Merge branch 'custom-base' into 'wip-baseimage-rework'

Rework base image build

See merge request fedora/bootc/base-images!81

.gitlab-ci.yml

@@ -1,15 +1,17 @@
----
-include:
-  - remote: https://gitlab.com/platform-engineering-org/gitlab-ci/-/raw/main/templates/build-image.gitlab-ci.yml
+stages:
+  - build
 
-build-image:
+variables:
+  IMAGE_PREFIX: ${CI_REGISTRY}/${CI_PROJECT_PATH}
+
+.build-image:
+  stage: build
+  image: quay.io/buildah/stable:v1.38.0
+  needs: []
+
+build:
   extends: .build-image
-  parallel:
-    matrix:
-      - TIER: [tier-0, tier-1, tier-x]
-  variables:
-    EXTRA_ARGS: "--security-opt=label=disable --cap-add=all --build-arg MANIFEST=fedora-$TIER.yaml"
-  rules:
-    - if: $CI_PROJECT_NAMESPACE != "fedora/bootc"
-      when: never
-    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+  stage: build
+  script: |
+    buildah bud -f Containerfile.base --no-cache --security-opt=label=disable --cap-add=all --device /dev/fuse -t ${IMAGE_PREFIX}-base .
+    buildah bud -f Containerfile --no-cache --from ${IMAGE_PREFIX}-base -t ${IMAGE_PREFIX}-standard .

Containerfile

@@ -1,54 +1,59 @@
-# This container build uses some special features of podman that allow
-# a process executing as part of a container build to generate a new container
-# image "from scratch".
-#
-# This container build uses nested containerization, so you must build with e.g.
-# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...>
-#
-# # Why are we doing this?
-#
-# Today this base image build process uses rpm-ostree.  There is a lot of things that
-# rpm-ostree does when generating a container image...but important parts include:
-#
-# - auto-updating labels in the container metadata
-# - Generating "chunked" content-addressed reproducible image layers (notice
-#   how there are ~60 layers in the generated image)
-#
-# The latter bit in particular is currently impossible to do from Containerfile.
-# A future goal is adding some support for this in a way that can be honored by
-# buildah (xref https://github.com/containers/podman/discussions/12605)
-#
-# # Why does this build process require additional privileges?
-#
-# Because it's generating a base image and uses containerization features itself.
-# In the future some of this can be lifted.
+# This generates the default base image.
 
-FROM quay.io/fedora/fedora:rawhide as repos
+# This is a local reference by default because we haven't shipped this image yet.
+FROM localhost/fedora-bootc:base as rootfs
+# Drop our package sets into /usr/share/doc, so that other things can parse it
+COPY packages*.txt /usr/share/doc/fedora-bootc/
+# Overlay our defaults
+COPY usr/ /usr/
+RUN <<EORUN
+set -euo pipefail
+dnf_args=()
+echo "Loading packages-excluded"
+basedir=/usr/share/doc/fedora-bootc/
+for x in $(grep -E -v '^#' ${basedir}/packages-excluded.txt); do
+  dnf_args+=(--exclude ${x})
+done
+echo "Loading packages"
+package_files=(${basedir}/packages-recommended-minimal.txt ${basedir}/packages.txt)
+pkgfile_for_arch=/usr/share/doc/fedora-bootc/packages-$(arch).txt
+if test -f ${pkgfile_for_arch}; then
+  echo "Loading ${pkgfile_for_arch}"
+  package_files+=(${pkgfile_for_arch})
+fi
+base_pkgs=$(grep -hE -v '^#' ${package_files[@]})
+dnf -y ${dnf_args[@]} install $base_pkgs
 
