Introduce a tier-0 image

This is basically just:

- kernel
- systemd
- selinux-policy-targeted
- bootc

Notably it doesn't have `rpm-ostree` or `rpm`, or many other things.
It also doesn't even have `linux-firmware`.

And no `openssh`!

It's almost certain that you need to derive from this, but
it should be a suitable starting point.

TODO: Add something like

```
$ dnf-system-bootstrap
Installing packaging tools from quay.io/fedora/fedora-boot-dnf@sha256:abcd...)
 # This would be basically all the packages not in tier-0 that
 # are enough to give `dnf install`
$ dnf install cowsay
 # Install critical stuff
$ dnf system-bootstrap remove
 # Remove everything that we added for the package system, that isn't
 # a dependency of what the user wants!
```

(In theory we could make this work with multi-stage builds, but
 it's a little hard)

.gitlab-ci.yml

@@ -8,11 +8,15 @@ stages:
 .base:
   parallel:
     matrix:
-      - TIER: [tier-1]
+      - TIER:
+          - tier-0
+          - tier-1
         OS: centos
         VERSION: [stream9]
         VARIANT: ["", "-rt"]
-      - TIER: [tier-1]
+      - TIER:
+          - tier-0
+          - tier-1
         OS: fedora
         VERSION: [38]
         VARIANT: [""]

centos-base.yaml

@@ -1,13 +0,0 @@
-releasever: stream9
-
-repos:
-  - baseos
-  - appstream
-
-metadata:
-  name: c9s-boot-tier1
-  summary: CentOS 9 Bootable Tier 1
-
-include:
-  - tier-1/manifest.yaml
-

centos-stream-9.yaml

@@ -0,0 +1,5 @@
+releasever: stream9
+
+repos:
+  - baseos
+  - appstream

centos-tier-0-rt-stream9.yaml

@@ -0,0 +1,5 @@
+include:
+  - centos-stream-9.yaml
+  - tier-0/kernel-rt.yaml
+  - tier-0/manifest.yaml
+

centos-tier-0-stream9.yaml

@@ -0,0 +1,5 @@
+include:
+  - centos-stream-9.yaml
+  - tier-0/kernel.yaml
+  - tier-0/manifest.yaml
+

centos-tier-1-rt-stream9.yaml

@@ -1,3 +1,4 @@
 include:
-  - centos-base.yaml
+  - centos-stream-9.yaml
-  - tier-1/kernel-rt.yaml
+  - tier-0/kernel-rt.yaml
+  - tier-1/manifest.yaml

centos-tier-1-stream9.yaml

@@ -1,4 +1,5 @@
 include:
-  - centos-base.yaml
+  - centos-stream-9.yaml
   - tier-1/kernel.yaml
+  - tier-1/manifest.yaml
 

fedora-tier-0-38.yaml

@@ -0,0 +1,9 @@
+releasever: 38
+
+repos:
+  - fedora
+  - fedora-updates
+
+include:
+  - tier-0/manifest.yaml
+  - tier-0/kernel.yaml

tier-0/bootc.yaml

@@ -0,0 +1,25 @@
+# A relatively minimal base, but we also do include linux-firmware so
+# we can be directly booted on metal.
+packages:
+ - systemd
+ # linux-firmware now a recommends so let's explicitly include it
+ # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
+ # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
+ - linux-firmware
+ - ostree
+ # For now this will be shipped in rpm-ostree
+ # - bootc
+ # Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk
+ - gdisk xfsprogs e2fsprogs dosfstools
+
+exclude-packages:
+  # Exclude kernel-debug-core to make sure that it doesn't somehow get
+  # chosen as the package to satisfy the `kernel-core` dependency from
+  # the kernel package.
+  - kernel-debug-core
+
+# rpm-ostree can be an alias for bootc, we want to enable that here.
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    ln -sr /usr/bin/{rpm-ostree,bootc}

