: - - | - #!/bin/bash - set -euo pipefail - mkdir -p /usr/lib/systemd/system/local-fs.target.wants - ln -s ../bootc-generic-growpart.service /usr/lib/systemd/system/local-fs.target.wants/bootc-generic-growpart.service diff --git a/tier-1/manifest.yaml b/tier-1/manifest.yaml index 826e11b..be1857b 100644 --- a/tier-1/manifest.yaml +++ b/tier-1/manifest.yaml @@ -3,12 +3,9 @@ recommends: true include: - ../tier-x/manifest.yaml - - autoupdates.yaml - networking-tools.yaml - system-configuration.yaml - coreos-user-experience.yaml - - persistent-journal.yaml - - generic-growfs.yaml packages: # Include and set the default editor diff --git a/tier-1/usr/lib/systemd/system-preset/05-bootc.preset b/tier-1/usr/lib/systemd/system-preset/05-bootc.preset new file mode 100644 index 0000000..e6e9067 --- /dev/null +++ b/tier-1/usr/lib/systemd/system-preset/05-bootc.preset @@ -0,0 +1,7 @@ +# Our fallback +enable bootc-generic-growpart.service + +# We enable this by default just so we can say we have automatic +# updates on by default, like CoreOS. It's very much intended +# to be tweaked or replaced outside of trivial scenarios though. +enable bootc-fetch-apply-updates.timer 
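Review bot: The manifest hunk also drops `- persistent-journal.yaml` from the include list, which the commit message (autoupdates and growfs) does not mention, and the diffstat shows no change to that file; if it still exists in the tree its configuration is now silently excluded, and if it was removed in an earlier commit this is a stale include that should be named in the description. Either a sentence in the commit message or moving that configuration into the `usr/` overlay alongside the other two would make the change self-explanatory.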
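Review bot: `enable bootc-generic-growpart.service` and `enable bootc-fetch-apply-updates.timer` only take effect if each unit carries an `[Install]` section (for the service presumably `WantedBy=local-fs.target`, matching the `local-fs.target.wants` symlink the deleted postprocess script created), and the service file is renamed unchanged here so its content is not visible; confirm that section exists and that the image build runs `systemctl preset-all` after this overlay is copied. Because this preset turns on automatic updates for every image built from here, the existing comment would be more useful if it also said how to opt out, e.g. `# To disable downstream, ship a preset file that sorts before this one (systemd applies the lexicographically earliest match) with: disable bootc-fetch-apply-updates.timer`.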
diff --git a/tier-1/bootc-generic-growpart.service b/tier-1/usr/lib/systemd/system/bootc-generic-growpart.service similarity index 100% rename from tier-1/bootc-generic-growpart.service rename to tier-1/usr/lib/systemd/system/bootc-generic-growpart.service diff --git a/tier-1/bootc-generic-growpart b/tier-1/usr/libexec/bootc-generic-growpart similarity index 100% rename from tier-1/bootc-generic-growpart rename to tier-1/usr/libexec/bootc-generic-growpart From 8a6332e49186061ceeb02f0a2e54331d4f2bb2f6 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 21 Jan 2025 17:33:50 -0500 Subject: [PATCH 12/14] Merge tier-1 to the toplevel Now we just have a minimal base, and what was tier-1 is now just the default content. We still do capture the previous conception of "tier-x" in `packages-recommended-minimal.txt` so that people starting from scratch can install using that. 
Signed-off-by: Colin Walters --- Containerfile | 18 ++-- README.md | 24 ++---- ...ed.txt => packages-recommended-minimal.txt | 0 packages.txt | 84 +++++++++++++++++++ tier-1/coreos-user-experience.yaml | 17 ---- tier-1/manifest.yaml | 34 -------- tier-1/networking-tools.yaml | 16 ---- tier-1/system-configuration.yaml | 30 ------- .../dracut/dracut.conf.d/30-bootc-full.conf | 0 .../lib/systemd/system-preset/05-bootc.preset | 0 .../system/bootc-generic-growpart.service | 0 .../libexec/bootc-generic-growpart | 0 12 files changed, 99 insertions(+), 124 deletions(-) rename packages-recommended.txt => packages-recommended-minimal.txt (100%) create mode 100644 packages.txt delete mode 100644 tier-1/coreos-user-experience.yaml delete mode 100644 tier-1/manifest.yaml delete mode 100644 tier-1/networking-tools.yaml delete mode 100644 tier-1/system-configuration.yaml rename {tier-1/usr => usr}/lib/dracut/dracut.conf.d/30-bootc-full.conf (100%) rename {tier-1/usr => usr}/lib/systemd/system-preset/05-bootc.preset (100%) rename {tier-1/usr => usr}/lib/systemd/system/bootc-generic-growpart.service (100%) rename {tier-1/usr => usr}/libexec/bootc-generic-growpart (100%) diff --git a/Containerfile b/Containerfile index c3bb6c7..1c6f1c6 100644 --- a/Containerfile +++ b/Containerfile 
@@ -3,26 +3,26 @@ # This is a local reference by default because we haven't shipped this image yet. FROM localhost/fedora-bootc:base as rootfs # Drop our package sets into /usr/share/doc, so that other things can parse it -COPY packages-*.txt /usr/share/doc/fedora-bootc/ +COPY packages*.txt /usr/share/doc/fedora-bootc/ # Overlay our defaults -COPY tier-1/usr/ /usr/ +COPY usr/ /usr/ RUN <= 10 +crypto-policies-scripts +# Configuring SSH keys, cloud provider check-in, etc +# TODO: needs Ignition kargs +# - afterburn afterburn-dracut +# NTP support +chrony +# Storage configuration/management +sg3_utils +## This is generally useful... https://github.com/CentOS/centos-bootc/issues/394 +cloud-utils-growpart +# User configuration +passwd +shadow-utils +acl +# Manipulating the kernel keyring; used by bootc +keyutils +# There are things that write outside of the journal still (such as the +# classic wtmp, etc.). auditd also writes outside the journal but it has its +# own log rotation. +# Anything package layered will also tend to expect files dropped in +# /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't +# have it then people's disks will slowly fill up with logs. +logrotate +# Boost starving threads +# https://github.com/coreos/fedora-coreos-tracker/issues/753 +stalld + +# This defines a set of tools that are useful for configuring, debugging, +# or manipulating the network of a system. +# Interactive Networking configuration during coreos-install +NetworkManager-tui +# Support for cloud quirks and dynamic config in real rootfs: +# https://github.com/coreos/fedora-coreos-tracker/issues/320 +NetworkManager-cloud-setup +# Route manipulation and QoS +iproute iproute-tc +# Firewall manipulation +iptables nftables +# Interactive network tools for admins +socat net-tools bind-utils \ No newline at end of file diff --git a/tier-1/coreos-user-experience.yaml b/tier-1/coreos-user-experience.yaml deleted file mode 100644 index 1098094..0000000 
--- a/tier-1/coreos-user-experience.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# This file was forked/copied from Fedora CoreOS. TODO: resync -# once we have a good generic mechanism for sharing. -packages: - # Additional file compression/decompression - - bzip2 zstd - # Improved MOTD experience - - console-login-helper-messages-issuegen - - console-login-helper-messages-profile - # kdump support - # https://github.com/coreos/fedora-coreos-tracker/issues/622 - - kexec-tools - # Container tooling - - toolbox - # nvme-cli for managing nvme disks - - nvme-cli - # Used by admins interactively - - lsof diff --git a/tier-1/manifest.yaml b/tier-1/manifest.yaml deleted file mode 100644 index be1857b..0000000 --- a/tier-1/manifest.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# Flip this back on, we're going to be a larger system -recommends: true - -include: - - ../tier-x/manifest.yaml - - networking-tools.yaml - - system-configuration.yaml - - coreos-user-experience.yaml - -packages: - # Include and set the default editor - - nano - - nfs-utils - # Additional firewall support; we aren't including these in RHCOS or they - # don't exist in RHEL - - iptables-services - - WALinuxAgent-udev - # Allow communication between sudo and SSSD - # for caching sudo rules by SSSD. - # https://github.com/coreos/fedora-coreos-tracker/issues/445 - - libsss_sudo - # SSSD; we only ship a subset of the backends - - sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap - # Used by admins interactively - - openssl - # Provides terminal tools like clear, reset, tput, and tset - - ncurses - # i18n - - kbd - # zram-generator (but not zram-generator-defaults) for F33 change - # https://github.com/coreos/fedora-coreos-tracker/issues/509 - - zram-generator - # This one is in Python so isn't in FCOS, but we can safely add it here. - - sos diff --git a/tier-1/networking-tools.yaml b/tier-1/networking-tools.yaml deleted file mode 100644 index 79ad66c..0000000 --- a/tier-1/networking-tools.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -# This defines a set of tools that are useful for configuring, debugging, -# or manipulating the network of a system. It is desired to keep this list -# generic enough to be shared downstream with RHCOS. - -packages: - # Interactive Networking configuration during coreos-install - - NetworkManager-tui - # Support for cloud quirks and dynamic config in real rootfs: - # https://github.com/coreos/fedora-coreos-tracker/issues/320 - - NetworkManager-cloud-setup - # Route manipulation and QoS - - iproute iproute-tc - # Firewall manipulation - - iptables nftables - # Interactive network tools for admins - - socat net-tools bind-utils diff --git a/tier-1/system-configuration.yaml b/tier-1/system-configuration.yaml deleted file mode 100644 index 561da50..0000000 --- a/tier-1/system-configuration.yaml +++ /dev/null @@ -1,30 +0,0 @@ -# These are packages that are related to configuring parts of the system. - -packages: - # Explicit dep for RHEL >= 10 - - crypto-policies-scripts - # Configuring SSH keys, cloud provider check-in, etc - # TODO: needs Ignition kargs - # - afterburn afterburn-dracut - # NTP support - - chrony - # Storage configuration/management - - sg3_utils - ## This is generally useful... https://github.com/CentOS/centos-bootc/issues/394 - - cloud-utils-growpart - # User configuration - - passwd - - shadow-utils - - acl - # Manipulating the kernel keyring; used by bootc - - keyutils - # There are things that write outside of the journal still (such as the - # classic wtmp, etc.). auditd also writes outside the journal but it has its - # own log rotation. - # Anything package layered will also tend to expect files dropped in - # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't - # have it then people's disks will slowly fill up with logs. - - logrotate - # Boost starving threads - # https://github.com/coreos/fedora-coreos-tracker/issues/753 - - stalld 
diff --git a/tier-1/usr/lib/dracut/dracut.conf.d/30-bootc-full.conf b/usr/lib/dracut/dracut.conf.d/30-bootc-full.conf similarity index 100% rename from tier-1/usr/lib/dracut/dracut.conf.d/30-bootc-full.conf rename to usr/lib/dracut/dracut.conf.d/30-bootc-full.conf diff --git a/tier-1/usr/lib/systemd/system-preset/05-bootc.preset b/usr/lib/systemd/system-preset/05-bootc.preset similarity index 100% rename from tier-1/usr/lib/systemd/system-preset/05-bootc.preset rename to usr/lib/systemd/system-preset/05-bootc.preset diff --git a/tier-1/usr/lib/systemd/system/bootc-generic-growpart.service b/usr/lib/systemd/system/bootc-generic-growpart.service similarity index 100% rename from tier-1/usr/lib/systemd/system/bootc-generic-growpart.service rename to usr/lib/systemd/system/bootc-generic-growpart.service diff --git a/tier-1/usr/libexec/bootc-generic-growpart b/usr/libexec/bootc-generic-growpart similarity index 100% rename from tier-1/usr/libexec/bootc-generic-growpart rename to usr/libexec/bootc-generic-growpart From 98f6572750e88e9d79f5b609b83c743c6fd55703 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Wed, 22 Jan 2025 10:16:50 -0500 Subject: [PATCH 13/14] build-sys: Clean more directories Signed-off-by: Colin Walters --- Containerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Containerfile b/Containerfile index 1c6f1c6..f21a91e 100644 --- a/Containerfile +++ b/Containerfile @@ -36,7 +36,8 @@ rm -rf /etc/systemd/user/* systemctl --user --global preset-all dnf clean all -rm -vrf /var/log/* +# Lots of cleaning +rm -vrf /var/log /var/cache /var/lib/dnf bootc container lint EORUN From f2fbdd7dad6d2e6b3fbb634c4720c6d3168db30c Mon Sep 17 00:00:00 2001 
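Review bot: `rm -vrf /var/log /var/cache /var/lib/dnf` removes the directories themselves, whereas the line it replaces (`/var/log/*`) only emptied `/var/log`; anything that expects `/var/log` or `/var/cache` to exist before systemd-tmpfiles recreates them at boot would now fail, so either confirm tmpfiles covers these paths in this image or keep the glob form for the directories that must persist. The comment `# Lots of cleaning` says what but not why; something like `# Drop build-time state (logs, dnf cache and history) so it is not baked into the image` would document the intent. The RUN heredoc this line lives in starts outside the hunk.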
From: Colin Walters Date: Fri, 24 Jan 2025 14:12:50 -0500 Subject: [PATCH 14/14] base: Cleanup rpmdb First, ensure we remove the `-shm` files etc; this is another implementation of https://github.com/coreos/rpm-ostree/pull/5244 effectively, but in shell script in the container build pipeline. Also remove the rpm-ostree-base-db because I think it's the hardlinking here that's causing problems in gitlab CI where we can't rely on writethrough of hardlinks. I am hoping this fixes the gitlab CI. Signed-off-by: Colin Walters --- Containerfile.base | 4 ++-- base/finalize.d/05-rpmdb.sh | 24 ++++++++++++++++++++++++ 2 files changed, 26 insertions(+), 2 deletions(-) create mode 100755 base/finalize.d/05-rpmdb.sh diff --git a/Containerfile.base b/Containerfile.base index ef4ac22..689976a 100644 --- a/Containerfile.base +++ b/Containerfile.base @@ -9,9 +9,9 @@ # container image. FROM quay.io/fedora/fedora:rawhide as repos -# BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted. +# BOOTSTRAPPING: This can be any image that has the following packages. FROM quay.io/fedora/fedora:rawhide as builder -RUN dnf -y install rpm-ostree selinux-policy-targeted +RUN dnf -y install rpm-ostree selinux-policy-targeted sqlite # Copy in our source code. COPY . /src WORKDIR /src diff --git a/base/finalize.d/05-rpmdb.sh b/base/finalize.d/05-rpmdb.sh new file mode 100755 index 0000000..f4eea57 --- /dev/null +++ b/base/finalize.d/05-rpmdb.sh 
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -euo pipefail
+# https://github.com/coreos/rpm-ostree/pull/5244
+#
+sysimage_rpmdb=usr/lib/sysimage/rpm/rpmdb.sqlite
+rpmostree_rpmdb_dir=usr/share/rpm
+rpmostree_rpmdb="${rpmostree_rpmdb_dir}/rpmdb.sqlite"
+rpmostree_base_rpmdb_dir=usr/lib/sysimage/rpm-ostree-base-db
+rpmostree_base_rpmdb="${rpmostree_base_rpmdb_dir}/rpmdb.sqlite"
+pragma='PRAGMA journal_mode=delete;'
+
+# Forcibly delete this because ostree hardlinking the sqlite databases
+# confuses rpm. This will cause rpm-ostree to enter a fallback
+# mode with package layering, but that's OK.
+if test -d "${rpmostree_base_rpmdb_dir}"; then
+ echo "Removing ${rpmostree_base_rpmdb_dir}"
+ rm "${rpmostree_base_rpmdb_dir}" -rf
+fi
+for path in ${sysimage_rpmdb} ${rpmostree_rpmdb}; do
+ if test -f "${path}-shm"; then
+ echo "Executing in ${path}: ${pragma}"
+ sqlite3 "${path}" "${pragma}" >/dev/null
+ fi
+done
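Review bot: `rpmostree_base_rpmdb` is assigned but never read (only the `_dir` variable is used), so it should be dropped or used in the log message; ShellCheck would report it as SC2034. The loop header and the `rm` call would be tidier and more portable as `for path in "${sysimage_rpmdb}" "${rpmostree_rpmdb}"; do` and `rm -rf -- "${rpmostree_base_rpmdb_dir}"` (quoted expansions, options before the operand). Every path here is relative, so the script only works when the current directory is the target rootfs; that is presumably what the finalize.d runner guarantees, but a line such as `# Run from the root of the target filesystem: all paths below are relative to it.` after the shebang would make the contract explicit. The `-shm` test alone would miss a database whose `-wal` sidecar survived without its `-shm`; if that can happen in this pipeline, `if test -f "${path}-shm" || test -f "${path}-wal"; then` covers both.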