-# BOOTSTRAPPING: This can be any image that has rpm-ostree and selinux-policy-targeted.
-FROM quay.io/fedora/fedora:rawhide as builder
-RUN dnf -y install rpm-ostree selinux-policy-targeted
-ARG MANIFEST=fedora-bootc.yaml
-COPY --from=repos /etc/dnf/vars /etc/dnf/vars
-COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg
-# The input git repository has .repo files committed to git rpm-ostree has historically
-# emphasized that.  But here, we are fetching the repos from the container base image.
-# So copy the source, and delete the hardcoded ones in git, and use the container base
-# image ones.  We can drop the ones commited to git when we hard switch to Containerfile.
-COPY . /src
-WORKDIR /src
-RUN rm -vf /src/*.repo
-COPY --from=repos /etc/yum.repos.d/*.repo /src
-RUN --mount=type=cache,target=/workdir \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-    --mount=type=bind,from=repos,src=/,dst=/repos \
-      rpm-ostree compose image --image-config fedora-bootc-config.json \
-        --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} \
-       --source-root=/repos /buildcontext/out.ociarchive
+# Ensure we regenerate the initramfs with new content
+# https://docs.fedoraproject.org/en-US/bootc/initramfs/
+kver=$(cd /usr/lib/modules && echo *); dracut -vf /usr/lib/modules/$kver/initramfs.img $kver
 
-FROM oci-archive:./out.ociarchive
+# Undo RPM scripts enabling units; we want the presets to be canonical for the base image.
+# https://github.com/projectatomic/rpm-ostree/issues/1803
+rm -rf /etc/systemd/system/*
+systemctl preset-all
+rm -rf /etc/systemd/user/*
+systemctl --user --global preset-all
+
+dnf clean all
+# Lots of cleaning
+rm -vrf /var/log /var/cache /var/lib/dnf
+bootc container lint
+EORUN
+
+# This image just needs rpm-ostree in the end that has
+# https://github.com/coreos/rpm-ostree/issues/5221
+FROM registry.gitlab.com/fedora/bootc/base-images-dev/fedora-bootc-dev:rawhide as builder
+RUN --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
+    --mount=from=rootfs,dst=/rootfs <<EORUN
+set -xeuo pipefail
+rm /buildcontext/out.oci -rf
+rpm-ostree experimental compose build-chunked-oci --bootc --format-version=1 \
+           --rootfs=/rootfs --output /buildcontext/out.oci
+EORUN
+
+FROM oci:./out.oci
 # Need to reference builder here to force ordering. But since we have to run
 # something anyway, we might as well cleanup after ourselves.
 RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
-    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
-      rm /buildcontext/out.ociarchive
+    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared rm /buildcontext/out.oci -rf

Containerfile.base

@@ -0,0 +1,50 @@
+# This is a relatively minimal base image build; it's intended as a derivation
+# point.
+#
+# This container build uses nested containerization to construct
+# a target rootfs from scratch; so you must build with e.g.
+# podman build --security-opt=label=disable --cap-add=all --device /dev/fuse <...>
+
+# If you want to configure the input rpm-md repositories, just override this
+# container image.
+FROM quay.io/fedora/fedora:rawhide as repos
+
+# BOOTSTRAPPING: This can be any image that has the following packages.
+FROM quay.io/fedora/fedora:rawhide as builder
+RUN dnf -y install rpm-ostree selinux-policy-targeted sqlite
+# Copy in our source code.
+COPY . /src
+WORKDIR /src
+RUN --mount=type=cache,target=/workdir \
+    --mount=type=bind,from=repos,target=/repos \
+    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
+    --mount=type=bind,from=repos,src=/,dst=/repos <<EORUN
+set -xeuo pipefail
+# Synchronize the dnf/rpm configs from the repos container.
+for x in etc/dnf etc/yum.repos.d etc/pki/rpm-gpg; do
+  rm -rf /"$x" && cp -a /repos/${x} /$x
+done
+# And copy to the workdir; TODO fix this in rpm-ostree
+cp /etc/yum.repos.d/*.repo base
+rpm-ostree compose image \
+    --cachedir=/workdir --format=ociarchive --initialize base/manifest.yaml \
+    --source-root=/repos /buildcontext/out.ociarchive
+EORUN
+
+# This pulls in the OCI archive generated in the previous step.
+FROM oci-archive:./out.ociarchive
+LABEL containers.bootc 1
+# This is an ad-hoc way for us to reference bootc-image-builder in
+# a way that in theory client tooling can inspect and find. Today
+# it isn't widely used.
+LABEL bootc.diskimage-builder quay.io/centos-bootc/bootc-image-builder
+# https://pagure.io/fedora-kiwi-descriptions/pull-request/52
+ENV container=oci
+# Make systemd the default
+STOPSIGNAL SIGRTMIN+3
+CMD ["/sbin/init"]
+# Need to reference builder here to force ordering. But since we have to run
+# something anyway, we might as well cleanup after ourselves.
+RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
+    --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
+      rm /buildcontext/out.ociarchive