tier-0/bootupd.yaml

@@ -0,0 +1,31 @@
+# Integration with https://github.com/coreos/bootupd and bootloader logic
+# xref https://github.com/coreos/fedora-coreos-tracker/issues/510
+packages:
+  - bootupd
+
+# bootloader
+packages-aarch64:
+  - grub2-efi-aa64 efibootmgr shim
+packages-ppc64le:
+  - grub2 ostree-grub2
+packages-s390x:
+  # On Fedora, this is provided by s390utils-core. on RHEL, this is for now
+  # provided by s390utils-base, but soon will be -core too.
+  - /usr/sbin/zipl
+packages-x86_64:
+  - grub2 grub2-efi-x64 efibootmgr shim
+  - microcode_ctl
+
+conditional-include:
+  - if: basearch != "s390x"
+    # And remove some cruft from grub2
+    include: grub2-removals.yaml
+
+postprocess:
+  - |
+    #!/bin/bash
+    set -xeuo pipefail
+    # Until we have https://github.com/coreos/rpm-ostree/pull/2275
+    mkdir -p /run
+    # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
+    /usr/bin/bootupctl backend generate-update-metadata /

tier-0/group

@@ -0,0 +1,46 @@
+root:x:0:
+bin:x:1:
+daemon:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mem:x:8:
+kmem:x:9:
+wheel:x:10:
+cdrom:x:11:
+mail:x:12:
+man:x:15:
+sudo:x:16:
+dialout:x:18:
+floppy:x:19:
+games:x:20:
+tape:x:33:
+video:x:39:
+ftp:x:50:
+lock:x:54:
+audio:x:63:
+nobody:x:99:
+users:x:100:
+ssh_keys:x:999:
+systemd-journal:x:190:
+polkitd:x:998:
+etcd:x:997:
+dip:x:40:
+cgred:x:996:
+avahi-autoipd:x:170:
+sssd:x:993:
+dockerroot:x:986:
+rpcuser:x:29:
+nfsnobody:x:65534:
+kube:x:994:
+chrony:x:992:
+tcpdump:x:72:
+ceph:x:167:
+input:x:104:
+systemd-timesync:x:991:
+systemd-network:x:990:
+systemd-resolve:x:989:
+systemd-bus-proxy:x:988:
+cockpit-ws:x:987:

tier-0/grub2-removals.yaml

@@ -0,0 +1,8 @@
+remove-from-packages:
+  # The grub bits are mainly designed for desktops, and IMO haven't seen
+  # enough testing in concert with ostree. At some point we'll flesh out
+  # the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
+  - [grub2-tools, /etc/grub.d/08_fallback_counting,
+                  /etc/grub.d/10_reset_boot_success,
+                  /etc/grub.d/12_menu_auto_hide,
+                  /usr/lib/systemd/.*]

tier-0/initramfs.yaml

@@ -0,0 +1,14 @@
+# Configuration for the initramfs
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    mkdir -p /usr/lib/dracut/dracut.conf.d
+    cat > /usr/lib/dracut/dracut.conf.d/01-bootc-nohostonly.conf
+    # We want a generic image; hostonly makes no sense as part of a server side build
+    hostonly=no
+    EOF
+    cat > /usr/lib/dracut/dracut.conf.d/49-tpm2-tss.conf << 'EOF'
+    # We want this for systemd-cryptsetup tpm2 locking
+    dracutmodules+=" tpm2-tss "
+    EOF
+  

tier-0/kernel.yaml

@@ -0,0 +1,6 @@
+# Enable the Linux kernel; see also kernel-rt.
+packages:
+ - kernel
+
+exclude-packages:
+  - kernel-debug

