From 22cfd02909f10dd9ad8cbbdf3656a5298d4c236f Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Thu, 9 Jan 2025 15:29:26 -0500
Subject: [PATCH 1/7] build-sys: Switch to heredoc for RUN

It's a bit more legible as is, but this is prep for further work.

Signed-off-by: Colin Walters
---
 Containerfile | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/Containerfile b/Containerfile
index abc0b92..ed14f01 100644
--- a/Containerfile
+++ b/Containerfile
@@ -41,10 +41,12 @@ RUN rm -vf /src/*.repo
 COPY --from=repos /etc/yum.repos.d/*.repo /src
 RUN --mount=type=cache,target=/workdir \
 --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
- --mount=type=bind,from=repos,src=/,dst=/repos \
- rpm-ostree compose image --image-config fedora-bootc-config.json \
- --cachedir=/workdir --format=ociarchive --initialize ${MANIFEST} \
+ --mount=type=bind,from=repos,src=/,dst=/repos < Date: Thu, 9 Jan 2025 17:01:17 -0500
Subject: [PATCH 2/7] build-sys: Split up the rootfs from commit phases

This allows someone forking this to inject their own content into the middle in a clean and obvious, container-native way.

---
 Containerfile | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/Containerfile b/Containerfile
index ed14f01..049389a 100644
--- a/Containerfile
+++ b/Containerfile
@@ -39,15 +39,29 @@ COPY . /src
 WORKDIR /src
 RUN rm -vf /src/*.repo
 COPY --from=repos /etc/yum.repos.d/*.repo /src
+
+# Construct the base rootfs
 RUN --mount=type=cache,target=/workdir \
- --mount=type=bind,rw=true,src=.,dst=/buildcontext,bind-propagation=shared \
 --mount=type=bind,from=repos,src=/,dst=/repos < Date: Thu, 9 Jan 2025 17:19:24 -0500
Subject: [PATCH 3/7] build-sys: Drop compat with pungi

It's too hard to keep things working both ways.

---
 Containerfile | 19 +++++----
 fedora-40.yaml | 7 ---
 fedora-41.yaml | 7 ---
 fedora-rawhide.yaml | 6 ---
 fedora.repo | 102 --------------------------------------------
 5 files changed, 11 insertions(+), 130 deletions(-)
 delete mode 100644 fedora-40.yaml
 delete mode 100644 fedora-41.yaml
 delete mode 100644 fedora-rawhide.yaml
 delete mode 100644 fedora.repo

diff --git a/Containerfile b/Containerfile
index 049389a..cd14401 100644
--- a/Containerfile
+++ b/Containerfile
@@ -29,21 +29,24 @@ FROM quay.io/fedora/fedora:rawhide as repos
 FROM quay.io/fedora/fedora:41 as builder
 RUN dnf -y install rpm-ostree selinux-policy-targeted
 ARG MANIFEST=fedora-bootc.yaml
-COPY --from=repos /etc/dnf/vars /etc/dnf/vars
-COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg
-# The input git repository has .repo files committed to git rpm-ostree has historically
-# emphasized that. But here, we are fetching the repos from the container base image.
-# So copy the source, and delete the hardcoded ones in git, and use the container base
-# image ones. We can drop the ones commited to git when we hard switch to Containerfile.
+
+# Copy in the source code
 COPY . /src
 WORKDIR /src
-RUN rm -vf /src/*.repo
-COPY --from=repos /etc/yum.repos.d/*.repo /src
 # Construct the base rootfs
 RUN --mount=type=cache,target=/workdir \
 --mount=type=bind,from=repos,src=/,dst=/repos < Date: Thu, 9 Jan 2025 17:24:01 -0500
Subject: [PATCH 4/7] tier-0: Drop dnf

We will have a better way to make derived container images that doesn't require having dnf in the base image. Prep for more minimal and custom images.

Signed-off-by: Colin Walters
---
 tier-0/manifest.yaml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/tier-0/manifest.yaml b/tier-0/manifest.yaml
index f4baec4..1b3a036 100644
--- a/tier-0/manifest.yaml
+++ b/tier-0/manifest.yaml
@@ -52,10 +52,6 @@ include:
 packages:
 # this is implied by dependencies but let's make it explicit
 - coreutils
- # We need dnf for building derived container images. In Fedora, this pulls
- # in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to
- # just `dnf` once the `dnf` package is retired from Fedora.
- - /usr/bin/dnf
 # Even in tier-0, we have this. If you don't want SELinux today, you'll need
 # to build a custom image.
 - selinux-policy-targeted
From 169954f736853d4ac2175fd67104bc7b1e3b9d10 Mon Sep 17 00:00:00 2001
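Review bot: The builder stage loses its RPM signing keys in this hunk: the removed `COPY --from=repos /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-* /etc/pki/rpm-gpg` (and the `/etc/dnf/vars` copy) has no visible replacement, and the remainder of the `RUN --mount=...` heredoc is not legible in this rendering, so it is not clear where the compose now finds keys for signature checking. If the repo definitions still reference /etc/pki/rpm-gpg paths from inside the builder, those paths must resolve there (the repos stage is only bind-mounted at /repos, not copied), otherwise package verification fails or, depending on the gpgcheck setting, is skipped without notice. A one-line comment above the RUN naming where the .repo files and GPG keys now come from would make this contract explicit to anyone forking the Containerfile. The RUN heredoc continues past the legible part of the hunk.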
From: Colin Walters
Date: Thu, 9 Jan 2025 17:26:44 -0500
Subject: [PATCH 5/7] tier-0: Tweak some comments

---
 tier-0/manifest.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tier-0/manifest.yaml b/tier-0/manifest.yaml
index 1b3a036..e8335f6 100644
--- a/tier-0/manifest.yaml
+++ b/tier-0/manifest.yaml
@@ -1,4 +1,7 @@
 edition: "2024"
+# Basically we need to have a stub /etc/machine-id
+# so that Anaconda and especially `systemctl enable`
+# in our container builds do the right thing.
 # https://github.com/CentOS/centos-bootc/issues/167
 machineid-compat: true
 # Be minimal
@@ -14,7 +17,7 @@ etc-group-members:
 - systemd-journal
 - adm
-# Default to `bash` in our container, the same as other containers we ship.
+# This is an opinionated default to run systemd.
 container-cmd:
 - /sbin/init
From 6c5c5cecbdbec68c9c04b96c2587c8dc056de3a8 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Thu, 9 Jan 2025 18:05:47 -0500
Subject: [PATCH 6/7] Drop custom redhat. labels

- These should be standardized instead.
- But they also conflict with supporting multiple versions from a single container build in an ergonomic way.

Signed-off-by: Colin Walters
---
 fedora-bootc-config.json | 2 --
 1 file changed, 2 deletions(-)

diff --git a/fedora-bootc-config.json b/fedora-bootc-config.json
index 3a53fe1..9339255 100644
--- a/fedora-bootc-config.json
+++ b/fedora-bootc-config.json
@@ -2,8 +2,6 @@
 "Labels": {
 "containers.bootc": "1",
 "bootc.diskimage-builder": "quay.io/centos-bootc/bootc-image-builder",
- "redhat.id": "fedora",
- "redhat.version-id": "rawhide"
 },
 "StopSignal": "SIGRTMIN+3",
 "Env": [
From 34f95a2b7700ba17de1494bfc51fe2c8e51ca5fb Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Thu, 9 Jan 2025 18:10:45 -0500
Subject: [PATCH 7/7] Move container metadata into the Containerfile

Less bespoke buildsystem.

---
 Containerfile | 9 +++++++++
 fedora-bootc-config.json | 10 ----------
 2 files changed, 9 insertions(+), 10 deletions(-)
 delete mode 100644 fedora-bootc-config.json

diff --git a/Containerfile b/Containerfile
index cd14401..a54f1c9 100644
--- a/Containerfile
+++ b/Containerfile
@@ -66,6 +66,15 @@ EORUN
 # At this point we're done with the builder image and we have our OCI archive.
 FROM oci-archive:./out.ociarchive
+# We've cargo culted this one around, xref https://pagure.io/fork/cverna/fedora-kiwi-descriptions/c/a12446bbe98404cb4b30d4b07505ecf71a88dfcb
+ENV container=oci
+# Required for systemd being the default entrypoint
+STOPSIGNAL SIGRTMIN+3
+# https://containers.github.io/bootc/bootc-images.html#standard-metadata-for-bootc-compatible-images
+LABEL containers.bootc 1
+# This is our recommended way to link between the base image and
+# a tool to make disk images.
+LABEL bootc.diskimage-builder quay.io/centos-bootc/bootc-image-builder
 # Need to reference builder here to force ordering. But since we have to run
 # something anyway, we might as well cleanup after ourselves.
 RUN --mount=type=bind,from=builder,src=.,target=/var/tmp \
diff --git a/fedora-bootc-config.json b/fedora-bootc-config.json
deleted file mode 100644
index 9339255..0000000
--- a/fedora-bootc-config.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "Labels": {
- "containers.bootc": "1",
- "bootc.diskimage-builder": "quay.io/centos-bootc/bootc-image-builder",
- },
- "StopSignal": "SIGRTMIN+3",
- "Env": [
- "container=oci"
- ]
-}
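Review bot: The Containerfile side of this patch is insertions only (diffstat `Containerfile | 9 +++++++++`) while fedora-bootc-config.json is deleted, so if the builder's `rpm-ostree compose image` heredoc still passes `--image-config fedora-bootc-config.json` (the form the first patch of this series removed and presumably re-added inside the heredoc, whose body is not legible here), the build now points at a file that no longer exists; confirm that option was dropped earlier in the series or remove it in this same commit. As a point of style, `LABEL containers.bootc 1` and `LABEL bootc.diskimage-builder quay.io/centos-bootc/bootc-image-builder` use the legacy whitespace-separated form; the documented `LABEL containers.bootc=1` and `LABEL bootc.diskimage-builder=quay.io/centos-bootc/bootc-image-builder` form is unambiguous about where key ends and value begins and matches the `ENV container=oci` line just above. The RUN that follows the added lines continues outside the hunk.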