README.md

@@ -47,33 +47,17 @@ podman build --from quay.io/fedora/fedora:41 ...
 You are of course also free to fork, customize, and build base images yourself.
 See this page[6] of the documentation for more information.
 
-## Tiers
+## Images
 
 At the current time, there is just one reference base image published
-to the registry. Internally the content set is split up somewhat
-into "tiers", but this is an internal implementation detail and may change
-at any time.
+to the registry. There is a `Containerfile.base` which produces a
+quite minimal base image, from which the default image derives.
 
-It is planned to rework and improve this in the future, especially
-to support smaller custom images. For more on this, see
-[this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32).
+More on the history from [this tracker issue](https://gitlab.com/fedora/bootc/tracker/-/issues/32).
 
-- **tier-1**: This image is the default, what is published as
-  https://quay.io/repository/fedora/fedora-bootc
-- **tier-0**: This content set is more of a convenient centralization point for CI
-  and curation around a package set that we can all agree is the rough minimum
-  necessary for a usable system. It's not meant to be used as is, but layered
-  upon.
-- **tier-x**: This content set is the shared base used by all image-based
-  Fedora variants (IoT, Atomic Desktops, and CoreOS).
-  Changes to this tier may be done without accounting for external users.
-  To build this, pass `--build-arg=MANIFEST=fedora-tier-x.yaml` to the build
-  command above.
-
-**tier-1** inherits from **tier-x** and **tier-x** in turn inherit from **tier-0**.
-
-All non-trivial changes to **tier-0** and **tier-x** should be ACKed by at least
-one stakeholder of each Fedora variant WGs.
+- Containefile.base: A base image with the effective equivalent of installing `bootc kernel systemd dnf`
+  with "recommends" off. Intended as a derivation starting point for minimal systems.
+- Containerfile: Produces the default much larger image; somewhat similar to CoreOS.
 
 ## More information
 

base/bootc.yaml

@@ -9,9 +9,3 @@ packages:
  # Required by bootc install, sgdisk has been replaced by Rust crate
  # in bootc https://github.com/containers/bootc/pull/775
  - xfsprogs e2fsprogs dosfstools
-
-exclude-packages:
-  # Exclude kernel-debug-core to make sure that it doesn't somehow get
-  # chosen as the package to satisfy the `kernel-core` dependency from
-  # the kernel package.
-  - kernel-debug-core

base/finalize.d/05-rpmdb.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+set -euo pipefail
+# https://github.com/coreos/rpm-ostree/pull/5244
+# 
+sysimage_rpmdb=usr/lib/sysimage/rpm/rpmdb.sqlite
+rpmostree_rpmdb_dir=usr/share/rpm
+rpmostree_rpmdb="${rpmostree_rpmdb_dir}/rpmdb.sqlite"
+rpmostree_base_rpmdb_dir=usr/lib/sysimage/rpm-ostree-base-db
+rpmostree_base_rpmdb="${rpmostree_base_rpmdb_dir}/rpmdb.sqlite"
+pragma='PRAGMA journal_mode=delete;'
+
+# Forcibly delete this because ostree hardlinking the sqlite databases
+# confuses rpm. This will cause rpm-ostree to enter a fallback
+# mode with package layering, but that's OK.
+if test -d "${rpmostree_base_rpmdb_dir}"; then
+    echo "Removing ${rpmostree_base_rpmdb_dir}"
+    rm "${rpmostree_base_rpmdb_dir}" -rf
+fi
+for path in ${sysimage_rpmdb} ${rpmostree_rpmdb}; do
+    if test -f "${path}-shm"; then
+        echo "Executing in ${path}: ${pragma}"
+        sqlite3 "${path}" "${pragma}" >/dev/null
+    fi
+done