tier-0/manifest.yaml

@@ -0,0 +1,62 @@
+
+# Modern defaults we want
+boot-location: modules
+tmp-is-dir: true
+# This one at least historically broke compatibility with Anaconda, but
+# let's use it by default now.
+machineid-compat: false
+# Be minimal
+recommends: false
+
+ignore-removed-users:
+  - root
+ignore-removed-groups:
+  - root
+etc-group-members:
+  - wheel
+  - sudo
+  - systemd-journal
+  - adm
+
+# Note that the default for c9s+ is sqlite; we can't rely on rpm being
+# in the target (it isn't in tier-0!) so turn this to host here.  This
+# does break the "hermetic build" aspect a bit.  Maybe eventually
+# what we should do is special case this and actually install RPM temporarily
+# and then remove it...
+rpmdb: host
+
+check-passwd:
+  type: "file"
+  filename: "passwd"
+check-groups:
+  type: "file"
+  filename: "group"
+
+automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
+mutate-os-release: "${releasever}"
+
+remove-from-packages:
+  # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
+  - [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
+  # We don't want auto-generated mount units. See also
+  # https://github.com/systemd/systemd/issues/13099
+  - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
+  # Drop some buggy sysusers fragments which do not match static IDs allocation:
+  # https://bugzilla.redhat.com/show_bug.cgi?id=2105177
+  - [dbus-common, /usr/lib/sysusers.d/dbus.conf]
+
+include:
+  - bootc.yaml
+  - initramfs.yaml
+
+packages:
+  # Even in tier-0, we have this.  If you don't want SELinux today, you'll need
+  # to build a custom image.
+  - selinux-policy-targeted
+  # Needed for tpm2 bound luks
+  - tpm2-tools
+
+# See https://github.com/coreos/bootupd
+arch-include:
+  x86_64: bootupd.yaml
+  aarch64: bootupd.yaml

tier-0/passwd

@@ -0,0 +1,32 @@
+adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
+avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
+bin:x:1:1:bin:/bin:/usr/sbin/nologin
+ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
+chrony:x:994:992::/var/lib/chrony:/usr/sbin/nologin
+cockpit-ws:x:988:987:User for cockpit-ws:/:/usr/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
+dbus:x:81:81:System Message Bus:/:/usr/sbin/nologin
+dockerroot:x:997:986:Docker User:/var/lib/docker:/usr/sbin/nologin
+etcd:x:998:997:etcd user:/var/lib/etcd:/usr/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
+games:x:12:100:games:/usr/games:/usr/sbin/nologin
+halt:x:7:0:halt:/sbin:/sbin/halt
+kube:x:996:994:Kubernetes user:/:/usr/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
+nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
+nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
+operator:x:11:0:operator:/root:/usr/sbin/nologin
+polkitd:x:999:998:User for polkitd:/:/usr/sbin/nologin
+root:x:0:0:Super User:/root:/bin/bash
+rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
+rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
+sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
+systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin
+systemd-resolve:x:990:989:systemd Resolver:/:/usr/sbin/nologin
+systemd-timesync:x:993:991:systemd Time Synchronization:/:/usr/sbin/nologin
+tcpdump:x:72:72::/:/usr/sbin/nologin

tier-1/bootc.yaml

@@ -1,24 +0,0 @@
-# A relatively minimal base, but we also do include linux-firmware so
-# we can be directly booted on metal.
-packages:
- - systemd
- # linux-firmware now a recommends so let's explicitly include it
- # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
- # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
- - linux-firmware
- # For now this will be shipped in rpm-ostree
- # - bootc
- # Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk
- - gdisk xfsprogs e2fsprogs dosfstools
-
-exclude-packages:
-  # Exclude kernel-debug-core to make sure that it doesn't somehow get
-  # chosen as the package to satisfy the `kernel-core` dependency from
-  # the kernel package.
-  - kernel-debug-core
-
-# rpm-ostree can be an alias for bootc, we want to enable that here.
-postprocess:
-  - |
-    #!/usr/bin/env bash
-    ln -sr /usr/bin/{rpm-ostree,bootc}

tier-1/bootc.yaml

@@ -0,0 +1 @@
+../tier-0/bootc.yaml

tier-1/bootupd.yaml

@@ -1,31 +0,0 @@
-# Integration with https://github.com/coreos/bootupd and bootloader logic
-# xref https://github.com/coreos/fedora-coreos-tracker/issues/510
-packages:
-  - bootupd
-
-# bootloader
-packages-aarch64:
-  - grub2-efi-aa64 efibootmgr shim
-packages-ppc64le:
-  - grub2 ostree-grub2
-packages-s390x:
-  # On Fedora, this is provided by s390utils-core. on RHEL, this is for now
-  # provided by s390utils-base, but soon will be -core too.
-  - /usr/sbin/zipl
-packages-x86_64:
-  - grub2 grub2-efi-x64 efibootmgr shim
-  - microcode_ctl
-
-conditional-include:
-  - if: basearch != "s390x"
-    # And remove some cruft from grub2
-    include: grub2-removals.yaml
-
-postprocess:
-  - |
-    #!/bin/bash
-    set -xeuo pipefail
-    # Until we have https://github.com/coreos/rpm-ostree/pull/2275
-    mkdir -p /run
-    # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
-    /usr/bin/bootupctl backend generate-update-metadata /