base/manifest.yaml

@@ -22,16 +22,19 @@ include:
   - initramfs.yaml
   - basic-fixes.yaml
   - kernel-install.yaml
+  - persistent-journal.yaml
+  - fedora-repos.yaml
 
 packages:
+  # This can be replaced later
+  - kernel
   # this is implied by dependencies but let's make it explicit
   - coreutils
   # We need dnf for building derived container images. In Fedora, this pulls
   # in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to
   # just `dnf` once the `dnf` package is retired from Fedora.
   - /usr/bin/dnf
-  # Even in tier-0, we have this.  If you don't want SELinux today, you'll need
-  # to build a custom image.
+  # If you don't want SELinux today, you'll need to build a custom image.
   - selinux-policy-targeted
   # And we want container-selinux because trying to layer it on later currently causes issues.
   - container-selinux

fedora-40.yaml

@@ -1,7 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: 40
-repos:
-  - fedora
-  - fedora-updates
-include: fedora-bootc.yaml

fedora-41.yaml

@@ -1,7 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: 41
-repos:
-  - fedora
-  - fedora-updates
-include: fedora-bootc.yaml

fedora-bootc-config.json

@@ -1,12 +0,0 @@
-{
-    "Labels": {
-        "containers.bootc": "1",
-        "bootc.diskimage-builder": "quay.io/centos-bootc/bootc-image-builder",
-        "redhat.id": "fedora",
-        "redhat.version-id": "rawhide"
-    },
-    "StopSignal": "SIGRTMIN+3",
-    "Env": [
-        "container=oci"
-    ]
-}

fedora-bootc.yaml

@@ -1,8 +0,0 @@
-metadata:
-  name: fedora-boot-tier1
-  summary: Fedora Bootable Tier 1
-
-include:
-  - fedora-generic.yaml
-  - tier-1/manifest.yaml
-  - tier-1/kernel.yaml

fedora-rawhide.yaml

@@ -1,6 +0,0 @@
-# NB: This treefile is used by the legacy pungi path only to build tier-1. It
-# will be removed in the future.
-releasever: rawhide
-repos:
-  - fedora-rawhide
-include: fedora-bootc.yaml

fedora-tier-0.yaml

@@ -1,8 +0,0 @@
-metadata:
-  name: fedora-boot-tier0
-  summary: Fedora Bootable Tier 0
-
-include:
-  - fedora-generic.yaml
-  - tier-0/manifest.yaml
-  - tier-0/kernel.yaml

fedora-tier-1.yaml

@@ -1 +0,0 @@
-fedora-bootc.yaml

fedora-tier-x.yaml

@@ -1,8 +0,0 @@
-metadata:
-  name: fedora-boot-tier-x
-  summary: Fedora Bootable Tier X
-
-include:
-  - fedora-generic.yaml
-  - tier-x/manifest.yaml
-  - tier-x/kernel.yaml

fedora.repo

@@ -1,102 +0,0 @@
-# Note we use baseurl= here because using auto-selected mirrors conflicts with
-# change detection: https://github.com/coreos/fedora-coreos-pipeline/issues/85.
-
-[fedora]
-name=Fedora $releasever - $basearch
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
-        https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Everything/$basearch/os/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
-enabled=1
-#metadata_expire=7d
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
-skip_if_unavailable=False
-
-[fedora-updates]
-name=Fedora $releasever - $basearch - Updates
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
-        https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Everything/$basearch/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
-enabled=1
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-metadata_expire=6h
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
-skip_if_unavailable=False
-
-[fedora-updates-testing]
-name=Fedora $releasever - $basearch - Test Updates
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Everything/$basearch/
-        https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Everything/$basearch/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
-enabled=1
-gpgcheck=1
-metadata_expire=6h
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
-skip_if_unavailable=False
-
-[fedora-modular]
-name=Fedora Modular $releasever - $basearch
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Modular/$basearch/os/
-        https://dl.fedoraproject.org/pub/fedora-secondary/releases/$releasever/Modular/$basearch/os/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
-enabled=1
-#metadata_expire=7d
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
-skip_if_unavailable=False
-
-[fedora-updates-modular]
-name=Fedora Modular $releasever - $basearch - Updates
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Modular/$basearch/
-        https://dl.fedoraproject.org/pub/fedora-secondary/updates/$releasever/Modular/$basearch/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
-enabled=1
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-metadata_expire=6h
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
-skip_if_unavailable=False
-
-[fedora-updates-testing-modular]
-name=Fedora Modular $releasever - $basearch - Test Updates
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/updates/testing/$releasever/Modular/$basearch/
-        https://dl.fedoraproject.org/pub/fedora-secondary/updates/testing/$releasever/Modular/$basearch/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
-enabled=1
-gpgcheck=1
-metadata_expire=6h
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
-skip_if_unavailable=False
-
-[rawhide]
-name=Fedora - Rawhide - Developmental packages for the next Fedora release
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/
-        https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
-enabled=1
-#metadata_expire=7d
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
-skip_if_unavailable=False
-
-[fedora-devel]
-name=Fedora $releasever - $basearch
-baseurl=https://dl.fedoraproject.org/pub/fedora/linux/development/$releasever/Everything/$basearch/os/
-        https://dl.fedoraproject.org/pub/fedora-secondary/development/$releasever/Everything/$basearch/os/
-#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
-enabled=1
-#metadata_expire=7d
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-gpgkey=file:///usr/share/distribution-gpg-keys/fedora/RPM-GPG-KEY-fedora-$releasever-primary
-skip_if_unavailable=False

packages-aarch64.txt

@@ -0,0 +1 @@
+irqbalance

packages-excluded.txt

@@ -0,0 +1,21 @@
+# Packages excluded by default
+
+# We use NetworkManager
+systemd-networkd
+# But without the legacy
+# See https://github.com/coreos/fedora-coreos-config/pull/1991
+NetworkManager-initscripts-ifcfg-rh
+
+# Let's not have both legacy and nft versions in the image. Users are free to
+# also layer legacy themselves if they want.
+iptables-legacy
+
+# We use bootupd
+grubby
+# Let's make sure initscripts doesn't get pulled back in
+# https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254
+initscripts
+
+# For (datacenter/cloud oriented) servers, we want to see the details by default.
+# https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/
+plymouth

packages-ppc64le.txt

@@ -0,0 +1,4 @@
+irqbalance
+librtas
+powerpc-utils-core
+ppc64-diag-rtas

packages-recommended-minimal.txt

@@ -0,0 +1,45 @@
+# This file is simply a list of packages recommended to be used by default.
+# You can process this via e.g.
+# grep -E -v '^#' packages-recommended.txt | xargs dnf -y install
+
+# Used by admins interactively
+attr
+bash-completion
+hostname
+iproute
+jq
+less
+vim-minimal
+# deps of bootc, but let's be explicit. e.g. even if bootc drops the skopeo
+# dep, we still want it
+podman skopeo
+# crun recommends but doesn't require criu and criu-libs. We want them for
+# checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
+crun criu criu-libs
+# storage
+cryptsetup
+lvm2
+tar
+# zram-generator (but not zram-generator-defaults) for F33 change
+# https://github.com/coreos/fedora-coreos-tracker/issues/509
+zram-generator
+# networking
+iptables-nft
+NetworkManager
+openssh-clients
+openssh-server
+systemd-resolved
+# linux-firmware now a recommends so let's explicitly include it
+# https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
+# https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
+linux-firmware
+# security
+polkit
+sudo
+# Allow for configuring different timezones
+tzdata
+# rpm-ostree
+rpm-ostree nss-altfiles
+# firmware updates
+# If you're using linux-firmware, you probably also want fwupd
+fwupd