tier-1/bootupd.yaml

@@ -0,0 +1 @@
+../tier-0/bootupd.yaml

tier-1/group

@@ -1,46 +0,0 @@
-root:x:0:
-bin:x:1:
-daemon:x:2:
-sys:x:3:
-adm:x:4:
-tty:x:5:
-disk:x:6:
-lp:x:7:
-mem:x:8:
-kmem:x:9:
-wheel:x:10:
-cdrom:x:11:
-mail:x:12:
-man:x:15:
-sudo:x:16:
-dialout:x:18:
-floppy:x:19:
-games:x:20:
-tape:x:33:
-video:x:39:
-ftp:x:50:
-lock:x:54:
-audio:x:63:
-nobody:x:99:
-users:x:100:
-ssh_keys:x:999:
-systemd-journal:x:190:
-polkitd:x:998:
-etcd:x:997:
-dip:x:40:
-cgred:x:996:
-avahi-autoipd:x:170:
-sssd:x:993:
-dockerroot:x:986:
-rpcuser:x:29:
-nfsnobody:x:65534:
-kube:x:994:
-chrony:x:992:
-tcpdump:x:72:
-ceph:x:167:
-input:x:104:
-systemd-timesync:x:991:
-systemd-network:x:990:
-systemd-resolve:x:989:
-systemd-bus-proxy:x:988:
-cockpit-ws:x:987:

tier-1/group

@@ -0,0 +1 @@
+../tier-0/group

tier-1/grub2-removals.yaml

@@ -1,8 +0,0 @@
-remove-from-packages:
-  # The grub bits are mainly designed for desktops, and IMO haven't seen
-  # enough testing in concert with ostree. At some point we'll flesh out
-  # the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
-  - [grub2-tools, /etc/grub.d/08_fallback_counting,
-                  /etc/grub.d/10_reset_boot_success,
-                  /etc/grub.d/12_menu_auto_hide,
-                  /usr/lib/systemd/.*]

tier-1/grub2-removals.yaml

@@ -0,0 +1 @@
+../tier-0/grub2-removals.yaml

tier-1/initramfs.yaml

@@ -1,14 +0,0 @@
-# Configuration for the initramfs
-postprocess:
-  - |
-    #!/usr/bin/env bash
-    mkdir -p /usr/lib/dracut/dracut.conf.d
-    cat > /usr/lib/dracut/dracut.conf.d/01-bootc-nohostonly.conf
-    # We want a generic image; hostonly makes no sense as part of a server side build
-    hostonly=no
-    EOF
-    cat > /usr/lib/dracut/dracut.conf.d/49-tpm2-tss.conf << 'EOF'
-    # We want this for systemd-cryptsetup tpm2 locking
-    dracutmodules+=" tpm2-tss "
-    EOF
-  

tier-1/initramfs.yaml

@@ -0,0 +1 @@
+../tier-0/initramfs.yaml

tier-1/kernel.yaml

@@ -1,6 +0,0 @@
-# Enable the Linux kernel; see also kernel-rt.
-packages:
- - kernel
-
-exclude-packages:
-  - kernel-debug