packages-x86_64.txt

@@ -0,0 +1 @@
+irqbalance

packages.txt

@@ -0,0 +1,84 @@
+# A relatively large base image suitable for headless servers,
+# a lot like CoreOS.
+
+# Include and set the default editor
+nano
+nfs-utils
+# Additional firewall support; we aren't including these in RHCOS or they
+# don't exist in RHEL
+iptables-services
+WALinuxAgent-udev
+# Allow communication between sudo and SSSD
+# for caching sudo rules by SSSD.
+# https://github.com/coreos/fedora-coreos-tracker/issues/445
+libsss_sudo
+# SSSD; we only ship a subset of the backends
+sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
+# Used by admins interactively
+openssl
+# Provides terminal tools like clear, reset, tput, and tset
+ncurses
+# i18n
+kbd
+# zram-generator (but not zram-generator-defaults) for F33 change
+# https://github.com/coreos/fedora-coreos-tracker/issues/509
+zram-generator
+# This one is in Python so isn't in FCOS, but we can safely add it here.
+sos
+
+# Additional file compression/decompression
+bzip2 zstd
+# Improved MOTD experience
+console-login-helper-messages-issuegen
+console-login-helper-messages-profile
+# kdump support
+# https://github.com/coreos/fedora-coreos-tracker/issues/622
+kexec-tools
+# Container tooling
+toolbox
+# nvme-cli for managing nvme disks
+nvme-cli
+# Used by admins interactively
+lsof
+
+# Explicit dep for RHEL >= 10
+crypto-policies-scripts
+# Configuring SSH keys, cloud provider check-in, etc
+# TODO: needs Ignition kargs
+# - afterburn afterburn-dracut
+# NTP support
+chrony
+# Storage configuration/management
+sg3_utils
+## This is generally useful... https://github.com/CentOS/centos-bootc/issues/394
+cloud-utils-growpart
+# User configuration
+passwd
+shadow-utils
+acl
+# Manipulating the kernel keyring; used by bootc
+keyutils
+# There are things that write outside of the journal still (such as the
+# classic wtmp, etc.). auditd also writes outside the journal but it has its
+# own log rotation.
+# Anything package layered will also tend to expect files dropped in
+# /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
+# have it then people's disks will slowly fill up with logs.
+logrotate
+# Boost starving threads
+# https://github.com/coreos/fedora-coreos-tracker/issues/753
+stalld
+
+# This defines a set of tools that are useful for configuring, debugging,
+# or manipulating the network of a system.
+# Interactive Networking configuration during coreos-install
+NetworkManager-tui
+# Support for cloud quirks and dynamic config in real rootfs:
+# https://github.com/coreos/fedora-coreos-tracker/issues/320
+NetworkManager-cloud-setup
+# Route manipulation and QoS
+iproute iproute-tc
+# Firewall manipulation
+iptables nftables
+# Interactive network tools for admins
+socat net-tools bind-utils

tier-1/autoupdates.yaml

@@ -1,9 +0,0 @@
-# Enable automatic updates by default
-postprocess:
-  - |
-    #!/usr/bin/env bash
-    set -euo pipefail
-    target=/usr/lib/systemd/system/default.target.wants
-    mkdir -p $target
-    set -x
-    ln -s ../bootc-fetch-apply-updates.timer $target

tier-1/coreos-user-experience.yaml

@@ -1,17 +0,0 @@
-# This file was forked/copied from Fedora CoreOS.  TODO: resync
-# once we have a good generic mechanism for sharing.
-packages:
-  # Additional file compression/decompression
-  - bzip2 zstd
-  # Improved MOTD experience
-  - console-login-helper-messages-issuegen
-  - console-login-helper-messages-profile
-  # kdump support
-  # https://github.com/coreos/fedora-coreos-tracker/issues/622
-  - kexec-tools
-  # Container tooling
-  - toolbox
-  # nvme-cli for managing nvme disks
-  - nvme-cli
-  # Used by admins interactively
-  - lsof

tier-1/generic-growfs.yaml

@@ -1,12 +0,0 @@
-add-files:
-  - - bootc-generic-growpart
-    - /usr/libexec/bootc-generic-growpart
-  - - bootc-generic-growpart.service
-    - /usr/lib/systemd/system/bootc-generic-growpart.service
-
-postprocess:
-  - |
-    #!/bin/bash
-    set -euo pipefail
-    mkdir -p /usr/lib/systemd/system/local-fs.target.wants
-    ln -s ../bootc-generic-growpart.service /usr/lib/systemd/system/local-fs.target.wants/bootc-generic-growpart.service