tier-1/kernel.yaml

@@ -0,0 +1 @@
+../tier-0/kernel.yaml

tier-1/manifest-tier-0.yaml

@@ -0,0 +1 @@
+../tier-0/manifest.yaml

tier-1/manifest.yaml

@@ -1,54 +1,11 @@
 
-# Modern defaults we want
-boot-location: modules
-tmp-is-dir: true
-# This one at least historically broke compatibility with Anaconda, but
-# let's use it by default now.
-machineid-compat: false
-# Be minimal
-recommends: false
-
-ignore-removed-users:
-  - root
-ignore-removed-groups:
-  - root
-etc-group-members:
-  - wheel
-  - sudo
-  - systemd-journal
-  - adm
-
-check-passwd:
-  type: "file"
-  filename: "passwd"
-check-groups:
-  type: "file"
-  filename: "group"
-
 include:
-  - bootc.yaml
+  - manifest-tier-0.yaml
-  - initramfs.yaml
-  - bootable-rpm-ostree.yaml
   - networking-tools.yaml
   - system-configuration.yaml
   - user-experience.yaml
   - fwupd.yaml
 
-remove-from-packages:
-  # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
-  - [systemd, /usr/bin/systemd-firstboot,
-              /usr/lib/systemd/system/systemd-firstboot.service,
-              /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
-  # We don't want auto-generated mount units. See also
-  # https://github.com/systemd/systemd/issues/13099
-  - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
-  # Drop some buggy sysusers fragments which do not match static IDs allocation:
-  # https://bugzilla.redhat.com/show_bug.cgi?id=2105177
-  - [dbus-common, /usr/lib/sysusers.d/dbus.conf]
-
-automatic-version-prefix: "${releasever}.<date:%Y%m%d>"
-mutate-os-release: "${releasever}"
-
 packages:
   # Include and set the default editor
   - nano
@@ -114,11 +71,6 @@ packages-aarch64:
 packages-s390x:
   - qemu-user-static-x86
 
-# See https://github.com/coreos/bootupd
-arch-include:
-  x86_64: bootupd.yaml
-  aarch64: bootupd.yaml
-
 postprocess:
   # Undo RPM scripts enabling units; we want the presets to be canonical
   # https://github.com/projectatomic/rpm-ostree/issues/1803

tier-1/passwd

@@ -1,32 +0,0 @@
-adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
-avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
-bin:x:1:1:bin:/bin:/usr/sbin/nologin
-ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
-chrony:x:994:992::/var/lib/chrony:/usr/sbin/nologin
-cockpit-ws:x:988:987:User for cockpit-ws:/:/usr/sbin/nologin
-daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
-dbus:x:81:81:System Message Bus:/:/usr/sbin/nologin
-dockerroot:x:997:986:Docker User:/var/lib/docker:/usr/sbin/nologin
-etcd:x:998:997:etcd user:/var/lib/etcd:/usr/sbin/nologin
-ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
-games:x:12:100:games:/usr/games:/usr/sbin/nologin
-halt:x:7:0:halt:/sbin:/sbin/halt
-kube:x:996:994:Kubernetes user:/:/usr/sbin/nologin
-lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
-mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
-nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
-nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
-operator:x:11:0:operator:/root:/usr/sbin/nologin
-polkitd:x:999:998:User for polkitd:/:/usr/sbin/nologin
-root:x:0:0:Super User:/root:/bin/bash
-rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
-rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
-shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
-sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
-sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
-sync:x:5:0:sync:/sbin:/bin/sync
-systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
-systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin
-systemd-resolve:x:990:989:systemd Resolver:/:/usr/sbin/nologin
-systemd-timesync:x:993:991:systemd Time Synchronization:/:/usr/sbin/nologin
-tcpdump:x:72:72::/:/usr/sbin/nologin

tier-1/passwd

@@ -0,0 +1 @@
+../tier-0/passwd

tier-1/system-configuration.yaml

@@ -8,8 +8,6 @@ packages:
   - chrony
   # Storage configuration/management
   - cryptsetup
-  # Needed for tpm2 bound luks
-  - tpm2-tools
   - e2fsprogs
   - sg3_utils
   - xfsprogs
@@ -19,8 +17,6 @@ packages:
   - acl
   # Manipulating the kernel keyring; used by bootc
   - keyutils
-  # SELinux policy
-  - selinux-policy-targeted
   # There are things that write outside of the journal still (such as the
   # classic wtmp, etc.). auditd also writes outside the journal but it has its
   # own log rotation.