tier-1/initramfs-full.yaml

@@ -1,8 +0,0 @@
-# Configuration for the "tier-1" initramfs
-postprocess:
-  - |
-    #!/usr/bin/env bash
-    mkdir -p /usr/lib/dracut/dracut.conf.d
-    cat > /usr/lib/dracut/dracut.conf.d/30-bootc-tier-1.conf << 'EOF'
-    add_dracutmodules+=" lvm crypt fips "
-    EOF

tier-1/kernel.yaml

@@ -1 +0,0 @@
-../tier-0/kernel.yaml

tier-1/manifest.yaml

@@ -1,91 +0,0 @@
-# Flip this back on, we're going to be a larger system
-recommends: true
-
-include:
-  - ../tier-x/manifest.yaml
-  - autoupdates.yaml
-  - networking-tools.yaml
-  - system-configuration.yaml
-  - coreos-user-experience.yaml
-  - persistent-journal.yaml
-  - initramfs-full.yaml
-  - generic-growfs.yaml
-
-packages:
-  # Include and set the default editor
-  - nano
-  - nfs-utils
-  # Additional firewall support; we aren't including these in RHCOS or they
-  # don't exist in RHEL
-  - iptables-services
-  - WALinuxAgent-udev
-  # Allow communication between sudo and SSSD
-  # for caching sudo rules by SSSD.
-  # https://github.com/coreos/fedora-coreos-tracker/issues/445
-  - libsss_sudo
-  # SSSD; we only ship a subset of the backends
-  - sssd-client sssd-ad sssd-ipa sssd-krb5 sssd-ldap
-  # Used by admins interactively
-  - openssl
-  # Provides terminal tools like clear, reset, tput, and tset
-  - ncurses
-  # i18n
-  - kbd
-  # zram-generator (but not zram-generator-defaults) for F33 change
-  # https://github.com/coreos/fedora-coreos-tracker/issues/509
-  - zram-generator
-  # This one is in Python so isn't in FCOS, but we can safely add it here.
-  - sos
-
-# These are random architecture-specific packages
-packages-x86_64:
-  - irqbalance
-packages-ppc64le:
-  - irqbalance
-  - librtas
-  - powerpc-utils-core
-  - ppc64-diag-rtas
-packages-aarch64:
-  - irqbalance
-
-postprocess:
-  # Undo RPM scripts enabling units; we want the presets to be canonical
-  # https://github.com/projectatomic/rpm-ostree/issues/1803
-  - |
-    #!/usr/bin/env bash
-    set -xeuo pipefail
-    rm -rf /etc/systemd/system/*
-    systemctl preset-all
-    rm -rf /etc/systemd/user/*
-    systemctl --user --global preset-all
-  # See: https://github.com/coreos/fedora-coreos-tracker/issues/1253
-  #      https://bugzilla.redhat.com/show_bug.cgi?id=2112857
-  #      https://github.com/coreos/rpm-ostree/issues/3918
-  # Temporary workaround to remove the SetGID binary from liblockfile that is
-  # pulled by the s390utils but not needed for /usr/sbin/zipl.
-  - |
-    #!/usr/bin/env bash
-    set -xeuo pipefail
-    rm -f /usr/bin/dotlockfile
-
-# Things we don't expect to ship on the host.  We currently
-# have recommends: false so these could only come in via
-# hard requirement, in which case the build will fail.
-exclude-packages:
-  - perl
-  - perl-interpreter
-  - nodejs
-  - grubby
-  - cowsay  # Just in case
-  # Let's make sure initscripts doesn't get pulled back in
-  # https://github.com/coreos/fedora-coreos-tracker/issues/220#issuecomment-611566254
-  - initscripts
-  # For (datacenter/cloud oriented) servers, we want to see the details by default.
-  # https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HSMISZ3ETWQ4ETVLWZQJ55ARZT27AAV3/
-  - plymouth
-  # Do not use legacy ifcfg config format in NetworkManager
-  # See https://github.com/coreos/fedora-coreos-config/pull/1991
-  - NetworkManager-initscripts-ifcfg-rh
-  # Let's not have both legacy and nft versions in the image. Users are free to
-  # also layer legacy themselves if they want.
-  - iptables-legacy

tier-1/networking-tools.yaml

@@ -1,20 +0,0 @@
-# This defines a set of tools that are useful for configuring, debugging,
-# or manipulating the network of a system.  It is desired to keep this list
-# generic enough to be shared downstream with RHCOS.
-
-packages:
-  # Interactive Networking configuration during coreos-install
-  - NetworkManager-tui
-  # Support for cloud quirks and dynamic config in real rootfs:
-  # https://github.com/coreos/fedora-coreos-tracker/issues/320
-  - NetworkManager-cloud-setup
-  # Route manipulation and QoS
-  - iproute iproute-tc
-  # Firewall manipulation
-  - iptables nftables
-  # Interactive network tools for admins
-  - socat net-tools bind-utils
-
-exclude-packages:
-  # We use NetworkManager
-  - systemd-networkd

tier-1/system-configuration.yaml

@@ -1,30 +0,0 @@
-# These are packages that are related to configuring parts of the system.
-
-packages:
-  # Explicit dep for RHEL >= 10
-  - crypto-policies-scripts
-  # Configuring SSH keys, cloud provider check-in, etc
-  # TODO: needs Ignition kargs
-  # - afterburn afterburn-dracut
-  # NTP support
-  - chrony
-  # Storage configuration/management
-  - sg3_utils
-  ## This is generally useful... https://github.com/CentOS/centos-bootc/issues/394
-  - cloud-utils-growpart
-  # User configuration
-  - passwd
-  - shadow-utils
-  - acl
-  # Manipulating the kernel keyring; used by bootc
-  - keyutils
-  # There are things that write outside of the journal still (such as the
-  # classic wtmp, etc.). auditd also writes outside the journal but it has its
-  # own log rotation.
-  # Anything package layered will also tend to expect files dropped in
-  # /etc/logrotate.d to work. Really, this is a legacy thing, but if we don't
-  # have it then people's disks will slowly fill up with logs.
-  - logrotate
-  # Boost starving threads
-  # https://github.com/coreos/fedora-coreos-tracker/issues/753
-  - stalld

tier-x/kernel.yaml

@@ -1 +0,0 @@
-../tier-0/kernel.yaml

tier-x/manifest.yaml

@@ -1,45 +0,0 @@
-include:
-  - ../tier-0/manifest.yaml
-
-packages:
-  # Used by admins interactively
-  - attr
-  - bash-completion
-  - hostname
-  - iproute
-  - jq
-  - less
-  - vim-minimal
-  # deps of bootc, but let's be explicit. e.g. even if bootc drops the skopeo
-  # dep, we still want it
-  - podman skopeo
-  # crun recommends but doesn't require criu and criu-libs. We want them for
-  # checkpoint/restore. https://github.com/coreos/fedora-coreos-tracker/issues/1370
-  - crun criu criu-libs
-  # storage
-  - cryptsetup
-  - lvm2
-  - tar
-  # zram-generator (but not zram-generator-defaults) for F33 change
-  # https://github.com/coreos/fedora-coreos-tracker/issues/509
-  - zram-generator
-  # networking
-  - iptables-nft
-  - NetworkManager
-  - openssh-clients
-  - openssh-server
-  - systemd-resolved
-  # linux-firmware now a recommends so let's explicitly include it
-  # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
-  # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
-  - linux-firmware
-  # security
-  - polkit
-  - sudo
-  # Allow for configuring different timezones
-  - tzdata
-  # rpm-ostree
-  - rpm-ostree nss-altfiles
-  # firmware updates
-  # If you're using linux-firmware, you probably also want fwupd
-  - fwupd

usr/lib/dracut/dracut.conf.d/30-bootc-full.conf

@@ -0,0 +1 @@
+add_dracutmodules+=" lvm crypt fips "

usr/lib/systemd/system-preset/05-bootc.preset

@@ -0,0 +1,7 @@
+# Our fallback
+enable bootc-generic-growpart.service
+
+# We enable this by default just so we can say we have automatic
+# updates on by default, like CoreOS. It's very much intended
+# to be tweaked or replaced outside of trivial scenarios though.
+enable bootc-fetch-apply-updates.timer